API Network Authorization security problem

webfrank

Hi,

I created a new user which has access to only a test network, and using the API I cannot access the network listing, as the API key generated does not have organization access, so it cannot list networks in the organization. But if I give Organization Read access to this user, I can list ALL the networks and I could read, for example, the firewall configuration on every network, as the user has read access although I specified access to only one network.


I think this is a big problem for every external application using the API in terms of security, as it is not possible to give access to only one network without giving organization read access.

Avis
Meraki Employee

This is how the Org and Network level was designed to operate. My solution to your particular situation was to write an API script that an Org Admin runs which creates a CSV file of all the available network IDs for a Network Admin. The Network Admin can then use this CSV file for making API calls to all the Networks that they have rights to.
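An added example of the kind of Org Admin script described above (written for this thread, not Avis's script or Meraki's code): it reads the organization's admins and networks with the Meraki Dashboard API v1 endpoints /organizations/{orgId}/admins and /organizations/{orgId}/networks, assumes the documented response fields (orgAccess, networks[].id and networks[].access), and writes a CSV of only the network IDs a given Network Admin is entitled to. The sample data is constructed; an admin holding org-level access is flagged, since that is exactly the over-broad grant the question is about.

```python
"""Build a per-admin network list from Org Admin API data (added example)."""
import csv
import io
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"  # Dashboard API v1 base URL


def fetch(path, api_key):
    """GET a v1 endpoint with the Org Admin's key (live use only; not run offline)."""
    req = urllib.request.Request(BASE + path, headers={"X-Cisco-Meraki-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def networks_for_admin(admins, networks, email):
    """Return [(network_id, name, access)] that the admin with `email` may reach.

    An admin with orgAccess other than "none" implicitly reaches every network;
    that case is tagged 'org:<level>' so the reviewer sees the broad grant.
    """
    admin = next((a for a in admins if a["email"].lower() == email.lower()), None)
    if admin is None:
        raise KeyError(f"no admin with email {email}")
    org_level = admin.get("orgAccess", "none")
    if org_level != "none":
        return [(n["id"], n["name"], "org:" + org_level) for n in networks]
    names = {n["id"]: n["name"] for n in networks}
    return [(g["id"], names.get(g["id"], "?"), g["access"])
            for g in admin.get("networks", [])]


def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["network_id", "name", "access"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data shaped like the two API responses (assumed field names).
SAMPLE_ADMINS = [
    {"email": "org@example.com", "orgAccess": "read-only", "networks": []},
    {"email": "net@example.com", "orgAccess": "none",
     "networks": [{"id": "N_1", "access": "full"}]},
]
SAMPLE_NETWORKS = [{"id": "N_1", "name": "Test"}, {"id": "N_2", "name": "HQ"}]

if __name__ == "__main__":
    print(to_csv(networks_for_admin(SAMPLE_ADMINS, SAMPLE_NETWORKS, "net@example.com")))
```

For live use, replace the sample lists with fetch("/organizations/<orgId>/admins", key) and fetch("/organizations/<orgId>/networks", key) run under an Org Admin key; the Network Admin only ever receives the resulting CSV.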

webfrank

I do not think it is good practice to have a batch scanning of network/organization IDs. I think the API ACL should be better organized, because if I have access to only a network I should be able to perform any kind of operation on that network without security flaws on other networks.

Avis
Meraki Employee

An Admin's API key is tied to THAT Admin's Dashboard account and only has the same access rights as what they can do via the Dashboard UI. This avoids having to use any API ACLs to control access rights. Because of this, Network Admins do not have access to "batch scanning". Only Org Admins can see the other Network Admins' networks.
