Open rtrouton opened 9 years ago
That's a good idea. I'll set that up.
The short form is that you should only permissions for the things you're querying. It will fail if you try to lookup MobileDevices for example, if you don't have that permission, but you'll still be able to search Computers if you have perms on them.
It gets a little more tricky when you get into some of the multi-object queries!
But why stop there?
This raises two ideas:
I definitely like idea #2. You get automatic role separation and least privilege for working with jss_helper.
I'm assuming the password created for the jss_helper API user would be randomly-generated and stored somewhere in a plist file?
I would like to add a user account to my JSS that is used just for jss_helper, and I want to assign it only the privileges necessary. Would it be possible to document which privileges are needed, similar to what was done for the JSSImporter documentation's Setup section?
https://github.com/sheagcraig/JSSImporter