Accessing a users permission

[james-bellamy]

I'm using this library to provide automated IP tagging actions for users, however, to do this I need to know if the credentials provided by the user have permission to perform this action.

Is there a way I can either see the permissions of a given user, specifically the one I created the device with, or check if the user has XML permissions to tag IPs? (Without trying to actually tag an IP)

[jamesholland-uk]

You could try and retrieve current IP tags; that should prove it as I believe the User-ID XML API permission allows for adding, removing and listing tags.

You could also potentially enumerate the administrator name, gather the Admin Role assigned to that administrator, then see if the Admin Role in question has "User-ID" enabled for XML API. But that's a much longer process, checking current IP tags is much quicker.

[james-bellamy]

Unfortunately, listing tags doesn't require the User-ID Agent XML permission but adding does.

How would I enumerate the admin name? I couldn't find an obvious reference to it in the docs

[jamesholland-uk]

Do you have the administrator username and password, or just an API key? If you have the former, you have the admin name?

[james-bellamy]

I'm using username and password so I have the admin name

[james-bellamy]

@jamesholland-uk, would you be able to link the relevant documentation section about how I can get admin details from a device?

[jamesholland-uk]

Hi @james-bellamy, I got this so far, showing the administrator account name and the role it has. If you can carry on, next is to get the privileges the admin role provides the allocated administrator

# Setup firewall
fw_device = firewall.Firewall(
    firewall_ip, api_username=api_user, api_password=api_password
)

# Get the admin
admin = device.Administrator(name=api_user)
fw_device.add(admin)
admin.refresh()
print ("Administrator: " + api_user)

# Get the admin's role name
if admin.superuser is not None:
    print ("Role: superuser")
else:
    if admin.superuser_read_only is not None:
        print ("Role: superreader")
    else:
        if admin.role_profile is not None:
            print("Role: " + admin.role_profile)

[james-bellamy]

Thanks, this is really helpful. Unfortunately, I'm still hitting a wall, I can't see a way to get the privileges the admin role provides.

Based on the method to get the Administrator, I'd expect it to be something like device.AdminRole(name=role_profile) or device.RoleProfile(name=role_profile) but I don't see anything like that in the source code or the docs