Fine grained user permissions for API access #263

Closed
rolinh opened this issue Jul 19, 2017 · 2 comments

@rolinh

rolinh commented Jul 19, 2017

Request Type

Feature Request / Question

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Irrelevant |
| OS version (client) | Irrelevant |
| TheHive version / git hash | 2.12.0 |
| Package Type | Irrelevant |
| Browser type & version | Irrelevant |

Problem Description

This is a feature request for API access permission restrictions. I looked at issues #103 and #162 and took note that you will be working on fine-grained user roles/permissions for version 3.0. It seems that you consider using a tag-based approach to manage permissions. How would this approach work for API access?

Let me give you a use case. Let's say you have a script, foo.py, which needs to create alerts, and this is the only thing that it needs to do. To create alerts, it requires API access with write permissions. Currently, this is done by creating a new user and using its credentials via basic authentication. With the current version of TheHive, such a user needs write permissions, which allow it to CRUD cases and so on, even though this user only needs to be able to create new alerts (and possibly update them). I am sure that this is a quite common scenario.

I think that a mechanism to restrict API access permissions in a fine-grained way would be a welcome addition to TheHive. If this is deemed too complicated, could the addition of a role to allow access to the /api/alert endpoint be considered?

@nadouani
Contributor

Hi @rolinh, once again this is a good question.

I think that there are two things: the permissions and the scope. The tags might be used to define the scope that a user can have access to. The permissions would define what a user can do on its available scope. (That said, some APIs don't require a scope, like the alert API.)

I agree with what you said: creating a user that has access to the alert API only is a legitimate requirement. We will do our best to bring that to TheHive ;)
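To make the permissions-versus-scope split concrete, here is an added illustration (not TheHive's code, and not the model the maintainers ended up shipping): a principal carries a set of permissions (what it may do) and a set of tags (the scope it may touch); case actions are checked against both, while alert actions, as noted above, need no scope. The action names, the `Principal` class and the sample principals are all constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical authorization model for the discussion above (not TheHive's API):
# permissions say what a principal may do, scope_tags say which objects it may
# touch. An empty scope means the principal can reach no scoped object at all.
@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset
    scope_tags: frozenset

# action -> (permission required, whether the object's tags are checked).
# Alert actions are unscoped, matching "some APIs don't require a scope".
ACTIONS = {
    "alert:create": ("alert:write", False),
    "alert:update": ("alert:write", False),
    "case:create":  ("case:write", True),
    "case:read":    ("case:read", True),
    "case:update":  ("case:write", True),
    "case:delete":  ("case:write", True),
}

def is_allowed(principal, action, object_tags=frozenset()):
    """Return True only if the principal holds the permission the action
    needs and, for scoped actions, shares at least one tag with the object."""
    needed, scoped = ACTIONS[action]
    if needed not in principal.permissions:
        return False
    if scoped and not (object_tags & principal.scope_tags):
        return False
    return True

def effective_actions(principal, object_tags=frozenset()):
    """Every action the principal could perform on an object with these tags;
    useful to audit what an API credential can actually do."""
    return {a for a in ACTIONS if is_allowed(principal, a, object_tags)}

# Constructed sample principals: the alert-only script from the issue, and an
# analyst limited to objects tagged "team-a".
ALERT_BOT = Principal("foo.py", frozenset({"alert:write"}), frozenset())
ANALYST = Principal("alice", frozenset({"alert:write", "case:read", "case:write"}),
                    frozenset({"team-a"}))
```

Auditing `effective_actions(ALERT_BOT, ...)` shows the script limited to creating and updating alerts, which is the least-privilege outcome the issue asks for.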

@rolinh
Author

rolinh commented Jul 19, 2017

Hi @nadouani,

This is great, thanks a lot :)
Let me know if I can help in any way.

@saadkadhi saadkadhi added this to the 2.13.0 milestone Jul 26, 2017
To-om added a commit that referenced this issue Sep 5, 2017
To-om added a commit that referenced this issue Sep 6, 2017
…I. Add hasKey to user json output

Enable authentication by key in module initialization (can't be disabled)
nadouani added a commit that referenced this issue Sep 7, 2017
nadouani added a commit that referenced this issue Sep 11, 2017
To-om added a commit that referenced this issue Sep 13, 2017
@To-om To-om closed this as completed Sep 14, 2017