jssimporter / jss_helper

jss_helper is deprecated.
GNU General Public License v3.0
Documentation request for API user account's JSS privileges #9

Open rtrouton opened 9 years ago

rtrouton commented 9 years ago

I would like to add a user account to my JSS that is used just for jss_helper, and I want to assign it only the privileges necessary. Would it be possible to document which privileges are needed, similar to what was done for the JSSImporter documentation's Setup section?

https://github.com/sheagcraig/JSSImporter

sheagcraig commented 9 years ago

That's a good idea. I'll set that up.

The short form is that you should only need permissions for the things you're querying. It will fail if you try to look up MobileDevices, for example, if you don't have that permission, but you'll still be able to search Computers if you have perms on them.

It gets a little more tricky when you get into some of the multi-object queries!

sheagcraig commented 9 years ago

But why stop there?

This raises two ideas:

  1. If you have a user for just jss_helper purposes, it may have very different privs than what you want for python-jss interactive scripting or JSSImporter usage. So it may need its own preference domain (but could fall back to python-jss and JSSImporter prefs).
  2. What about a verb that prompts for your username and password, and a username, and then creates that user with exactly the permissions needed for jss_helper's range of functions?

rtrouton commented 9 years ago

I definitely like idea #2. You get automatic role separation and least privilege for working with jss_helper.

I'm assuming the password created for the jss_helper API user would be randomly-generated and stored somewhere in a plist file?