So...
In Meraki the API keys are connected to the user; the user has to be added in the dashboard to gain access. Inherently some form of access credentials must be combined with the user in the dashboard. It would seem that these credentials do not apply to the API requests that also follow the user. Am I correct in assuming the following:
Organization A adds user "Security@risk.biz" in their organization, and adds API credentials so that this user can use the API.
Organization B adds user "Security@risk.biz" in their organization, but limits the dashboard user to <read only> to limit this user. They have already enabled API access for other users that are OK.
Now user "Security@risk.biz" can run POST/GET/LIST etc. commands through the API and have full control of Organization B's Meraki portal, although that was never the intention?