cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
AllanBowe
Barite | Level 11 AllanBowe
Barite | Level 11
Go to Solution

Prevent Studio users from accessing custom Compute Context

Posted 03-31-2026 11:33 AM (685 views)

We have a web application that makes use of a custom Compute Context with a dedicated system account (SYSUSERID).    Similar to a Stored Process context in SAS 9.

The problem is that end users are able to select that context in other Viya applications, such as SAS Studio, and hence run their own code using that SYSUSERID.

For a batch job, you would simply restrict which users can access the context.  But in this case, we need the end users to be able to access the context, albeit only for Jobs within a particular Viya Folder.

Is there any way to restrict access to a Compute Context to specific Jobs?  As opposed to specific users/groups?  

Alternatively, is there any setting (analogous to the INIT setting of SAS 9 STPs) that will run whenever the compute session is launched?  As perhaps custom logic can be added there (in this fashion).  Note that the autoexec is not helpful here, as the runtime variables are injected after the autoexec executes.


/Allan
MacroCore library for app developers
Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Prevent Studio users from accessing custom Compute Context

Posted 04-02-2026 11:46 AM (564 views)  |   In reply to AllanBowe
Access to a context would be driven by authorization rules against the CREATE (HTTP POST) permission on the URI /compute/contexts/<context-id>/sessions. Such a request would not include which job is being run for you to attach a condition to the access, but you could perhaps limit it based on the clientId being used to make the request. How is your web application running jobs?
--
Greg Wootton | Principal Systems Technical Support Engineer

View solution in original post

0 Likes
Reply
3 REPLIES 3
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Prevent Studio users from accessing custom Compute Context

Posted 04-02-2026 11:46 AM (565 views)  |   In reply to AllanBowe
Access to a context would be driven by authorization rules against the CREATE (HTTP POST) permission on the URI /compute/contexts/<context-id>/sessions. Such a request would not include which job is being run for you to attach a condition to the access, but you could perhaps limit it based on the clientId being used to make the request. How is your web application running jobs?
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
AllanBowe
Barite | Level 11 AllanBowe
Barite | Level 11

Re: Prevent Studio users from accessing custom Compute Context

Posted 04-03-2026 02:18 PM (533 views)  |   In reply to gwootton

Hi Greg - thanks for the followup.

The web content is being served from the Files service, and as such it just passes the web token automatically in the SAS api requests and we have not needed to create a CLIENT_ID, nor invoke SASLogon.   The url is in the pattern https://SASSERVER/SASJobExecution?_file=/path/to/file.html

If we were to use a client id (with auth / refresh token) we would still have the same problem though, as users could presumably still grab that token from their browser and spawn remote sessions under the remote credentials.

In the SAS 9 world it was very much possible (and very common) for an administrator or developer to carefully define a Stored Process, running under a system account, and allow end users to run that Stored Process _without_ giving them the ability to run their own code in that same context.

I guess my real question is, how to recreate that functionality with Viya (let end users safely run predefined jobs under system credentials) in the context of a single page web app (no external server, no browser leakage of secrets).



/Allan
MacroCore library for app developers
Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
0 Likes
Reply
AllanBowe
Barite | Level 11 AllanBowe
Barite | Level 11

Re: Prevent Studio users from accessing custom Compute Context

Posted 2 weeks ago (211 views)  |   In reply to AllanBowe

To the point about "preventing studio users from accessing the context", Greg's post answers the question

Regarding the part about triggering jobs under a system account without letting user inject code into that context, have raised a SAS Track with ServiceNow:   CS0398400

/Allan
MacroCore library for app developers
Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
0 Likes
Reply

Catch up on SAS Innovate 2026

Dive into keynotes, announcements and breakthroughs on demand.

Explore Now →
Discussion stats
  • 3 replies
  • ‎03-31-2026 11:33 AM
  • 686 views
  • 0 likes
  • 2 in conversation