
alteryx server Knowledge Base

Definitive answers from Server experts.

How Workflow Credentials Work on a Private Gallery

Sr. Data Science Content Engineer

 Credentials are how we control who has access to what on a computer or a network. Credentials are a way to prevent people from touching data or folders or content they aren’t supposed to.

 


Workflows on a Gallery are run on the Server machine the Gallery is hosted on. By default, all workflows are run as the service account. The service account on a machine will have the permissions of the base account set up by your IT.

 

If a workflow needs more permissions than the service account has in order to run successfully, there are three options: the Run As User, Subscription level credentials, or Workflow credentials.

 

Credentials for Gallery Workflows are an override system based on priority. If nothing else is set, the Gallery runs all workflows as the service account. If Run As credentials are set, the Gallery defaults to the Run As credentials, and so on. This is illustrated in the Pyramid of Credentials below.

 

pyramid.png

 

All workflow credentials must have the permission to Log on as a batch job, or Local log on permission for the Server machine. Without these permissions, authentication will fail. For more details, please see our help documentation regarding Run As Permissions.
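
One way to verify the logon-right requirement above before assigning an account as a workflow credential, as an added example that is not part of the original article or Alteryx's own tooling: it exports the Server machine's user-rights policy with `secedit` and reports whether the account is directly granted `SeBatchLogonRight` (Log on as a batch job) or `SeInteractiveLogonRight` (Allow log on locally). The account name `CONTOSO\svc-alteryx-hr` is a hypothetical placeholder, and reading the article's "Local log on permission" as "Allow log on locally" is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on the Server machine.
# Hypothetical account name; replace it with the account behind a workflow credential.
$Account = 'CONTOSO\svc-alteryx-hr'

# "Log on as a batch job" and "Allow log on locally" as named in the local security policy.
$rights = 'SeBatchLogonRight', 'SeInteractiveLogonRight'
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())

try {
    # Export only the user-rights section of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit exited with code $LASTEXITCODE" }
    $policy = Get-Content -Path $cfg

    $target = [System.Security.Principal.NTAccount]::new($Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    foreach ($right in $rights) {
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        # Entries are "*<SID>" or a plain account name; normalise both to SID strings.
        $sids = @(foreach ($h in $holders) {
            if ($h.StartsWith('*')) { $h.Substring(1) }
            else {
                try { [System.Security.Principal.NTAccount]::new($h).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value }
                catch { $h }   # keep the raw entry if it cannot be resolved
            }
        })
        # Resolve SIDs back to names for display; unresolved entries are shown as-is.
        $names = @(foreach ($s in $sids) {
            try { [System.Security.Principal.SecurityIdentifier]::new($s).Translate(
                    [System.Security.Principal.NTAccount]).Value }
            catch { $s }
        })
        [pscustomobject]@{
            Right           = $right
            DirectlyGranted = $sids -contains $target
            Holders         = $names -join '; '
        }
    }
}
finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
```

A `False` result only rules out a direct grant; the right may still come through one of the listed holder groups, so check the account's membership in those before changing policy.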

 

Setting Credentials on Your Private Gallery

The Run As User, found under System Settings > Worker > Run As, is where you can change the default account workflows are run as from the service account to an account of your choosing.

 

2018-06-21_14-28-33.png

 

 

Once this option is set, all workflows on the Gallery will default to running under these credentials.

 

The Service and Run As credentials can be overridden at the Subscription and Workflow levels. The next level is the Subscription, which is also referred to as a Studio in Alteryx Gallery.

 

Subscription Level credentials are set by the Gallery Administrator in the Admin view, under Subscriptions. The Default Workflow Credentials option is towards the end of the Subscriptions settings. A Gallery Admin can change the default workflow credentials by selecting the Change Account option.

 

2018-05-04_10-55-16.png

 

In this selection window, you will be able to select from any Workflow credentials created on the Gallery (Workflow credentials are created in the Workflow Credentials Tab, demonstrated if you scroll a little further down in this article).

 

2018-05-08_9-37-53.png

 

Subscription credentials are handy for department level permissions (e.g., the Human Resources Workflow Credentials would grant different permissions than the IT department credentials).

 

Workflow credentials are the most granular level of credentials, so they override all other workflow credential settings. Workflow credentials are added in the Admin view in Gallery, under the Workflow Credentials option.

 

2018-05-04_10-59-47.png

 

There are two important things to note on this page. The first is the option to change the Credentials setting for workflows.

 

2018-05-08_9-37-21.png

 

This setting has three options: use default credentials, require user credentials, and allow users to select credentials.

 

The use default credentials option is what is selected by default. This option runs all workflows as the Run As User set in the system settings, or, if available, as the Subscription credentials.

 

The require user credentials option enables a prompt for users to enter their own credentials whenever they run a workflow.

 

2018-05-08_13-44-51.png

 

The allow users to select credentials option lets users specify the credential requirements for a workflow when they publish it from Designer to the Gallery. There are three options.

 

2018-05-08_13-42-09.png

 

The second area of note in the Workflow Credentials tab is the Add New Credentials option, which allows you to add new credentials to your Gallery. These credentials can be applied to workflows, or used as Studio credentials.

 

2018-05-08_9-25-54.png

 

After credentials are created in the Gallery, they need to be shared with Users and Studios for use. You can edit who credentials are shared with by clicking on the credential…

 

2018-05-08_13-46-28.png

 

And then navigating to the Users and Studios tab.

 

2018-05-08_9-56-11.png

 

On the troubleshooting side of things, in Alteryx Server versions >= 2018.1 you can tell which credentials a workflow was run as in the Workflow Results Tab.

  

 2018-05-14_16-03-49.png

 

This can be helpful when trying to figure out why a workflow didn’t run – maybe it didn’t have the necessary permissions.

 

In Summary…

 

As described earlier in this post, credentials for Gallery Workflows are an override system based on priority. The highest available credentials will be used. If no credential options are set, the Gallery defaults to the service account, which can cause issues because service accounts often have limited permissions.

 

For additional information, please check out the Gallery Help Documentation.

 

Comments
Comet

Hi @SydneyF!

 

This was helpful, thank you. If I understand this correctly, the Workflow Credentials are only used by the server for 'built in' server actions like accessing the network, or running the Run Command tool as a user.

 

Is there a way to use these same Workflow Credentials in the Alteryx Connector tools that require authentication to various systems? E.g. the Download tool has fields in the configuration for providing the credentials, and the SharePoint connectors likewise. Seems like I can set up Server Studios to use a special 'team' account to run workflows and access the network (by entering 'Default Workflow Credentials'), but I can't use that same 'team' account in my tools unless I manually enter the user and password into each tool. Is that right?

 

Sr. Data Science Content Engineer

Hi @c2willis,

 

If Run As User or Workflow credentials are set, when a workflow is executed (by the scheduler or from the Gallery) and the Alteryx Service calls the Alteryx Engine, it does so while impersonating the account of the user the workflow is set to use. This means that all processes in the workflow are executed as that workflow, so any databases or other shared resources (e.g., network drives) that are accessed are done so as that account.

 

As for your second question - the Workflow Credentials will typically not be applied to Connectors. This is because more often than not, the Connectors use types of authentication other than Windows Authentication (which is what the Workflow Credentials use). One option to dynamically update the connector credentials might be to create an Alteryx Application that updates tool configuration(s) based on user inputs. For help getting started with something like that, please check out the Tool Mastery | Action Tool, the Sample Workflows for Interface Tools in Designer, or post to the Designer Discussion Thread.

Comet

Thanks @SydneyF!

 

From the Apps 302 class at Inspire, my own experimentation, and from digging around in the community posts, there doesn't seem to be a way to pass the Workflow Credentials to the Interface controls of an Analytic App. Hence, there is no way to schedule an App in Server and have the Connectors' credentials updated at run time. When I schedule an App with Interface inputs, it doesn't ask me to enter any inputs, so I would have to save the credentials into the App and change them in Designer. This is a limiting factor in cases where we are required to run a workflow/app as a system/team account instead of as a user account.

 

The 'credentials' stored on the Server for runtime are Data Connections and Workflow Credentials, but if the Connector can't use one of those methods to connect, the workflow or app can't be scheduled with system/team credentials.

 

Is something on the roadmap yet to add to Server a third category of connection credentials? Or should I create an Idea for it?

 

Seems like all three types of stored connections could be grouped into one location in the server, and then provide a mechanism to securely access the credentials (user/studio level permissions) and pass them to the App Interface controls.

 

Thanks,

 

Cameron

Sr. Data Science Content Engineer

Currently, the functionality you are describing is not available. Please do post to Server Product Ideas forum. Our product managers are very active on these pages and are always looking for great new ideas to enhance our product. 

 

Thank you!

Comet

Thanks @SydneyF!

 

I went to the Ideas forum and searched (I need to remember to do this first .... :)   ). A few different ideas have already been submitted along the same lines as my suggestion. So I just added my 'star' to a couple of them, but decided to leave one here in case future readers have the same questions:

 

https://community.alteryx.com/t5/Alteryx-Server-Ideas/Make-Server-User-a-System-Constant/idc-p/30616...

 

Thanks again for your initial post, and for your patience with me as I learn the appropriate places to look for guidance. Much appreciated!

 

Kind regards,

 

Cameron

It would also be nice to be able to specify a particular AD credential to authenticate to a Data Connector (SQL Server, Oracle and others support AD authentication to their DB engines out of the box).

 

This would allow us to "define once, use many" the service account.

 

The collection of data connectors is then available as a shared resource to the developers.