Is there a way to run scheduled reports/tasks, etc. under a generic admin “service account” as opposed to an individual/admin having to run that under their id?
On that same topic we run REST API scripts using individual client_id/secret. Is there way to use the same “service account” client_id/secret?
Hi @mario_rod,
For instance, you can have a simple delimited source file for such a “service account”, an identity profile based on this source, and then create an account in the source to have an identity.
Grant the lowest possible role for this identity and create a Personal Access Token (PAT) for it.
You can then use the corresponding client id/client secret of the PAT without relying on personal accounts.
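As an added illustration of the last step (not code from the original thread or from SailPoint), the snippet below builds the client-credentials token request for a PAT's client id/secret, reads the secret from the environment rather than the script, and inspects the returned token's claims to confirm the automation is running as the service account and not a personal identity. The tenant name, the environment variable names and the `user_name` claim are assumptions.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Hypothetical tenant name; replace with your own IdentityNow tenant.
TENANT = os.environ.get("IDN_TENANT", "example-tenant")


def token_request(tenant: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials request for the PAT's client id/secret.
    The token endpoint takes the grant as query parameters, so the secret
    ends up in the URL: keep request/URL logging off for this call."""
    params = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    url = f"https://{tenant}.api.identitynow.com/oauth/token?{params}"
    return urllib.request.Request(url, method="POST")


def jwt_claims(token: str) -> dict:
    """Decode the access token's payload WITHOUT verifying its signature.
    This is only for inspecting who the token was issued to; it is not a
    trust decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_to_service_account(token: str, expected_user: str) -> bool:
    """True when the token's user_name claim names the service account.
    Assumption: the token carries a `user_name` claim for the PAT's owner."""
    return jwt_claims(token).get("user_name") == expected_user


def fetch_token(tenant: str) -> str:
    """Exchange the service account's PAT for an access token (network call).
    Secrets come from IDN_CLIENT_ID / IDN_CLIENT_SECRET, never from source."""
    req = token_request(tenant, os.environ["IDN_CLIENT_ID"], os.environ["IDN_CLIENT_SECRET"])
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline checks only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Run `issued_to_service_account(fetch_token(TENANT), "svc_reports")` at the start of a script to fail fast if someone has swapped in their personal PAT.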
We already have an “admins” CSV source with the SAs and other human accounts in it, along with an identity profile. The SAs have the “admin” role assigned and we are using their client_id/secret.
When you say “create account in the source to have an identity”: does this mean import the CSV file?
“Grant the lowest possible role”: Are you referring to IDN roles or others?
If your source is tied to an identity profile, then it is considered an authoritative source. Any account aggregated from an authoritative source will create a new identity, or correlate to an existing identity. It sounds like you already have an “admins” CSV source that is tied to an identity profile, so that makes it authoritative. Any account you add to your admin CSV file will have an identity created once you import the CSV file into the admin source.
As for permissions, it is advisable to grant the least level of permissions needed by the service account to complete the automation tasks it needs to do. The user level matrix will give you an idea of what role your service account needs to accomplish its intended purpose. To set the role on the service account, navigate to the Identity List in the admin page of IDN, select a service account, and set the role:
A better solution is to leverage a non-employee source (NELM) to manage your service accounts. NELM has approvals/owner management built in. Just tie your NELM based service account source to an identity profile so each service account has an identity. You can then manually correlate the service accounts to a manager identity for access reviews. This means you can have all service accounts assigned to your identity as their manager, and run periodic certification campaigns to review all of your service accounts’ access.
What about creating an Active Directory service account, giving the proper permissions, then generating the PAT to use? Our AD service accounts have their password regularly rotated via our PAM tool so there’s an extra layer of security. Is there any drawback with this method?