Service Accounts & Permissions

Consolidated service account architecture, application-level RBAC, database permissions, and OS-level user configuration for MinusNow ITSM.

Version 3.0 | February 2026 | Classification: Internal / Security

01 Overview & Design Philosophy

MinusNow uses a consolidated service account model with 4 accounts, matching the industry-standard approach used by platforms like ServiceNow, Jira Service Management, and BMC Helix. Module-level access control is enforced at the application RBAC layer, not at the database layer.

Why Consolidated?

MinusNow is a single Node.js process with one database connection pool. Creating separate database users for each module adds operational complexity with no security benefit — the application process already has access to all data. Instead, permissions are enforced by the application's RBAC engine, which is how all major ITSM platforms work.

How Security Is Maintained

  • Application RBAC — 6 roles control who can access which modules and what actions they can perform
  • OS-level isolation — Dedicated non-root user (minusnow) runs the app process
  • Agent isolation — Separate mnow-agent account on monitored hosts with minimal sudo
  • Audit trail — All actions logged with user, timestamp, and correlation ID
  • Credential rotation — Automated 90-day rotation via secrets manager

Consistency Note

This guide aligns with the account names used in the OS & Prerequisites Guide, Linux Deployment Guide, Windows Deployment Guide, and Cloud Deployment Guide. All deployment guides reference the same 4 service accounts documented here.

02 Industry Standards Comparison

How MinusNow's approach compares to major ITSM platforms.

Platform | App DB Accounts | Module Isolation Method | Agent Account
--- | --- | --- | ---
ServiceNow | 1 (single connection pool) | Application ACLs + Roles | MID Server service user
Jira Service Management | 1 (single connection pool) | Permission Schemes + Roles | N/A (SaaS)
BMC Helix ITSM | 1 (AR System user) | Application permissions + groups | Agent service account
Freshservice | 1 (SaaS) | Role-based permissions | Discovery Probe user
MinusNow | 1 (minusnow) | Application RBAC (6 roles) | mnow-agent

Why Not Per-Module Database Users?

A common misconception is that each application module should have its own database user. This approach has significant drawbacks for a single-process platform:

  • Single process, single pool — MinusNow is one Node.js process. Module isolation at the DB layer provides no additional security because the same process handles all modules.
  • Connection pool fragmentation — Separate pools per user multiply resource consumption, draining PostgreSQL connection slots.
  • Operational burden — Rotating many passwords, monitoring many accounts, and debugging many connection issues is unsustainable.
  • Cross-module queries — Reporting, AI/XAI, RCA & Forensics, and Automation modules need to JOIN data across all modules. Per-module DB users would require complex cross-grants that negate isolation benefits.
  • Industry consensus — No major ITSM platform (ServiceNow, Jira, BMC, Freshservice) uses per-module DB accounts. All enforce permissions at the application layer.

03 Service Account Inventory

MinusNow requires exactly 4 service accounts across all deployment types (on-premises, cloud, and hybrid).

# | Account | Layer | Purpose | Where
--- | --- | --- | --- | ---
1 | minusnow | OS + DB | Primary application account — runs the Node.js process, owns the database | ITSM server
2 | mnow-agent | OS only | Monitoring agent — runs on each managed host for discovery, monitoring, auto-healing | Managed hosts
3 | mnow_backup | DB only | Database backup — read-only access for pg_dump | Backup server
4 | mnow_monitor | DB only | Database health monitoring — read-only access to pg_stat_* views | Monitoring server

minusnow — Application Service Account

Primary account running the MinusNow ITSM platform process and owning the database

OS-Level Properties

Property | Linux | Windows
--- | --- | ---
Username | minusnow | minusnow (local) or DOMAIN\svc-minusnow (AD)
Shell | /bin/bash (needed for deployment tasks) | Standard user (no admin)
Home directory | /opt/minusnow | C:\MinusNow\ITSM
File access | Read/write: /opt/minusnow, /var/log/minusnow, /var/lib/minusnow | Modify on C:\MinusNow
Privileges | Non-root, no sudo | Non-admin, "Log on as a service"

