Why can't Administrators create API Tokens?

  • 3 December 2023
  • 9 replies
  • 90 views

Userlevel 7
Badge +8

It makes no sense that Administrators cannot themselves create API Tokens (e.g. for new API-only users in a read-only role).

I have to either:

  1. Ask someone to demote my account (e.g. to the “manager” role)
  2. Create the API Token
  3. Ask them to promote my account back to the administrator role

OR

Create myself a second identity (which is contrary to our security policy).

OR

Create an API Token creation tool to bypass this nonsense.


9 replies

Userlevel 5
Badge +4

I agree with this 100%

I have to have a second admin account for myself just for this purpose and it’s just silly. Even if it is set up like this for security reasons, we should have the option to allow or disable being able to create tokens by role.

Userlevel 5
Badge +4
  • The LogicMonitor REST API will allow you to programmatically query and manage your LogicMonitor resources: dashboards, devices, reports, services, alerts, collectors, datasources, SDTs and more.
  • This key has FULL access to all the components across LM. API keys are used for programmatic access to an LM Portal.
  • The combination of out-of-box (OOB) admin permissions with the use of an API token can create a risk of the token becoming compromised which may cause unnecessary havoc in an LM Envision portal.
  • Customers can create a new role, link it to the new or existing user and assign all the permissions needed to perform their task.
  • If the user is already linked to an Administrator role, he has all the privileges to demote himself to Manage role; no need to ask someone.

Userlevel 5
Badge +4

@pgordon : Re: second admin account for myself just for this purpose: 

  • Customers can create a new role or switch to an existing non-administrator role (OOB), link it to the new or existing user as per their needs and assign all the permissions needed to perform their task. No need to create another admin account.

Re: we should have the option to allow or disable being able to create tokens by role

  • Yes, that option is still there and will continue to exist.

Userlevel 7
Badge +20

I cloned the admin role and moved my admins into that role. IIRC that removes that restriction since you are only restricted if you are in the built-in admin role.

Userlevel 7
Badge +8

@abhishek bhambore - you missed my point:

Administrators cannot create API-only users

@Stuart Weenig - YOU get it.

I will create a duplicate role.

Userlevel 2
Badge

Any user except an out-of-the-box administrator user role can create API tokens. Be sure to check the Allow Creation of API Token checkbox under Settings > User Profile.

Userlevel 7
Badge +8

@Sambhaji Kadam

Yes. And I understand that LogicMonitor is protecting us from ourselves by not permitting administrators to create API tokens for their own user.

My point is that administrators should not be prevented from creating API-only users.

Userlevel 5
Badge +4

LM imposes restrictions specifically on default system-created administrators (OOB role) with ID=1, preventing them from connecting to the API token. However, customers have the flexibility to generate a new role or duplicate an existing role, associate it with the user, and assign the necessary permissions, enabling them to elevate the new role to a level equivalent to the OOB admin role.
