Add computers to manual group via Rest API

Hi Everyone,

I just want to know whether rest API can be used to add computer to a manual group if yes pls help me the procedure to accomplish the same.

Thanks
Raja

You should NEVER use manual groups. They are a bad idea.

Instead use an automatic group and set the relevance to only include computers by name, IP, MAC Address, Serial Number, etc… this will have the same effect and can be done with the REST API.


Related:

Thanks James for your response. We have a requirement to use REST API to create/modify manual group that is why i raised this question. From you response can i assume manual group create/modification is not possible via REST API?

I’d expect it is possible the docs are here:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/RESTAPI%20Computer%20Group

I’m fairly certain you cannot manipulate Manual Groups using the REST API, and again, I would highly recommend against this approach and would recommend using an Automatic Group that is manipulated with the REST API for the same purpose instead.

@gearoid I am not certain as I have not tried using that REST API call with a manual group, but you cannot export a manual group to a .BES file in the console, while you can do so for an automatic group. A manual group doesn’t have an XML representation, so it should not be possible to change it using the REST API.

I feel like manual groups should default to being unavailable in BigFix and you would have to turn them on using BES Admin if you really needed them for some reason. There should be at least an option to disable them in larger environments since they are a bad idea.

I understood now, as you mentioned there is no export option for manual group so there is no way to use the same in rest api.

Thanks @jgstew & @gearoid

1 Like

After checking the REST API call I can see that it works using sites. Manual groups are not linked to sites. So looks like they are not going to be supported with that call.

GET:
	/api/computergroup/{site}/{id}
	/api/computergroup/{site}/{id}/computers
PUT:
	/api/computergroup/{site}/{id}
POST:
	/api/computergroup/{site}/{id}
DELETE:
	/api/computergroup/{site}/{id}
1 Like

FYI to all the manual computer group is now possible via the REST API starting BigFix version 9.2.5.48.

The XSD is here:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/BESAPI.xsd

2 Likes

Adding a specific computer to an automatic group is cumbersome because you have to go looking for the ID or MAC address. And then when you want to see the members of the group, it’s even worse because you cannot easily see which computers are a member. If you add a computer by hostname this is potentially dangerous because it’s quite possible to have multiple machines of the same hostname in Bigfix (for example, if you were to re-install the OS or the Bigfix client). If automatic groups are the only recommended method of grouping computers, can you explain how one would easily maintain large groups in a safe and easy manner?

Can you explain how one would list the members of a manual group please? It’s still not in the API documentation from what I can see.

You can leverage the approach described by @gearoid above ( Add computers to manual group via Rest API )

With Computer Groups, you have to specify the site. Since manual computer groups are not associated with a site, you must reference ‘master’ for the site.

Given that, to return the machines associated with a specific manual computer group you could perform a GET against:

/api/computergroup/master/<id>/computers

You can identify the ID associated with the manual group either via the Console, or via the REST API by first performing a GET against:

/api/computergroup/master

It’s also possible to return the IDs of all manual computer groups with the following session relevance (which can be passed to the /api/query resource):

(id of it, name of it) of bes computer groups whose (manual flag of it)

Ah, manual groups are part of the Master site. Thanks!

So is it possible to add computers to a manual group via REST? Sorry, it’s unclear to me

It is possible to update manual computer groups via REST, yes.

For reference, please see https://developer.bigfix.com/rest-api/api/computergroup.html

As an example, you might first perform a GET operation against the given computer group with something like:

/api/computergroup/master/<id>

That will return the XML document you could leverage to update the given computer group. With the current schema, it would return XML such as the following:

<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <ManualComputerGroup Resource="https://bigfix:52311/api/computergroup/master/1260">
        <Name>Test Manual Group</Name>
        <EvaluateOnClient>false</EvaluateOnClient>
        <ComputerID>123456</ComputerID>
        <ComputerID>789101</ComputerID>
    </ManualComputerGroup>
</BESAPI>

Once you have the XML associated with the existing manual computer group, you can update it as desired, and then perform a PUT operation against the same /api/computergroup/master/<id> resource. Note that the ComputerIDs specified in the XML document that you PUT to the API should include all the ComputerIDs you want to be part of the manual group (rather than just the additions to the group). In this way, you are essentially updating the definition of the group in its entirety. A sample call to the IEM CLI might look like:

iem PUT group.xml /api/computergroup/master/1260

where group.xml contains the updated manual computer group XML definition.

1 Like

Thanks Aram, I thought it might be that, but when I tried it gave me the error:
Access to this site is not allowed by the requesting operator.

In the console my account (normal operator) is able to add computers to the manual group no problem.
I’m hoping I do not need full Master Operator permissions, because we really are not able to grant our API account this kind of access.

So, is it possible to add a computer to a manual group using REST without an MO account? This is the error I get anytime I try to do it:
Access to this site is not allowed by the requesting operator.

I don’t have an MO account to test, nor will I be able to use one with REST in production, anyway.

If you’re finding that it is not possible to add a computer to a manual group via REST API without an MO account, I would suggest opening a PMR (particularly since you are able to perform that function within the Console without MO).

