ConnectWise integration authorization.
under review
Andy Helsby
Not sure if I'm misunderstanding the instructions, but it seems to require creating an API user with a designated set of permissions and then sharing the credentials with everyone who needs to add the ConnectWise integration. So not only are the permissions the same for everyone, the creds are also shared with everyone. Seems very sketchy, unfriendly and insecure.
Would expect some kind of filter to talk to ConnectWise using my existing permissions, not an admin's level of access.
Justin Jondle
Not being the developer on the CW integration, I believe the intent is for each user to create their own API keys. This requires that users have the permission to create API Keys or someone to create individual keys for each user, but at least this way disabling the user's account would also disable the API Keys and the API would have the exact same access as the user already has. There are still concerns with this method, but it solves the major issues. It may be a good idea to put a WAF in front of CW that only allows API access from very specific public IP addresses to prevent a user's API keys from leaking somewhere and granting MFA-free access to the server.
I still think a full OIDC authorization process would be better for the users, but it isn't supported by CW. It may be possible to get it to work, but it wouldn't be supported.
Jimmy Hatzell marked this post as under review
Joshua Jones
Or some way to set up an integration where you don't have to share the API keys with everyone in the business.