02-07-2024 09:15 AM - edited 02-29-2024 08:06 AM
This is an edited transcript of the 01.12.24 IT Hour
Subha Sriram: So today Tim and I are here to talk about our recent changes which will allow you to manage API access for the admins in your organization and the introduction of a new admin role.
Our agenda today is going to be
Tim Croxdale: This is what we came up with as a solution to provide more ability with our API keys. Upon creation of an admin or on editing an admin, you can now enable or disable API access. Previously everybody had API access and so this is kind of the first step in the direction that we want to take this.
So if somebody set me up as an admin and I don’t have access to the API Key, I would see a message letting me know that I don’t have permission to generate an API Key and that I need to reach out to the admin who set me up to ask for access. If an admin did have access they would see the same thing that you see today. You can generate a key and get a one-time view, which we make clear in the messaging, and allow you a quick way to copy down that key. And this is the only time that we're going to show you that key. So if you were to come back here, you could generate a new one. So again, this is kind of a nod in the direction that we want to take things with being more secure and allowing you more control over your API keys.
Subha Sriram: So for those of you that are admins in JumpCloud, you already have an API key that is provisioned to you by default. Going forward, when you are creating new admins, they will not automatically have API access enabled; you have to explicitly check that box to give them permissions to the API. Even with that, they don't get an API key until they go in and click on the My API Key and generate one.
Subha Sriram: Now how many of you have always wanted someone who is in your finance team to access and download invoices that JumpCloud has, on their own, without giving them an Admin With Billing role where they could be destructive and accidentally delete users or something like that? So this is in answer to that question that you've all asked.
So now, in addition to all the amazing roles we already have, we have a new Billing Only role. As the name suggests, they only have access in our platform to the areas that pertain to them, which is Account Details. They can only change credit card information or go to the invoices page and download invoices.
So you'll see if you have a Multi-Tenant Portal admin who has a billing-only role, they will have access to the account page. They can:
They can’t:
So this is what the Billing Only role buys you. And there are no more navigation elements on the top, so they cannot access anything else. And so this is a very restrictive role and you could safely provide this access, and this access also applies to the API. Their scope is also limited via API.
Subha Sriram: Next, I wanted to introduce you to some upcoming changes while we are on the topic of API Keys. API tokens with time-to-live (TTL) keep coming up. A lot of you who use our APIs have asked us, “Hey, your API keys live forever. Can I have them expire on a regular basis so that I don't have to remember and put it on my calendar to go repeat them?” So we hear you loud and clear, and we are going to be introducing this feature coming up.
So we're moving away from our classic API keys to API tokens. API tokens will allow for time-based access to resources. More granularity, more scoping, is where we are headed with API tokens. We will begin with offering you the ability to create multiple API tokens. Today you are probably creating alias admin accounts to do various functions with the API. So if you want to integrate with something you're using something like subhasriram+integratesso, and then you're going to do something for RADIUS and so on and so forth. You're creating different aliases so that you get access to separate keys and you can keep them organized.
Now we are going to allow:
In the future these tokens will also get you into the fine-grained control that you are looking for over the resources that you want to access today. They are going to be based on the scopes that our roles offer, but over a period of time we are moving into much more granular scoping. So moving into tokens allows us the ability to do that.
Classic Keys | API Tokens
--- | ---
One hashed personal key per admin | Admins can create multiple API tokens
Will always only have scopes of the creating admin | Scope can be equal or lesser than the creating admin
Keys never expire | Will have expiration dates
No metadata for keys | Will have names, created by, role, and created date
API key Directory Insight events are not easy to search | Easy to audit in Directory Insights with API key names
Q: So what role is able to modify allowing admins to create APIs? I assume Administrator with Billing.
A: Yes, Administrator with Billing.
Q: Does the Billing Only Admin receive notifications of any kind? That'd be useful for us as an MSP to manage billing-related emails?
A: Yeah, absolutely. At the moment we do have Admin with Billing receiving these and we will be making changes to have the Billing Only Admin also receive some of the emails, especially related to usage. On the MSP side, when you're getting closer to usage limits or you've exceeded them, those kinds of emails, absolutely.
Q: What is the ETA for the API Token update?
A: This is ongoing work so we are looking at it as the first half of the year. So you will start hearing news about it soon.
Q: Will expirations show on the dashboard like MDM?
A: Absolutely. Yes they will. We will be showing the certificate and token status monitor board. We will also have API tokens expiring showing up in there, which will take you to the API token page where you can delete that token and create a new one.
Q: In addition to showing on the dashboard, is there any sort of notification around them expiring?
A: Yes, there will be a notification around them expiring, just as you would have certificate notifications as well via email. So the admin that created the token is the one who will be notified about the expiration coming up on that as well. So it'll be available in both places.
Becky Scott: I think that was all the questions. Thank you all for joining us and we’ll see you next Friday!