Service users
A service user is for
server-to-server authentication as part of the replication process and does not consume a license. To learn more, see service user under p4 user in the P4 CLI Reference.
On this page:
Multiple service users
Create a separate service user for each commit server, edge server, replica server, or proxy server that you control. This makes it easier to interpret your server logs.
Having service users improves security by requiring that communication between participating servers takes place using an authenticated user with a ticket.
| Type | Service user is logged in according to: |
|---|---|
| proxy | The server specified by the -t on the proxy startup command. |
| replica | The server specified by the P4TARGET. |
|
edge |
|
| commit |
The |
Group for service users (recommended)
For ease of administration, it is a best practice to create a group for the service users, such as serviceusergroup. Adding each service user to the group makes it easier to set the access level to super for the all the service users because you only to set it one time for the entire group. Otherwise, you will need to set the access level for each service user. To learn more, see the Example of a group specification in P4 CLI Reference.
Tickets and timeouts for service users
The ticket for a service user defaults to unlimited in 2025.2 and later, so setting the Timeout value applies to 2025.1 and earlier. If the server is prior to 2025.2, a newly-created service user that is not a member of any group is
subject to the default ticket timeout of 12 hours. To avoid issues that
arise when a service user’s ticket ceases to be valid, set the Timeout: and
PasswordTimeout: values to unlimited.
-
On the commit server, create a group with a name such as
serviceusergroup:p4 group serviceusergroup
-
Add one or more service users to the list of
Users:in the group.
Group: serviceusergroup
Timeout: unlimited
PasswordTimeout: unlimited
Subgroups:
Owners:
Users:
serviceuser1
serviceuser2Access level for service users
To ensure the full functionality of replication, the service user needs the super access level A permission assigned to a user to control which commands the user can run. See also the 'protections' entry in this glossary and the 'p4 protect' command in the P4 CLI Reference.. Granting the super access level to the serviceusergroup is safe because service users are tightly restricted in the commands they can run. To learn more, see service user in the P4 CLI Reference.
On the commit server, use p4 protect to grant the group named serviceusergroup the super access level A permission assigned to a user to control which commands the user can run. See also the 'protections' entry in this glossary and the 'p4 protect' command in the P4 CLI Reference.:
Protections:
super group serviceusergroup * //...