Why is a custom role user without any permissions able to run the Analytics API for the org?

I have created a custom role called "Inactive account" for my org wherein all the permissions are disabled. I have added a user to this custom role (let's call it "InactiveUser1"). However, when I run the following Analytics API call as "InactiveUser1", I get 200 OK and also receive the response payload.

curl -v https://api.enterprise.apigee.com/v1/organizations/adevegowda/environments/test/stats/apiproxy?selec...

I was expecting that I should get 401 Unauthorized.

Can you please look into this and let me know whether this is expected behaviour or not?

1 ACCEPTED SOLUTION


The Edge UI surfaces a subset of all possible RBAC permissions and lets you set up simplified roles that are intended to be used in the UI. The UI currently does not surface Analytics permissions, so it gives custom roles GET permissions for Analytics calls.

The UI should probably let the user do a raw edit of RBAC permissions, and that feature is under consideration.

In the meantime, you should update the role's permissions with the Management API directly to remove the GET permissions on the Analytics paths.

See this link.


@coverbeck,

Thanks for your suggestion, it helped.

As suggested by Charles above, I updated the "Inactive account" role to remove all permissions for the Analytics API, as shown below, using the API at Add/Update Permissions:

{
    "path": "/environments/test/stats/*",
    "permissions": []
}

After this, if I use the "Inactive account" user, I get the error below, as expected:

HTTP/1.1 403 Forbidden

If we want to remove the permissions across all the environments for Analytics API, then we can do it as follows:

{
    "path": "/environments/*/stats/*",
    "permissions": []
}
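As an added example (not code from this thread or from Apigee's own tooling), a small Python helper that builds the same body as the post above, sends it to the role's permissions resource, and audits a role's permission listing for any stats path that still grants GET. The endpoint path `/userroles/{role}/permissions` and the `resourcePermission` response shape are assumptions about the Edge Management API; the sample listings are constructed.

```python
import json
import urllib.request

MGMT_BASE = "https://api.enterprise.apigee.com/v1"  # management host used in the question


def stats_deny_body(env="*"):
    """Body that strips every permission on the Analytics (stats) paths of one
    environment, or of all environments with the default wildcard (shape from the post)."""
    return {"path": f"/environments/{env}/stats/*", "permissions": []}


def remove_stats_permissions(org, role, auth_header, env="*"):
    """POST the deny body to the role's permissions resource.
    Assumed endpoint: /organizations/{org}/userroles/{role}/permissions.
    Needs network and a valid Authorization header, so it is not run offline."""
    url = f"{MGMT_BASE}/organizations/{org}/userroles/{role}/permissions"
    req = urllib.request.Request(
        url,
        data=json.dumps(stats_deny_body(env)).encode(),
        headers={"Content-Type": "application/json", "Authorization": auth_header},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def stats_paths_still_readable(role_permissions):
    """Audit a role's permission listing (assumed shape:
    {"resourcePermission": [{"path": ..., "permissions": [...]}]}) and return
    the stats paths that still grant 'get', i.e. the gap the original poster hit."""
    leaks = []
    for entry in role_permissions.get("resourcePermission", []):
        path = entry.get("path", "")
        granted = {p.lower() for p in entry.get("permissions", [])}
        if "/stats/" in path and "get" in granted:
            leaks.append(path)
    return leaks


# Constructed samples: a UI-created role before and after applying the fix from the post
BEFORE = {"resourcePermission": [
    {"path": "/environments/*/stats/*", "permissions": ["get"]},
    {"path": "/applications", "permissions": []},
]}
AFTER = {"resourcePermission": [
    {"path": "/environments/*/stats/*", "permissions": []},
    {"path": "/applications", "permissions": []},
]}

if __name__ == "__main__":
    print("before:", stats_paths_still_readable(BEFORE))  # ['/environments/*/stats/*']
    print("after:", stats_paths_still_readable(AFTER))    # []
```

Run the audit against the real listing after each role change, since a role created in the UI can regain the GET grant if it is edited there again.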