An API key works only when the user it belongs to is fully functional and in good standing. Disabled or locked users cannot use their API keys. When the user is functional, enabled and in good standing, the API key works and can be used for either Full Access or Read-Only access.
***If SSO is not enabled in the Rally subscription, the API key will not work while the password of the associated user is expired. The password must be reset before the API key will work again. When SSO is enabled, the password policy in the subscription settings is ignored (except for users on the exceptions list, as expected).
A Full Access key has the same capabilities as its user, based on that user's permissions.
A Read-Only key does not allow creating or modifying objects.
You can learn more about the reasons to consider generating a Read-Only access key here: