Netbox API Tokens Permissions #11821
Hello there! I'm trying to create custom permissions for the actions of creating/deleting/updating/viewing API tokens, but it seems that even a new user with no permissions at all has full access to token creation. I tried disabling the token permissions and adding constraints to the token permissions, but neither works. What am I missing here? Thanks!
If you mean creating tokens for your own user in the UI, then that is not something you can turn off. The API token has the same access as the user has in the UI.
While this may not solve your problem the way you were planning, there is an API endpoint which can see user tokens /api/users/tokens/, so you can audit who has tokens and report on changes or DELETE tokens if necessary. The URL for token management /user/api-tokens/ could also be blocked at the http proxy level if need be, or restricted based on group if you are doing auth in the webserver, right?
—
Mark Tinberg
Division of Information Technology-Network Services
University of Wisconsin-Madison
From: Leo-scs
Sent: Friday, February 24, 2023 10:16 AM
We wanted to restrict it so that only one user can generate API tokens to centralize management and know where the tokens are being used.
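The audit approach suggested in the reply above, as an added example that is not part of the original thread or NetBox's own code: it lists tokens from `/api/users/tokens/`, flags owners outside an allow-list, and reports tokens added or removed since the previous run. The allow-list account name, the sample records, and the premise that the auditing account is permitted to view all tokens are assumptions.

```python
import json
import urllib.request

# Assumption: the single account that is supposed to own API tokens.
ALLOWED_OWNERS = {"svc-automation"}

# Constructed sample records, reduced to the fields the audit reads.
SAMPLE_TOKENS = [
    {"id": 1, "user": {"username": "svc-automation"}},
    {"id": 2, "user": {"username": "alice"}},
    {"id": 3, "user": {"username": "svc-automation"}},
]

def fetch_tokens(base_url, api_key):
    """Walk the paginated /api/users/tokens/ listing and return every record."""
    url, tokens = f"{base_url}/api/users/tokens/?limit=100", []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Token {api_key}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=10) as resp:
            page = json.load(resp)
        tokens.extend(page["results"])
        url = page.get("next")  # None on the last page
    return tokens

def unauthorized_owners(tokens, allowed=ALLOWED_OWNERS):
    """Return (token id, username) for tokens owned outside the allow-list."""
    return [(t["id"], t["user"]["username"])
            for t in tokens if t["user"]["username"] not in allowed]

def token_changes(tokens, previous_ids):
    """Compare against the ids seen on the last run: (added, removed)."""
    current = {t["id"] for t in tokens}
    return sorted(current - previous_ids), sorted(previous_ids - current)

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_tokens(...) for live use.
    for token_id, owner in unauthorized_owners(SAMPLE_TOKENS):
        print(f"token {token_id} is owned by {owner}, outside the allow-list")
    added, removed = token_changes(SAMPLE_TOKENS, previous_ids={1, 9})
    print("added since last run:", added, "removed since last run:", removed)
```

Persist the set of token ids between runs (a file or a monitoring system) so that `token_changes` has a baseline to compare against.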