SAS workspace sessions require an OS user account to authenticate and log onto the SAS App server and start a SAS session, so you can't use an account only defined in SAS metadata. Using an account like sasdemo which is defined as an OS account as well as in SAS metadata could be useful for a test environment.

Yes, OS account is stored inside a metadata group.

It is just to divide the metadata permissions to different levels.

The question is: with 4 metadata internal users how can I open a workspace with one OS user?

Assign the user to the group with credentials seems doesn’t take any effect.

Create an Auth domain for the one OS user, then add that Auth domain to the 4 metadata internal users.

Thanks for the reply.

Where do I have to add the new Auth domain to the 4 internal users?

In the Accounts tab of the internal users properties, select the New button to add the new Auth domain with associated OS account.

With this solution I will have 1 internal account with 1 OS account right?

In this case using an internal account is not useful.

But 4 internal account and 1 shared os account?

Sorry, if I understand your requirements correctly you need to create a User Group and then assign the new Authentication Domain linked to the single OS account under the Accounts tab for this group.

Then create your internal users and add them to the above User Group in the Groups and Roles tab. That should enable the OS account to be shared across the users.

Yes the user group with OS credentials is what I did but when I authenticate with internal user in EG it shows me the popup to put the credentials for the connection to SasApp.

This Is what I did in production environment with LDAP and works well, but with the internal users EG doesn’t assign automatically the OS group user.

What I’m forgetting?

When I create the profile in EG do I have to specify the AuthDomain of the OS user or leave it blank?

And could I use the DefaultAuth domain for the OS group user or I have to create another one?

It's been a while, but would configuring the Workspace server for token authentication not solve this?

(although, officially, use of internal accounts for this kind of thing still isn't recommended)

http://documentation.sas.com/?docsetId=bisecag&docsetVersion=9.4&docsetTarget=p06o3ymf2cuw16n1cmyi47...

Probably yes, but I will have to create another workspace to do this...

I think this is your only way. I did some testing, I don't think inherited (DefaultAuth) session credentials work for spawning sessions, they have to be owned by the authenticated user directly. 

You could just, again in theory, define a second token-authenticated application server context in metadata only, the paths for which point to the same one you have defined at the moment. Haven't tested this but it's worth a try. 

Nik

Thank you very much.

I noticed that I can authenticate an internal user (or ldap) with a bad workaround:

I stored credentials in a group with DefaultAuth and in the EG profile I go with my internal account but in the Authorization Domain text box in EG I have to put a virtual domain that doesn’t exist in SAS metadata. In this way I can open the workspace...why?

Is there an explanation?