Imposing more control over Statuspage API keys

 

As incident communication teams grow larger, Statuspage admins are often interested in restricting page permissions at the user level. These permissions include the ability to manage status pages, post or update incidents, or develop custom integrations.

Historically, all Statuspage users have had full access to all of these features. However, this level of access can become a risk for organizations with dozens, or even hundreds, of team members. We are committed to introducing more role-based access control (RBAC) features this year for Statuspage admins to solve this problem.

API keys are migrating to account owner control

As a first step, we are changing the way API keys are distributed and managed inside the product – so that account owners are in full control.

Today, every user has their own individual API key with full read/write access, which can be found on the API info page (in your user menu when you click your avatar). Any team member can use their key to manage the status page externally, which creates a risk of unauthorized use.

In addition, if a team member's account is removed by an admin and their individual key has been used for a custom integration, the key is no longer active and the integration may break.

Starting February 2020, all API keys will migrate to the organization level – so only account owners have access to them. Other users will still be able to find supporting information on the API info page, but they will need to request an API key from the account owner.

After the migration, all existing API keys will remain functional, to ensure all custom integrations work without any interruptions. The only change is that the API keys will no longer “belong” to individual users, but to a Statuspage account as a whole.

We’ll also be adding some helpful tools to identify actively used API keys (“last used”), create additional keys, or remove unused ones.

- - - - -

If you have any questions, contact Statuspage support here.

10 comments

Ross McKelvie January 15, 2020

How will this look in the slack integration? Will the "user" making the update be removed completely from the Slack notification or will it say something else? 

Victor Dronov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 15, 2020

Ross, 

For the updates made via the Statuspage UI, there will be no change. For the updates made via the API, it will show up in the Slack channel like "<Your API key name> via the API updated component <Component Name> from Operational to Major Outage".

The account owner will have a way to set a meaningful name for every API key, from the "API info" page.

Ross McKelvie January 15, 2020

This is an amazing improvement, we're looking forward to it!

Dave Hollinden January 21, 2020

Do you have plans to allow for multiple owners? Thanks. 

Victor Dronov
Atlassian Team
January 21, 2020

Dave,

We do have plans along these lines, however not at the moment of API keys migration described here.

Elie Sarafian January 26, 2020

Victor, can you give me some pointers on how the API works? Also, how would this change affect Slack integrations?

Victor Dronov
Atlassian Team
January 26, 2020

Elie,

This article is a good place to start with Statuspage API. Slack integration won't be affected, please see some details in the comments above, in this thread.

anielka527 February 6, 2020

It seems that everything is changing for the better. Let's hope so 😉

Bircan Basal February 8, 2020

Great program

wworek October 4, 2022

It looks like there is no RBAC on the keys; it's full access to the page. We have an audience-specific page, but there is no ability to have audience-specific API users?
