security code that is library specific

It is a huge security hole for us that, if you are using the API to create entries across libraries, the security code in that script is now available to all admins of the library, and that security code allows them to do anything on any library. The security code should be able to be generated so that it is library specific - or better - you can select a list of libraries that the code can act upon.


Comments

3 comments
  • Hi Arlette,

    We are providing a way to impersonate specific user accounts using the security codes ("Same as" security codes).
    I would recommend that you have specific admin accounts that you can impersonate using this kind of security code.

  • Sorry - missed this comment. So, maybe an account that can only access a specific library to begin with, is your suggestion? That way the security account could not be used to access a library we would not want it to have access to?

    I am a little confused about this part of the description about the "super administrator". How would it be limited if you chose the super admin account with this setting, how would its scope be limited?

    • Same as user: this allows operations with the security code by the specified user. If you choose a super administrator email address here, the security code will be active but its scope will be limited.
  • Hi Arlette,

    The example of the "super administrator" in the "Same as" example is not optimal. But yes, that would be my suggestion.

    If you choose to generate a security code "same as a user" (who is not a super administrator), the security code will not allow performing API calls on the domain or other libraries where this user is not listed as an administrator, contributor, or reader.
