Read-only users ability to add API-keys

[AndreasMoe]

Hi, created a read-only/view permission for a group of users. All working fine, but the user is still able to add user API-keys. How can I disable the users ability to add API-Keys to their Users?

Can this be set using constraints? if so, how?

[kkthxbye-code]

If you mean in the UI, there's no way to prevent a user from creating a token for their own account.

[mtinberg]

And to be extra clear, the user-generated API key is constrained by the same access permissions as the user, so it doesn't give them any new access they didn't already have. Is there a reason to not allow API access if the user wants it? You may be able to add some access control in the webserver config of your reverse proxy prevent access to the token generating URL based on whatever the webserver knows about (client IP or REMOTE_USER/groups if the front-end webserver is doing SSO/authn) if you really feel the need to block this. — Mark Tinberg ***@***.***> Division of Information Technology-Network Services University of Wisconsin-Madison

…

________________________________ From: kkthxbye ***@***.***> Sent: Tuesday, January 3, 2023 4:45 AM To: netbox-community/netbox ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [netbox-community/netbox] Read-only users ability to add API-keys (Discussion #11366) If you mean in the UI, there's no way to prevent a user from creating a token for their own account. — Reply to this email directly, view it on GitHub<#11366 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UM5LFIIYCK27Q5RNYI3WQP7MXANCNFSM6AAAAAATPQZGXI>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>