
How to allow service accounts to make DX-APM API calls when the tenant is configured to use SSO authentication


Article ID: 215909


Products

CA Application Performance Management SaaS, DX Application Performance Management, DX APM SaaS

Issue/Introduction

To automate aspects of DX-APM SaaS tenant configuration, we need to make API calls with a token linked to a service account (a service account is not tied to a specific user). The tenant is configured to use SSO authentication, and therefore the only accounts that can authenticate are personal accounts.

The DX-APM Settings > Security UI only appears to let a user create a token linked to their own account. Is it possible to create a token related to another account? If so, how would roles for a service account be configured, since the roles a user holds for any session are defined by the roles in the SSO SAML response when the user's session starts, and I assume that an API call with a valid token is not passed to the IdP for authentication?

Environment

Release : SAAS


Resolution

The DX OI 'SERVICE-ACCOUNT-USER' is not a special case. It will only be treated as a USER role in APM. For admin tasks that require Admin role privileges via the API on the APM side, you would need to generate a token from a Tenant Admin account.

Public API tokens inherit the user ID and privileges of the user who created them.