Suggestion for standard accounts and settings rights (important)

- And VIEW and GENERATE a new API key (and this ***absolutely*** NOT desired!!!)

Every user has their own API key. So, the user can only view & generate the API key for their user account. It doesn't affect the API key for your account or for any other user in that LimeLM account.

Also, the abilities of the API key are limited by the permissions you give the user. The API key is just another way to access that particular user's access to the LimeLM account. The API key doesn't give them special permissions.

So, for example, let's say you create a user "Joe" and you give him the permission to view keys, but not the permission to create or delete keys. He'll get his own API key for his particular user account. And the API key will be able to view keys created in the LimeLM account, but he won't be able to create or delete keys via the API (or via the LimeLM UI).

Does that make sense?

- Receive email for invoices

They'll only get the emailed invoice if they have permission to view invoices.

- Receive email for new API versions

That doesn't affect your (or any other user's) ability to receive new API notifications.

In the DASHBOARD page:- Get full access to the Account activity (not desired)- Manage TurboActivate translations (really not desired)

We're going to make customizable dashboards for different users.

- To enter the user management page (not desired - should have access to it's settings only in the settings page)

"Regular users" don't have the ability to edit or delete other users. But maybe we'll take away their ability to even view other users.

- Able to import/export product keys (not really desired, except given rights to do so)

Only users with the ability to view key can export keys. And only users with the ability to create keys can import keys.

- View the version GUID (not desired)

Hmmm... maybe we'll make that customizable along with the dashboard. So only "developer" or "admin" accounts will see that.

- Able to make bulk product key (not really desired, except given rights -- maybe the same right as bulk import/export)

Why wouldn't the "can create keys" permission be enough?

So there are some important holes in the security management that is an hindrance for us right now. But especially the ones in the settings, about the API key! (I did not check everything in details, but the main ones.)

I don't see any security holes here. Some UI fixes, for sure.

Hi Wyatt,

Yeah, when I say security holes I mean that users can do or view things they should not view or do.

Ok, thank you for these detailed explanations.

- For the "API Key" I understand. So that means that our Website is actually using one of the administrator's key. If that administrator user is deleted... the WebSite is down. Is there a solution to avoid this kind of "oups, I deleted an admin account that also was used for the WebSite" kind of problem? - Alors, only an admin / developer account should have this option... but an admin could re-generate a specific user key.

- Ok, for the invoice and API emails... but if it's not a valid option for the user, it should not be there. WYSIWYCD! (What You See Is What You Can Do).

- Different dashboard for different users is good idea.

- Yep, regular users should not be able to see other users. This was my point.

- The problem with bulk import and bulk export is the fact that it is done in bulk... a user can add one at the time a key and search and see them. But why allowing a newbie exporting 5000 keys in a CSV file? We do not see the point. An admin might need that, or a developer... ok, but a standard user? Bulk creating is the same thing. There is a huge difference in impact and responsibility between creating keys manually one by one and creating thousands at once. It's more of a suggestion.

- GUID for developers, yep.

Thank you very much Wyatt for passing through the list. It helped me learn things about the interface.

Best regards,Alexandre Leclerc

Is there a solution to avoid this kind of "oups, I deleted an admin account that also was used for the WebSite" kind of problem?

Yes, create a separate admin account just for API calls. Of course, you could still delete the account. But you can't delete all users in a LimeLM account. So you'll always have at least 1 admin account.

So, I guess we give you a loaded gun and assume you won't shoot yourself in the foot. We try to prevent stupid mistakes. So when you click "Generate new API key" it tells you that the old key will cease to function immediately and it gives you a chance to cancel.

- Ok, for the invoice and API emails... but if it's not a valid option for the user, it should not be there. WYSIWYCD! (What You See Is What You Can Do).

😀 I agree. This will be fixed.

- The problem with bulk import and bulk export is the fact that it is done in bulk... a user can add one at the time a key and search and see them. But why allowing a newbie exporting 5000 keys in a CSV file? We do not see the point. An admin might need that, or a developer... ok, but a standard user? Bulk creating is the same thing. There is a huge difference in impact and responsibility between creating keys manually one by one and creating thousands at once. It's more of a suggestion.

Maybe separate permissions for bulk creation / exporting are in order.

Hi Wyatt,

I just thought that if it's not possible to "lock-down" a specific account because we know the API key is very important, maybe the same kind of message could be added to the actual delete confirmation: "Are you sure ... ?" adding: "Because, you know, if you were using the API key of this account for your WebSite or any other software, it will not work anymore. Really want to do that?"

Again, thank you very much! It's pleasure to work with you. (But we can't wait for the next release!)

Best regards,Alexandre Leclerc