05-04-2017 09:37 AM
After upgrading our CiscoPrime to 3.1 (3.1.6 to be exact) from 3.0.4, any calls we make to /InventoryDetails (webacs/api/v1/data/InventoryDetails) return 403 - Forbidden.
The same user with the same rights can without issue call webacs/api/v1/data/Devices as before.
The error message returned in the response is:
Access is denied to Prime Infrastructure.
Any thoughts on what might be wrong here?
05-04-2017 10:03 AM
Are you using an external AAA provider (TACACS for example)? Is it just InventoryDetails that you're having a problem with, or are you experiencing the same issue with other public API resources? What type of user are you using to query the API (root, Super, NBI Read)?
05-04-2017 10:08 AM
We are using an external provider (TACACS+) for login.
We are only querying /Devices and /InventoryDetails for now. The script I have to scrape the general inventory (/Devices) works as before, whereas what I use to scrape the network topology (/InventoryDetails) fails. I have verified it by hand using PowerShell and browsing to the API endpoint directly in Chrome.
The user is a member of "NBI Read".
The user is able to read the information (CDP Neighbors) when browsed via the WebGui.
05-04-2017 11:34 AM
Can you double check your ACS shell profile and authorization config? Your shell profile should look something like this:
role0=NBI Read
task0=NBIReadPrivilege
virtual-domain0=ROOT-DOMAIN
You might also want to check the reporting section on your ACS server. Specifically, the TACACS Authentication report. Click the details button of one of your most recent API sessions and ensure that the selected shell profile listed matches your expectations.
There is an explicit privilege grant in the system for the Devices API for a broad set of users, so it's likely that you're granted access to Devices based on that privilege.
Let me know if that works or not.
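The shell-profile check suggested in the last reply, as an added example that is not part of the original thread: it parses the attributes of the profile shown in the TACACS Authentication report and lists any of the three values quoted above that are missing. The function names, the exact-match comparison and the sample profiles are assumptions made for this illustration.

```python
import re

# Expected attributes, taken from the shell profile quoted in the reply above.
EXPECTED = {
    "role": {"NBI Read"},
    "task": {"NBIReadPrivilege"},
    "virtual-domain": {"ROOT-DOMAIN"},
}

# Attribute lines have the form nameN=value, e.g. task0=NBIReadPrivilege.
ATTR_RE = re.compile(r"^(role|task|virtual-domain)(\d+)=(.*)$")


def parse_profile(text):
    """Parse 'nameN=value' lines into {name: {index: value}} plus a problem list."""
    attrs = {name: {} for name in EXPECTED}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unrecognised attribute {line!r}")
            continue
        name, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if idx in attrs[name]:
            problems.append(f"line {lineno}: duplicate {name}{idx}")
        attrs[name][idx] = value
    return attrs, problems


def audit_profile(text):
    """Return a list of findings; an empty list means the profile matches."""
    attrs, findings = parse_profile(text)
    for name, wanted in EXPECTED.items():
        present = set(attrs[name].values())
        for value in sorted(wanted - present):
            findings.append(f"missing {name} value {value!r}")
    return findings


# Constructed samples: the profile from the thread, and one lacking the task.
GOOD = "role0=NBI Read\ntask0=NBIReadPrivilege\nvirtual-domain0=ROOT-DOMAIN\n"
BAD = "role0=NBI Read\nvirtual-domain0=ROOT-DOMAIN\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_profile(sample) or "OK")
```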