Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!

Alteryx Server Knowledge Base

Definitive answers from Server experts.

Run As Settings

DanM
Alteryx Community Team
Alteryx Community Team
Created

The Run the Worker as a Different User a.k.a “Run As” option in the System Settings allows the Worker to run the Alteryx Engine as a different user. By default, the Scheduler runs using the Local System Account.

When accessing these other environments, credentials that have Admin rights are recommended. This removes any chance of workflow failure if permissions change for non Admin user.

 

Run as Different User:

 

  • Scheduler: - If a Worker machine needs to run workflows that access files or data from a location that requires specific credentials to access it, the machine can be configured to run the workflows as a specified user or account.

 

  • Server: - When clients are sending database connections to the Gallery, they will need to send the app to the Gallery that works with their system settings. Otherwise, the app will fail since it will not connect to their local instance of the database on their machine.

 

Alteryx > Options > Advanced Options > System Settings

Run As.png

 

 

Troubleshoot:

 

My workflow runs fine through the GUI but it fails through the Scheduler

 

This can be a sign of permission issues. For the workflow to run successfully it needs access to the resources it is referencing, such as network drives, files, and database connections. Check all of your Inputs and Outputs to verify whether the connections are local or remote (e.g. network drive). If you are connecting to a network drive, you may need to add a Run As user in the Alteryx System Settings (if one is not already present) in order for the Scheduler to adopt permissions.  
 

I have configured Alteryx Server to run workflows as a specified user, but they are failing.

 

You may be encountering this issue if the Worker machine that is configured to run the workflows as a specified user does not have the appropriate permissions in the workspace folder where files are stored. Double-click the System Settings icon on your desktop to open the System Settings window and check the following settings:

 

  • Identify the Workspace folder specified on the Worker > General screen.
  • Open Windows Explorer and navigate to that folder.
  • View the folder properties.
  • On the Security tab, verify that the user specified as the Run As user exists in the list of users. If it does not, add it.
  • On the same tab, highlight the specified user and ensure it has the following permissions: Modify / Read & Execute / Read / Write.


I’ve set up the Run As and it has been working, but now my modules have started failing.

Check if the password has changed recently.

 

Additional Information:

 

Safe and Semi-safe options for the Alteryx Gallery can only be used if the Worker > Run As setting has been enabled.

 

 

 



Comments
dwalker3rd
6 - Meteoroid

what are the minimum privs and rights that the run as account should have?  is 'logon locally' one of them?

DanM
Alteryx Community Team
Alteryx Community Team

@dwalker3rd We recommend setting the Run As user to an Admin user since the Gallery may contain directories and files that need to be accessed across the organization. This will allow the server to access anything that is loaded into the server without specific permissions each time. If 'logon locally' is setup as the highest level of accessibility or at the level you know will be able to handle any of the permissions that your users will be needing, then that is fine. No real minimum, just what works best for the server and your organization.

DanM
Alteryx Community Team
Alteryx Community Team

Correction - 

Apologize the "No real minimum" isn't exaclty true, as local login is required as it is the minimum requirement to run software. 

 

If you are a power user on the box and have local login rights on the server you should have no issues running the workflows on the Scheduler or Gallery using those credentials. Keep in mind that if you are attempting to connect through a network or connecting to databases that those privileges will need to be considered as well.

kdmoloney
7 - Meteor

What are the minimum access rights for the run as in Alteryx 10.6 as it appears there are other setting? 

 

I have an account that is a power user and I have given them full control to the directory and I am getting a "User cannot be validated"  I can use the account to log into the machine and access the files through Windows Explorer.  Please of security policies I cannot make the account an admin of the server which we need to run the workflows.

 

Thanks!

DanM
Alteryx Community Team
Alteryx Community Team

@kdmoloney As mentioned in the article, the minimum is to be a power user on the box and have local login rights on the server. If the workflows or user is accessing a network or database connections, that user will need to have access granted to those places. If they are logging on via a remove desktop the permissions are usually seperate and not necessarily the local logon.

 

If this is use for the Gallery, you also have the option to configure the Gallery to have users login with their credentials instead of using the Run As setting. This is a new feature in 10.6.

 

In the Gallery, go to the Admin and System window. You will see a Default behavior for workflow credentials. 

2016-12-07_9-33-06.jpg

 

Once this option is selected, the user who creates the app can set the app to have the user enter their credentials when the app is loaded to the Gallery on the Server.

 

2016-12-07_9-51-58.jpg

JeradR
Alteryx
Alteryx

UPDATE for 10.6.8.17850 and beyond

 

As of 10.6.8.17850, "Allow log on locally" is no longer a requirement, but the group/user will need the ability to "Log on as a batch job".  From the server documentation...

 

First, edit the local group policy on the machine to give the run-as user account permission to log on as a batch job.

  1. Click Start on the Windows task bar.
  2. In Search, type "gpedit.msc" or "local group policy" and click the result (gpedit).
  3. In the left side of the Local Group Policy Editor window, click Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  4. To the right, find and double-click Log on as a batch job.
  5. In Log on as a batch job Properties, click Add User or Group.
  6. Complete the required information to add the user or group.
  7. Click OK and Apply.

Then, set permissions on each of the folders requiring run-as user permissions. See Required run-as user permissions.

  1. Right-click the folder and click Properties.
  2. Click the Security tab and click Edit.
  3. In Group or user names, click the name of the user you want to grant permissions to, or click Add to add a user that does not appear in the list.
  4. In Permissions for Run As User, select the required run-as permissions for the user.
  5. Click Add after selecting all required permissions.
  6. Click Apply.
davidhenington
10 - Fireball

Really hate to be critical here but there are multiple points in this post that are confusing. This needs to be broken down with more clarity and definition. Has an updated post been generated in an effort to address the challenges with configuring server and local/network accounts? 

yuriy
8 - Asteroid

Regarding @JeradR's comment. 

 

Why does this have to be so complicated? This option should be available from the Admin panel as a separate permission for a role and/or account(credential)

MattH
Alteryx
Alteryx

Hi @yuriy,

 

Thank you for the feedback and I understand how complicated this feels with so many steps to go through. I wish there was a one-step setting to handle this for you.

 

The "Log on as a Batch Job" is needed to allow the Alteryx Engine to impersonate a user account to perform some functions while that user is not logged on to the server.  To enable a user account in this setting the Group Policy for the server will need to be edited.  Editing the Group Policy is normally reserved for Admins of the server, but that can also be restricted depending on your IT's security policy.

 

More information about why the user account needs permissions on certain folders is available in our updated documentation available here: https://help.alteryx.com/current/server/configure-required-run-user-permissions

YEM
8 - Asteroid

Let's assume the run-as user is an admin user on the Alteryx Server machine.  Does the workflow with elevated privileges on Gallery? 

 

This may sound like a strange question, but if I were to manually executes some workflows in Designer on the Server machine, there are certain things I cannot do unless I launch designer with right click, run as Admin.  Just being and admin user is not enough, we have to specifically elevate before we run the workflow.

 

So my question is, when a workflow runs on gallery, is it using the elevated privileges?  

johnsonTCP
5 - Atom

+1 to @YEM 's question above ... any answers on this? Will workflows on the Gallery run with elevated permissions by default, when running with the default system user (Alteryx Gallery user account) ??