AD User Permission Denied To Clone VM Via REST API | Nutanix Community
Skip to main content

I tried to log in with AD user in REST API Explorer.

I am getting error as

message": "No permission to access the resource. <Request 'http://nmegh02.prd.dcservices.in:9440/v3/vms/c2784552-c129-4f49-9d0e-b20b32c2a5e4/clone' [post]>",
"reason": "ACCESS_DENIED"

I have given FULL ACCESS to roles of current AD user .i.e VM and APP → FULL ACCESS in Roles Section.

What other permission i need to give so that AD user can execute REST API?

Hey @Balram 

Can you check this KB-2257(Authentication Methods using REST API) & check if the user is creating Basic Auth example with REST-API.


Here is some more output @AnishWalia20 


Hey @Balram 

Can you check this KB-2257(Authentication Methods using REST API) & check if the user is creating Basic Auth example with REST-API.


I have checked article KB-2257, i have given Basic Auth with base64 encoded still getting same message as

No permission to access the resource

Hey @Balram 

Can you check this KB-2257(Authentication Methods using REST API) & check if the user is creating Basic Auth example with REST-API.


after reviewing all the roles, please take a note of these points that

i have create two types of user in AD’s VM i.e Balram as a admin, user01 to user10 as a user to view console and create vm.

In Administration>Roles,

Balram users is added in SUPERADMIN Roles

User01 to user10 are added in Custome Created Role eg:Trainees

Note: I have tried to give Trainee roles all Permission as VM,Cluster as FULL Access,

 

Conclusion: I am able to clone vm via authenticating as Balram. Why i am getting error on cloning via user like user10 .Error as

{ "api_version": "3.1", "code": 403, "message_list": i { "message": "No permission to access the resource. ", "reason": "ACCESS_DENIED" } ], "state": "ERROR" }

 


Hey, @Balram thanks for the update. Let me try out the above scenario you mentioned an get back to you with some results.


Hey @Balram So I checked internally and researched a bit on this issue and got to know that this is currently a feature that is going to be added soon in the upcoming PC releases this year.

 

Basically, Cloning & snapshotting a VM with non-admin or AD users belonging to custom RBAC(role bases access control) roles on PC is not possible as of now, unfortunately. Currently, SSP/RBAC does not have a REST API or UI support for cloning a user VM

 

This is the reason on when you are creating a role and adding actions which that role is permitted to do we don’t see Clone or Snapshot VM Permissions:
 

 

Or not even in Custom VM Permissions:
 

 

I hope I made things clear. This feature is planned to be added in PC 2021.4 this year.

 

Btw what PC version are you running ?

 


Hey @Balram So I checked internally and researched a bit on this issue and got to know that this is currently a feature that is going to be added soon in the upcoming PC releases this year.

 

Basically, Cloning & snapshotting a VM with non-admin or AD users belonging to custom RBAC(role bases access control) roles on PC is not possible as of now, unfortunately. Currently, SSP/RBAC does not have a REST API or UI support for cloning a user VM

 

This is the reason on when you are creating a role and adding actions which that role is permitted to do we don’t see Clone or Snapshot VM Permissions:
 

 

Or not even in Custom VM Permissions:
 

 

I hope I made things clear. This feature is planned to be added in PC 2021.4 this year.

 

Btw what PC version are you running ?

 

Okay , i am waiting for 2021.4 release as i need this feature on custom role permissions supported with REST API.
I am using 5.17.1.1 pc version.

 


Hey @Balram Sure sounds great. Let me know if I can help in any other way. :smile:

 

Would be more than happy to help you.


Hello @AnishWalia20 

I’m trying to create a VM in PC with non-admin user, and I receive :

“No permission to access the resource. <Request 'http://xxxx.xxxx.xxx:9440/v3/vms' vPOST]>”

 

I have already create a role with VM creation permission and a project to the user and a Catalog Image.

 

“Basically, Cloning & snapshotting a VM with non-admin or AD users belonging to custom RBAC(role bases access control) roles on PC is not possible as of now, unfortunately. Currently, SSP/RBAC does not have a REST API or UI support for cloning a user VM”

 

This is applyed to what I want to do?