security code that is library specific
It is a huge security hole for us that, if you are using the API to create entries across libraries, the security code in that script is now available to all admins of the library, and that security code allows them to do anything on any library. The security code should be able to be generated so that it is library specific, or better, you can select a list of libraries that the code can act upon.
Comments
Hi Arlette,
We are providing a way to impersonate specific user accounts using the security codes ("Same as" security codes).
I would recommend that you have specific admin accounts that you can impersonate using this kind of security code.
Sorry, I missed this comment. So your suggestion is an account that can only access a specific library to begin with? That way the security account could not be used to access a library we would not want it to have access to?
I am a little confused about this part of the description about the "super administrator". If you chose the super admin account with this setting, how would its scope be limited?
Hi Arlette,
The example of the "super administrator" in the "Same as" example is not optimal. But yes, that would be my suggestion.
If you choose to generate a security code "same as a user" (who is not a super administrator), the security code will not allow performing API calls on the domain or on other libraries where this user is not listed as an administrator, contributor, or reader.