Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.

REST-API: It should be possible to give users "read only" access rights for UCMDB REST-API

Idea ID 2808039

REST-API: It should be possible to give users "read only" access rights for UCMDB REST-API

When using the UCMDB REST-API it should be possible to give users "read only" access rights. Currently you need an integration user with "server administration privilege" for that.

20 Comments
Commodore
Commodore

From a security perspective there is a need to restrict the ability of an API (REST, SOAP, JavaAPI) integration from performing write / modify operations to UCMDB Data unless specifically required.  A more granular ACL capability would be better, but Read-Write/Read-Only as a minimum. secuity control.

Micro Focus Expert
Micro Focus Expert
Status changed to: Waiting for Votes

The idea has received an initial review to ensure adherence to our idea submission and community guidelines. More information may be needed at this stage and we expect the community to help prioritize the idea with comments and voting

Cadet 3rd Class
Cadet 3rd Class

New or Quiet Member..

Micro Focus Expert
Micro Focus Expert
Status changed to: Under Consideration

This idea received enough votes and comments from the community and been reviewed by Micro Focus for strategic fit. These ideas are continually monitored and considered for prioritization in our development planning.

Commodore Commodore
Commodore

We need this to work for 10.33 and up.

Micro Focus Expert
Micro Focus Expert

Have you checked to determine if the DataConsumer permission would work for this request?

https://docs.microfocus.com/itom/Universal_CMDB:11.0/admin/RolesMan_r_Permissions_summary

If you assign this role to the API user, they should have read-only permissions for the CIs and resources.

Micro Focus Expert
Micro Focus Expert

Hello, 

i think we need to have a read only access role for integration users using apis restapis.... 

Example:    yesterday    customer asked support to   pull data of ucmdb   to splunk.    More in detail what they need is the details of the servers, there main ips  and location info    of the servers to match  l with logs info  that  Splunk  is analyzing. 

So for now i gave the customer the    discovery and integration admin role to the user that is  pulling data from ucmdb. But   it would be strongly needed to have a readonly role   to avoid potential issues.   I would say this is a very important feature to be built 

 

 

 

 

 

 

 

 

 

 

Micro Focus Expert
Micro Focus Expert

There is another idea that is similiar to this - https://community.microfocus.com/t5/CMS-Idea-Exchange/Ability-to-define-an-API-account-as-Read-Only/idi-p/1654450

Please look at this to see if it's the same as you're requesting.

Additionally, the way the REST api works is that it uses the integration user to establish the connection (you shouldn't change this user at all).  But the role of the user actually authenticating to the REST API would be the role that is used to determine the rights of access for the data being collected by the REST API.  You could set up the user's role to have the required access (or lack thereof).  Would this approach work for you?

Micro Focus Expert
Micro Focus Expert

Bill,   so the similar idea , yes it is ok  the same need. 

The documentation says nothing at all about the user   credentials  for the restapi queries. 

So i   defined a local  user and granted the role of discovery and integration  admin  (the one that is availble).  

 

Frankly i do not want to spend hours trying to set the exact   grants  for the read only user.  This is something that is product side.   

I want to see in the available roles   one that says read only user for Rest or for whatever....  and use it.  And the fact that this idea is there since 9 months makes me  "more" willing to give other  ideas as this one is really no discussion and it is sitll in the middle of nowhere... 

Have a  nice week end 

Lorenzo

Micro Focus Contributor
Micro Focus Contributor
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.