Access to Secrets

If you are not using the Administrator role, you need a custom role with the Secrets Management permission to view the API Secrets page and create a new secret.

The Secrets Management permission controls access to the API Secrets page in the UI.

Permission level

User with the permission level:

View

  • Can see secrets where the current user is listed as the owner

Create

  • Can create a new secret in the current account

  • Can make a secret he or she creates shareable with SuiteApps

  • Can set owners. The default owner is pre-set to the entry author

  • Can make a secret he or she owns shareable with SuiteApps

Edit

  • Can edit secrets where the current user is listed as the owner

  • Can make a secret he or she owns shareable with SuiteApps

Full

  • Can create secrets and set owners

  • Can see all secrets

  • Can set Allowed for SuiteApps

  • Can edit all secret entry fields, except for script ID

  • Can delete any secret created in this account

  • Can make any secret shareable with SuiteApps

Restricting Access to API Secrets

Secrets cannot be locked in the same way that SSH keys and certificates can be locked. However, you can restrict access to API secrets using the settings on the Restrictions tab of the secret in the UI.

You can restrict API secrets in the following ways:

  • Employees — Employees you select in the Owner field can edit the secret and change the password. Employees must also either have Edit access to the Secrets Management permission with the role they are using or use the Administrator role. Roles with Full level of the Secrets Management permission can edit or delete any secret, even if they are not listed as an owner. Use the Restrict to Employees field to restrict secret decryption to specific employees. Only those employees listed can decrypt the secret when executing a script that uses the secret.

  • Scripts — Clear the Allow for All Scripts box and enter script IDs in the Restrict to Scripts field to restrict a secret from being decrypted using any scripts other than those listed.

  • SuiteApps — To limit secret usage to a specific SuiteApp, check the Available to SuiteApp box, and enter the SuiteApp ID where the secret can be accessed. If the secret should be accessible from specific accounts for testing purposes, enter the account numbers in the Allow On Test Accounts field.

  • Domains — Clear the Allow for All Domains box and enter domains in the Restrict to Domains field to restrict a secret from being decrypted on any domain other than those listed. If you do not want the secret decrypted on any domain, you can enter an invalid domain name.
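
The following review helper is an added example, not NetSuite code: it checks a constructed description of a secret against the Restrictions tab settings listed above and applies the edit rule from the Employees item. The object layout, property names, and the sample employee name, script ID and domain are assumptions made for illustration.

```javascript
// Added example. Property names mirror the field labels on the Restrictions
// tab; the object layout is constructed here and is not a NetSuite format.
function auditSecretRestrictions(secret) {
  const findings = [];
  if (secret.allowForAllScripts) {
    findings.push("Allow for All Scripts is checked");
  } else if (secret.restrictToScripts.length === 0) {
    findings.push("Restrict to Scripts lists no script IDs");
  }
  if (secret.allowForAllDomains) {
    findings.push("Allow for All Domains is checked");
  } else if (secret.restrictToDomains.length === 0) {
    findings.push("Restrict to Domains lists no domains");
  }
  if (secret.restrictToEmployees.length === 0) {
    findings.push("Restrict to Employees lists no employees");
  }
  if (secret.availableToSuiteApp && !secret.suiteAppId) {
    findings.push("Available to SuiteApp is checked without a SuiteApp ID");
  }
  return findings;
}

// Edit rule as the page states it: Full level can edit any secret; otherwise
// the user must be an owner AND use Edit level or the Administrator role.
function canEditSecret(user, secret) {
  if (user.secretsManagementLevel === "Full") return true;
  const isOwner = secret.owners.includes(user.name);
  const roleAllows = user.role === "Administrator" ||
    user.secretsManagementLevel === "Edit";
  return isOwner && roleAllows;
}

// Constructed sample data (names, script ID and domain are placeholders).
const broadSecret = {
  owners: ["A. Owner"], restrictToEmployees: [],
  allowForAllScripts: true, restrictToScripts: [],
  allowForAllDomains: true, restrictToDomains: [],
  availableToSuiteApp: false, suiteAppId: "",
};
const scopedSecret = {
  owners: ["A. Owner"], restrictToEmployees: ["A. Owner"],
  allowForAllScripts: false, restrictToScripts: ["customscript_example"],
  allowForAllDomains: false, restrictToDomains: ["api.example.com"],
  availableToSuiteApp: false, suiteAppId: "",
};

console.log(auditSecretRestrictions(broadSecret));
console.log(auditSecretRestrictions(scopedSecret));
```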