Database Permissions

Permission | Scope | Rationale
--- | --- | ---
OWNER | minusnow_itsm database | Application manages its own schema via Drizzle ORM migrations
ALL PRIVILEGES | All tables in public schema | Full CRUD needed — module permissions enforced by application RBAC
NOSUPERUSER | Cluster-level | Cannot modify other databases or PostgreSQL configuration
NOCREATEDB | Cluster-level | Cannot create additional databases
NOCREATEROLE | Cluster-level | Cannot create other database roles

Modules Served (via Application RBAC)

This single account serves all 21 modules: Incidents, Alerts, Changes, Problems, Assets/CMDB, Service Catalog, Knowledge Base, SLA Management, On-Call/Escalation, Reporting/Analytics, Security/Compliance, AI/Explainable AI, Notifications, Audit/Logging, Status Page, Agent Management, Backup/DR, Automation & Self-Healing, RCA & Forensics, Capacity Management, and Vulnerability & Patch Management.

mnow-agent — Monitoring Agent Account

Runs on each managed host for monitoring, discovery, auto-healing, capacity scanning, and vulnerability assessment

OS-Level Properties

Property | Linux | Windows
--- | --- | ---
Username | mnow-agent | mnow-agent (local service account)
Shell | /usr/sbin/nologin (no interactive login) | Standard user, "Log on as a service"
Groups | mnow-agent, systemd-journal | Performance Monitor Users
SSH access | Disabled | N/A
Home directory | None (--no-create-home) | Default (restricted)

Sudo Permissions (Linux)

# /etc/sudoers.d/mnow-agent
mnow-agent ALL=(ALL) NOPASSWD: \
  /usr/bin/systemctl restart *, \
  /usr/bin/systemctl status *, \
  /usr/sbin/service * restart, \
  /usr/bin/apt-get update, \
  /usr/bin/apt-get install -y --only-upgrade *, \
  /usr/bin/yum update -y *, \
  /usr/bin/dmidecode, \
  /usr/sbin/lshw -json

Capabilities Served

Monitoring metrics collection, service auto-healing (restart), asset/hardware discovery, capacity scanning (CPU/RAM/disk), vulnerability assessment (OS package checks), agent self-update.

mnow_backup — Database Backup Account

Read-only PostgreSQL user for automated database backups via pg_dump

Database Permissions

Permission | Scope | Rationale
--- | --- | ---
pg_read_all_data | All tables (read-only) | Required for full database dump
NOSUPERUSER | Cluster-level | Cannot modify database or config
NOCREATEDB | Cluster-level | Cannot create databases
CONNECTION LIMIT 2 | Per-user limit | Only one backup runs at a time; extra slot for monitoring

Security Controls

  • Credentials stored in HashiCorp Vault or cloud secrets manager
  • Access restricted by IP (pg_hba.conf) to backup server only
  • Backup files encrypted at rest (AES-256) with checksum validation
  • Password rotated every 60 days

mnow_monitor — Database Health Monitor

Read-only PostgreSQL user for Prometheus/Grafana database metrics collection

Database Permissions

Permission | Scope | Rationale
--- | --- | ---
pg_monitor | Monitoring views | Access to pg_stat_activity, pg_stat_user_tables, pg_locks, etc.
CONNECT | minusnow_itsm database | Can connect but not read application data
CONNECTION LIMIT 3 | Per-user limit | Prometheus scrapes + dashboard queries

No Access To

  • Application tables (incidents, users, assets, etc.)
  • Audit logs or sensitive data
  • Write operations of any kind

04 OS-Level User Configuration

Create and configure service accounts at the operating system level. These commands match the deployment guides exactly.

Linux (Ubuntu / RHEL / Debian)

#!/bin/bash
# === MinusNow Application User ===
# Matches: Linux On-Prem Guide, Cloud Guide, OS & Prerequisites Guide
# -r: system account; -m -d: create /opt/minusnow as its home; bash shell for deployment tasks
sudo useradd -r -m -d /opt/minusnow -s /bin/bash minusnow

# Create application directories
sudo mkdir -p /opt/minusnow-itsm
sudo mkdir -p /var/log/minusnow
sudo mkdir -p /var/lib/minusnow/{data,backups}
sudo chown -R minusnow:minusnow /opt/minusnow-itsm
sudo chown -R minusnow:minusnow /var/log/minusnow
sudo chown -R minusnow:minusnow /var/lib/minusnow

# === Monitoring Agent User (on managed hosts only) ===
# Matches: OS & Prerequisites Guide, Agent Installation Guide
# System account with no interactive shell and no home directory (-M)
sudo useradd -r -M -s /usr/sbin/nologin mnow-agent

# Grant agent limited sudo for auto-healing and discovery.
# A quoted heredoc writes the rules verbatim: the shell neither expands the '*'
# nor removes the line-continuation backslashes, which an echo "..." would.
# Note that in sudoers a '*' also matches whitespace, so each wildcard accepts
# additional arguments; pin exact unit and package names where the host allows.
sudo tee /etc/sudoers.d/mnow-agent > /dev/null <<'EOF'
mnow-agent ALL=(ALL) NOPASSWD: \
  /usr/bin/systemctl restart *, \
  /usr/bin/systemctl status *, \
  /usr/sbin/service * restart, \
  /usr/bin/apt-get update, \
  /usr/bin/apt-get install -y --only-upgrade *, \
  /usr/bin/yum update -y *, \
  /usr/bin/dmidecode, \
  /usr/sbin/lshw -json
EOF
sudo chmod 0440 /etc/sudoers.d/mnow-agent

# Syntax-check the drop-in: a parse error in any sudoers.d file makes sudo
# refuse to run for every user on the host, not just the agent
sudo visudo -cf /etc/sudoers.d/mnow-agent

Windows Server

# === MinusNow Application User ===
# Matches: Windows On-Prem Guide, Cloud Guide
# Run from an elevated Windows PowerShell 5.1 session. GeneratePassword lives in
# System.Web, which is not loaded by default (and is absent from PowerShell 7).
Add-Type -AssemblyName System.Web
$pw = [System.Web.Security.Membership]::GeneratePassword(32, 8)
# Switch parameters take an explicit value only in the colon form (-Name:$false)
New-LocalUser -Name "minusnow" `
    -Password (ConvertTo-SecureString $pw -AsPlainText -Force) `
    -Description "MinusNow ITSM service account" `
    -PasswordNeverExpires:$false
# Store $pw in the secrets manager now; the service installer needs it and it cannot be recovered later

# Create and secure application directory
New-Item -ItemType Directory -Path "C:\MinusNow\ITSM" -Force
New-Item -ItemType Directory -Path "C:\MinusNow\ITSM\data" -Force
New-Item -ItemType Directory -Path "C:\MinusNow\ITSM\logs" -Force
New-Item -ItemType Directory -Path "C:\MinusNow\ITSM\backups" -Force

# Modify (not Full Control) on the tree, inherited by subfolders and files
$acl = Get-Acl "C:\MinusNow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "minusnow", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "C:\MinusNow" $acl

# === Monitoring Agent User (on managed hosts only) ===
# Matches: Agent Installation Guide
$agentPw = [System.Web.Security.Membership]::GeneratePassword(32, 8)
New-LocalUser -Name "mnow-agent" `
    -Password (ConvertTo-SecureString $agentPw -AsPlainText -Force) `
    -Description "MinusNow monitoring agent" `
    -PasswordNeverExpires:$false `
    -UserMayNotChangePassword

# Read access to performance counters only; the agent is never a local administrator
Add-LocalGroupMember -Group "Performance Monitor Users" -Member "mnow-agent"

05 Database Accounts & Grants

PostgreSQL user creation and permission grants. These match the database setup in the deployment guides.

