Custom User role with access to only Apigee Audit


Hi,

We want to set up monitoring of the Apigee audit for any unauthorized changes. For this we need to store an Apigee user's username/password so that user can invoke the Management API.

To restrict access, we want to give only audit api access to this user.

I could create custom roles for paths within /v1/organization/<org_name>

But since the audit Management API path is different (/v1/audits/organization/<org_name>), the custom role is not working.

Is this doable?

Thanks,

Jaskaran



Any takers?


Hi @jaskarangump ,

There is a read-only org admin role in Apigee Edge. This role only has read access to the organization and can access the audit logs as well. Try using this role.

Thanks @Vipul Agarwal

It certainly is better than org admin. But as a read-only admin, I can still see the application keys and secrets, which is a concern.

Did anyone find a way to limit the role to only seeing the /audit APIs?

I'm guessing that is not currently possible due to the fact that the API resource paths that can currently be defined in a custom role start after the organization in the URI. The audit APIs for some reason start with /audit/organization/ which would mean that we wouldn't be able to restrict access.

This is still the case I guess, or any workaround known to blacklist audits?

You can create a custom role that only allows read-only access to the audit logs.

You'll need to:

  • Create a new role (via the Management API). Invoke

    POST https://api.enterprise.apigee.com/v1/organizations/{{org}}/userroles

    with the following payload:

    { "role" : [ { "name" : "{{role-name}}" } ] }

  • Use the Management API to add the custom permissions. Invoke

    POST https://api.enterprise.apigee.com/v1/organizations/{{org}}/userroles/{{role-name}}/resourcepermissio...

    with the following payload:

{
    "resourcePermission": [
        {
            "path": "/",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/*",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/userroles",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/audits/user/*",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/audits/organizations/{{org}}",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/organizations/{{org}}/history",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/organizations/{{org}}/userroles",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/audits/organizations/{{org}}/*",
            "permissions": [
                "get"
            ]
        },
        {
            "path": "/v1/organizations/{{org}}/userroles/*/users",
            "permissions": [
                "get"
            ]
        }
    ]
}


(Be sure to replace {{org}} and {{role-name}} with the correct values

  • Assign a user to only this role (via the UI or the Management API).
  • Log in as that user. You should be able to see the audit logs, but not much else in the Admin menu.
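The two Management API calls from this answer, scripted as an added example (not code from the post or from Apigee): it builds the role and resource-permission payloads for a given org and role name, refuses to send a permission set that grants anything but GET, and offers a status check for confirming that the restricted user is denied elsewhere. It assumes the full endpoint name `resourcepermissions` for the truncated URL above, and admin credentials in the APIGEE_USER and APIGEE_PASS environment variables.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from base64 import b64encode

MGMT = "https://api.enterprise.apigee.com/v1/organizations"

# Read-only resources the role grants, taken from the answer above; {org} is filled in.
AUDIT_READ_PATHS = [
    "/", "/*", "/userroles",
    "/v1/audits/user/*",
    "/v1/audits/organizations/{org}",
    "/v1/organizations/{org}/history",
    "/v1/organizations/{org}/userroles",
    "/v1/audits/organizations/{org}/*",
    "/v1/organizations/{org}/userroles/*/users",
]

def role_payload(role):
    return {"role": [{"name": role}]}

def permissions_payload(org):
    return {"resourcePermission": [
        {"path": p.format(org=org), "permissions": ["get"]} for p in AUDIT_READ_PATHS]}

def is_read_only(payload):
    """Guard: True only if every entry grants exactly the GET verb and nothing else."""
    return all(set(rp["permissions"]) == {"get"} for rp in payload["resourcePermission"])

def _post(url, body, auth):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
          headers={"Content-Type": "application/json", "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as r:
        return r.status

def http_status(url, auth):
    """GET url with the given Basic credentials; returns the HTTP status (403 = denied)."""
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code

def create_audit_role(org, role, auth):
    perms = permissions_payload(org)
    if not is_read_only(perms):
        raise ValueError("permission set is not read-only; refusing to create role")
    _post(f"{MGMT}/{org}/userroles", role_payload(role), auth)          # step 1: role
    _post(f"{MGMT}/{org}/userroles/{role}/resourcepermissions", perms, auth)  # step 2: perms

if __name__ == "__main__":
    org, role = sys.argv[1], sys.argv[2]
    creds = b64encode(f"{os.environ['APIGEE_USER']}:{os.environ['APIGEE_PASS']}".encode()).decode()
    create_audit_role(org, role, creds)
```

After assigning a user to the role, call `http_status` with that user's credentials against the audit path (expect 200) and against any app or developer path (expect 403) to confirm the role is as narrow as intended.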

Thanks! I successfully implemented a custom role based on the provided list of resources and was able to call the API to get audit events.