API to get list of legacy personal access token (PAT) for users in the organization #61490
Replies: 3 comments
@albert-anzenna personal access tokens are "personal", so another user or organization owner has no right to view such information; this behaviour would comply with user data protection rights and GitHub's data privacy policy, so not something to be changed in my opinion. However, GitHub Enterprise Cloud has a feature for SAML-enabled organizations where any personal access token used for organization access must also be SAML-authorized, in addition to the member having the required organization permissions.
Despite the word "personal" in their name, organization users use PATs to access data that belongs to the organization, not to the individual user. Therefore, this information cannot be considered personal data. Uncontrolled breeding of PATs can become a serious threat to enterprise security. While the suggested solution allows listing organization-wide authorized PATs, it still doesn't provide an answer as to which of them actually exist at a given point in time. Another possible solution is to use audit logs. Note that this will only work if you have the Enterprise version of GitHub and are an enterprise admin. This will work only if you have to have at least To identify events related to fine-grained access tokens, you should use the
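The reply above names two sources an org admin can already query for fine-grained tokens: the organization-level listing of authorized PATs and the audit log. The script below, added here as an example and not code from GitHub or from either poster, turns those into an inventory per user plus a short review (expired, never used, idle, write access to all repositories) and a filter for PAT-related audit-log events. Assumptions are labelled in the code: the endpoint path `GET /orgs/{org}/personal-access-tokens` and the field names in `SAMPLE_TOKENS` follow the REST API reference as I recall it, the audit-log action prefix `personal_access_token.` is assumed, and all sample data is constructed so the checks run offline. It does nothing for classic (legacy) PATs, which is exactly the gap the original post describes.

```python
"""Inventory fine-grained PATs authorized for an org and pull matching audit-log events.

Added example, not part of the discussion or of GitHub's tooling. Assumptions:
- GET /orgs/{org}/personal-access-tokens and the field names in SAMPLE_TOKENS
  (assumed from the REST API reference)
- audit-log actions for fine-grained PATs are prefixed "personal_access_token."
SAMPLE_TOKENS, SAMPLE_AUDIT and SAMPLE_NOW are constructed offline test data.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"


def fetch_json(path, token):
    """GET one API path with a bearer token. Network call; main() only."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps the API uses into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample in the shape assumed for GET /orgs/{org}/personal-access-tokens.
SAMPLE_TOKENS = [
    {"id": 1, "owner": {"login": "alice"}, "repository_selection": "all",
     "permissions": {"repository": {"contents": "write", "metadata": "read"}},
     "access_granted_at": "2024-01-10T10:00:00Z", "token_expired": False,
     "token_expires_at": "2025-01-10T10:00:00Z", "token_last_used_at": "2024-12-01T08:00:00Z"},
    {"id": 2, "owner": {"login": "alice"}, "repository_selection": "subset",
     "permissions": {"repository": {"contents": "read", "metadata": "read"}},
     "access_granted_at": "2024-02-01T10:00:00Z", "token_expired": False,
     "token_expires_at": "2025-02-01T10:00:00Z", "token_last_used_at": "2024-06-01T00:00:00Z"},
    {"id": 3, "owner": {"login": "bob"}, "repository_selection": "subset",
     "permissions": {"repository": {"issues": "read", "metadata": "read"}},
     "access_granted_at": "2024-11-20T10:00:00Z", "token_expired": False,
     "token_expires_at": "2025-11-20T10:00:00Z", "token_last_used_at": None},
]

# Constructed sample audit-log events (field names and actions assumed).
SAMPLE_AUDIT = [
    {"@timestamp": 1704880800000, "action": "personal_access_token.access_granted",
     "actor": "orgadmin", "org": "example-org", "user": "alice"},
    {"@timestamp": 1704884400000, "action": "repo.create",
     "actor": "alice", "org": "example-org"},
    {"@timestamp": 1732096800000, "action": "personal_access_token.request_created",
     "actor": "bob", "org": "example-org", "user": "bob"},
]

SAMPLE_NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)


def tokens_by_user(tokens):
    """Map each owner login to the ids of the tokens they authorized for the org."""
    by_user = {}
    for t in tokens:
        by_user.setdefault(t["owner"]["login"], []).append(t["id"])
    return by_user


def review_tokens(tokens, now, max_idle_days=90):
    """Return (id, owner, reasons) for tokens worth a closer look."""
    findings = []
    for t in tokens:
        reasons = []
        if t.get("token_expired"):
            reasons.append("expired")
        last = t.get("token_last_used_at")
        if last is None:
            reasons.append("never used")
        elif now - parse_ts(last) > timedelta(days=max_idle_days):
            reasons.append(f"idle > {max_idle_days}d")
        repo_perms = t.get("permissions", {}).get("repository", {})
        if t.get("repository_selection") == "all" and "write" in repo_perms.values():
            reasons.append("write access to all repositories")
        if reasons:
            findings.append((t["id"], t["owner"]["login"], reasons))
    return findings


def pat_events(events, prefix="personal_access_token."):
    """Keep only audit-log events about fine-grained PATs (prefix is an assumption)."""
    return [e for e in events if str(e.get("action", "")).startswith(prefix)]


def main():
    org, token = os.environ.get("GH_ORG"), os.environ.get("GH_TOKEN")
    live = bool(org and token)
    tokens = fetch_json(f"/orgs/{org}/personal-access-tokens", token) if live else SAMPLE_TOKENS
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    for user, ids in sorted(tokens_by_user(tokens).items()):
        print(f"{user}: {len(ids)} fine-grained token(s) {ids}")
    for tid, owner, reasons in review_tokens(tokens, now):
        print(f"  token {tid} ({owner}): {', '.join(reasons)}")
    for e in pat_events(SAMPLE_AUDIT):
        print(f"audit: {e['action']} user={e.get('user')} actor={e.get('actor')}")


if __name__ == "__main__":
    main()
```

With `GH_ORG` and `GH_TOKEN` set it lists real tokens (the caller needs org admin rights for that endpoint); without them it runs against the constructed sample. The audit-log part stays on sample data because, as the reply notes, querying it needs an enterprise admin and the enterprise audit-log endpoint.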
Topic area: Product Feedback
GitHub is encouraging people to move away from legacy PATs to fine-grained PATs, and there are comprehensive APIs for managing users with fine-grained PATs in an organization. However, there seems to be a case that is missed in order to allow an org admin to fully move all users to fine-grained PATs. Here is the use case.
As an org admin, I want to know how many of my users have set up legacy PATs. I want to give them a grace period to deactivate the legacy PATs, and then I want to enforce a policy in the org to disallow legacy PATs.
This may have a lot of steps, and having "how many of my users have set up legacy PATs" is already going to help me a lot here.
Thank you for the consideration.