Merged
2 changes: 1 addition & 1 deletion docs/accounts/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@ Turbot Pipes is available in multiple plans, providing flexibility to deliver th

- When you sign up for Turbot Pipes or are added to a tenant, you will have your own [Developer Account](/pipes/docs/accounts/developer). Your developer account allows you to create workspaces for your own personal use; you cannot share them with other Pipes users.

- If you have a [Team](/pipes/docs/accounts/org#team-plan) or [Enterprise](/pipes/docs/accounts/tenant#enterprise-plan) plan you can create [Organizations](/pipes/docs/accounts/org). Organizations may include multiple users, enabling you to collaborate and share workspaces and connections.
- If you have a [Team](/pipes/docs/accounts/org#team-plan) or [Enterprise](/pipes/docs/accounts/tenant#enterprise-plan) plan you can create [Organizations](/pipes/docs/accounts/org). Organizations may include multiple users, enabling you to collaborate and share workspaces and connections.

- With the [Enterprise Plan](/pipes/docs/accounts/tenant#enterprise-plan), you can create your own [Tenant](/pipes/docs/accounts/tenant) to provide enterprise-wide security, compliance and scalability. A tenant allows you to create your own private organizations and developer accounts, which are available only to your users.
42 changes: 42 additions & 0 deletions docs/accounts/org/members/index.md
@@ -0,0 +1,42 @@
---
title: Members
sidebar_label: Members
---

# Members

You can grant and revoke access to users and service accounts from the **Members** tab on your organization page.

## Organization Roles

| Role | Description
| ---------- | --------------------------------------------------------------------------------
| **Member** | Can be granted permissions in workspaces and see members of the organization. Members are not granted access to any workspaces by default.
| **Owner** | Have full administrative rights to the organization, including complete access to all workspaces, connections, users, groups, and permissions. Owners are essentially superusers in the organization- they have full implicit access to all workspaces, and their access cannot be removed at the workspace level.

**Org Owners** have implicit access to all workspaces in the organization, and you cannot revoke their access at the workspace level. **Members**, on the other hand, are not granted access to any workspaces by default; you may [grant access to a workspace](/pipes/docs/workspaces/members) from the **Members** tab on your workspace after they have been added to your organization.



## Adding Organization Members [Enterprise plan]
If you are on an [Enterprise Plan](/pipes/docs/accounts/tenant#enterprise-plan), you can grant access to your organization to any users and [service accounts](/pipes/docs/accounts/tenant/members/service-accounts) in your tenant. You cannot invite users or create service accounts at the organization level - they must be members of the tenant.

To add a user to your workspace, click **Add Member**. Enter an email address or user handle of an existing user or service account and select a [role](#organization-roles) for the user


## Inviting Organization Members [Team plan]

If you are on a [Team Plan](/pipes/docs/accounts/org#team-plan), you can invite users to your organization from this page.

To invite a user to your organization, click the **Add Member** button and then select **Invite Member** from the dropdown options. Enter an email address or the user handle of an existing user, select a [role](#organization-roles) for the user, and click **Add**.

To revoke access from a user, select the options menu button ('three dots' button) to the right of the user and click **Remove**.

## Managing Service Accounts [Team plan]

If you are on a [Team Plan](/pipes/docs/accounts/org#team-plan), you can [create, delete, and manage service accounts](/pipes/docs/accounts/org/members/service-accounts) from this page. Service accounts are a specialized type of user designed for programmatic access to Turbot Pipes.


## Last Activity

The **Last Activity** column represents the most recent date on which an activity was performed by a user in an organization. This includes interactions such as accessing the organization or any associated workspace, running a Steampipe query in a workspace belonging to the organization, or engaging with any other resources under the organization. This timestamp helps track the latest user engagement, offering valuable insights into activity trends and system usage within the organization.
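
Review bot: Under "Adding Organization Members [Enterprise plan]" the step reads "To add a user to your workspace, click **Add Member**", but this page grants organization membership, and workspace access is a separate grant according to the paragraph under the roles table, so it should say "organization". That sentence also stops at "for the user" with no period and no final click, where the Team plan section ends with "and click **Add**". The revoke step ("click **Remove**") sits only under the Team plan heading; if it also applies to Enterprise organizations, give it its own section. The paragraph after the roles table repeats the Owner row almost word for word and could be reduced to the workspace-grant link.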
86 changes: 86 additions & 0 deletions docs/accounts/org/members/service-accounts.md
@@ -0,0 +1,86 @@
---
title: Service Accounts
sidebar_label: Service Accounts
---

# Service Accounts

Service accounts are a specialized type of user designed for programmatic access to Turbot Pipes.

The primary use case for service accounts is to enable automation and integration scenarios, where a non-human user needs to interact with the Pipes platform.
Service accounts can be used in CI/CD pipelines, automated scripts, or other systems that require access to Pipes resources without human intervention.

Service accounts are managed within Turbot Pipes and, as such, do not require a provisioned user from your user directory (SAML, Google, GitHub, etc).

## Limitations

Service accounts have the following limitations:
- Cannot log in via the Console (web interface).
- Cannot create/manage personal resources, i.e., workspaces.
- Cannot modify themselves or other service accounts.
- Can only be created and managed from either the organization or tenant level, depending on your plan.
- **[Team Plan](/pipes/docs/accounts/org#team-plan)**: Service accounts can be [created at the organization](/pipes/docs/accounts/org/members#service-accounts) level.
- **[Enterprise Plan](/pipes/docs/accounts/tenant#enterprise-plan)**: Service accounts can be [created at the tenant](/pipes/docs/accounts/tenant/members#service-accounts) level.

## Billing Considerations

From a billing standpoint, each service account is classified as a user in your [Team](/pipes/docs/accounts/org#team-plan) or [Enterprise](/pipes/docs/accounts/tenant#enterprise-plan) plan.

Service accounts are billed like any other user. They will count against the included users in your plan and are billed at the same rate as individual users.


## Creating Service Accounts

To create a service account, navigate to **Members** for your organization. Click the **Add Member** button and select **Create Service Account** from the dropdown options, enter a title and if desired, an _optional_ description for the service account, and click **Create**.

<img src="/images/docs/pipes/pipes-service-account-create.png" width="400pt"/><br />

The service account will be created with the **Member** role by default. You can change the role if desired via the **Change Role** action on the options menu button ('three dots' button).

<img src="/images/docs/pipes/pipes-service-account-member.png" width="400pt"/><br />

Once you have created a service account in your organization, you can grant it permissions from the **Members** page for [workspaces](/pipes/docs/workspaces/members) in the organization.


## Managing Service Accounts

Management of a service account is available to owners of the billing entity (organization or tenant) in which the service account was created.

To manage a service account, navigate to the **Members** tab of the organization or tenant in which the service account was created. Select the cog button to the right of the service account you wish to manage.

<img src="/images/docs/pipes/pipes-service-account-member.png" width="400pt"/><br />

### Tokens

The **Tokens** tab allows you to create and manage API tokens for your service account. API tokens are used for authenticating API requests made by the service account.

A service account can have a maximum of **2** API tokens.

Click **New Token** to create a new API token. You will be prompted to enter an optional `Title` and select an `Expiration` date for the token. The expiration can be set to a specific duration or to `Never`, which means the token will not expire.

<img src="/images/docs/pipes/cloud-user-create-token.png" width="400pt"/>
<br />

> [!NOTE]
> If you're on an [Enterprise Plan](/pipes/docs/accounts/tenant#enterprise-plan) with a custom [Tenant](/pipes/docs/accounts/tenant), the [Maximum Token Expiration](/pipes/docs/accounts/tenant/authentication#maximum-token-expiration) setting will apply to the token expiration.

The token will be masked, but you can reveal it by clicking the eye icon or hovering over it and clicking the clipboard icon to copy it. Make a secure note of the token, as you will not be able to retrieve it again.

You can `deactivate` or `delete` a token from the list by clicking the options menu button ('three dots' button) and selecting **Deactivate** or **Delete** from the menu.

### Audit Log

The **Audit Log** tab provides a log of API activity associated with your service account, including _who_ did _what_ and _when_.

<img src="/images/docs/pipes/pipes-service-account-audit.png" width="400pt"/><br />

### Settings

The **Settings** tab allows you to update or delete the service account.

<img src="/images/docs/pipes/pipes-service-account-settings.png" width="400pt"/><br />

You may update the **Title** or **Description** of the service account. Click **Save** to apply your changes.

You may delete the service account by clicking the **Delete Service Account** button. You will be prompted to confirm deletion; enter the service account identifier shown and click **Delete**.
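
Review bot: The Limitations list says service accounts "Cannot modify themselves or other service accounts", while "Creating Service Accounts" allows changing the role from **Member** and "Managing Service Accounts" makes management "available to owners of the billing entity"; please state explicitly whether a service account holding the Owner role is still blocked from managing service accounts and their tokens, since readers will judge the privilege of an Owner-role token from this page. In the same list, the links `/pipes/docs/accounts/org/members#service-accounts` and `/pipes/docs/accounts/tenant/members#service-accounts` do not match any heading on either members page added in this PR (the headings are "Managing Service Accounts [Team plan]" and "Managing Service Accounts"). In "Tokens", the difference between **Deactivate** and **Delete** is not explained, and the Maximum Token Expiration note covers only Enterprise tenants, so it is unclear whether anything limits a `Never` expiration on a Team plan.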

26 changes: 0 additions & 26 deletions docs/accounts/org/people.md

This file was deleted.

2 changes: 1 addition & 1 deletion docs/accounts/tenant/advanced.md
Expand Up @@ -5,7 +5,7 @@ sidebar_label: Advanced

# Advanced Settings

To manage your tenant's advanced settings, navigate to your tenant, then click the double arrow button from the navigation at the top of the page, select **Tenant Settings** from the dropdown, and then go to the **Advanced** tab. This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/people#tenant-roles).
To manage your tenant's advanced settings, navigate to your tenant, then click the double arrow button from the navigation at the top of the page, select **Tenant Settings** from the dropdown, and then go to the **Advanced** tab. This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/members#tenant-roles).


## Tenant Profile
6 changes: 3 additions & 3 deletions docs/accounts/tenant/authentication.md
Expand Up @@ -8,7 +8,7 @@ sidebar_label: Authentication
The **Authentication** page allows you to control which [domains are trusted](#trusted-login-domains), as well as to enable, disable, and configure [authentication methods](#authentication-methods) like Email, [SAML](#saml), [GitHub](#github), and [Google](#google).

To manage the authentication settings for your tenant, navigate to your tenant, then click the double arrow button from the navigation at the top of the page and select **Tenant Settings** from the dropdown.
This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/people#tenant-roles).
This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/members#tenant-roles).


## Trusted Login Domains
Expand Down Expand Up @@ -72,13 +72,13 @@ Once you have entered the required information from the SAML IdP configuration,

### GitHub

You can enable GitHub authentication by toggling the radio button. When GitHub authentication is enabled, any user that has been authenticated by GitHub whose primary email address is from a [trusted login domain](#trusted-login-domains) will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the [Member role](/pipes/docs/accounts/tenant/people#tenant-roles) in the tenant.
You can enable GitHub authentication by toggling the radio button. When GitHub authentication is enabled, any user that has been authenticated by GitHub whose primary email address is from a [trusted login domain](#trusted-login-domains) will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the [Member role](/pipes/docs/accounts/tenant/members#tenant-roles) in the tenant.

**Please note** the user's *primary GitHub email address* is presented and therefore used when evaluating [trusted login domain](#trusted-login-domains) restrictions.


### Google
You can enable Google authentication by toggling the radio button. When Google authentication is enabled, any user who has been authenticated by Google whose email address is from a [trusted login domain](#trusted-login-domains) will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the [Member role](/pipes/docs/accounts/tenant/people#tenant-roles) in the tenant.
You can enable Google authentication by toggling the radio button. When Google authentication is enabled, any user who has been authenticated by Google whose email address is from a [trusted login domain](#trusted-login-domains) will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the [Member role](/pipes/docs/accounts/tenant/members#tenant-roles) in the tenant.

## Maximum Token Expiration

2 changes: 1 addition & 1 deletion docs/accounts/tenant/connections.md
Expand Up @@ -16,7 +16,7 @@ You can create connections and folders manually, but they may also be created by

## Managing Connections

You can manage your tenant's connections and folders from the **Connections** tab. Navigate to your tenant by clicking the double arrow button from the tenant switcher at the top of the Pipes console. Select your tenant, and then select **Tenant Settings**. This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/people#tenant-roles).
You can manage your tenant's connections and folders from the **Connections** tab. Navigate to your tenant by clicking the double arrow button from the tenant switcher at the top of the Pipes console. Select your tenant, and then select **Tenant Settings**. This option will only be visible in a custom tenant for which you are a [tenant owner](/pipes/docs/accounts/tenant/members#tenant-roles).

The **Connections** tab will show all the tenant-level connections and folders.

2 changes: 1 addition & 1 deletion docs/accounts/tenant/index.md
Expand Up @@ -30,6 +30,6 @@ The creation process can vary in time and may take up to 5 minutes. You don't ha

## Initial login

The initial login to a new tenant can only be performed via email. The Pipes user that created the tenant will be added as a [tenant owner](/pipes/docs/accounts/tenant/people#tenant-roles) in the new tenant and will have full control of the tenant after they log in.
The initial login to a new tenant can only be performed via email. The Pipes user that created the tenant will be added as a [tenant owner](/pipes/docs/accounts/tenant/members#tenant-roles) in the new tenant and will have full control of the tenant after they log in.

Once you have logged in, you can set up other [authentication methods](/pipes/docs/accounts/tenant/advanced#authentication-methods), or you can invite other users to the tenant.
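
Review bot: The context line after the changed one still links "authentication methods" to `/pipes/docs/accounts/tenant/advanced#authentication-methods`, while the `#authentication-methods` anchor visible in this PR is on the Authentication page (docs/accounts/tenant/authentication.md), and the advanced.md hunk shows only the "Advanced Settings" and "Tenant Profile" headings. Since this PR is already correcting tenant links, check whether this one should point to `/pipes/docs/accounts/tenant/authentication#authentication-methods`.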
35 changes: 35 additions & 0 deletions docs/accounts/tenant/members/index.md
@@ -0,0 +1,35 @@
---
title: Members
sidebar_label: Members
---

# Tenant Members

You can add and remove users and service accounts from the **Members** tab on your **Tenant Settings** page. Select your profile picture at the top right of the Pipes console, and select **Tenant Settings** from the menu.

Only users who have been invited to the tenant or have logged in via a [trusted login domain](/pipes/docs/accounts/tenant/authentication#trusted-login-domains) will have access to the tenant.

A user can be invited as either a **Member** or an **Owner**. A service account will always be created as a **Member** by default, but can be given an **Owner** role if desired.

## Tenant Roles

| Role | Description
|----------|------------------------------------------------------
| `Member` | The user has access to the tenant but no implied permissions. Members cannot see tenant settings, invite other tenant members, or create an organization.
| `Owner` | The user has full ownership of the tenant and can manage tenant settings and tenant members. Owners have full control of all organizations in the tenant.

## Inviting Tenant Members

To invite a new tenant member, navigate to **Members** from the **Tenant Settings** section. Click the **Add Member** button and then select **Invite Member** from the dropdown options. Enter the email address of the user you wish to invite and select the role you wish to assign them. Click **Invite**.

<img src="/images/docs/pipes/pipes-enterprise-people-invite-member.png" width="400pt"/><br />


## Managing Service Accounts

You can [create, delete, and manage service accounts](/pipes/docs/accounts/tenant/members/service-accounts) for your tenant from this page. Service accounts are a specialized type of user designed for programmatic access to Turbot Pipes.


## Last Activity

The **Last Activity** column represents the most recent date on which an activity was performed by a user in the tenant. This includes any interaction or action initiated by a user, such as logging into the tenant, accessing an organization or workspace, running a Steampipe query, or performing any other activity on any resource under the tenant. The column serves as a timestamp to track the latest user engagement within the tenant, providing insights into user activity and system usage trends.
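
Review bot: The intro says you can "add and remove users and service accounts", but the page documents only inviting; there are no steps for removing a member or changing a role, which the organization members page covers with "click **Remove**". The navigation also differs from the other tenant pages touched in this PR: here it is "Select your profile picture at the top right", elsewhere "click the double arrow button from the navigation at the top of the page". Because a service account "can be given an **Owner** role" and Owners "have full control of all organizations in the tenant", consider saying under Tenant Roles that this applies to service accounts as well, with a link to the service account token settings. Role names are in backticks here and in bold on the organization page; pick one style.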