Minimum permissions necessary for API scripts

Hi all,

We’re looking at reducing our security risks by creating permission groups for API scripts that are all off except for pretty much exactly what is needed for each script. Would love to know if anyone else tested this, and if so what were the gotchas. For instance, I can imagine that if you’re looking at a field on a Shot you probably also need read access to the Fields entity.

Thanks so much!


Hey Dennis –

Not much to suggest from the Toolkit team, but we have been talking about some sort of validation at pipeline configuration initialization time that would confirm that the necessary permissions exist (e.g., that the user has read access to tank name), so it doesn’t bite them further down the line in their workflows. Is this something that you think would be useful?



We have come across permissions errors when using Toolkit since it uses the human’s permission; any validations or error message clarifications there would be helpful. Personally I’d like to see a way to make the website permissions slightly different - so Toolkit users can get at fields for app purposes but not in Shotgun.


Hey Dennis - just wanted to let you know I’ve shared this conversation with the product team – these are good potential feature requests. Thanks!


Thanks! I definitely want to reiterate the desire for a field like the Key field in the Script entity which is a one-time human read so I can store sensitive data in Shotgun which can only be read via script.