API Network Authorization security problem

Here to help


Hi,

   I created a new user which has access only to a test network, and using the API I cannot list networks because the generated API key does not have organization access, so it cannot list the networks in the organization. But if I give Organization Read access to this user, I can list ALL the networks and I could read, for example, the firewall configuration of every network, as the user has read access, although I specified access to only one network.


I think this is a big problem for every external application using the API in terms of security, as it is not possible to give access to only one network without giving organization read access.

3 REPLIES
Meraki Employee

Re: API Network Authorization security problem

This is how the Org and Network level was designed to operate. My solution to your particular situation was to write an API script that an Org Admin runs which creates a CSV file of all the available network IDs for a Network Admin. The Network Admin can then use this CSV file for making API calls to all the Networks that they have rights to.
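The workflow the reply describes (an Org Admin exports the network IDs a given Network Admin is entitled to, so that admin never needs org-level read access to discover them) as an added example. This is not the employee's script and not Meraki's own code; it targets the Dashboard API v1 endpoints GET /organizations/{organizationId}/networks and GET /organizations/{organizationId}/admins with the X-Cisco-Meraki-API-Key header, and the sample payloads, admin e-mails and network IDs are constructed stand-ins so it runs offline:

```python
"""
Org-Admin-side export: build a CSV of the network IDs a Network Admin
may use, from the organization's own admin and network listings.

Added example (not from the Meraki Community thread or Meraki itself).
Assumptions: Dashboard API v1 base URL and endpoints below; the admin
objects carry "orgAccess" and "networks": [{"id", "access"}] as the
/admins endpoint returns them. All sample data is constructed.
"""
import csv
import io
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # Meraki Dashboard API v1


def get_json(api_key: str, path: str):
    """GET a Dashboard API path with an Org Admin's key and decode the JSON.
    Live use only; the offline example below never calls this. Responses
    larger than one page are linked via the HTTP Link header, which this
    minimal helper does not follow."""
    req = urllib.request.Request(
        f"{BASE_URL}{path}",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed stand-in for GET /organizations/{orgId}/networks.
SAMPLE_NETWORKS = [
    {"id": "N_111", "name": "Test Lab", "organizationId": "O_1"},
    {"id": "N_222", "name": "HQ", "organizationId": "O_1"},
    {"id": "N_333", "name": "Branch-Paris", "organizationId": "O_1"},
]

# Constructed stand-in for GET /organizations/{orgId}/admins. The first
# admin is the thread's case: no org access, one network granted.
SAMPLE_ADMINS = [
    {"email": "netadmin@example.com", "orgAccess": "none",
     "networks": [{"id": "N_111", "access": "full"}]},
    {"email": "orgadmin@example.com", "orgAccess": "full", "networks": []},
]


def networks_for_admin(networks, admins, admin_email):
    """Return the org networks that admin_email is entitled to.

    Org-level 'full' or 'read-only' grants visibility of every network,
    which is exactly what the original poster objected to; an admin with
    orgAccess 'none' gets only the networks explicitly assigned to them."""
    admin = next((a for a in admins
                  if a["email"].lower() == admin_email.lower()), None)
    if admin is None:
        raise KeyError(f"no admin with e-mail {admin_email}")
    if admin.get("orgAccess") in ("full", "read-only"):
        return list(networks)
    granted = {n["id"] for n in admin.get("networks", [])}
    return [n for n in networks if n["id"] in granted]


def networks_to_csv(networks) -> str:
    """Render the selected networks as CSV text (id,name,organizationId)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name", "organizationId"],
                            extrasaction="ignore")
    writer.writeheader()
    for n in networks:
        writer.writerow(n)
    return buf.getvalue()


def export_for_admin(api_key, org_id, admin_email, out_path):
    """Live variant: fetch with the Org Admin's key and write the CSV file
    that is handed to the Network Admin."""
    networks = get_json(api_key, f"/organizations/{org_id}/networks?perPage=1000")
    admins = get_json(api_key, f"/organizations/{org_id}/admins")
    selected = networks_for_admin(networks, admins, admin_email)
    with open(out_path, "w", newline="") as fh:
        fh.write(networks_to_csv(selected))
    return selected


if __name__ == "__main__":
    # Offline run on the constructed data: only N_111 is exported.
    chosen = networks_for_admin(SAMPLE_NETWORKS, SAMPLE_ADMINS,
                                "netadmin@example.com")
    print(networks_to_csv(chosen), end="")
```

The Network Admin then iterates over the `id` column and calls network-scoped endpoints (for example GET /networks/{networkId}) with their own key, which the reply in this thread says carries only the rights that admin has in the Dashboard. The export itself must run under an Org Admin key; that key should stay on the Org Admin's side and never be handed to the Network Admin.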

Here to help

Re: API Network Authorization security problem

I do not think it is a good practice to have a batch scanning of network/organization IDs. I think the API ACL should be better organized, because if I have access to only a network I should be able to perform any kind of operation on that network without security flaws on other networks.

Meraki Employee

Re: API Network Authorization security problem

An Admin's API key is tied to THAT Admin's Dashboard account and only has the same access rights as to what they can do via the Dashboard UI.  This avoids having to use any API ACLs to control access rights.  Because of this, Network Admins do not have access to "batch scanning".  Only Org Admins can see the other Network Admin's networks.
