What Is a Service Account
Okta Integration Network
Okta Classic Engine
Okta Identity Engine
Overview

Real people have user accounts, whereas service accounts tend to be specific to a service or an application. A service account should represent a non-human user that can authenticate and be authorized to access data in an application. Service accounts are needed to perform actions on the application user's behalf: the service account allows Okta to authenticate to the app to access data, run processes, or perform actions. Service accounts do not incur additional charges and are considered normal user accounts. Service accounts count towards Okta user licenses.

Applies To
  • Administrator
  • Service Account
  • Provisioning

Solution

In Okta, application service accounts enable the provisioning flow. The provisioning connector usually cannot handle MFA prompts. The permissions granted to the service account determine the specific resources that can be accessed and actions that can be performed.

Best practices for service accounts

  • The service account is a non-sharable credential and should be managed by only one person.

  • Do not use default vendor passwords, which are easily guessable and available online.

  • Passwords should be changed regularly (this process is known as password rotation).

  • A service account should have only the bare minimum privileges it needs to perform its job, based on the Principle of Least Privilege (PoLP). This strategy minimizes the amount of damage a compromised account can cause.

  • If possible, do not use the same service account for multiple applications.
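
The five practices above can be checked mechanically against an inventory of service accounts. The following is an added example, not Okta code or an Okta API: the inventory fields, account names and permission strings are hypothetical, and the 90-day rotation limit is an assumption, since the article does not set an interval.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation interval; the article sets no number

# Constructed inventory; names, fields and permission strings are hypothetical.
INVENTORY = [
    {"name": "svc-hr-provisioning", "owners": ["alice"], "apps": ["hr-app"],
     "granted": {"users.read", "users.write"},
     "required": {"users.read", "users.write"},
     "created": date(2023, 1, 10), "password_changed": date(2024, 5, 1)},
    {"name": "svc-shared", "owners": ["bob", "carol"], "apps": ["crm", "wiki"],
     "granted": {"users.read", "admin.all"},
     "required": {"users.read"},
     "created": date(2022, 3, 1), "password_changed": date(2022, 3, 1)},
]

def audit(account, today):
    """Return the list of best-practice violations for one service account."""
    findings = []
    # Non-sharable credential: exactly one person manages it.
    if len(account["owners"]) != 1:
        findings.append("shared-credential")
    # A password never changed since creation may still be the vendor default.
    if account["password_changed"] <= account["created"]:
        findings.append("initial-password-never-changed")
    # Password rotation: flag credentials older than the assumed limit.
    if (today - account["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("rotation-overdue")
    # Least privilege: anything granted beyond what the job requires.
    excess = account["granted"] - account["required"]
    if excess:
        findings.append("excess-privileges:" + ",".join(sorted(excess)))
    # One service account per application where possible.
    if len(account["apps"]) > 1:
        findings.append("reused-across-apps")
    return findings

def audit_all(inventory, today):
    """Map each account name to its findings (empty list means compliant)."""
    return {a["name"]: audit(a, today) for a in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, date(2024, 6, 1)).items():
        print(name, "->", findings or "ok")
```
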
