REST API config read-only

[sltn]

Hi there, we like to retrieve some info from the REST API and for security reasons we configured an API user with read-only access. If we configure the user with Authorization Level "Admin" everything works fine. However, if we choose Authorization Level "User" we cannot access the CCM information.

A "User" can retrieve data from this API endpoint:
https://nagiosxi.company.local/nagiosxi ... apikey=xxx

But not from this endpoint:
https://nagiosxi.company.local/nagiosxi ... apikey=xxx
{
"error": "Authenticiation failed."
}

This is not what we expected, since we provided these settings:


Is this something which can be changed?

[scottwilkerson]

No, unfortunately this is not possible.

From the Config Reference section of the API documentation:

This API section is admin only.

[sltn]

No, unfortunately this is not possible.

Hi Scott, thank you for the replly. Is this something for the future perhaps?

[scottwilkerson]

I can add a feature request, but there is no guarantee it will be included in future versions, that would ultimately be a decision for the Principal Software Architect.

[sltn]

I can add a feature request

That sounds good. A security improvement in the API should be a useful addition, so I can imagine the PSA will understand that.
Maybe we could ask for "API: GET-only for non-admin users with CCM read-only rights". This might be easier to achieve than an complete RBAC solution for API.

[scottwilkerson]

I'll add that to the request