Personal-Access-Token API can only change your own tokens

Good afternoon,
I opened a support ticket because we get an error 500 when trying to change PATs that we did not generate. After looking at it for a couple of months, they were able to confirm that the PATCH personal-access-tokens restricts full admins to only changing their own PATs.

From both a security (over-permissioned) and a tech support perspective (under or improperly permissioned), it would make sense for admins to be able to manage other users’ tokens, at a bare minimum to be able to alter the “scopes” array.

Can we confirm this is intentional and not a bug? (REF: case CS0298425, idea GOV-I-3838)

You can’t PATCH other users’ PATs, but you can DELETE other users’ PATs.

:thinking:

1 Like

Yeah @jrossicare , I think we have discussed it here - Update PAT (Access Token) Scope via API

You can’t PATCH another user’s PAT; only DELETE is supported.

2 Likes

Thanks for the redirect - this other topic didn’t come up when I initially searched.

This seems like a shortcoming if it’s intentional. I don’t understand the logic - if it’s a “don’t touch another user’s existing PATs even though you’re the top admin” thing, I’d think deleting a PAT would be MUCH worse than altering it… that’s guaranteed breakage and a lost key vs controlled burn in-place.

Guess I’ll try and pursue it on the idea page instead.

2 Likes
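The trade-off discussed in this thread (PATCH on another user’s PAT fails with a 500, DELETE works, and revoking is a guaranteed breakage while narrowing scopes is a controlled burn in place) can be turned into an admin-side helper that never widens scopes, treats the 500 as “unsupported” rather than retrying, and only falls back to DELETE when explicitly allowed. This is an added example, not code from the thread or from the product’s own API; the endpoint path `/personal-access-tokens/{id}`, the `{"scopes": [...]}` payload, the token record fields and the sample tokens are all assumptions, and the fake transport merely reproduces the behaviour reported above so the helper can be run offline.

```python
"""Scope-reduction helper for admin-managed personal access tokens.

Assumed API surface (placeholders, not taken from any product docs):
  PATCH  /personal-access-tokens/{id}   body {"scopes": [...]}
  DELETE /personal-access-tokens/{id}
Observed behaviour being modelled: PATCH works only on the caller's own
tokens and returns HTTP 500 for everyone else's; DELETE works for any token.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

BASE_URL = "https://api.example.invalid"  # placeholder base URL


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# A transport is any callable (method, url, json_payload_or_None) -> Response,
# so a real HTTP client can be dropped in without changing reduce_scopes().
Transport = Callable[[str, str, Optional[dict]], Response]


@dataclass
class Outcome:
    action: str      # "patched" | "revoked" | "unsupported" | "skipped" | "error"
    token_id: str
    detail: str = ""


def reduce_scopes(transport: Transport, token: dict, wanted: list,
                  allow_revoke: bool = False) -> Outcome:
    """Narrow a token's scopes in place; never widen them.

    A 5xx from PATCH is treated as 'the API will not modify this token'
    (the thread's case: not the caller's own PAT) and is not retried.
    Only when allow_revoke=True is DELETE used as the fallback, because
    deleting is guaranteed breakage for the token's owner.
    """
    current, target = set(token["scopes"]), set(wanted)
    if not target <= current:
        return Outcome("skipped", token["id"], "refusing to widen scopes")
    if target == current:
        return Outcome("skipped", token["id"], "already at target scopes")

    url = f"{BASE_URL}/personal-access-tokens/{token['id']}"
    resp = transport("PATCH", url, {"scopes": sorted(target)})
    if resp.status == 200:
        return Outcome("patched", token["id"], f"scopes now {sorted(target)}")
    if resp.status >= 500:
        if not allow_revoke:
            return Outcome("unsupported", token["id"],
                           f"PATCH returned {resp.status}; token left unchanged")
        resp = transport("DELETE", url, None)
        if resp.status in (200, 204):
            return Outcome("revoked", token["id"], "PATCH unsupported, token deleted")
        return Outcome("error", token["id"], f"DELETE returned {resp.status}")
    return Outcome("error", token["id"], f"PATCH returned {resp.status}")


def fresh_tokens() -> dict:
    """Constructed sample token store: one token owned by the admin, one by a dev."""
    return {
        "tok-admin": {"id": "tok-admin", "owner": "admin", "scopes": ["delete", "read", "write"]},
        "tok-dev": {"id": "tok-dev", "owner": "dev1", "scopes": ["delete", "read", "write"]},
    }


def make_fake_transport(caller_id: str, tokens: dict) -> Transport:
    """Offline stand-in reproducing the reported behaviour: PATCH only on own
    tokens (500 otherwise), DELETE on any token."""
    def transport(method: str, url: str, payload: Optional[dict]) -> Response:
        token = tokens.get(url.rsplit("/", 1)[-1])
        if token is None:
            return Response(404, {"error": "not found"})
        if method == "PATCH":
            if token["owner"] != caller_id:
                return Response(500, {"error": "internal server error"})
            token["scopes"] = list(payload["scopes"])
            return Response(200, {"scopes": token["scopes"]})
        if method == "DELETE":
            del tokens[token["id"]]
            return Response(204)
        return Response(405)
    return transport


def demo() -> dict:
    """Run the three interesting cases as the admin and return the outcomes."""
    tokens = fresh_tokens()
    t = make_fake_transport("admin", tokens)
    return {
        "own": reduce_scopes(t, tokens["tok-admin"], ["read"]),
        "other_safe": reduce_scopes(t, tokens["tok-dev"], ["read"]),
        "other_revoke": reduce_scopes(t, tokens["tok-dev"], ["read"], allow_revoke=True),
        "remaining": sorted(tokens),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `allow_revoke` flag is deliberately off by default: an automation that silently deletes a colleague’s token on the first 500 is exactly the “lost key” outcome the last reply warns about, so the helper reports `unsupported` and leaves a human to decide.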
