Trying to prevent users from creating tokens #11971
Hi. I've read the issue but the updated documentation says: Is that right? Maybe the documentation should point that users can always create their tokens regardless of permissions on "Users > Token".
Replies: 2 comments 1 reply
Already answered here: #11821
I want to point out that, IIUC, if you allow read on the /users/tokens API, that means users can read _anyone's_ tokens, not just their own, so they can use the API to impersonate other users. That's probably not a permission you want to hand out.
And as Brian has kindly linked, you can use the web server config in front of the NetBox app server to block access to the web UI URL for token management, or use a Script or API client to audit which users have tokens, enforce your own rules about who gets to have them, and delete the ones you don't want. But using the API doesn't give someone more access than the web UI, so it should be a no-op (with the notable exception of the new read-only permissions on custom fields, which are only enforced in the UI).
—
Mark Tinberg
Division of Information Technology-Network Services
University of Wisconsin-Madison
From: Macedo
Sent: Monday, March 13, 2023 3:18 PM
Subject: [netbox-community/netbox] Trying to prevent users from creating tokens (Discussion #11971)
Hi.
I'm trying to prevent some users that have only read-only permissions from creating API tokens.
I've created a "read only all" permission selecting all object types but "Users > Token" and assigned it to that user.
But I noticed that ANY authenticated user can create tokens, whether or not it has the object on the permission.
I would like only a few admins to be able to create tokens, even for other users.
I've read the issue (#8436) but the updated documentation says:
"The ability to view, add, change, or delete tokens via the REST API itself is controlled by the relevant model permissions, assigned to users and/or groups in the admin UI."
I thought it was clear that if the user does not have the permission "Can add" he could not create tokens.
Is that right? Maybe the documentation should point out that users can always create their tokens regardless of permissions on "Users > Token".
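Mark's suggestion of auditing tokens through the API, worked as an added example that is not code from this discussion or from the NetBox project: it pages through /api/users/tokens/ (which, as noted above, needs a token allowed to read all tokens, so it is run as an admin), flags tokens held by users outside an admin-maintained allow-list, and by default only describes the DELETE it would issue. The host, admin token and allow-list are placeholders, and SAMPLE_TOKENS is a constructed stand-in for the endpoint's "results" entries so the filtering runs offline.

```python
# Audit NetBox API tokens against an allow-list of users (added example;
# not from the discussion or the NetBox project). NETBOX_URL, ADMIN_TOKEN
# and the allow-list passed in are assumptions you must replace.
import json
import urllib.request

NETBOX_URL = "https://netbox.example.invalid"  # placeholder, not a real host
ADMIN_TOKEN = "REPLACE_ME"  # token of the admin running the audit


def fetch_all_tokens(base_url, admin_token):
    """Page through /api/users/tokens/ and return every token object."""
    url = f"{base_url}/api/users/tokens/?limit=200"
    results = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Token {admin_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page["results"])
        url = page.get("next")  # None on the last page
    return results


def find_unauthorized_tokens(tokens, allowed_users):
    """Return (id, username, write_enabled) for tokens of non-allowed users."""
    allowed = set(allowed_users)
    return [(t["id"], t["user"]["username"], bool(t.get("write_enabled", True)))
            for t in tokens if t["user"]["username"] not in allowed]


def delete_token(base_url, admin_token, token_id, dry_run=True):
    """DELETE one token; with dry_run=True only describe the request."""
    url = f"{base_url}/api/users/tokens/{token_id}/"
    if dry_run:
        return f"would DELETE {url}"
    req = urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Token {admin_token}"})
    with urllib.request.urlopen(req) as resp:
        return f"DELETE {url} -> {resp.status}"


# Constructed sample of the endpoint's "results" entries, for offline use.
SAMPLE_TOKENS = [
    {"id": 1, "user": {"username": "admin"}, "write_enabled": True},
    {"id": 2, "user": {"username": "readonly-bob"}, "write_enabled": True},
    {"id": 3, "user": {"username": "netops"}, "write_enabled": False},
]
```

Against a live instance, replace SAMPLE_TOKENS with fetch_all_tokens(NETBOX_URL, ADMIN_TOKEN) and pass dry_run=False only once the flagged list has been reviewed.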