How to Use the Admin API

You can manage your administrators and view user activity via the Admin API. For installation instructions for access-cli, see https://github.com/barracuda-cloudgen-access/access-cli#installation.

All commands provide a help text with the available sub-commands and flags. For example, running access-cli admins will let you know about the get, list, add, edit and delete sub-commands, and access-cli admins edit --help will list all available flags for the edit admins command, including pagination, sorting, and filtering flags. For more examples beyond this page, see CloudGen Access CLI Client Usage Examples.

• list

• help

• edit

• create

• delete

• user

• records

• Use Case example: Export user web surfing activity (allow and denied) web access

List all the account administrators:

The help flag tells you the things you can change:

The edit command allows you to edit the information:

The create command lets you create new admins:

You can also edit the admin roles. It is possible to assign multiple roles to the admin. Here are the current admin roles:

• owner – Has access to all the APIs, including the Administrator API.

• owner_ro – Has access to all the APIs, including the Administrator API, but only for listing and searching. Modification, creation, or deletion is not permitted.

• admin – Has access to all APIs except the Administrator API. It cannot list, add, modify, or delete admins.

• admin_ro – Has the same logic as the owner_ro. It is a read-only admin. Modifications are not permitted.

• moderator – Has access to all APIs except for the User, Groups, and Administrator API (cannot add, modify, or remove users, groups or admins).

• enrollment – Has access to listing and searching users, and to manipulate everything related to device enrollments (create a new enrollment link, delete it, add more allowed devices to an existing enrollment link, and send enrollment emails).

• evaluate_resource – Useful for service accounts. It only allows access to the evaluate_resource API (used for troubleshooting).

• read_events – Only has access to the records objects (the Activity menu on the web console). It is useful for service accounts configured to export records through our CLI to later import them into a SIEM solution.

Specify the new authentication type for the admin:

The delete command lets you delete admins:

The user command has access to all users. It can list, add, modify, or delete users for a tenant. This command gives a list of users that match the email address given. The result is in json format. 

The records command can only list events, and you can filter for attributes. You can get particular events by their id, list a range of events using the provided filters, or watch events as they come in. You will not be able to modify events or create new ones with access-cli.

If you run the help on the access-cli records list command, you get the filter options.