Service Accounts

Service accounts are special accounts designed for automated systems and integrations that interact with the RAMP API. Unlike regular user accounts, service accounts are not tied to individual people and are intended for machine-to-machine communication.

Required role: Administrator

Accessing Service Accounts

Navigate to Administration > Service Accounts (or /_admin/service-accounts).

When to Use Service Accounts

Service accounts are appropriate for:

Use Case	Example
CI/CD pipelines	Automated deployment tools that create or update instances in RAMP
Monitoring systems	External monitoring tools that read instance status or execution progress
Integration platforms	Middleware that connects RAMP with ticketing systems, CMDB, or orchestration tools
Scheduled automation	Cron jobs or scheduled tasks that interact with the RAMP API
Reporting tools	Business intelligence tools that pull data from RAMP for dashboards

Tip

Use service accounts instead of personal user accounts for automation. This avoids tying automated processes to individual employees and prevents disruption when people leave the organization.

Creating a Service Account

1. Click Create Service Account.
2. Enter a Name that clearly identifies the account’s purpose (e.g., “Jenkins CI Pipeline”, “Monitoring Service”, “CMDB Integration”).
3. Optionally add a Description explaining what the service account is used for and who maintains it.
4. Click Create.
5. RAMP generates API credentials for the service account. Copy and store these credentials securely.

Danger

API credentials are shown only once when the service account is created. Store them securely immediately. If credentials are lost, you will need to regenerate them.

Assigning Roles

Service accounts use the same role system as regular users. Assign only the roles needed for the integration’s functionality.

1. Click on the service account.
2. Open the Roles tab.
3. Click Add Role.
4. Select the appropriate application role.
5. Click Assign.

Recommended Role Assignments

Integration Type	Recommended Roles
Read-only monitoring	GlobalInstanceObserver, GlobalTemplateViewer
Instance creation	GlobalInstanceEditor or GlobalInstanceExecutor
Full automation	GlobalInstanceHead (use carefully)
Template management	GlobalTemplateEditor
Reporting	GlobalTemplateViewer, GlobalInstanceObserver

Caution

Follow the principle of least privilege. A monitoring service that only reads data should not have write permissions. An instance creation tool does not need template management access.

Managing Service Accounts

Editing a Service Account

1. Click on the service account in the list.
2. Modify the name or description.
3. Click Save.

Regenerating Credentials

If credentials are compromised or lost:

1. Click on the service account.
2. Click Regenerate Credentials.
3. Copy and store the new credentials securely.
4. Update all systems that use the old credentials.

Caution

Regenerating credentials immediately invalidates the old credentials. Any system using the old credentials will lose API access until updated.

Deactivating a Service Account

To temporarily disable a service account without deleting it:

1. Click on the service account.
2. Toggle the status to Inactive.
3. Click Save.

Deactivated service accounts cannot authenticate. All API calls using their credentials will be rejected.

Deleting a Service Account

1. Click on the service account.
2. Click Delete.
3. Confirm the deletion.

Danger

Deleting a service account permanently removes it and invalidates its credentials. Ensure no active integrations depend on the account before deleting.

API Authentication

Service accounts authenticate with the RAMP API using their credentials to obtain a JWT token. This token is then included in the Authorization header of subsequent API requests.

Authorization: Bearer <token>

The authentication flow is:

1. Send credentials to the authentication endpoint.
2. Receive a JWT token.
3. Include the token in all API requests.
4. Refresh the token before it expires.

Note

For detailed API authentication instructions and examples, see the API documentation.

Best Practices

• One account per integration — create separate service accounts for each system or integration. This makes it easy to revoke access for a specific integration without affecting others.
• Descriptive names — name service accounts after their purpose, not the person who set them up.
• Document owners — add the responsible team or person in the description so others know who to contact.
• Rotate credentials — periodically regenerate credentials as a security measure, especially for accounts with broad permissions.
• Monitor usage — review service account activity periodically to ensure they are being used as intended.
• Least privilege — assign only the minimum roles needed for the integration to function.

Related topics

Personal Access Tokens Create and manage personal access tokens for API authentication

Roles Understand the RAMP role system and choose appropriate roles for service accounts