We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Service Account for API calls

FranciscoS
New Contributor III
New Contributor III

Dear community,

Our project requires to connect from external application via API to Saviynt. 

Should we

1) use normal Saviynt user identity with an appropriate SAV role to perform API calls

OR

2) should we enable ADD/REMOVE service account workflow on the Saviynt security system and then create a service account identity which would be linked to that?

What is the best approach and why?

I kindly ask for your help, please.

Best regards,

Francisco J.

4 REPLIES 4

DixshantValecha
Saviynt Employee
Saviynt Employee

Hi @FranciscoS,

Please refer the below documentation for details on your requested information.

API Reference (saviynt.com)

Saviynt API Best Practices - Saviynt Forums - 36345

Kindly request your validation of the provided information and kindly inform us if additional details are required.

DixshantValecha
Saviynt Employee
Saviynt Employee

Hi @FranciscoS,

We are checking on this and we will keep you posted.

Hello @DixshantValecha ,

Thanks for your reply. According with best practices document, it would be well creating a normal Saviynt user and assigning endpoint access accordingly with least privilege approach to it. -> That would mean our option number 1).

What do you think about option 2?

Kind regards,

Francisco J.

DixshantValecha
Saviynt Employee
Saviynt Employee

Authentication to Saviynt API is typically done using a service account in Saviynt that should have read/write access to the application. This service account username and password need to be provided for authenticating into Saviynt before any APIs can be executed.

However, the best practice guide for managing Saviynt API service accounts recommends following a standard naming convention across all Saviynt API user identities. It also suggests implementing a least privilege approach by creating a custom SAV role that includes only the necessary web service permissions.

If possible, it’s recommended to use a Refresh token to generate an access token so that the static service account userid and password do not need to be stored in the application making API calls.

So, in your case, both options could work, but using a service account with an appropriate SAV role might provide more security and flexibility. This is because service accounts are designed to represent machine users, such as software or business processes, that require authenticated access to privileged resources.

Please let me know if further info is needed on this.