ouun / zammad-wp

Zammad WordPress integration
GNU General Public License v2.0

HTTP Token Best Practice - Which permissions are needed? #5

Closed terdinatore closed 3 years ago

terdinatore commented 3 years ago

Below I wrote down / summarized how I think an HTTP Token should be generated, as a best practice.

  1. Login to your Zammad instance with an administrator account.
  2. Under Settings ⇾ Manage ⇾ Roles, create a new role; I called that role Connector.
  3. The new Connector role needs the following grants: Manage Groups, Manage Tags, Manage Users, Access to Chat, Access to Agent Tickets, Manage Access Tokens and Manage Notifications
  4. At the Access to Agent Tickets give the role only the permission to create tickets for every group and nothing else. This is for two reasons. First, this way you can make sure that if the token gets leaked no one can read the tickets on your instance, second, this way users that have the Connector role do not show up in Zammad as they cannot have tickets assigned to them.
  5. Now create a user that we for instance could call Website Connector. Assign this user the Connector permissions and create access to all groups.
  6. Click on the Action Menu on the far right of the Users table and click View from user's perspective.
  7. Open the new user's profile by clicking on the icon with its initials on the lower left and choosing Profile.
  8. Disable all notifications for this user.
  9. Now under Token Access, create a new token that has permissions to all resources that the role has, except Manage Token Access and Manage Notifications. Give the token a name and set a suitable expiry date for the token. Click Create. Copy the token and close the window. Switch back to the administrator account.

@ouun What do you think? Are there any other permissions (not) needed? Could there be a way to structure the plugin without needing Manage Groups and Manage Tags? Also, is there any advantage in using an OAuth token instead of HTTP?
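The procedure above aims at a token that can authenticate and create tickets but cannot read any existing ticket, so a leaked token exposes nothing. The script below is an added example for verifying that outcome after setup; it is not part of this issue or of the zammad-wp plugin. It assumes only two standard Zammad REST endpoints, GET /api/v1/users/me and GET /api/v1/tickets, and the HTTP token header format `Authorization: Token token=...`. The sample responses embedded for the offline dry run are constructed, not captured from a real instance.

```python
"""Post-setup check for a Zammad HTTP token scoped as described in this issue.

Expectation: the token authenticates (GET /api/v1/users/me -> 200) but cannot
read tickets (GET /api/v1/tickets is denied, or returns an empty list because
Zammad filters the listing by the user's read access per group).

Live usage:  python check_token.py https://zammad.example.com <TOKEN>
"""
import json
import sys
import urllib.error
import urllib.request


def probe(base_url: str, token: str, path: str) -> tuple[int, str]:
    """GET one API path with the token; return (HTTP status, body text)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Token token={token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # Zammad answers 401 for a bad token and 403 for a missing permission.
        return err.code, err.read().decode("utf-8", errors="replace")


def assess(me_status: int, me_body: str,
           tickets_status: int, tickets_body: str) -> dict:
    """Judge the two probe results against the least-privilege expectation."""
    findings = []

    # 1. The token must authenticate as an active user.
    if me_status != 200:
        findings.append(f"token does not authenticate (users/me -> {me_status})")
    else:
        try:
            me = json.loads(me_body)
        except json.JSONDecodeError:
            me = {}
        if not me.get("active", False):
            findings.append("token belongs to an inactive user")

    # 2. The token must not be able to read tickets.
    if tickets_status in (401, 403):
        pass  # denied outright: the desired outcome
    elif tickets_status == 200:
        try:
            tickets = json.loads(tickets_body)
        except json.JSONDecodeError:
            tickets = None
        if isinstance(tickets, list) and tickets:
            findings.append(
                f"token can read {len(tickets)} ticket(s); "
                "group access is wider than create-only"
            )
        elif not isinstance(tickets, list):
            findings.append("unexpected body from tickets endpoint")
    else:
        findings.append(f"unexpected status {tickets_status} from tickets endpoint")

    return {"least_privilege": not findings, "findings": findings}


# Constructed sample responses (not from a real instance) for an offline dry run.
SAMPLE_ME = json.dumps({"id": 7, "login": "website-connector", "active": True})
SAMPLE_TICKETS_DENIED = json.dumps({"error": "Not authorized (token)!"})
SAMPLE_TICKETS_EMPTY = "[]"
SAMPLE_TICKETS_READABLE = json.dumps([{"id": 1, "title": "constructed ticket"}])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        base, tok = sys.argv[1], sys.argv[2]
        result = assess(*probe(base, tok, "/api/v1/users/me"),
                        *probe(base, tok, "/api/v1/tickets"))
    else:
        # Dry run on the constructed samples: a token that can list tickets fails.
        result = assess(200, SAMPLE_ME, 200, SAMPLE_TICKETS_READABLE)
    print(json.dumps(result, indent=2))
```

Run it with the Website Connector token right after step 9; a non-empty `findings` list means the role's group access or the token's permission set is wider than the procedure intends, and the token should be revoked and regenerated after the role is corrected.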

ouun commented 3 years ago

Thanks for this, @terdinatore. I am sure it will be helpful for others. It really depends on your needs and honestly the only authentication method I did not use with Zammad is 'HTTP Token'. I prefer to add an Application in Zammad under Settings -> API -> Applications (OAuth Authentication) and to use that in favor. Also, no extra user or role is required, as far as I am aware. But it is also a while ago that I set up the last connection; it is running smoothly as it is.

Are there any other permissions (not) needed? Could there be a way to structure the plugin without needing Manage Groups and Manage Tags?

I see the point that you want to limit the permissions. However, it depends on what you want to do via API. If you just want to embed the chat it will be different from a use case where you want to have a comprehensive form that sets tags to tickets. I would need to investigate which permissions are required at least; I did not use a limited account so far.