RBAC Configuration for Dynamic Attributes

When using the Dynamic Attributes functionality with a limited-scope API token (non-admin), you need to configure specific RBAC permissions in IP Fabric to allow the SDK to perform all necessary operations.

Required API Endpoint Permissions

The Dynamic Attributes utility requires 17 API endpoint scopes to function properly with basic inventory-based attributes.

Additional Table Endpoints

If your configuration uses data from tables other than tables/inventory/devices, you will need to add POST permissions for those specific table endpoints. For example:

POST /tables/cloud/nodes/inventory - For cloud node data
POST /tables/cloud/vendors/aws/inventory - For AWS-specific data
POST /tables/cloud/vendors/gcp/inventory - For GCP-specific data
POST /tables/cloud/vendors/azure/inventory - For Azure-specific data

See the Region Example for a configuration that uses multiple cloud table endpoints.

GET Permissions (5 endpoints)

Endpoint	Purpose
`GET /filters`	Access filter configurations
`GET /os/hostname`	Get system hostname
`GET /prepared-requests/:preparedRequestId/execute`	Execute optimized queries (performance)
`GET /reports`	Access report configurations
`GET /reports/groups`	Access report group configurations

POST Permissions (10 endpoints)

Endpoint	Purpose
`POST /attributes/global`	Create global attributes
`POST /attributes/local/update-from-global`	Update snapshot attributes from global
`POST /attributes/local/update-from-global/check-sites-recalculation`	Check if recalculation is needed
`POST /filters`	Create/query filters
`POST /prepared-requests`	Create optimized query requests
`POST /tables/global-attributes`	Query global attributes table
`POST /tables/inventory/devices`	CRITICAL - Query device inventory
`POST /tables/management/configuration/saved`	Access saved configurations
`POST /tables/management/snapshots`	CRITICAL - Query snapshots with filters
`POST /tables/snapshot-attributes`	Query snapshot-specific attributes

PUT Permissions (2 endpoints)

Endpoint	Purpose
`PUT /attributes/global`	Update existing global attributes
`PUT /attributes/global/:id`	Update specific attribute by ID

Step-by-Step RBAC Configuration

1. Create a Policy

Navigate to: Settings → User Management → Policies
Click “Add Policy”
Configure:
- Name: dynamic_attributes_policy
- Description: API permissions for Dynamic Attributes automation
- Scope Type: API Scopes
Click “Save”

2. Add API Scopes to Policy

For each of the 17 endpoints listed above:

Open the dynamic_attributes_policy
Click “Add API Scope”
Configure:
- Method: (GET, POST, or PUT as specified above)
- Path: (exact path from the table above)
Repeat for all 17 endpoints

3. Create a Role

Navigate to: Settings → User Management → Roles
Click “Add Role”
Configure:
- Name: dynamic_attributes_role
- Description: Role for Dynamic Attributes automation
- Admin Role: No (unchecked)
- Policies: Select dynamic_attributes_policy
Click “Save”

4. Create API Token

Navigate to: Settings → Integration → API Tokens
Click “Add API Token”
Configure:
- Description: Dynamic Attributes Automation
- Role: Select dynamic_attributes_role
- Expiration: Set as needed (or leave blank)
Click “Create”
Copy the generated token and save it securely

5. Configure Environment

Update your .env file or environment variables:

IPF_URL=https://your-ipfabric-instance.com
IPF_TOKEN=your_generated_token_here

Critical Permissions Explained

POST /tables/management/snapshots

This is one of the most critical permissions. The SDK needs to:

Query the snapshots table
Apply filters on the status column
Sort by tsEnd to get the latest snapshot

Important: The permission must allow filtering and sorting, not just basic table access. Configure this as an API Scope (not a generic table permission) to ensure full query capabilities.

