Run a workbook with service account credentials

On workbooks created with data from an OAuth connection with a service account, an admin can configure the workbook to run queries using the service account instead of each user’s OAuth credentials.

OAuth tokens can expire if the owner goes a significant amount of time without logging in to Sigma. If this happens, scheduled exports and materialization schedules configured by that user fail. This limitation can be avoided by running the workbook with service account credentials.

This setting changes how Sigma queries data and evaluates permissions for the workbook. Refer to the following table to compare the behavior:

| Workbook connections | Is Run as service account configured? | How Sigma queries data and evaluates permissions |
| --- | --- | --- |
| Workbook using a non-OAuth connection. | N/A | Sigma evaluates the workbook owner's permission to the source data and then runs queries using the user account credentials set in the connection settings. |
| Workbook using an OAuth connection. | Yes | Sigma queries the published version of the workbook using the data connection’s service account credentials whenever it is viewed from within Sigma or run as part of a scheduled report. This ensures that any user with permissions on a workbook can view it, regardless of their permissions in the cloud data warehouse. |
| Workbook using an OAuth connection. | No | Sigma always runs queries with the organization member's OAuth credentials. This includes when users are viewing workbooks owned by others. |
| Workbook using some data from an OAuth connection and other data from a non-OAuth connection. | Yes | For the data from the OAuth connection, Sigma queries the published version of the workbook using the data connection’s service account credentials whenever it is viewed from within Sigma or run as part of a scheduled report. This ensures that any user with permissions on a workbook can view it, regardless of their permissions in the cloud data warehouse. For the data from the non-OAuth connection, Sigma evaluates the workbook owner's permission to the source data and then runs queries using the user account credentials set in the connection settings. |
| Workbook using some data from an OAuth connection and other data from a non-OAuth connection. | No | For data from the OAuth connection, Sigma always runs queries with the user's OAuth credentials using the permissions configured in the IdP. This includes when users are viewing workbooks owned by others. For the data from the non-OAuth connection, Sigma evaluates the workbook owner's permission to the source data and then runs queries using the user account credentials set in the connection settings. |
| Workbook using data from two different OAuth connections with different OAuth configurations. | Yes | Sigma queries the published version of the workbook using each data connection’s service account credentials whenever it is viewed from within Sigma or run as part of a scheduled report. This ensures that any user with permissions on a workbook can view it, regardless of their permissions in the cloud data warehouse. |
| Workbook using data from two different OAuth connections with different OAuth configurations. | No | Sigma always runs queries with the user's OAuth credentials as they are configured for each connection, using the permissions configured in the IdP. This includes when users are viewing workbooks owned by others. |

Requirements

  • To configure this setting on a workbook, you must be assigned the Admin account type.
  • The Run as service account option is only available on workbooks using an OAuth connection for which a service account has been configured. For information on how to configure a connection with a service account, see the documentation for your connection type:

Run an individual workbook as a service account

  1. Open the workbook in Published mode.

  2. Click the caret to open the workbook menu.

  3. Select Share….

  4. Turn on the toggle next to Run as service account.