Create All Database Users

-- =============================================================
-- MinusNow Database Setup
-- Matches: OS & Prerequisites, Linux/Windows/Cloud Deploy Guides
-- Run in psql as the postgres superuser. Requires PostgreSQL 14+
-- (pg_read_all_data role). Replace the placeholder passwords with
-- values generated in your secrets manager.
-- =============================================================

-- 1. Primary application user (data owner)
CREATE USER minusnow WITH PASSWORD 'REPLACE_WITH_SECURE_PASSWORD'
  NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE DATABASE minusnow_itsm OWNER minusnow;
GRANT ALL PRIVILEGES ON DATABASE minusnow_itsm TO minusnow;

-- Connect to application database for remaining setup (psql meta-command)
\c minusnow_itsm

-- Grant schema privileges (Drizzle ORM runs migrations as minusnow)
GRANT ALL ON SCHEMA public TO minusnow;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT ALL ON TABLES TO minusnow;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT ALL ON SEQUENCES TO minusnow;

-- Enable required extensions
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";    -- UUID generation
CREATE EXTENSION IF NOT EXISTS "pg_trgm";      -- Fuzzy text search

-- 2. Backup user (read-only for pg_dump)
CREATE USER mnow_backup WITH PASSWORD 'REPLACE_WITH_SECURE_PASSWORD'
  NOSUPERUSER NOCREATEDB NOCREATEROLE CONNECTION LIMIT 2;
GRANT pg_read_all_data TO mnow_backup;
-- Explicit CONNECT so the backup keeps working once PUBLIC's CONNECT is revoked below
GRANT CONNECT ON DATABASE minusnow_itsm TO mnow_backup;

-- 3. Monitoring user (stats only, no application data)
CREATE USER mnow_monitor WITH PASSWORD 'REPLACE_WITH_SECURE_PASSWORD'
  NOSUPERUSER NOCREATEDB NOCREATEROLE CONNECTION LIMIT 3;
GRANT pg_monitor TO mnow_monitor;
GRANT CONNECT ON DATABASE minusnow_itsm TO mnow_monitor;

-- Revoke public access: only the owner and the two roles granted above may
-- connect, and no role other than the owner may create objects or read tables
REVOKE CONNECT ON DATABASE minusnow_itsm FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- already the default on PostgreSQL 15+
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

Connection Limits

Account | Connection Limit | Rationale
--- | --- | ---
minusnow | 50 (default pool) | Application connection pool — sized for production load
mnow_backup | 2 | One active backup + one monitoring connection
mnow_monitor | 3 | Prometheus scraper + Grafana dashboard queries

pg_hba.conf Access Control

# pg_hba.conf is evaluated top to bottom and the first matching line wins,
# so the specific allow rules must come before the final reject rules.
# "md5" also accepts SCRAM-SHA-256 hashed passwords (the default
# password_encryption on PostgreSQL 14+); use "scram-sha-256" to refuse MD5 entirely.

# MinusNow application (local connections only)
local   minusnow_itsm   minusnow                                md5
host    minusnow_itsm   minusnow        127.0.0.1/32            md5
host    minusnow_itsm   minusnow        ::1/128                 md5

# Backup user (restrict to backup server IP)
host    minusnow_itsm   mnow_backup     10.0.1.100/32           md5

# Monitoring user (restrict to monitoring server IP)
host    minusnow_itsm   mnow_monitor    10.0.1.101/32           md5

# Deny everything else (IPv4 and IPv6)
host    all             all             0.0.0.0/0               reject
host    all             all             ::/0                    reject

06 Application-Level RBAC

Module-level access control is enforced by the MinusNow application, not at the database layer. This is the primary security boundary for user permissions.

