Creating and managing service accounts

A service account is used by client applications to authenticate to the cloud subscription. Create a service account by generating service credentials.

Before you begin

To manage service accounts, you must have the Account Administrator role.

About this task

Service credentials consist of a unique functional ID and a password.
Functional ID
The functional ID is generated from the alias you specify for the service account.

Like regular user IDs, you grant functional IDs permissions for the cloud environments that the client applications access and the roles that the applications might need. However, you cannot use these IDs to manually log in to one of the tools in the cloud portal, such as Process Portal. You also cannot use the User Management API to create or delete functional IDs.

Password
The password is a randomly generated character string that is sufficiently long and complex to be considered safe against brute-force attacks. Passwords never expire. However, for security reasons, consider changing passwords on a regular basis.
Important: When you change a password, all applications automatically lose access rights to the cloud subscription. Plan a password change so that client applications are stopped beforehand, and ensure that they are configured to use the new password before they are restarted.

As an alternative to changing passwords directly in the Access management view, consider rolling over credentials instead.

You decide how many service accounts your subscription needs. For example, several applications might share one account and other applications might have their own accounts.

Procedure

To create a service account, complete the following steps:

  1. Log in to the cloud subscription.
  2. Navigate to the Access management view by using one of the following paths:
    • Click All environments > Administer subscription > Access management.
    • Click Admin > Access Management.
  3. Create the credentials for the service account.
    1. On the Service Credentials page, click Create credentials to open the Create service credentials window.
    2. Enter a functional ID alias and click Create.
      Tip: A functional ID alias can contain only the following characters: A through Z, a through z, 0 through 9, . (period), - (dash), and _ (underscore).

      The Credentials created window opens, which shows the functional ID and password.

    3. Save the credentials by clicking Copy to clipboard.
      Important: The credentials are displayed only when you create them. If you close the window without copying the credentials, you cannot display them again, and you must create a new set.
  4. Give the functional ID access to the workflow server environments and assign the roles that the associated applications need.

    On the Users page, find the functional ID in the list of users, and grant it the roles and permissions for the appropriate environments. For example, if the functional ID is used by user provisioning applications, assign the Account Administrator role to the functional ID. If the functional ID is used by a workflow administrative client, assign the functional ID the process administrators role. For more information, see User roles and Assigning roles and permissions.

    If the functional ID is used by a content services application, assign the functional ID to the Content Platform Engine Administrator role.

What to do next

Share service credentials across subscriptions
To share service credentials, use operations provided by the Credentials API. All API calls require the caller to have the Account Administrator role. For more information, see Using service credentials to authenticate client applications.
Distribute service credentials
To enable password policies to be easily applied to client applications, your programmers should never hardcode service credentials in their application code. Instead, make the credentials available to the client application environment so that they can be easily accessed by client applications, for example, in a configuration file or credential vault. Ensure that you store and distribute these credentials securely so that they cannot be accessed by third parties. When you change a password, remember to update the credentials resource used by client applications. For information on using the credentials in a client application, see Using service credentials to authenticate client applications.
Roll over service credentials
To ensure that applications don’t lose access rights to the cloud subscription when you renew service credentials, keep both the old and new credentials valid for a period of time. Coordinate the length of this overlap period with your programmers so that it reflects the maximum time that all clients in the application environment need to refresh their service credentials.
To renew credentials:
  1. Create a set of service credentials from the Service credentials page.
  2. In the client application environment, replace the old service credentials with the new ones.
  3. Wait for your chosen overlap period.
  4. Delete the old service account.
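The following added example (not code from the product documentation) shows the client side of the distribution and rollover guidance above: the functional ID and password are read from a configuration file instead of being hardcoded, the file is re-read when it changes, and an authentication failure triggers one reload and retry. The JSON key names, file name, functional IDs and passwords are assumed or constructed; the stand-in server merely models the overlap window during which both credential sets are accepted.

```python
import json
import os
import tempfile

class CredentialFile:
    """Credentials stay outside the code; re-read on mtime change, so a swap during the overlap needs no restart."""
    def __init__(self, path):
        self.path, self.mtime, self.creds = path, None, None

    def current(self, force=False):
        mtime = os.stat(self.path).st_mtime_ns
        if force or self.creds is None or mtime != self.mtime:
            with open(self.path, encoding="utf-8") as fh:
                doc = json.load(fh)  # key names are assumed; the page prescribes no file format
            if not doc.get("functional_id") or not doc.get("password"):
                raise ValueError("credentials file must contain functional_id and password")
            self.creds, self.mtime = (doc["functional_id"], doc["password"]), mtime
        return self.creds

def call_with_retry(cf, request):
    """request(creds) returns False on an authentication failure (e.g. HTTP 401): reload once and retry."""
    return request(cf.current()) or request(cf.current(force=True))

def simulate_rollover():
    """Constructed walk-through of the renewal steps; returns (functional_id, success) per call."""
    old, new = ("svc_orders_old", "pw-old-constructed"), ("svc_orders_new", "pw-new-constructed")
    accepted, log = {old}, []
    def server(creds):  # stands in for the cloud subscription's credential check
        log.append((creds[0], creds in accepted))
        return log[-1][1]
    def write(creds, path):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(dict(zip(("functional_id", "password"), creds)), fh)
        st = os.stat(path)  # make the mtime change visible on coarse-timestamp filesystems
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 1_000_000))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "service-credentials.json")
        write(old, path)
        cf = CredentialFile(path)
        call_with_retry(cf, server)  # old credentials in use
        accepted.add(new)            # step 1: new credentials created, overlap begins
        write(new, path)             # step 2: client environment updated
        call_with_retry(cf, server)  # new credentials picked up without a restart
        accepted.discard(old)        # step 4: old account deleted after the overlap
        call_with_retry(cf, server)
    return log
```

If step 4 is performed before the client environment has been updated, the retry path reloads the unchanged file and fails a second time, which is the outage the overlap period is meant to prevent.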
Delete service accounts
You might want to delete a service account that is no longer needed, for example, because you generated a new set of service credentials for the client applications that use the account. Before you delete the account, ensure that the functional ID is not used by any running applications. On the Users page, delete the service account by removing the functional ID.