Service Users have been around in Dynatrace for some time now. Although first only createable via API, they can now be created via the Account management UI as well. However I ran into a not-so obvious challenge there when I wanted to create a service user for my monaco deployment pipeline.
Monaco requires an OAuth Client to work. So I wanted to create an OAuth Client for a service user. When you do that via the UI you will be challenged by this message:

The problem is that you cannot easily assign the "account-user-mangement" permission to a service user. If you try to edit the service user you will not get this permission listed to add it (likely because it is a account permission with no policy available?).

My intuitive thought was:

"OK, lets create a group; give that group account user management permissions; bind monaco required policies to it and then add the service user to that group"

This also fails because you can't add a service user to a group like any other user! (IMO that is a bug!)

So I tried this, which worked:

First: create a group "Monaco" assign it account permissions and bind some policies to it:

Second: since you can't add a service user to the group via UI, add it to the "Monaco" group via API.
In my case I did this via monaco (using another OAuth client):

Now the service user has the required permissions so that we can create a OAuth client for it. The UI will not complain about missing permissions of the service user:

And you can now change your Monaco setup to use the new service user OAuth client. Any configuration change will now be recorded as done by the service user instead of any personalized account:

I think after the creation of the OAuth client you can also remove the service user from the "Monaco" group again, but I haven't tested that so far.