ALTERYX INSPIRE | Join us this May for for a multi-day virtual analytics + data science experience like no other! Register Now

Alteryx Server Knowledge Base

Definitive answers from Server experts.

How Workflow Credentials Work on a Private Gallery

Alteryx Alumni (Retired)

 Credentials are how we control who has access to what on a computer or a network. Credentials are a way to prevent people from touching data or folders or content they aren’t supposed to.


giphy (1).gif


Workflows on a Gallery are run on the Server machine the Gallery is hosted on. By default, all workflows are run as the service account. The service account on a machine will have the permissions of the base account set up by your IT.


If a workflow needs more permissions than what is granted to the service account to run successfully, there are three options; The Run As User, Subscription level credentials, or Workflow credentials.


Credentials for Gallery Workflows are an override system based on priority. If nothing else is set, by default The Gallery will run all workflows as the service account. If Run As Credentials are set then the Gallery defaults to the run as credentials, and so on. This is illustrated in the Pyramid of Credentials below.




All workflow credentials must have the permission to Log on as a batch job, or Local log on permission for the Server machine. Without these permissions, authentication will fail. For more details, please see our help documentation regarding Run As Permissions.


Setting Credentials on Your Private Gallery

The Run As User, found under System Settings > Worker > Run As is where you can change the default account workflows are run as from the service account to an account of your choosing.





Once this option is set, all workflows on the Gallery will default to running under these credentials.


The Service and Run As credentials can be overridden at the Subscription and Workflow levels. The next step is subscription, which is also referred to as a Studio in Alteryx Gallery.


Subscription Level credentials are set by the Gallery Administrator in the Admin view, under Subscriptions. The Default Workflow Credentials option is towards the end of the Subscriptions settings. A Gallery Admin can change the default workflow credentials by selecting the Change Account option.




In this selection window, you will be able to select from any Workflow credentials created on the Gallery (Workflow credentials are created in the Workflow Credentials Tab, demonstrated if you scroll a little further down in this article).




Subscription credentials are handy for department level permissions (e.g., the Human Resources Workflow Credentials would grant different permissions than the IT department credentials).


Workflow credentials are the most granular level of credentials, therefore they override all other workflow credential settings. Workflow credentials are added in the Admin view in Gallery, under the workflow credentials option.




There are two important things to note on this page. The first is the option to change the Credentials setting for workflows.




This setting has three options – use default credentials, require user credentials, and allow users to select credentials option.


The use default credentials option is what is selected by default. This option runs all workflows as the Run As User set in the system settings, or, if available, as the Subscription credentials.


The require user credentials option enables a prompt for users to enter their own credentials whenever they run a workflow.




The allow users to select credentials selection allows users to specify the credential requirements for a workflow when they publish a workflow from Designer to the Gallery. There are three options.




The second area of note in the Workflow Credentials tab is the Add New Credentials option allows you to add new credentials to your Gallery. These credentials can be applied to workflows, or used as Studio credentials. 




After credentials are created in the Gallery, they need to be shared with Users and Studios for use. You can edit who credentials are shared with by clicking on the credential…




And then navigating to the Users and Studios tab.




On the troubleshooting side of things, in Alteryx Server versions >= 2018.1 you can tell which credentials a workflow was run as in the Workflow Results Tab.




This can be helpful when trying to figure out why a workflow didn’t run – maybe it didn’t have the necessary permissions.


In Summary…


As described earlier in this post, credentials for Gallery Workflows are an override system based on priority. The highest available credentials will be used. If no credential options are set, then the Gallery defaults to the service account which can cause issues as service accounts often have limited permissions.


For additional information, please check out the Gallery Help Documentation.


11 - Bolide

Hi @SydneyF!


This was helpful, thank you. If I understand this correctly, the Workflow Credentials are only used by the server for 'built in' server actions like access the network, or running the Run Command tool as a user.


