11 May 2023 08:36 AM - last edited on 12 May 2023 01:53 AM by MaciejNeumann
Scenario: An employee creates multiple solutions for a department using Dynatrace APIs. This employee used their own ID to create an API Token to be used in all of their solutions. This employee leaves the organization, but we need the API Token to continue working and change its owner.
Is there a way in Dynatrace to change the 'Owner' of an existing API Token?
I think that can be done via the API in Environment V2.
Unfortunately the PUT Token API is not able to change the Token owner.
https://www.dynatrace.com/support/help/dynatrace-api/environment-api/tokens-v2/api-tokens/put-token
You can rename, enable/disable, add/remove scopes only.
Let's open an idea for that.
The only proper solution is to rotate the tokens (manually or automatically) or use tokens created by a technical account which won't leave the company.
I don't think changing the ownership is from a security point of view.
Thank you everyone for your feedback.
@ChadTurner - I thought so as well but looks like you can for Credential Vault but not for Access Tokens. It is a good tip to know that if you submit a change to a Credential Vault using an Access Token owned by someone else it changes the owner to the person that last edited. This actually causes a problem with our Secret Server process that changes passwords with a robot so no human knows the code, but it causes the robot to take ownership.
@dannemca - it would be a good RFE, but DT will shoot it down for security reasons. I've already had some battles in the Access Token zone with them and have lost every one.
@Julius_Loman - Correct, that's the same findings we've all had; I was just hoping I was missing something. Actually the reason we want to do this is for the same security reason you say. A resource developed a few things and since we're not at a corporation, security can be a bit more lax here, not discarded, just more lax. We want to move this Access Token to a technical account for security but we can't risk right now breaking the unknowns. So, we wanted to change the owner to fix the situation.
Oh well, thank you everyone for your input. DynaMights rock!!!
The solution: We're going to generate a new token under a technical account and replace what we know, I think we know of all the critical ones. Then deactivate the old account to see what breaks. Hmmm... would be cool if DT maybe provided some audit details on what's been accessing the token over the past 30+ days (cough, cough... that RFE is around here somewhere).
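The rotation described in the post above (re-create each token under a technical account, then disable rather than delete the old one so it can be re-enabled if something unknown breaks), as an added example that is not from the thread or from Dynatrace. It builds the Tokens v2 requests offline against a constructed token listing; the `owner` and `lastUsedDate` field names and the `tok-...` ids are assumptions, check them against your tenant's schema before use.

```python
import json
from datetime import datetime

# Constructed sample shaped like a GET /api/v2/apiTokens response.
# Field names (owner, lastUsedDate) and ids are assumed, not real values.
SAMPLE_LIST = json.loads("""
{"apiTokens": [
 {"id": "tok-001", "name": "reporting-bot", "enabled": true, "owner": "jdoe",
  "lastUsedDate": "2023-05-09T10:00:00.000Z",
  "scopes": ["metrics.read", "entities.read"]},
 {"id": "tok-002", "name": "old-poc", "enabled": true, "owner": "jdoe",
  "lastUsedDate": "2022-11-01T08:00:00.000Z", "scopes": ["metrics.read"]},
 {"id": "tok-003", "name": "svc-dashboards", "enabled": true,
  "owner": "svc-dynatrace", "lastUsedDate": "2023-05-10T00:00:00.000Z",
  "scopes": ["metrics.read"]}
]}
""")


def _parse(ts):
    # Dynatrace timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def tokens_owned_by(listing, owner):
    return [t for t in listing["apiTokens"] if t.get("owner") == owner]


def replacement_request(token, name_prefix="svc-"):
    # POST creates the replacement with the same scopes. Its owner is whoever
    # authenticates the call, so send it with the technical account's token.
    return {"method": "POST", "path": "/api/v2/apiTokens",
            "body": {"name": name_prefix + token["name"], "scopes": token["scopes"]}}


def disable_request(token):
    # PUT accepts name/enabled/scopes only (owner is not writable), so the old
    # token is disabled, not deleted: re-enabling it is the rollback path.
    return {"method": "PUT", "path": f"/api/v2/apiTokens/{token['id']}",
            "body": {"name": token["name"], "enabled": False, "scopes": token["scopes"]}}


def handover_plan(listing, departed_owner, now_iso, stale_days=30):
    # Tokens unused for stale_days get no replacement, only the disable step;
    # lastUsedDate stands in for the per-token audit trail the post asks for.
    now = _parse(now_iso)
    plan = []
    for t in tokens_owned_by(listing, departed_owner):
        stale = (now - _parse(t["lastUsedDate"])).days > stale_days
        plan.append({"id": t["id"], "stale": stale,
                     "create": None if stale else replacement_request(t),
                     "disable": disable_request(t)})
    return plan
```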
Just a quick note - if it is Dynatrace Managed - you can create such tokens with the built-in admin user. That user will never leave the company 😎