Managing security for personal access token authentication

The IBM Copy Services Manager server supports authentication to the server through Personal Access Tokens. Personal Access Tokens are long-lived tokens that users with access to the server can create for the purpose of authenticating to the server through REST calls.

Administrators or User Administrators have full control over how Personal Access Tokens are used on the server. Personal Access Tokens are disabled by default. An Administrator or User Administrator must enable them before use.

When a Personal Access Token is used, it grants the caller the same permissions that the owning user holds at the time the call is made. Permissions are evaluated per call, not fixed when the token is created: if the user's permissions change, any call made with the token after the change is authorized with the new permissions.

The following section describes how an Administrator or User Administrator can manage Personal Access Token usage.

Enabling and Disabling Personal Access Tokens

Personal Access Tokens are disabled by default. Users with access to the server cannot create or use Personal Access Tokens while the feature is disabled.

To enable or disable Personal Access Token usage, the Administrator or User Administrator completes the following steps:

  1. From the top Navigator in the GUI, go to Settings → Administration
  2. On the Administration page, click the link at the top of the page called "Manage Personal Access Tokens".
  3. In the popup, select the Enabled or Disabled radio button
  4. If you select Enabled, also set the Maximum Expiration (days) to the longest token lifetime allowed by your security guidelines. The default is 366 days.
  5. Click Ok to save the changes.
Note: Personal Access Token management is protected by Dual Control. Enable Dual Control so that any change to the Personal Access Token settings requires approval from two people.

Viewing Users with Personal Access Tokens

At any time, an Administrator or User Administrator can view which users have created a Personal Access Token and when each token expires.

To view the current list of users with tokens, the Administrator or User Administrator completes the following steps:

  1. From the top Navigator in the GUI, go to Settings → Administration
  2. On the Administration page, click the link at the top of the page called "Manage Personal Access Tokens".
  3. The popup contains a table that lists, for each token, the username, the date the token was created, the lifetime in days that was requested when the token was created, and the resulting expiration date.
  4. Confirm that every token is still needed and that its lifetime meets your security guidelines.
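The check in the last step can be scripted against a copy of the table. The following is an added example and is not part of IBM Copy Services Manager or its documentation: it parses a CSV transcription of the table (the column names, user names and dates are constructed for illustration) and flags tokens whose lifetime exceeds the Maximum Expiration (days) setting, tokens that have already expired, and tokens that expire within a warning window. The 14-day warning window and the CSV layout are assumptions, not product behaviour.

```python
"""Audit a Personal Access Token table against a maximum-lifetime policy.

Added example, not IBM Copy Services Manager code. Input is a CSV transcription
of the "Manage Personal Access Tokens" table: username, creation date and the
lifetime in days requested at creation. Column names are an assumption.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample table: hypothetical users and dates, not real data.
SAMPLE_TABLE = """\
username,created,expires_in_days
csmadmin,2024-05-01,30
backup_svc,2023-06-10,366
ldap_ops,2024-03-15,400
auditor,2024-05-20,180
"""


def parse_token_table(text):
    """Return a list of (username, created: date, days: int) from CSV text."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((rec["username"].strip(),
                     date.fromisoformat(rec["created"].strip()),
                     int(rec["expires_in_days"])))
    return rows


def audit_tokens(rows, max_expiration_days, today_iso=None, warn_within_days=14):
    """Return {username: (expiration_iso, [codes])} for tokens needing attention.

    Codes:
      'exceeds-max'   lifetime is longer than the Maximum Expiration (days) setting
      'expired'       expiration date is already in the past
      'expiring-soon' expiration date is within warn_within_days (inclusive)

    The page does not state at what time of day a token expires, so the
    expiration date itself is reported as 'expiring-soon' rather than 'expired'.
    today_iso is accepted as a string so that audits are reproducible.
    """
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    findings = {}
    for username, created, days in rows:
        expires = created + timedelta(days=days)  # expiration date = created + lifetime
        codes = []
        if days > max_expiration_days:
            codes.append("exceeds-max")
        if expires < today:
            codes.append("expired")
        elif (expires - today).days <= warn_within_days:
            codes.append("expiring-soon")
        if codes:
            findings[username] = (expires.isoformat(), codes)
    return findings


if __name__ == "__main__":
    # Fixed audit date so the sample output is reproducible; omit it to use today.
    results = audit_tokens(parse_token_table(SAMPLE_TABLE), 366, today_iso="2024-06-01")
    for user, (expires, codes) in results.items():
        print(f"{user}: expires {expires}: {', '.join(codes)}")
```

Tokens reported as 'exceeds-max' were created before a stricter Maximum Expiration value was set, or under a looser one; the setting does not shorten existing tokens, so those are candidates for revocation and re-creation. Tokens reported as 'expired' should no longer work, but the entry is worth confirming in the table and removing if the product leaves it listed.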

Revoking Personal Access Tokens for Users

If a user with a token no longer requires access, or if a security issue occurs, an Administrator or User Administrator can revoke the user's token at any time.

To revoke a Personal Access Token for one or more users, the Administrator or User Administrator completes the following steps:

  1. From the top Navigator in the GUI, go to Settings → Administration
  2. On the Administration page, click the link at the top of the page called "Manage Personal Access Tokens".
  3. In the table, select one or more users whose tokens you want to revoke.
  4. Click the Revoke Personal Access Token button.
  5. Click Ok on the "Are you sure?" prompt.

Deleting User Access to the Server

When Personal Access Tokens are enabled, any user with access to the server can create a Personal Access Token. This includes LDAP or Active Directory users or users with access through a Group.

While the user has access to the server, the user's Personal Access Token remains valid. If an Administrator or User Administrator removes access for that user, or for the group through which the user has access, the server automatically deletes the user's Personal Access Token. No manual token deletion is needed when the user or group is removed.

Note: A user can be a member of a group that has access and also be added to the server individually with a higher level of access. If that user's individual entry is removed but the group still exists, the Personal Access Token remains active; however, calls made with the token are limited to the access level granted to the group.