Update PAT (Access Token) Scope via API

Is it possible to update (PATCH) the scope for a PAT that belongs to another user? (i.e. not your own PAT ID, but another)
I tried, but I get 403 Forbidden. “The server understood the request but refuses to authorize it.”

patch-personal-access-token | SailPoint Developer Community

PATCH /v3/personal-access-tokens/:id

[
  {
    "op": "replace",
    "path": "/scope",
    "value": [
        "sp:search:read"
    ]
  }
]

Note: I can successfully DELETE a PAT that belongs to another user. So if it is a permissions issue, it is weird that I can delete a PAT but not edit its scopes.

Thanks

Hi @jrossicare ,

To update a PAT, the user must have the below scope.

sp:my-personal-access-tokens:manage

For deletion,

sp:my-personal-access-tokens:manage,sp:all-personal-access-tokens:manage

Thanks!!

I think you might have the mentioned scope - sp:all-personal-access-tokens:manage. Hence, you would have deleted the PAT successfully.

Hi @GOKUL_ANANTH_M

Thanks for your response.
I have scope sp:scopes:all and my user level is Admin, so I would have thought that sufficient.
I tried adding the scopes you mentioned, but still getting same error.

Hi @jrossicare,

Use the curl below and add sufficient permissions like [“sp:scopes:all”] to the user whose credentials you use to authenticate the API:

Please ensure that the identity used for authentication has admin-level permissions in the tenant to perform updates and patches.

curl --location --request PATCH 'https://{{tenant}}.api.identitynow.com/v3/personal-access-tokens/{{PAT-id}}' \
--header 'Authorization: Bearer XBwb3J0ZWQiOmZhbHNlLCJhdXRob3JpdGllcyI6WyJPUkdfQURNSU4iLCJzcDp1c2VyIl0sImNsaWVudF9pZCI6InNwLXJlbmRlcmVyIiwic3Ryb25nX2F1dGhfc3VwcG9ydGVkIjpmYWxzZSwiY2xhaW1zX3N1cHBvcnRlZCI6ZmFsc2UsInNjb3BlIjpbIkFnPT0iXSwiZXhwIjoxNzI0NjQ3MTU4LCJqdGkiOiJTa2NwSGc0ZmtVYVJyMVotN0diWnBqUmRYMTgifQ.3stmEvN6hXOeHmGttTIYDrgldwy3RZ57vluRcuIP1b0' \
--header 'Content-Type: application/json-patch+json' \
--data-raw '[
     {
         "op": "add",
         "path": "/scope",
         "value": [
             "sp:scopes:all",
             "sp:my-personal-access-tokens:manage"
         ]
     }
 ]'

Thank You.

Hi @gogubapu to confirm, that PAT-id belongs to another user identity, and not your identity?

An admin user can’t modify another user’s PAT scope. Only the same user can modify their own scopes, whether that user’s tenant access level is admin or user.


@jrossicare , a user can update the PAT scope only for self, as you are the admin too. Also the scope - sp:my-personal-access-tokens:manage (min scope to use the Patch PAT API), sp:scopes:all (you can do any API calls using this scope - max scope).

Thanks!!

Thanks for redirecting me to this discussion. This seems like a shortcoming if it’s intentional.

I opened idea GOV-I-3838 to allow full admin to modify other users’ PATs. If you know of another existing idea for the same topic, please let me know and I’ll vote that one instead.


To add a bit of context to this thread.

I created an “ISC API Tokens” source, and I wanted to have Certifications to review the scope of API tokens/PATs, so say a manager could revoke scopes that a token shouldn’t have.

As this is not possible, the Certification is now for the PAT, and the manager can revoke the PAT completely.
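An added example (not code from the thread or from SailPoint) that turns the thread's conclusion into a remediation plan: a PAT whose scope exceeds an allowed set can only be narrowed with the JSON Patch shown above if the caller owns it, otherwise the only available action is DELETE. The record shape (id, name, owner.id, scope), the sample PATs and the allowed-scope set are constructed assumptions; the `send` helper just issues the request shown in the thread.

```python
import json
from urllib import request

# Constructed sample PAT records; field names (id, name, owner.id, scope) are an
# assumption about the listing shape, not real tenant data.
SAMPLE_PATS = [
    {"id": "pat-001", "name": "search-bot", "owner": {"id": "me"},
     "scope": ["sp:search:read"]},
    {"id": "pat-002", "name": "ci-deploy", "owner": {"id": "me"},
     "scope": ["sp:scopes:all"]},
    {"id": "pat-003", "name": "legacy", "owner": {"id": "someone-else"},
     "scope": ["sp:scopes:all", "sp:search:read"]},
    {"id": "pat-004", "name": "reports", "owner": {"id": "me"},
     "scope": ["sp:scopes:all", "sp:search:read"]},
]

# Scopes this (constructed) policy tolerates on a long-lived token.
ALLOWED = {"sp:search:read", "sp:my-personal-access-tokens:manage"}


def build_scope_patch(scopes):
    """JSON Patch body for PATCH /v3/personal-access-tokens/:id, same shape as in the thread."""
    return [{"op": "replace", "path": "/scope", "value": sorted(scopes)}]


def plan_remediation(pats, caller_id, allowed=ALLOWED):
    """Per PAT: ('ok', None), ('patch', body) for the caller's own over-scoped PAT,
    or ('delete', None) when it belongs to someone else (PATCH would return 403)
    or when nothing permitted would remain after narrowing."""
    plan = {}
    for pat in pats:
        current = set(pat["scope"])
        if current <= allowed:
            plan[pat["id"]] = ("ok", None)
            continue
        narrowed = current & allowed
        if pat["owner"]["id"] == caller_id and narrowed:
            plan[pat["id"]] = ("patch", build_scope_patch(narrowed))
        else:
            plan[pat["id"]] = ("delete", None)
    return plan


def send(tenant, token, pat_id, action, body=None):
    """Issue PATCH (with a JSON Patch body) or DELETE against the endpoint from the thread."""
    url = f"https://{tenant}.api.identitynow.com/v3/personal-access-tokens/{pat_id}"
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=action.upper())
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json-patch+json")
    with request.urlopen(req) as resp:  # 403 on PATCH is the "not your PAT" case
        return resp.status
```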