List users with personal access token in a group.

[TheTraille18]

Hey, does anyone know if it's possible to identify the users that have an personal access token in a group? According to the documentation you can use "gl.personal_access_tokens.list(user_id=25)" for each user but only if you are admin and since I'm not using a self hosted gitlab, I get a authorized error message.

Is there a workaround to this?

[nejch]

@TheTraille18 this really is restricted to admins only on the server side, yes.

Not sure what exactly you're trying to achieve, but enabling 2FA on the group will give you at least a little more security.

You can also list active group access tokens, project access tokens, deploy tokens and keys to have some more auditability.
But I just checked and even GitLab EE's audit events don't cover personal access tokens at group level unfortunately, so not much our library can extract from the API.