Requirements for Using Personal Access Tokens

OneStream IdentityServer and Environment Setup

To use PATs, you must:

Required System Security Roles

Even if you are an administrator, you need group-based access to one or both of these required system security roles to create, manage, and use PATs in API calls:

  • AccessAsNonInteractiveUser: Enables a user to:

    • Create PATs for their own use in API calls.

    • Revoke their own PATs.

    • Access details about their own PATs.

  • AdministerNonInteractiveUser: Enables a user to revoke another user's PATs and access information about all PATs.

You do not need to be in the administrator group to be assigned either of these roles.

By default, the Nobody group, which does not include administrators, is assigned to both of these roles. To assign the required roles, you must have the ManageSystemSecurityRoles role. To add users to an existing group, you must have the ManageSystemSecurityGroups role. See:

Apply Security Roles

The following instructions provide an example of applying security roles. This may be configured differently depending on your security needs.

  1. If one does not exist, create a group to which you add all users who will work with PATs. Otherwise, go to step 2.

    1. Go to System > Administration > Security.

    2. Click the Create Group icon.

      The security page has a toolbar row at the top of the page with icons. The Create Group icon is highlighted. It has the silhouettes of three users with a blue circle connecting them as a group. The navigation column on the left shows the System tab selected, the Administration option expanded, and the Security option selected.

    3. Enter a group name and description that reflect how users will work with PATs.

      For example, use PATs Users as the group name for users who will create and revoke their own PATs, and assign the AccessAsNonInteractiveUser role.

      The Create Group page has a grid with row headings that have a blue background with blue text and can be expanded to display fields with a white background and black text. This example displays the Name, Description, and Child Groups and Users fields. The Name field has the example text: PATs Users. The Description field has the example text: Users who will create and revoke their own tokens.

      Similarly, create a PATs Admin group for users who must access all PAT details and be able to revoke all PATs, and assign that group the AdministerNonInteractiveUser role.

      The Create Group page has a grid with row headings that have a blue background with blue text and can be expanded to display fields with a white background and black text. This example displays the Name, Description, and Child Groups and Users fields. The Name field has the example text: PATs Admins. The Description field has the example text: Users who access all PAT details and can revoke all PATs.

    4. In Group Membership, click the Add Child Groups icon or the Add Users icon to include the users or groups of users who will use PATs.

      The Add Child Groups dialog box displays the list of child groups on the left of the screen as the Source List. Instructions explain that you can double-click or drag items to the right of the screen to add them to the Result List. There is also a source filter field at the top of the screen that can be used to search for a specific child group.

    5. Click the Save icon.

  2. Click System Security Roles, and then click the ellipsis next to AccessAsNonInteractiveUser or AdministerNonInteractiveUser.

    The System Security Roles page has a grid with row headings that have a blue background with blue text and can be expanded to display fields with a white background and black text. This example highlights the fields AccessAsNonInteractiveUser and AdministerNonInteractiveUser and the ellipsis next to each field.

    IMPORTANT: The AccessAsNonInteractiveUser role enables a user to create PATs for their own use in API calls, revoke their own PATs, and access details about their own PATs. The AdministerNonInteractiveUser role enables a user to revoke another user's PATs and access information about all PATs.

  3. Select the group containing the users who will work with PATs.

    The Object Lookup dialog box displays the list of security groups.

  4. Click the OK button, then the Save icon.

See "Managing Users and Groups" in the Design and Reference Guide.