Open
Labels
- 🙏 feature request: Request for new feature
- osctrl-admin: osctrl-admin related changes
- osctrl-api: osctrl-api related changes
- osctrl-tls: osctrl-tls related changes
- 🔐 permissions: Permissions related issues
Description
Problem
Currently, when creating service accounts via the API, permissions are tied to the global admin flag. This means users can only create accounts with either:
- Full admin access (admin=true) - all permissions to all environments
- Read-only access (admin=false) - only read permission
There is no way to create service accounts with specific combinations of permissions like:
- Read + Query (for monitoring tools)
- Read + Carve (for forensics tools)
- Read + Query + Carve + Admin (for environment-specific admins)
Solution
Implement fine-grained permission control by adding individual permission flags to the API user creation endpoint:
- user_access - Read access (view nodes, queries, environments, etc.)
- query_access - Query execution access
- carve_access - File carving access
- admin_access - Admin access for the specified environments
Benefits
- Security: Principle of least privilege - give accounts only the permissions they need
- Flexibility: Support various use cases (monitoring, forensics, CI/CD, etc.)
- Backward Compatibility: Existing API clients continue to work without changes
- Better Service Account Management: Create purpose-specific accounts
Implementation
- Add permission fields to the ApiUserRequest type
- Update UserActionHandler to use fine-grained permissions
- Update Swagger documentation
- Add comprehensive testing tools
- Maintain backward compatibility
Testing Tools
Added testing scripts in tools/testing/:
- Create service accounts with random permissions
- Validate permissions via API calls
- Export credentials to CSV
- Debug API connectivity
API Usage
POST /api/v1/users/my-service-account/add
{
"username": "my-service-account",
"password": "secure_password",
"email": "service@example.com",
"service": true,
"admin": false,
"environments": ["env-uuid"],
"user_access": true,
"query_access": true,
"carve_access": true,
"admin_access": false
}
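The resolution rules this issue asks for (global admin keeps everything, a legacy client that sends none of the new flags keeps read-only access, otherwise each flag is honoured and an omitted flag means no access), as an added Go example that is not osctrl's own code. The ApiUserRequest field set, the Permissions type and ResolvePermissions are assumptions modelled on the request body above, not the project's actual handler.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ApiUserRequest mirrors the request body proposed in this issue (hypothetical
// shape). The new flags are pointers so a request from an older client that
// omits them can be told apart from one that explicitly sets them to false.
type ApiUserRequest struct {
	Username     string   `json:"username"`
	Service      bool     `json:"service"`
	Admin        bool     `json:"admin"`
	Environments []string `json:"environments"`
	UserAccess   *bool    `json:"user_access,omitempty"`
	QueryAccess  *bool    `json:"query_access,omitempty"`
	CarveAccess  *bool    `json:"carve_access,omitempty"`
	AdminAccess  *bool    `json:"admin_access,omitempty"`
}
// Permissions is the effective permission set for the listed environments (hypothetical type).
type Permissions struct{ User, Query, Carve, Admin bool }
// ResolvePermissions: admin=true grants everything; no new flags at all keeps the
// legacy read-only default; otherwise flags are taken as sent, omitted meaning false.
func ResolvePermissions(r ApiUserRequest) Permissions {
	if r.Admin {
		return Permissions{User: true, Query: true, Carve: true, Admin: true}
	}
	if r.UserAccess == nil && r.QueryAccess == nil && r.CarveAccess == nil && r.AdminAccess == nil {
		return Permissions{User: true} // legacy client: read-only, unchanged behaviour
	}
	set := func(p *bool) bool { return p != nil && *p }
	return Permissions{User: set(r.UserAccess), Query: set(r.QueryAccess),
		Carve: set(r.CarveAccess), Admin: set(r.AdminAccess)}
}
// ParseRequest decodes a JSON request body into ApiUserRequest.
func ParseRequest(body []byte) (ApiUserRequest, error) {
	var r ApiUserRequest
	return r, json.Unmarshal(body, &r)
}
func main() {
	// Constructed sample: the monitoring-tool case from the issue (read + query only).
	body := `{"username":"mon","service":true,"admin":false,"environments":["env-uuid"],"user_access":true,"query_access":true}`
	r, err := ParseRequest([]byte(body))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ResolvePermissions(r)) // {User:true Query:true Carve:false Admin:false}
}
```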