Given an API key, how should we determine whether it is read-only?

Solved
david_n_m_bond
Building a reputation

Given an API key, how should we determine whether it is read-only?

Let's say I have an API key and need to determine whether it is read-only.

 

What is the approved way of doing so via the API, without making a call to change something and then putting it back as you found it?

Author, https://www.nuget.org/packages/Meraki.Api/
1 Accepted Solution
daniel_abbatt
Getting noticed

You can make a call to the identities endpoint to see which user is associated with the current API key

https://developer.cisco.com/meraki/api-v1/get-administered-identities-me/

 

Then you can use that email to correlate with the admins endpoint and see what orgAccess you have.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 

As noted already, there may be further restrictions on what you can do in a particular network, i.e. with cameras.

View solution in original post

8 Replies 8
Alisdair85
Getting noticed

A hard and fast way I can think of would be to make a call to the access control settings of an SSID that is configured for PSK, if you see the PSK in clear text you have a RW key if you don't you have an RO key

 

This is after a recent security change Meraki Engineering did. 

david_n_m_bond
Building a reputation

Understood, but relies on PSK being enabled.  It would be good if there was a direct call or information in the authentication response.

Author, https://www.nuget.org/packages/Meraki.Api/
Alisdair85
Getting noticed

Just thinking outside the box you could try the below to gain this info

 

  1. Make any test GET call 
  2. Query https://developer.cisco.com/meraki/api-v1/get-organization-api-requests
  3. Obtain the "adminId" of the test GET call in Step 1
  4. Query the following to get what access level the "adminId" has https://developer.cisco.com/meraki/api-v1/get-organization-admins
PhilipDAth
Kind of a big deal
Kind of a big deal

Hmm.  This is quite a tricky question, because of the combinations.

 

You could have read-only org access, but write access to one network.  You can even have "none" org access.

You could of course have org-level write access.

What happens with camera only admins - that have no org access, and only camera access.

 

david_n_m_bond
Building a reputation

Is there a way to enumerate these permissions?  In other cloud APIs, there are ways for "SuperAdmins" to query the full set of permissions assigned, for security reporting/auditing purposes.

Author, https://www.nuget.org/packages/Meraki.Api/
PhilipDAth
Kind of a big deal
Kind of a big deal

sungod
Kind of a big deal

If you have the key, presumably you know the owner, so as above you can use https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 to find permissions.

 

If you don't know the owner, it isn't so easy as the keys are effectively personal info and anyone with a direct login can create a couple. I wish there were a better approach to key management, at least for MSPs.

 

As @PhilipDAth points out, you have to test each network to be sure a key isn't read-write on just a subset of the org.

 

One way to test the key could be to iterate through all networks doing...

https://developer.cisco.com/meraki/api-v1/get-network/

...then try to write back the same info with...

https://developer.cisco.com/meraki/api-v1/update-network/

...I think this would work with both SM and  device networks, even if they have no devices.

daniel_abbatt
Getting noticed

You can make a call to the identities endpoint to see which user is associated with the current API key

https://developer.cisco.com/meraki/api-v1/get-administered-identities-me/

 

Then you can use that email to correlate with the admins endpoint and see what orgAccess you have.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/

 

As noted already, there may be further restrictions on what you can do in a particular network, i.e. with cameras.

Get notified when there are additional replies to this discussion.