API - using to set Reader permission on external site?

Customizations
1

I have an automation requirement to grant Reader permission on an External Site, using the BigFix API.

By default BigFix grants no (“None”) permissions to non-master Operators when an External Site is enabled. Master Operators are granted an effective permission of “Reader”.

My issue is that I have a non-Master operator that uses the API to extract data from External Sites. I have automation which grants this operator Reader permissions over all Custom Sites. When I try to do this for External Sites I get a permission denied (because even Master Operators only hold Reader permissions on the External Sites).

The only way to can grant the Reader permission is to log onto the Console as a Master Operator and manually click on the Reader permission to grant it for my operator. This is not ideal, as I need to do this as part of a fully automated pipeline.

I am reaching out to see if anyone has any ideas or suggestions as to how this might be achieved?

Since I can grant the right via the Console as Master Operator (even though I only hold Reader permission), should it not be the case that I ought to be able to to the same using the API?

2

I am trying to POST the following:

<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
        <SitePermission>
                <Permission>Reader</Permission>
                <Operator Resource="http://localhost:52311/api/operator/Joe">Joe</Operator>
        </SitePermission>
</BESAPI>

I am posting this to the following resource:

https://<bigfix server>:52311/api/site/external/Enterprise%20Security/permission/operator/Joe

Joe is the existing non-Master operator whom I want to grant Reader permissions to on the Enterprise Security external site.

I am posting this using credentials of a Master Operator.

I receive the following:

Access to this site is not allowed by the requesting operator

3

I found an APAR which seems to suggest this was raised as a software defect, and that it was fixed in 9.5.13?

https://www.ibm.com/support/pages/node/4510305:

Issue BFP-10120 - APAR IV99815  - IT IS NOT ALLOWED TO MODIFY THE OPERATOR PERMISSIONS FOR EXTERNAL SITES USING REST API

However, this doesn’t seem to work for me. I’ve also tried the same in 9.5.14 and get the same error.