Managing Service Accounts

Use the Service Accounts page to manage the service accounts in the system. Use service accounts to execute commands using the REST API. See Axonius REST API for more about using the Axonius REST API.

You can generate the API key, the API secret, and assign roles.

To access the Service Accounts page:

  1. From the top right corner of any page, click the System Settings icon. The System Settings page opens.
  2. In the Categories/Subcategories pane of the System Settings page, expand User and Role Management, and select Service Accounts.

You can find the following information on the Service Accounts table:

  • Service Account Name - The name of the service account.
  • Description (optional) – Description of what the user can do.
  • Role – The role that defines what this API user can do. Only roles with API Access permission may be associated with a service account.
  • IP Range - The IP address ranges (in CIDR notation) that the account is authorized to use when accessing the API.
  • Data Scope - The Data Scope assigned to the service account.
  • API Key – The API key generated by the system for this user.
  • Key Creation Time – The time that the key was created. This parameter is useful to renew the key according to your organization’s policy.
  • Last Used – The date and time that the account was last used. The timestamp is updated for every action that the service account performs in the system. If the user never logged in, the value is 'Never'.
  • Last Updated - The date and time that the account was last updated.

Creating a Service Account

To create a Service Account:

  1. Click Add Service Account. The New Service Account drawer opens.

  2. Type a Service account name. This name for the service account is mandatory and should not be changed once you set it.

  3. Type a Service account description (optional) that describes what the service account does in the system.

  4. Select a Role that defines what this service account can do. Only roles with API access permissions are available. This role must also have the necessary permissions to perform the actions it will execute using the API. For example, if the service account will be used to manage data scopes, this role will need permissions related to data scopes.

  5. Select a Main Data Scope to which this service account will have access. Data scopes determine what data, dashboards, queries, and other objects the Service Account can see. API requests sent using the service account can only apply to the assets and information within this data scope. This helps to control what a specific account can access with the API. See Data Scope Management for more information on data scopes. The Data Scope name appears in the Data Scope column on the Service Accounts page. Admin users are automatically assigned the Global Data Scope.

  6. Enter one or more IP Address Ranges (optional) that the account is authorized to use when accessing the system via API. The address range must be in CIDR notation: a.b.c.d/y where a.b.c.d is the first IP address and /y is the identifier for the range. For example: 192.168.20.0/24,192.168.10.3/24. This provides extra validation that service accounts are accessed via REST API calls only for known IP addresses.

  7. Click Save. The API Key and API Secret that allow the service account to access the API are generated and displayed.

Important:

The API secret is displayed only in this message and nowhere else in Axonius. Copy it now, because it cannot be recovered. If the API secret is lost, you can reset the API key to generate a new secret. Click the copy icon to copy the API secret and save it in a safe place, or manage it using a key management system.

  8. Click Close. The new Service Account is created and is now displayed on the Service Accounts page. Details about the service account can be found under Optional details in the service account's details drawer.
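
The following is an added example, not part of the Axonius documentation or product code. It checks a comma-separated IP Address Ranges value such as the one in step 6 before you enter it, and tests which client addresses the resulting ranges would admit. How Axonius itself treats an entry with host bits set (192.168.10.3/24) is not stated on this page; the sketch assumes it means the enclosing network and flags it. The function names and client addresses are constructed for illustration.

```python
import ipaddress

def parse_ranges(field):
    """Parse the comma-separated CIDR list typed into IP Address Ranges.

    Returns (networks, warnings); raises ValueError on a malformed entry.
    """
    networks, warnings = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            # The page requires a.b.c.d/y, so a bare address is rejected here.
            raise ValueError(f"{entry!r} is not in CIDR notation (missing /y)")
        iface = ipaddress.ip_interface(entry)  # ValueError if malformed
        net = iface.network
        if iface.ip != net.network_address:
            # Assumption: treat the entry as its enclosing network and flag it.
            warnings.append(f"{entry}: host bits set, covers all of {net}")
        if net.prefixlen == 0:
            warnings.append(f"{entry}: matches every address, restricts nothing")
        networks.append(net)
    return networks, warnings

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any of the parsed ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # The example value from step 6; client addresses below are constructed.
    nets, warns = parse_ranges("192.168.20.0/24,192.168.10.3/24")
    for w in warns:
        print("warning:", w)
    for ip in ("192.168.20.14", "192.168.10.77", "10.0.0.5"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```
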

Searching and Filtering the Service Accounts Table

In the Search box, enter the text to search for in the service accounts you want to see. Description text is also searched.

You can also filter the service accounts by the following fields:

  • Role - Filters by role.
  • Data Scope - Filters by Data Scope.
  • Date Range - Filters by the selected date range.

Within a filter list, click Select All to select all options. Click Clear All to deselect all options.

Click Reset to clear all filter selections.

Editing a Service Account

You can edit a service account.

To edit a Service Account:

  1. In the Service Accounts table, select a service account. The service account details drawer opens.
  2. Edit the details. You cannot change the API key.
  3. Click Save.

Note:

It is not possible to reset only the API key. When you reset the API key, both the API key and the API secret are reset.

Rotating the API Key of a Service Account

The API key of a service account can be rotated at any time.

To rotate the API key of a service account:

  1. From the Service Accounts page, select the account whose API key you want to rotate.
  2. In the details drawer, scroll down, expand Optional details, and click the Rotate API Key button.
  3. Click the copy icon to copy the API key.

Deleting a Service Account

Service accounts can be deleted.

Note:

Delete a service account with caution, as once it is deleted, no one can use it or its associated key.

To delete a service account:

  1. In the Service Accounts table, select a service account. The service account details drawer opens.
  2. Click the delete icon in the drawer header. After clicking Delete to confirm the action, the service account is deleted.