04-14-2016 03:36 PM - edited 08-28-2022 07:11 PM
The Run the Worker as a Different User a.k.a “Run As” option in the System Settings allows the Worker to run the Alteryx Engine as a different user. By default, the Scheduler runs using the Local System Account.
When accessing these other environments, credentials that have Admin rights are recommended. This removes any chance of workflow failure if permissions change for non Admin user.
Run as Different User:
Alteryx > Options > Advanced Options > System Settings
Troubleshoot:
My workflow runs fine through the GUI but it fails through the Scheduler
This can be a sign of permission issues. For the workflow to run successfully it needs access to the resources it is referencing, such as network drives, files, and database connections. Check all of your Inputs and Outputs to verify whether the connections are local or remote (e.g. network drive). If you are connecting to a network drive, you may need to add a Run As user in the Alteryx System Settings (if one is not already present) in order for the Scheduler to adopt permissions.
I have configured Alteryx Server to run workflows as a specified user, but they are failing.
You may be encountering this issue if the Worker machine that is configured to run the workflows as a specified user does not have the appropriate permissions in the workspace folder where files are stored. Double-click the System Settings icon on your desktop to open the System Settings window and check the following settings:
I’ve set up the Run As and it has been working, but now my modules have started failing.
Check if the password has changed recently.
Additional Information:
Safe and Semi-safe options for the Alteryx Gallery can only be used if the Worker > Run As setting has been enabled.
what are the minimum privs and rights that the run as account should have? is 'logon locally' one of them?
@dwalker3rd We recommend setting the Run As user to an Admin user since the Gallery may contain directories and files that need to be accessed across the organization. This will allow the server to access anything that is loaded into the server without specific permissions each time. If 'logon locally' is setup as the highest level of accessibility or at the level you know will be able to handle any of the permissions that your users will be needing, then that is fine. No real minimum, just what works best for the server and your organization.
Correction -
Apologize the "No real minimum" isn't exaclty true, as local login is required as it is the minimum requirement to run software.
If you are a power user on the box and have local login rights on the server you should have no issues running the workflows on the Scheduler or Gallery using those credentials. Keep in mind that if you are attempting to connect through a network or connecting to databases that those privileges will need to be considered as well.
What are the minimum access rights for the run as in Alteryx 10.6 as it appears there are other setting?
I have an account that is a power user and I have given them full control to the directory and I am getting a "User cannot be validated" I can use the account to log into the machine and access the files through Windows Explorer. Please of security policies I cannot make the account an admin of the server which we need to run the workflows.
Thanks!
@kdmoloney As mentioned in the article, the minimum is to be a power user on the box and have local login rights on the server. If the workflows or user is accessing a network or database connections, that user will need to have access granted to those places. If they are logging on via a remove desktop the permissions are usually seperate and not necessarily the local logon.
If this is use for the Gallery, you also have the option to configure the Gallery to have users login with their credentials instead of using the Run As setting. This is a new feature in 10.6.
In the Gallery, go to the Admin and System window. You will see a Default behavior for workflow credentials.
Once this option is selected, the user who creates the app can set the app to have the user enter their credentials when the app is loaded to the Gallery on the Server.
UPDATE for 10.6.8.17850 and beyond
As of 10.6.8.17850, "Allow log on locally" is no longer a requirement, but the group/user will need the ability to "Log on as a batch job". From the server documentation...
First, edit the local group policy on the machine to give the run-as user account permission to log on as a batch job.
Then, set permissions on each of the folders requiring run-as user permissions. See Required run-as user permissions.
Really hate to be critical here but there are multiple points in this post that are confusing. This needs to be broken down with more clarity and definition. Has an updated post been generated in an effort to address the challenges with configuring server and local/network accounts?
Regarding @JeradR's comment.
Why does this have to be so complicated? This option should be available from the Admin panel as a separate permission for a role and/or account(credential)
Hi @yuriy,
The "Log on as a Batch Job" is needed to allow the Alteryx Engine to impersonate a user account to perform some functions while that user is not logged on to the server. To enable a user account in this setting the Group Policy for the server will need to be edited. Editing the Group Policy is normally reserved for Admins of the server, but that can also be restricted depending on your IT's security policy.
More information about why the user account needs permissions on certain folders is available in our updated documentation available here: https://help.alteryx.com/current/server/configure-required-run-user-permissions
Let's assume the run-as user is an admin user on the Alteryx Server machine. Does the workflow with elevated privileges on Gallery?
This may sound like a strange question, but if I were to manually executes some workflows in Designer on the Server machine, there are certain things I cannot do unless I launch designer with right click, run as Admin. Just being and admin user is not enough, we have to specifically elevate before we run the workflow.
So my question is, when a workflow runs on gallery, is it using the elevated privileges?
+1 to @YEM 's question above ... any answers on this? Will workflows on the Gallery run with elevated permissions by default, when running with the default system user (Alteryx Gallery user account) ??