REST access for user without Performance Management UI access

book

Article ID: 141578

calendar_today

Updated On:

Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

How can we provide a user with REST access to both Performance Management and Data Aggregator REST web services. The user should not also have access to the Performance Management UI.

Cause

Internal requirements demand a user with REST access, while the user is unable to access the Performance Management web user interface.

Environment

All supported Performance Management releases

Resolution

This is specific to Performance Center REST based web services that require user authorization. This requires both an Administrative Role and a User. The key to this user having REST web services access without web UI access, is the creation of an empty or permissionless Role.

This doesn't apply to Data Aggregator REST based web services, which with the exception of the Data Aggregator based OpenAPI OData services, do not require user authentication.

Note that there is no Read-Only vs Read-Write control in Performance Management REST web services overall. Users with REST access but not UI access will still be able to implement changes via REST web services.

To set up the required User and Role:

  1. In the Performance Management web UI go to Administration->User Settings->Roles
    1. Select New to create a new Role
    2. Set a Name. Set a Description if desired. Set the Role Status to Enabled.
    3. No need to assign Menu options to the user unless the user needs to access reports in the web UI
    4. Leave the Performance Center Role Rights empty unless the user needs to access the web UI.
  2. Open a REST client. Enter the following URL in the client, replacing <RoleName> with the name of the new Role created.
    1. http://PC:8181/pc/center/webservice/roles/roleName/<RoleName>/makeRoleAdministrator
    2. Set the REST client for a PUT request.
    3. Ensure the Authorization header for admin access is set with a user:pass with Administrative Role access
    4. Ensure the Content-Type is set to application/xml

After 200 Success for the PUT REST call, we can use the following URL in a browser to validate the new Role is now listed as an Administrative role.

  • http://PC:8181/pc/center/webservice/roles/administratorRoles/en-US

Additional Information

Note: When creating the new user, if assigning it only the Collections group tree, the user will be able to only see Devices. If the user should also see Interface and Component items as well, add the All Groups group to the users access.