
This is an edited transcript of the 01.12.24 IT Hour

Key Takeaways

  • A new admin role, "Billing Only," has been introduced. This role is designed for finance team members to access and download invoices without having access to other administrative functions, thus preventing potential accidental user or data modifications.
  • The team discusses upcoming changes to API keys, moving towards the use of API tokens. These tokens will have a time-to-live feature and offer more granular control, responding to user feedback for more secure and controlled API access.
  • The changes aim to provide more security and control to admins over API keys, including the ability to enable or disable access.
  • The introduction of multiple API tokens allows for better organization and management of access, including setting expiry dates for tokens to enhance security practices.
  • For more detailed insights and a deeper understanding of these changes, check out the full video of the discussion.

Speakers

  • Becky Scott, Head of Technical Community, JumpCloud
  • Subha Sriram, Director of Product Management, JumpCloud 
  • Tim Croxdale, Manager of Product Design, JumpCloud 

Transcript

Subha Sriram: So today Tim and I are here to talk about our recent changes which will allow you to manage API access for the admins in your organization and the introduction of a new admin role. 

Our agenda today is going to be 

  1. The Disable/Enable API Access
  2. The addition of the Billing Only admin role
  3. Introducing the concept of API tokens
  4. Q&A

Enable/Disable API Access

Tim Croxdale: This is what we came up with as a solution to provide more ability with our API keys. Upon creation of an admin or on editing an admin, you can now enable or disable API access. Previously everybody had API access and so this is kind of the first step in the direction that we want to take this. 

So if somebody set me up as an admin and I don’t have access to the API Key, I would see a message letting me know that I don’t have permission to generate an API Key and that I need to reach out to the admin who set me up to ask for access. If an admin did have access, they would see the same thing that you see today. You can generate a key and get a one-time view, which we make clear in the messaging, and we allow you a quick way to copy down that key. And this is the only time that we're going to show you that key. So if you were to come back here, you could generate a new one. So again, this is kind of a nod in the direction that we want to take things with being more secure and allowing you more control over your API keys. 

Subha Sriram: So for those of you that are admins in JumpCloud, you already have an API key that is provisioned to you by default. Going forward, when you are creating new admins, they will not automatically have API access enabled; you have to explicitly check that box to give them permissions to the API. Even with that, they don't get an API key until they go in and click on My API Key and generate one. 

Billing Only Admin Role

Subha Sriram: Now how many of you have always wanted someone who is in your finance team to access and download invoices that JumpCloud has, on their own, without giving them an Admin With Billing role where they could be destructive and accidentally delete users or something like that? So this is in answer to that question that you've all asked. 

So now, in addition to all the amazing roles we already have, we have a new Billing Only role. As the name suggests, they only have access in our platform to the areas that pertain to them, which is Account Details. They can only change credit card information or go to the invoices page and download invoices. 

So you'll see if you have a Multi-Tenant Portal admin who has a billing-only role, they will have access to the account page. They can:

  1. See the account overview
  2. See the payment history
  3. Go into the billing information and change the credit card
  4. Go into the usage
  5. Set user caps and license caps for all the tenant organizations
  6. See what their entitlements are, Free/Trial Account
  7. Go into our pricing pages and buy a new plan 
  8. (If subscribed to premium support) they can live chat with an agent if they have billing questions. 
  9. Access the case portal if you submitted any support cases
  10. Get to our knowledge base articles
  11. See “What’s New” 
  12. Change your password 

They can’t:

  1. Navigate into organizations 
  2. Make any other changes in the portal 

So this is what the Billing Only role buys you. And there are no more navigation elements on the top, so they cannot access anything else. And so this is a very restrictive role and you could safely provide this access and this access also goes into API. Their scope is also limited via API. 

Coming Soon: API Tokens

Subha Sriram: Next, I wanted to introduce you to some upcoming changes while we are on the topic of API Keys. API tokens with time-to-live (TTL) keep coming up. A lot of you who use our APIs have asked us, “Hey, your API keys live forever. Can I have them expire on a regular basis so that I don't have to remember and put it on my calendar to go repeat them?” So we hear you loud and clear, and we are going to be introducing this feature coming up. 

So we're moving away from our classic API keys to API tokens. API tokens will allow for time-based access to resources. More granularity, more scoping, is where we are headed with API tokens. We will begin with offering you the ability to create multiple API tokens. Today you are probably creating alias admin accounts to do various functions with the API. So if you want to integrate with something, you're using something like subhasriram+integratesso, and then you're going to do something for RADIUS, and so on and so forth. You're creating different aliases so that you get access to separate keys and you can keep them organized. 

Now we are going to allow:

  1. A single user to create multiple tokens for different purposes 
  2. Name the tokens so you know what these tokens are being used for. 
  3. Set an expiration time, like a date. Defaults will be provided.

In the future these tokens will also get you into the fine-grain control that you are looking for over the resources that you want to access today. They are going to be based on the scopes that our roles offer, but over a period of time we are moving into much more granular scoping. So moving into tokens allows us the ability to do that.

Classic Keys vs API Tokens

| Classic Keys | API Tokens |
|---|---|
| One hashed personal key per admin | Admins can create multiple API tokens |
| Will always only have scopes of the creating admin | Scope can be equal or lesser than the creating admin |
| Keys never expire | Will have expiration dates |
| No metadata for keys | Will have names, created by, role, and created date |
| API key Directory Insight events are not easy to search | Easy to audit in Directory Insights with API key names |

Q&A 

Q: So what role is able to modify allowing admins to create APIs? I assume Administrator with Billing.

A: Yes, Administrator with Billing.

Q: Does the Billing Only Admin receive notifications of any kind? That'd be useful for us as an MSP to manage billing-related emails?

A: Yeah, absolutely. At the moment we do have Admin with Billing receiving these, and we will be making changes to have the Billing Only Admin also receive some of the emails, especially related to usage. On the MSP side, when you're getting closer to usage limits or you've exceeded them, those kinds of emails, absolutely. 

Q: What is the ETA for the API Token update?

A: This is ongoing work so we are looking at it as the first half of the year. So you will start hearing news about it soon. 

Q: Will expirations show on the dashboard like MDM?

A: Absolutely. Yes they will. We will be showing the certificate and token status monitor board. We will also have API tokens expiring showing up in there, which will take you to the API token page where you can delete that token and create a new one.

Q: In addition to showing on the dashboard, is there any sort of notification around them expiring?

A: Yes, there will be a notification around them expiring, just as you would have certificate notifications as well via email. So the admin that created the token is the one who will be notified about the expiration coming up on that as well. So it'll be available in both places.

Becky Scott: I think that was all the questions. Thank you all for joining us and we’ll see you next Friday!  
