When a staff user (internal or external contractor) is required to be provided access to the 'Setting and Tools' menu (i.e. a product lister in order to import product data), there is no provision in Neto within 'Edit Permission Group settings' or otherwise to deny them access to the 'API Settings'. Therefore the user has the ability to regenerate the Maropost API Key, Webhook Token and URL, which enables anyone with this information to add, update, delete and download customer, product and order data.
We have verified this with Neto customer support. This is a design limitation/oversight which requires rectification.
Setup & Tools > API Settings
Note: The above refers to the global API Settings and is completely separate to the API Key which can be set up within a user profile under 'Edit User' profile. Access to this can be denied within the 'edit permission group' settings.