It would be ideal if we could restrict the commands that a specific API key has access to.
Similar to TACACS command authorization, the addition of this feature would allow us to harden the API and the router.
E.g., limit a given API key to only show commands, or even specific configuration commands.
Possible configuration syntax:
# limit key to show commands only
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint show op show

# limit key to specific set/delete config commands
set service https api keys id MY-HTTPS-API-ID key MY-HTTPS-API-PLAINTEXT-KEY
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op delete path protocols bgp neighbor * shutdown
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * description *
set service https api keys id MY-HTTPS-API-ID endpoint configure op set path protocols bgp neighbor * shutdown
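
Added example, not part of the original request and not the router's own code: a default-deny check that evaluates an API call against per-key rules shaped like the proposed syntax. The key ids, key values and the matching semantics ("*" matches exactly one path token, the whole path must match, a rule without a path allows any path) are assumptions, since the request does not define them.

```python
import hmac

# Constructed policy mirroring the two proposed configurations (ids/keys are made up).
# Each rule is (endpoint, op, path pattern); None means "any path".
POLICY = {
    "RO-ID": {"key": "ro-plaintext-key",
              "rules": [("show", "show", None)]},
    "BGP-ID": {"key": "bgp-plaintext-key",
               "rules": [
                   ("configure", "delete", "protocols bgp neighbor * description *"),
                   ("configure", "delete", "protocols bgp neighbor * shutdown"),
                   ("configure", "set", "protocols bgp neighbor * description *"),
                   ("configure", "set", "protocols bgp neighbor * shutdown"),
               ]},
}


def path_matches(pattern, path):
    """Assumed semantics: token-by-token match, '*' covers exactly one token."""
    if pattern is None:
        return True
    want = pattern.split()
    # Requiring equal length stops a shorter path (a parent node) from matching,
    # e.g. deleting the whole neighbor instead of only its description.
    if len(want) != len(path):
        return False
    return all(w == "*" or w == got for w, got in zip(want, path))


def authorize(api_key, endpoint, op, path):
    """Return the key id if the call is allowed, otherwise None (default deny)."""
    for key_id, entry in POLICY.items():
        # Constant-time comparison of the presented key.
        if hmac.compare_digest(entry["key"].encode(), api_key.encode()):
            for r_endpoint, r_op, r_path in entry["rules"]:
                if (r_endpoint, r_op) == (endpoint, op) and path_matches(r_path, path):
                    return key_id
            return None  # valid key, but no rule covers this command
    return None  # unknown key


if __name__ == "__main__":
    nbr = ["protocols", "bgp", "neighbor", "192.0.2.1"]
    print(authorize("bgp-plaintext-key", "configure", "set", nbr + ["shutdown"]))
    print(authorize("bgp-plaintext-key", "configure", "delete", nbr))
    print(authorize("ro-plaintext-key", "configure", "set", nbr + ["shutdown"]))
```

Under these assumed semantics the BGP key can toggle shutdown or edit a description on any neighbor, but cannot delete the neighbor node itself or change other attributes.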