diff --git a/src/aou-sas/Dockerfile b/src/aou-sas/Dockerfile
index 77f8a144..6fbb55e6 100644
--- a/src/aou-sas/Dockerfile
+++ b/src/aou-sas/Dockerfile
@@ -11,15 +11,29 @@ COPY --from=load-envs /dist/load-env /dist/load-env.sh /opt/sas/aou/
 # Workbench startup scripts (post-startup.sh, resource-mount.sh) expect
 # apt-get / apt. These shims delegate to yum on this RHEL-based SAS image.
 ###############################################################################
-RUN printf '#!/bin/bash\ncase "$1" in\n update) exec yum makecache -y ;;\n install) shift; exec yum install -y "$@" ;;\n *) exec yum "$@" ;;\nesac\n' > /usr/local/bin/apt-get && \
+RUN printf '#!/bin/bash\ncase "$1" in\n update) exec yum makecache -y ;;\n install) shift; exec yum install -y --allowerasing "$@" ;;\n *) exec yum "$@" ;;\nesac\n' > /usr/local/bin/apt-get && \
 chmod +x /usr/local/bin/apt-get && \
 cp /usr/local/bin/apt-get /usr/local/bin/apt && \
 chmod +x /usr/local/bin/apt

+###############################################################################
+# Disable SAS-internal repos (unreachable outside SAS network) and enable
+# public UBI + EPEL repos so packages like jq, fuse, git can be resolved.
+###############################################################################
+RUN dnf config-manager --set-disabled \
+ crackles-epel-everything \
+ sas-rhel-9-baseos sas-rhel-9-appstream sas-rhel-9-codeready \
+ sas-ubi-9-baseos sas-ubi-9-appstream sas-ubi-9-codeready-builder && \
+ dnf config-manager --set-enabled \
+ ubi-9-baseos-rpms ubi-9-appstream-rpms ubi-9-codeready-builder-rpms && \
+ rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+ yum clean all
+
 ###############################################################################
 # System packages required by Workbench startup scripts
 ###############################################################################
-RUN yum install -y jq curl fuse fuse-libs tar wget sudo git && \
+RUN yum install -y --allowerasing curl fuse fuse-libs wget sudo git \
+ java-17-openjdk-headless && \
 yum clean all

 ###############################################################################
@@ -39,10 +53,11 @@ RUN curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cl
 rm -f google-cloud-cli-565.0.0-linux-x86_64.tar.gz

 ###############################################################################
-# AoU user (non-root, no sudo)
+# AoU user — a separate, unprivileged user for SAS Studio sessions.
+# GID 1100 matches the original Helm chart (sasAouGroup).
 ###############################################################################
-RUN groupadd -g 1001 aougroup && \
- useradd -u 1001 -g aougroup -m -d /data -s /bin/bash aou && \
+RUN groupadd -g 1100 aougroup && \
+ useradd -g aougroup -m -d /data -s /bin/bash aou && \
 echo "aou:aou" | chpasswd && \
 rm -f /etc/sudoers.d/aou

diff --git a/src/aou-sas/docker-compose.yaml b/src/aou-sas/docker-compose.yaml
index 89849d8b..6250970b 100644
--- a/src/aou-sas/docker-compose.yaml
+++ b/src/aou-sas/docker-compose.yaml
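Review bot: In the Dockerfile's new repo-setup `RUN`, `rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm` installs an unpinned `latest` package straight from a URL, and nothing visible in the hunk imports the EPEL signing key first, so rpm has no key to check the package signature against and the build is not reproducible. That package supplies the repo definition and GPG keys that every later EPEL install trusts, so it is worth verifying explicitly: download it to a file, then `rpm --import <EPEL 9 key vendored in this repo>` and `rpm -K epel-release.rpm` before installing, or compare the file with a pinned `sha256sum` value. Separately, `--allowerasing` in the shim's `install)` branch applies to every `apt-get install` the startup scripts issue later (presumably at container start), where a dependency conflict could remove packages already in the image; keeping the flag only on the build-time `yum install` line that needs it would limit that. The new comment also names jq as a package to resolve while the install line drops `jq` and `tar`, so a one-line comment saying where those now come from would help.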
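Review bot: In the Dockerfile's AoU-user `RUN`, `useradd -g aougroup -m -d /data -s /bin/bash aou` no longer passes `-u`, so the aou UID is whatever useradd allocates next, yet the docker-compose.yaml hunk in this commit hard-codes `uid=1002,gid=1100` for the `/data/workspace` tmpfs. If the base image or an earlier layer gains or loses an account, the allocated UID shifts and the workspace is then owned by a UID that is not aou; pinning it keeps the two files in agreement: `useradd -u 1002 -g aougroup -m -d /data -s /bin/bash aou && \`. The context line `echo "aou:aou" | chpasswd` also leaves a fixed, guessable password in the image for the account the new comment describes as the SAS Studio session user. If that login is reachable by anyone other than the workspace owner, the credential should be set at runtime instead; otherwise a comment stating why a fixed password is acceptable here would help.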
@@ -22,7 +22,7 @@ services:
 # the SAS_LICENSE_PATH file descriptor instead.
 - ./sasinside:/sasinside
 tmpfs:
- - /data/workspace:uid=1001,gid=1001
+ - /data/workspace:uid=1002,gid=1100
 environment:
 HOST_AUTH: ""
 SAS_DEBUG: "0"