Accounts like the "svc_foundation-hub" account are special built-in accounts of type "ServiceAccount" which has an internal password.

The Account Type "ServiceAccount" is an internal user type that is intended for service accounts needed when running background tasks like communication between Foundation Applications to synchronize data, resolving URNs, running certain Pipeline Pilot protocols etc. Such Service Accounts are created during the registration of a product with Foundation Hub. Although the UI does not prevent this, customers should not be using the ServiceAccount type when creating users. If you open such an account from the user table, you will notice that they cannot be edited through the UI.

When a service account is created, it gets a randomly generated and encrypted password. Each application is responsible for storing this securely. The Foundation Hub stores its own service account encrypted in the database and it is not possible, even for an administrator, to decrypt this. Although the account is a standard account in the sense that it can technically be used to login through the UI or API, only the decrypted password will be accepted. Since only the specific instance of Foundation Hub knows how to decrypt the password, the logins with this account can only be made by background tasks by the Foundation Hub itself.

Related to this, there is also a group named "Foundation/Service Accounts" where e.g. the "svc_foundation-hub" user is a member. This is a special group where only service accounts should be members. The different service accounts are responsible for running various jobs and this group has the permissions required to run those jobs. Changing this group's permissions will break Foundation Hub.