Apply the Principle of Least Privilege
Last updated on 19 September, 2024

This principle holds that every API token should have the minimum level of access necessary to perform its tasks. Avoid granting broad permissions to the users to whom API tokens are assigned; instead, grant only the specific permissions required for each task or API endpoint. This minimizes the potential damage if a token is compromised.
LogicMonitor no longer allows generating API tokens for users assigned the out-of-the-box Administrator role. Aside from Administrator, LogicMonitor installs three other out-of-the-box roles with fewer permissions that can be considered:
- Readonly: The readonly role assigns view permissions to all platform areas. It provides no ability to make changes to the platform, with one exception: users with this role can create private dashboards.
- Ackonly: The ackonly role assigns view, acknowledge, and SDT permissions for alerts for all hosts and websites. It also includes permissions for managing device dashboards and creating private dashboards. Note: This may be named acksdtonly in older portals.
- Manager: The manager role assigns almost the same permissions as the administrator role, except for security-sensitive actions.
Additionally, LogicMonitor no longer allows generating API tokens assigned to the lmsupport user. This was unintended functionality that is being deprecated: tokens should be assigned to users under your control, not to the support account used for troubleshooting and assistance.
LogicMonitor recommends that you create a custom Role with the minimum permissions required. Additionally, we recommend reviewing the permissions granted to API tokens every year.
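As an added example (not LogicMonitor code), the audit below applies the checks this page describes to a token inventory: it flags tokens assigned to the Administrator role or the lmsupport user, advises on the near-administrator Manager role, and flags tokens whose permissions have not been reviewed within a year. The inventory records and their fields are constructed for the example and are not LogicMonitor's API response format; how you export your real token list is left to your portal.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Roles and accounts named on this page. "acksdtonly" is the older name
# for "ackonly". Administrator tokens and lmsupport tokens are no longer
# allowed; Manager is permitted but grants almost everything.
DISALLOWED_ROLES = {"administrator"}
ADVISORY_ROLES = {"manager"}
DISALLOWED_USERS = {"lmsupport"}
REVIEW_INTERVAL = timedelta(days=365)  # "review permissions every year"


@dataclass(frozen=True)
class ApiToken:
    """Constructed inventory record (hypothetical field names)."""
    token_id: str
    user: str
    roles: frozenset
    last_reviewed: date


def audit_token(token: ApiToken, today: date) -> list:
    """Return a list of findings for one token; empty means compliant."""
    findings = []
    roles = {r.lower() for r in token.roles}
    if token.user.lower() in DISALLOWED_USERS:
        findings.append("assigned to the lmsupport support account")
    bad = sorted(roles & DISALLOWED_ROLES)
    if bad:
        findings.append("uses disallowed role(s): " + ", ".join(bad))
    if roles & ADVISORY_ROLES:
        findings.append("manager role is near-administrator; prefer a custom role")
    if today - token.last_reviewed > REVIEW_INTERVAL:
        findings.append("permissions not reviewed within 365 days")
    return findings


def audit_inventory(tokens, today: date) -> dict:
    """Map token_id -> findings for every non-compliant token."""
    report = {t.token_id: audit_token(t, today) for t in tokens}
    return {tid: f for tid, f in report.items() if f}


# Constructed sample inventory: one compliant token, three with findings.
SAMPLE_INVENTORY = [
    ApiToken("tok-1", "alerts-bot", frozenset({"ackonly"}), date(2024, 6, 1)),
    ApiToken("tok-2", "lmsupport", frozenset({"readonly"}), date(2024, 6, 1)),
    ApiToken("tok-3", "ops-admin", frozenset({"Administrator"}), date(2022, 1, 15)),
    ApiToken("tok-4", "reporting", frozenset({"manager"}), date(2024, 6, 1)),
]

if __name__ == "__main__":
    for tid, findings in audit_inventory(SAMPLE_INVENTORY, date(2024, 9, 19)).items():
        print(tid, "->", "; ".join(findings))
```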