Minimum permission an API key should have to delete anonymous users

I have implemented the solution provided by @Pavel_Duchovny, mentioned in the topic - Delete anonymous users upon log out: trigger?

I found that anonymous users are not deleted with an API key that has only the “Organization Member” permission. Users get deleted only if it has the “Organization Owner” permission.

Can anybody please advise what minimum permission this API key should have in order to delete anonymous users? What is the best practice?

Because giving an API key the “Organization Owner” permission, i.e., root permission, just to delete anonymous users is very risky and unnecessary.

You’re deleting users and so it doesn’t surprise me that you’d need elevated privs. Did you try creating an API key at the project rather than org level – at least the privs would be constrained to a specific project.

Initially, I created API keys from the Project Access Manager only, with the following permission. But it did not work - I was not able to delete users. I tried different other combinations of permissions; still it did not work.

After that I went to the Organization Access Manager and found the same key is available there also. I elevated its privilege to Organization Owner. Then it started working.

In my opinion, API keys having a project-level permission of “Project Data Access Admin” should be able to delete users.

Did you try “Project Owner”?

Yeah… Tried. But that too did not work…

For me, it works with “Project Owner” and “Organization member” levels. It doesn’t work with any level below “Project Owner”.

Still, having "read-only access to the organization (settings, users, and billing)" seems a bit overkill for the task. Why does an API key created in a project automatically have access to the organization data?

I have tried this combination. It worked for me also.