Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
Currently, organization admins can follow the steps in this KB to track managed accounts' API tokens:
https://www.atlassian.com/software/access/guide#api-token-controls
The same capability does not exist for external users, who are not managed and who may be using their API tokens across Atlassian Cloud sites managed by the organization admin.
Suggested Solution
Provide the ability, as with managed users, to track external users' API tokens and see when each token was last used on the sites managed by the organization.
Revoking API tokens for external users won't be feasible for privacy reasons; instead, the ability to move the user to an external user security policy that blocks API tokens on the site would be beneficial.
Why this is important
- Many companies have third-party accounts that will need to use API tokens on their sites
- Security teams need the ability to track and report on these API tokens
- Based on the information received from the reports, there should be a simple way to quickly and selectively block a user's API tokens on the site
Workaround
At this moment, you can assign users to your external security policy that blocks API token access, but there is no way to determine how the API tokens are being used.