POST /tables/inventory/devices

Required to:

Fetch device inventory with filters
Extract data for attribute assignment
Get device serial numbers for attribute mapping

Prepared Requests (Optional but Recommended)

The prepared requests endpoints (POST /prepared-requests and GET /prepared-requests/:preparedRequestId/execute) are optional but highly recommended:

With: Significant performance improvement on large inventories
Without: Script works but uses slower query methods

Troubleshooting

Common Permission Errors

Error	Missing Permission	Solution
`403 Forbidden` on `/tables/inventory/devices`	`POST /tables/inventory/devices`	Add API scope to policy
`403 Forbidden` on `/tables/management/snapshots`	`POST /tables/management/snapshots`	Add API scope to policy
`403 Forbidden` on `/attributes/global`	`PUT /attributes/global`	Add API scope to policy
`API_INSUFFICIENT_RIGHTS` with filters	Scope doesn’t allow filtering	Use API scope, not generic table permission
`Prepared requests not available`	`POST /prepared-requests`	Optional - add for better performance

Verification

Test your configuration:

ipf_dynamic_attributes config.yml --dry-run

Expected output should show no 403 Forbidden errors and successfully process devices.

Security Best Practices

Principle of Least Privilege

✅ Use the 17 specific endpoints listed above
❌ Don’t grant full admin rights
❌ Don’t use wildcard permissions unless necessary

Token Management

Rotation: Rotate API tokens every 90 days
Storage: Store tokens in .env files (never commit to version control)
Naming: Use descriptive names (e.g., “Dynamic Attributes Automation”)
Expiration: Set expiration dates when possible

Audit and Monitoring

Monitor API token usage in IP Fabric audit logs
Review token activity regularly
Disable unused tokens immediately
Create separate tokens for different automation tasks

Example Configuration File

Here’s a complete example showing the IP Fabric configuration with a limited-scope token:

config.yml

---
ipfabric:
  base_url: 'https://ipfabric.example.com'
  auth: null  # Uses IPF_TOKEN environment variable
  timeout: 30
  verify: true
  snapshot_id: $last

dry_run: true
update_snapshot: true

inventory:
  report_columns:
    - loginIp
    - siteName
    - vendor
    - platform

default:
  overwrite: true
  attribute: REGION

rules:
  - name: "Assign Region Based on Site"
    filters:
      - column: siteName
        value: unknown
        operator: neq
    value:
      api_endpoint: tables/inventory/devices
      column: siteName
      transform: upper
      regex:
        pattern: "^([^-]+)-"
        group: 1
      mapping:
        LONDON: London-Region
        PARIS: Paris-Region
        FRANKFURT: Frankfurt-Region
      default_mapping_value: UNKNOWN

Additional Resources

Determining Required Table Endpoints

To identify which table endpoints your configuration requires, examine the api_endpoint values in your rules:

rules:
  - name: "Example Rule"
    value:
      api_endpoint: tables/inventory/devices  # Requires: POST /tables/inventory/devices

Common table endpoints used in dynamic attributes:

Configuration Use Case	Required Endpoint
Standard device inventory	`POST /tables/inventory/devices`
Cloud nodes	`POST /tables/cloud/nodes/inventory`
AWS cloud resources	`POST /tables/cloud/vendors/aws/inventory`
GCP cloud resources	`POST /tables/cloud/vendors/gcp/inventory`
Azure cloud resources	`POST /tables/cloud/vendors/azure/inventory`
Device configurations	`POST /tables/management/configuration`
Interfaces	`POST /tables/inventory/interfaces`
IP addresses	`POST /tables/addressing/managed-ip-ipv4`

For each unique api_endpoint in your configuration, add a corresponding POST /<api_endpoint> API scope to your policy.

Summary

Minimum Requirements: - 17 API endpoint scopes (GET: 5, POST: 10, PUT: 2) for basic inventory-based attributes - Additional POST permissions for any other table endpoints used in your configuration - No DELETE permissions required for normal operation - API Scopes must be used (not generic table permissions) - Filtering and sorting must be allowed on snapshot queries

Key Success Factors: 1. Use API Scopes for all permissions 2. Ensure POST /tables/management/snapshots allows filtering 3. Include all attribute endpoints (global and local) 4. Add POST permissions for all table endpoints referenced in your configuration 5. Add prepared requests for performance (optional)