
New "Run As" functionality - "No service account available"

Started ‎02-02-2023 by
Modified ‎02-02-2023 by

Symptoms

After applying a hotfix on Viya 3.5, users are no longer able to right-click a job/flow and select "run-as".

The error message displayed is: "No service account available".

 

Diagnosis

SAS has removed the ability for all users to select "run as" as a security measure.

 

Solution

Problem Note #69519 explains that you have to enable "group-managed service accounts" so that specific users/groups can select specific service accounts.

https://support.sas.com/kb/69/519.html

It refers to the documentation regarding "Allow a Group-Managed Service Account to Manage the Credentials for a Token Domain", but to me, this was a bit unclear.

So here's a step-by-step guide to set this up.

 

Suppose you have a service account you want users to be able to run jobs as.

The user ID of this service account is, for instance, "svc-user".

 

1. Logged in as a SAS Administrator, create a new domain by selecting "Domains" in the left-hand menu.

 

Type in an ID-name (runAsSvcDomain in this example) and select "Authentication token" as the Type.


2. Create 4 new rules that allow the "svc-user" user to access SAS Environment Manager and perform the necessary steps (step 3 below).

The rules listed here contain the domain ID-name "runAsSvcDomain" and the user "svc-user". You need to change these to fit your environment.

 

In this example, the rules you need to create are:

/SASEnvironmentManager/domains
PrincipalType: User
Principal: svc-user
Permission: Read

/credentials/domains/runAsSvcDomain/groups/*
PrincipalType: User
Principal: svc-user
Permission: Create, Read, Update, Delete

/credentials/domains/runAsSvcDomain/users/*
PrincipalType: User
Principal: svc-user
Permission: Create, Read, Update, Delete

/credentials/domains/runAsSvcDomain/credentials
PrincipalType: User
Principal: svc-user
Permission: Read

 

In practice, you create them in SAS Environment Manager by selecting "Rules" in the left-hand menu.

For instance, the first rule you need to create is the Read rule on /SASEnvironmentManager/domains for the user svc-user.

 

After the 4 rules are created, you need to log in as the service user.

3. Log in to SAS Environment Manager as the service user and go to "Domains" in the left-hand menu.

 

Right-click the domain you created (runAsSvcDomain in this example) and select "Credentials".


 

Create a new credential where you select either single users or groups to be included in this domain. In this example, I select the group called "PerformanceTest".

 

The users or groups you select for this domain are the ones who are now allowed to right-click a job/flow and select "run-as", and the only user they are allowed to select is the service user "svc-user".
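A check for the four rules from step 2, as an added example that is not part of the original article and is not SAS code: it compares a list of rule records with those rules and reports permissions the service account lacks or holds in excess, plus other principals whose rules reach the domain's credentials. The record keys (objectUri, principalType, principal, permissions), the function names and the wildcard handling are assumptions, and the sample records are constructed.

```python
from fnmatch import fnmatchcase

CRUD = {"create", "read", "update", "delete"}

def expected_rules(domain):
    """Object URI -> permissions for the four rules listed in step 2."""
    base = f"/credentials/domains/{domain}"
    return {"/SASEnvironmentManager/domains": {"read"},
            f"{base}/groups/*": CRUD,
            f"{base}/users/*": CRUD,
            f"{base}/credentials": {"read"}}

def audit(rules, domain, svc_user):
    """Return (missing, excess, others): step 2 permissions the account lacks,
    permissions it holds beyond step 2, and other principals whose rules
    reach this domain's credentials."""
    want = expected_rules(domain)
    base = f"/credentials/domains/{domain}"
    probes = [f"{base}/users/x", f"{base}/groups/x", f"{base}/credentials"]
    held, others = {}, []
    for r in rules:
        uri = r["objectUri"]
        perms = {p.strip().lower() for p in r["permissions"]}
        is_svc = r["principalType"].lower() == "user" and r["principal"] == svc_user
        # Assumption: '*' in a rule URI is a wildcard that may span path segments.
        reaches = any(fnmatchcase(p, uri) for p in probes)
        if is_svc and (uri in want or reaches):
            held.setdefault(uri, set()).update(perms)
        elif reaches:
            others.append((r["principalType"], r["principal"], uri))
    missing = {u: sorted(p - held.get(u, set())) for u, p in want.items()
               if p - held.get(u, set())}
    excess = {u: sorted(p - want.get(u, set())) for u, p in held.items()
              if p - want.get(u, set())}
    return missing, excess, others

def rule(uri, ptype, principal, perms):
    """Build one rule record in the assumed (hypothetical) format."""
    return {"objectUri": uri, "principalType": ptype,
            "principal": principal, "permissions": perms.split(",")}

D = "/credentials/domains/runAsSvcDomain"
SAMPLE = [  # constructed records using the article's example names
    rule("/SASEnvironmentManager/domains", "User", "svc-user", "READ"),
    rule(f"{D}/groups/*", "User", "svc-user", "Create,Read,Update,Delete"),
    rule(f"{D}/users/*", "User", "svc-user", "Create,Read,Update"),  # Delete left out
    rule(f"{D}/credentials", "User", "svc-user", "Read,Update"),     # Update not in step 2
    rule("/credentials/domains/*/users/*", "Group", "PerformanceTest", "Read"),
]
if __name__ == "__main__":
    print(audit(SAMPLE, "runAsSvcDomain", "svc-user"))
```

Entries in the third result are for review rather than automatic removal, since administrators may legitimately hold broader rules on credentials.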

 

 

Version history
Last update:
‎02-02-2023 03:19 AM