Access to Secrets
If you are not using the Administrator role, you need a custom role with the Secrets Management permission to view the API Secrets page and to create a new secret.
The Secrets Management permission controls access to the API Secrets page in the UI; the level assigned to the role determines what the user can do there.
Permission level | User with the permission level:
View | Can see secrets where the current user is listed as the owner
Create |
Edit | Can edit secrets (including changing the password) where the current user is listed as an owner
Full | Can edit or delete any secret, even one where the current user is not listed as an owner
Restricting Access to API Secrets
Secrets cannot be locked in the same way that SSH keys and certificates can be locked. However, you can restrict access to API secrets using the settings on the Restrictions tab of the secret in the UI.
You can restrict API secrets in the following ways:
- Employees — Employees you select in the Owner field can edit the secret and change its password. They must also either have the Edit level of the Secrets Management permission on the role they are using, or use the Administrator role. Roles with the Full level of the Secrets Management permission can edit or delete any secret, even if they are not listed as an owner. Use the Restrict to Employees field to restrict decryption of the secret to specific employees: only the employees listed can decrypt the secret when executing a script that uses it.
- Scripts — Clear the Allow for All Scripts box and enter script IDs in the Restrict to Scripts field to prevent the secret from being decrypted by any script other than those listed.
- SuiteApps — To limit use of the secret to a specific SuiteApp, check the Available to SuiteApp box and enter the ID of the SuiteApp from which the secret can be accessed. If the secret should also be accessible from specific accounts for testing purposes, enter those account numbers in the Allow On Test Accounts field.
  Warning: When the Available to SuiteApp box is checked and a SuiteApp ID is entered, the secret is automatically distributed to all accounts in the SuiteApp's install base.
- Domains — Clear the Allow for All Domains box and enter domains in the Restrict to Domains field to prevent the secret from being decrypted on any domain other than those listed. If you do not want the secret decrypted on any domain at all, enter an invalid domain name in this field.