Set up Service Accounts

Service accounts are recommended to ensure reliable, auditable provisioning activity—separate from individual user behavior.

Why Use a Service Account?

  • Keeps auto-provisioning activity separate from day-to-day user actions

  • Avoids confusion in app logs or audit trails

  • Ensures consistent execution of provisioning tasks

  • Can be tightly scoped and monitored

Requirements

To work properly, your service account must:

  • Have the permissions required to create users and assign roles in the third-party app

  • Authenticate using username and password (not Single Sign-On), so Agent Cake can reliably log in

  • Be active in the target application (not suspended, pending invite, or limited access)

How to Create a Service Account

You have two options:

1. Create a dedicated user

  • Set up a separate user in your Identity Provider (e.g. Google Workspace, Entra ID)

  • Assign the account to the third-party app with the required permissions

2. Use an email alias of an existing user

  • If you prefer not to create a new user, you can use an alias

  • This still allows separation in the app but uses an existing mailbox

Note: Be aware that some third-party tools may charge for the additional seat used by the service account. For less security-critical apps, you may choose to use a real user account instead.

Additional Tips

  • You can often reuse a single service account across multiple apps, as long as access rights are properly configured

  • Always review the permission levels in each third-party app to make sure the account can complete the necessary actions

  • Keep service accounts clearly named and auditable for easier tracking

Last updated

Was this helpful?