As an Organization Owner user in an Identity Governance and Administration (IGA) activated Organization, you monitor the API tokens created in your Organization and set constraints for idle and maximum Time to live (TTL) for all newly created tokens.
To access the API Tokens dashboard, open the Tanzu Platform cloud services console and navigate to Identity & Access Management > Governance > API Tokens. The dashboard that opens gives you a list of all API tokens created by users in your Organization.
For each API token, you can view details, such as token name, name of the Organization user who created the API token, creation and expiration dates, the date the token was last used, and the scopes of the token – the Organization roles assigned to the token.
The API Tokens dashboard list displays an alert icon if the TTL policies for your Organization have been violated. The TTL policies set for your Organization apply to all new API tokens created by the users in your Organization. If you change a TTL policy, an alert icon appears next to every previously created API token that violates the new setting.
There are two TTL policy settings you can activate, deactivate or modify:
Idle Token TTL.
This setting defines the allowed idle Time to live for an API token before it violates the policy.
Max Token TTL.
This setting defines the maximum allowed Time to live for any API token created in your Organization. Organization users will not be able to generate API tokens with a Max Token TTL greater than the one defined by this setting.
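The two policies applied to a handful of token records, as an added example (not code or an API from Tanzu Platform cloud services). The field names, the policy names, and the rule that idle time counts from last use (or from creation if the token was never used) are assumptions; the sample tokens are constructed. It shows how tightening a policy makes previously created tokens show up as violations.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Token:                       # hypothetical record, mirrors the dashboard columns
    name: str
    created: datetime
    expires: datetime
    last_used: Optional[datetime]  # None = never used

@dataclass
class TtlPolicy:                   # None = that policy is deactivated
    idle_ttl: Optional[timedelta]
    max_ttl: Optional[timedelta]

def violations(token: Token, policy: TtlPolicy, now: datetime) -> list:
    """Return the names of the policies this token violates."""
    found = []
    # Max Token TTL: the token's whole lifetime must not exceed the limit.
    if policy.max_ttl is not None and token.expires - token.created > policy.max_ttl:
        found.append("max_ttl")
    # Idle Token TTL (assumption: measured from last use, else from creation).
    if policy.idle_ttl is not None:
        idle_since = token.last_used or token.created
        if now - idle_since > policy.idle_ttl:
            found.append("idle_ttl")
    return found

def audit(tokens, policy, now):
    """Map token name -> violated policies, omitting compliant tokens."""
    return {t.name: v for t in tokens if (v := violations(t, policy, now))}

# Constructed sample data.
NOW = datetime(2024, 6, 1, 12, 0)
TOKENS = [
    Token("ci-deploy", datetime(2024, 5, 1), datetime(2024, 7, 30), datetime(2024, 5, 31)),
    Token("old-script", datetime(2024, 1, 10), datetime(2024, 7, 8), datetime(2024, 2, 1)),
    Token("never-used", datetime(2024, 5, 20), datetime(2024, 6, 19), None),
]
BEFORE = TtlPolicy(idle_ttl=timedelta(days=30), max_ttl=timedelta(days=180))
AFTER = TtlPolicy(idle_ttl=timedelta(days=7), max_ttl=timedelta(days=90))
IDLE_OFF = TtlPolicy(idle_ttl=None, max_ttl=timedelta(days=60))

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER), ("idle off", IDLE_OFF)):
        print(label, audit(TOKENS, policy, NOW))
```
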
If an API token violates a TTL policy in your Organization or in any way looks suspicious to you, you can deactivate the token from the API Tokens dashboard. This way it cannot be used to access the resources in the Organization.
Click the Deactivate link.
The API token status changes from Activated to Deactivated. The owner of the API token receives an email notification from Tanzu Platform cloud services that a token they’ve been using to access the Organization has been deactivated by an Organization Owner.
To reactivate an API token that has been deactivated, select the API token on the dashboard, then click the Activate link. The owner of the API token receives an email notification confirming the reactivation.
To modify the API token TTL policies, do the following:
On the API Tokens dashboard, click Settings.
To… | Do this… |
---|---|
Activate or deactivate a policy. | Use the Policy status slider. |
Change a TTL setting. | Enter a new value in the respective TTL setting section and select a time unit from the drop-down list. The time unit can be minutes, hours, or days. |
Click Save.
Validation runs of existing tokens against the policies take place once every 24 hours. This means it may take some time before the list of violations on the API Tokens dashboard reflects the change you made.