Windows Privileges

Access This Computer from the Network

Description
This privilege is required in order to connect to SAS servers.
To Whom
Give this privilege to all users who access SAS servers on Windows.
How
Typically, this right is already granted to the Windows group Everyone. To confirm, check the Windows local policy settings.

Log on as a Batch Job

Description
This privilege is required in order to run a stored process server or any type of workspace server.
To Whom
On the Windows computer that hosts the SAS object spawner, give this privilege to the accounts under which workspace servers and stored process servers run:
  • any service account under which one of these servers runs
  • all puddle logins for any client-side pooled workspace servers
  • any user accounts under which a standard workspace server runs (users who authenticate by Integrated Windows authentication or SAS token authentication don't need this privilege)
How
Modify the local security policy. For example, on Windows XP, this right is managed from the Windows control panel under Administrative Tools > Local Security Policy > User Rights Assignment > Log on as a batch job. If you have an operating system group (such as SAS Server Users) that has this right, you just add users and service account identities to that group.

Trusted for Delegation

Description
This privilege enables a process to allow each user's credentials to be sent to further machines for authentication (for example, to access a UNC path). The privilege is needed if the workspace server is accessed through Integrated Windows authentication and provides access to network resources.
Note: With Integrated Windows authentication, the workspace server does not receive the requesting user's credentials, so the workspace server cannot provide credentials for downstream servers. Instead, the spawner account must be trusted to delegate each requesting user's identity as necessary.
To Whom
If the workspace server runs on Windows, give this privilege to the account under which the object spawner runs. By default, the spawner runs as a service under the local system account, so the computer account for the spawner's host needs the privilege.
If the workspace server runs on UNIX, give this privilege to the service principal account that is referenced in the relevant keytab (the keytab is based on service principal names that correspond to a particular service principal account). For more information, see the chapter "Configuring Integrated Windows Authentication" in Configuration Guide for SAS Foundation for UNIX Environments at http://support.sas.com/documentation/installcenter.
How
As a Windows domain administrator, under Start > Control Panel > Administrative Tools > Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.
If your spawner runs on Windows under the local system account, select the spawner host machine in Active Directory under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.
If your spawner runs on Windows under a domain account, select that account in Active Directory under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box.
If your spawner runs on UNIX, select the appropriate service principal account in Active Directory under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box.
Note: In most cases, an object spawner on Windows runs as a service under the local system account. If the spawner instead runs under some other account, that account must be a Windows administrator on the spawner's host and have the Windows user rights Adjust memory quotas for a process and Replace a process level token. These user rights assignments are part of the local security policy for the Windows computer that hosts the spawner.
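
One way to confirm the settings described above from the command line, as an added example that is not part of the SAS documentation: it exports the local user rights with secedit, resolves the holders of the four rights this page names, and reads the delegation flag of the host's computer account. It assumes an elevated PowerShell session on a domain-joined spawner host; the function names and the temporary file name are chosen here. Constrained delegation is stored in msDS-AllowedToDelegateTo and is not reported by this flag.

```powershell
# Added example: audit the rights this page names. Run elevated on the spawner host.
$rights = [ordered]@{                       # policy name -> secedit constant
    'Access this computer from the network' = 'SeNetworkLogonRight'
    'Log on as a batch job'                 = 'SeBatchLogonRight'
    'Adjust memory quotas for a process'    = 'SeIncreaseQuotaPrivilege'
    'Replace a process level token'         = 'SeAssignPrimaryTokenPrivilege'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes holders as *S-1-... SIDs; anything else is already a name
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sidText                            # orphaned SID: report it unresolved
    }
}

function Get-UserRightHolders([string[]]$InfLines, [string]$Constant) {
    $line = $InfLines | Where-Object { $_ -match "^$Constant\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }          # no line means nobody holds the right
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() }
}

function Test-TrustedForDelegation([string]$SamAccountName) {
    # The delegation check box sets TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl
    $hit = ([adsisearcher]"(sAMAccountName=$SamAccountName)").FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found in the domain" }
    [bool]($hit.Properties['useraccountcontrol'][0] -band 0x80000)
}

# Export only the user-rights area of the local security policy, then parse it
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content $cfg
Remove-Item $cfg

foreach ($name in $rights.Keys) {
    [pscustomobject]@{
        UserRight = $name
        Holders   = (Get-UserRightHolders $inf $rights[$name]) -join '; '
    }
}

# Spawner running as local system: the host's computer account (NAME$) is the one to check
$computerAccount = $env:COMPUTERNAME + '$'
"{0} trusted for delegation: {1}" -f $computerAccount, (Test-TrustedForDelegation $computerAccount)
```

If the spawner runs under a domain account instead, pass that account's sAMAccountName to Test-TrustedForDelegation and look for it (or a group it belongs to) among the holders of the last two rights.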