ConnectWise integration authorization
under review
Andy Helsby
Not sure if I'm misunderstanding the instructions, but it seems to require creating an API user with a designated set of permissions and then sharing the credentials with everyone who needs to add the ConnectWise integration. So not only are the permissions the same for everyone, the creds are also shared with everyone. Seems very sketchy, unfriendly and insecure.
Would expect some kind of filter to talk to ConnectWise using my existing permissions, not an admin's level of access.
Brian Shaw
Jimmy Hatzell: We would like to create an agent to share with our team that has the ConnectWise integration. However, the way it is structured now is still a stumbling block because that means we have to manage an API Key for every single person and walk them through the settings.
Here is a band-aid idea for an 'easy share process': I already have the hatz_api user set up in ConnectWise with the appropriate access. Add a 'Share' button to the connection page for ConnectWise and have the system replicate this connection to my users. If we change the API key or something, disable the share on the ConnectWise connections page, and it deletes it from our users.
That would keep us from going through 50 people and setting them up with the exact same hatz_api info. We already have it set to least-privilege read-only, just for service tickets, time entries, etc. Stuff that anyone can see by logging in on their own.
FYI: Share/Unshare option only to show on the site admin page.
Justin Jondle
Not being the developer on the CW integration, I believe the intent is for each user to create their own API keys. This requires that users have the permission to create API keys, or that someone creates individual keys for each user, but at least this way disabling the user's account would also disable the API keys, and the API would have the exact same access as the user already has. There are still concerns with this method, but it solves the major issues. It may be a good idea to put a WAF in front of CW that only allows API access from very specific public IP addresses, to prevent a user's API keys from leaking somewhere and granting MFA-free access to the server.
I still think a full OIDC authorization process would be better for the users, but it isn't supported by CW. It may be possible to get it to work, but it wouldn't be supported.
Jimmy Hatzell marked this post as under review
Joshua Jones
Or some way to set up an integration where you don't have to share the API keys with everyone in the business.