Restrict API key creation

Is it possible to restrict roles from creating API keys?
[MIG] EOC LongBarrel (32d ago)
No, but they are restricted under the same permissions granted. Any actions done via their API key will be logged under their account in the audit log.
Hex (32d ago)
I'll be quite frank here, but that does not seem secure in the least, to be honest with you. There are countless instances where you'd want people to have access to GDPR-protected information like IP addresses in the context of their responsibilities whilst using BM, but you would by no means ever want to grant them the ability to export said data through an API where it can be distributed without prior consent or used in contexts in which it shouldn't be. It seems reckless not even having the minimum amount of safeguards, such as the ability to restrict that through roles.
Hordicus (32d ago)
It's primarily a problem of logistics. The user needs API access in order to use the site itself. The only reasonable restriction we could put in place would be to try and differentiate between browser traffic and non-browser traffic. The exercise is kinda futile though, since there are many ways to fake a browser to gain the same level of access. If we force them into the browser impersonation route, it would undermine the quality of your audit logs, since you would no longer be able to tell what was automated vs what was viewed with their own eyes (both would appear under the "website" category). As for the IPs, are you not using hashed identifiers for these low-trust admins?
Hex (32d ago)
I can see your point, but I'm sure you can also see where I'm coming from. And for those, yes we do. But that's only a temporary phase till people grow into their full moderation capabilities. That still doesn't mean that, because we trust them within the confines of the website to use that information, we'd be comfortable with any of them building out tools which allow them to extract the entirety of the dataset we have. That should be a right only granted to very select individuals for very specific tasks, I feel.
Hordicus (32d ago)
I completely understand the concern. It's just a difficult problem to actually "solve", since there will inevitably be a way around whatever we do. Somewhere trust has to come into the equation, and perhaps NDAs with your staff to keep them on a leash.
Hex (32d ago)
I'll definitely have to re-evaluate and look how we can adopt a more secure way of working. I appreciate the response.
Hordicus (32d ago)
For sure. If we can find some reasonable restrictions that don't have major drawbacks, I'm all ears as well. For now we at least have some mechanisms in place for monitoring this user activity.
Hex (32d ago)
Without having the knowledge of how your infrastructure works, it's kind of hard to do so, but the lowest-hanging fruit to me would have seemed to be an option in the role creation that allows a role to create an API key or not. That'd be my initial thought, but again, without a clearer picture it's hard to make suggestions.
[MIG] EOC LongBarrel (32d ago)
Simply put, the way the system works, everything is run off the API. This includes the full website. So when you log on via the website, your login is assigned an API key which has permissions to access the orgs they have. The org owner then sets the permissions on what they can and can't do within the org. That same permission is accessible via the API endpoint also. Which, as Hordicus stated, is hard to restrict: even if you restrict key creation, they could still do it via browser emulation, as both run via the API backend.