Updated by Niels Lindenthal about 3 years ago
## Acceptance criteria
* [ ] Allow users to create multiple API tokens
* [ ] Each API token can be deleted individually
* [ ] For each API token the permissions can be set according to the existing global permissions
* [ ] For each API token the permissions can be restricted to individually selected projects (by using the defined project roles)
* [ ] API tokens have an individual name
## Technical considerations
* [ ] What needs to be prevented is privilege escalation. So a user can only grant a permission she/he has themselves. And if the user loses the permission because a role is revoked, the token needs to also lose that privilege.
* [ ] In the token creation modal, this then needs to be taken into account as well. The user is only allowed to select roles for a project that the user has themselves. Otherwise, a user might select a role whose permissions do not have an overlap with the user's permissions, which in my book should lead to the token not having any permissions at all.
* [ ] The above also applies to the global permissions. Here, only admins can currently grant global roles. I was surprised to see the individual permissions here while the user chooses roles in the lower section for the projects. It would be easier to implement the epic if we choose one or the other option for both cases.
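The two rules above (a token may only be granted roles its owner holds, and the token's effective permissions must shrink when the owner's roles are revoked) can be expressed as one policy: check the requested roles against the owner's current memberships at creation time, and at request time intersect the token's granted permissions with the owner's current permissions instead of storing a frozen permission list. The following is an added example written for this issue, not code from OpenProject; the role names, permission names and the `User`/`ApiToken`/`TokenPolicy` classes are constructed for illustration.

```ruby
require 'set'

# Constructed sample role tables (hypothetical names; not OpenProject's real roles).
PROJECT_ROLE_PERMISSIONS = {
  'reader'  => Set['view_work_packages'],
  'member'  => Set['view_work_packages', 'add_work_packages', 'edit_work_packages'],
  'manager' => Set['view_work_packages', 'add_work_packages', 'edit_work_packages', 'manage_members']
}.freeze

GLOBAL_ROLE_PERMISSIONS = {
  'project_creator' => Set['add_project']
}.freeze

# Union of the permissions of a list of role names, unknown roles contribute nothing.
def permissions_for(roles, table)
  roles.map { |r| table.fetch(r, Set.new) }.reduce(Set.new, :|)
end

# The owner's *current* memberships: { project_id => [role names] } plus global roles.
# Mutable on purpose so that a role revocation can be simulated.
class User
  attr_accessor :project_roles, :global_roles

  def initialize(project_roles: {}, global_roles: [])
    @project_roles = project_roles
    @global_roles = global_roles
  end

  def project_permissions(project_id)
    permissions_for(project_roles.fetch(project_id, []), PROJECT_ROLE_PERMISSIONS)
  end

  def global_permissions
    permissions_for(global_roles, GLOBAL_ROLE_PERMISSIONS)
  end
end

# What the token was granted at creation time. Stored as roles, never as a
# resolved permission list, so later changes to the owner's roles take effect.
class ApiToken
  attr_reader :name, :project_roles, :global_roles

  def initialize(name:, project_roles: {}, global_roles: [])
    @name = name
    @project_roles = project_roles
    @global_roles = global_roles
  end
end

module TokenPolicy
  # Creation-time check: every role requested for a project must be one the
  # owner currently holds in that project; the same applies to global roles.
  def self.grantable?(user, token)
    project_ok = token.project_roles.all? do |project_id, roles|
      (roles - user.project_roles.fetch(project_id, [])).empty?
    end
    project_ok && (token.global_roles - user.global_roles).empty?
  end

  # Request-time check: the token's effective permissions are the intersection
  # of what it was granted and what its owner holds *now*.
  def self.effective_project_permissions(user, token, project_id)
    granted = permissions_for(token.project_roles.fetch(project_id, []), PROJECT_ROLE_PERMISSIONS)
    granted & user.project_permissions(project_id)
  end

  def self.effective_global_permissions(user, token)
    permissions_for(token.global_roles, GLOBAL_ROLE_PERMISSIONS) & user.global_permissions
  end

  # Single entry point an API controller would call before serving a request.
  def self.allowed?(user, token, permission, project_id: nil)
    perms = if project_id
              effective_project_permissions(user, token, project_id)
            else
              effective_global_permissions(user, token)
            end
    perms.include?(permission)
  end
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(project_roles: { 1 => ['member'] })
  token = ApiToken.new(name: 'ci-bot', project_roles: { 1 => ['member'] })
  puts TokenPolicy.grantable?(alice, token)
  puts TokenPolicy.allowed?(alice, token, 'edit_work_packages', project_id: 1)
  alice.project_roles = { 1 => ['reader'] } # role revoked after token creation
  puts TokenPolicy.allowed?(alice, token, 'edit_work_packages', project_id: 1)
end
```

Because the intersection is computed per request from the owner's live memberships, a token that was granted a role the owner no longer has (or never had) is capped at the owner's current permissions, which also gives the "no overlap means no permissions" outcome described above without any extra bookkeeping.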
## Visuals
_Coming soon_
## Figma
https://www.figma.com/file/qivvu0fvo3EeIn9KlxuxJJ/Access-tokens?node-id=86-10138&t=2yvXAVwJXjiR5FNv-4
## Out of scope
* Limit the scope inside a project to individual modules