LDAP group import using the REST API, POST /cspm/ext/rest/ldap/userGroup, only appears to work if the API key used has global administrator privileges. The User/Group Manager role is not sufficient, although this role can be used to import the same LDAP user group interactively using the UI. We do not want to assign the global administrator role to the API key used for the LDAP user group imports, since it has too many privileges. We need the REST API to work with the same privileges as the user interface.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
The REST API checks Credential Management (CM) privileges as well, and the API key used did not have a CM group assignment.
The REST API does not require a Global Administrator role. It does require a Password Manager role that includes the UserAdmin Credential Manager role. This is not wrong, since adding a user group also creates user entries in the Credential Manager database. There is no built-in CM user group with just the UserAdmin role. You can add one by going to Credentials > Manage Credential Groups > Credential Groups. Create a new group and assign it the UserAdmin role.
Now you can assign this group to your API user.
With this role, the API key will be able to import LDAP user groups using the REST API.