HPE IMC-RS permission

DCTK · ‎10-22-2020

Hello
We are implementing integration between HPE IMC and Zabbix via IMC-RS Rest API, and we would like to limit what IMC-RS commands IMC operator, used by Zabbix, could access. In IMC-RS documentation I've found this:
<...>
By default, an operator can use all RESTful services offered by iMC-RS, regardless of the
operation rights restricted by the group to which the operator belongs.
<...>
Based on this, I guess there should be some way to configure what IMC-RS services are available to operator, but haven't found a way to configure this.
Is this possible?

IMC version: E0703

Thank you.

jguse · ‎10-23-2020

Hello,

I think the way that it's described as "by default" might lead you to think it's possible to restrict the API, but there is no such option. It's only possible to restrict access to the API in the sense that you can prevent the operator from executing any requests that modify iMC.

See this question in the FAQ of API docs:

Why error code 403 is returned when a service of the PUT/POST/DELETE operation type is called but the GET service can be correctly called?

To ensure data security, the RESTful web services framework allows only operators with the privilege to call RESTful Web Services Call to access services of the PUT/POST/DELETE operation type.

This is the only restriction you could implement, and it is done by creating a new Operator Group (System > Operator Management > Operator Group) without the privilege of System - Resource Management > RESTful Web Services Call. Then you add your API operator to that operator group, and it will no longer be able to modify anything.

It's either that, or full API access - even if you restrict access to other features in the Operator Group, this will only affect the GUI access when the operator logs in, and not the API.

Best regards,
Justin

Working @ HPE

HPE IMC-RS permission

HPE IMC-RS permission

Re: HPE IMC-RS permission

Hewlett Packard Enterprise International