# suitescript
n
Hey everyone, thinking of creating a service account to associate all scripts, bundles, workflows, etc., for shared visibility into errors and easier updates. Plan: custom admin role (no 2FA) + credentials in a shared vault. Any best practices or recommendations?
e
Some thoughts... You're going to lose visibility into what actual user made changes to records or customizations. You'll need to reset password anytime someone that had access to shared credentials leaves the company. You can send all script errors to a group rather than individuals if that's a problem you're having today. Any user with an admin role should already have access and visibility to all customizations so I'd be curious to hear what you mean by "shared visibility".
a
You can have 2FA; you just have to use an authenticator app instead of a phone number.
I guess, what's the goal here? Just to reduce license count?
e
I have seen this work pretty well. It's especially nice to not have to change the Owner on custom Objects whenever someone leaves. I definitely prefer to use a custom email group for distributing error emails from Scripts and such, as opposed to making everyone monitor the email address of the service account. It doesn't need to be a UI account because, like Eric said, Admins and Devs should have the visibility they need already. For me, these sorts of users are more about collecting and containing the ownership of customizations than they are about providing reporting.
They work particularly well on Integrations, I feel. Any tokens and objects and such can belong to the service account instead of any particular individual
n
Thank you, everyone! There are two main end goals. First is to have the ability to change the owner of custom objects. In particular, we have an issue with a locked bundle where the owner has left the company, and all errors pertaining to that bundle's process are being sent to the inactive owner's email. Second is to send out errors to a larger group than an individual. I think an email group is a great suggestion for us in this regard.
a
It's not a real permanent fix, but for the locked bundle you can just update the email address for that no-longer-active employee and set it to an email you want errors to go to.
n
We thought about that, but not sure that will be permitted
r
In the script record for unhandled errors, instead of checking the option to notify the script owner, you can notify a group. And you can update that group anytime. It will be dynamic and much better.
f
I'd caution you against bundles and workflows. A service account is a no-brainer. I'd point the logging to a topic.
n
Hi everyone, thank you for your suggestions. If we do create a service account, how can we deal with 2FA? Given that the service account will have admin access, we are trying to figure out 2FA without having to tie it to an individual's phone device.
a
You can use an authenticator app instead of a phone number. We use Google Authenticator for our system accounts.
n
If the service account needs to be used by multiple users, is it secure for multiple people to have access using an authenticator app?
a
It's the 2nd factor; you still have the 1st factor of the password.
When you want to exclude people in the future, you update the password and don't share it with the people that moved on.
I'm assuming that's the vulnerability you're potentially worried about? Given that you ARE sharing the password among this group already, what else could be the problem??
n
Hmm, I see what you mean. Can multiple people have the same MFA on multiple devices?
a
I think maybe just set up an auth app for your own logins to get familiar with the process.
You're worrying about stuff that doesn't matter.
Sorry, I didn't answer the question. I'm not sure what you mean by "the same MFA"?
The authenticator app effectively ties the app install (i.e. the device) to the login credentials (email), but there's no limit on the number of ties you can make, so you can have multiple login credentials tied to a device, and you can have those same credentials on multiple devices.
And whether those devices all belong to the same person or to multiple different people, it wouldn't make a difference.
n
That makes sense. It sounds like it's technically possible to share the email and password as well as share the MFA codes across multiple devices. Thank you for your input.
a
Hopefully you don't have to worry about the 10 reset codes. I've never used one in my entire life 😄
n
Haha, me neither.