Hello I apologize if this question is very trivial. My question is do SAS Spawned Server Account (sassrv) and the first user account (sasdemo) need to be local administrators? The context is of SAS 9.4 being installed on a Windows Server. As I see in the documentation these are external accounts and the spawned server account account(sassrv) needs to be a member of the group of the sas installer account( typically sas). In addition it needs to have log in as batch privileges'. I haven't seen any requirement that sassrv and sasdemo should have local admin rights (i.e. members of the local administrator group).
I request experienced administrator and superusers for their guidance.
This account should actually have quite restricted permissions, especially if you are allowing business users to create stored processes (eg, using EG).
This is because - unless you configure the STP to run under the end user OS creds - you are granting those users the ability to run code under a different OS account.
Where you need to run SAS Apps with STPs with elevated OS credentials (such as in our product, Data Controller for SAS) then you are recommended to create a dedicated STP context and restrict the STPs that can run under that context. More info: https://docs.datacontroller.io/dci-stpinstance/
/Allan SAS Challenges - SASensei MacroCore library for app developers SAS networking events (BeLux, Germany, UK&I) Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs