Netskope Global Technical Success (GTS)
KB - How does API V2 work with RBAC V3?
Netskope Cloud Version - 128
Objective
Understand how to create API V2 endpoints and tokens in the new RBAC V3.
Prerequisite
RBAC V3 Enabled
The RBAC V3 service is not enabled by default in tenants upon release. It is being rolled out progressively.
Context
In this knowledge base article, we'll understand how to create API V2 endpoints and tokens in the new RBAC V3.
Do You Know?
Netskope has introduced a new Role-Based Access Control (RBAC) model called RBAC V3, designed to provide greater flexibility and granularity in how administrative roles are assigned and managed.
Here are some key highlights:
- Custom Roles: You can now create roles tailored to specific job functions by selecting from a wide list of permissions grouped by feature.
- Scoped Access: RBAC V3 supports scoped roles, meaning you can assign roles that apply only to specific organizational units (OUs), locations, or user groups.
- Predefined Roles: Netskope provides predefined roles such as Tenant Admin, Security Admin, and Read-Only Admin, which can be assigned as-is or used as templates for custom roles.
- API Support: RBAC V3 works seamlessly with API V2, ensuring that users with scoped permissions only see and act on resources they're authorized for, even when using APIs.
How to create API V2 on RBAC V3?
The first significant change in RBAC V3 is that the API v2 section will no longer be used to create endpoints or generate tokens. This section will only contain the API v2 documentation and the endpoints that were created prior to the migration to RBAC V3.
**Note:** Please keep in mind that previously created endpoints will not be affected and will continue to function normally until their expiration date. Those existing endpoints cannot be extended or reissued—you can only edit, revoke, or delete the token.
With that said, we will now go over how to create new endpoints and obtain the token.
We need to navigate to Settings > Administration > Administrators & Roles > Roles and create a New Role.
Note: In RBAC V3, roles define which endpoints we can use. For example, in this case, we are going to create a role that allows a SCIM integration.
When creating the role, we add a name—in this case, we’ll call it SCIM API. We also add a description for the role to provide more details about its purpose.
Then, we select the Administration section to display all available administrator permissions.
We proceed to mark all unnecessary permissions as None, leaving only Manage Users & Groups enabled for this role.
If you hover over the information icon to the right of the permission, you can see the specific endpoints included under that permission—such as the READ and WRITE endpoints for users and groups, which are the ones we need. Click Save.
Now go to the Administrators section and click on Service Account.
Add the Service Account Name and select the role we created earlier. In this section, you can also define the duration of the token, which can be set to hours, days, weeks, or months.
You can also choose to generate the token later.
After creating the service account, a popup will appear allowing you to copy your token.
We will be able to view our created service account directly in the Administrators section, and we can perform certain actions such as: edit, disable, regenerate, change expiration, or revoke.
Now the service account is created with the assigned role, ready to perform your SCIM integration.
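A least-privilege check for the token issued above, as an added example that is not part of the original article and is not Netskope's own code: it confirms that the SCIM API role reaches the users and groups endpoints and is refused on an endpoint outside the role. The `Netskope-Api-Token` header, the endpoint paths, and the environment variable names are assumptions to confirm against the API v2 documentation in your tenant.

```python
import os
import urllib.error
import urllib.request

# Assumptions (not from the article): header name and endpoint paths below.
# Confirm them in the tenant's API v2 documentation before relying on results.
TOKEN_HEADER = "Netskope-Api-Token"
IN_SCOPE = ["/api/v2/scim/Users", "/api/v2/scim/Groups"]  # role should allow
OUT_OF_SCOPE = ["/api/v2/events/data/alert"]              # role should deny


def http_status(url, token):
    """Send a GET with the service account token and return the HTTP status."""
    req = urllib.request.Request(url, headers={TOKEN_HEADER: token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are raised as exceptions; keep the code


def audit_token_scope(base_url, token, fetch=http_status):
    """Return findings; an empty list means the role is scoped as intended."""
    findings = []
    for path in IN_SCOPE:
        status = fetch(base_url + path, token)
        if status != 200:
            findings.append(f"MISSING {path} -> {status}")
    for path in OUT_OF_SCOPE:
        status = fetch(base_url + path, token)
        if 200 <= status < 300:  # any success here means excess permission
            findings.append(f"EXCESS {path} -> {status}")
    return findings


if __name__ == "__main__":
    # NETSKOPE_TENANT_URL and NETSKOPE_TOKEN are hypothetical variable names;
    # read the token from the environment rather than hard-coding it.
    results = audit_token_scope(os.environ["NETSKOPE_TENANT_URL"],
                                os.environ["NETSKOPE_TOKEN"])
    for line in results or ["OK: token is limited to the SCIM endpoints"]:
        print(line)
```

An `EXCESS` finding means the role still has a permission that should have been set to None; a `MISSING` finding means Manage Users & Groups was not left enabled or the token has expired or been revoked.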
IMPORTANT: Netskope Migration from RBACv2 to RBACv3
As part of the migration from RBACv2 to RBACv3 currently being implemented across Netskope tenants, we are providing additional reference material.
The following illustrative video offers deeper insights into the use of REST API v2 tokens with RBACv3. This content is meant to serve as complementary information after the migration process has been completed.
Please refer to the video for further details.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.



