Open
Description
Problem Statement
Currently, any user within a Sentry organization can create an organization token. While these tokens are limited in scope, primarily used for CI/CD tasks like release creation and sourcemap/DIF uploads, the lack of granular permission control creates several issues:
- Security Concerns (Perceived): Organization owners receive notifications for every token creation, which can trigger unnecessary security reviews and raise concerns, even if the tokens are inherently limited in scope.
- Lack of Access Control: Organizations with strict security policies may want to restrict token creation to specific roles or users, preventing accidental or malicious token generation.
- Confusion: Users might create multiple tokens without proper management, leading to confusion and potential security vulnerabilities if tokens are not rotated or revoked when needed.
Solution Brainstorm
Implement a more granular permission system for organization token creation, for example:
- Project-Level Token Creation (With Org-Level Admin Override):
  - Allow token creation at the project level, so that the scope of the token is clearer.
  - Allow an organization admin to override this project-level scope.
  - This would allow more control over the scope of the token.
- Approval Workflow:
  - Implement an approval workflow for organization token creation.
  - When a user requests a token, an organization owner or designated approver would review the request and approve or deny it.
  - This would provide an extra layer of security and ensure that tokens are created only when necessary.
- Token Management Interface:
  - Develop a dedicated interface for managing organization tokens, including features like token expiration, revocation, and usage tracking.
  - This would provide a centralized location for organization owners to monitor and control token usage.
Product Area
Settings