FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Change Access Token Owner

ct_27
DynaMight Pro
DynaMight Pro

‎11 May 2023 08:36 AM - last edited on ‎12 May 2023 01:53 AM by Community Team

Scenario:   An employee creates multiple solution for a department using Dynatrace APIs.  This employee used their own ID to create a API Token to be used in all of his solutions. This employee leaves the organization but we need the API Token to continue working and change it's owner.

Is there a way in Dynatrace to change the 'Owner' of an existing API Token?

 

HigherEd
Labels:
0 Kudos
Reply
5 REPLIES 5

ChadTurner
DynaMight Legend
DynaMight Legend

‎11 May 2023 08:44 AM

I think that can be done via the API in Environment V2.

-Chad
0 Kudos
Reply

dannemca
DynaMight Leader
DynaMight Leader

‎11 May 2023 12:07 PM - edited ‎11 May 2023 12:08 PM

Unfortunately the PUT Token API is not able to change the Token owner..
https://www.dynatrace.com/support/help/dynatrace-api/environment-api/tokens-v2/api-tokens/put-token
You can rename, enable/disable, add/remove scopes only.

Let's open an idea for that.

 

Site Reliability Engineer @ Kyndryl
0 Kudos
Reply

Julius_Loman
DynaMight Legend
DynaMight Legend

‎14 May 2023 11:36 AM

The only proper solution is to rotate the tokens (manually or automatically) or use tokens created by a technical account which won't leave the company.  

I don't think changing the ownership is from a security point of view.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
0 Kudos
Reply

ct_27
DynaMight Pro
DynaMight Pro

‎15 May 2023 07:07 AM

Thank you everyone for your feedback.  

@ChadTurner  - I thought so as well but looks like you can for Credential Vault but not for Access Tokens. It is a good tip to know that if you submit a change to a Credential Vault using an Access Token owned by someone else it changes the owner to the person that last edited.   This actually causes a problem with our Secret Server process that changes passwords with a robot so no human knows the code, but it causes the robot to take ownership.

 

@dannemca  - it would be a good RFE, but DT will shoot it down for security reasons. I've already had some battles in the Access Token zone with them and have lost every one.

 

@Julius_Loman  - Correct, that's the same findings we've all had I was just hoping i was missing something.  Actually the reason we want to do this is for the same security reason you say.  A resource developed a few things and since we're not at a corporation security can be a bit more lax here, not discarded, just more lax.  We want to move this Access Token to a technical account for security but we can't risk right now breaking the unknowns. So, we wanted to change the owner to fix the situation.   

 

Oh well, thank you everyone for your input. DynaMights rock!!!

The solution: We're going to generate a new token under a technical account and replace what we know, I think we know of all the critical ones. Then deactivate the old account to see what breaks.  Hmmm....would be cool if DT maybe provided some audit details on what's been accessing the token over the past 30+ days (cough, cough...that RFE is around here somewhere).

 

HigherEd
0 Kudos
Reply

Julius_Loman
DynaMight Legend
DynaMight Legend
In response to ct_27

‎15 May 2023 07:10 AM

Just a quick note - if it is Dynatrace Managed - you can create such tokens with the built-in admin user. That user will never leave the company 😎 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply
Ask a question