API Security

Kenneth
Getting noticed

So...

In Meraki the API keys are connected to the user; the user has to be added in the dashboard to gain access. Inherently some form of access credentials must be combined with the user in the dashboard. It would seem that these credentials do not apply to the API requests that also follow the user. Am I correct in assuming the following:

Organization A adds user "Security@risk.biz" in their organization and adds API credentials so that this user can use the API.

Organization B adds user "Security@risk.biz" in their organization, but limits the dashboard user to <read only> to restrict this user. They have already enabled API access for other users that are OK.

Now user "Security@risk.biz" can run POST/GET/LIST etc. commands through the API and have full control of Organization B's Meraki portal, although that was never the intention?

1 Reply
AutomationDude
Building a reputation

Meraki is aware of this, and the API will return an error if you try to make a POST/PUT call into an organization where you don't have full access.

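One way to verify the per-organization role before issuing any write, as an added example that is not part of this thread and not Meraki's own tooling: it lists the organizations the key can reach with GET /organizations, looks up the dashboard role ("orgAccess") of a given admin email in each organization's GET /organizations/{id}/admins response, and then refuses writes to any organization where that role is not "full". It assumes the caller knows which dashboard email the key belongs to and that the admin list is readable from that key (a 403 there is recorded as "unknown"). The `fake_dashboard` function is constructed sample data reproducing the Org A / Org B scenario from the question, so the script runs offline; `meraki_request` is the real HTTP path.

```python
"""Audit which Meraki organizations an API key holds 'full' access in.

Added example for the discussion above; endpoint paths and field names
follow the Meraki Dashboard API v1 (/organizations, /organizations/{id}/admins,
'email', 'orgAccess'). The fake_dashboard data below is constructed.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def meraki_request(api_key, method, path, body=None):
    """Minimal Dashboard API call; returns (HTTP status, decoded JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("X-Cisco-Meraki-API-Key", api_key)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def audit_org_access(api_key, admin_email, request=meraki_request):
    """Map organization id -> {'name', 'orgAccess'} for admin_email.

    orgAccess is the dashboard role reported for that email in each
    organization's admin list ('full', 'read-only', ...), or 'unknown' when
    the email is absent or the admin list cannot be read with this key.
    """
    status, orgs = request(api_key, "GET", "/organizations")
    if status != 200 or not isinstance(orgs, list):
        raise RuntimeError(f"GET /organizations failed with HTTP {status}")
    report = {}
    for org in orgs:
        status, admins = request(api_key, "GET", f"/organizations/{org['id']}/admins")
        role = "unknown"
        if status == 200 and isinstance(admins, list):
            for admin in admins:
                # Dashboard emails are case-insensitive, so compare lower-cased.
                if admin.get("email", "").lower() == admin_email.lower():
                    role = admin.get("orgAccess", "unknown")
                    break
        report[org["id"]] = {"name": org["name"], "orgAccess": role}
    return report


def guarded_write(api_key, org_id, path, body, report, request=meraki_request):
    """Only send a PUT when the audit recorded 'full' access for org_id.

    If a write is attempted anyway the API's own refusal (non-2xx) is returned,
    which is the behaviour the reply above describes.
    """
    role = report.get(org_id, {}).get("orgAccess")
    if role != "full":
        return False, f"skipped: role in org {org_id} is {role!r}, not 'full'"
    status, _ = request(api_key, "PUT", path, body)
    return 200 <= status < 300, f"HTTP {status}"


def fake_dashboard(api_key, method, path, body=None):
    """Constructed stand-in for the API: Org A grants 'full', Org B 'read-only',
    and Org B rejects writes with 403 as the reply states."""
    if method == "GET" and path == "/organizations":
        return 200, [{"id": "1", "name": "Org A"}, {"id": "2", "name": "Org B"}]
    if method == "GET" and path == "/organizations/1/admins":
        return 200, [{"email": "security@risk.biz", "orgAccess": "full"}]
    if method == "GET" and path == "/organizations/2/admins":
        return 200, [{"email": "Security@risk.biz", "orgAccess": "read-only"}]
    if method == "PUT" and path.startswith("/organizations/1"):
        return 200, {"id": "1", "name": body.get("name") if body else "Org A"}
    if method == "PUT":
        return 403, None
    return 404, None


if __name__ == "__main__":
    # Replace fake_dashboard with meraki_request (the default) to run for real.
    audit = audit_org_access("example-key", "Security@risk.biz", request=fake_dashboard)
    for org_id, info in audit.items():
        print(org_id, info["name"], info["orgAccess"])
    print(guarded_write("example-key", "2", "/organizations/2",
                        {"name": "Org B"}, audit, request=fake_dashboard))
```

Run against the real API by passing a key and dropping the `request=fake_dashboard` argument; the audit is read-only, so it is safe to run before any automation that writes across multiple organizations.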