Implement more granular API permissions
In https://suggestions.simplemdm.com/forums/204404-suggestions/suggestions/32990482-scope-api-key API permissions were split up to correspond with API endpoints. While a welcome change, it doesn't go far enough in providing granular access to sensitive MDM actions. Since the the /devices endpoint contains so much (device update, info, restart, shut down, lock, erase, etc.) it is a prime target were an API key to be compromised.
I am asking for API permissions to be split up to be even more granular by MDM command. An API key which only needs to enable/disable remote desktop should not also be able to lock or wipe the device. While I don't want permissions to become overly complex and thus difficult to configure, I do want to have confidence API keys aren't overly permissive.
I'm asking..
- Split out all MDM commands into their own API permission. Admins will need to specifically allow commands when creating/updating an API key.
- When creating a new API key, default all permissions to none. Currently permissions for all resources are allowed by default. Should start with least privilege.
![](https://secure.gravatar.com/avatar/0f22ddbfd9fbe47ed3346d63b860b26b?size=40&default=https%3A%2F%2Fassets.uvcdn.com%2Fpkg%2Fadmin%2Ficons%2Fuser_70-6bcf9e08938533adb9bac95c3e487cb2a6d4a32f890ca6fdc82e3072e0ea0368.png)