Configure Service Account Permissions
Sunset of Traditional Service Accounts
All Traditional Service Accounts will sunset on March 24, 2025.
Traditional Service Accounts were deprecated on December 9, 2021. Beginning January 21, 2025, we will no longer allow the creation of new Traditional Service Accounts. Existing Traditional Service Accounts will continue to function until March 24, 2025.
In accordance with this timeline, developers of data connection applications that currently use Traditional Service Accounts are required to update their applications to use Developer Managed Service Accounts, and customers will be required to install these updated applications before the sunset date. All data connection applications not migrated by the sunset date will cease to function. Any application listed on the Procore App Marketplace that is not using a supported method for accessing the Procore API will be removed by the sunset date. See Migrating Data Connection Applications to Use DMSAs for additional information.
Objective
To configure permissions for service accounts on the Contact Information page in the company's Directory tool.
Background
When you initially create a service account, default permissions are set to 'None' for all company-level tools. You must set proper permissions for the service account prior to using it to access the Procore API. In addition, you can further refine and customize these permissions in order to implement and enforce more stringent security policies.
Important
Bear in mind that although you may be able to generate an OAuth 2.0 access token using a service account with default ('None') permissions, this token will not work for making successful calls to the Procore API. Therefore, you must set proper permissions for the service account prior to using it to access the Procore API.
Things to Consider
- Required User Permissions:
  - 'Admin' level permissions on the company's Directory tool.
- Access Considerations:
  - Existing service account permissions are set to 'None' on any new tool added since the service account was created.
  - Be mindful of sensitive data and exercise caution when defining permissions on service accounts.
- Important Company Directory Considerations:
  - Once you create a service account, the associated email address must not be changed in the company directory. If you modify the service account email address, the service account will no longer be functional.
  - The service account contact cannot be added to more than one company directory (only the one it was created in); otherwise it will stop working.
Steps
- Log in to Procore and navigate to the company's Directory tool.
- In the company Directory, locate the service account you want to configure permissions for and click Edit.
- On the contact information page for the selected service account, scroll down to the permissions matrix.
- Configure service account access levels by selecting None, Read-Only, Standard, or Admin for each tool in the permissions matrix.
- Click Save to update your service account with the new permissions settings.
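After saving, it is worth reviewing the matrix against what the integration actually needs. The following Python check is an added example, not Procore's code or part of the original page: it compares a hand-written requirements spec with access levels transcribed from the permissions matrix and flags both over-privileged tools and tools left below the needed level. The function name, the dictionaries, and the tool names are assumptions made for illustration.

```python
# Access levels in the order the permissions matrix offers them.
LEVELS = ["None", "Read-Only", "Standard", "Admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def review_permissions(required, granted):
    """Compare the access an integration needs with what the matrix grants.

    required: {tool: level} the integration actually needs (your own spec).
    granted:  {tool: level} transcribed from the service account's matrix.
    Returns a list of (tool, finding, required_level, granted_level),
    sorted by tool name.
    """
    for level in list(required.values()) + list(granted.values()):
        if level not in RANK:
            raise ValueError(f"unknown access level: {level!r}")

    findings = []
    for tool in sorted(set(required) | set(granted)):
        need = required.get(tool, "None")
        # A tool missing from the transcript is treated as 'None', the level
        # a tool added after the account was created is set to.
        have = granted.get(tool, "None")
        if RANK[have] > RANK[need]:
            findings.append((tool, "over-privileged", need, have))
        elif RANK[have] < RANK[need]:
            # Below what the integration needs. With 'None', a token may
            # still be issued, but API calls will not succeed.
            findings.append((tool, "insufficient", need, have))
    return findings


# Constructed sample data; tool names are placeholders, not a real export.
REQUIRED = {"Directory": "Read-Only", "Documents": "Standard", "Reports": "Read-Only"}
GRANTED = {"Directory": "Admin", "Documents": "Standard", "Timesheets": "Standard"}

if __name__ == "__main__":
    for tool, finding, need, have in review_permissions(REQUIRED, GRANTED):
        print(f"{tool}: {finding} (needs {need}, has {have})")
```

Rerun the comparison whenever a new tool is enabled for the company, since the service account starts at 'None' on that tool.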