SDWAN API RBAC

Heri Diaz
Cisco Employee

Hi Team,

I have a couple of doubts about the RBAC required to use SDWAN APIs.

1. When the API doesn't show an "x-roles-required", does this mean that any user can execute this API?

2. For x-roles-required: "default", what is the user group that I need to use? It seems that it is not part of the Feature user groups param in vManage.

 

 

1 Accepted Solution


Not an expert here. From what I recall, when an API endpoint does not specify an "x-roles-required" header, it does not mean that any user can execute the API. Instead, it implies that the API endpoint is accessible to all authenticated users. Therefore, in other words, any user who has a valid login credential and is authenticated by the vManage system can access the API endpoint, regardless of their role or permissions.

The "x-roles-required: default" header would indicate that the API endpoint requires a user to have the default role to access it. In the context of vManage, the "default" role is a built-in role that is assigned to all users by default. From what I recall, this role provides basic read-only access (I do not think this means 'imply unrestricted access'; please check this part). I believe that to use an API endpoint with "x-roles-required: default", you don't need to assign a specific user group/feature role to the user. You would instead ensure that the user has a valid login credential and is authenticated by vManage, and the user will then be able to access the API endpoint with the default role's permissions.

I've not seen this listed much in the documentation, so I would suggest double-checking this with the SD-WAN API ENG team at Cisco.

Happy to be corrected on the above too, hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
