Run a workbook with service account credentials
If you use OAuth to connect to your data platform, you might want some workbooks to run using service account credentials instead of as the individual users viewing the workbook. For example, if your workbook contains critical scheduled exports and materializations owned by a user that inconsistently accesses the workbook. If that user's OAuth token expires, the exports and materializations fail to run.
You can set a workbook to run using service account credentials in one of two ways, depending on the configuration of the OAuth connection to your data platform used for the workbook data sources:
- The connection uses the same OAuth configuration as the one used to log in to your Sigma organization (organization-level OAuth): A user assigned the Admin account type can configure the workbook to run queries using the service account configured on the connection. See the requirements and setup instructions.
- The connection uses an OAuth configuration specific to the connection (connection-level OAuth): A user with access to edit the workbook can swap the data source of the workbook to a different connection configured with service account credentials.
If you choose to run a workbook using service account credentials, Sigma queries data and evaluates permissions for the workbook differently. Refer to the following table to compare the behavior across different settings:
| Connection used as workbook data source | Is Run as service account configured? | How Sigma queries data and evaluates permissions |
|---|---|---|
Workbook using a non-OAuth connection. | N/A | Sigma evaluates the workbook owner's access to the source data and runs queries using the user account credentials set in the connection settings. |
Workbook using an OAuth connection. | Yes | Sigma queries the published version of the workbook using the service account credentials configured for the data connection whenever the workbook is viewed from within Sigma or run as part of a scheduled export. This ensures that any user with access to a workbook can view it, regardless of their data access in the data platform. |
Workbook using an OAuth connection. | No | Sigma always runs queries with the user's OAuth credentials, including when viewing workbooks owned by others. |
Workbook using some data from an OAuth connection and other data from a non-OAuth connection. | Yes | For the data from the OAuth connection, Sigma runs queries for the published version of the workbook using the service account credentials configured on the connection whenever the workbook is viewed within Sigma or run as part of a scheduled export. This ensures that any user with access to a workbook can view it, regardless of their data access in the data platform. For the data from the non-OAuth connection, Sigma evaluates the workbook owner's permission to the source data and runs queries using the user account credentials set in the connection settings. |
Workbook using some data from an OAuth connection and other data from a non-OAuth connection | No | For data from the OAuth connection, Sigma always runs queries with the user's OAuth credentials using the permissions configured in the IdP, including when users are viewing workbooks owned by others. For the data from the non-OAuth connection, Sigma evaluates the workbook owner's permission to the source data and runs queries using the user account credentials set in the connection settings. |
Workbook using data from two different OAuth connections with different OAuth configurations. | Yes | Sigma runs queries for the published version of the workbook using the service account credentials for each data connection whenever the workbook is viewed in Sigma or run as part of a scheduled export. This ensures that any user with access to a workbook can view it, regardless of their data access in the data platform. |
Workbook using data from two different OAuth connections with different OAuth configurations. | No | Sigma always runs queries with the user's OAuth credentials configured for each connection, using the permissions configured in the IdP, including when users are viewing workbooks owned by others. |
Requirements
-
To configure this setting on a workbook, you must be assigned the Admin account type.
-
The Run as service account option is only available on workbooks that use an OAuth connection that meets the following criteria:
-
A service account has been configured for the OAuth connection.
For information on how to configure a connection with a service account, see the documentation for your connection type:
-
OAuth is configured at the organization level. If your connection uses OAuth at the connection level, this option is not available. Instead, set up a second connection that uses service account credentials and change the source of the workbook to use that connection.
-
Run an individual workbook as a service account
- Open the workbook.
- Click the down arrow (
) to open the workbook menu. - Select Share....
- Turn on the Run as service account toggle.
Updated 3 days ago