Granting technicians port-level configuration access

Crocker
A model citizen

I'm looking to allow our help desk techs to adjust non-trunk switchports. For example, swapping VLAN assignments when moving different bits of hardware around (phones, desktops, printers, etc.).

 

I see that we can create a switchport tag, and grant that tag the ability to modify switchports. With an API script, I can determine if a port is an Access or Trunk port, and assign the tag appropriately. I see that the switchport tag privilege propagates to all networks, which is great; however, I don't see an immediately obvious way to grant a user (or a SAML role) the privilege across the board. It appears that I have to add this privilege for each network within our organization to that user (or SAML role)?

 

Am I missing something obvious?

RaphaelL
Kind of a big deal

Hi,

 

You would need to update the SAML roles with this endpoint: https://developer.cisco.com/meraki/api-latest/#!get-organization-saml-roles

and: https://developer.cisco.com/meraki/api-latest/#!update-organization-saml-role

The 'get' endpoint returns something like:

 

[{"id":"XXXXX","role":"Read","orgAccess":"read-only","networks":[{"id":"XXXXXXX","access":"switchport","privilegeName":"PORT_PRIVILEGE_NAME"}]}]

 

You would need to repeat the update process for every desired network.

 

Documentation says it 'must' be the 'default roles', but I haven't tried it yet. Since I can 'get' the info that I have tested for a single network, I don't see why I couldn't POST the payload for other networks.

 

 

Good luck!
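
An added example (not part of the original post, and not Cisco's code): one way to build the per-role update body for every desired network, using the `networks` entry shape from the GET output quoted above. The function name, placeholder IDs and sample role are constructed, and whether the update endpoint accepts `switchport` entries is an assumption.

```python
import copy
import json

# Constructed sample shaped like the GET output quoted above; all IDs are placeholders.
SAMPLE_ROLE = {
    "id": "ROLE_ID",
    "role": "Read",
    "orgAccess": "read-only",
    "networks": [
        {"id": "N_1", "access": "switchport", "privilegeName": "PORT_PRIVILEGE_NAME"},
        {"id": "N_2", "access": "full"},
    ],
}


def build_role_update(role, network_ids, privilege_name):
    """Return (body, added, skipped) for one SAML role (hypothetical helper).

    Networks that already have an entry are never overwritten, so an existing
    grant is not silently changed. Entries that differ from the requested
    privilege are reported in `skipped` for manual review.
    """
    networks = copy.deepcopy(role.get("networks", []))
    existing = {n["id"]: n for n in networks}
    added, skipped = [], []
    for net_id in sorted(set(network_ids)):
        if net_id in existing:
            if existing[net_id].get("privilegeName") != privilege_name:
                skipped.append(net_id)
            continue
        # Entry shape copied from the GET response; acceptance on update is assumed.
        networks.append({"id": net_id, "access": "switchport",
                         "privilegeName": privilege_name})
        added.append(net_id)
    # The role id travels in the URL, so it is left out of the body.
    body = {"role": role["role"], "orgAccess": role["orgAccess"], "networks": networks}
    return body, added, skipped


if __name__ == "__main__":
    body, added, skipped = build_role_update(
        SAMPLE_ROLE, ["N_1", "N_2", "N_3"], "PORT_PRIVILEGE_NAME")
    print(json.dumps(body, indent=2))
    print("added:", added, "needs review:", skipped)
```

Review the `skipped` list before sending anything: those networks already carry a different grant for the role.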

Crocker
A model citizen

I'll give that a try and see how it plays, good suggestion.

 

Honestly was hoping I could use a network tag to tie the switchport modify privileges to a subset of networks to put a nice little bow on this, but when I try to do that I don't see the switchport access tag as an option...bummer.

RaphaelL
Kind of a big deal

Yep! This is a real bummer!

I tried to attach a network tag to a port privilege in the past and it wasn't available (and still not available to this day, sadly).

Crocker
A model citizen

Took a swing at this this morning, and all I'm getting when I try to PUT against the endpoint as documented (https://developer.cisco.com/meraki/api-latest/#!update-organization-saml-role) is either 400 Bad Request or "There was a problem with the JSON you submitted".

 

I may be doing something wrong but...I dunno. Just for grins, I copied a Request Body example, generated with the form from the endpoint documentation, using just the default values (read-only for org, full access for network) and it just blows up. Curious.
