Rough draft

Author: jpipkin1

blog-service/2025-03-01-manage.md

@@ -0,0 +1,22 @@
+---
+title: Service Accounts (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - access keys
+  - service accounts
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We are happy to announce that you can now create service accounts in Sumo Logic. Service accounts allow you to create access keys that can be used in scripts or automation. Service accounts are not tied to user accounts, and can be used for authentication needed for system services.
+
+You can use services accounts to provide authentication for operations such as:
+* Infrastructure as code (for example, Terraform).
+* SCIM user and role management from an identity provider.
+* Third party integrations.
+
+[Learn more](/docs/manage/security/service-accounts).
+
+<img src={useBaseUrl('/img/security/service-accounts-page.png')} alt="Service Accounts tab" style={{border: '1px solid gray'}} width="800"/>

docs/manage/security/access-keys.md

@@ -10,6 +10,7 @@ In Sumo Logic, you'll need an access key to:
 
 * **Register new Collectors**. When you install a Collector, in addition to having a role that grants you the **Manage Collectors** capability, you must supply an access key. You can use a different access key for each Collector, or use the same access key for multiple Collectors. The only time a Collector uses the access key is at installation, so if a key is deleted after a Collector has been set up, the Collector isn't affected.
 * **Use Sumo Logic APIs**. You must supply an access key to use the Sumo Logic APIs. See [API Authentication](/docs/api/getting-started#authentication) for details.
+* **Run scripts or automation**. Create access keys on [service accounts](/docs/manage/security/service-accounts) to provide authentication for scripts or automation.
 
 ## Prerequisites
 
@@ -19,10 +20,10 @@ In Sumo Logic, you'll need an access key to:
 
 ## Create an access key
 
-### From the Personal Access Keys page
+### From the Personal Access Keys tab
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select your username and then **Preferences > Personal Access Keys**.<br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select your username, and then under **Preferences** select **Personal Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Personal Access Keys**.
-1. On the **Personal Access Keys** tab, click **+ Add Access Key**.<br/><img src={useBaseUrl('/img/security/access-key-preferences-page.png')} alt="Personal Access Keys page" style={{border: '1px solid gray'}} width="800"/><br/>The **Add New Access Key** window appears.<br/><img src={useBaseUrl('/img/security/create-access-key.png')} alt="Add New Access Key screen" style={{border: '1px solid gray'}} width="500"/>
+1. On the **Personal Access Keys** tab, click **+ Add Access Key**.<br/><img src={useBaseUrl('/img/security/access-key-preferences-page.png')} alt="Personal Access Keys tab" style={{border: '1px solid gray'}} width="800"/><br/>The **Add New Access Key** window appears.<br/><img src={useBaseUrl('/img/security/create-access-key.png')} alt="Add New Access Key screen" style={{border: '1px solid gray'}} width="500"/>
 1. **Name**. Enter a name for your access key.  
 1. **Allowed CORS Domains (optional)**. Create an allowlist of domains from which the access key can be used to access Sumo Logic APIs. For more information, see [CORS support](#cors-support). 
     :::note
@@ -41,15 +42,24 @@ In Sumo Logic, you'll need an access key to:
    After you click **Done**, you will not be able to recover this Access ID and Access Key.
    :::
 
-All personal access keys created in the organization are displayed in the **Access Keys** page, described next. 
+All personal access keys created in the organization are displayed in the **Access Keys** tab, described next. 
 
