Admin-managed service account for team CI/CD (beyond PATs)?

0
Hi all,

our team needs an admin-managed service account that can perform the same tasks as a regular user (build, deploy via the Deploy API), but is centrally owned by the team rather than tied to one person.

What I know already

Personal Access Tokens (PATs) exist and they solve the password-expiry problem nicely. But a PAT is bound to a single personal user account, which has two downsides for us:

- If that person leaves the company or gets deactivated, all CI/CD pipelines break.
- It implicitly ties team-wide automation to one individual's permissions.

My question

Is there an option as an admin to create a dedicated service account and add it to a project, similar to how you'd manage a bot user in GitLab? Something that is not tied to a real person but can still be subscribed to apps and used with the Deploy API.

Maybe I have overlooked this feature somewhere in Control Center or in the admin portal?

If this doesn't exist today: how do other teams handle this? Do you just create a generic mailbox-backed user and treat it as a service account, or is there a cleaner pattern?

Thanks!

Best regards,
Marvin
1 answers
1

Yes, this exists. Mendix added Service Accounts to Control Center for exactly this use case.


- Created and managed by company admins in Control Center -> Service Accounts.

- Not tied to a real person, so they survive employee offboarding.

- Added to apps with a role (e.g., Deployment Manager) just like a regular user.

- You generate PATs against the service account and use them in CI/CD for the Deploy API.


If you don't see the menu, you likely need company-level admin rights, or the feature may be license/edition-gated. Worth pinging your license manager.


Until you get it enabled, the historical workaround is the generic mailbox-backed user (shared inbox, normal Mendix account, PAT on top). It works but consumes a regular user seat and shows up as a real user in audits, so I'd push for the native Service Account route.


If this resolves your issue, you can mark it as accepted.


