I am a little confused about how to restrict the access permissions of API tokens. For clarity, I was hoping to be able to restrict specific tokens to apps or resources, ideally matching the access permissions of the user that created them.
This would seem to be supported, as the create token dialog states:
"Personal access tokens carry the access permissions of the user who created the token. We recommend each user create their own."
However, only users within the admin group can create tokens and, by definition, admins have full access to all resources and apps. This seems to make a nonsense of the statement (above) shown on the create token dialog.
What am I missing?
Thanks in advance.