cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed

New "Run As" functionality - "No service account available"

Started ‎02-02-2023 by
Modified ‎02-02-2023 by
Views 2,564

Symptoms

After applying hotfix on Viya 3.5, users are no longer able to right-click a job/flow and select "run-as".

Error message displayed is: "No service account available":

 

Capture.PNG

 

Diagnosis

This functionality for all users to be able to select "run as" has been removed as a security measure by SAS.

 

Solution

The Problem Note #69519 explains that you have to enable "group-managed service accounts" in order for specific users/groups to be able to select specific service accounts.

https://support.sas.com/kb/69/519.html

It refers to the documentation regarding "Allow a Group-Managed Service Account to Manage the Credentials for a Token Domain", but to me, this was a bit unclear.

So here's a step-by-step guide to set this up.

 

Suppose you have a service account you want users to be able to run jobs as.

User id on this service account is for instance "svc-user".

 

1. Logged inn as a SAS Administrator, Create a new domain by selecting "Domains" in the left-hand menu:

Screen Shot 2023-02-01 at 12.07.47.png

 

Type in an ID-name (runAsSvcDomain in this example) and select "Authentication token" as the Type.

 Screen Shot 2023-02-01 at 12.09.32.png

2. Create 4 new rules to allow the "svc-user" username to be able to access SAS Environment Manager and do the necessary steps, step 3 below.

The rules listed here has the domain ID-name "runAsSvcDomain" and the "svc_user" in them. You need to change this to fit your environment.

 

In this example, the rules you need to create are:

/SASEnvironmentManager/domains
PrincipalType: User
Principal: svc-user
Permission: READ

/credentials/domains/runAsSvcDomain/groups/*
PrincipalType: User
Principal: svc-user
Permission: Create,Read,Update,Delete

/credentials/domains/runAsSvcDomain/users/*
PrincipalType: User
Principal: svc-user
Permission: Create,Read,Update,Delete

/credentials/domains/runAsSvcDomain/credentials
PrincipalType: User
Principal: svc-user
Permission: Read

 

In reality, you create them in Environment Manager by selecting "Rules" in the left-hand-side menu:

For instance, the first rule you need to create looks like this:

Screen Shot 2023-02-01 at 12.28.07.png

 

After the 4 rules are created, you need to log in as the service user:

 

3. Log into SAS Environment Manager as the service user and go to "Domains" in the left-hand-side menu.

 

Right-click the domain you created (runAsSvcDomain in this example) and select "Credentials".

Screen Shot 2023-02-01 at 12.52.51.png

 

Create a new credential where you select either single users or groups to be included in this domain. In this example, I select the group called "PerformanceTest":

Screen Shot 2023-02-01 at 12.35.22.png

 

The users you select, or the groups you select into this domain are the one who are now allowed to right-click a job/flow and select "run-as", and the only user they are allowed to select is the service-user "svc_user".

 

 

Version history
Last update:
‎02-02-2023 03:19 AM
Updated by:
SAS Employee
Contributors

hackathon24-white-horiz.png

The 2025 SAS Hackathon Kicks Off on June 11!

Watch the live Hackathon Kickoff to get all the essential information about the SAS Hackathon—including how to join, how to participate, and expert tips for success.

YouTube LinkedIn

SAS AI and Machine Learning Courses

The rapid growth of AI technologies is driving an AI skills gap and demand for AI talent. Ready to grow your AI literacy? SAS offers free ways to get started for beginners, business leaders, and analytics professionals of all skill levels. Your future self will thank you.

Get started

Article Labels
Article Tags