
Overview

Service accounts are dedicated API users that provide controlled access for agents and automations. Unlike regular user accounts, service accounts cannot be used for interactive login—they exist solely to execute automated tasks with specific, managed permissions. When you assign a service account to an automation or agent:
  • The automation or agent runs with the exact permissions granted to that service account
  • Data access policies assigned to the service account determine which records it can access
  • All actions are logged under the service account in the Activity Log, providing a clear audit trail
Service accounts have no default access to your data. You must explicitly configure data access policies for any app, element, or table the service account needs to interact with.

Create a Service Account

  1. Go to your Elementum organization and select the app where you want to create the service account
  2. In the app subnavigation, navigate to Security > Service Accounts
  3. Click Create Service Account
  4. Fill in the required information:
    • First Name and Last Name: The service account’s display name
    • Purpose: A description explaining the intended use—this helps other administrators understand what the service account was created for
    • Profile Photo (optional): An avatar image that appears in agent conversations and activity logs
  5. Save the service account, then configure its permissions and data access
Use descriptive names and clear purpose statements. For example, name it “Support Bot” with purpose “Handles L1 support ticket creation and routing.”

Configure Permissions

After creating a service account, configure its permissions from the service account row.

Roles

The Roles tab controls what actions the service account can perform within the app. Service accounts follow the same role-based permission model as regular users.
  1. Click the More icon next to the service account
  2. Select Permissions, then navigate to the Roles tab
  3. Select the roles that grant the permissions your automation or agent needs
  4. Save your changes
  • Automation Service Account: Assign roles with permissions for Create Records, Update Records, and Run Automations
  • Agent Service Account: Assign roles with permissions for Records, Comments, Attachments, and Agent access
  • Read-Only Service Account: Assign roles with only Read permissions for reporting or monitoring automations

User/Group Access

The User/Group Access tab controls which users and groups are authorized to use this service account when configuring agents or automations.
  1. Click the More icon next to the service account, then select Permissions
  2. Navigate to the User/Group Access tab
  3. Add individual users or user groups who should be able to use this service account

Configure Data Access

Service accounts follow the same data access model as regular users. To grant data access:
  1. Navigate to App Settings > Security > Data Access
  2. Create a new policy or edit an existing one
  3. In the Users and Groups section, add the service account
  4. Define which records the service account can access based on your security requirements
Elementum will warn you when configuring agents and automations if your selected service account is missing required permissions or data access.
An automation that processes all records in an element needs a policy with no conditions (access to all records) assigned to the specific service account.
An agent that should only access records in a specific status or category needs a policy with matching conditions (e.g., Status is Open).
An automation that works across multiple apps needs data access policies configured in each app.
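
The rules in this section (no default access, per-app policies, an empty condition set meaning all records) can be modelled in a few lines. This is an added illustration, not Elementum code or its API; the `Policy` structure, account names, and record fields are assumptions made for the example.

```python
# Simplified model of the data access rules described above (assumed structure,
# not Elementum's API): default deny, per-app policies, optional conditions.
from dataclasses import dataclass, field


@dataclass
class Policy:
    app: str
    principals: set                                  # users, groups, service accounts
    conditions: dict = field(default_factory=dict)   # empty = all records

    def allows(self, principal, app, record):
        if app != self.app or principal not in self.principals:
            return False
        return all(record.get(k) == v for k, v in self.conditions.items())


def visible_records(principal, app, records, policies):
    """Records the principal can access; with no matching policy, none."""
    return [r for r in records if any(p.allows(principal, app, r) for p in policies)]


def diagnose(principal, app, records, policies):
    """Mirror the 'no records found' checks: policy membership, then conditions."""
    in_app = [p for p in policies if p.app == app]
    if not any(principal in p.principals for p in in_app):
        return "no policy in this app includes the service account"
    if not visible_records(principal, app, records, policies):
        return "policy conditions exclude every record"
    return "ok"


# Constructed sample data (hypothetical app, accounts, and records)
RECORDS = [{"id": 1, "Status": "Open"}, {"id": 2, "Status": "Closed"}]
POLICIES = [
    Policy("support", {"support-bot"}, {"Status": "Open"}),
    Policy("support", {"nightly-sync"}),             # no conditions: all records
]

if __name__ == "__main__":
    for sa in ("support-bot", "nightly-sync", "report-bot"):
        ids = [r["id"] for r in visible_records(sa, "support", RECORDS, POLICIES)]
        print(sa, ids, diagnose(sa, "support", RECORDS, POLICIES))
    # A policy in one app grants nothing in another app.
    print(diagnose("nightly-sync", "billing", RECORDS, POLICIES))
```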

Assign to Automations and Agents

When creating or editing an automation or agent, you are prompted to select a service account. The process is similar for both:
  1. Navigate to Workflow > Automations
  2. Create or edit an automation
  3. Select the service account that should execute the automation
  4. Verify the service account has the necessary roles and data access for the automation’s actions
Once assigned, all actions performed by the automation or agent are attributed to the service account in the Activity Log.

Troubleshooting

Symptom: Automation fails or agent reports no records found
  1. Verify data access policies include the service account
  2. Check that policy conditions allow access to the expected records
  3. Ensure policies exist in all apps/elements the automation needs
Symptom: Actions fail with permission errors
  1. Review roles assigned to the service account
  2. Verify the required permissions are included in assigned roles
  3. Check if the specific action requires additional permissions
Symptom: Service account doesn’t appear in dropdown when configuring an automation or agent
  1. Verify you have been granted access in the User/Group Access tab
  2. Check if the service account was created in the correct app
  3. Contact the service account owner to request access
Symptom: Actions show a different user than expected in Activity Log
  1. Confirm the service account is properly assigned to the automation/agent
  2. Check for any “Run as current user” settings that might override the service account
  3. Verify the automation/agent configuration was saved after assigning the service account

Roles & Permissions

Service accounts use the same role-based permission system as regular users

Data Access

Configure data access policies to control which records service accounts can access

Automations

Assign service accounts to automations for controlled, auditable execution

Activity Log

All service account actions are tracked in the Activity Log