fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add ability to retrieve users via API for non-admin roles #21400

Open ddribeiro opened 3 weeks ago

ddribeiro commented 3 weeks ago

Problem

A customer using Fleet's Vanta integration needs to provide an API-only user token. The API-only user must have an admin role, as the integration needs to retrieve users and that capability is only available for admins.

Since admin users receive all permissions, this seems excessive to satisfy the requirement to pull users. If the token for this user is compromised, the surface area for abuse is extended beyond the ability to retrieve users.

What have you tried?

The customer searched Fleet's documentation for role-based access to see if there was a non-admin role with permissions to retrieve users, but they did not find one.

Potential solutions

The ability to retrieve users might be appropriate to add to an existing user role, like Observer or Observer+. Otherwise, a new role could be created to specifically address the need to retrieve users for an API integration.

What is the expected workflow as a result of your proposal?

A customer would be able to configure and use Fleet's Vanta integration without needing to provide an API token for a user with admin permissions. This would decrease the footprint for misuse if the token is compromised.
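The least-privilege point in this request (an integration token should carry only the permission it needs, so a compromised token cannot do more than list users) can be shown with a small deny-by-default authorization layer. The following is an added example written for this page, not Fleet's own code: the role names `observer_users`, the routes `/api/users` and `/api/hosts`, the permission strings and the token values are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Permission is one fine-grained action a caller may perform.
type Permission string

const (
	ReadUsers  Permission = "users:read"
	WriteUsers Permission = "users:write"
	ReadHosts  Permission = "hosts:read"
)

// rolePermissions is a hypothetical role model for this example, not Fleet's.
// "observer" reflects the issue: it cannot list users. "observer_users" is the
// hypothetical read-only role the issue proposes, holding only users:read extra.
var rolePermissions = map[string]map[Permission]bool{
	"admin":          {ReadUsers: true, WriteUsers: true, ReadHosts: true},
	"observer":       {ReadHosts: true},
	"observer_users": {ReadHosts: true, ReadUsers: true},
}

// apiTokens is a constructed token store: opaque API token -> role.
var apiTokens = map[string]string{
	"tok-admin-constructed":    "admin",
	"tok-observer-constructed": "observer",
	"tok-users-ro-constructed": "observer_users",
}

// requiredPermission maps a request to the single permission it needs.
// Unknown routes are reported as unknown and answered with 404 below.
func requiredPermission(method, path string) (Permission, bool) {
	switch {
	case path == "/api/users" && method == http.MethodGet:
		return ReadUsers, true
	case path == "/api/users" && method == http.MethodPost:
		return WriteUsers, true
	case path == "/api/hosts" && method == http.MethodGet:
		return ReadHosts, true
	}
	return "", false
}

// authorize resolves the bearer token to a role and checks that the role
// holds the permission the route requires. Anything not granted is denied.
func authorize(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		role, ok := apiTokens[token]
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		perm, known := requiredPermission(r.Method, r.URL.Path)
		if !known {
			http.NotFound(w, r)
			return
		}
		if !rolePermissions[role][perm] {
			http.Error(w, "forbidden for role "+role, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer wires the protected routes; the handlers are stubs for the example.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/users", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"users":[{"name":"constructed-user"}]}`)
	})
	mux.HandleFunc("/api/hosts", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"hosts":[]}`)
	})
	return authorize(mux)
}

// RequestStatus performs an in-memory request with the given token and
// returns the HTTP status code, so the effect of each role is easy to compare.
func RequestStatus(token, method, path string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	newServer().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct{ token, method, path string }{
		{"tok-admin-constructed", http.MethodGet, "/api/users"},
		{"tok-observer-constructed", http.MethodGet, "/api/users"},
		{"tok-users-ro-constructed", http.MethodGet, "/api/users"},
		{"tok-users-ro-constructed", http.MethodPost, "/api/users"},
	} {
		fmt.Printf("%-26s %-4s %-10s -> %d\n", c.token, c.method, c.path,
			RequestStatus(c.token, c.method, c.path))
	}
}
```

Running `main` shows the contrast the issue is asking for: the admin token and the read-only users token both get 200 on `GET /api/users`, the plain observer token gets 403, and the read-only users token is still refused (403) on `POST /api/users`. The design choice worth noting is that the middleware maps each route to exactly one required permission and denies anything not explicitly granted, so adding `users:read` to a non-admin role widens that role by a single action rather than inheriting the whole admin set.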

JoStableford commented 3 weeks ago

Related to a Slack conversation