
Introduction

There are various reasons why you might need a MyAccess account other than your personal account. If you’re building an application that uses MyAccess for authentication, for example, a service account might make it easier for you to monitor or test your application. Please follow the instructions below to get a MyAccess service account.

Request an Active Directory (AD) Resource Account

Go to this account request form list and click on "ARF: Active Directory Resource Account Request (Campus only)" to request an AD resource account.  Fill in the owner name and department information at the top. When asked "What do you want to name this account," use the format svc-<service name>-<purpose>. For example, if your service is called "Widgets" and the account is going to be for testing, you might request a service account named svc-widgets-test. You can use the same format for the requested email address.  The Resource Account Type should be "Mailbox Entity".  For the field asking about the purpose of the account, put a short description of what the account will be used for, such as "used for testing the Widgets application."  When the AD group has created the account, they will inform you by email.

Enable the AD Account for MyAccess

Follow these steps to set up your new AD resource account as a MyAccess Service Account.

  1. IMPORTANT: Remember the account password.  The only way to reset the password is through the IT Service Desk.  If you forget the password, you'll need to contact the Service Desk at http://help.ucsf.edu and use the "Service Desk Chat" link at the top right or call them at (415) 514-4100.
  2. Once the AD resource account is associated with your Password Manager profile, change the initial password.  Go to https://password.ucsf.edu and click "Change passwords."  Click in the box that lists the AD resource account and follow the directions to reset the password.
  3. Close all web browser windows (so that you’re completely logged out of the MyAccess authentication system).
  4. Open a new web browser window and go to https://myaccess.ucsf.edu/serviceaccount/
  5. You’ll be prompted to log in to MyAccess.  Use your AD resource account Username and Password.  DO NOT use your own login credentials.  If you see "This is not a service account" then you used the wrong username to log in. Start from step 3.
  6. Once logged in, fill out the information requested on the web form.
    1. The “High-level organization” should be your department or group name.
    2. The “Low-level organization” should be your group or application name.
    3. The “Requester” should be your first and last name.
    4. If the new AD resource account was not mail enabled, the “Email address” should be your email address.  If it was mail enabled, the “Email address” should be the email address assigned to the new resource account (most likely something like "svc-widgets-test@ucsf.edu" if using the example above, where "widgets" is the name of your service).
    5. Press Update Account. You should see the message "Account created" or "Account modified."

You can now log into most MyAccess-enabled applications with your service account. Note that a service account may not work correctly with some applications, because the application requires an affiliation value, a valid employee ID or other information that is not assigned to service accounts.  Additionally, MyAccess-integrated applications that use the email address to identify users, such as Box and DocuSign, will incorrectly identify the Service Account as the person whose email address was entered in step 6.d. above.


2 Comments

  1. Thanks for the guide. It was very easy to follow. A couple of notes:

    • The service desk no longer attaches service accounts to user's password management profile (INC5550967)
    • You may need to request that the service account attributes be imported over to IdP-stage if you plan to use it on MyAccess Stage. The folks over at ITS_TA_Identity_Management were able to assist me with that. Thanks!
  2. Thanks Rob.  I've updated the article to remove the reference to associating the Service Account with your Password Manager profile.