Overview

Service Accounts are dedicated API users that provide controlled access for agents and automations. Unlike regular user accounts, service accounts cannot be used for login—they exist solely to execute automated tasks with specific, managed permissions.

Purpose-Built API Users

Service accounts allow your agents and automations to operate with defined permissions, ensuring consistent security controls and complete auditability of automated actions.
Key Benefits:
  • Controlled Access: Grant automations and agents only the permissions they need
  • Security: Cannot be used for interactive login—API-only access
  • Auditability: All actions performed by service accounts are tracked in the Activity Log
  • Accountability: Clear ownership and purpose documentation for each service account
  • Collaboration: Control which users and groups can use each service account

How Service Accounts Work

Service accounts act as the identity under which your agents and automations operate. When you assign a service account to an automation or agent:
  1. Permissions Apply
     The automation or agent runs with the exact permissions granted to that service account—no more, no less
  2. Data Access Enforced
     Data access policies assigned to the service account determine what records the automation or agent can access
  3. Actions Attributed
     All actions performed are logged as being performed by the service account, providing clear audit trails

Important: Service accounts have no default access to your data. You must explicitly configure data access policies for any app, element, or table the service account needs to interact with.

Creating a Service Account

  1. Navigate to Your Organization
     Go to your Elementum organization and select the app where you want to create the service account
  2. Access Service Accounts
     In the app subnavigation, navigate to Security > Service Accounts
  3. Create New Service Account
     Click “Create Service Account” in the upper right corner
  4. Configure Account Details
     Fill in the required information:
       • First Name: The service account’s display first name
       • Last Name: The service account’s display last name
       • Purpose: A description explaining the intended use for this API user—this helps other authorized users understand what the service account was created for
       • Profile Photo (optional): Add an avatar image that will appear in agent conversations and activity logs
  5. Save and Configure Permissions
     After creating the service account, you’ll need to configure its permissions and data access

Tip: Use descriptive names and clear purpose statements. For example, name it “Support Bot” with purpose “Handles L1 support ticket creation and routing” so other administrators understand its intended use.

Configuring Permissions

After creating a service account, configure its permissions through the overflow menu (⋮) on the service account row.

Roles

The Roles tab controls what actions the service account can perform within the app.

Role-Based Permissions

Assign roles to grant specific capabilities like creating records, running automations, or accessing agents. Service accounts follow the same role-based permission model as regular users.
  1. Access Role Settings
     Click the overflow menu on the service account and select permissions, then navigate to the Roles tab
  2. Assign Roles
     Select the roles that grant the permissions your automation or agent needs to perform its tasks
  3. Apply Changes
     Save your changes to apply the role assignments

Automation Service Account:
  • Assign roles with permissions for Create Records, Update Records, and Run Automations
Agent Service Account:
  • Assign roles with permissions for Records, Comments, Attachments, and Agent access
Read-Only Service Account:
  • Assign roles with only Read permissions for reporting or monitoring automations

User/Group Access

The User/Group Access tab controls which users and groups are authorized to use this service account.

Access Control for Service Accounts

Restrict who can assign this service account to their agents and automations. This provides an additional layer of security by ensuring only authorized personnel can leverage specific service accounts.
  1. Access User/Group Settings
     Click the overflow menu on the service account and select permissions, then navigate to the User/Group Access tab
  2. Add Authorized Users
     Select individual users who should be able to use this service account
  3. Add Authorized Groups
     Select user groups whose members should be able to use this service account

Only users and groups listed in the User/Group Access tab can select this service account when configuring agents or automations.

Configuring Data Access

Critical: Service accounts have no data access by default. You must explicitly add data access policies for every app, element, and table the service account needs to access.
Service accounts follow the same data access model as regular users. To grant data access:
  1. Navigate to Data Access
     Go to App Settings > Security > Data Access
  2. Create or Edit a Policy
     Create a new policy or edit an existing one
  3. Add Service Account
     In the Users and Groups section, add the service account
  4. Configure Access Conditions
     Define which records the service account can access based on your security requirements

Data Access Considerations

Scenario: An automation that processes all records in an element
Configuration: Create a policy with no conditions (access to all records) and assign only the specific service account

Scenario: An agent that should only access records in a specific status or category
Configuration: Create a policy with conditions matching the records the agent should see (e.g., Status is Open)

Scenario: An automation that needs to work across multiple apps
Configuration: Add data access policies in each app the service account needs to access

Elementum will attempt to warn you when configuring agents and automations if your selected service account doesn’t have the correct permissions or is missing required data access.

Using Service Accounts with Automations

When creating or editing automations, you’ll be prompted to select a service account.
  1. Navigate to Automations
     Go to your app and navigate to Workflow > Automations
  2. Create or Edit an Automation
     Create a new automation or edit an existing one
  3. Select Service Account
     When prompted, select the service account that should execute this automation
  4. Verify Permissions
     Ensure the service account has the necessary roles and data access for the automation’s actions

Automation Execution Identity

Once assigned, the automation runs as the service account. All records created, updated, or accessed by the automation will be attributed to that service account in the Activity Log.

Using Service Accounts with Agents

Agents can be configured to operate under a service account identity, which affects both permissions and how the agent appears to users.
  1. Navigate to Intelligence
     Go to your app and navigate to Workflow > Intelligence (Agents)
  2. Create or Edit an Agent
     Create a new agent or edit an existing one
  3. Select Service Account
     When prompted, select the service account that should represent this agent
  4. Verify Permissions
     Ensure the service account has the necessary roles and data access for the agent’s tools

Agent Identity and Appearance

When an agent uses a service account:

  • Profile Photo: The service account’s profile photo appears as the agent’s avatar in conversations
  • Display Name: The service account’s name appears as the sender in chat messages
  • Activity Attribution: All actions performed by the agent are logged under the service account
  • Consistent Identity: Users see a consistent brand/identity regardless of which agent variant they interact with

Activity Log Integration

All actions performed by service accounts are fully tracked in the Activity Log.
  • Record creation, updates, and deletions
  • Automation executions and their outcomes
  • Agent conversations and tool invocations
  • Permission changes and data access
  • Any API calls made using the service account
For complete details on Activity Log capabilities, see Activity Log.

Security Best Practices

Service Account Management

  • Purpose Documentation: Always document the intended purpose clearly so other administrators understand the service account’s role
  • Minimal Permissions: Apply the principle of least privilege—grant only permissions necessary for the specific use case
  • Regular Audits: Periodically review service account permissions and data access policies
  • Access Controls: Restrict which users and groups can use each service account

Common Security Patterns

Strategy: Create separate service accounts for different automation types
Benefits:
  • Clear separation of concerns
  • Easier permission management
  • Better auditability
  • Simpler troubleshooting when issues arise

Strategy: Create service accounts with different permission levels
Example:
  • Read-Only SA: For reporting and monitoring automations
  • Standard SA: For routine data processing
  • Admin SA: For administrative automations (use sparingly)

Strategy: Create service accounts owned by specific teams
Benefits:
  • Teams manage their own automation identities
  • Clear ownership and accountability
  • User/Group access controls limit usage to team members

Troubleshooting

Common Issues

Symptom: Automation fails or agent reports no records found
Solutions:
  1. Verify data access policies include the service account
  2. Check that policy conditions allow access to the expected records
  3. Ensure policies exist in all apps/elements the automation needs

Symptom: Actions fail with permission errors
Solutions:
  1. Review roles assigned to the service account
  2. Verify the required permissions are included in assigned roles
  3. Check if the specific action requires additional permissions

Symptom: Service account doesn’t appear in dropdown when configuring automation/agent
Solutions:
  1. Verify you have been granted access in the User/Group Access tab
  2. Check if the service account was created in the correct app
  3. Contact the service account owner to request access

Symptom: Actions show different user than expected in Activity Log
Solutions:
  1. Confirm the service account is properly assigned to the automation/agent
  2. Check for any “Run as current user” settings that might override the service account
  3. Verify the automation/agent configuration was saved after assigning the service account
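
The three independent checks that the troubleshooting steps above walk through (User/Group Access, roles, and default-deny data access), modelled as a preflight check. This is an added example, not Elementum code or an Elementum API: the classes, field names and sample users are hypothetical, and policy conditions are not modelled.

```python
from dataclasses import dataclass

@dataclass
class ServiceAccount:          # hypothetical model, not an Elementum API object
    name: str
    purpose: str
    permissions: frozenset     # union of permissions granted by assigned roles
    allowed_users: frozenset   # User/Group Access tab: individual users
    allowed_groups: frozenset  # User/Group Access tab: groups

@dataclass
class Policy:                  # one data access policy in one app
    app: str
    element: str
    members: frozenset         # users, groups and service accounts on the policy

@dataclass
class Automation:
    configured_by: str
    configurer_groups: frozenset
    needs: frozenset           # permissions its actions require
    touches: tuple             # (app, element) pairs it reads or writes

def preflight(sa, automation, policies):
    """Return (check, detail) findings; an empty list means no gap found."""
    findings = []
    # 1. User/Group Access: may this person select the service account at all?
    if (automation.configured_by not in sa.allowed_users
            and not automation.configurer_groups & sa.allowed_groups):
        findings.append(("user_group_access", automation.configured_by))
    # 2. Roles: every required permission must come from an assigned role.
    for perm in sorted(automation.needs - sa.permissions):
        findings.append(("missing_permission", perm))
    # 3. Data access is default-deny: a policy must name the account per app/element.
    for app, element in automation.touches:
        if not any(p.app == app and p.element == element and sa.name in p.members
                   for p in policies):
            findings.append(("no_data_access", f"{app}/{element}"))
    return findings

# Constructed sample data (everything except the "Support Bot" name and purpose is made up).
SUPPORT_BOT = ServiceAccount(
    "Support Bot", "Handles L1 support ticket creation and routing",
    frozenset({"Create Records", "Update Records"}),
    frozenset({"alice"}), frozenset({"support-admins"}))
POLICIES = [Policy("Support", "Tickets", frozenset({"Support Bot"}))]
ROUTER = Automation("bob", frozenset({"support-admins"}),
                    frozenset({"Create Records", "Update Records", "Run Automations"}),
                    (("Support", "Tickets"), ("Billing", "Invoices")))

def demo():
    return preflight(SUPPORT_BOT, ROUTER, POLICIES)
```

The sample automation spans two apps but only one has a policy naming the service account, which is the cross-app gap described under Data Access Considerations.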

Remember: Service accounts are the recommended way to run agents and automations in production. They provide security, accountability, and clear separation between automated processes and human user actions.