- After upgrading our Cisco Prime to 3.1 (3.1.6 to be exact) from 3.0.4, any calls we make to /InventoryDetails (webacs/api/v1/data/InventoryDetails) return 403 - Forbidden.
- The same user with the same rights can without issue call webacs/api/v1/data/Devices as before.
- The error message returned in the response is:
- Access is denied to Prime Infrastructure.
Are you using an external AAA provider (TACACS, for example)? Is it just InventoryDetails that you're having a problem with, or are you experiencing the same issue with other public API resources? What type of user are you using to query the API (root, Super, NBI Read)?
- using an external provider (TACACS+) for login.
We are only querying /Devices and /InventoryDetails for now. The script we have to scrape the general inventory (/Devices) works as before, whereas the one used to scrape the network topology (/InventoryDetails) fails. I have verified it by hand using PowerShell and by browsing to the API endpoint directly in Chrome.
The user is a member of "NBI Read".
The user is able to read the information (CDP Neighbors) when browsed via the WebGui.
Can you double-check your ACS shell profile and authorization config? Your shell profile should look something like this:
role0=NBI Read
task0=NBIReadPrivilege
virtual-domain0=ROOT-DOMAIN
You might also want to check the reporting section on your ACS server. Specifically, the TACACS Authentication report. Click the details button of one of your most recent API sessions and ensure that the selected shell profile listed matches your expectations.
There is an explicit privilege grant in the system for the Devices API for a broad set of users, so it's likely that you're granted access to Devices based on that privilege.