Forum Discussion
troubleshooting rest api permissions issues
Hi, I'm trying to troubleshoot a permissions problem with a custom role. I've created the role to allow an account to perform GET and PUT requests against datagroups on a v12 F5 LTM. The way I've initially approached it is to just give the following permissions and work my way back from there once I got it working.

    "resources": [
        {
            "resourceMask": "/mgmt/tm/ltm/dataGroup",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/dataGroup/*",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/dataGroup/*/*",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/dataGroup/*/*/*",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group",
            "restMethod": "PUT"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*",
            "restMethod": "PUT"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*/*",
            "restMethod": "PUT"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*/*/*",
            "restMethod": "PUT"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*/*",
            "restMethod": "GET"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/data-group/*/*/*",
            "restMethod": "GET"
        }
    ]

I can perform a GET against a datagroup but I'm unable to perform a PUT. I receive the following error:
{"code":400,"message":"\"internal\" unexpected argument","errorStack":[],"apiError":26214401}
From reading the forums I understand this is a type of permissions problem.
So I also took an existing account and added it to the iControl_REST_API_User role. When trying to perform the same thing, I received:
{"code":400,"message":"01070822:3: Access Denied: user (username) does not have modify access to object (value_list)","errorStack":[],"apiError":3}
So I'm a little confused about how I can troubleshoot an API permissioning issue like this. Does anyone have any tips they've used previously to figure out which role permissions are required for a task?
- Vijay_E
Cirrus
Is this a local user configured on the F5, or some kind of remote authentication user like TACACS? iControl REST with remote authentication user permissions was introduced in 12.1 (I think).
- adavidjan_27668
Nimbostratus
We receive the same error message using a local user when changing the default pool of a virtual without administrative permissions, although in the role the resourcemask is set for PUT/PATCH/GET.
We've got release 12.1 on our device.
- Ken_Russo_17849
Historic F5 Account
You must use token auth for non-admin local users.
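
An added example, not part of the thread and not F5 code: a small audit of the role posted in the question, reporting which method and URI pairs its masks cover and which masks no probed request uses. It assumes `*` matches exactly one path segment; the probe URIs (including the `Common` partition) are constructed for illustration.

```python
import re

# Role entries from the question, in the order posted: (restMethod, resourceMask).
ROLE = [(method, f"/mgmt/tm/ltm/{name}{depth}")
        for method, name in (("GET", "dataGroup"), ("PUT", "data-group"),
                             ("GET", "data-group"))
        for depth in ("", "/*", "/*/*", "/*/*/*")]

def mask_to_regex(mask):
    # ASSUMPTION: "*" stands for exactly one path segment; all else is literal.
    parts = ["[^/]+" if seg == "*" else re.escape(seg) for seg in mask.split("/")]
    return re.compile("/".join(parts))

def matching_masks(role, method, uri):
    """Masks in the role that cover this method and URI (query string ignored)."""
    path = uri.split("?", 1)[0].rstrip("/")
    return [mask for m, mask in role
            if m == method.upper() and mask_to_regex(mask).fullmatch(path)]

def audit(role, requests):
    """Return (requests no mask covers, role entries no request used)."""
    used, uncovered = set(), []
    for method, uri in requests:
        hits = matching_masks(role, method, uri)
        used.update((method.upper(), mask) for mask in hits)
        if not hits:
            uncovered.append((method, uri))
    unused = [entry for entry in role if entry not in used]
    return uncovered, unused

# Constructed probes: the calls the account is meant to make, plus PATCH.
OBJ = "/mgmt/tm/ltm/data-group/internal/~Common~value_list"
PROBES = [("GET", "/mgmt/tm/ltm/data-group/internal"),
          ("GET", OBJ), ("PUT", OBJ), ("PATCH", OBJ)]

if __name__ == "__main__":
    uncovered, unused = audit(ROLE, PROBES)
    for method, uri in uncovered:
        print(f"NOT COVERED  {method:5} {uri}")
    for method, mask in unused:
        print(f"UNUSED MASK  {method:5} {mask}")
```

Under that assumption, a request reported as covered that the device still refuses is not explained by a missing mask, and unused entries are candidates for removal when tightening the role.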