-### From the Access Keys page
+### From the Access Keys tab
 
-Administrators can create access keys under **Access Keys** as an alternative to doing it [from the Personal Access Keys page](#from-the-personal-access-keys-page).
+Administrators can create access keys under **Access Keys** as an alternative to doing it [from the Personal Access Keys tab](#from-the-personal-access-keys-tab).
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Access Keys**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Access Keys**.
-1. At the top right of the table, click **+ Add Access Key**. <br/><img src={useBaseUrl('/img/security/access-key-security-page.png')} alt="Sumo Logic interface showing a list of access keys with options to add a new access key, search access keys, and statuses of existing keys." width="700"/>
-1. Follow the steps in the [previous section](#from-the-personal-access-keys-page), starting with step 3.
+1. At the top right of the table, click **+ Add Access Key**. <br/><img src={useBaseUrl('/img/security/access-key-security-page.png')} alt="Sumo Logic interface showing a list of access keys with options to add a new access key, search access keys, and statuses of existing keys." style={{border: '1px solid gray'}} width="700"/>
+1. Follow the steps in [From the Personal Access Keys tab](#from-the-personal-access-keys-tab) section above, starting with step 3.
+
+### From a Service Account
+
+Administrators can create access keys on a [service account](/docs/manage/security/service-accounts) for use in scripts or automation.
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Select a service account.
+1. Click **Add Access Key**.<br/><img src={useBaseUrl('/img/security/service-account-details.png')} alt="Add Access Key button on service account details pane" style={{border: '1px solid gray'}} width="300"/>
+1. Follow the steps in [From the Personal Access Keys tab](#from-the-personal-access-keys-tab) section above, starting with step 3.
 
 #### CORS support
 
@@ -89,7 +99,7 @@ an Access-Control-Allow-Origin header.
 If you have the [**Manage Access Keys** role capability](/docs/manage/users-roles/roles/role-capabilities#security), you can edit, deactivate, and delete any access keys created by other users in your organization.
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Access Keys**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Access Keys**. You can also click the **Go To...** menu at the top of the screen and select **Access Keys**. 
-1. Hover your mouse over an access key and click the three-dot kebab icon. This reveals the same modification options that appear on the **Personal Access Key** page, [as described above](#edit-deactivate-or-delete-access-keys).
+1. Hover your mouse over an access key and click the three-dot kebab icon. This reveals the same modification options that appear on the **Personal Access Key** tab, [as described above](#edit-deactivate-or-delete-access-keys).
 
 ### Access Keys deactivation policy
 

docs/manage/security/service-accounts.md

@@ -6,25 +6,56 @@ description: Service accounts allow you to create access keys that can be used i
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-A service account allows you to create [access keys](/docs/manage/security/access-keys/) that can be used in scripts or automation. Because access keys in a service account are not tied to an individual user, they can continue to be used even if the person who created the service account leaves the organization. Service accounts are an ideal way to ensure continuity of operation for critical services.
+A service account allows you to create [access keys](/docs/manage/security/access-keys/) that can be used in scripts or automation. You can use a service account to create multiple access keys. Because access keys in a service account are not tied to an individual user, they can continue to be used even if the creator’s user account is deactivated or deleted. Service accounts are an ideal way to ensure continuity of operation for critical services. 
 
-You might want to use services accounts to provide access keys for:
-* Infrastructure as code (such as Terraform).
+You can use services accounts to provide authentication for operations such as:
+* Infrastructure as code (for example, Terraform).
 * SCIM user and role management from an identity provider.
 * Third party integrations.
 
 ## Prerequisites
 
-You'll need the following [role capabilities](/docs/manage/users-roles/roles/role-capabilities#security):
-* **Create Access Keys** to create access keys on service accounts.
-* **Manage Access Keys** to deactivate, reactivate, or delete access keys on service accounts.
-
-Only administrators can create service accounts. If you are unsure whether you are an administrator, you can view your role in **Preferences** (see [Onboarding Checklists](/docs/get-started/onboarding-checklists/)).
+* To work with service accounts, you'll need the following [role capabilities](/docs/manage/users-roles/roles/role-capabilities#security):
+   * **Create Access Keys** to create access keys on service accounts.
+   * **Manage Access Keys** to deactivate, reactivate, or delete access keys on service accounts.
+* Only administrators can create service accounts. If you are unsure whether you are an administrator, you can view your role in **Preferences** (see [Onboarding Checklists](/docs/get-started/onboarding-checklists/)).
+* Service accounts use the permissions of the roles they are assigned. A service account must have the role capabilities needed to execute the tasks its access keys are needed for.
 
