Service Accounts

When users leave an organization, their access tokens are revoked. If those tokens are used for machine-to-machine communication, that communication breaks when the tokens are revoked. To avoid such disruptions, you can use service accounts.

A service account is a special user in an organization. Service account users are the only users who can use the OAuth client credentials flow. With this flow, a caller can obtain an access token provided it has a client ID and client secret.

Features of a Service Account

  • As an organization owner, you can create a new service account user or designate existing users in the organization as service account users.

  • You can invite a service account user to any of your domain subscriptions. In such a case, the service account user occupies a seat on the subscription just like a normal user.

  • You can use a service account non-interactively in scripts. Only a service account user can generate OAuth access tokens by using client credentials to authenticate. Normal users must use the web UI to generate the first OAuth access token.

  • By default, you can invite up to five service account users per organization. To invite more service account users, contact the TIBCO Support team.

  • A service account user can also be an owner, as long as there is at least one other owner who is not a service account user.

  • Operations performed on service account users in a parent organization are not synced with the child organizations even when the sync-user setting is set to true.

  • When a child organization is created, a service account user is inherited as a normal user, without the service account user privileges. The organization owner must manually designate such users as service account users in the child organization.

  • Service account users can be re-designated as normal users; all other roles, privileges, and OAuth tokens are left untouched.
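
The non-interactive token request described above, sketched as an added example that is not TIBCO's code: it builds a generic RFC 6749 section 4.4 client-credentials request from a client ID and client secret and parses the response. `TOKEN_URL` is a placeholder, the function names are hypothetical, and the request shape is an assumption about the provider's token endpoint.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder, not a real endpoint: take the token URL from your provider's documentation.
TOKEN_URL = "https://auth.example.invalid/oauth2/token"


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Build a client-credentials token request (hypothetical helper; not sent here)."""
    parts = urllib.parse.urlsplit(token_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("token endpoint must be an https:// URL")
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret are both required")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # RFC 6749 section 2.3.1: form-encode each credential, then send as HTTP Basic.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    basic = base64.b64encode(pair.encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def parse_token_response(body, now=None):
    """Return (access_token, renew_at) from a token response body, or raise."""
    doc = json.loads(body)
    if "error" in doc:
        raise RuntimeError("token request rejected: " + str(doc["error"]))
    token = doc.get("access_token")
    if not token or str(doc.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("response carries no bearer access token")
    now = time.time() if now is None else now
    # Renew 60 s early so a long-running job never presents an expired token.
    return token, now + max(int(doc.get("expires_in", 0)) - 60, 0)


# Constructed sample response; a real script would send the request with
# urllib.request.urlopen(req, timeout=10) and pass the body to parse_token_response.
SAMPLE_RESPONSE = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'
```

Load the client secret from the environment or a secrets manager rather than embedding it in the script, and keep it out of logs and shell history.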