|Users, Groups, and Roles|
|Description||This privilege is required in order to connect to SAS servers.|
|To Whom||Give this privilege to all users who access SAS servers on Windows.|
|How||Typically, this right is already granted to the Windows group Everyone. To confirm, check the Windows local policy settings.|
|Description||This privilege is required in order to run a stored process server or any type of workspace server.|
On the Windows computer that hosts the SAS object spawner,
give this privilege to the accounts under which workspace servers and stored
process servers run:
|How||Modify the local security policy. For example, on Windows XP, this right is managed from the Windows control panel under Administrative Tools Local Security Policy User Rights Assignment Log on as a batch job. If you have an operating system group (such as SAS Server Users) that has this right, you just add users and service account identities to that group.|
|1 Users who authenticate to the standard workspace server by Integrated Windows authentication or SAS token authentication don't need this privilege.|
|Description||This privilege enables a process to allow each user's credentials to be sent to further machines for authentication (for example, to access a UNC path). The privilege is needed if the workspace server is accessed through Integrated Windows authentication and provides access to Windows network resources.1|
|To Whom||Give this privilege to the account under which the object spawner runs. By default, the spawner runs as a service under the local system account, so the computer account for spawner's host needs the privilege.|
As a Windows domain administrator, under Start Control
Panel Administrative Tools Active
Directory Users and Computers, access the properties
dialog box for the relevant account and grant the privilege.
For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.
Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.
|1 With Integrated Windows authentication, the workspace server does not receive the requesting user's credentials, so the workspace server cannot provide credentials for downstream servers. Instead, the spawner account must be trusted to delegate each requesting user's identity as necessary.|
Note: In most cases, an object spawner on Windows runs as a service under the local system account account. If the spawner instead runs under some other account, that account must be a Windows administrator on the spawner's host and have the Windows user rights Adjust memory quotas for a process and Replace a process level token. These user rights assignments are part of the local security policy for the Windows computer that hosts the spawner.