Meraki

Community

Given an API key, how should we determine whether it is read-only?

Solved
david_n_m_bond
Building a reputation
‎Sep 10 2023 7:21 AM
‎Sep 10 2023 7:21 AM

Given an API key, how should we determine whether it is read-only?

Let's say I have an API key and need to determine whether it is read-only.

 

What is the approved way of doing so via the API, without making a call to change something and then putting it back as you found it?

Author, https://www.nuget.org/packages/Meraki.Api/
0 Kudos
1 Accepted Solution
daniel_abbatt
Getting noticed
‎Sep 11 2023 12:38 AM
‎Sep 11 2023 12:38 AM

You can make a call to the identities endpoint to see which user is associated with the current API key

https://developer.cisco.com/meraki/api-v1/get-administered-identities-me/

 

Then you can use that email to correlate with the admins endpoint and see what orgAccess you have.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 

As noted already, there may be further restrictions on what you can do in a particular network, i.e. with cameras.

View solution in original post

8 Replies 8
Alisdair85
Getting noticed
‎Sep 10 2023 7:36 AM
‎Sep 10 2023 7:36 AM

A hard and fast way I can think of would be to make a call to the access control settings of an SSID that is configured for PSK, if you see the PSK in clear text you have a RW key if you don't you have an RO key

 

This is after a recent security change Meraki Engineering did. 

In response to Alisdair85
david_n_m_bond
Building a reputation
‎Sep 10 2023 12:40 PM
‎Sep 10 2023 12:40 PM

Understood, but relies on PSK being enabled.  It would be good if there was a direct call or information in the authentication response.

Author, https://www.nuget.org/packages/Meraki.Api/
0 Kudos
In response to david_n_m_bond
Alisdair85
Getting noticed
‎Sep 10 2023 1:39 PM
‎Sep 10 2023 1:39 PM

Just thinking outside the box you could try the below to gain this info

 

  1. Make any test GET call 
  2. Query https://developer.cisco.com/meraki/api-v1/get-organization-api-requests
  3. Obtain the "adminId" of the test GET call in Step 1
  4. Query the following to get what access level the "adminId" has https://developer.cisco.com/meraki/api-v1/get-organization-admins
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 10 2023 4:43 PM
‎Sep 10 2023 4:43 PM

Hmm.  This is quite a tricky question, because of the combinations.

 

You could have read-only org access, but write access to one network.  You can even have "none" org access.

You could of course have org-level write access.

What happens with camera only admins - that have no org access, and only camera access.

 

0 Kudos
In response to PhilipDAth
david_n_m_bond
Building a reputation
‎Sep 10 2023 6:19 PM
‎Sep 10 2023 6:19 PM

Is there a way to enumerate these permissions?  In other cloud APIs, there are ways for "SuperAdmins" to query the full set of permissions assigned, for security reporting/auditing purposes.

Author, https://www.nuget.org/packages/Meraki.Api/
0 Kudos
In response to david_n_m_bond
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 10 2023 7:31 PM
‎Sep 10 2023 7:31 PM

This should get most of it.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/ 

0 Kudos
sungod
Kind of a big deal
‎Sep 11 2023 12:29 AM
‎Sep 11 2023 12:29 AM

If you have the key, presumably you know the owner, so as above you can use https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 to find permissions.

 

If you don't know the owner, it isn't so easy as the keys are effectively personal info and anyone with a direct login can create a couple. I wish there were a better approach to key management, at least for MSPs.

 

As @PhilipDAth points out, you have to test each network to be sure a key isn't read-write on just a subset of the org.

 

One way to test the key could be to iterate through all networks doing...

https://developer.cisco.com/meraki/api-v1/get-network/

...then try to write back the same info with...

https://developer.cisco.com/meraki/api-v1/update-network/

...I think this would work with both SM and  device networks, even if they have no devices.

0 Kudos
daniel_abbatt
Getting noticed
‎Sep 11 2023 12:38 AM
‎Sep 11 2023 12:38 AM

You can make a call to the identities endpoint to see which user is associated with the current API key

https://developer.cisco.com/meraki/api-v1/get-administered-identities-me/

 

Then you can use that email to correlate with the admins endpoint and see what orgAccess you have.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 

As noted already, there may be further restrictions on what you can do in a particular network, i.e. with cameras.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.