Skip to main content
Version: latest

Manage Service Users

This is a guide for Administrators about to how to create, list, and delete service users in SENSA Fabric using the CLI.

Service users are non-human system access accounts that allow for programmatic access through a system-owned personal access token. Service users are recommended for automated access across teams.

Prerequisites

  • SENSA Fabric CLI is installed
  • Administrator role in the SENSA Fabric system

Create Service User

  1. In the CLI enter:

    cortex users create <user-name>

    Example

    cortex users create agentInvoker

    Response

    {
      "success": true,
      "config": {
        "jwk": {
          "crv": "xxxx",
          "x": "xxxx",
          "d": "xxxx",
          "kty": "xxx",
          "kid": "xxxx"
        },
        "issuer": "cognitivescale.com",
        "audience": "cortex",
        "username": "xxxx",
        "url": "https://api.test.eks.insights.ai"
      },
      "token": "xxxx"
    }

    The config property of the response contains the Personal Access Token assigned to authenticate the service user so it can create JWT tokens for system access.

    The token property contains a currently valid JWT token for this user.

  2. Save the PAT returned when you create the user. This is the value that is needed to generate JWT tokens.

    caution

    You will not have another chance to view this token.

    If the service user's PAT is lost or compromised, delete it and create a new service user.

  3. You can use the token from the response immediately to call API methods directly by entering the JWT in the Authorization API header.

    To authenticate to the CLI as the service user, run cortex configure and provide the PAT token (the config property of response in {}) when prompted.

  4. Service users are created without roles/grants. By default a service user has access to API methods so assigning roles/grants is optional.

    Use the instruction found here if you want to manage grants for this user.

    caution

    Service users must be assigned the "Administrator" role or specific administrator grants to be able to perform actions like creating secrets, managing authorization, promoting agents FabricOps, creating Projects, and importing-exporting Campaigns.

List Service Users

To get a list of service users that have been created by team admins run the following:

cortex users list

Response

{
  "success": true,
  "users": [
    "agentInvoke"
  ]
}

Delete Service Users

To delete a service user and invalidate all existing tokens created by this service user in Fabric run:

cortex users delete agentInvoke

Response

{
  "success": true,
  "message": "agentInvoke deactivated"
}

When the user is deleted, any assigned roles and grants are persisted and are enforced if a user with the same name is recreated.

If you are working as system user, and another admin deletes the user you will no longer be able to make requests into the system.