freshstarter
Quartz | Level 8

Hello All,

 

This is regarding our implementation of a Group Managed Service Account (gMSA) in our latest SAS Viya environment.

 

We have created a service account in Entra and provisioned it to SAS via SCIM for scheduling purposes. Based on this, we are planning to use a gMSA-style approach where a group of users from our OPS team can schedule jobs using this service account.

Current setup:

  1. Created a service account and added it to a custom group: “Service Account User for Schedule”
  2. Created an Entra ID group: OPS_Schedule_Team and added relevant members and then provisioned to SAS
  3. Logged in via CLI using the service account and executed the following commands to create the authentication domain and store credentials:

     sas-viya credentials domains create --domain-id Scheduling_OPS_TokenAuth --type oauth2.0

     sas-viya credentials groups create --domain-id Scheduling_OPS_TokenAuth --identity-id OPS_Schedule_Team --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling

 

  • The domain was created successfully, and I can see an entry in the credentials store for this authentication domain with identity as OPS_Schedule_Team
  • In SAS Environment Manager, users in the OPS team are able to select the service account under the “Run as” option when scheduling jobs. Everything is working as expected so far.

Going forward, we will not be logging in interactively using the service account. Instead, OPS team members will schedule jobs using it via the gMSA approach.

 

My question is regarding the refresh token lifecycle:

 

  • Since we are not logging in interactively with the service account, will scheduled jobs continue to run only as long as the refresh token remains valid? Is this understanding correct?
  • If the refresh token expires, what is the recommended way to automate token renewal for the service account without manual intervention?
  • I came across this document: https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update... It mentions a scheduled job for automatic token rotation, but it appears to apply only up to the 2023.11 release. We are currently on the 2026.03 release—has this approach changed in newer versions?

Additional clarification:

If we do not use the gMSA approach and instead log in interactively with the service account to schedule jobs, would we face the same issue? For example, if a job is scheduled daily and no one logs in again for an extended period, will the job continue to run only until the refresh token expires?

 

Any clarification or best practices around this setup would be greatly appreciated. Thanks in advance.

 
