This site uses different types of cookies, including analytics and functional cookies (its own and from other sites). To change your cookie settings or find out more, click here. If you continue browsing our website, you accept these cookies.
on 07-11-201810:23 AM - edited on 02-27-202012:18 PM by KylieF
Credentials are how we control who has access to what on a computer or a network. Credentials are a way to prevent people from touching data or folders or content they aren’t supposed to.
Workflows on a Gallery are run on the Server machine the Gallery is hosted on. By default, all workflows are run as the service account. The service account on a machine will have the permissions of the base account set up by your IT.
If a workflow needs more permissions than what is granted to the service account to run successfully, there are three options; The Run As User, Subscription level credentials, or Workflow credentials.
Credentials for Gallery Workflows are an override system based on priority. If nothing else is set, by default The Gallery will run all workflows as the service account. If Run As Credentials are set then the Gallery defaults to the run as credentials, and so on. This is illustrated in the Pyramid of Credentials below.
All workflow credentials must have the permission to Log on as a batch job, or Local log on permission for the Server machine. Without these permissions, authentication will fail. For more details, please see our help documentation regarding Run As Permissions.
Setting Credentials on Your Private Gallery
The Run As User, found under System Settings > Worker > Run As is where you can change the default account workflows are run as from the service account to an account of your choosing.
Once this option is set, all workflows on the Gallery will default to running under these credentials.
The Service and Run As credentials can be overridden at the Subscription and Workflow levels. The next step is subscription, which is also referred to as a Studio in Alteryx Gallery.
Subscription Level credentials are set by the Gallery Administrator in the Admin view, under Subscriptions. The Default Workflow Credentials option is towards the end of the Subscriptions settings. A Gallery Admin can change the default workflow credentials by selecting the Change Account option.
In this selection window, you will be able to select from any Workflow credentials created on the Gallery (Workflow credentials are created in the Workflow Credentials Tab, demonstrated if you scroll a little further down in this article).
Subscription credentials are handy for department level permissions (e.g., the Human Resources Workflow Credentials would grant different permissions than the IT department credentials).
Workflow credentials are the most granular level of credentials, therefore they override all other workflow credential settings. Workflow credentials are added in the Admin view in Gallery, under the workflow credentials option.
There are two important things to note on this page. The first is the option to change the Credentials setting for workflows.
This setting has three options – use default credentials, require user credentials, and allow users to select credentials option.
The use default credentials option is what is selected by default. This option runs all workflows as the Run As User set in the system settings, or, if available, as the Subscription credentials.
The require user credentials option enables a prompt for users to enter their own credentials whenever they run a workflow.
The allow users to select credentials selection allows users to specify the credential requirements for a workflow when they publish a workflow from Designer to the Gallery. There are three options.
The second area of note in the Workflow Credentials tab is the Add New Credentials option allows you to add new credentials to your Gallery. These credentials can be applied to workflows, or used as Studio credentials.
After credentials are created in the Gallery, they need to be shared with Users and Studios for use. You can edit who credentials are shared with by clicking on the credential…
And then navigating to the Users and Studios tab.
On the troubleshooting side of things, in Alteryx Server versions >= 2018.1 you can tell which credentials a workflow was run as in the Workflow Results Tab.
This can be helpful when trying to figure out why a workflow didn’t run – maybe it didn’t have the necessary permissions.
As described earlier in this post, credentials for Gallery Workflows are an override system based on priority. The highest available credentials will be used. If no credential options are set, then the Gallery defaults to the service account which can cause issues as service accounts often have limited permissions.