Given an API key, how should we determine whether it is read-only?

SOLVED
david_n_m_bond
Building a reputation

Let's say I have an API key and need to determine whether it is read-only.
What is the approved way of doing so via the API, without making a call to change something and then putting it back as you found it?

Author, https://www.nuget.org/packages/Meraki.Api/
1 ACCEPTED SOLUTION
daniel_abbatt
Getting noticed

You can make a call to the identities endpoint to see which user is associated with the current API key

https://developer.cisco.com/meraki/api-v1/get-administered-identities-me/
Then you can use that email to correlate with the admins endpoint and see what orgAccess you have.

https://developer.cisco.com/meraki/api-v1/get-organization-admins/
As noted already, there may be further restrictions on what you can do in a particular network, i.e. with cameras.
Alisdair85
Here to help

A hard and fast way I can think of would be to make a call to the access control settings of an SSID that is configured for PSK: if you see the PSK in clear text you have an RW key; if you don't, you have an RO key.

This is after a recent security change Meraki Engineering did.

Understood, but that relies on PSK being enabled. It would be good if there was a direct call or information in the authentication response.

Author, https://www.nuget.org/packages/Meraki.Api/

Just thinking outside the box, you could try the below to gain this info:

  1. Make any test GET call.
  2. Query https://developer.cisco.com/meraki/api-v1/get-organization-api-requests
  3. Obtain the "adminId" of the test GET call in Step 1.
  4. Query the following to get what access level the "adminId" has: https://developer.cisco.com/meraki/api-v1/get-organization-admins
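As an added example (not code from this thread, the Meraki.Api package, or Cisco), the script below combines the accepted identities/admins approach with the correlation the steps above describe: it resolves the identity behind the key, matches that email against the organisation's admin list, and reports whether any write access exists at org, network or tag level without issuing a single write. The organisation ID is assumed to be known, the endpoint paths and field names (orgAccess, networks[].access, tags[].access) are those documented for Dashboard API v1, and the sample admin records are constructed.

```python
"""Classify a Meraki API key as read-only or not, using only GET calls.

Follows the accepted answer: GET /administered/identities/me gives the
email behind the key, GET /organizations/{orgId}/admins gives each admin's
orgAccess plus per-network and per-tag grants. Sample data is constructed.
"""
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"   # Dashboard API v1 base URL


def _get(api_key, path):
    """Minimal authenticated GET; v1 accepts a Bearer token."""
    req = urllib.request.Request(BASE + path,
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify_admin(admins, email):
    """Return the access held by `email`, or None if it is not an org admin.

    orgAccess alone is not enough (PhilipDAth's point): an admin with
    read-only or even "none" org access may still hold full access on
    individual networks or on tags (e.g. camera-only admins).
    """
    for admin in admins:
        if (admin.get("email") or "").lower() != email.lower():
            continue
        org = admin.get("orgAccess", "none")
        net_write = [n["id"] for n in admin.get("networks", []) if n.get("access") == "full"]
        tag_write = [t["tag"] for t in admin.get("tags", []) if t.get("access") == "full"]
        return {
            "orgAccess": org,
            "org_read_only": org == "read-only",
            "write_anywhere": org not in ("read-only", "none") or bool(net_write) or bool(tag_write),
            "network_write": net_write,
            "tag_write": tag_write,
        }
    return None


def key_access(api_key, org_id):
    """Live version: identity lookup, then admin correlation (no writes)."""
    me = _get(api_key, "/administered/identities/me")
    admins = _get(api_key, f"/organizations/{org_id}/admins")
    return classify_admin(admins, me["email"])


# Constructed sample of what the admins endpoint returns, for offline use.
SAMPLE_ADMINS = [
    {"id": "1", "email": "ro@example.com", "orgAccess": "read-only", "networks": [], "tags": []},
    {"id": "2", "email": "mixed@example.com", "orgAccess": "read-only",
     "networks": [{"id": "N_1", "access": "full"}], "tags": []},
    {"id": "3", "email": "cam@example.com", "orgAccess": "none", "networks": [],
     "tags": [{"tag": "cameras", "access": "full"}]},
]
```

A key whose identity email is missing from the admin list (classify_admin returns None) is a case to report rather than treat as read-only, since it means the admins endpoint did not explain the key at all.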
PhilipDAth
Kind of a big deal

Hmm. This is quite a tricky question, because of the combinations.

You could have read-only org access, but write access to one network. You can even have "none" org access.

You could of course have org-level write access.

What happens with camera-only admins that have no org access, and only camera access?

Is there a way to enumerate these permissions? In other cloud APIs, there are ways for "SuperAdmins" to query the full set of permissions assigned, for security reporting/auditing purposes.

Author, https://www.nuget.org/packages/Meraki.Api/
sungod
Head in the Cloud

If you have the key, presumably you know the owner, so as above you can use https://developer.cisco.com/meraki/api-v1/get-organization-admins/ to find permissions.


If you don't know the owner, it isn't so easy as the keys are effectively personal info and anyone with a direct login can create a couple. I wish there were a better approach to key management, at least for MSPs.
As @PhilipDAth points out, you have to test each network to be sure a key isn't read-write on just a subset of the org.
One way to test the key could be to iterate through all networks doing...

https://developer.cisco.com/meraki/api-v1/get-network/

...then try to write back the same info with...

https://developer.cisco.com/meraki/api-v1/update-network/

...I think this would work with both SM and device networks, even if they have no devices.
