User Access Tokens

A user access token is a unique, randomly generated string that can be used to authenticate a user to DiveLine, similar to a password. Access tokens are revocable and can be set to expire automatically. They are useful when the user doesn't want to store their actual password in a script or configuration file, such as in batch processing or systems integration.

Access tokens start with "ditok-", followed by twenty random characters from a mix of letters, numbers, hyphens, or underscores. The value of the token is never stored in DiveLine's configuration. Instead, a hash of the token is stored. A user can have any number of access tokens.
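Because the prefix and length are fixed, token-shaped strings are easy to find in scripts and configuration files before those files are committed or shared. The Python scanner below is an added example, not part of the DiveLine documentation or product; the file suffixes it checks and the sample script are constructed for illustration.

```python
import re
from pathlib import Path

# Format from the text above: "ditok-" followed by twenty characters drawn
# from letters, digits, hyphens and underscores.
TOKEN_CHARS = r"[A-Za-z0-9_-]"
# The lookarounds reject longer runs, so only exactly twenty characters match.
TOKEN_RE = re.compile(
    rf"(?<!{TOKEN_CHARS})ditok-{TOKEN_CHARS}{{20}}(?!{TOKEN_CHARS})"
)


def redact(token):
    """Mask the token, keeping the last four characters so a report can be
    correlated with its owner without re-exposing the secret."""
    return "ditok-" + "*" * 16 + token[-4:]


def scan_text(text, source="<memory>"):
    """Return (source, line_number, redacted_token) for each token-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_tree(root, suffixes=(".sh", ".bat", ".cfg", ".ini", ".env", ".txt")):
    """Scan files under root; the suffix list is an assumption, adjust as needed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample script; the token value is made up for this example.
SAMPLE = """\
#!/bin/sh
# nightly export job
DI_TOKEN=ditok-Ab3_xY-9kLm2Qw8ZrT5u
echo "ditok-tooshort"
NOTE=ditok-Ab3_xY-9kLm2Qw8ZrT5uEXTRA
"""

if __name__ == "__main__":
    for source, lineno, token in scan_text(SAMPLE, "sample.sh"):
        print(f"{source}:{lineno}: {token}")
```

Any token the scanner finds in a shared location should be treated as exposed: delete it with dicfg delete access_token and issue a replacement.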

Two access tokens for a given user cannot have the same name, ignoring case.

Only certain products can be used with access tokens:

  • DIAL

  • dicfg

  • disch

  • DI-ODBC

Sessions that authenticate using an access token have some restrictions. In these sessions, you may not change the user's password, request a one-time password, or create or remove access tokens.

NOTE: User access tokens can be added using the Workbench GUI. For more information, see User Access Tokens Tab.

By default, access tokens are disabled. To use access tokens, an administrator must first enable them with the following dicfg command:

dicfg -dataroot <dataroot> set boolean -name access_tokens_enabled -value true

Access token information is stored in DiveLine's dataroot/config/atlcfg.cfg file. For each user there is an access_tokens.

The following dicfg commands can be used to manage access tokens:

dicfg get boolean -name access_tokens_enabled [ -q ]

dicfg set boolean -name access_tokens_enabled -value <true or false>

dicfg add access_token -user <user> -name <name> [ -comment <comment> ] [ -expires <YYYY-MM-DD> ]

dicfg delete access_token -user <user> -name <name>

dicfg get user -user <user> -access_tokens [ -q ]

dicfg list access_tokens [ -q ]