28 Sep 2023 01:44 PM
There is the option to use security policies to give users direct view or edit access on some specific schemas.
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:alerting.maintenance-window";
But how can I create an API token with only that permission? The API-token scopes are not fine-grained, I presume.
28 Sep 2023 01:59 PM
At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.
The only workaround today is personal access tokens which inherit the permissions of the user that created the token, so this means also the policies attached to the customer.
28 Sep 2023 02:23 PM
Using personal access tokens is difficult because it would require some kind of technical user, which we don't have. It's not the biggest deal, of course, since we treat tokens as secrets. But if one would leak, it would give access to all settings while it could be restricted.
02 Feb 2024 08:13 PM
We have the same need here; we would like tokens (not personal ones) with more granular security to be able to give teams the right to manage only what they are supposed to.
It is a big show stopper for DevOps practices.