This site uses different types of cookies, including analytics and functional cookies (its own and from other sites). To change your cookie settings or find out more, click here. If you continue browsing our website, you accept these cookies.
Workflows being run on Gallery or Scheduler return with an error Access is Denied for various file types.
The Alteryx Server is not able to perform expected actions (Signing into Gallery, Service unable to start, etc.). The Service or Gallery logs reference that the Service is unable to open/read specific files with Access Denied.
This issue has multiple potential causes, all related to permissions:
The Run As account does not have permission to dependency or file being referenced.
The Alteryx Service account does not have permission to dependency or file being referenced.
The Alteryx Service account does not have the proper permissions required to run the Alteryx Service.
Isolating the Run As Account
A workflow being run on the Server will run as whichever account is set up in either workflow credentials, the Worker Run As, or the Alteryx Service Account. The account in workflow credentials will take priority, followed by the Worker Run As, and then the Alteryx Service Account. For more information on Server Run As accounts and permissions, see this article.
To check the accounts being used at each level, look in the following locations:
Workflow credentials are established on Gallery Admin’s page under Workflow Credentials.
The Worker Run As account is set under Alteryx System Settings > Worker > Run As.
The Alteryx Service account can be found under Services (please see Isolating the Service Account to find which account is running the Service).
A quick test to see if the Run As account will have access to the proper dependencies is to log into the Worker node of the Server as the Run As account, open and run the problematic workflow in Designer.
If the Run As account does not have access to certain locations that should seem accessible by the Server, please go to Solution A.
Isolating the Service Account (error returned from workflow execution)
If workflow credentials are not enabled and there is no Worker Run As account, the Server will run workflows on the account outlined by the Alteryx Service. To find the account that is running the Alteryx Service please follow the steps below:
1. Open Services (Windows menu -> Run -> services.msc)
2. Find Alteryx Service; Right-click on the service and select Properties. Click the Log On tab.
If the Alteryx Service account does not have access to certain locations that should seem accessible by the Server, please go to Solution A.
By default, the Alteryx Service account will be run as the Local System. The Local System account normally has pre-determined permissions. More information on the Local System, see this article.
If the Local System Account does not have access to certain locations that should seem accessible by the Server, please go to Solution B.
Isolating the Service Account (error found in Service logs)
When reviewing the Service or Gallery logs, if the Service account does not have access to required folders and/or files, there will be an Access Denied error. An example is below:
Exception caught by ErrorHandler and marshalled to Client,"Alteryx.Cloud.Common.Exceptions.ForbiddenException: Access denied
If receiving the above error, please go to Solution B.
If the Run As account does not have the proper permissions to access a dependency, either grant the appropriate permission to the account for the dependency or change the Run As account to an account that does have permission.
If Service or Gallery logs are displaying Access Denied, ensure that the Alteryx Service account has all the required permissions needed to run the Alteryx Service.
If the Alteryx Service account is set to Local System, please work with IT to enable more permissions for the Local System or assign a Service account to the Alteryx Service that can have all the required permissions.
Credentials are how we control who has access to what on a computer or a network. Credentials are a way to prevent people from touching data or folders or content they aren’t supposed to. This article goes over the different options for setting credentials on a private gallery.