Application Roles

Role | Description | Scope | Typical Users
--- | --- | --- | ---
admin | Full platform administration | All modules + system config | IT Directors, Platform Admins
manager | Team management, approvals, reports | Assigned modules + reports | IT Managers, Team Leads
operator | Create, update, and resolve records | Assigned modules (CRUD) | Support Analysts, Engineers
viewer | Read-only dashboards and records | Assigned modules (read) | Stakeholders, Executives
requester | Submit and track own requests | Service catalog + own items | End Users, Employees
auditor | Read-only access + audit logs | All modules (read-only) | Compliance Officers, External Auditors

Key Principle

Human users are assigned roles. The application checks roles on every API request. The database user (minusnow) has full access, but the application only executes queries that the user's role permits. This is the same model used by ServiceNow, Jira, and every major ITSM platform.

07 Full Module Permission Matrix

Complete RBAC mapping for all 21 platform modules, including Automation & Self-Healing, RCA & Forensics, Capacity Management, and Vulnerability & Patch Management.

Moduleadminmanageroperatorviewerrequesterauditor
IncidentsCRUDCRUDCRURR
AlertsCRUDCRUCRURR
ChangesCRUDCRUDCRURR
ProblemsCRUDCRUDCRURR
Assets / CMDBCRUDCRUCRURR
Service CatalogCRUDCRUCRURCRR
Knowledge BaseCRUDCRUDCRURRR
SLA ManagementCRUDCRURRR
On-Call / EscalationCRUDCRURRR
Reporting / AnalyticsCRUDCRURRR
Security / ComplianceCRUDRR
AI / Explainable AICRUDRURRRR
NotificationsCRUDCRURRRR
Status PageCRUDCRUCRURRR
Automation & Self-HealingCRUDCRUCRURR
RCA & ForensicsCRUDCRUDCRURR
Capacity ManagementCRUDCRURRR
Vulnerability & Patch MgmtCRUDCRUCRURR
Agent ManagementCRUDCRURRR
Users & TeamsCRUDCRURRR
System ConfigCRUDR
Audit LogsRRR
Backup / DRCRUDR

Legend

C = Create   R = Read   U = Update   D = Delete   (empty cell) = No access. Highlighted rows are modules added in v3.0.

08 Credential Rotation & Lifecycle

Rotation schedules and lifecycle management for the 4 service accounts.

Rotation Schedule

Account | Credential Type | Rotation | Method
--- | --- | --- | ---
minusnow | DB password + API key | Every 90 days | Automated via Vault / secrets manager
mnow-agent | Agent registration token | Every 90 days | Automated via agent auto-update
mnow_backup | DB password | Every 60 days | Automated via Vault + backup script
mnow_monitor | DB password | Every 90 days | Automated via Vault + Prometheus config reload

Rotation Script (Primary Application Account)

#!/bin/bash
# Automated password rotation for minusnow DB user
# Cron: 0 2 1 */3 * /opt/minusnow/scripts/rotate-db-password.sh
# Requires ADMIN_PW (postgres superuser password) and VAULT_ADDR/VAULT_TOKEN in the
# cron job's environment, e.g. from a root-only environment file.
# Stop at the first failure so the application is never restarted with
# credentials that the database and the secrets manager disagree on.
set -euo pipefail
: "${ADMIN_PW:?ADMIN_PW must be set}"

# 64 hex characters: no quotes or shell metacharacters, safe to embed in SQL below
NEW_PASSWORD=$(openssl rand -hex 32)

# 1. Update secrets manager first: if this fails nothing has changed in the
#    database and the running application keeps working with the old password
vault kv put secret/minusnow/db password="${NEW_PASSWORD}"

# 2. Update PostgreSQL password. The statement is fed on stdin rather than
#    passed with -c so the new password never appears in the process list.
PGPASSWORD="$ADMIN_PW" psql -U postgres -d minusnow_itsm -v ON_ERROR_STOP=1 <<SQL
ALTER USER minusnow WITH PASSWORD '${NEW_PASSWORD}';
SQL

# 3. Log the rotation (no secrets in log)
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) - Rotated DB password for minusnow" \
  >> /var/log/minusnow/rotation.log

# 4. Gracefully restart application to pick up new credentials
sudo systemctl restart MinusNow

Account Lifecycle

Phase | Actions | Responsible
--- | --- | ---
Provisioning | Create OS user, DB user, generate credentials, store in Vault | Platform Admin (initial install)
Active | Monitor usage, rotate credentials on schedule, audit access | Automated + Security Team
Quarterly Review | Validate permissions, check unused accounts, review audit logs | Security / Compliance Team
Modification | Adjust connection limits, update IP restrictions, add/remove sudo entries | Platform Admin
Decommissioning | Disable account, revoke all DB grants, remove OS user, archive logs | Platform Admin + Security

09 Compliance & Audit Trail

Framework mapping and audit log format for regulatory compliance.

