BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
barry_van_dijk
Obsidian | Level 7

Our ICT partner is holding back when it comes to provide the required privilege 'Replace Process Level Token' for the cas account, which is one of the prerequisites for the installation of our Viya machine (on Windows). Their main issue is that our Active Directory is a shared one, used by multiple local government parties. With the mentioned privilege it is possible to act as another user..

 

They are willing to grant the privilege, but would like answers to the following questions:

 

  • What does the privilege do in relation to the SAS Viya software?
  • Is this privilege necessary during installation only or also while using the environment?
  • Does the account need to remain enabled after installation, or can it be disabled afterwards?
  • Can the account's permissions be limited by the option 'Deny log on locally'?

Does anyone know answers to above questions and/or solutions to mitigate the identified risks?

 

Thank you!

 

Best regards,

Barry van Dijk

1 ACCEPTED SOLUTION

Accepted Solutions
alexal
SAS Employee

@barry_van_dijk ,

 

Replace Process Level Token - is an equivalent of setuid on UNIX. This right is required in order to start a process under a different user account such as with the CreateProcessAsUser() Win32 API.

What does the privilege do in relation to the SAS Viya software?

Starts the CAS processes on behalf of other users, if necessary.

Is this privilege necessary during installation only or also while using the environment?

That is required while using the environment.

Does the account need to remain enabled after installation, or can it be disabled afterwards?

Yes, the CAS account should be enabled at all times.

Can the account's permissions be limited by the option 'Deny log on locally'?

No.

View solution in original post

1 REPLY 1
alexal
SAS Employee

@barry_van_dijk ,

 

Replace Process Level Token - is an equivalent of setuid on UNIX. This right is required in order to start a process under a different user account such as with the CreateProcessAsUser() Win32 API.

What does the privilege do in relation to the SAS Viya software?

Starts the CAS processes on behalf of other users, if necessary.

Is this privilege necessary during installation only or also while using the environment?

That is required while using the environment.

Does the account need to remain enabled after installation, or can it be disabled afterwards?

Yes, the CAS account should be enabled at all times.

Can the account's permissions be limited by the option 'Deny log on locally'?

No.

sas-innovate-2024.png

Available on demand!

Missed SAS Innovate Las Vegas? Watch all the action for free! View the keynotes, general sessions and 22 breakouts on demand.

 

Register now!

Discussion stats
  • 1 reply
  • 661 views
  • 1 like
  • 2 in conversation