SASkiwi, a trust of the local system account is impossible; as the name implies, it is local. Windows has at least 5 built-in system accounts for several purposes. With Unix there is only root (0), and you are seeing the (1) coming with SELinux for security confinement.

Microsoft user links: Service User Accounts (Windows) (local system, network service, local service), at the domain level (domain admin, guest). The local system account is a mighty one on your local machine (like root). LocalSystem Account (Windows). For groups: Using Default Group Accounts. Some policy: why not use the domain admin account (root of all machines)? Security Watch: Why You Should Disable the Administrator Account. Yep, it will probably give you no security questions to solve, using that one for all. That approach, however, should be pre-historic these days. Security Watch: Why You Should Disable the Administrator Account.

In security policies there is "do not use root" and "set your limits to the lowest need" (do not grant rights that are not needed). Now you are coming in with a default SAS installation... ouch, it is violating a lot of those. Problems, problems... You can do two things: change or take over the world trying to follow SAS defaults, or make adjustments to SAS defaults and try to implement them.

The local system account is used by default. SAS(R) 9.3 Intelligence Platform: Security Administration Guide. SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition (Windows Privileges). Want to run more securely according to policies? Use dedicated users for SAS services and have a SAS group in your Windows domain. The "Trusted for Delegation" property of the needed dedicated SAS accounts is described (at AD-domain level!). The additional "logon as batch job" for all spawned processes is described (at AD-domain level!).
Instead of this approach being documented and explained by SAS Institute so it is accepted by MS security architects and admins, it is your work (and everybody else's) to do this. Those MS security guys do not want to implement those risky, highly privileged processes when nothing is underpinned. Be prepared for the discussions. With all your needed accounts well defined at the AD-domain level, all servers are trusted within that. Why did SAS follow this pre-historic approach, like the own-machine root usage? Well, it is easy selling and getting it up on a single machine.