This is working for me:
"api-groups" : "A:stats:pools:devs:summary:version:switchpool,P:switchpool",
"api-allow" : "A:0/0,W:*,P:127.0.0.1",
echo "switchpool|2" | nc 127.0.0.1 4028
STATUS=S,When=1544249013,Code=27,Msg=Switching to pool 2:'stratum+tcp://zzzz:3333',Description=cgminer 4.10.0|
Seems the "trick" is to be sure to add the commands to api-groups but as a new group named P (can use any letter besides A or W), and then it seems that if I didn't add them to the A group as well I'd still get access denied. For some reason using W in place of P would not work for me. So I'm not sure if that's modified by Bitmain in bmminer or standard cgminer functionality, but I sure wasted too much time on something so trivial.
You can easily add your local LAN range to api-allow with 192.168.1.0/24, or specific IPs, which is better yet.
I ended up editing the strings in /www/pages/cgi-bin/set_miner_conf.cgi so that the conf isn't clobbered upon saving Miner Configuration in the web admin.
Btw, some notes for anyone else reading this. I left the W:* allow in there because it was "stock", but from what I can tell they might have mixed up the wildcard formatting, unless * happens to mean deny all, lol. The docs show W:0/0 as the format to allow all for a particular group (probably a very bad idea to set this, for obvious reasons), but the docs do show that for api-groups you can add :* to mean "all commands". I didn't bother testing it, but I suspect adding :* to the end of A might do the trick, but that opens up all read-only commands to "the world", so maybe not ideal even if it did work.
W:0/0 isn't bad unless your network is wide open... and it shouldn't be.
Jason
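Added example, not part of the thread and not cgminer or Bitmain code: a small audit of the api-groups / api-allow strings quoted above. It lists every api-allow entry that gives a state-changing command to a range wider than a /24, or whose address cannot be parsed. The SENSITIVE list, the /24 cut-off, treating W as the built-in privileged group, and the function names are assumptions of this sketch.

```python
import ipaddress

# Assumption: commands this audit treats as state-changing. "switchpool" is from
# the post; the others are cgminer pool/control commands.
SENSITIVE = {"switchpool", "addpool", "removepool", "enablepool",
             "disablepool", "quit", "restart"}

# The two settings exactly as quoted in the post.
PAGE_GROUPS = "A:stats:pools:devs:summary:version:switchpool,P:switchpool"
PAGE_ALLOW = "A:0/0,W:*,P:127.0.0.1"

def parse_groups(api_groups):
    """'A:cmd1:cmd2,P:cmd3' -> {'A': {'cmd1', 'cmd2'}, 'P': {'cmd3'}}"""
    groups = {}
    for item in api_groups.split(","):
        name, _, cmds = item.strip().partition(":")
        groups[name.upper()] = {c for c in cmds.split(":") if c}
    return groups

def parse_net(addr):
    """Return an ip_network, or None when addr is not IPv4[/prefix]."""
    if addr == "0/0":  # shorthand the post uses for "any address"
        addr = "0.0.0.0/0"
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def audit(api_groups, api_allow, min_prefix=24):
    """Return (entry, reason, sensitive_commands) for each risky api-allow entry."""
    groups = parse_groups(api_groups)
    findings = []
    for entry in (e.strip() for e in api_allow.split(",")):
        group, sep, addr = entry.partition(":")
        if not sep:  # bare address with no group letter
            group, addr = "", entry
        if group.upper() == "W":  # assumption: W is the built-in privileged group
            risky = set(SENSITIVE)
        else:
            risky = groups.get(group.upper(), set()) & SENSITIVE
        net = parse_net(addr)
        if net is None:
            findings.append((entry, "unparsed-address", sorted(risky)))
        elif risky and net.prefixlen < min_prefix:
            findings.append((entry, "sensitive-commands-on-broad-range", sorted(risky)))
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_GROUPS, PAGE_ALLOW):
        print(finding)
```

Run against the posted settings, it reports A:0/0 (switchpool reachable from any address that can connect to port 4028) and W:* (address not in IP/prefix form); P:127.0.0.1 passes.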