Atlassian Guard / ACCESS-96

Ability to manage API token creation as an organization admin


      Problem Definition

      Atlassian accounts are able to generate API tokens for use with Jira and Confluence cloud APIs. At the moment, org admins can only revoke these tokens but they cannot enforce policies on the token usage of their managed accounts.

      Suggested Solution

      If a user belongs to an organization, give admins the following abilities:

      • Enable or block a managed account from issuing tokens
      • Make the creation of API tokens admin-only
      • Log or track the creation of API tokens (such as in audit logs) 
      • Set a default expiration for the tokens that can be created (i.e., 1 week; unlimited not allowed). See ID-7825
      • Have the ability to extract a report of all users that currently have API tokens
      • Track whether API keys are used by a user in any project
      • Track and report on API key usage
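      The controls listed above amount to a token-inventory policy: who may hold a token, how long it may live, and whether it is actually used. The following is an added example (not Atlassian's code and not an Atlassian API; the inventory rows, field names and account data are constructed for illustration) that evaluates such a policy over a hypothetical token export. The one-week maximum lifetime and the "unlimited not allowed" rule come from the list above; the 30-day dormancy window is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy values: the one-week default lifetime and the ban on unlimited
# tokens come from the ticket; the dormancy window is an assumption here.
MAX_LIFETIME = timedelta(days=7)
DORMANT_AFTER = timedelta(days=30)


@dataclass
class ApiToken:
    """One row of a hypothetical token inventory export (not an Atlassian API shape)."""
    account_id: str
    email: str
    managed: bool                    # True if the org manages this account
    created: datetime
    expires: Optional[datetime]      # None means the token never expires
    last_used: Optional[datetime]    # None means the token has never been used
    label: str = ""


def evaluate(token: ApiToken, now: datetime,
             max_lifetime: timedelta = MAX_LIFETIME,
             dormant_after: timedelta = DORMANT_AFTER) -> List[str]:
    """Return the policy findings for one token; an empty list means compliant."""
    findings: List[str] = []
    if not token.managed:
        # Org admins can only govern managed accounts; a token held by any
        # other account sits outside the admin control plane entirely.
        findings.append("unmanaged-account")
    if token.expires is None:
        findings.append("no-expiry")
    elif token.expires - token.created > max_lifetime:
        findings.append("lifetime-exceeds-policy")
    elif token.expires <= now:
        findings.append("expired")
    if token.last_used is None:
        if now - token.created > dormant_after:
            findings.append("never-used")
    elif now - token.last_used > dormant_after:
        findings.append("dormant")
    return findings


def report(tokens: List[ApiToken], now: datetime) -> Dict[str, List[Tuple[str, List[str]]]]:
    """The 'which users currently hold tokens' report: findings grouped per user."""
    out: Dict[str, List[Tuple[str, List[str]]]] = {}
    for t in tokens:
        out.setdefault(t.email, []).append((t.label, evaluate(t, now)))
    return out


def to_revoke(tokens: List[ApiToken], now: datetime) -> List[ApiToken]:
    """Tokens an admin should revoke now. Revocation is the only control the
    ticket says admins have today, so this is the actionable output."""
    blocking = {"unmanaged-account", "no-expiry", "lifetime-exceeds-policy",
                "never-used", "dormant"}
    return [t for t in tokens if blocking & set(evaluate(t, now))]


# Constructed sample inventory (hypothetical accounts and timestamps).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


INVENTORY = [
    ApiToken("a1", "alice@example.com", True, days_ago(3), days_ago(3) + timedelta(days=7), days_ago(1), "ci-bot"),
    ApiToken("b2", "bob@example.com", True, days_ago(90), None, days_ago(60), "laptop"),
    ApiToken("c3", "carol@partner.example", False, days_ago(10), days_ago(10) + timedelta(days=7), days_ago(2), "partner"),
    ApiToken("d4", "dave@example.com", True, days_ago(45), days_ago(45) + timedelta(days=365), None, "script"),
]

if __name__ == "__main__":
    for email, rows in report(INVENTORY, NOW).items():
        for label, findings in rows:
            print(f"{email:24} {label:10} {', '.join(findings) or 'ok'}")
    print("revoke:", [t.email for t in to_revoke(INVENTORY, NOW)])
```

      Running the block prints one line per token with its findings and then the revocation list. The check on `token.managed` is the point raised later in the thread: the policy can only be enforced on accounts the organization manages, so unmanaged accounts are surfaced as a finding rather than silently evaluated.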


            Stefan Scorse added a comment -

            Hi all,

            Marking this ticket as completed.

            Please see this page https://www.atlassian.com/software/access/guide/api-token-controls#why-use-api-token-controls on how to use the feature.

            If you have any questions or feedback please email me at sscorse@atlassian.com

            Thanks,
            Stefan

            Diego Borba added a comment - https://www.atlassian.com/software/access/guide/api-token-controls#why-use-api-token-controls

            Dan.Tombs added a comment -

            Hey Ferrari,


            So we have actually enabled the external user management aspect with the API token restriction for those accounts. But this is vital for internal accounts too. What is important though is not a blanket rule, more like to be built into the access policies that govern accounts already. When you think of it, we will always ask service accounts to login and behave differently to normal users. This is no different.


            ferrari added a comment -

            ce1cce14423c - agree on the idea that there should be more controls for admins to govern API token usage. Right now you can set API token access for external users with the external user security feature that is part of Atlassian Access. I know that doesn't meet the full need, but might help address some of the challenges managing tokens for external users while you wait for this feature to be developed.


            Dan.Tombs added a comment -

            We have both internal and external users on our sites. While I understand that the API tokens are cross site and tied to a person, admins should atleast have a central place to be able to see and manage any tokens their users make and where they can use them. We have service accounts that allow for things like this.


            It is not only a security risk but also a technical issue when those users then leave. This should be looked into fairly quickly.


            Itamar Ben Sinai added a comment -

            Hi,

            Regarding:

            • Enable or block a managed account from issuing tokens

            Since not all accounts in the organization are managed accounts, it is also necessary to be able to block non-managed accounts from making API calls to the organization's sites.

            Nicole Shepherd added a comment -

            Definitely looking forward to this so we can create tokens on behalf of accounts!

            Neelkanth.Raval added a comment -

            Is there any update on this issue? It would be great if only admins were allowed to create tokens.

            Avery Lane added a comment - https://getsupport.atlassian.com/browse/PCS-164119

            Brandon T. Wood added a comment -

            Implementing this feature would be very helpful to our company! As Cyril said earlier today, in Atlassian Cloud tokens can be taken out of the network and used to bypass our IdP-backed SSO. Additionally, we do not have any out-of-the-box tools for managing user tokens and who has access to create them.

              Stefan Scorse
              K. Yamamoto
              Votes: 167
              Watchers: 173