App Control: API Authentication and Access Control

Environment

  • App Control Server: All Supported Versions
  • Microsoft Windows Server: All Supported Versions

Objective

Guidance on how to set up API authentication and access control for VMware App Control.

App Control APIs are authenticated through an API token for the login account of the currently logged in console user. This token has to be placed inside each HTTP request's 'X-Auth-Token' header.

For access control, the best practice is to have a separate console user for each API client, with the minimum required access controls. However, the API client must have access permissions similar to what would be required to access the same objects through the console. For example, if an API client needs to access the 'event' object, the user associated with an API token used in the client must have “View events” permission.

Resolution

To create an API user and get its API token:
1. Review the App Control API documentation on your server or GitHub to determine the
permissions needed for your API client. Please see https://developer.carbonblack.com/reference/enterprise-protection for further information.

2. On the console menu, click the configuration (gear) icon and choose Login Accounts.

3. Click the User Roles tab and then the Add User Role button to open the Add User Role page.

4. On the Add User Role page, provide a Name (for example, “API Connector Extensions”), add a Description if you choose, and check the box for each permission needed for your client. Note that some permissions depend upon others, and you must have permission to view an object if you also intend to change it.

5. When you have configured the group, click the Enabled button in the Status line and click the Create & Exit button at the bottom of the page.

6. Click the Users tab, and on the Login Accounts: Users page, click Add User.

7. On the Add User page, provide a user name (for example, “API HashBanScript”) and password, and choose the User Role you created above.

8. Provide any other information you choose in the other fields.

9. At the bottom of the page, check the Show API token box and then click the Generate button. A string of characters appears in the API Token box.

10. Copy the API Token to a location from which you can copy it into your API code. Also make a record of the login user name the code is associated with.

11. Click the Save button at the bottom of the page.
 

Additional Notes

Important
Do not use the API Token in any way that displays it in clear text. If the API Token is compromised, open the Edit Login Account page for the API user, check the Show API token box, click Generate to produce a new token, and then click Save. Then use the new token for authentication.

To disable API access for a user that currently has permission, follow the steps above but click Clear instead of Generate. If server hardening is required, all API access should be removed.
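
The following Python sketch is an added example, not code from Carbon Black or from this article: it places the token in the 'X-Auth-Token' header of each request and keeps it out of source code and log output, as the note above requires. The environment variable name, the host name, the sample token, and the way the 'event' object name is appended to the base path `/api/bit9platform/v1` are assumptions made for illustration.

```python
import os
import urllib.request

API_BASE_PATH = "/api/bit9platform/v1"   # base path given in the article
TOKEN_ENV_VAR = "APPCONTROL_API_TOKEN"   # hypothetical variable name


def load_token(env=os.environ):
    """Fetch the token from the environment so it never sits in source code."""
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def redact(token):
    """Form that is safe to log: last four characters only."""
    return "*" * 8 + token[-4:] if len(token) > 8 else "*" * 8


def build_request(server, obj, token):
    """Build a GET request for one API object with the X-Auth-Token header."""
    if "://" in server or "/" in server:
        raise ValueError("pass a bare host name; HTTPS is always used")
    # Assumption: the object name is appended directly to the base path.
    req = urllib.request.Request(f"https://{server}{API_BASE_PATH}/{obj}")
    req.add_header("X-Auth-Token", token)
    return req


def describe(req):
    """Log-safe summary of a request: method, URL and redacted token."""
    token = req.get_header("X-auth-token")  # urllib stores keys capitalized
    return f"{req.get_method()} {req.full_url} X-Auth-Token={redact(token)}"


if __name__ == "__main__":
    # Constructed sample values, not a real server or token.
    sample_env = {TOKEN_ENV_VAR: "0123456789ABCDEF-constructed"}
    req = build_request("appcontrol.example.com", "event",
                        load_token(sample_env))
    print(describe(req))
    # To send it: urllib.request.urlopen(req, timeout=10), leaving
    # certificate verification on (the default).
```

Log `describe(req)` rather than the request headers, so a rotated or leaked log file never contains a usable token.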

Related Content

This appendix is a summary only. The full API documentation is available in two locations:
• Documentation for the REST API in your version of App Control is available through the console at https://<yourserveraddress>/api/bit9platform/v1.
• The App Control REST API documentation can also be found at https://developer.carbonblack.com/reference/enterprise-protection

The following additional resources are available for CB API developers:
• Carbon Black provides a Python module that developers can use for easy access to the REST APIs for App Control, Carbon Black EDR, and VMware Carbon Black Cloud. The documentation for this module is available at "cbapi: Carbon Black API for Python — cbapi 1.7.5 documentation".
• The source code for the CB API module (cbapi) for Carbon Black products is located on GitHub at carbonblack/cbapi-python (Carbon Black API - Python language bindings).
• Tutorials, blogs, and other CB API resources for App Control, Carbon Black EDR, and VMware Carbon Black Cloud are available on the Carbon Black Developer Network site.
 

Creation Date:
‎09-09-2021