DataPower

  • 1.  Failing to set up REST-only access policies for a specific User Account

    Posted Wed February 21, 2024 08:21 AM

    I am not able to set up User Group access policies so a specific user can only access the REST management interface. I am able to grant all access, and in that case the REST interface works fine. But when I restrict access to the REST Login and REST Management resources I get authentication failures and/or empty responses.

    Does anyone know how to correctly set this up using the access policies of the Group Account to make this work?



    ------------------------------
    John Gouw
    ------------------------------


  • 2.  RE: Failing to set up REST-only access policies for a specific User Account

    Posted Thu February 22, 2024 05:34 AM

    Hi John,

    You can explicitly deny access to specific interface types in RBM by using an access policy with Access=NONE, for example:

    usergroup: nosshorweb [up] 
    -------------------
     admin-state enabled 
     access-policy */*/*?Access=r+w+a+d+x 
     access-policy */*/login/ssh?Access=NONE 
     access-policy */*/login/web-mgmt?Access=NONE 

    Alternatively, you can grant a minimal access policy for the specific resources you need. The example below permits logging in only using REST to query the system settings (GET /mgmt/config/default/SystemSettings) and the firmware version (GET /mgmt/status/default/FirmwareVersion3):

    usergroup: restsysteminfo [up]
    -------------------------
     admin-state enabled 
     access-policy */*/login/rest-mgmt?Access=r 
     access-policy */*/status/firmware-version?Access=r 
     access-policy */*/system/system?Access=r 

    Kind regards,

    Jamie



    ------------------------------
    Jamie Squibb
    IBM MQ Development
    ------------------------------



  • 3.  RE: Failing to set up REST-only access policies for a specific User Account

    Posted Thu February 22, 2024 09:07 AM

    Thanks for the quick and helpful response. The login restriction works fine for our use case. I've set it up and it works. If needed later I'll go for the fine-tuned policy.

    NOTE: I would have expected the automatically built access policy to have worked: */*/mgmt/rest-mgmt?Access=r+w+a+d+x

    Best regards,

    John



    ------------------------------
    John Gouw
    ------------------------------



  • 4.  RE: Failing to set up REST-only access policies for a specific User Account

    Posted Thu February 22, 2024 09:23 AM

    Hi John,

    I'm glad that you have now got a working access policy.

    For your reference, */*/mgmt/rest-mgmt?Access=r+w+a+d+x defines the authority the user group has to view/edit the REST management interface settings (i.e. to use the /mgmt/config/default/RestMgmtInterface REST URI or its equivalent in the CLI or UI). It does not control whether users can use REST.

    If you used the access policy builder in the web UI to define your user group then I suspect you selected a resource type of Device Management - REST management interface. To grant/restrict access to login by REST you need to select Login - Rest-Mgmt instead.

    Access to the login resources defines which management interfaces a user is permitted to use. The other resources in the access policy define what a user is permitted to do once they have logged in.

    Kind regards,

    Jamie



    ------------------------------
    Jamie Squibb
    IBM MQ Development
    ------------------------------
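
    The following Python is an added illustration for this thread (it is not code from the posts, from IBM, or from the DataPower product) of how the policy strings in replies 2 and 4 behave when matched against a request. It reads each policy path as address/domain/resource-type/resource (the replies use '*' for the first two components, so that reading is an assumption), treats a missing trailing component as '*', treats Access=NONE as an explicit deny and "no matching policy" as deny, models a login over an interface as needing 'r' on login/<interface>, and ranks overlapping policies by specificity so that */*/login/ssh?Access=NONE overrides */*/*?Access=r+w+a+d+x as in reply 2. The three user groups are the ones from the thread; the request address 192.0.2.10 is a constructed value.

    ```python
    """Model of DataPower RBM access-policy matching (added illustration, not IBM code).

    Assumptions, as stated in the lead-in: policy path = address/domain/resource-type/resource,
    '*' matches anything, an omitted resource means '*', Access=NONE is an explicit deny,
    no matching policy means deny, login needs 'r' on login/<interface>, and the most
    specific matching policy wins. Real RBM evaluation may differ in details.
    """
    from dataclasses import dataclass


    @dataclass(frozen=True)
    class Policy:
        address: str
        domain: str
        resource_type: str
        resource: str
        access: frozenset  # permission letters (r, w, a, d, x); empty means Access=NONE

        @classmethod
        def parse(cls, line: str) -> "Policy":
            """Parse 'addr/domain/type[/resource]?Access=r+w+...' or '...?Access=NONE'."""
            path, _, query = line.strip().partition("?")
            parts = path.split("/")
            if not 3 <= len(parts) <= 4:
                raise ValueError(f"bad policy path: {path!r}")
            parts += ["*"] * (4 - len(parts))            # omitted resource == '*'
            key, _, value = query.partition("=")
            if key != "Access" or not value:
                raise ValueError(f"expected Access=..., got {query!r}")
            access = frozenset() if value == "NONE" else frozenset(value.split("+"))
            return cls(*parts, access)

        def _path(self):
            return (self.address, self.domain, self.resource_type, self.resource)

        def specificity(self) -> int:
            """Number of non-wildcard components; used to rank matching policies."""
            return sum(c != "*" for c in self._path())

        def matches(self, address, domain, resource_type, resource) -> bool:
            request = (address, domain, resource_type, resource)
            return all(p == "*" or p == r for p, r in zip(self._path(), request))


    def permitted(policies, address, domain, resource_type, resource, perm) -> bool:
        """True if the most specific policy matching the request grants perm.

        Equally specific policies tie-break by list order (max() keeps the first);
        the product's real tie-breaking is not described in the thread.
        """
        matching = [p for p in policies if p.matches(address, domain, resource_type, resource)]
        if not matching:
            return False                                 # default deny
        best = max(matching, key=Policy.specificity)
        return perm in best.access


    def can_login(policies, interface, address="192.0.2.10", domain="default") -> bool:
        """Login over rest-mgmt / ssh / web-mgmt modelled as 'r' on login/<interface>."""
        return permitted(policies, address, domain, "login", interface, "r")


    def group(*lines):
        return [Policy.parse(line) for line in lines]


    # The three user groups discussed in the thread.
    NOSSHORWEB = group("*/*/*?Access=r+w+a+d+x",
                       "*/*/login/ssh?Access=NONE",
                       "*/*/login/web-mgmt?Access=NONE")
    RESTSYSTEMINFO = group("*/*/login/rest-mgmt?Access=r",
                           "*/*/status/firmware-version?Access=r",
                           "*/*/system/system?Access=r")
    # The policy John expected to work: it covers only the REST management
    # interface configuration object (mgmt/rest-mgmt), not the login resource.
    REST_MGMT_OBJECT_ONLY = group("*/*/mgmt/rest-mgmt?Access=r+w+a+d+x")

    if __name__ == "__main__":
        for name, g in (("nosshorweb", NOSSHORWEB),
                        ("restsysteminfo", RESTSYSTEMINFO),
                        ("mgmt/rest-mgmt only", REST_MGMT_OBJECT_ONLY)):
            verdicts = {i: "allow" if can_login(g, i) else "deny"
                        for i in ("rest-mgmt", "ssh", "web-mgmt")}
            print(f"{name:20} {verdicts}")
        # restsysteminfo may read the firmware version but not write system settings
        print(permitted(RESTSYSTEMINFO, "192.0.2.10", "default", "status", "firmware-version", "r"))
        print(permitted(RESTSYSTEMINFO, "192.0.2.10", "default", "system", "system", "w"))
    ```

    Running it shows the point of reply 4 directly: the group holding only */*/mgmt/rest-mgmt?Access=r+w+a+d+x can edit the RestMgmtInterface object but is denied login over rest-mgmt, because nothing in it matches the login resource type, while both of Jamie's groups allow REST login and differ only in what the user may touch afterwards.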



  • 5.  RE: Failing to set up REST-only access policies for a specific User Account

    Posted Thu February 22, 2024 09:53 AM

    Hi Jamie, 

    Thanks for the clarification. This is indeed a misinterpretation from my side. 

    Cheers,

    John



    ------------------------------
    John Gouw
    ------------------------------