Compliance Framework Mapping

Requirement | Framework | How MinusNow Satisfies
--- | --- | ---
Least privilege access | SOC 2, ISO 27001 | 4 consolidated accounts with minimum required permissions; application RBAC for user access
Separation of duties | SOX, NIST 800-53 | 6 application roles separate admin, operator, viewer, and auditor. Backup account is read-only.
Credential rotation | PCI-DSS, SOC 2 | 60–90 day automated rotation via secrets manager
Audit trail | All frameworks | Append-only audit logs with user, timestamp, action, and correlation ID
Access review | SOC 2, ISO 27001 | Quarterly automated review of all 4 accounts + RBAC role assignments
Non-interactive accounts | CIS Benchmarks | Agent account has nologin shell; DB-only accounts have no OS user

Audit Log Format

{
  "timestamp": "2026-02-25T14:30:00Z",
  "user": "john.doe@company.com",
  "role": "operator",
  "action": "incidents:update",
  "resource_type": "incident",
  "resource_id": "INC-2026-001234",
  "details": {
    "field": "status",
    "old_value": "In Progress",
    "new_value": "Resolved"
  },
  "source_ip": "10.0.1.50",
  "user_agent": "Mozilla/5.0 ...",
  "session_id": "sess_abc123",
  "correlation_id": "req_xyz789",
  "db_user": "minusnow"
}

Audit Design

The db_user is always minusnow. The important fields for audit are user (human identity) and role (RBAC role). This is the same audit model used by ServiceNow, Jira, and BMC.

10 Application User Management

Provisioning, administering, and offboarding human application users.

Initial Admin Bootstrapping

On first deployment, MinusNow creates a default administrator account. At least one admin user is required at all times.

Property | Default Value | Notes
--- | --- | ---
Email | admin@<your-domain> | Set via ADMIN_EMAIL env var
Role | Admin | Full CRUD on all modules
Password | Generated on first run | Printed once to stdout; must be changed immediately
MFA | Required after first login | TOTP, SMS, or email verification

Important: The initial admin password is displayed only once during first startup. Save it securely and change it immediately upon first login.

Minimum Admin Requirements

Deployment Scale | Min Admin Users | Min Operators | Recommended Setup
--- | --- | --- | ---
Small (1–50 users) | 1 | 1 | 1 admin + 1 operator + viewers
Medium (50–250 users) | 2 | 2 | 2 admins + 2 operators + 1 manager + viewers
Enterprise (250+ users) | 3 | 5 | 3 admins + 5 operators + 2 managers + 1 auditor + viewers

Recommendation: Always maintain at least 2 admin accounts in production to prevent lockout scenarios. Store break-glass credentials in a secure vault.

User Provisioning Methods

Method | How | Best For
--- | --- | ---
Manual invite | Settings → Team & Roles → Invite User | Small teams, individual onboarding
Directory Sync | Directory Integration page → Configure AD/LDAP → Sync | Enterprises with Active Directory
SCIM provisioning | Identity provider (Okta, Azure AD) pushes users via SCIM 2.0 endpoint | Automated JML workflows
Self-registration | Enable in Settings → General; users register at /auth | Internal portals, requesters

User Deactivation & Offboarding

When a user leaves the organization or no longer requires access:

Step | Action | Where
--- | --- | ---
1 | Disable user login (preserves audit trail) | Settings → Team & Roles → User → Revoke Access
2 | Reassign open tickets and owned assets | Incident/Change Management → Bulk Reassign
3 | Revoke all active sessions | Settings → Security → Session Management (or API)
4 | Revoke API tokens belonging to user | Settings → API Keys → Revoke
5 | Directory Sync auto-disable (if configured) | Directory Integration → Deprovisioning Policy

Data Retention: Deactivated users are soft-deleted — their profiles and audit trail entries are retained per your data retention policy (default: 7 years for compliance). To permanently delete, use Settings → Data Management.

