ACSP Suggestion 2026.4: Fix API permission checks on NET

Suggestion

Author: Richard Laager   
Submitted On: 03 March 2026

Description:

If there are multiple ways to do the same thing, they should require the same permissions. They should not be inconsistent.

Steps to reproduce:

  1. Perform a Detailed Reassignment out of one of your NETs to another ORG.
  2. Try to GET that NET by handle using your API key.

Expected results: The GET succeeds.

Actual results: The GET is rejected for lack of permission. Only an API key of the “another ORG” can GET the NET.

Additional discussion:

  • I created the NET in the first place. If I created it, surely I should be able to GET it (assuming nothing else has changed in the state of the world).
  • I can DELETE the NET. If I can DELETE something, surely I should be able to GET it.
  • I can GET the NET if I ask using the start and end IP address (via a mostSpecificNet call), but I cannot GET it by its handle.
  • Anyone, without authentication, can view the same information using the WHOIS protocol, by handle or by IP address. This is equivalent to a GET.
  • Accordingly, the correct permission check for a GET on a NET is “return True”.
  • Similarly, if I can DELETE and then recreate something, I should be able to modify it using a PUT. So the PUT permission check should also allow those with access to the parent NET to PUT a (direct) child NET (since they could otherwise DELETE and recreate it with the same effect).

Value to Community: The NRPM requires documenting reassignments. ARIN discontinued the email interface in favor of the API. Having a correctly working API is useful.

Timeframe: Not specified

Status: Closed   Updated: 30 March 2026

Tracking Information

ARIN Comment

30 March 2026

Thank you for your suggestion, numbered 2026.4 upon confirmed receipt, requesting that ARIN change the API permissions checks for NETs.

After discussing other methods for retrieving this information with other existing tools, as well as future development plants, it was concluded that changes to the current API permissions are unnecessary at this time.

With the submitter’s agreement, this suggestion is now closed.

Thank you for participating in ARIN’s Consultation and Suggestion Process.

Regards,

ARIN

Related