---
title: >-
  Identity domain users with tenancy administrator permissions should not have
  API keys
description: Datadog, the leading service for cloud-scale monitoring.
---

# Identity domain users with tenancy administrator permissions should not have API keys
 
## Description{% #description %}

Oracle Cloud identity domain users with tenancy administrator permissions should not have API keys. Administrator accounts with API keys present an elevated security risk, as compromised keys provide programmatic access with full administrative privileges. Removing API keys from administrator accounts reduces the attack surface and enforces the principle of least privilege.

**Note**: Only active users in a default identity domain who are members of the `Administrators` group are assessed.

## Remediation{% #remediation %}

Remove API keys from users with tenancy administrator permissions. Consider using alternative authentication methods or creating separate service accounts with limited permissions for programmatic access. For guidance on managing API keys, refer to the [Working with API Keys](https://docs.oracle.com/iaas/Content/Identity/access/working-with-console-passwords-and-API-keys.htm) section in the Oracle Cloud Infrastructure Documentation.
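The scoping in the note above and the resulting removal list, as an added example that is not Datadog's rule implementation or Oracle's API. The `DomainUser` record shape, the `Default` domain name, and the sample users and fingerprints are assumptions constructed for illustration.

```python
"""Added example: the rule's scoping applied to a constructed user inventory."""
from dataclasses import dataclass, field

ADMIN_GROUP = "Administrators"   # group name taken from the rule's note
DEFAULT_DOMAIN = "Default"       # assumption: display name of the default identity domain


@dataclass
class DomainUser:                # hypothetical record shape, not an OCI API schema
    name: str
    domain: str
    active: bool
    groups: list
    api_key_fingerprints: list = field(default_factory=list)


def evaluate(user):
    """Return 'not_assessed', 'pass' or 'fail' for one user."""
    assessed = (user.active and user.domain == DEFAULT_DOMAIN
                and ADMIN_GROUP in user.groups)
    if not assessed:
        return "not_assessed"
    return "fail" if user.api_key_fingerprints else "pass"


def audit(users):
    """Map each user name to its result and list the keys to remove for failures."""
    results = {u.name: evaluate(u) for u in users}
    to_remove = [(u.name, fp) for u in users if results[u.name] == "fail"
                 for fp in u.api_key_fingerprints]
    return results, to_remove


# Constructed sample inventory; names and fingerprints are placeholders.
SAMPLE = [
    DomainUser("alice", "Default", True, ["Administrators"], ["aa:aa:aa:aa"]),
    DomainUser("bob", "Default", True, ["Administrators"]),
    DomainUser("carol", "Default", False, ["Administrators"], ["bb:bb:bb:bb"]),
    DomainUser("dave", "Partners", True, ["Administrators"], ["cc:cc:cc:cc"]),
    DomainUser("ci-deploy", "Default", True, ["Deployers"], ["dd:dd:dd:dd"]),
]

if __name__ == "__main__":
    results, to_remove = audit(SAMPLE)
    for name, status in results.items():
        print(f"{name}: {status}")
    for name, fp in to_remove:
        print(f"remove API key {fp} from {name}")
```

In the sample, `carol` (inactive) and `dave` (non-default domain) hold keys but fall outside the rule's stated scope, so a passing result does not cover them.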