11 Directory Integration & SSO

Synchronize users from Active Directory, LDAP, or SAML/OIDC identity providers.

Supported Providers

Provider | Protocol
--- | ---
Microsoft Active Directory | LDAP / LDAPS
Azure Active Directory | OIDC / SAML 2.0
Okta | SAML 2.0 / OIDC
Google Workspace | OIDC
OpenLDAP | LDAP / LDAPS

SSO login for Microsoft Active Directory is provided via AD FS / Azure AD.

LDAP/AD Sync Configuration

Configure in-app via Directory Integration page:

Setting | Example | Description
--- | --- | ---
LDAP Host | ldaps://dc01.corp.example.com:636 | Domain controller address (use LDAPS for TLS)
Bind DN | CN=svc-minusnow,OU=ServiceAccounts,DC=corp,DC=example,DC=com | Service account for LDAP queries
Base DN | OU=Users,DC=corp,DC=example,DC=com | User search scope
User Filter | (&(objectClass=user)(memberOf=CN=MinusNow-Users,OU=Groups,DC=corp,DC=example,DC=com)) | Only sync users in the MinusNow group
Sync Interval | Every 15 minutes | Poll frequency for delta changes
Attribute Mapping | sAMAccountName → username, mail → email, displayName → name | Map AD attributes to MinusNow fields

TLS Required: Production deployments must use LDAPS (port 636) or StartTLS. Plain LDAP (port 389) is disabled by default and should only be used in dev/testing environments.

Role Mapping

Map Active Directory groups to MinusNow application roles:

AD Group | MinusNow Role | Auto-Provision
--- | --- | ---
MinusNow-Admins | Admin | Yes
MinusNow-Managers | Manager | Yes
MinusNow-Operators | Operator | Yes
MinusNow-Viewers | Viewer | Yes
MinusNow-Requesters | Requester | Yes
MinusNow-Auditors | Auditor | Yes

12 API Token Management

Create, scope, rotate, and revoke API tokens for programmatic access.

Token Types

Token Type | Prefix | Scope | Max Lifetime | Created By
--- | --- | --- | --- | ---
Personal Access Token | mn_pat_ | Inherits user role permissions | 365 days | Any user
Service Token | mn_svc_ | Configurable per-module scopes | No expiry (rotation required) | Admin only
Agent Registration Token | mn_agt_ | Agent registration + heartbeat | 30 days | Admin / Operator
Webhook Signing Token | mn_whk_ | Webhook endpoint verification | No expiry | Admin only

Token Permission Scopes

Scope | Description | Example Endpoints
--- | --- | ---
incidents:read | Read incidents, comments, timeline | GET /api/incidents
incidents:write | Create, update, close incidents | POST /api/incidents, PATCH /api/incidents/:id
changes:read | Read change requests and approvals | GET /api/changes
changes:write | Create and approve change requests | POST /api/changes
monitoring:read | Read alerts, metrics, host status | GET /api/monitoring/alerts
monitoring:write | Acknowledge, silence alerts | POST /api/monitoring/alerts/:id/ack
cmdb:read | Read configuration items, relationships | GET /api/cmdb/items
cmdb:write | Create, update CIs and relationships | POST /api/cmdb/items
users:read | List users, roles, teams | GET /api/users
users:admin | Create, deactivate, change roles | POST /api/users, DELETE /api/users/:id
admin:* | Full admin API access (all scopes) | All endpoints

Token Lifecycle

Stage | Action | Details
--- | --- | ---
Creation | Generate via Settings → API Keys, or POST /api/tokens | Token value shown once; hash stored server-side
Usage | Include in Authorization: Bearer mn_pat_... header | Rate-limited to 1,000 req/min per token
Rotation | Generate new token, update integrations, revoke old token | Recommended: 90-day rotation for service tokens
Revocation | Settings → API Keys → Revoke, or DELETE /api/tokens/:id | Immediate; existing sessions using token are terminated

Security: API tokens provide direct access to the platform. Never commit tokens to source control. Use environment variables or a secrets manager. All token usage is recorded in the audit log.

