
Authentication

API requests adhere to a standard OAuth2 request format. To make calls to the Access Management API, you need a custom role with the required permissions, a Service Principal assigned to that role, and an access token. Service Principals are identities, represented as code, that applications, services, and automation tools use to access specific resources.

Complete the steps below to authenticate and authorize a call to the Access Management API:

  1. Create a custom role with the required permissions.
  2. Create a Service Principal and assign it to your custom role.
  3. Generate an Access Token.
  4. Call the Access Management API.
  5. (Optional) Revoke and rotate secrets for automated calls to improve security.
  6. Next steps: Get Started with the Access Management API

Create a Custom Role for Making API Requests

The Company or Tenant Administrator must create a custom role with the required permissions.

  1. Navigate to Access Management > FSO Tenant Roles from the Account Management Portal.

  2. Select Custom Roles.

  3. Click +.

  4. From (1) Enter Role Details, enter the role name and description for the new custom role.

  5. Click Next.

  6. From (2) Clone Existing Role, select the Observe role as the base for the new custom role and click Next.

  7. From (3) Fine-Tune Permissions, add the following permissions and remove any other permissions:

    • readAccessConfigs
    • createRoles
    • updateRoles
    • deleteRoles
    • configurePrincipalAccess

  8. Click Save & Close. The process of creating the new custom role may take a few minutes.

  9. From (4) Assign Users, click Next. (You can assign the custom role to users later.)

  10. From (5) Assign Service Principals, click Finish. You will create a Service Principal and assign it to the custom role in the next section.

Create a Service Principal and Assign It to the Custom Role

After creating the custom role, the Company or Tenant Administrator needs to create a Service Principal and assign it to that role so that the credentials can fetch access tokens that have permissions to make calls to the Access Management API. The Tenant Administrator could also assign a user to the custom role so that the user can create a Service Principal to make calls to the Access Management API as well.

  1. From the Account Management Portal, navigate to Access Management > Service Principals.
  2. From Service Principals, click +.
  3. Enter a name and description for the new Service Principal.
  4. Select the authentication type.
  5. Click Assign Role Access.
  6. Click Custom Roles.
  7. Select the custom role you created in Create a Custom Role for Making API Requests.
  8. Click Save.
  9. Click Create.
  10. From the Rotate Secret dialog, click Download.
  11. Save the credentials for the Service Principal. You'll need the client ID and client secret to fetch the access token.

Generate an Access Token

Cisco AppDynamics provides an OAuth API for fetching access tokens. With your client ID and client secret from Create a Service Principal and Assign It to the Custom Role, follow the steps in Generate an Access Token and then proceed to the next step.

Call the Access Management API with the Access Token

Pass the returned access token in the Authorization header of each request as a Bearer token. For example:

curl "https://{tenant-name}.observe.appdynamics.com/iam/policy-admin/v1beta2/policies" \
    -H 'Authorization: Bearer {accessToken}'
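
The token fetch and the Bearer call above, combined into one script. This is an added example, not Cisco's code. It assumes the Service Principal was created with Basic authentication and that the token response carries the standard OAuth2 fields `access_token`, `token_type` and `expires_in`; `token_url` is the endpoint documented in Generate an Access Token and is passed in rather than hardcoded.

```python
import base64, json, time, urllib.parse, urllib.request

def token_request(token_url, client_id, client_secret):
    """Build the OAuth2 client-credentials request (secret sent via HTTP Basic)."""
    # Refuse plaintext transport: the client secret travels in this request.
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token URL must be https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def parse_token(raw, now=None):
    """Return (access_token, refresh_at_epoch) from a token response body."""
    doc = json.loads(raw)  # field names assumed from standard OAuth2 (RFC 6749)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response is not a bearer token")
    now = time.time() if now is None else now
    # Refresh 60 s early so no request goes out with a token about to expire.
    return doc["access_token"], now + int(doc.get("expires_in", 0)) - 60

def policies_request(tenant_name, access_token):
    """Build the GET from the curl example, with the Bearer header."""
    # Validate the tenant name so the token is only ever sent to the tenant host.
    if not tenant_name.replace("-", "").isalnum():
        raise ValueError("unexpected tenant name")
    url = (f"https://{tenant_name}.observe.appdynamics.com"
           "/iam/policy-admin/v1beta2/policies")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})

def list_policies(token_url, tenant_name, client_id, client_secret):
    """Fetch a token, then call the API. Needs network access and real credentials."""
    with urllib.request.urlopen(token_request(token_url, client_id, client_secret)) as r:
        token, _refresh_at = parse_token(r.read())
    with urllib.request.urlopen(policies_request(tenant_name, token)) as r:
        return json.loads(r.read())
```

Load the client ID and secret from the downloaded credentials file or a secrets manager at run time rather than embedding them in the script, and keep the token out of logs.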

Revoke and Rotate Secrets (Optional)

If you use automation to make API calls, we recommend that you revoke and rotate secrets periodically for security reasons.

You can revoke and rotate secrets with one of the following methods: