Vennila
Beginner

vManage API Permission

Hi,

 

In the vManage apidocs, APIs are arranged with reference to resource collection, and permission for the APIs is enabled with reference to feature selection.

 

I would like to understand, for a specific feature, what all the available APIs are. For instance, if we enable Interface Read permission for a user group, then what are all the APIs that user can invoke successfully?

 

Thanks in advance!

 

Regards,

Vennila

5 REPLIES 5
msuchand
Cisco Employee

Hi,

 

RBAC rules are the same for GUI and APIs.

 

For example, if a user belongs to the operator group, the user can only view the information and can't do configuration in the vManage GUI; similarly, the user will not be able to trigger the API calls related to configuration of policies or templates.

 

Thanks,
Sai

Hi,

Thanks for your response!

I would like to know how the RBAC is set for vManage APIs.

i.e., if a user fires any API listed in apidocs, how does vManage know whether to send the response or block the request?

Is there any way to know what RBAC is set for those APIs?

Thanks in advance!

Hi, 

 

For example, if the user-id belongs to the user group netadmin or a custom user group test, then we can use the URI https://vmanage-ip/dataservice/admin/usergroup, and a GET request to this returns the RBAC rules in the format below.

 

"data": [
  { "groupName": "test",
    "tasks": [
      { "feature": "Policy",
        "enabled": true,
        "read": true,
        "write": false },
      { "feature": "Routing",
        "enabled": true,
        "read": true,
        "write": false },
<snip>

 

Based on the above key values for "read" and "write", the respective response will be returned as the API response. If "write" is false for the feature Policy and the user tries to edit the policy configuration using the API, then the response would be 403.

 

Thanks,
Sai
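
Added example (not part of the thread and not Cisco's code): Python that turns a usergroup response in the format quoted above into a per-group permission matrix, predicts whether a read or write operation on a feature would be refused with 403, and lists effective write grants for a least-privilege review. The sample data (including the group "noc-readonly" and the "Interface" rows), the rule that a task with "enabled": false grants nothing, and 200 as the status for an allowed call are assumptions.

```python
import json

# Constructed sample in the shape shown above for GET /dataservice/admin/usergroup.
# "noc-readonly" and the "Interface" rows are made up for illustration.
SAMPLE = json.loads("""
{"data": [
  {"groupName": "test", "tasks": [
    {"feature": "Policy",    "enabled": true,  "read": true, "write": false},
    {"feature": "Routing",   "enabled": true,  "read": true, "write": false},
    {"feature": "Interface", "enabled": true,  "read": true, "write": true}]},
  {"groupName": "noc-readonly", "tasks": [
    {"feature": "Interface", "enabled": true,  "read": true, "write": false},
    {"feature": "Policy",    "enabled": false, "read": true, "write": true}]}
]}
""")

def build_matrix(response):
    """Return {group: {feature: {"read": bool, "write": bool}}}.
    Assumption: a task with "enabled": false grants nothing."""
    matrix = {}
    for group in response.get("data", []):
        perms = matrix.setdefault(group["groupName"], {})
        for task in group.get("tasks", []):
            on = bool(task.get("enabled"))
            perms[task["feature"]] = {
                "read": on and bool(task.get("read")),
                "write": on and bool(task.get("write")),
            }
    return matrix

def expected_status(matrix, group, feature, operation):
    """Predict 403 (blocked by RBAC) or 200 (assumed status when allowed).
    Unknown groups and features are denied, i.e. the check fails closed."""
    if operation not in ("read", "write"):
        raise ValueError("operation must be 'read' or 'write'")
    allowed = matrix.get(group, {}).get(feature, {}).get(operation, False)
    return 200 if allowed else 403

def write_grants(matrix):
    """List (group, feature) pairs with effective write access, for review."""
    return sorted((g, f) for g, feats in matrix.items()
                  for f, p in feats.items() if p["write"])

if __name__ == "__main__":
    m = build_matrix(SAMPLE)
    print("test / Policy / write ->", expected_status(m, "test", "Policy", "write"))
    for group, feature in write_grants(m):
        print(f"write enabled: {group} -> {feature}")
```
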

Hi,



Thanks for the response!



But could we know the APIs associated with a feature? For example, if a user is assigned to the Interface feature with Write operation, then what are all the APIs (listed in apidocs) he can access?



Can you please help!



Thanks in Advance!


Hi, 

 

We don't have an API call or a single doc to find the associated API URLs for an RBAC category. However, we can use the links below to correlate the information.

 

For example, if a user has read permission for the Interface category, then the user can run commands like "show interface", "show arp", etc. (please check the section "User Group Authorization Rules for Operational Commands" in the link https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/SD-WAN_Release_16.3/02System_and_Interfaces/01_System_and_Interfaces_Overview/Role-Based_Access_with_AAA )

 

Similarly, we have a link ( https://sdwan-docs.cisco.com/Product_Documentation/Command_Reference/Command_Reference/vManage_REST_APIs/Real-Time_Monitoring_APIs/Interface ) which maps the CLI command to the API URL.

 

We can identify the commands available for each RBAC category in the first link, and in the second link we can see the API URLs associated with that command.

 

Thanks,
Sai
