Requirements for Using Personal Access Tokens

OneStream IdentityServer and Environment Setup

To use PATs, you must:

• Work with the Cloud Operations team to configure users and environments for OneStream IdentityServer. See Onboarding Process and Considerations and Best Practices.

• Have group-based access to the system security roles that determine the tasks you can perform with PATs. See Required System Security Roles.

Required System Security Roles

Even if you are an administrator, you need group-based access to one or both of these required system security roles to create, manage, and use PATs in API calls:

• AccessAsNonInteractiveUser: Enables a user to:

  • Create PATs for their own use in API calls.

  • Revoke their own PATs.

  • Access details about their own PATs.

• AdministerNonInteractiveUser: Enables a user to revoke another user's PATs and access information about all PATs.

You do not need to be in the administrator group to be assigned either of these roles.

By default, the Nobody group that does not include administrators is assigned to both of these roles. To assign the required roles, you must have the ManageSystemSecurityRoles role. To add users to an existing group, you must have the ManageSystemSecurityGroups role. See:

• Apply Security Roles.

• "Managing Users and Groups" in the Design and Reference Guide.

Apply Security Roles

1. If one does not exist, create a group to which you add all users who will work with PATs. Otherwise, go to step 2.

   1. Go to System > Security > Groups.

   2. Click the Create Group icon.

   3. Enter a group name and description that reflects how users will work with PATs.

      For example, use PATs Users as the group name for users who will create and revoke their own PATs, and assign the AccessAsNonInteractiveUser role. Similarly, create a PATs Admin group for users who must access all PAT details and be able to revoke all PATs and assign the AdministerNonInteractiveUser role.
      

   4. In Group Membership, click the Add Users icon or the Add Child Groups icon to include the users or groups of users who will use PATs.

   5. Click the Save icon.

2. Click System Security Roles, then the ellipsis next to AccessAsNonInteractiveUser or AdministerNonInteractiveUser.

3. Select the group containing the users who will work with PATs.

4. Click the OK button, then the Save icon.

See "Managing Users and Groups" in the Design and Reference Guide.