Configure Required Run As User Permissions
Server supports the ability to run workflows using specific user accounts referred to as Run As user accounts. Set Run As user account to execute workflows as that user and read and write data and program files the user can access.
You can configure Server and subscriptions (studios) in the Gallery to use specific Run As user accounts. See Worker and Subscriptions (Studios). You can also require Gallery users to enter their personal credentials to run a workflow making each user's account a Run As user account. See Credentials.
To use a Run As user account to execute workflows, enable all required permissions on each Server worker machine. Verify the Secondary Logon Service is running to enable alternative users to be run for other Services.
Set Run As User Permissions
First, edit the local group policy on the machine to give the Run As user account permission to log on as a batch job.
- Click Start on the Windows task bar.
- In Search, type "gpedit.msc" or "local group policy" and click the result (gpedit).
- In the left side of the Local Group Policy Editor window, click Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- To the right, find and double-click Log on as a batch job.
- In Log on as a batch job Properties, click Add User or Group.
- Complete the required information to add the user or group.
- Click OK and Apply.
Then, set permissions on each of the folders requiring Run As user permissions. See Required Run As user permissions.
- Right-click the folder and click Properties.
- Click the Security tab and click Edit.
- In Group or user names, click the name of the user you want to grant permissions to, or click Add to add a user that does not appear in the list.
- In Permissions for Run As User, select the required Run As permissions for the user.
- Click Add after selecting all required permissions.
- Click Apply.
Complete these steps on each Server worker machine for each of the user accounts you want to give Run As user account permissions.
Required Run As User Permissions
Each Run As user must have all the following required permissions set on each Server worker machine. You may need to enable additional permissions on the machine depending on the workflow and the data and program files the workflow accesses.
The Run As user also needs permissions to access the data sources included in the workflows run in the Gallery. Necessary permissions and data sources vary based on the workflow.
| Location | Permission | Notes |
|---|---|---|
| In the Server program files: [Install Directory] |
Read & Execute, List, Read | This folder contains Alteryx program files; it is where Alteryx was installed. By default, this is at: C:\Program Files\Alteryx which may be hidden by Windows. |
| In the Windows Program Data Directory: %ProgramData%\Microsoft\ Crypto\RSA\MachineKeys |
Read, Write | This folder contains content related to encryption keys used by certain Windows APIs. |
| In the Server program files: %ProgramData%\SRC |
Read, Execute | This folder contains Server license files. |
| In the Server program files: %ProgramFiles(x86)%\Alteryx |
Read, Execute | This folder may contain installed spatial data. Spatial data can also be installed in other locations. Access is only necessary if spatial data is included in workflows. |
| In System Settings Worker > General > Workspace %ProgramData%\Alteryx\ Service\Staging |
Modify, Read & Execute, List Folder Contents, Read, Write | This folder contains temporary files, such as unpackaged workflows, or other files used to execute workflows. Ensure that these subfolders inherit permissions: MapTileCache, Results,Cache, TileSetInfoCache and XProcessCache. |
| In System Settings: Engine > General > Temporary Directory %ProgramData%\Alteryx\Engine |
Modify, Read & Execute, List Folder Contents, Read, Write | This folder contains temporary files used in processed workflows and apps. |
| In System Settings: Engine > General > Logging Directory |
Modify, List Folder Contents, Read, Write | This folder contains output files created when workflows or apps are processed. By default, logging is not enabled so the directory may be empty. Write permission is only needed if logging is enabled. |
|
In C:\Users: %HOMEDRIVE%%HOMEPATH% |
Full Control | The Run As and/or workflow credentials user account must have a profile on the local machine where the workflow is executed, and needs to have full control of that profile. This profile should be created automatically with the correct permissions the first time a job runs with the specified credential. |
|
In C:\Users\<UserName>: %HOMEDRIVE%\Users |
Read & Execute, List Folder Contents, Read | This is the minimum permission required on the windows profile storage folder so profiles can be created successfully. |