topic Re: Do SAS spawned server account (sassrv) and first user account (sasdemo) need to be local admins in Administration and Deployment

Do SAS spawned server account (sassrv) and first user account (sasdemo) need to be local admins ?

thesasuser — Tue, 04 Jan 2022 18:25:31 GMT

Hello
I apologize if this question is very trivial.
My question is do SAS Spawned Server Account (sassrv) and the first user account (sasdemo) need to be local administrators?
The context is of SAS 9.4 being installed on a Windows Server.
As I see in the documentation these are external accounts and the spawned server account account(sassrv) needs to be a member of the group of the sas installer account( typically sas). In addition it needs to have log in as batch privileges'.
I haven't seen any requirement that sassrv and sasdemo should have local admin rights (i.e. members of the local administrator group).

I request experienced administrator and superusers for their guidance.

Re: Do SAS spawned server account (sassrv) and first user account (sasdemo) need to be local admins

gwootton — Tue, 04 Jan 2022 18:27:12 GMT

No, these users should not be local admins.

Re: Do SAS spawned server account (sassrv) and first user account (sasdemo) need to be local admins

AllanBowe — Wed, 05 Jan 2022 07:27:06 GMT

This account should actually have quite restricted permissions, especially if you are allowing business users to create stored processes (eg, using EG).

This is because - unless you configure the STP to run under the end user OS creds - you are granting those users the ability to run code under a different OS account.

Where you need to run SAS Apps with STPs with elevated OS credentials (such as in our product, Data Controller for SAS) then you are recommended to create a dedicated STP context and restrict the STPs that can run under that context. More info: https://docs.datacontroller.io/dci-stpinstance/