Service User FAQ
Answers to common questions about Service Users, including creation, lifecycle management, and security.
General
What is a Service User?
A Service User is a dedicated user account created specifically for automation and integrations. Unlike Personal Access Tokens (PATs) that are tied to individual users, Service Users are managed centrally by administrators and remain active independent of individual user lifecycles.
What is the difference between a Service User and a Personal Access Token?
Service Users are dedicated accounts designed for automation and are managed exclusively by Admins. Personal Access Tokens are tied to individual user accounts and are self-service. If a user leaves the organization, any automation using their PAT will break. For production workloads, always use a Service User.
Who can create a Service User?
Only users with the Admin role can create and manage Service Users. This ensures centralized control over automated system access.
Lifecycle
What happens when a user who created the Service User leaves?
Nothing. Service Users are independent of individual user lifecycles. They remain active and functional regardless of changes to the administrator who created them.
Can a Service User log into the Qualytics web interface?
No. Service Users cannot log into the Qualytics web interface. They are designed exclusively for API access and automated integrations.
Can I assign teams to a Service User?
Yes. Service Users can be assigned to specific teams during creation or updated later. The Public team is automatically included. Team membership determines which datastores and resources the Service User can access.
What is the @service suffix in the user_id?
When you create a Service User, the system auto-generates an internal ID from the name using sanitization rules (lowercase, spaces converted to underscores, special characters removed) and appends the @service suffix. For example, Airflow Service User → airflow_service_user@service. This suffix distinguishes Service Users from Personal Accounts in audit logs and API responses.
Why can't I deactivate this Service User?
A Service User cannot be deactivated while it has active tokens. Revoke all active tokens first, then retry the deactivation. The system returns a 400 Bad Request error if you try to deactivate with active tokens.
What happens to Service User tokens when the account is deactivated?
Authentication is blocked at the account level — even if a token still exists, the platform rejects all API requests from a deactivated Service User. To restore access, reactivate the Service User and either restore individual tokens or generate new ones.
Can a Service User be the only Admin in the workspace?
No. The platform enforces at least one active human Admin at all times. Service Users with the Admin role do not count toward this requirement.
Security
For questions about Service Token security (storage, expiration, rotation, compromised tokens), see the Service Token FAQ.