There is the option to use security policies to give users direct view or edit access on some specific schemas.
ALLOW settings:objects:read, settings:objects:write, settings:schemas:read
WHERE settings:schemaId = "builtin:alerting.maintenance-window";
But how can I create an API token with only that permission? The API-token scopes are not fine-grained, I presume.
At the moment, tokens use their own scopes so you can't use policies on them, that's correct. I could see the benefit of being able to provide policies for API tokens as well.
The only workaround today is personal access tokens, which inherit the permissions of the user that created the token, so this also means the policies attached to the customer.
Using personal access tokens is difficult because it would require some kind of technical user, which we don't have. It's not the biggest deal, of course, since we treat tokens as secrets. But if one were to leak, it would give access to all settings, while it could be restricted.