Create "constrained" user under SAML pattern

My organization is using parent and sub-account pattern with SAML enabled at parent.
This means all my users must authenticate towards my enterprise identity.

My user id is enabled at parent as I am admin “globally” and at the same time I am responsible for a sub-account too operationally for my business unit.

I want to create an API key so that other users (different sub-account) can create alerts from the my sub-account data. I want to achieve this by having a user id with “alert manager” only.

My possible options:

  1. Reuse my userid in the sub-account - this is risky 'cos I am admin for the sub-account.
  2. Constraint my user id in the sub-account to “alert manager” only - this is constraining myself not able to do other operations.
  3. Create another user “e.g. robot” in the sub-account - but I am not able to see the API keys.

Can you please comment what is the best way to create a user that is restricted to “alert manager” and I can have the api keys for that user?

Thx.