Use case: We are integrating RM with our enterprise data platform (Snowflake) for analytics purposes. The integration only requires read access. Our internal Cybersecurity policy mandates that service accounts operate under least-privilege principles, including the ability to demonstrate that a credential cannot perform destructive or modifying operations. The current token model forces us to use a credential with full administrative scope for a use case that only needs reads, which complicates security approval and creates avoidable risk in the event of a credential compromise.
Requested capability: The ability to issue Resource Management API tokens with one or more of the following options:
- Read-only mode (the token can only execute GET operations).
- Per-dataset scope (the token can only access specified resource types).
- Tokens tied to user permissions, similar to the core Smartsheet API model, so that a service user with restricted access produces a correspondingly restricted token.