Access this computer from the network
Description
This privilege is required in order to connect to SAS servers.
To Whom
Give this privilege to all users who access SAS servers on Windows.
How
Typically, this right is already granted to the Windows group Everyone. To confirm, check the Windows local policy settings.
Log on as a batch job
Description
This privilege is required in order to run a stored process server or any type of workspace server.
To Whom
On the Windows computer that hosts the SAS object spawner, give this privilege to the accounts under which workspace servers and stored process servers run:
- any service account under which one of these servers runs
- all puddle logins for any client-side pooled workspace servers
- any user accounts under which a standard workspace server runs¹
How
Modify the local security policy. For example, on Windows XP, this right is managed from the Windows control panel under Administrative Tools > Local Security Policy > User Rights Assignment > Log on as a batch job. If you have an operating system group (such as SAS Server Users) that has this right, you just add users and service account identities to that group.
¹ Users who authenticate to the standard workspace server by Integrated Windows authentication or SAS token authentication don't need this privilege.
Trusted for delegation
Description
This privilege enables a process to allow each user's credentials to be sent to further machines for authentication (for example, to access a UNC path). The privilege is needed if the workspace server is accessed through Integrated Windows authentication and provides access to Windows network resources.¹
To Whom
Give this privilege to the account under which the object spawner runs. By default, the spawner runs as a service under the local system account, so the computer account for the spawner's host needs the privilege.
How
As a Windows domain administrator, under Start > Control Panel > Administrative Tools > Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.
For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.
Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.
¹ With Integrated Windows authentication, the workspace server does not receive the requesting user's credentials, so the workspace server cannot provide credentials for downstream servers. Instead, the spawner account must be trusted to delegate each requesting user's identity as necessary.
Note: In most cases, an object spawner on Windows runs as a service under the local system account. If the spawner instead runs under some other account, that account must be a Windows administrator on the spawner's host and have the Windows user rights Adjust memory quotas for a process and Replace a process level token. These user rights assignments are part of the local security policy for the Windows computer that hosts the spawner.
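The local-policy user rights named on this page can be confirmed from a `secedit` export rather than by clicking through the policy console. The PowerShell below is an added example, not SAS code: the account names (`sassrv`, `sasdemo`, `sasspawn`) and the sample export are constructed, and the `Se...` constants are the Windows identifiers for the rights named above.

```powershell
# Constructed sample of what `secedit /export /areas USER_RIGHTS /cfg rights.inf` writes.
# On a real host, read the exported file instead: $inf = Get-Content .\rights.inf
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,sassrv
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
'@ -split "`r?`n"

# Rights named on this page -> principals expected to hold them.
# Account names are hypothetical; S-1-1-0 is the well-known SID for Everyone.
# The two spawner rows apply only when the spawner does not run as local system.
$required = [ordered]@{
    SeNetworkLogonRight           = @('S-1-1-0')            # Access this computer from the network
    SeBatchLogonRight             = @('sassrv', 'sasdemo')  # Log on as a batch job
    SeIncreaseQuotaPrivilege      = @('sasspawn')           # Adjust memory quotas for a process
    SeAssignPrimaryTokenPrivilege = @('sasspawn')           # Replace a process level token
}

function Get-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # secedit writes SIDs with a leading '*'; other entries appear as account names.
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

$actual = Get-PrivilegeRights -Lines $inf
foreach ($right in $required.Keys) {
    $holders = @($actual[$right])
    foreach ($principal in $required[$right]) {
        $state = if ($holders -contains $principal) { 'OK     ' } else { 'MISSING' }
        '{0}  {1,-30} {2}' -f $state, $right, $principal
    }
}
```

The comparison is by string, so list each expected principal in the same form the export uses (SID or account name), and note that a right granted through a group such as SAS Server Users shows up as the group, not its members. Trusted for delegation is an Active Directory account setting rather than a local user right, so it does not appear in this export.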
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.