
New "Run As" functionality - "No service account available"

Started ‎02-02-2023 by
Modified ‎02-02-2023 by

Symptoms

After applying a hotfix on Viya 3.5, users can no longer right-click a job/flow and select "run-as".

The error message displayed is "No service account available":

 

Capture.PNG

 

Diagnosis

As a security measure, SAS has removed the ability for all users to select "run as".

 

Solution

Problem Note #69519 explains that you have to enable "group-managed service accounts" so that specific users/groups can select specific service accounts.

https://support.sas.com/kb/69/519.html

It refers to the documentation regarding "Allow a Group-Managed Service Account to Manage the Credentials for a Token Domain", but to me, this was a bit unclear.

So here's a step-by-step guide to set this up.

 

Suppose you have a service account that you want users to be able to run jobs as.

The user ID of this service account is, for instance, "svc-user".

 

1. Logged in as a SAS Administrator, create a new domain by selecting "Domains" in the left-hand menu:

Screen Shot 2023-02-01 at 12.07.47.png

 

Type in an ID-name (runAsSvcDomain in this example) and select "Authentication token" as the Type.

 Screen Shot 2023-02-01 at 12.09.32.png

2. Create 4 new rules that allow the "svc-user" user to access SAS Environment Manager and perform the necessary steps (step 3 below).

The rules listed here contain the domain ID-name "runAsSvcDomain" and the user "svc-user". You need to change these to fit your environment.

 

In this example, the rules you need to create are:

/SASEnvironmentManager/domains
PrincipalType: User
Principal: svc-user
Permission: READ

/credentials/domains/runAsSvcDomain/groups/*
PrincipalType: User
Principal: svc-user
Permission: Create,Read,Update,Delete

/credentials/domains/runAsSvcDomain/users/*
PrincipalType: User
Principal: svc-user
Permission: Create,Read,Update,Delete

/credentials/domains/runAsSvcDomain/credentials
PrincipalType: User
Principal: svc-user
Permission: Read

 

In practice, you create them in Environment Manager by selecting "Rules" in the left-hand menu.

For instance, the first rule you need to create looks like this:

Screen Shot 2023-02-01 at 12.28.07.png

 

After the 4 rules are created, you need to log in as the service user:

 

3. Log into SAS Environment Manager as the service user and go to "Domains" in the left-hand-side menu.

 

Right-click the domain you created (runAsSvcDomain in this example) and select "Credentials".

Screen Shot 2023-02-01 at 12.52.51.png

 

Create a new credential where you select either single users or groups to be included in this domain. In this example, I select the group called "PerformanceTest":

Screen Shot 2023-02-01 at 12.35.22.png

 

The users or groups you select into this domain are the ones who are now allowed to right-click a job/flow and select "run-as", and the only user they are allowed to select is the service user "svc-user".
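
To check that the rules from step 2 were entered as listed, the following added example (not SAS code and not part of the original article) rebuilds the four rules for a domain and service account and compares them with a list of configured rules. The dictionary layout, the function names and the sample rules are assumptions constructed for illustration; exporting the rules from your environment is not covered here.

```python
# Added example. Field names follow the rule listing in step 2; the dict layout is assumed.
RULE_TEMPLATES = [
    ("/SASEnvironmentManager/domains", {"read"}),
    ("/credentials/domains/{domain}/groups/*", {"create", "read", "update", "delete"}),
    ("/credentials/domains/{domain}/users/*", {"create", "read", "update", "delete"}),
    ("/credentials/domains/{domain}/credentials", {"read"}),
]

def expected_rules(domain, service_user):
    """Build the four rules from step 2 for one domain and one service account."""
    return [{"objectUri": uri.format(domain=domain), "principalType": "User",
             "principal": service_user, "permissions": sorted(perms)}
            for uri, perms in RULE_TEMPLATES]

def _key(rule):
    # Compare case-insensitively: the listing writes both "READ" and "Read".
    perms = frozenset(p.strip().lower() for p in rule["permissions"])
    return (rule["objectUri"], rule["principalType"].lower(), rule.get("principal"), perms)

def audit(configured, domain, service_user):
    """Return (missing URIs, unexpected (URI, principal) rules on the domain's credentials)."""
    want = {_key(r) for r in expected_rules(domain, service_user)}
    have = {_key(r) for r in configured}
    missing = sorted(k[0] for k in want - have)
    prefix = f"/credentials/domains/{domain}/"
    unexpected = sorted((k[0], k[2] or k[1]) for k in have - want
                        if k[0].startswith(prefix))
    return missing, unexpected

# Constructed sample: one rule has the principal mistyped, one is broader than step 2.
CRUD = ["Create", "Read", "Update", "Delete"]
SAMPLE = [
    {"objectUri": "/SASEnvironmentManager/domains", "principalType": "User",
     "principal": "svc-user", "permissions": ["READ"]},
    {"objectUri": "/credentials/domains/runAsSvcDomain/groups/*", "principalType": "User",
     "principal": "svc-user", "permissions": CRUD},
    {"objectUri": "/credentials/domains/runAsSvcDomain/users/*", "principalType": "User",
     "principal": "svc-user", "permissions": CRUD},
    {"objectUri": "/credentials/domains/runAsSvcDomain/credentials", "principalType": "User",
     "principal": "svc_user", "permissions": ["Read"]},
    {"objectUri": "/credentials/domains/runAsSvcDomain/users/*",
     "principalType": "authenticatedUsers", "principal": None, "permissions": ["Read", "Update"]},
]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE, "runAsSvcDomain", "svc-user")
    print("missing:", missing)
    print("unexpected:", unexpected)
```

A rule whose principal or permissions differ from step 2 shows up in both lists: its object URI is reported as missing and the differing rule as unexpected.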

 

 

Version history
Last update:
‎02-02-2023 03:19 AM