Previous Page | Next Page

Users, Groups, and Roles

Windows Privileges

Access this computer from the network
Description This privilege is required in order to connect to SAS servers.
To Whom Give this privilege to all users who access SAS servers on Windows.
How Typically, this right is already granted to the Windows group Everyone. To confirm, check the Windows local policy settings.

Log on as a batch job
Description This privilege is required in order to run a stored process server or any type of workspace server.
To Whom On the Windows computer that hosts the SAS object spawner, give this privilege to the accounts under which workspace servers and stored process servers run:
  • any service account under which one of these servers run

  • all puddle logins for any client-side pooled workspace servers

  • any user accounts under which a standard workspace server runs1

How Modify the local security policy. For example, on Windows XP, this right is managed from the Windows control panel under Administrative Tools [arrow] Local Security Policy [arrow] User Rights Assignment [arrow] Log on as a batch job. If you have an operating system group (such as SAS Server Users) that has this right, you just add users and service account identities to that group.
1 Users who authenticate to the standard workspace server by Integrated Windows authentication or SAS token authentication don't need this privilege.

Trusted for delegation
Description This privilege enables a process to allow each user's credentials to be sent to further machines for authentication (for example, to access a UNC path). The privilege is needed if the workspace server is accessed through Integrated Windows authentication and provides access to Windows network resources.1
To Whom Give this privilege to the account under which the object spawner runs. By default, the spawner runs as a service under the local system account, so the computer account for spawner's host needs the privilege.
How As a Windows domain administrator, under Start [arrow] Control Panel [arrow] Administrative Tools [arrow] Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.

For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.

Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.

1 With Integrated Windows authentication, the workspace server does not receive the requesting user's credentials, so the workspace server cannot provide credentials for downstream servers. Instead, the spawner account must be trusted to delegate each requesting user's identity as necessary.

Note:   In most cases, an object spawner on Windows runs as a service under the local system account account. If the spawner instead runs under some other account, that account must be a Windows administrator on the spawner's host and have the Windows user rights Adjust memory quotas for a process and Replace a process level token. These user rights assignments are part of the local security policy for the Windows computer that hosts the spawner.  [cautionend]

See Also

Host Authentication

Integrated Windows Authentication

Previous Page | Next Page | Top of Page