Configure Required Run As User Permissions

In hardened server environments with restrictive permissions policies, you might need to enable Windows Server security permissions in support of run-as credentials. These steps are intended for server admins when run-as credentials don't work out of the box. For help running workflows as another user, go to the Run a Workflow as a Different User help page.

To use a run-as user account to execute workflows, server admins have to enable all required permissions on each Server worker machine. Verify the Secondary Logon service is running to allow alternative users to run other services.

First, edit the local group policy on the machine to give the Run As user account permission to log on as a batch job.

  1. Select Start on the Windows taskbar.

  2. In Search, enter gpedit.msc or local group policy.

  3. In the Local Group Policy Editor window, select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  4. Select Log on as a batch job.

  5. In Log on as a batch job Properties, select Add User or Group.

  6. Complete the required information to add the user or group.

  7. Select OK and Apply.

Then, set permissions on each of the folders requiring Run As user permissions. Go to Required Run As User Permissions.

  1. Right-click the folder for which you want to set permissions and select Properties.

  2. Select the Security tab and select Edit.

  3. In Group or user names, select the name of the user you want to grant permissions to or select Add to add a user that doesn't appear in the list.

  4. In Permissions for Run As User, select the required Run As permissions for the user.

  5. Select Add after selecting all required permissions.

  6. Select Apply.

Complete these steps on each worker machine for each of the user accounts you want to add as a Run As user.

Required Run As User Permissions

Each Run As user has to have all these permissions set on each worker machine. You might need to enable additional permissions on the machine depending on the workflow and the data and program files the workflow accesses.

The Run As user also needs permissions to access the data sources included in the workflows run in the Server. Necessary permissions and data sources vary based on the workflow.

Note

The file paths listed are the default paths and can be changed. Some locations might not be displayed due to users changing the default location.

Table 10. Required Run As User Permissions

The folder where Alteryx is installed contains Alteryx program files.

  • Location: [Install Directory] (The default location is C:\Program Files\Alteryx. This might be hidden by Windows.)

  • Permissions: Read & Execute, List, Read

The Windows Program Data folder contains content related to encryption keys used by Windows APIs.

  • Location: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys

  • Permissions: Read, Write

The folder that contains Server license files.

  • Location: %ProgramData%\SRC

  • Permissions: Read & Execute

The Server program files folder contains installed spatial data. Spatial data can also be installed in other locations. Access is only necessary if spatial data is included in workflows.

  • Location: %ProgramFiles(x86)%\Alteryx

  • Permissions: Read & Execute

The staging folder specified in System Settings > Worker > General > Workspace. This folder contains temporary files, such as unpackaged workflows, or other files used to execute workflows. Ensure that these subfolders inherit permissions: MapTileCache, Results, Cache, TileSetInfoCache, and XProcessCache.

  • Location: %ProgramData%\Alteryx\Service\Staging

  • Permissions: Modify, Read & Execute, List Folder Contents, Read, Write

The engine folder in System Settings > Engine > General > Temporary Directory. This folder contains temporary files used in processed workflows and apps.

  • Location: %ProgramData%\Alteryx\Engine

  • Permissions: Modify, Read & Execute, List Folder Contents, Read, Write

The logging directory is specified in System Settings > Engine > General > Logging Directory. This folder contains output files created when workflows or apps are processed. By default, logging isn't enabled so the directory might be empty.

  • Permissions: Modify, List Folder Contents, Read, Write (Write permission is only needed if logging is enabled.)

The Run As and workflow credentials user account has to have a profile on the local machine where the workflow is executed and needs to have full control of that profile. This profile should be created automatically with the correct permissions the first time a job runs with the specified credential.

  • Location: C:\Users\<UserName>: %HOMEDRIVE%%HOMEPATH%

  • Permissions: Full Control

This is the minimum permission required on the Windows profile storage folder so profiles can be created successfully.

  • Location: C:\Users: %HOMEDRIVE%\Users

  • Permissions: Read & Execute, List Folder Contents, Read
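
To confirm the result of the steps and table above on a worker machine, the following read-only audit script reports what is still missing for one Run As account. It is an added example, not Alteryx code. Assumptions: the account name CONTOSO\svc-runas is hypothetical, the default paths are in use, the profile folder is named after the account, only rights granted directly to the account (not through group membership) are counted, and the logging directory is omitted because the page gives no default location for it.

```powershell
# Added audit example, not vendor code. Run elevated on each worker machine.
param([string]$RunAsUser = 'CONTOSO\svc-runas')   # hypothetical account name
$sid = ([System.Security.Principal.NTAccount]$RunAsUser).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. The Secondary Logon service (service name seclogon) must be running.
$running = (Get-Service -Name seclogon).Status -eq 'Running'
'{0,-8} {1}' -f $(if ($running) { 'OK' } else { 'MISSING' }), 'Secondary Logon service running'

# 2. "Log on as a batch job" is stored as the SeBatchLogonRight user right.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeBatchLogonRight\s*=' | Select-Object -First 1
$holders = @()
if ($line) { $holders = ($line.Line -split '=', 2)[1].Split(',').Trim().TrimStart('*') }
Remove-Item $inf -ErrorAction SilentlyContinue
$direct = ($holders -contains $sid) -or ($holders -contains $RunAsUser)
'{0,-8} {1}' -f $(if ($direct) { 'OK' } else { 'MISSING' }), 'Log on as a batch job (direct grant)'

# 3. Folder rights from the table above (default paths; adjust if relocated).
$leaf = $RunAsUser.Split('\')[-1]   # assumption: profile folder matches account name
$required = [ordered]@{
    'C:\Program Files\Alteryx'                       = 'ReadAndExecute'
    '%ProgramData%\Microsoft\Crypto\RSA\MachineKeys' = 'Read, Write'
    '%ProgramData%\SRC'                              = 'ReadAndExecute'
    '%ProgramFiles(x86)%\Alteryx'                    = 'ReadAndExecute'
    '%ProgramData%\Alteryx\Service\Staging'          = 'Modify'
    '%ProgramData%\Alteryx\Engine'                   = 'Modify'
    "%HOMEDRIVE%\Users\$leaf"                        = 'FullControl'
    '%HOMEDRIVE%\Users'                              = 'ReadAndExecute'
}
foreach ($entry in $required.GetEnumerator()) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Key)
    $need = [System.Security.AccessControl.FileSystemRights]$entry.Value
    if (-not (Test-Path -LiteralPath $path)) { '{0,-8} {1}' -f 'ABSENT', $path; continue }
    $granted = [System.Security.AccessControl.FileSystemRights]0
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {   # sum every Allow ACE that names the account's SID
        if ($ace.IdentityReference.Value -eq $sid -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor $ace.FileSystemRights
        }
    }
    $state = if (($granted -band $need) -eq $need) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}  needs [{2}]  has [{3}]' -f $state, $path, $need, $granted
}
```

An ABSENT result for the profile folder is expected before the first job has run with the credential, because the profile is created at that point. A "has" value broader than the "needs" value is worth reviewing against the minimums in the table.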