on 07-11-201810:23 AM - edited on 06-22-202203:07 AM by csalgado5
Screenshots in this article were taken with Alteryx Server version 2022.1.
Credentials are how we control who has access to what on a computer or a network. Credentials are a way to prevent people from touching data or folders or content they aren’t supposed to.
Workflows on a Gallery are run on the Server machine. By default, all workflows are run as the service account. The service account on a machine will have the permissions of the base account set up by your IT department.
If a workflow needs more permissions than what is granted to the service account to run successfully, there are three options; the Run As User, Subscription/User level credentials, or Workflow credentials.
Credentials for Gallery Workflows are an override system based on priority. If nothing else is set, by default the Server will run all workflows as the service account. If Run As Credentials are set, then the Server defaults to the run as credentials, and so on. This is illustrated in the Pyramid of Credentials below.
All workflow credentials must have certain permissions on the Server machine. Without these permissions, authentication will fail. For more details, please see our help documentation regarding Run As Permissions.
The Run As User, found under System Settings > Worker > Run As is where you can change the default account workflows are run as from the service account to an account of your choosing.
Once this option is set, all workflows on the Server will default to running under these credentials.
The Service and Run As credentials can be overridden at the Subscription, User, and Workflow levels. The next step is Subscription, which is also referred to as a Studio in Alteryx Gallery.
Subscription-level credentials are set by the Gallery Administrator in the Admin view, under Subscriptions. A Gallery Admin can change the default workflow credentials by selecting the Change Account option.
In this selection window, you will be able to select from any credentials created on the Gallery (Workflow credentials are created in the Workflow Credentials Tab, demonstrated later in this article).
Subscription credentials are handy for department-level permissions (e.g., the Human Resources Workflow Credentials would grant different permissions than the IT department credentials).
Adding Credentials in Gallery
Workflow credentials are the most granular level of credentials, therefore they override all other workflow credential settings. Workflow credentials are added in the Admin view in Gallery, under the Credentials section.
There are different options for Workflow Credentials settings, which can be changed from the Configuration section of Gallery Admin. The Workflow Credentials Setting determines whether users are required to enter their credentials when they run workflows.
This setting has three options – use default credentials, require user credentials, and allow users to select credentials option.
The use default credentials option is what is selected by default. This option runs all workflows as the Run As User set in the system settings, or, if available, as the Subscription credentials.
The "Require User Credentials" option enables a prompt for users to enter their own credentials whenever they run a workflow.
The "Allow Users to Select" credentials option allows users to specify the credential requirements for a workflow when they publish a workflow from Designer to the Gallery. There are three options.
The second area of note in the Credentials section is the Add New Credentials option which allows you to add new credentials to your Gallery. These credentials can be applied to workflows or used as Studio/User/Custom Group credentials (User and Custom Group credential availability is dependent on your version of Alteryx Server and is available in more recent versions).
After credentials are created in the Gallery, they need to be shared with Users, Subscriptions, and Custom Groups for use. You can edit who credentials are shared with by clicking on the credential.
And then selecting the appropriate tab (Users or Custom Groups) and clicking Add.
Note: Newer version of Server do not allow you to add Private Studios to these credentials; Studios/Subscriptions will be removed in a future release and this ability is limited in order to help support that future transition). Only Studios added from previous versions of Server will be visible on that tab.
As a user, you can tell which credentials a workflow was run as in the Workflow Results Tab in the Run As column.
This can be helpful when trying to figure out why a workflow didn’t run – maybe it didn’t have the necessary permissions.
As described earlier in this post, credentials for workflows are an override system based on priority. The highest available credentials will be used. If no credential options are set, then the Gallery defaults to the service account which can cause issues as service accounts often have limited permissions.