jacebenson / jace.pro

A blog about servicenow and other technology
https://jace.pro

Service Accounts, why? #73

Closed jacebenson closed 5 years ago

jacebenson commented 5 years ago

What is the post about?

What things would help with writing the post

this post: https://community.servicenow.com/community?id=community_blog&sys_id=b4fca2a5dbd0dbc01dcaf3231f961900

jacebenson commented 5 years ago

vk:  Anyone could define some advantages of using a service account rather than a user account when it comes to integrations?
vk:  I already got one:smile:->Save a licence
wiz0floyd:  If the user leaves you don't need a new account.
wiz0floyd:  better siloing of what access the service account has
Shane C:   how do I make one?
vk:  @wiz0floyd - how can you distinguish? by checking the updatedBy fields on records?
wiz0floyd:  no I meant you don't have any additional roles or whatever on the service account that it doesn't necessarily need to do its function.
vk:  @Shane C:  - by checking the `web Service Access only` checkbox on user record
wiz0floyd:  but checking updatedBy is useful too
Shane C:   is this in Kingston even?
Shane C:   what's the sys name of that field vk?
wiz0floyd:  Yeah, it's part of the Non-Interactive Session Plugin, unless I'm mistaken.
Shane C:   not existing for me in Kingston
michaelacn  If you have SSO will the service account follow redirect?
vk:  @Shane C:  = web_service_access_only
Shane C:   not there for me... maybe it will be in the future! sounds handy
jace:  Password changes
wiz0floyd:  do you have that plugin enabled? I don't think it's enabled by default.
jace:  Granular permissions
Shane C:   the plugin isn't even listed
vk:  @Shane C  you can keep this handy - https://community.servicenow.com/community?id=community_blog&sys_id=b4fca2a5dbd0dbc01dcaf3231f961900
vk:  Does the `web_Service_Account` need to have any role for integrations? _rest_Admin etc?? @wiz0floyd: (edited)
Shane C:   I've been wanting this for years
Shane C:   I have special REST accounts setup... I'd love to make them service accounts
jace:  we have a group we just make a local account, add to the group which gives it the "normal for us" roles for integrations we allow them to do.
jace:  `rest_api_explorer` and then when they figure out their calls
jace:  like others said web_services only
Shane C:   I'm not following jace:
vk:  me neither, a little confused
wiz0floyd:  I think he's answering @vk's last question not yours lol. Slack needs to let you thread inside of a thread
jace:  so normally, you have to at least give folks extra rights to do the api testing
jace:  however if you just give the Service Account rest_api_explorer and let them be used as a local account until the integration people working on it figure out their calls
jace:  they then have access to that rest explorer
jace:  which can be helpful
Shane C:   I do do that, but then I make a specific account just for REST access, so it isn't an actual user account
Shane C:   specific account for web access with REST
jace:  right, then pair it down to web services only via the checkbox on the account
jace:  er user record
Shane C:   I want to, but I don't have that yet! :smile:
jace:  you sure?
jace:  check your xml
Shane C:   no `web_Service_Account` xml
jace:  hmm well
wiz0floyd:  
  Note: Non-Interactive Sessions is enabled for all new instances since the Calgary release

jace:  in any case, i find it easiest to do that the way i wrote.
Shane C:   what's the full name of the plugin @wiz0floyd?
wiz0floyd:  trying to find it for you hang on :slightly_smiling_face:
wiz0floyd:  https://docs.servicenow.com/bundle/kingston-platform-administration/page/administer/users-and-groups/concept/c_NonInteractiveSessions.html
Shane C:   what's the plugin ID?
wiz0floyd:  It doesn't even show up in my list of plugins not on my PDI or on any of my company instances. I wonder if they just rolled it into the platform at some point
vk:  @jace Is this what you said: You manage the users via a group that has the `rest_api_explorer`, which gives them the access to the rest explorer and they play with it till they figure out their calls. Then you create separate web service accounts for each of them and assign REST or SOAP roles (Do you put them again in a group ie. REST group or SOAP group?)
vk:  I'm trying to keep up with people typing so fast lol
Shane C:   well, it's just not there for me!
Shane C:   I think I'll log a HI case
jace:  Sorry I'm not being clear.
Someone says hey we have this awesome thing, but we need API access to SN to fill it with data.  Oh and we need to update tasks. Sure.  We've done this lots. In prod we make the account (we have rules to propagate the local users from prod to all environments)
In prod we add the service account (user) to the group
group has an itil role, and the rest_api_explorer role
In prod we inactivate the account. Let the user know here's his account and creds.  He can login to the gui and get to the api explorer, we direct him there.  There he can fiddle with the calls into SN.  Once he's all set. We lock the account down to noninteractive only in prod and we open it up
jace:  because we have MFA they cant use their local account cause they cant auth via MFA and need a local account
jace:  w/o MFA anyone and their brother can make most rest calls.
jace:  HI/community is the same way
jace:  if you make a client side rest call you can read all the CSM tables they let you see on community
vk:  @jace: This part - _*Once he's all set. We lock the account down to noninteractive only in prod and we open it up*_ - means basically you'll remove him from the group and just check the `web_Service_only` checkbox?, correct? (edited)
vk:  If you stay you'll leave him in the group and check `web_Service_access`. The user still gets an ITIL cos he's part of the group(might be waste of licence)
vk:  @wiz0floyd: @Shane C:  - please correct me if I'm not understanding this correctly
jace:  Leave the user in the group
jace:  Without it the service account cannot read the records needed generally
vk:  so ITIL is mandatory?
Shane C:   yeah that REST account or similar, will need the right ACLs to read your table records
Shane C:   so it will need ITIL
jace:  You still have to provision the account like any user to get past acls
vk:  ohhhhh so there's no way to save a licence being used....hmmm!!!
Shane C:   even if you make the account a web_service_account, it will still take a license
Shane C:   it just limits them from logging in
vk:  really?!
Shane C:   better info here https://docs.servicenow.com/bundle/kingston-platform-administration/page/administer/users-and-groups/concept/c_NonInteractiveSessions.html
Shane C:   `Non-interactive users can only connect to a ServiceNow instance from an API protocol. Use this feature to set up user accounts for web service authentication purposes.`
jace:  Also it’s been told to me at least at my work. Sn just reduces our count of roled users by the service accounts we have separated this way
jace:  But your contract may vary
vk:  interesting
vk:  I was thinking Web Service accounts as mainly intended for integrations granularity and they *can save a licence as well* (edited)
Shane C:   save money? that's crazy talk :rolling_on_the_floor_laughing:
jace:  You could make acls to get around your acls but that’s a slippery slope. If you have one user log in via curl and get around stuff then
jace:  So I’d recommend not doing that
vk:  lol, i learnt some new stuff today :smile:
vk:  appreciate you guys @jace: ++ @Shane C:  ++ @wiz0floyd: ++
Points ThingAPP   Congrats @jace: you now have 44 points (668 total)
Points ThingAPP   Way to help out @Shane C:  you now have 29 points (70 total)
Points ThingAPP   Give a hear-hear for @wiz0floyd: you now have 52 points (65 total)
jace:  Summarize this and I'll post it on my blog
jace:  Or start your own
vk:  I've got one more question @jace:!
Do you guide users how to use the rest api explorer in SubProd environments?
Shane C:   I just email them links to the pages, and have them ask me questions if they got any :slightly_smiling_face:
vk:  @jace: would you mind giving me a heads-up when you put this on your blog. I would love to show this practice to my team. Thanks!
Shane C:   jace: for the win! :