App Control: API Authentication and Access Control
Article ID: 288947

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Guidance on how to set up API authentication and access control for VMware App Control.
App Control APIs authenticate every request with the API token of a console login account.
The token must be sent in the 'X-Auth-Token' header of each HTTP request; requests without a
valid token are rejected.

For access control, the best practice is to create a separate console user for each API
client and grant that user only the permissions the client needs. The permissions must still
cover what the client does: an API client needs the same access it would need to reach the
same objects through the console. For example, if an API client reads the 'event' object, the
user whose API token the client uses must have the "View events" permission.

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions

Resolution

To create an API user and get its API token:
1. Review the App Control API documentation on your server or GitHub to determine the
permissions needed for your API client. Please see https://developer.carbonblack.com/reference/enterprise-protection for further information.

2. On the console menu, click the configuration (gear) icon and choose Login Accounts.

3. Click the User Roles tab and then the Add User Role button to open the Add User Role page.

4. On the Add User Role page, provide a Name (for example, “API Connector Extensions”), add a Description if you choose, and check the box for each permission
needed for your client. Note that some permissions depend upon others, and you must have permission to view an object if you also intend to change it.

5. When you have configured the role, click the Enabled button in the Status line and click the Create & Exit button at the bottom of the page.

6. Click the Users tab, and on the Login Accounts: Users page, click Add User.

7. On the Add User page, provide a user name (for example, “API HashBanScript”) and password, and choose the User Role you created above.

8. Provide any other information you choose in the other fields.

9. At the bottom of the page, check the Show API token box and then click the Generate button. A string of characters appears in the API Token box.

10. Copy the API token to a protected location from which your API code can read it (for example a secrets store or an environment variable), rather than embedding it in source. Also record the login user name the token belongs to.

11. Click the Save button at the bottom of the page.
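The introduction above describes the authentication model (token in the 'X-Auth-Token' header, permissions tied to the API user's role) and the steps above produce the token. The following is an added example, not code from this article or from Carbon Black, showing how a client should use the token once it has been generated. The '/api/bit9platform/v1' path prefix and the 'event' resource are taken from the public API reference linked in step 1; confirm them against your server's documentation. The mock server in the block is a constructed stand-in that only checks the header value, so the example runs offline; the real server additionally enforces the user role's permissions.

```python
"""Calling the App Control REST API with an X-Auth-Token header.

Added example, not code from the KB article or from Carbon Black. The mock
server below is a constructed stand-in that only validates the header; the
real server also enforces the API user's role permissions.
"""
import hmac
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path prefix assumed from the public API reference; confirm against your server's docs.
API_PREFIX = "/api/bit9platform/v1"


def load_token(env_var="APPCONTROL_API_TOKEN"):
    """Read the token from the environment so it is never hard-coded or shown on a command line."""
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"{env_var} is not set; export the token of the dedicated API user")
    return token


def api_get(base_url, resource, token, timeout=30):
    """GET <base_url>/api/bit9platform/v1/<resource> with the token in X-Auth-Token.

    Returns (http_status, decoded_json_or_None). A 401 means the token was rejected;
    a 403 means the token was accepted but the user role lacks the needed permission.
    """
    url = f"{base_url.rstrip('/')}{API_PREFIX}/{resource.lstrip('/')}"
    req = urllib.request.Request(
        url,
        headers={"X-Auth-Token": token, "Accept": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, None


# ---- constructed mock server standing in for the App Control console (demo only) ----
DEMO_TOKEN = "demo-token-not-a-real-value"  # constructed; a real token comes from the console
DEMO_EVENTS = [{"id": 1, "subtype": "Policy change"}, {"id": 2, "subtype": "Agent connected"}]


class MockAppControl(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        supplied = self.headers.get("X-Auth-Token", "")
        # Constant-time comparison so token checking does not leak timing about the value.
        if not hmac.compare_digest(supplied.encode(), DEMO_TOKEN.encode()):
            self._send(401, {"error": "invalid or missing X-Auth-Token"})
        elif self.path == f"{API_PREFIX}/event":
            self._send(200, DEMO_EVENTS)
        else:
            self._send(404, {"error": "no such resource"})

    def _send(self, status, body):
        data = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def run_demo():
    """Start the mock server, make authenticated and unauthenticated calls, return the results."""
    server = HTTPServer(("127.0.0.1", 0), MockAppControl)  # port 0: pick any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good_status, events = api_get(base, "event", DEMO_TOKEN)
        bad_status, _ = api_get(base, "event", "wrong-token")
        missing_status, _ = api_get(base, "event", "")
    finally:
        server.shutdown()
        server.server_close()
    return {"good": good_status, "events": events, "bad": bad_status, "missing": missing_status}


if __name__ == "__main__":
    print(run_demo())
```

Against a real server, replace the mock with the console URL over HTTPS and obtain the token through load_token() so it stays out of source control and process listings. Treat a 401 as "rotate or re-check the token" and a 403 as "the API user's role is missing a permission", which maps directly onto the role setup in steps 3 and 4.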
 

Additional Information

Important
Do not use the API Token in any way that displays it in clear text. If the API Token is compromised, open the Edit Login Account page for the API user,
check the Show API token box, click Generate to produce a new token, and then click Save. Then use the new token for authentication.

To disable API access for a user that currently has a token, follow the steps above but click Clear instead of Generate. If server hardening requires it, remove all
API access by clearing the token of every login account that has one.