Bulk operations in Nexpose can be time-consuming when done by hand; user provisioning is a good example. Using the Nexpose API saves time and eliminates the error-prone process of doing everything manually. In this blog post, I want to demonstrate how you can manage users using the Nexpose API. I will be using an open source Java API client, which is available on GitHub at clee-r7/nexpose_java_api.

Logging Into Nexpose

Before provisioning users, we need to log into Nexpose. Here is an example of how to log in.

APISession session = new APISession(new URL(nexposeConsoleURL), "xml", APISupportedVersion.V1_2, username, password);  
APIResponse response = session.login(null);  

For the example above, you will have to specify the URL of your Nexpose console, your username, and your password. Now that we have successfully logged in, we can move on to retrieving a list of users in Nexpose. Remember to hold a reference to the APISession object; the object is required for the later examples.

Listing Users

The example below makes an API request to UserListingRequest in order to retrieve the list of users. Each user's information is located inside of the UserSummary element. The last statement populates the NodeList object with a list of the users, including their user ID.

UserListingRequest request = new UserListingRequest(session.getSessionID(), null);  
APIResponse response = session.executeAPIRequest(request);  
NodeList users = response.grabNodes("//UserListingResponse/UserSummary");  

Creating Multi-tenant Users

This next example creates a multi-tenant user for a silo. For this example, the silo ID is "silo1". All of the user's properties as well as permissions are declared at the beginning for clarity.

// specify user info  
String fullName = "Bobby Jones";  
String authSourceID = "2";  
String email = "";  
String userName = "nxUser";  
String password = "mypassword";  
String isEnabled = "true";  
String isSuperUser = "false";  
// silo and role information  
String siloID = "silo1";  
String defaultSilo = "true";  
String roleName = "global-admin"; // can be the name of any of the built-in roles in Nexpose or user-defined roles  
String accessToAllSites = "true";  
String accessToAllGroups = "false";  
// for every silo you want the user to have access to, create a separate SiloAccess object and add it to the list "silos"  
SiloAccess siloAccess = new SiloAccess(accessToAllGroups, accessToAllSites, defaultSilo, roleName, siloID);  
List<SiloAccess> silos = new ArrayList<SiloAccess>();  
silos.add(siloAccess);  
MultiTenantUserConfigSiloAccessGenerator siloAccessGenerator = new MultiTenantUserConfigSiloAccessGenerator();  
// make the request to create the user  
MultiTenantUserCreateRequest request =  
   new MultiTenantUserCreateRequest(  
APIResponse response = session.executeAPIRequest(request);  
// get the user's ID from the response  
String userID = response.grab("//MultiTenantUserCreateResponse/@user-id");  

Deleting Multi-tenant Users

String userID = "USER_ID_PLACEHOLDER"; // placeholder value; use the ID retrieved using the UserListingRequest from the example above  
MultiTenantUserDeleteRequest deleteRequest = new MultiTenantUserDeleteRequest(session.getSessionID(), null, userID);  
APIResponse deleteResponse = session.executeAPIRequest(deleteRequest);  

Deleting a user requires specifying the user's unique ID. This is the ID returned in the response to MultiTenantUserCreateRequest. You can also read it from the UserSummary element in the user listing example above.
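
To show how the user ID can be read from the UserSummary elements, here is an added example (not from the original post or the API client project) that walks the same XPath over a constructed UserListingResponse and flags enabled administrator accounts. The class name, the sample XML and the attribute names (id, userName, fullName, administrator, disabled) are assumptions; check them against the response your console returns.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UserSummaryAudit {
    // Constructed sample response; the attribute names are assumptions.
    static final String SAMPLE =
        "<UserListingResponse success=\"1\">"
      + "<UserSummary id=\"1\" userName=\"nxadmin\" fullName=\"Console Admin\" administrator=\"1\" disabled=\"0\"/>"
      + "<UserSummary id=\"7\" userName=\"nxUser\" fullName=\"Bobby Jones\" administrator=\"0\" disabled=\"0\"/>"
      + "<UserSummary id=\"9\" userName=\"old-svc\" fullName=\"Old Service\" administrator=\"1\" disabled=\"1\"/>"
      + "</UserListingResponse>";

    // Map userName -> user ID, the value MultiTenantUserDeleteRequest needs.
    static Map<String, String> userIds(NodeList users) {
        Map<String, String> ids = new LinkedHashMap<>();
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            ids.put(u.getAttribute("userName"), u.getAttribute("id"));
        }
        return ids;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject DOCTYPE declarations so a hostile response cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        // Same XPath as the listing example's response.grabNodes(...) call.
        NodeList users = (NodeList) XPathFactory.newInstance().newXPath()
            .evaluate("//UserListingResponse/UserSummary", doc, XPathConstants.NODESET);

        System.out.println("IDs by user name: " + userIds(users));
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            // Enabled administrators are the accounts to review after bulk provisioning.
            if ("1".equals(u.getAttribute("administrator")) && !"1".equals(u.getAttribute("disabled"))) {
                System.out.println("enabled administrator: " + u.getAttribute("userName")
                    + " (id " + u.getAttribute("id") + ")");
            }
        }
    }
}
```

With the API client, the NodeList returned by response.grabNodes(...) in the listing example can be passed to userIds(...) directly, assuming it is an org.w3c.dom.NodeList.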