Service Accounts


Service accounts are logins that are not linked to a human identity, and most likely do not exist in corporate directories.

Since these logins can't be multi-factored they are secured with connection policies restricting them to a IP address range, target system, client name and/or time of day.

The goal is to

  • block any connection to a target database using a service login when the client IP is not the app server ip
  • send an alert on the misuse of a service account


To create and lock down a service account


Create an alert channel for non-compliant connection attempts

Step 1 - Create a mamori user without 2FA

Step 2 - Create connection policy to lock down the mamori user

Create Service Account User

Click Users


Enter user details & Click Create

Enter user permissions

Create Connection Policy

Click Policies

Click Connection Policies

Click Before Connection

Next, enter rule details

Rule descriptionreference
enableddefaults to true
ActionAllow, Allow & Log, Deny, Deny No Log
RuleUse the rule builder to create the rule

DENY WHEN User Is your_service_login AND Datasource Is a_target_database AND Client IP Is Not app_server_ip

AlertSelect the alert channel for non-compliant connection attempts

Click OK

Edit this page on GitHub Updated at Thu, Nov 11, 2021