Is there a way to use these same Workflow Credentials in the Alteryx Connector tools that require authentication to various systems? E.g. the Download tool has fields in the configuration for providing the crendentials, and the SharePoint connectors likewise. Seems like I can set up Server Studios to use a special 'team' account to run workflows and access the network (by entering 'Default Workflow Credentials'), but I can't use that same 'team' account in my tools unless I manually enter the user and password into each tool. Is that right?


Alteryx Alumni (Retired)

Hi @c2willis,


If Run As User or Workflow credentials are set, when a workflow is executed (by the scheduler or from the Gallery) and the Alteryx Service calls the Alteryx Engine, it does so while impersonating the account of the user the workflow is set to use. This means that all processes in the workflow are executed as that workflow, so any databases or other shared resources (e.g., network drives) that are accessed are done so as that account.


As for your second question - the Workflow Credentials will typically not be applied to Connectors. This is because more often than not, the Connectors use types of authentication other than Windows Authentication (which is what the Workflow Credentials use). One option to dynamically update the connector credentials might be to create an Alteryx Application that updates tool configuration(s) based on user inputs. For help getting started with something like that, please check out the Tool Mastery | Action Tool, the Sample Workflows for Interface Tools in Designer, or post to the Designer Discussion Thread.

11 - Bolide

Thanks @SydneyF!


From the Apps 302 class at Inspire, my own experimentation, and from digging around in the community posts, there doesn't seem to be a way to pass the Workflow Credentials to the Interface controls of an Analytic App. Hence, there is no way to schedule an App in Server and have the Connectors credentials updated at run time. When I schedule an App with Interface inputs, it doesn't ask me to enter any inputs, so I would have to save the credentials into the App and change them in Designer. This is limiting factor in cases where we are required to run a workflow/app as a system/team account instead of as a user account.


The 'credentials' stored on the Server for runtime are Data Connections and Workflow Credentials, but if the Connector can't use one of those methods to connect, the workflow or app can't be scheduled with system/team credentials.


Is something on the roadmap yet to add to Server a third category of connection credentials? Or should I create an Idea for it?


Seems like all three types of stored connections could be grouped into one location in the server, and then provide a mechanism to securely access the credentials (user/studio level permissions) and pass them to the App Interface controls.





Alteryx Alumni (Retired)

Currently, the functionality you are describing is not available. Please do post to Server Product Ideas forum. Our product managers are very active on these pages and are always looking for great new ideas to enhance our product. 


Thank you!

11 - Bolide

Thanks @SydneyF!


I went to the Ideas forum and searched (I need to remember to do this first .... 🙂   ). A few different ideas have already been submitted along the same lines as my suggestion. So I just added my 'star' to a couple of them, but decided to leave one here in case future readers have the same questions:


Thanks again for your initial post, and for your patience with me as I learn the appropriate places to look for guidance. Much appreciated!


Kind regards,



5 - Atom

It would also be nice to be able to specify a particular AD credential to authenticate to a Data Connector (SQL Server, Oracle and others support AD authentication to their DB engines out of the box).


This would allow us to "define once, use many" the service account.


The collection of data connectors is then available as a shared resource to the developers.

5 - Atom

Where do we configure service account in the Alteryx server ?


Hi @ravisaiteja,


It can be set up in Windows Services for Alteryx Service.


Right Click Alteryx Service - Properties - Log On. 

Tick "This account".





5 - Atom

Hi All,

What i can infer is if we have Workflow credentials and Run as user set up , the workflows must run with the default workflow credentials set up in the Subscriptions.

But there is a scenario where an Artisan has shared the workflow on the Collections , the non-artisan members are added as Members to the studio as well as collections . However when the non-artisans run the workflow , it run with the local user or run as user which doesn't have sufficient permissions to the shared drive etc and it fails.

Is there a way where we can set the default workflow credentials for the Collections which would allow any user to run the workflow shared on the Collections with default workflow credentials instead of local user?



5 - Atom

Hi Rajib,


You will need to be on version 2020.2 to access the new functionality of the api endpoint to get the credential id.  Older versions will have to utilize the run as user setting in the Alteryx System Settings with may pose a security risk as it would have to have more access/permissions.



5 - Atom

Hi Josue, Thank you