limited enterprise roles do not support least privilege principal

[byrneh]

As a security concept, Least Privileges refers to the principle of assigning users only the minimum privileges necessary to complete their job. This is a widely adopted principle be that NIST, OWASP or GitHub's own best practise.

There is a need to access enterprise endpoints when the user SHOULD only have READ like role permissions such as
Get the audit log for an enterprise (admin:enterprise scope token)
List enterprise consumed licenses (read:enterprise permission scope token}

Requiring a token with admin:enterprise scope for what is only a GET (READ) operation is overly permissive.
Only providing an enterprise admin role for a user that only needs READ/QUERY of enterprise REST or GraphQL apis is overly permissive and does not comply with least privilege principle.

GitHub needs to provide roles, or some form of custom role or assignable permissions that support least privilege principle.

[spaltrowitz]

hi @byrneh 👋 this has now shipped to dotcom! https://github.blog/changelog/2022-11-14-access-audit-log-api-using-tokens-scoped-to-only-read-audit-logs

[skwashp]

@spaltrowitz that link is showing a 404. Searching the blog for audit log token scopes doesn't show anything either. The read:audit_log scope is available on the token generation page. Has something changed in the last 2 weeks that makes the blog post invalid?

Here is the full text courtesy of the google cache:

Enterprise and organizations administrators can now create personal access tokens (classic) and OAuth apps with the read:audit_log scope. Stolen and compromised credentials are the number one cause of data breaches across the industry. To mitigate the risk of compromised credentials, GitHub recommends adhering to the principle of least privilege which promotes "giving a user account or process only those privileges which are essential to perform its intended function." The new scope will enable access to the audit log endpoints, without requiring full administrative privileges. This feature is generally available for GitHub Enterprise Cloud customers, and will be released to GitHub Enterprise Server in version 3.8.

To learn more, read our documentation on using the audit log API for your enterprise.

[spaltrowitz]

@skwashp thanks for reaching out! here is the updated post - https://github.blog/changelog/2022-12-19-access-the-audit-log-rest-api-using-scoped-tokens/
cc @nearlythere