Web Admin - PAPI Key Management Permissions
With 7.1, Polaris administrative settings can now be accessed on the web, which includes PAPI Key Management. However, the PAPI keys can be accessed and changed today by anyone with the permission 'Access Administration - Allow' (which gives basic access to system admin settings).
We give some of our staff access to admin settings, for activities like adding workstations and updating branch hours. As it stands these users can access and change the API settings through web-admin, but those settings should be secured so only systems administrators have access. This will be a barrier to sharing web-admin with our staff in the future, and to moving admin activities from the client to the web.
There should be more granular, PAPI Key Management-specific permissions, so that only appropriate users can access or change these, not anyone with admin access.
Idea Value
For customers who use API keys, and also give some staff access to system administration functions, this is likely to be a security gap, and may prevent them from moving all staff functions off the client.
-
Brad commented
Having just gotten access to the Web Admin with the changes in authentication, the lack of separate permissions for PAPI access will prevent me from having staff use the web interface for the reasons Jason outlined. In fact, I'll need to dial back some staff access in general due to this issue.
-
Wes Osborn (Admin, Innovative) commented
Also, the API key itself shouldn't be visible to ANYONE.
Modern security practice is that you get ONE chance to see the actual key during the creation step and then after that all you can do is disable/delete it.
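The following is an added example (not Polaris or Innovative code) of the model described in the idea above and in Wes's comment: a key-management permission separate from basic 'Access Administration - Allow', keys whose plaintext is returned exactly once at creation and only a hash is stored afterwards, and management that is limited to listing metadata, disabling and deleting. The permission name 'PAPI Key Management - Allow' and all class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    # Existing permission named on the page: basic access to admin settings.
    ACCESS_ADMINISTRATION = "Access Administration - Allow"
    # Hypothetical separate permission that gates key management (assumption).
    PAPI_KEY_MANAGEMENT = "PAPI Key Management - Allow"


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


@dataclass
class ApiKeyRecord:
    key_id: str
    label: str
    secret_hash: str   # SHA-256 hex digest of the secret; plaintext is never stored
    created_by: str
    disabled: bool = False


class PermissionDenied(Exception):
    pass


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """In-memory store modelling show-once keys behind a dedicated permission."""

    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _require(user: User, perm: Permission) -> None:
        # Holding only ACCESS_ADMINISTRATION is deliberately not enough here.
        if perm not in user.permissions:
            raise PermissionDenied(f"{user.name} lacks '{perm.value}'")

    def create_key(self, user: User, label: str) -> tuple[str, str]:
        """Return (key_id, secret). This is the only time the secret is shown."""
        self._require(user, Permission.PAPI_KEY_MANAGEMENT)
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = ApiKeyRecord(key_id, label, _hash_secret(secret), user.name)
        return key_id, secret

    def list_keys(self, user: User) -> list[dict]:
        """Metadata only: nothing returned here can reveal a secret."""
        self._require(user, Permission.PAPI_KEY_MANAGEMENT)
        return [
            {"key_id": r.key_id, "label": r.label, "created_by": r.created_by, "disabled": r.disabled}
            for r in self._records.values()
        ]

    def disable_key(self, user: User, key_id: str) -> None:
        self._require(user, Permission.PAPI_KEY_MANAGEMENT)
        self._records[key_id].disabled = True

    def delete_key(self, user: User, key_id: str) -> None:
        self._require(user, Permission.PAPI_KEY_MANAGEMENT)
        del self._records[key_id]

    def authenticate(self, key_id: str, presented_secret: str) -> bool:
        """API front door: compare the hash of what the caller presents, in constant time."""
        record = self._records.get(key_id)
        if record is None or record.disabled:
            return False
        return hmac.compare_digest(record.secret_hash, _hash_secret(presented_secret))


if __name__ == "__main__":
    store = ApiKeyStore()
    sysadmin = User("sysadmin", frozenset({Permission.ACCESS_ADMINISTRATION,
                                           Permission.PAPI_KEY_MANAGEMENT}))
    key_id, secret = store.create_key(sysadmin, "catalog-integration")
    print("shown once:", key_id, secret)
    print("listing (no secret):", store.list_keys(sysadmin))
```

A user holding only 'Access Administration - Allow' can still do everything else in admin, but every method of the store raises PermissionDenied for them; the listing carries no secret material, so even a user with the management permission cannot recover a key after creation and must disable or delete and re-issue instead.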
-
Eric Young commented
Yes please!