topic Re: Change Access Token Owner in Dynatrace API

Change Access Token Owner

ct_27 — Fri, 12 May 2023 08:53:08 GMT

Scenario: An employee creates multiple solution for a department using Dynatrace APIs. This employee used their own ID to create a API Token to be used in all of his solutions. This employee leaves the organization but we need the API Token to continue working and change it's owner.

Is there a way in Dynatrace to change the 'Owner' of an existing API Token?

Re: Change Access Token Owner

ChadTurner — Thu, 11 May 2023 15:44:15 GMT

I think that can be done via the API in Environment V2.

Re: Change Access Token Owner

dannemca — Thu, 11 May 2023 19:08:47 GMT

Unfortunately the PUT Token API is not able to change the Token owner..
https://www.dynatrace.com/support/help/dynatrace-api/environment-api/tokens-v2/api-tokens/put-token
You can rename, enable/disable, add/remove scopes only.

Let's open an idea for that.

Re: Change Access Token Owner

Julius_Loman — Sun, 14 May 2023 18:36:43 GMT

The only proper solution is to rotate the tokens (manually or automatically) or use tokens created by a technical account which won't leave the company.

I don't think changing the ownership is from a security point of view.

Re: Change Access Token Owner

ct_27 — Fri, 02 Jun 2023 13:36:13 GMT

Thank you everyone for your feedback.

@ChadTurner - I thought so as well but looks like you can for Credential Vault but not for Access Tokens. It is a good tip to know that if you submit a change to a Credential Vault using an Access Token owned by someone else it changes the owner to the person that last edited. This actually causes a problem with our Secret Server process that changes passwords with a robot so no human knows the code, but it causes the robot to take ownership.

@dannemca - it would be a good RFE, but DT will shoot it down for security reasons. I've already had some battles in the Access Token zone with them and have lost every one.

@Julius_Loman - Correct, that's the same findings we've all had I was just hoping i was missing something. Actually the reason we want to do this is for the same security reason you say. A resource developed a few things and since we're not at a corporation security can be a bit more lax here, not discarded, just more lax. We want to move this Access Token to a technical account for security but we can't risk right now breaking the unknowns. So, we wanted to change the owner to fix the situation.

Oh well, thank you everyone for your input. DynaMights rock!!!

The solution: We're going to generate a new token under a technical account and replace what we know, I think we know of all the critical ones. Then deactivate the old account to see what breaks. Hmmm....would be cool if DT maybe provided some audit details on what's been accessing the token over the past 30+ days (cough, cough...that RFE is around here somewhere).

[UPDATE CT_27 6/2/2023] The RFE referenced above was created in Nov. 2022 please Kudo it. Here is the RFE Link

Re: Change Access Token Owner

Julius_Loman — Mon, 15 May 2023 14:10:27 GMT

Just a quick note - if it is Dynatrace Managed - you can create such tokens with the built-in admin user. That user will never leave the company 😎

Re: Change Access Token Owner

ct_27 — Fri, 02 Jun 2023 13:41:07 GMT

ok, so my situation is worse than expected and it's self inflicted. So, back before Dynatrace had Private Tokens I was the sole admin and created many API Tokens for people to do things and develop applications. We were like 3 days into Dynatrace so we were still learning.

If one day i decide to leave my company I now have a huge issue on my hands. All these important Keys have me as the owner. [NOTE: I'm on SaaS, which unlike Managed doesn't have a special Admin Account]

Dynatrace......is there any way to take these old Tokens and change the ownership? (I'll open a support case now) I'm sharing this in the forum in case others are in a similar situation or can learn from my actions.