


[RESOLVED] set specific DNS permissions via WAPI

New Member
Posts: 2

I want to create an API-only service account that can only create and update A & TXT records in a subzone. All of this should be automated via the WAPI interface.


Steps I had in mind:

1. create subzone: POST https://{{grid_master}}/wapi/v2.7/zone_auth?_return_fields=fqdn

2. create group: POST https://{{grid_master}}/wapi/v2.7/admingroup (for now I add a local user manually, but want to link it to an AD group later)

3. block this group from all resources (deny IPV6_HOST_ADDRESS / HOST / IPV6_NETWORK / NETWORK / HOST_ADDRESS / NETWORK_VIEW / PORT_CONTROL)

4. allow this group access to subzone (A and TXT records only)


The problem is I can't find the objects to add the permissions via the WAPI for steps 3 and 4. As an example, I can only find the object for IPV6_HOST_ADDRESS if I create such a permission via the GUI first (which then shows "_ref": "permission/b25lLmhpZXJfcnVsZSQuY29tLmluZm9ibG94LmRucy5uZXR3b3JrX3ZpZXdfcGFyZW50JC8uLi5jb20uaW5mb2Jsb3gub25lLmFkbWluX2dyb3VwJC5rOHMxLmRucy5ob3N0X2FkZHJlc3M7aXNfaXB2ND1mYWxzZQ:k8s1/DENY" if I check via the API)


Same goes for the A and TXT records in a DNS zone. I can retrieve the object of a zone via https://{{grid_master}}/wapi/v2.7/zone_auth?fqdn~=mydomain.com which gives "_ref": "zone_auth/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5qbmpsYWIuZHZsLWFwcHMudGVzdDI:mydomain.com/Internal". I can only find the objects for A and TXT if I again create a permission via the GUI and query via the API.


Any thoughts?

[RESOLVED] Re: set specific DNS permissions via WAPI

New Member
Posts: 2

Answering my own question here: I approached my quest differently.


Instead of trying to find the object IDs, I wanted to know all parameters to the 'permission' API call. I managed to get that via the 'permission?_schema' call. In the result I found the field 'resource_type' which I could use to set the global permissions required for step 3.


I should be able to also apply 'resource_type = A' for step 4, but apparently there is no way to also specify the fqdn for the zone I want to apply it to. I still have to give full access to the zone for now.
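Putting the four steps together, as an added example rather than code from the thread or from Infoblox: a small Python client that builds the zone_auth, admingroup and permission POST bodies in the order above, runs them against an offline recorder so it can be read without a grid, and finishes with a least-privilege check that every grant is tied to both an object and a resource_type. It assumes the v2.7 field names used in the thread (zone_auth fqdn/view, admingroup name/access_method, permission group/permission/resource_type/object) and, for step 4, that setting object to the zone ref together with resource_type scopes the grant to that record type within that zone. Both are assumptions to confirm against the output of permission?_schema on your own grid; the group name k8s1 and the hostnames are placeholders taken from or modelled on the thread.

```python
"""Provision an API-only Infoblox admin group limited to A/TXT records in one subzone (WAPI).

Added example for this thread, not code from the original posts or from Infoblox. Field
names and the object+resource_type scoping are assumptions to verify with permission?_schema.
"""
import base64
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Resource types the thread denies grid-wide (step 3) and the record types it allows (step 4).
GLOBAL_DENY_TYPES = ["IPV6_HOST_ADDRESS", "HOST", "IPV6_NETWORK", "NETWORK",
                     "HOST_ADDRESS", "NETWORK_VIEW", "PORT_CONTROL"]
ALLOWED_RECORD_TYPES = ["A", "TXT"]

# A "poster" is any callable post(path, body) -> parsed JSON. A WAPI POST answers with the
# new object's _ref as a JSON string unless _return_fields is requested.
Poster = Callable[[str, Dict[str, Any]], Any]


def wapi_poster(grid_master: str, user: str, password: str, version: str = "v2.7") -> Poster:
    """Real transport: JSON POST with HTTP basic auth to https://{grid_master}/wapi/{version}/..."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(path: str, body: Dict[str, Any]) -> Any:
        req = urllib.request.Request(
            f"https://{grid_master}/wapi/{version}/{path}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
            method="POST",
        )
        # urlopen validates the server certificate against the system CA store; pass an
        # ssl.SSLContext loaded with your grid's CA if the Grid Master uses a private PKI.
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())

    return post


class RecordingPoster:
    """Offline stand-in for the grid: logs each call and returns a constructed _ref string."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def __call__(self, path: str, body: Dict[str, Any]) -> str:
        self.calls.append((path, dict(body)))
        label = body.get("fqdn") or body.get("name") or body.get("resource_type")
        return f"{path}/FAKEREF{len(self.calls)}:{label}"   # constructed, not a real ref


def deny_rule(group: str, resource_type: str) -> Dict[str, Any]:
    """Step 3: a DENY on one resource type with no `object`, i.e. grid-wide."""
    return {"group": group, "permission": "DENY", "resource_type": resource_type}


def zone_record_rule(group: str, zone_ref: str, resource_type: str) -> Dict[str, Any]:
    """Step 4: WRITE on one record type inside one zone.

    Assumption: `object` = the zone_auth _ref plus `resource_type` scopes the grant to that
    record type within that zone. Confirm against permission?_schema before relying on it.
    """
    return {"group": group, "permission": "WRITE", "resource_type": resource_type, "object": zone_ref}


def provision(post: Poster, fqdn: str, view: str, group: str) -> Dict[str, Any]:
    """Run steps 1-4 of the thread in order and return the _refs the grid hands back."""
    zone_ref = post("zone_auth", {"fqdn": fqdn, "view": view})
    # Assumption: admingroup.access_method lists the permitted login paths; ["API"] keeps
    # the service account out of the GUI entirely.
    group_ref = post("admingroup", {"name": group, "access_method": ["API"]})
    denies = [post("permission", deny_rule(group, t)) for t in GLOBAL_DENY_TYPES]
    allows = [post("permission", zone_record_rule(group, zone_ref, t)) for t in ALLOWED_RECORD_TYPES]
    return {"zone": zone_ref, "group": group_ref, "denies": denies, "allows": allows}


def overbroad_grants(calls: List[Tuple[str, Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Least-privilege check on what was posted.

    A non-DENY rule with no `object` applies grid-wide; one with an `object` but no
    `resource_type` covers every record type in that zone (the fallback the thread ends on).
    Returns the offending bodies; an empty list means every grant is fully scoped.
    """
    return [body for path, body in calls
            if path == "permission" and body["permission"] != "DENY"
            and ("object" not in body or "resource_type" not in body)]


if __name__ == "__main__":
    fake = RecordingPoster()   # swap for wapi_poster("gm.example.net", "svc", "...") against a grid
    result = provision(fake, "apps.mydomain.com", "Internal", "k8s1")
    for path, body in fake.calls:
        print(f"POST {path} {json.dumps(body)}")
    print("overbroad grants:", overbroad_grants(fake.calls))
```

Running it prints the nine POST bodies in the order the thread lays out (one zone, one group, seven DENYs, two scoped WRITEs) and an empty list from the check. If step 4 on your grid only accepts a whole-zone grant, as the last post describes, the check reports that grant, which is the point of keeping it in the script.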