13 Password Policy & Session Management

Configure password complexity, multi-factor authentication, and session controls.

Password Policy

Setting | Default | Configurable | Compliance
--- | --- | --- | ---
Minimum length | 12 characters | 8–128 via Settings → Security | NIST 800-63b
Uppercase required | Yes | Yes | PCI-DSS
Number required | Yes | Yes | PCI-DSS
Special character required | Yes | Yes | PCI-DSS
Password expiry | 90 days | 30–365 days or never | SOC 2
Password history | Last 12 passwords | 5–24 | ISO 27001
Breached password check | Enabled | Yes | NIST 800-63b

Multi-Factor Authentication

MFA Method | Default | Supported
--- | --- | ---
Authenticator App (TOTP) | Primary | Google Authenticator, Authy, 1Password, etc.
SMS Code | Fallback | Twilio, AWS SNS
Email Verification | Fallback | Built-in email provider

Configure MFA enforcement in Settings → Security → Multi-Factor Authentication. When enforced, all users must enroll on their next login.

Session Management

Setting | Default | Configurable Range
--- | --- | ---
Session timeout (idle) | 30 minutes | 15–480 minutes
Max concurrent sessions | 5 per user | 1–20
Max login attempts before lockout | 5 attempts | 3–15
Lockout duration | 15 minutes | 5–60 minutes
IP allowlist | Disabled | CIDR ranges via Settings → Security

14 Quick Reference

Complete summary and cross-documentation links.

Account Summary

Account | Type | Where It Runs | DB Access | Rotation
--- | --- | --- | --- | ---
minusnow | OS + DB | ITSM server | Owner (full CRUD) | 90 days
mnow-agent | OS only | Managed hosts | None (API only) | 90 days
mnow_backup | DB only | Backup server | Read-only (pg_dump) | 60 days
mnow_monitor | DB only | Monitoring server | Stats views only | 90 days

Environment Variables

# =====================================================
# MinusNow Service Account Configuration
# Production: Use Vault, AWS Secrets Manager, or Azure Key Vault
# =====================================================

# Primary application account
DATABASE_URL=postgresql://minusnow:<from-secrets-manager>@localhost:5432/minusnow_itsm
SESSION_SECRET=<from-secrets-manager>
APP_BASE_URL=https://minusnow.yourdomain.com

# Agent communication
AGENT_API_KEY=<from-secrets-manager>
AGENT_REGISTRATION_TOKEN=<from-secrets-manager>

# Backup account (used by backup script only)
BACKUP_DB_USER=mnow_backup
BACKUP_DB_PASS=<from-secrets-manager>

# Monitoring account (used by Prometheus postgres_exporter)
MONITOR_DB_USER=mnow_monitor
MONITOR_DB_PASS=<from-secrets-manager>

Cross-Documentation Reference

Topic | Guide | Section
--- | --- | ---
OS user creation (Linux) | Linux Deployment Guide | Step 3 — Create Application User
OS user creation (Windows) | Windows Deployment Guide | Step 2 — Directory Structure
OS user creation (Cloud) | Cloud Deployment Guide | Steps 3 & 5 — Install
Database setup & user creation | OS & Prerequisites | Database Setup
Agent user & sudo setup | OS & Prerequisites | User Permissions
Agent installation | Agent Install Guide | Full guide
Module capabilities | Comprehensive Module Guide | All 21 modules
Firewall ports | OS & Prerequisites | Firewall & Ports