community
cancel
Showing results for 
Search instead for 
Did you mean: 

alteryx server Knowledge Base

Definitive answers from Server experts.

Run As Settings

Community Operations Manager
Community Operations Manager
Created on

The Run the Worker as a Different User a.k.a “Run As” option in the System Settings allows the Worker to run the Alteryx Engine as a different user.  By default, the Scheduler runs using the Local System Account.

When accessing these other environments, credentials that have Admin rights are recommended. This removes any chance of workflow failure if permissions change for non Admin user.

 

Run as Different User:

 

  • Scheduler: - If a Worker machine needs to run workflows that access files or data from a location that requires specific credentials to access it, the machine can be configured to run the workflows as a specified user or account.

 

  • Server: - When clients are sending database connections to the Gallery, they will need to send the app to the Gallery that works with their system settings. Otherwise, the app will fail since it will not connect to their local instance of the database on their machine.

 

Alteryx > Options > Advanced Options > System Settings

Run As.png

 

 

Troubleshoot:

 

My workflow runs fine through the GUI but it fails through the Scheduler

 

This is can be a sign of permission issues.  For the workflow to run successfully it needs access to the resources it is referencing such as network drives, files, database connections, and such. Check all of your Inputs and Outputs to verify whether the connections are local or remote.  If you are connecting to a network file share open Alteryx > Options > Advanced Options > System Settings and click Next until reaching Run the Worker As a different user……..and???

 

I have configured Alteryx Server to run workflows as a specified user, but they are failing.

 

You may be encountering this issue if the Worker machine that is configured to run the workflows as a specified user does not have the appropriate permissions in the workspace folder where files are stored. Double-click the System Settings icon on your desktop to open the System Settings window and check the following settings:

 

  • Identify the Workspace folder specified on the Worker > General screen.
  • Open Windows Explorer and navigate to that folder.
  • View the folder properties.
  • On the Security tab, verify that the user specified as the Run As user exists in the list of users. If it does not, add it.
  • On the same tab, highlight the specified user and ensure it has the following permissions: Modify / Read & Execute / Read / Write.


I’ve set up the Run As and it has been working, but now my modules have started failing.

Check if the password has changed recently


Additional Information:

 

Safe and Semi-safe options for the Alteryx Gallery can only be used if the Worker > Run As setting has been enabled.

 

 

 

Comments
Meteoroid

what are the minimum privs and rights that the run as account should have?  is 'logon locally' one of them?

Community Operations Manager
Community Operations Manager

@dwalker3rd We recommend setting the Run As user to an Admin user since the Gallery may contain directories and files that need to be accessed across the organization. This will allow the server to access anything that is loaded into the server without specific permissions each time. If 'logon locally' is setup as the highest level of accessibility or at the level you know will be able to handle any of the permissions that your users will be needing, then that is fine. No real minimum, just what works best for the server and your organization.

Community Operations Manager
Community Operations Manager

Correction - 

Apologize the "No real minimum" isn't exaclty true, as local login is required as it is the minimum requirement to run software. 

 

If you are a power user on the box and have local login rights on the server you should have no issues running the workflows on the Scheduler or Gallery using those credentials. Keep in mind that if you are attempting to connect through a network or connecting to databases that those privileges will need to be considered as well.

Meteor

What are the minimum access rights for the run as in Alteryx 10.6 as it appears there are other setting? 

 

I have an account that is a power user and I have given them full control to the directory and I am getting a "User cannot be validated"  I can use the account to log into the machine and access the files through Windows Explorer.  Please of security policies I cannot make the account an admin of the server which we need to run the workflows.

 

Thanks!

Community Operations Manager
Community Operations Manager

@kdmoloney As mentioned in the article, the minimum is to be a power user on the box and have local login rights on the server. If the workflows or user is accessing a network or database connections, that user will need to have access granted to those places. If they are logging on via a remove desktop the permissions are usually seperate and not necessarily the local logon.

 

If this is use for the Gallery, you also have the option to configure the Gallery to have users login with their credentials instead of using the Run As setting. This is a new feature in 10.6.

 

In the Gallery, go to the Admin and System window. You will see a Default behavior for workflow credentials. 

2016-12-07_9-33-06.jpg

 

Once this option is selected, the user who creates the app can set the app to have the user enter their credentials when the app is loaded to the Gallery on the Server.

 

2016-12-07_9-51-58.jpg

Moderator
Moderator

UPDATE for 10.6.8.17850 and beyond

 

As of 10.6.8.17850, "Allow log on locally" is no longer a requirement, but the group/user will need the ability to "Log on as a batch job".  From the server documentation...

 

First, edit the local group policy on the machine to give the run-as user account permission to log on as a batch job.

  1. Click Start on the Windows task bar.
  2. In Search, type "gpedit.msc" or "local group policy" and click the result (gpedit).
  3. In the left side of the Local Group Policy Editor window, click Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  4. To the right, find and double-click Log on as a batch job.
  5. In Log on as a batch job Properties, click Add User or Group.
  6. Complete the required information to add the user or group.
  7. Click OK and Apply.

Then, set permissions on each of the folders requiring run-as user permissions. See Required run-as user permissions.

  1. Right-click the folder and click Properties.
  2. Click the Security tab and click Edit.
  3. In Group or user names, click the name of the user you want to grant permissions to, or click Add to add a user that does not appear in the list.
  4. In Permissions for Run As User, select the required run-as permissions for the user.
  5. Click Add after selecting all required permissions.
  6. Click Apply.
Asteroid

Really hate to be critical here but there are multiple points in this post that are confusing. This needs to be broken down with more clarity and definition. Has an updated post been generated in an effort to address the challenges with configuring server and local/network accounts?