> ## Documentation Index
> Fetch the complete documentation index at: https://docs.elementum.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Service Accounts

> Create dedicated API users for agents and automations with managed permissions and security controls

## Overview

Service accounts are dedicated API users that provide controlled access for agents and automations. Unlike regular user accounts, service accounts cannot be used for interactive login—they exist solely to execute automated tasks with specific, managed permissions.

When you assign a service account to an automation or agent:

* The automation or agent runs with the exact permissions granted to that service account
* Data access policies assigned to the service account determine which records it can access
* All actions are logged under the service account in the [Activity Log](/administration/activity-log), providing a clear audit trail

<Warning>
  Service accounts have no default access to your data. You must explicitly configure data access policies for any app, element, or table the service account needs to interact with.
</Warning>

***

## Create a Service Account

1. Go to your Elementum organization and select the app where you want to create the service account
2. In the app subnavigation, navigate to **Security** → **Service Accounts**
3. Click **Create Service Account**
4. Fill in the required information:
   * **First Name** and **Last Name**: The service account's display name
   * **Purpose**: A description explaining the intended use—this helps other administrators understand what the service account was created for
   * **Profile Photo** (optional): An avatar image that appears in agent conversations and activity logs
5. Save the service account, then configure its permissions and data access

<Tip>
  Use descriptive names and clear purpose statements. For example, name it "Support Bot" with purpose "Handles L1 support ticket creation and routing."
</Tip>

***

## Configure Permissions

After creating a service account, configure its permissions from the service account row.

### Roles

The **Roles** tab controls what actions the service account can perform within the app. Service accounts follow the same role-based permission model as regular users.

1. Click the <Icon icon="ellipsis" size={16} /> **More** icon next to the service account
2. Select **Permissions**, then navigate to the **Roles** tab
3. Select the roles that grant the permissions your automation or agent needs
4. Save your changes

<Tabs>
  <Tab title="Common Role Scenarios">
    * **Automation Service Account**: Assign roles with permissions for Create Records, Update Records, and Run Automations
    * **Agent Service Account**: Assign roles with permissions for Records, Comments, Attachments, and Agent access
    * **Read-Only Service Account**: Assign roles with only Read permissions for reporting or monitoring automations
  </Tab>

  <Tab title="Best Practices">
    * **Least Privilege**: Grant only the minimum permissions required for the service account's intended purpose
    * **Separation of Concerns**: Create separate service accounts for different types of automations rather than reusing a single account for unrelated tasks
    * **Regular Audits**: Periodically review and remove unnecessary permissions
  </Tab>
</Tabs>

### User/Group Access

The **User/Group Access** tab controls which users and groups are authorized to use this service account when configuring agents or automations.

1. Click the <Icon icon="ellipsis" size={16} /> **More** icon next to the service account, then select **Permissions**
2. Navigate to the **User/Group Access** tab
3. Add individual users or user groups who should be able to use this service account

***

## Configure Data Access

Service accounts follow the same data access model as regular users. To grant data access:

1. Navigate to **App Settings** → **Security** → **Data Access**
2. Create a new policy or edit an existing one
3. In the **Users and Groups** section, add the service account
4. Define which records the service account can access based on your security requirements

<Info>
  Elementum will warn you when configuring agents and automations if your selected service account is missing required permissions or data access.
</Info>

<Tip>
  Before publishing an automation that uses a service account, run [Validate Only](/workflows/automation-system#validate-access-before-publishing) from the **Publish** dropdown to confirm the service account has sufficient access to every object the automation touches.
</Tip>

<AccordionGroup>
  <Accordion title="Broad Access for Automations">
    An automation that processes all records in an element needs a policy with no conditions (access to all records) assigned to the specific service account.
  </Accordion>

  <Accordion title="Scoped Access for Agents">
    An agent that should only access records in a specific status or category needs a policy with matching conditions (e.g., `Status` `is` `Open`).
  </Accordion>

  <Accordion title="Cross-App Access">
    An automation that works across multiple apps needs data access policies configured in each app.
  </Accordion>
</AccordionGroup>

***

## Assign to Automations and Agents

When creating or editing an automation or agent, you are prompted to select a service account. The process is similar for both:

<Tabs>
  <Tab title="Automations">
    1. Navigate to **Workflow** → **Automations**
    2. Create or edit an automation
    3. Select the service account that should execute the automation
    4. Verify the service account has the necessary roles and data access for the automation's actions
  </Tab>

  <Tab title="Agents">
    1. Navigate to **Workflow** → **Intelligence** (Agents)
    2. Create or edit an agent
    3. Select the service account that should represent the agent
    4. Verify the service account has the necessary roles and data access for the agent's tools

    When an agent uses a service account, the service account's profile photo and name appear as the agent's identity in conversations. This provides users with a consistent experience regardless of which agent variant they interact with.
  </Tab>
</Tabs>

Once assigned, all actions performed by the automation or agent are attributed to the service account in the [Activity Log](/administration/activity-log).

***

## Troubleshooting

<Note>
  Service accounts cannot currently generate OAuth tokens for A2A and API connections.
</Note>

<AccordionGroup>
  <Accordion title="Automation/Agent Can't Access Records">
    **Symptom**: Automation fails or agent reports no records found

    1. Verify data access policies include the service account
    2. Check that policy conditions allow access to the expected records
    3. Ensure policies exist in all apps/elements the automation needs
  </Accordion>

  <Accordion title="Permission Denied Errors">
    **Symptom**: Actions fail with permission errors

    1. Review roles assigned to the service account
    2. Verify the required permissions are included in assigned roles
    3. Check if the specific action requires additional permissions
  </Accordion>

  <Accordion title="Can't Select Service Account">
    **Symptom**: Service account doesn't appear in dropdown when configuring an automation or agent

    1. Verify you have been granted access in the User/Group Access tab
    2. Check if the service account was created in the correct app
    3. Contact the service account owner to request access
  </Accordion>

  <Accordion title="Wrong Identity Appearing">
    **Symptom**: Actions show a different user than expected in Activity Log

    1. Confirm the service account is properly assigned to the automation/agent
    2. Check for any "Run as current user" settings that might override the service account
    3. Verify the automation/agent configuration was saved after assigning the service account
  </Accordion>
</AccordionGroup>

***

## Related Features

<CardGroup cols={2}>
  <Card title="Roles & Permissions" icon="user-shield" href="/administration/roles-permissions">
    Service accounts use the same role-based permission system as regular users
  </Card>

  <Card title="Object Data Access" icon="database" href="/workflows/object-data-access">
    Configure data access policies to control which records service accounts can access
  </Card>

  <Card title="Automations" icon="bolt" href="/workflows/automation-system">
    Assign service accounts to automations for controlled, auditable execution
  </Card>

  <Card title="Activity Log" icon="clipboard-list" href="/administration/activity-log">
    All service account actions are tracked in the Activity Log
  </Card>
</CardGroup>
