cool-daniel suggested an idea · Jan 27, 2018 at 02:41 AM · apis Account Management

Secret key permission management

It would be usefull if you could set permissions for each secret key to limit its usage on specific categories like Player Data Management or Account management within the admin or server api while denying access to other categories of the api. This would enable admins to give out secret keys without exposing all functionality (like for example only letting a secret key call the GetPlayerProfile while not working for BanUsers)

4 Show 2

Brent Batas (Lisk) · Jan 27, 2018 at 05:16 PM 0

Agreed, this is a good idea.

larissa · Feb 12, 2018 at 06:46 PM 1

Agreed! :)

One addition to this: It would also be useful, to be able to limit it to executing certain cloudscript handlers

david-marcelis commented · Feb 19, 2018 at 02:40 PM

Want to upvote this issue. The idea of having the Server Key have access to the Admin API is scary. This means if a server or matchmaker was compromised, it gives permissions to change builds or worse.

Just a separation between Server Key, Matchmaker Key, and Admin Key would already greatly reduce the potential impact.

Secret key permission management

1 comment

Navigation

Spaces

Your Opinion Counts

Follow This Idea

Related Ideas