
API Token - What happens when the user that created them is deleted?

We are in a situation in which one of our users created some API Tokens adopted in our Automation pipelines. This user is not using Dynatrace anymore and we are planning to remove his user account.

What happens if we do that? Do we risk losing all the API Tokens and breaking our Automation Pipelines?

4 REPLIES

@Barbara S. Please can you provide more info about this use case?

Hello @Barbara S. Our use case is that the user acting as "admin" on our DT instance will stop doing that. For our internal security reasons / processes, we don't allow users to create their own Tokens. Only the admin is able to do that.

Since we are about to delete this user, we thought we lost all the tokens but it seems it is not so! The only issue here will be that we will not be able to change the grants to add on each token.

I am wondering if it can make sense to change the logic about how the tokens are managed on Dynatrace. Does it make sense to map each token to a specific user? Generally speaking, we have a lot of other tools having the Tokens "centralized" (stored on the server with no association with any user) and then only the Admins are able to create / edit / delete them.

Does this last statement make sense to you? If so, I will open an RFE so you can take my proposal into consideration.

Thanks,

JamesKitson
Dynatrace Guru

Everything I can find indicates the token will still be active even after the user is deleted so you shouldn't need to worry about breaking any automation. It would be a good idea to go through and create new ones tied back to existing users but this wouldn't be urgent.

barbara_schachn
Dynatracer

Thx a lot for reaching out! I think there are a few aspects to this:

  • Currently API tokens are not user-bound, so they will remain if the user is deleted (in order not to break automation unexpectedly). You are right that you can't change the scopes in the UI, but if the user has left your company, we highly recommend disabling the tokens he had access to and replacing them with new ones.
    You can also use our Tokens API to even manage scopes of the tokens or regularly rotate them in your automation.
  • For the future, we plan to provide the option to choose between making API tokens user-bound or system-wide. @Florian A. can provide more details around this.

I hope this answers your questions. Please let us know if you have further questions.
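
The disable-and-replace step recommended in the reply above, sketched as an added example that is not part of the original thread and is not Dynatrace code. It plans the rotation offline over a constructed token inventory; the field names (`id`, `owner`, `enabled`, `scopes`, `lastUsedDate`), the sample values and the action names are assumptions made for illustration, and no API call is made.

```python
# Constructed sample inventory; in practice this would be exported from the
# token listing. All ids, owners and scopes below are made up.
TOKENS = [
    {"id": "tok-001", "name": "ci-deploy", "owner": "former.admin@example.com",
     "enabled": True, "scopes": ["metrics.read", "events.ingest"],
     "lastUsedDate": "2024-05-01T08:00:00Z"},
    {"id": "tok-002", "name": "old-poc", "owner": "former.admin@example.com",
     "enabled": True, "scopes": ["metrics.read"], "lastUsedDate": None},
    {"id": "tok-003", "name": "dashboards", "owner": "current.admin@example.com",
     "enabled": True, "scopes": ["metrics.read"],
     "lastUsedDate": "2024-05-02T10:00:00Z"},
    {"id": "tok-004", "name": "retired", "owner": "former.admin@example.com",
     "enabled": False, "scopes": ["metrics.read"], "lastUsedDate": None},
]
ACTIVE_USERS = {"current.admin@example.com"}


def plan_rotation(tokens, active_users, new_owner):
    """Return ordered actions for enabled tokens whose creator is gone.

    A token that is still in use gets a replacement with the same scopes
    before the old one is disabled, so pipelines can be switched over
    without an outage. A token that was never used is simply disabled.
    """
    plan = []
    for tok in tokens:
        if tok["owner"] in active_users or not tok["enabled"]:
            continue  # owner still present, or token already disabled
        if tok["lastUsedDate"] is None:
            plan.append({"action": "disable", "token": tok["id"]})
            continue
        plan.append({"action": "create", "name": tok["name"] + "-rotated",
                     "owner": new_owner, "scopes": sorted(tok["scopes"])})
        plan.append({"action": "update-consumers", "replaces": tok["id"]})
        plan.append({"action": "disable", "token": tok["id"]})
    return plan


if __name__ == "__main__":
    for step in plan_rotation(TOKENS, ACTIVE_USERS, "current.admin@example.com"):
        print(step)
```

Disabling rather than deleting the old token keeps a quick rollback path if a forgotten pipeline still depends on it.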
