https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985719#M3051 <P>We have a web application that makes use of a custom Compute Context with a dedicated system account (SYSUSERID).&nbsp; &nbsp; Similar to a Stored Process context in SAS 9.<BR /><BR />The problem is that end users are able to select that context in other Viya applications, such as SAS Studio, and hence run their own code using that SYSUSERID.<BR /><BR />For a batch job, you would simply restrict which users can access the context.&nbsp; But in this case, we need the end users to be able to access the context, albeit only for Jobs within a particular Viya Folder.<BR /><BR /><STRONG>Is there any way to restrict access to a Compute Context to specific Jobs?</STRONG>&nbsp; As opposed to specific users/groups?&nbsp;&nbsp;<BR /><BR />Alternatively, is there any setting (analogous to the INIT setting of SAS 9 STPs) that will run whenever the compute session is launched?&nbsp; As perhaps custom logic can be added there (<A href="https://docs.datacontroller.io/dci-stpinstance/#stp-server-context" target="_self">in this fashion</A>).&nbsp; Note that the autoexec is not helpful here, as the runtime variables are injected after the autoexec executes.<BR /><BR /><BR /></P> Tue, 31 Mar 2026 15:34:33 GMT AllanBowe 2026-03-31T15:34:33Z https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985719#M3051 <P>We have a web application that makes use of a custom Compute Context with a dedicated system account (SYSUSERID).&nbsp; &nbsp; Similar to a Stored Process context in SAS 9.<BR /><BR />The problem is that end users are able to select that context in other Viya applications, such as SAS Studio, and hence run their own code using that SYSUSERID.<BR /><BR />For a batch job, you would simply restrict which users can access the context.&nbsp; But in this case, we need the end users to be able to access the context, albeit only for Jobs within a particular Viya Folder.<BR /><BR /><STRONG>Is there any way to restrict access to a Compute Context to specific Jobs?</STRONG>&nbsp; As opposed to specific users/groups?&nbsp;&nbsp;<BR /><BR />Alternatively, is there any setting (analogous to the INIT setting of SAS 9 STPs) that will run whenever the compute session is launched?&nbsp; As perhaps custom logic can be added there (<A href="https://docs.datacontroller.io/dci-stpinstance/#stp-server-context" target="_self">in this fashion</A>).&nbsp; Note that the autoexec is not helpful here, as the runtime variables are injected after the autoexec executes.<BR /><BR /><BR /></P> Tue, 31 Mar 2026 15:34:33 GMT https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985719#M3051 AllanBowe 2026-03-31T15:34:33Z https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985861#M3052 Access to a context would be driven by authorization rules against the CREATE (HTTP POST) permission on the URI /compute/contexts/&lt;context-id&gt;/sessions. Such a request would not include which job is being run for you to attach a condition to the access, but you could perhaps limit it based on the clientId being used to make the request. How is your web application running jobs? Thu, 02 Apr 2026 15:46:41 GMT https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985861#M3052 gwootton 2026-04-02T15:46:41Z https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985935#M3053 <P>Hi Greg - thanks for the followup.<BR /><BR />The web content is being served from the Files service, and as such it just passes the web token automatically in the SAS api requests and we have not needed to create a CLIENT_ID, nor invoke SASLogon.&nbsp; &nbsp;The url is in the pattern <A href="https://SASSERVER/SASJobExecution?_file=/path/to/file.html" target="_blank" rel="noopener">https://SASSERVER/SASJobExecution?_file=/path/to/file.html</A><BR /><BR />If we were to use a client id (with auth / refresh token) we would still have the same problem though, as users could presumably still grab that token from their browser and spawn remote sessions under the remote credentials.<BR /><BR />In the SAS 9 world it was very much possible (and very common) for an administrator or developer to carefully define a Stored Process, running under a system account, and allow end users to run that Stored Process _without_ giving them the ability to run their own code in that same context.<BR /><BR />I guess my real question is, how to recreate that functionality with Viya (let end users safely run predefined jobs under system credentials) in the context of a single page web app (no external server, no browser leakage of secrets).<BR /><BR /><BR /><BR /></P> Fri, 03 Apr 2026 18:19:20 GMT https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/985935#M3053 AllanBowe 2026-04-03T18:19:20Z https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/986574#M3058 <P>To the point about "preventing studio users from accessing the context", Greg's post answers the question<BR /><BR />Regarding the part about triggering jobs under a system account without letting user inject code into that context, have raised a SAS Track with ServiceNow:&nbsp; &nbsp;CS0398400</P> Mon, 20 Apr 2026 21:13:57 GMT https://communities.sas.com/t5/SAS-Viya/Prevent-Studio-users-from-accessing-custom-Compute-Context/m-p/986574#M3058 AllanBowe 2026-04-20T21:13:57Z