11-11-2019 05:16 AM
Hello Team.
My customer is looking at consuming the ERS Api for specific uses and has enquired whether it is possible to restrict access to a limited subset of API? In reviewing the documentation, it seems that once an account is created for API access, it is granted full access to all ERS APIs.
- External RESTful Services Admin - Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests.
Secondly, is it possible to report/audit API calls; determine what account and APIs have been used/called and when?
Lastly, my current understanding is that the API uses Basic Authentication within the HTTP headers, which simply consists of a username and password, base64 encoded. If this is correct, are there any best practices employed by other customers to avoid the credentials being compromised and used by an unauthorized app/user?
Header | Values | Description
ACCEPT | Application/XML or Application/JSON | Indicates to the server what media type(s) this client is willing to accept
AUTHORIZATION | "Basic " plus username and password (per RFC 2617) | Identifies the authorized user making this request
CONTENT-TYPE | Application/XML or Application/JSON | Describes the representation and syntax of the request message body.
ERS-Media-Type | Consists of: resource-namespace.resource-name.resource-version | This header is not mandatory. It describes the ERS resource version. If not sent from the client, the server will assume the latest version.
https://tools.ietf.org/html/rfc2617#section-2
"the client sends the userid and password, separated by a single colon (":") character, within a base64 [7] encoded string in the credentials"
Thanks,
Regan
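As an added example (not from the original post or from Cisco), the following Python builds the ERS request headers from the table above and shows why the Basic Authorization header must be treated as a plaintext credential: it can be decoded by anyone who can read the request. The host, account name and password are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample values; substitute your own ISE host and a dedicated ERS account.
ISE_HOST = "https://ise.example.com:9060"
ERS_USER = "ers-automation"        # dedicated ERS account, not a shared admin login
ERS_PASS = "placeholder-password"

# Assumed shape of ERS-Media-Type: namespace.name.version, where version may contain dots.
_MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[0-9]+(\.[0-9]+)*$")


def basic_auth_value(username, password):
    """'Basic ' + base64(username ':' password), exactly as RFC 2617 describes.
    Base64 is an encoding, not encryption: no hashing or secret is involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def ers_headers(username, password, media_type=None, fmt="application/json"):
    """Build the request headers listed in the ERS header table."""
    headers = {
        "Accept": fmt,
        "Content-Type": fmt,
        "Authorization": basic_auth_value(username, password),
    }
    if media_type is not None:
        if not _MEDIA_TYPE_RE.match(media_type):
            raise ValueError("ERS-Media-Type must be namespace.name.version")
        headers["ERS-Media-Type"] = media_type
    return headers


def decode_basic_auth(header_value):
    """Recover the credentials from an Authorization header. Any proxy, packet
    capture or request log that sees this header can do the same, which is why
    ERS must only be reached over TLS and with a least-used, dedicated account."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def check_endpoint(url):
    """Refuse to send Basic credentials to anything but an https URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("ERS credentials must only be sent over https")
    return True
```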
11-14-2019 06:51 AM - edited 11-14-2019 07:59 AM
The first item is not available at present. I would suggest checking with our PM team(s) for enhancements.
The second item has some coverage in our existing audit reports. Please have a look at them.
The third item is handled the same as usual: restrict access to the ERS API service port(s) by firewall, do not use common user credentials, etc. ERS API has an option to allow CSRF validation, but this is not working with DNAC integration.
The last item does not seem to be a question or comment.
11-14-2019 07:55 AM
Here is the enhancement request already opened for this - CSCvr07394 (Create ERS users with specific privileges)