@seanscriv, Sean, I suspect there are 2 key pieces of info needed to get us going with adding computers to Manual Groups via the REST API.

  • Firstly, the URL is slightly different than the “master” format, and it should look something like this:
https://<your server>/api/computergroup/operator/<operator name>/<manual group id>

Looks like this on mine:

https://localhost:52311/api/computergroup/operator/marco/647
  • Secondly, I notice the PUT method will REPLACE the list entirely as an update. So if you have a manual group with 10 members, and you want to add 2 more, you should first get a list of all 10, then combine with the 2 new additions before PUTting.

I will post a few of my example URLs next.

@seanscriv, some additional info in case useful.

Firstly I login as a Master Operator to get info for my Non-Master Operator

Logged in as: Master Operator
Method: GET
URL: https://localhost:52311/api/operators

Response:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <Operator Resource="https://localhost:52311/api/operator/marco">
        <Name>marco</Name>
        <LastLoginTime>Thu, 22 Dec 2016 20:01:11 +0000</LastLoginTime>
        <MasterOperator>false</MasterOperator>
        <CustomContent>true</CustomContent>
        <ShowOtherActions>true</ShowOtherActions>
        <CanCreateActions>true</CanCreateActions>
        <PostActionBehaviorPrivilege>AllowRestartAndShutdown</PostActionBehaviorPrivilege>
        <ActionScriptCommandsPrivilege>AllowRestartAndShutdown</ActionScriptCommandsPrivilege>
        <CanLock>true</CanLock>
        <CanSendMultipleRefresh>true</CanSendMultipleRefresh>
        <CanSubmitQueries>false</CanSubmitQueries>
        <LoginPermission>Unrestricted</LoginPermission>
        <UnmanagedAssetPrivilege>ShowAll</UnmanagedAssetPrivilege>
        <InterfaceLogins>
            <Console>true</Console>
            <WebUI>true</WebUI>
            <API>true</API>
            <Applications>
                <Name>appadmin</Name>
                <Name>custom</Name>
                <Name>patch</Name>
                <Name>prfmgr</Name>
                <Name>query</Name>
                <Name>swd</Name>
            </Applications>
        </InterfaceLogins>
    </Operator>
</BESAPI>

Get the list of Computer Groups accessible by Marco - the Non-Master Operator

Logged in as: Marco (Non Master Operator)
Method: GET
URL: https://localhost:52311/api/computergroups/operator/marco

Response:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <ComputerGroup Resource="https://localhost:52311/api/computergroup/operator/marco/647" LastModified="Thu, 22 Dec 2016 19:54:56 +0000">
        <Name>MarcoManualGroup</Name>
        <ID>647</ID>
    </ComputerGroup>
    <ComputerGroup Resource="https://localhost:52311/api/computergroup/operator/marco/649" LastModified="Thu, 22 Dec 2016 19:49:53 +0000">
        <Name>Aura Building</Name>
        <ID>649</ID>
    </ComputerGroup>
</BESAPI>

Listing the current members of the Manual Group “MarcoManualGroup” so we have the XML for posting

Logged in as: Marco (Non Master Operator)
Method: GET
URL: https://localhost:52311/api/computergroup/operator/marco/647

Response:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <ManualComputerGroup Resource="https://localhost:52311/api/computergroup/operator/marco/647">
        <Name>MarcoManualGroup</Name>
        <EvaluateOnClient>false</EvaluateOnClient>
        <ComputerID>2538330</ComputerID>
    </ManualComputerGroup>
</BESAPI>

List the computers managed by Marco so that we can copy the Computer IDs needed

Logged in as: Marco (Non Master Operator)
Method: GET
URL: https://localhost:52311/api/computers

Response:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <Computer Resource="https://localhost:52311/api/computer/186543">
        <LastReportTime>Fri, 28 Oct 2016 18:12:49 +0000</LastReportTime>
        <ID>186543</ID>
    </Computer>
    <Computer Resource="https://localhost:52311/api/computer/787733">
        <LastReportTime>Thu, 24 Nov 2016 20:57:55 +0000</LastReportTime>
        <ID>787733</ID>
    </Computer>
</BESAPI>

The actual URL for adding (replacing remember?) members of the Manual Group

Logged in as: Marco (Non Master Operator)
Method: PUT
URL: https://localhost:52311/api/computergroup/operator/marco/647

Post Body:
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
    <ManualComputerGroup Resource="https://localhost:52311/api/computergroup/operator/marco/647">
        <Name>MarcoManualGroup</Name>
        <EvaluateOnClient>false</EvaluateOnClient>
        <ComputerID>2538330</ComputerID>
        <ComputerID>186543</ComputerID>
        <ComputerID>787733</ComputerID>
    </ManualComputerGroup>
</BESAPI>

1 Like

And, there’s this (if it’s any help): -) Two versions, one in python, -) one in powershell
check out by issuing command: git clone https://github.com/jpsthecelt/createIEMgroup.git

jpsthecelt

2 Likes