
Office of Information Security

Service Accounts

WHAT IS A SERVICE ACCOUNT AND WHAT CAN IT BE USED FOR?

A Service Account is a non-person account.  A non-person account is an account that is used by a system or application rather than by a person.  The Service Account allows the system for which it was created to authenticate to other Penn State Systems in order to access data, run processes, or perform actions on the other system.  The specific resources that can be accessed and actions that can be performed depends on the permissions that have been granted to the account.

A Service Account is a non-sharable credential.  Even though a Service Account is a non-person account, each Service Account must be associated with one (and only one) person who is responsible for the use and management of the account.  That person (the owner of the account) is not to share the password with anyone else. If you need a shared credential, you should create a collaborative space that others can access with their own Penn State Accounts (e.g. a Microsoft Teams space).

There are two types of Service Accounts, Group Managed Service Accounts (gMSA) and Standard Service Accounts. If you are unsure of which type of Service Account to request, see “Which Kind of Service Account Do I Need?”

HOW HAS THE PROCESS FOR CREATING AND MANAGING SERVICE ACCOUNTS CHANGED?

What’s Changed?   The system previously used to create and manage service accounts was decommissioned at the end of October 2020 as part of Penn State’s IT Modernization Project.  Going forward, all service accounts will be created and managed in IdentityIQ (IIQ).

Why the Change?  The move to IIQ will ensure that the proper controls are in place to ensure the security of Penn State systems, data, and users.  It also means that, in the future, we will be able to provide additional self-service options for managing service accounts.

How does that affect service accounts created before November 2020?  In order to complete the transition to the new system, it is necessary to replace all in-use service accounts with new accounts created in IIQ.

IMPORTANT!   IF YOUR APPLICATION USES A SERVICE ACCOUNT CREATED BEFORE NOVEMBER 2020

  • The Identity & Access Management team (IAM) may have contacted the person responsible for the service account to request information and provide instructions regarding the account.
  • If you’re responsible for a service account or an application that uses a service account and IAM has not contacted you about it by the end of May 2021, please send the following information to identity@psu.edu:
    1. The service ID.
    2. Whether or not you’re still using the account.
    3. If so, whether it’s being used by a system or software program, or only for the purpose of forwarding email.
  • If the service account is still in use, and it’s being used by a system or software program, you will need to do the following:
    1. Create a new service account in IIQ.
    2. Update systems or programs to use the new service account instead of the old one.
    3. After testing to confirm that the new service account is working correctly, contact IAM at identity@psu.edu so that the old service account can be removed.
  • Since IIQ now handles the management as well as the creation of service accounts, changes to legacy service accounts (for example, change in ownership or access requirements) are no longer possible.  Changes can only be made to accounts in IIQ.
  • NOTE THAT ALL SERVICE ACCOUNTS NOT IN IIQ WILL BE REMOVED AT SOME POINT!

HOW DO I REQUEST A SERVICE ACCOUNT?

EAD Service Accounts

All Other Service Accounts

DO SERVICE ACCOUNTS OR SERVICE ACCOUNT PASSWORDS EXPIRE?

Service Accounts do not have an expiration date; therefore they do not expire automatically and do not need to be periodically renewed.

Service Account passwords no longer expire automatically, so there’s no need to change the password except when one of the following events occurs:

  • The account has been compromised (the password has been shared with or accessed by an unauthorized user)
  • The account is transferred to a different owner


WHO IS THE OWNER OF A SERVICE ACCOUNT AND WHAT ARE THEY RESPONSIBLE FOR?


Who is responsible for the appropriate use of a Service Account?

The owner of the account is responsible for its appropriate use.  The owner must be identified when the Service Account is requested.  The owner is the individual who will configure the application or applications to use the account; that is, the person who needs to know the ID and password for the Service Account. Their responsibilities include:

  • Ensuring that there’s a record of the process or application that uses the account
  • Ensuring that appropriate security measures are taken to protect the ID and password from compromise
  • Requesting a change of owner when they are no longer the appropriate person to oversee the account (for example, before leaving Penn State, or when moving to a different department or position)
  • Ensuring that the account is used only for appropriate interaction/integration with other systems
  • Otherwise complying with Penn State policies (including AD95 and its associated Security Standards).


Who is responsible for configuring a system to use a Service Account?

The unit or department responsible for the application that uses a Service Account is responsible for configuring the application to use it.

  • Any questions regarding configuration should be directed to the owners of the service(s) to which the account requires access.
  • Responsibility for configuration may be delegated, but accountability for the credential itself may not be.
  • If it becomes necessary to delegate some portion of the configuration (for example, to a vendor or another developer), the account owner is responsible for the other party’s use of the account, and for changing the password once the delegated work is complete.