Authentication and Access Permissions

This section describes the authentication and access permissions needed to use the ScienceLogic API.

User Access to the API

User access to the API is controlled in the same way user access to the Administration Portal is controlled:

  • A user can interact only with entities associated with their organizations. Entities are either explicitly aligned with organizations, aligned with organizations based on the user that created the entity, or are not aligned with an organization.
  • Users of type "Administrator" can perform all actions on all resources, regardless of organization membership.
  • Device groups and dashboards can be configured so that a user must be granted a specific access key to use that device group or dashboard.

NOTE: The new user interface architecture requires API access for all users; API access is automatically granted to users. The following API-specific access hooks have been deprecated and removed from SL1: API: Resource Indexes, API: Server Access, API: Virtual Device.

The following sections describe how the access permissions system applies to the API. For more information on the access permissions system in SL1, see the Access Permissions section.

User accounts that use a SAML provider for authentication cannot perform API requests unless the authentication profile for that user also includes an EM7 Internal or AD/LDAP authentication resource.

Account Lockouts

The account lockout functionality applies to API requests (i.e., if an incorrect password is specified in multiple, sequential API requests for a valid user account, the user account will be locked out). The following settings in the Behavior Settings page (System > Settings > Behavior) control account lockouts:

  • Account Lockout Attempts. Number of times a user can supply incorrect login information (i.e., the number of consecutive API requests with an incorrect password before a lockout occurs). Choices are 1 time through 10 times.
  • Account Lockout Type. If a user enters incorrect login information multiple times in a row, that user will be locked out of the user interface. In this field, you can select how the lockout will be applied. Choices are:
      • Lockout by IP Address. All login attempts from the IP address will be denied.
      • Lockout by Username and IP Address. All login attempts by the username from the IP address will be denied.
      • Lockout by Username (default). All login attempts by the username will be denied.
      • Disabled. Lockouts are disabled.
  • Account Lockout Duration. Specifies how long a user will be locked out of the user interface. Choices are 1 hour through 24 hours, in one-hour increments.

While a user account is locked out, API requests specifying that user will return an HTTP 403 status code with the following ScienceLogic-specific header values:

X-EM7-status-message: Authentication failed due to lock
X-EM7-status-code: LOCKED
X-EM7-info-message: Authentication temporarily locked due to too many failed authentication attempts

Account lockouts can be removed via the API using the /access_lock resource. The /access_lock resource supports the following methods:

Action                                         URI              Method
View a list of locked-out user accounts.       /access_lock     GET
View details about a locked-out user account.  /access_lock/X   GET
Clear a lock on a user account.                /access_lock/X   DELETE
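The following is an added example, not code from the ScienceLogic manual or product: a minimal client that recognises the lockout response described above (HTTP 403 with X-EM7-status-code: LOCKED) and then lists and clears locks through the /access_lock resource. The HTTP layer is injected so the example runs offline against constructed responses; the hostname, the use of HTTP Basic credentials, the lock id "7", the JSON shape of the /access_lock listing and the usernames are assumptions made for the demonstration, not values from the manual.

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Transport signature: (method, url, request headers) -> (status, response headers, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


@dataclass
class LockoutInfo:
    locked: bool
    status_message: str = ""
    info_message: str = ""


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic credentials (assumption: the manual does not prescribe the scheme here)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def detect_lockout(status: int, headers: Dict[str, str]) -> LockoutInfo:
    """Recognise the lockout response the manual describes: HTTP 403 together with
    X-EM7-status-code: LOCKED. Header names are compared case-insensitively, and a
    plain 403 without that status code is deliberately NOT treated as a lockout."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 403 and lowered.get("x-em7-status-code", "").upper() == "LOCKED":
        return LockoutInfo(True, lowered.get("x-em7-status-message", ""),
                           lowered.get("x-em7-info-message", ""))
    return LockoutInfo(False)


class SL1Client:
    """Thin client covering the /access_lock operations listed in the manual."""

    def __init__(self, base_url: str, username: str, password: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.auth = basic_auth_header(username, password)
        self.transport = transport

    def request(self, method: str, path: str) -> Tuple[int, Dict[str, str], str]:
        return self.transport(method, self.base_url + path, dict(self.auth))

    def list_locks(self) -> List[dict]:
        status, headers, body = self.request("GET", "/access_lock")  # GET /access_lock
        if status != 200:
            raise RuntimeError(f"GET /access_lock failed: {status} {headers}")
        return json.loads(body)

    def clear_lock(self, lock_id: str) -> bool:
        status, _, _ = self.request("DELETE", f"/access_lock/{lock_id}")  # DELETE /access_lock/X
        return status == 200


def make_fake_transport() -> Transport:
    """Constructed stand-in for an SL1 appliance so the example runs offline. The lock
    id, the JSON body of the listing and the 200 on DELETE are demo assumptions."""
    locks = {"7": "jdoe"}  # constructed: lock id -> locked-out username

    def transport(method: str, url: str, headers: Dict[str, str]):
        raw = headers.get("Authorization", "").split(" ", 1)[-1]
        user = base64.b64decode(raw).decode().split(":", 1)[0]
        if user in locks.values():  # locked account: the header trio from the manual
            return 403, {
                "X-EM7-status-message": "Authentication failed due to lock",
                "X-EM7-status-code": "LOCKED",
                "X-EM7-info-message": "Authentication temporarily locked due to too many "
                                      "failed authentication attempts",
            }, ""
        path = urlsplit(url).path
        if method == "GET" and path == "/access_lock":
            return 200, {}, json.dumps([{"id": i, "user": u} for i, u in locks.items()])
        if method == "DELETE" and path.startswith("/access_lock/"):
            return (200, {}, "") if locks.pop(path.rsplit("/", 1)[-1], None) else (404, {}, "")
        return 200, {}, "{}"

    return transport


def unlock_user(username: str, transport: Transport) -> Tuple[bool, bool]:
    """Walk the scenario end to end: the locked user is rejected, an administrator lists
    the locks, clears the one for that user, and the user's next request succeeds.
    Returns (locked before clearing, locked after clearing)."""
    base = "https://sl1.example.invalid"  # assumed hostname; the manual gives only resource paths
    user_client = SL1Client(base, username, "correct-horse", transport)
    status, headers, _ = user_client.request("GET", "/account/_self")
    before = detect_lockout(status, headers).locked
    admin = SL1Client(base, "admin-user", "admin-password", transport)  # constructed admin account
    for lock in admin.list_locks():
        if lock["user"] == username:
            admin.clear_lock(lock["id"])
    status, headers, _ = user_client.request("GET", "/account/_self")
    after = detect_lockout(status, headers).locked
    return before, after


if __name__ == "__main__":
    print(unlock_user("jdoe", make_fake_transport()))  # (True, False)
```

Checking the X-EM7-status-code header rather than the bare 403 matters in practice: SL1 also returns 403 for ordinary permission failures, so a client that retried or escalated on every 403 would misreport those as lockouts. Clearing a lock via DELETE /access_lock/X is itself a PUT/POST/DELETE request, so it appears in the audit log for the administrator's primary organization as described below.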

The _self Resource

User accounts are granted access to their own user account information through the following resource:

/account/_self

This resource returns the equivalent of the standard /account resource for the user that authenticated the request, even if that user account has not been granted permission to access other /account resources.

Audit Logging

All requests that use a PUT, POST, or DELETE method are included in the audit logs for the user's primary organization. Organizational audit logs are accessible through the Logs tab in the Organizational Summary page; a log for all organizations is displayed on the Audit Logs page (System > Monitor > Audit Logs). Each log message generated by an API request includes the following information:

  • The date when the request was made.
  • The user account that was used to authenticate the request.
  • The method used in the request.
  • The resource URI the request was made on.
  • The result of the request.

All API audit logs have a Source of "API Server".