
Impersonation in service accounts

What is impersonation?

Impersonation in a service account is the ability to act on behalf of a user or an item inside your Kissflow account. By impersonating a user, the service account can complete items or access resources as if the user had acted on them. Impersonation is helpful when a service account needs to perform tasks on behalf of another user but does not have the necessary permissions itself: it lets the account do so without being granted direct access to flows.

Consider a scenario where two processes, Purchase Request and Purchase Order, are connected through Kissflow process integration. The integration is configured so that when an item reaches the completion state in the Purchase Request, a subsequent item gets created in the Purchase Order. If you try to do this without service accounts, the initiator of all the items in the Purchase Order process is the person who created the integration, as their Access key ID and secret are used. But with service accounts, you can use the service account's Access key ID and secret to enable impersonation and impersonate the user who initiates an item in the Purchase Request to initiate an item in the Purchase Order automatically. 

Configuring impersonation access to shared resources 

Each Kissflow account has three common resources that a service account can access: Global my items, User and Group management, and All flows and integrations. To access shared resources, go to Account Administration > Account security > Impersonation security and click Configure to choose which of the created service accounts can impersonate these shared resources. You can edit impersonation access based on your requirements or remove it for dormant service accounts. Only Super Admins and IAM Admins can extend impersonation access to shared resources.

Global my items

Global My Items has the complete list of items created by and assigned to all users in the respective Kissflow account. Giving a service account impersonation access to Global My Items allows the service account to read the Created by me and Assigned to me items of a particular user in Kissflow. However, if the service account needs to act on a specific item from a flow, it requires access to the respective flow. Access to the Global My Items page is helpful when a service account needs to show a specific user's My Items page externally.

User and Group management

User and Group management has the list of all the groups and users in a Kissflow account. Impersonating allows the service account to make changes to the User and Group management table by editing the details of a user, activating or deactivating users, deleting users, and making changes to groups in a Kissflow account. To change the User and Group management table, the service account must impersonate Super Admins, IAM Admins or User Admins who can access it.

All flows and integrations

Impersonating All flows and integrations allows the service account to access the list of all the processes, boards, datasets, integrations, apps, chats, and spaces particular to a Kissflow account and make changes to them.

Configuring impersonation access to flows

Impersonation access allows the service account to change a particular flow. It enables the service account to impersonate the flow on behalf of another user in the Kissflow account. While impersonating, a service account temporarily gains the permissions granted to the respective user inside the flow. If the user is a Flow Admin, the impersonating service account is given all permissions. A service account's actions using impersonation are restricted to what a member can do manually inside the flow.

Only Flow Admins can extend impersonation access to flows. Super Admins can add themselves as an admin to any flow in a Kissflow account, and expand impersonation access. Impersonation access to flows can be configured using the following steps:

  1. Go to the process, board, or dataset for which you want to configure impersonation.
  2. Click the More options button > Settings and click Security settings.
  3. Scroll down to Impersonation and click Configure. Select the service account to which you want to extend impersonation access and click Add.

You can use the Associated resources page of a service account to view the list of flows with impersonation access enabled and choose to remove it for inactive service accounts.

Note:
You cannot configure impersonation access to a chat or an integration. 

Sharing flow access to a service account

You can also add a service account as a member of a particular flow, which is different from giving it impersonation access. Adding a service account to a specific flow will provide the service account with the same permissions as given to a user who is part of the flow. A service account can be assigned different roles based on the flow it is added to, and the permissions will vary based on the role assigned to it. To add a service account to a flow, click the Add members button and click + Add members to add any service account. Service accounts have a unique identifier next to their name.

You can view the list of flows and common resources a service account can access by going to the Associated resources page under the specific service account.
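
The flow-level rules from the two sections above (impersonation access versus direct membership), modelled as an added Python example; it is not Kissflow code and calls no Kissflow API. The permission names, the "Member" role, and the user and service account names are assumptions made for illustration.

```python
# Model of the flow-level rules described above; not Kissflow code or API.
# Assumptions: permission names and the "Member" role are hypothetical.
ALL_PERMISSIONS = frozenset({"read", "create_item", "edit_item", "manage_flow"})
ROLE_PERMISSIONS = {
    "Flow Admin": ALL_PERMISSIONS,  # page: a Flow Admin yields all permissions
    "Member": frozenset({"read", "create_item", "edit_item"}),
}
# Page: impersonation cannot be configured on a chat or an integration.
IMPERSONABLE_FLOW_TYPES = {"process", "board", "dataset"}

class Flow:
    def __init__(self, name, flow_type, members):
        self.name, self.flow_type = name, flow_type
        self.members = dict(members)  # user or service account -> role
        self.impersonators = set()    # service accounts granted impersonation

    def grant_impersonation(self, granted_by, service_account):
        if self.flow_type not in IMPERSONABLE_FLOW_TYPES:
            raise ValueError(f"not configurable on a {self.flow_type}")
        # Only a Flow Admin of this flow can extend impersonation access.
        if self.members.get(granted_by) != "Flow Admin":
            raise PermissionError(f"{granted_by} is not a Flow Admin")
        self.impersonators.add(service_account)

def effective_permissions(flow, service_account, impersonated_user=None):
    """Permissions the service account holds for one request on this flow."""
    if impersonated_user is None:
        # Direct membership: the account's own role, like any other member.
        role = flow.members.get(service_account)
    elif service_account in flow.impersonators:
        # Granted: temporarily holds the impersonated user's permissions.
        role = flow.members.get(impersonated_user)
    else:
        role = None  # no impersonation grant on this flow
    return ROLE_PERMISSIONS.get(role, frozenset())

def worst_case_permissions(flow, service_account):
    """Union over every member the account could impersonate (blast radius)."""
    perms = frozenset()
    for user in flow.members:
        perms |= effective_permissions(flow, service_account, user)
    return perms

def sample_flow():
    # Constructed sample; user and service account names are made up.
    flow = Flow("Purchase Order", "process", {"alice": "Flow Admin", "bob": "Member"})
    flow.grant_impersonation("alice", "svc-integration")
    return flow
```

In the sample, `worst_case_permissions(sample_flow(), "svc-integration")` equals `ALL_PERMISSIONS` because one member of the flow is a Flow Admin, so a review of an impersonation grant should consider the flow's most privileged member, not only the user the integration normally impersonates.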