- 23 Nov 2023
- 3 Minutes to read
- Print
- DarkLight
- PDF
Managing Service Accounts
- Updated on 23 Nov 2023
- 3 Minutes to read
- Print
- DarkLight
- PDF
Use Service Accounts to manage accounts that will only connect to the system using API.
You can generate the API key, the API secret, and assign roles.
Service accounts are listed on the Service Accounts page in System Settings.
To access the Service Accounts page:
- From the top right corner of any page, click
. The System Settings page opens.
- In the Categories/Subcategories pane of the System Settings page, expand User and Role Management, and select Service Accounts.
Creating a Service Account
To create a Service Account
Click Add Service Account. The New Service Account drawer opens.
Type a Service account name. This name for the service account is mandatory and should not be changed once you set it.
Type a Service account description (optional) that describes what the Service Account does in the system.
Select a Role that defines what this Service Account can do. Only roles with API access permissions are available.
Select a Main Data Scope to which this Service Account will have access. Data Scopes determine what data, dashboards, queries, and other objects the Service Account can see. See Data Scope Management for more information on Data Scopes. The Data Scope name appears in the Data Scope column on the Service Accounts page. Admin users are automatically assigned the Global Data Scope.
Enter one or more IP Address Ranges (optional) that the account is authorized to use when accessing the system via API. The address range must be in CIDR notation: a.b.c.d/y where a.b.c.d is the first IP address and /y is the identifier for the range. For example: 192.168.20.0/24,192.168.10.3/24. This provides extra validation that service accounts are accessed via REST API calls only for known IP addresses.
Click Save. The API Key and API Secret that allow the Service Account to access the API are generated and displayed.
The API Secret for the Service Account is not saved anywhere on the Axonius system. You have to copy it as it is not kept and cannot be recovered. Click to copy the API Secret and save it in a safe place, or manage it using a key management system.
- Click Close. The new Service Account is created and is now displayed on the Service Accounts page. Details about the Service Account can be found under Optional details in the Service Account's details drawer.
Service Accounts Table
You can find the following information on the Service Accounts Table:
- Service Account Name - The name of the Service Account.
- Description (optional) – Description of what the user can do.
- Role – The role that defines what this API user can do. Only roles with API Access permission may be associated with a Service Account.
- IP Range - The IP address ranges (in CIDR notation) that the account is authorized to use when accessing the API.
- Data Scope - The Data Scope assigned to the Service Account.
- API Key – The API key generated by the system for this user.
- Key Creation Time – The time that the key was created. This parameter is useful to renew the key according to your organization’s policy.
- Last Used – The date and time that the account was last used. The timestamp is updated for every action that the Service Account does in the system and if the user never logged in, it is 'Never'.
- Last Updated - The date and time that the account was last updated.
Searching and Filtering the Service Accounts Table
In the Search box, enter the text to search for in the Service Accounts you want to see. Description text is also searched.
You can also filter the Service Accounts by the following fields:
- Role - Filters by role.
- Data Scope - Filters by Data Scope.
- Date Range - Filters by the selected date range.
Within a filter list, click Select All to select all options. Click Clear All to deselect all options.
Click Reset to clear all filter selections.
Editing a Service Account
You can edit a Service Account.
To edit a Service Account
- In the Service Accounts table, click a Service Account. The Service Account drawer opens.
- Edit the details. You cannot change the API key.
- Click Save.
It is not possible to change only the API key. If you want to change the API key, you must change both the API key and its API secret.
Deleting a Service Account
You can delete a Service Account.
Delete a service account with caution, as once it is deleted, no one can use it or its associated key.
To delete a Service Account
- In the Service Accounts table, click a Service Account. The Service Account drawer opens.
- Click the
in the drawer header. After clicking Delete to confirm the action, the Service Account is deleted.