API
Hi,
I've been exploring the API more extensively, and overall, it's been a great experience. However, I have some serious security concerns about the current setup where we only have one API key that has full access (Read/Write/Delete) to the system.
From a security standpoint, this poses a significant risk because:
- The single key represents a single point of failure. If compromised, it could allow unauthorized access to all functionalities, which could lead to severe data breaches or unauthorized actions.
- There is no way to enforce the principle of least privilege, meaning that even actions that only require read access are unnecessarily given write and delete capabilities, increasing the risk of accidental or malicious misuse.
- It limits our ability to track and audit specific actions within the system since all operations are tied to the same key.
- In case the key needs to be rotated or revoked, it would disrupt all services depending on it, potentially causing downtime.
I’ve spoken to support, and they mentioned that introducing more granular API keys is on the roadmap, which is great to hear. However, given the security implications, I strongly believe this should be prioritized and bumped up the queue. Enhancing the API’s security by allowing multiple keys with customizable permissions would significantly mitigate these risks and improve overall operational security.
Comments
-
This is a great point.
Syncro get around it by making it work only via their agent without an API key needing to be present
might I also suggest including the Atera PS module into the agent itself so that an agent can run an API based script without extra setup0 -
Thank you!
I have this marked twofold, both with our security team and the product one, your explanation makes sense for my less-informed rationale, but they might have additional input which I'll happily share.2 -
Hey,
Our product team had the following to say -
We are working on improving the API infrastructure, and that his suggestions are very good and we will take them into account
Certainly helpful, and in good timing for it :)1
Topics
- All Topics
- 39 Getting started
- 23 Read before posting
- 8 Meet and greet
- 211 General
- 59 News and announcements
- Swag
- 1 Roadmap updates
- 63 Resources
- 8 Knowledge Base
- 11 Webinars
- 1 Shared Script Library
- 1 Blog
- 14 Pro Tips
- 26 Got an idea?
- 1 ActionAI
- 1 Copilot
- 117 Remote Monitoring and Management
- 76 Remote Monitoring
- 23 Patch Management
- 86 Professional Services Automation
- 51 Helpdesk
- 16 Billing
- 18 Reporting
- 32 Integrations & add-ons
- 18 Integrations
- 10 Add-ons
- 93 Scripting and automations
- 55 Scripts
- 28 Automations