Cannot create Personal Access Token with second account

DHorn · October 2, 2018, 12:20pm

Hi,

we are currently using two management accounts, one with full access (role:admin) and one with less access (role:maintainer).

The maintainer role has following rights/claims set:
account:read, user:write, user:read, trialPolicy:write, trialPolicy:read, trialActivation:write, trialActivation:read, tag:write, tag:read, role:read, release:write, release:read, product:write, product:read, personalAccessToken:write, licensePolicy:write, licensePolicy:read, license:write, license:read, invoice:read, eventLog:read, analytics:read, activation:read, account:write, webhook:read, webhook:write

With the maintainer account I’m not able to generate a personal access token, it always fails with “scope ‘xxx’ is not allowed”, where xxx stands for the first ticked scope in the list.

Is it possible that only admin accounts are allowed to create tokens?

Cheers,
Daniel

adnan-kamili · October 2, 2018, 1:12pm

Hi Daniel,

A user cannot create a personal access token containing the permission which it, itself doesn’t have. It’s access token permissions should always be a subset of it’s role permissions.

DHorn · October 2, 2018, 1:15pm

Hi Adnan,

tried this also and it doesn’t work either. I selected just one of the permissions that the account has and I still can’t create the token.

support · October 2, 2018, 3:39pm

Hi Daniel,

It was a bug. It has been fixed now.

DHorn · October 8, 2018, 11:19am

Thank you very much, now everything works as expected