We have an application that uses app-based authentication using the OAuth2.0 appid and secret workflow. The development team is concerned that they might need to recycle the secret of the OAuth2.0 application (in case of a breach, or to comply with other security standards) while the Portal item owner is away (vacation, sick leave, etc.).
We tried adding the OAuth Portal item to a shared update group, but members of the shared update group couldn't recycle the secret on behalf of the owner. Is there another pattern that Esri wants us to follow in this case, short of creating system / headless accounts (which I think is prohibited anyway)? These system accounts would need to not only own the OAuth2.0 app but also any of the data layers it's scoped to.