 ## Create a service account
 
 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
-1. At the top right of the table, click **+ Add Service Account**. 
+1. On the **Service Accounts** tab, click **+ Add Service Account**.<br/><img src={useBaseUrl('/img/security/service-accounts-page.png')} alt="Service Accounts tab" style={{border: '1px solid gray'}} width="700"/>
+<br/>The **Add Service Account** window appears.<br/><img src={useBaseUrl('/img/security/add-service-account.png')} alt="Add Service Account window" style={{border: '1px solid gray'}} width="300"/>
+1. **Name**. Enter a name for your service account. Make it descriptive enough so that others will be able to tell what its purpose is.
+1. **Email**. Enter an email to associate with the service account. It should be an email monitored by an organization rather than an email for an individual, so that it is not dependent on use by a single person.
+1. **Roles**. Select the roles to assign to the service account. A service account must have the [role capabilities](/docs/manage/users-roles/roles/role-capabilities) needed to execute the tasks its access keys are needed for. For example, if an access key associated with a service account needs be able to manage monitors, not only does the access key need the scopes to manage monitors, but the service account itself also needs to have the role capabilities to manage monitors. 
+   :::tip
+   Remember that the purpose of access key scopes is to limit authorization to only the permissions allowed by the scope. Therefore, you *may* also want to ensure that the roles assigned to the service account are also limited to only the authorization needed by the access keys on the service account.
+   :::
+1. Click **Save**.
+
+### Add an access key to a service account
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Select a service account.
+1. Click **Add Access Key**.<br/><img src={useBaseUrl('/img/security/service-account-details.png')} alt="Add Access Key button on service account details pane" style={{border: '1px solid gray'}} width="300"/>
+1. The **Add New Access Key** window appears. Follow the steps to add an access key as described in [Create an access key](/docs/manage/security/access-keys/#create-an-access-key).
+
+:::note
+Any access keys you add on a service account appear on the [**Access Keys** tab](/docs/manage/security/access-keys/#from-the-access-keys-tab).
+:::
+
+## Modify a service account
+
+1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Security > Service Accounts**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Account Security Settings** select **Service Accounts**. You can also click the **Go To...** menu at the top of the screen and select **Service Accounts**.
+1. Hover your mouse over a service account and click the three-dot kebab icon to reveal the modification options.<br/><img src={useBaseUrl('/img/security/modify-options-for-service-accounts.png')} alt="Edit a service account" style={{border: '1px solid gray'}} width="700"/>
+
+:::warning
+When a service account is deactivated, the access keys on the service account are also deactivated. For more information about deactivation, see [Access Keys deactivation policy](/docs/manage/security/access-keys/#access-keys-deactivation-policy).
+:::
+
+## Edit, deactivate, or delete an access key on a service account
 
+If instead of modifying a service account itself you want to modify only the access keys on the service account, open the service account, hover your mouse over an access key, and click the three-dot kebab icon to reveal the modification options.
 
-## Edit, deactivate, or delete a service account
+<img src={useBaseUrl('/img/security/edit-access-keys-on-service-account.png')} alt="Edit access keys on a service account" style={{border: '1px solid gray'}} width="300"/>

sidebars.ts

@@ -999,6 +999,7 @@ module.exports = {
         'manage/security/2-step-verification-admins',
         'manage/security/2-step-verification-users',
         'manage/security/access-keys',
+        'manage/security/service-accounts',
         {
           type: 'category',
           label: 'Audit Indexes',
@@ -1036,7 +1037,6 @@ module.exports = {
             'manage/security/saml/view-saml-debug-information',
           ]
         },
-        'manage/security/service-accounts',
         'manage/security/set-password-policy',
         'manage/security/set-limit-user-concurrent-sessions',
         'manage/security/set-max-web-session-timeout',