Rules

Overview

Security rules are how Scalr admins enforce rules across the entire account. The permission security-rules: is required to update any of the security rules. All security rules can be configured at the admin level under security -> rules.

API Tokens Max Lifetime

Account admins can set maximum lifetimes for personal or service account tokens through the account security rules. The max lifetime is set in minutes and can be up to one year (525,600 minutes).

After it is set, users will not be able to set an API token lifetime higher than the limit specified.

Service Account Owner

Requiring service account owners helps reduce the risk of orphaned API tokens or unauthorized access. When enabled, this rule requires at least one owner team to be assigned whenever a service account is created or updated; validation blocks the operation if no owner is assigned. Account admins can activate this feature through the "Require service account owners" toggle.

Enforce Execution on Self-Hosted Agents

Admins can enable a security rule that requires all workspaces to run on self-hosted agents. When enabled, all new and existing workspaces must have a self-hosted agent pool configured to execute runs or save workspace updates.

If users try to execute a run without a self-hosted agent set in the workspace, the run will fail with an error.

Workspaces cannot be updated until the self-hosted agent is set in the pipeline settings.