Feature name
Limited Permission API Keys
Feature function
Our situation is that we wish to have an on-premise script download our Bitwarden Organisation’s audit logs on a schedule, using the API.
The problem is that the Organisation’s API key has far more access than just ‘reading logs’; there’s the ability to manage and delete groups and collections, users, etc.
As a result, we’ve decided not to implement the functionality we wanted to with the API due to there being no way to lock down the access available to our single, org-wide API key.
It would be a great win for security if we could generate keys with restricted permissions, adopting a principle-of-least-privilege approach for API keys.