How Workflow Credentials Work on a Gallery

SydneyF
Alteryx Alumni (Retired)

Screenshots in this article were taken with Alteryx Server version 2022.1.

Credentials are how we control who has access to what on a computer or a network. They prevent people from touching data, folders, or content they aren’t supposed to.

 


Workflows on a Gallery are run on the Server machine. By default, all workflows are run as the service account. The service account on a machine will have the permissions of the base account set up by your IT department.

 

If a workflow needs more permissions than the service account has in order to run successfully, there are three options: the Run As User, Subscription/User-level credentials, or Workflow credentials.

 

Credentials for Gallery Workflows are an override system based on priority. If nothing else is set, by default the Server will run all workflows as the service account. If Run As Credentials are set, then the Server defaults to the run as credentials, and so on. This is illustrated in the Pyramid of Credentials below.

 

[Figure: Pyramid of Credentials]

 

All workflow credentials must have certain permissions on the Server machine. Without these permissions, authentication will fail. For more details, please see our help documentation regarding Run As Permissions.

 

Setting Credentials
 

The Run As User setting, found under System Settings > Worker > Run As, is where you can change the default account that workflows run as, from the service account to an account of your choosing.

 


Once this option is set, all workflows on the Server will default to running under these credentials.

 

Subscription-level Credentials

 

The Service and Run As credentials can be overridden at the Subscription, User, and Workflow levels. The next level is the Subscription, which is also referred to as a Studio in Alteryx Gallery.

 

Subscription-level credentials are set by the Gallery Administrator in the Admin view, under Subscriptions. A Gallery Admin can change the default workflow credentials by selecting the Change Account option.

 


In this selection window, you will be able to select from any credentials created on the Gallery (Workflow credentials are created in the Workflow Credentials Tab, demonstrated later in this article).

 


Subscription credentials are handy for department-level permissions (e.g., the Human Resources Workflow Credentials would grant different permissions than the IT department credentials).

 

Adding Credentials in Gallery
 

Workflow credentials are the most granular level of credentials, so they override all other workflow credential settings. Workflow credentials are added in the Admin view in Gallery, under the Credentials section.

 


There are different options for Workflow Credentials settings, which can be changed from the Configuration section of Gallery Admin. The Workflow Credentials Setting determines whether users are required to enter their credentials when they run workflows. 

This setting has three options: "Use Default Credentials", "Require User Credentials", and "Allow Users to Select".

The "Use Default Credentials" option is selected by default. This option runs all workflows as the Run As User set in the system settings, or, if available, as the Subscription credentials.

Refer to this article for more details on the three settings, and the implications of changing this setting for Schedules: Select the Workflow Credentials Setting for Your Server | Alteryx Help

The "Require User Credentials" option enables a prompt for users to enter their own credentials whenever they run a workflow.

 


The "Allow Users to Select" credentials option allows users to specify the credential requirements for a workflow when they publish a workflow from Designer to the Gallery. There are three options.

 


The second area of note in the Credentials section is the Add New Credentials option, which allows you to add new credentials to your Gallery. These credentials can be applied to workflows or used as Studio/User/Custom Group credentials (User and Custom Group credentials depend on your version of Alteryx Server and are available in more recent versions).
 


After credentials are created in the Gallery, they need to be shared with Users, Subscriptions, and Custom Groups for use. You can edit who credentials are shared with by clicking on the credential.

 


Then select the appropriate tab (Users or Custom Groups) and click Add.

Note: Newer versions of Server do not allow you to add Private Studios to these credentials. Studios/Subscriptions will be removed in a future release, and this ability is limited in order to help support that future transition. Only Studios added from previous versions of Server will be visible on that tab.

 


As a user, you can see which credentials a workflow was run as in the Run As column of the Workflow Results tab.
 


This can be helpful when trying to figure out why a workflow didn’t run – maybe it didn’t have the necessary permissions.

 

In Summary…

 

As described earlier in this post, credentials for workflows are an override system based on priority. The highest-priority credentials that are set will be used. If no credential options are set, the Gallery defaults to the service account, which can cause issues because service accounts often have limited permissions.
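The override order summarized above can be modeled to check the Run As column against what the settings should produce. This is an added illustration, not Alteryx code: the account names, the settings layout, and the placement of user-level credentials between subscription and workflow are assumptions.

```python
# Added illustration, not Alteryx code. Account names and the settings
# layout are constructed; "user" sitting between "subscription" and
# "workflow" is an assumption from the order the article lists the levels.
LEVELS = ("service_account", "run_as_user", "subscription", "user", "workflow")

SERVER = {  # constructed sample settings
    "service_account": r"CORP\svc_alteryx",
    "run_as_user": r"CORP\ayx_runas",
    "subscription": {"HR": r"CORP\hr_team"},
    "user": {},
    "workflow": {"payroll_export": r"CORP\payroll_svc"},
}

# Constructed results: (workflow, subscription, run by, Run As column)
RUNS = [
    ("payroll_export", "HR", "alice", r"CORP\payroll_svc"),
    ("headcount", "HR", "bob", r"CORP\hr_team"),
    ("asset_report", "IT", "carol", r"CORP\ayx_runas"),
    ("headcount", "HR", "dave", r"CORP\ayx_runas"),
]

def effective_identity(server, workflow, subscription, user):
    """Return (account, level) from the highest-priority level that is set."""
    candidates = {
        "workflow": server["workflow"].get(workflow),
        "user": server["user"].get(user),
        "subscription": server["subscription"].get(subscription),
        "run_as_user": server.get("run_as_user"),
        "service_account": server["service_account"],
    }
    for level in reversed(LEVELS):
        if candidates[level]:
            return candidates[level], level
    raise ValueError("no service account configured")

def audit(server, runs):
    """Flag runs that differ from the resolved identity or use a server-wide one."""
    findings = []
    for workflow, subscription, user, ran_as in runs:
        account, level = effective_identity(server, workflow, subscription, user)
        if ran_as != account:
            findings.append((workflow, user, f"ran as {ran_as}, expected {account} via {level}"))
        elif level in LEVELS[:2]:
            findings.append((workflow, user, f"no override set, used server-wide {level}"))
    return findings

if __name__ == "__main__":
    print(*audit(SERVER, RUNS), sep="\n")
```

A mismatch finding points at a credential that exists but is not being applied; a fall-through finding identifies workflows that depend on the broad server-wide account and are candidates for a narrower credential.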



Comments
cam_w
11 - Bolide

Hi @SydneyF!

 

This was helpful, thank you. If I understand this correctly, the Workflow Credentials are only used by the server for 'built in' server actions like accessing the network, or running the Run Command tool as a user.

 

Is there a way to use these same Workflow Credentials in the Alteryx Connector tools that require authentication to various systems? E.g. the Download tool has fields in the configuration for providing the credentials, and the SharePoint connectors likewise. Seems like I can set up Server Studios to use a special 'team' account to run workflows and access the network (by entering 'Default Workflow Credentials'), but I can't use that same 'team' account in my tools unless I manually enter the user and password into each tool. Is that right?

 

SydneyF
Alteryx Alumni (Retired)

Hi @cam_w,

 

If Run As User or Workflow credentials are set, when a workflow is executed (by the scheduler or from the Gallery) and the Alteryx Service calls the Alteryx Engine, it does so while impersonating the account of the user the workflow is set to use. This means that all processes in the workflow are executed as that workflow, so any databases or other shared resources (e.g., network drives) that are accessed are done so as that account.

 

As for your second question - the Workflow Credentials will typically not be applied to Connectors. This is because more often than not, the Connectors use types of authentication other than Windows Authentication (which is what the Workflow Credentials use). One option to dynamically update the connector credentials might be to create an Alteryx Application that updates tool configuration(s) based on user inputs. For help getting started with something like that, please check out the Tool Mastery | Action Tool, the Sample Workflows for Interface Tools in Designer, or post to the Designer Discussion Thread.

cam_w
11 - Bolide

Thanks @SydneyF!

 

From the Apps 302 class at Inspire, my own experimentation, and from digging around in the community posts, there doesn't seem to be a way to pass the Workflow Credentials to the Interface controls of an Analytic App. Hence, there is no way to schedule an App in Server and have the Connectors' credentials updated at run time. When I schedule an App with Interface inputs, it doesn't ask me to enter any inputs, so I would have to save the credentials into the App and change them in Designer. This is a limiting factor in cases where we are required to run a workflow/app as a system/team account instead of as a user account.

 

The 'credentials' stored on the Server for runtime are Data Connections and Workflow Credentials, but if the Connector can't use one of those methods to connect, the workflow or app can't be scheduled with system/team credentials.

 

Is something on the roadmap yet to add to Server a third category of connection credentials? Or should I create an Idea for it?

 

Seems like all three types of stored connections could be grouped into one location in the server, and then provide a mechanism to securely access the credentials (user/studio level permissions) and pass them to the App Interface controls.

 

Thanks,

 

Cameron

SydneyF
Alteryx Alumni (Retired)

Currently, the functionality you are describing is not available. Please do post to Server Product Ideas forum. Our product managers are very active on these pages and are always looking for great new ideas to enhance our product. 

 

Thank you!

cam_w
11 - Bolide

Thanks @SydneyF!

 

I went to the Ideas forum and searched (I need to remember to do this first .... :)   ). A few different ideas have already been submitted along the same lines as my suggestion. So I just added my 'star' to a couple of them, but decided to leave one here in case future readers have the same questions:

 

https://community.alteryx.com/t5/Alteryx-Server-Ideas/Make-Server-User-a-System-Constant/idc-p/30616...

 

Thanks again for your initial post, and for your patience with me as I learn the appropriate places to look for guidance. Much appreciated!

 

Kind regards,

 

Cameron

Mfishlock
5 - Atom

It would also be nice to be able to specify a particular AD credential to authenticate to a Data Connector (SQL Server, Oracle and others support AD authentication to their DB engines out of the box).

 

This would allow us to "define once, use many" the service account.

 

The collection of data connectors is then available as a shared resource to the developers.

ravisaiteja
5 - Atom

Where do we configure the service account in the Alteryx Server?

MichaelAd
Alteryx

Hi @ravisaiteja,

 

It can be set up in Windows Services for Alteryx Service.

 

Right Click Alteryx Service - Properties - Log On. 

Tick "This account".

 

 

 

Thanks.

RajibM
5 - Atom

Hi All,

What I can infer is that if we have Workflow credentials and Run As User set up, the workflows must run with the default workflow credentials set up in the Subscriptions.

But there is a scenario where an Artisan has shared the workflow on the Collections, and the non-artisan members are added as Members to the studio as well as the collections. However, when the non-artisans run the workflow, it runs with the local user or Run As User, which doesn't have sufficient permissions to the shared drive etc., and it fails.

Is there a way where we can set the default workflow credentials for the Collections which would allow any user to run the workflow shared on the Collections with default workflow credentials instead of local user?

Regards,

Rajib

Josue
6 - Meteoroid

Hi Rajib,

 

You will need to be on version 2020.2 to access the new functionality of the API endpoint to get the credential id. Older versions will have to utilize the Run As User setting in the Alteryx System Settings, which may pose a security risk as it would have to have more access/permissions.

Best,

Josue

RajibM
5 - Atom

Hi Josue, Thank you

Rahul3
8 - Asteroid

I added a new credential under the "Credentials" admin page in Alteryx Server. Then I shared the same credential with my private studio by navigating to the "Users and Studio" tab. But still, when I run any workflow in my Private studio, it runs with the local user.

 

Thanks

LisaL
Alteryx

@Rahul3 

Please review the latter half of the article (and also the help documentation for your version of Server) about how to override the Run As User and its designation as the default credentials. That requires action by the Administrator.

Rahul3
8 - Asteroid

@LisaL 

Thanks for your reply. We are using Alteryx Server 2019 version. After creating the new credentials, I assigned the same credential at subscription level to my colleague, and then he is able to run the workflow in Server using my created credentials. Is this approach right?

Also, our Alteryx Server has “use default credentials” selected. If the admin changes it to “allow users to select credentials options”, would it hamper the execution of already hosted workflows on the same Alteryx Server or the scheduled workflows?

LisaL
Alteryx

@Rahul3 

That is a very good question (about changing the server configuration affecting existing workflows).  I wouldn't necessarily recommend it in that situation, but I don't know.  I'll try to find out and get someone to post something more authoritative.

Paul_Holden
8 - Asteroid

Hi,

 

Thanks for the article.

 

We have migrated our Gallery to a new host server but with the same service account.

We now have some workflows that are saying they cannot access files that were successfully accessed on the old server.

We have confirmed that the service account (which has not changed) still has full access to the files.

 

Any comments or suggestions as to the issue?

 

ToolId 27: Failed to run external program "\\path\with spaces in it to\batch\files\folder\ALTERYX\Batch\MyBatchFile.bat": The directory name is invalid. (267)

 

[EDIT]

I am able to RDP onto the new Gallery host server as the service account and navigate to the relevant folder in File Explorer. I can open the batch file in notepad.

Ariharan
10 - Fireball

Hi @SydneyF , 

 

We have restored the PROD machine MongoDB to the UAT machine. We weren't able to use the saved credentials anymore after that. We removed the saved credentials and added them again. Is this behavior of Alteryx an expected one?

 

Regards, 

Ariharan R

LisaL
Alteryx

@Ariharan 
That behavior is absolutely expected.  Encryption of things like credentials is machine-specific.  If you are authorized to change machines, you can follow the steps in the Help section entitled Server Host Recovery Guide to restore to a different machine.