Preset Feature Feedback
Status Shipped
Categories Enhancement
Created by Guest
Created on Feb 8, 2023

Access Control for Embed API

At present, it seems that an API key belonging to a Preset Team Admin is required to embed a Preset dashboard via the API and its guest-token flow. This is an overly permissive requirement that creates risk for enterprises wishing to embed. There are three different scenarios to consider.

1. Internal data governance and access - The individuals who maintain the application where the embedded dashboard is served may not be Team Admins in Preset. Having access to the Team Admin API key allows internal actors to elevate their own permissions to manage Preset users and access all other data in Preset in an unrestricted manner.

2. Environment separation/protection - Separation between production applications and non-production applications is impossible without purchasing and configuring an entirely separate Preset Team. Even if multiple Preset users are involved (e.g. one for Prod and one for Staging), both would need to be Team Admins, which means that both have the same Preset permissions within a single Team.

3. Breach surface area - The potential loss if the API key were ever compromised by an external bad actor is much higher because the access is not limited to just the data or administrative permissions for the embedded dashboard(s).

The suggested enhancement: allow embeds with API keys that have view-only (user) permissions at the dashboard and/or workspace level. Scoping the key to the embedded content would give the embedding application only the access it needs and would mitigate all three of the risk scenarios above.
