Service accounts
Service accounts are typically intended for setting up integration components between ShareAspace and other systems. By using a service account it is possible to trace which integration component interacted with and/or altered data in ShareAspace. All interactions made by a service account are logged in the same way as interactions made by a normal user account.
ShareAspace uses a key-based approach for service accounts. An administrator registers service accounts and issues Personal Access Tokens (PATs) for them. An issued PAT can be handed over to an integration component.
Important
The integration component is responsible for handling and storing the PAT in a secure manner. A good practice is to have a rotation schedule for the PAT.
A ShareAspace administrator can, if needed,
- revoke an issued PAT.
- extend the lifetime of an issued PAT.
Note
While it is possible to issue a PAT for a normal user account and use that PAT in an integration component, it is important to note that the integration component in such a scenario will operate as if it were the user. That is, when auditing, there is no explicit way of knowing whether an audit log entry was caused by the actual user or by the integration component acting on behalf of the user.
Administration
A collection administrator can use the ShareAspace web application to register and manage service accounts. This is managed via the collection administration menu on the collection.
A collection administrator can:
- Register new service accounts.
- Change the display name of existing service accounts.
- Request a new Personal Access Token (PAT) for a service account.
- Revoke existing personal access tokens.
- Extend the validity of an access token.
When registering a new service account, a unique identifier and a display name must be provided. The full id of the service account uses the pattern {UNIQUE_ID}@shareaspace-service-account, where {UNIQUE_ID} is replaced by the unique id, e.g. myserviceaccount@shareaspace-service-account.
Note
A service account will never be able to receive emails.
Tip
It is possible to manage the service accounts as a collection administrator via the ShareAspace collection REST APIs.
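The checks a PAT review would run, as an added example that is not ShareAspace code or part of the original documentation: it flags PATs issued to ids that do not match the service account pattern above (the audit attribution problem) and PATs that are expired or due for rotation. The inventory records, their field names and the 30-day window are assumptions; no ShareAspace API is called.

```python
from datetime import datetime, timedelta, timezone

SERVICE_SUFFIX = "shareaspace-service-account"  # id pattern from this page
ROTATE_WITHIN = timedelta(days=30)              # assumed rotation window

# Constructed sample inventory; field names are hypothetical, not a
# ShareAspace export format.
SAMPLE_PATS = [
    {"account": "myserviceaccount@shareaspace-service-account",
     "expires": "2025-07-01T00:00:00+00:00"},
    {"account": "erp-sync@shareaspace-service-account",
     "expires": "2025-01-20T00:00:00+00:00"},
    {"account": "jane.doe@example.com",
     "expires": "2025-09-01T00:00:00+00:00"},
    {"account": "@shareaspace-service-account",
     "expires": "2024-12-31T00:00:00+00:00"},
]


def is_service_account(account_id):
    """True for {UNIQUE_ID}@shareaspace-service-account with a non-empty id."""
    unique_id, _, suffix = account_id.strip().rpartition("@")
    return bool(unique_id) and "@" not in unique_id and suffix == SERVICE_SUFFIX


def review_pats(pats, now):
    """Return (account, issue) tuples for PATs that need attention."""
    findings = []
    for pat in pats:
        account = pat["account"]
        expires = datetime.fromisoformat(pat["expires"])
        if not is_service_account(account):
            # Audit entries from this PAT cannot be told apart from the
            # account owner's own actions.
            findings.append((account, "not-a-service-account"))
        if expires <= now:
            findings.append((account, "expired"))
        elif expires - now <= ROTATE_WITHIN:
            findings.append((account, "rotate-soon"))
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed date
    for account, issue in review_pats(SAMPLE_PATS, fixed_now):
        print(f"{issue:24} {account or '(empty id)'}")
```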
Authorization
Once a service account has been registered on the collection by a collection administrator it is possible to start using the service account within a space.
In order to give a service account access within a space, a space profile must be created within the space and the space profile must be assigned one or more roles in participant(s) within the space. This is done by treating the service account identifier as an email address and following the same process as when inviting and managing a regular user.
Typically this is managed in the Security module of a space. When inviting a service account, provide the full id of the service account ({UNIQUE_ID}@shareaspace-service-account, e.g. myserviceaccount@shareaspace-service-account) as if it were an email address.
Note
The name of the "Security" module depends on the configuration used for the space.
Using the service account PAT
Please refer to the developer documentation.