Symptoms
After applying a hotfix on Viya 3.5, users are no longer able to right-click a job/flow and select "run-as".
The error message displayed is: "No service account available".
Diagnosis
The ability for all users to select "run as" has been removed by SAS as a security measure.
Solution
The Problem Note #69519 explains that you have to enable "group-managed service accounts" in order for specific users/groups to be able to select specific service accounts.
https://support.sas.com/kb/69/519.html
It refers to the documentation regarding "Allow a Group-Managed Service Account to Manage the Credentials for a Token Domain", but to me, this was a bit unclear.
So here's a step-by-step guide to set this up.
Suppose you have a service account that you want users to be able to run jobs as.
The user ID of this service account is, for instance, "svc-user".
1. Logged in as a SAS Administrator, create a new domain by selecting "Domains" in the left-hand menu:
Type in an ID-name (runAsSvcDomain in this example) and select "Authentication token" as the Type.
2. Create 4 new rules that allow the "svc-user" user to access SAS Environment Manager and perform the necessary steps (step 3 below).
The rules listed here have the domain ID-name "runAsSvcDomain" and the user "svc-user" in them. You need to change these to fit your environment.
In this example, the rules you need to create are:
/SASEnvironmentManager/domains
    PrincipalType: User   Principal: svc-user   Permission: READ
/credentials/domains/runAsSvcDomain/groups/*
    PrincipalType: User   Principal: svc-user   Permission: Create,Read,Update,Delete
/credentials/domains/runAsSvcDomain/users/*
    PrincipalType: User   Principal: svc-user   Permission: Create,Read,Update,Delete
/credentials/domains/runAsSvcDomain/credentials
    PrincipalType: User   Principal: svc-user   Permission: Read
In reality, you create them in Environment Manager by selecting "Rules" in the left-hand-side menu:
For instance, the first rule you need to create looks like this:
After the 4 rules are created, you need to log in as the service user:
3. Log into SAS Environment Manager as the service user and go to "Domains" in the left-hand-side menu.
Right-click the domain you created (runAsSvcDomain in this example) and select "Credentials".
Create a new credential where you select either single users or groups to be included in this domain. In this example, I select the group called "PerformanceTest":
The users or groups you select into this domain are the ones who are now allowed to right-click a job/flow and select "run-as", and the only user they are allowed to select is the service user "svc-user".
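To confirm that the service account ended up with exactly the four grants from step 2 and nothing broader, the check below compares a list of rules against that expected set. It is an added example, not SAS code: the dictionary field names (objectUri, principal, permissions) and the sample rules are assumptions constructed for illustration.

```python
# Added example. Field names are assumed; map them to the fields of
# whatever rule listing you export from your own environment.

def expected_rules(domain):
    """The four grants from step 2, keyed by object URI."""
    base = f"/credentials/domains/{domain}"
    crud = {"create", "read", "update", "delete"}
    return {
        "/SASEnvironmentManager/domains": {"read"},
        f"{base}/groups/*": crud,
        f"{base}/users/*": crud,
        f"{base}/credentials": {"read"},
    }

def audit(rules, domain, principal):
    """Return findings where the principal's rules differ from step 2."""
    want = expected_rules(domain)
    findings, seen = [], set()
    for rule in rules:
        if rule["principal"] != principal:
            continue
        uri = rule["objectUri"]
        perms = {p.lower() for p in rule["permissions"]}
        if uri not in want:
            # e.g. another domain, or a wildcard covering every domain
            findings.append(("unexpected-uri", uri))
            continue
        seen.add(uri)
        if perms - want[uri]:
            findings.append(("excess-permissions", uri, sorted(perms - want[uri])))
        if want[uri] - perms:
            findings.append(("missing-permissions", uri, sorted(want[uri] - perms)))
    findings += [("missing-rule", uri) for uri in want.keys() - seen]
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample: the last two rules deviate from step 2 on purpose.
CRUD = ["Create", "Read", "Update", "Delete"]
SAMPLE = [
    {"objectUri": "/SASEnvironmentManager/domains", "principal": "svc-user", "permissions": ["READ"]},
    {"objectUri": "/credentials/domains/runAsSvcDomain/groups/*", "principal": "svc-user", "permissions": CRUD},
    {"objectUri": "/credentials/domains/runAsSvcDomain/users/*", "principal": "svc-user", "permissions": CRUD},
    {"objectUri": "/credentials/domains/runAsSvcDomain/credentials", "principal": "svc-user", "permissions": ["Read", "Delete"]},
    {"objectUri": "/credentials/domains/**", "principal": "svc-user", "permissions": ["Read"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "runAsSvcDomain", "svc-user"):
        print(finding)
```

An empty result means the service account holds exactly the step 2 grants for that domain.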