Configuring a Client-side Pooling Workspace Server to Enforce Row-Level Security

About Row-Level Permissions Configuration

After the initial installation and configuration of the SAS Intelligence Platform, most sites have a single workspace server, which is part of the default SAS Application Server, SASApp. By default, this workspace server is a standard workspace server, which means that workspace server processes are spawned on an as-needed basis. If you need comprehensive security, set up the high-security configuration of SAS Web Report Studio. This configuration prevents regular users from circumventing row-level filters by accessing the target tables directly (without going through the information map that enforces the filters).
This section explains how to create a second client-side pooling workspace server that you can use as part of an environment in which row-level permissions are enforced. For more information about this environment, see Overview of BI Row-Level Permissions in SAS Guide to BI Row-Level Permissions.

Defining the Necessary Users and Groups

Overview of Defining the Necessary Users and Groups

The first step in setting up the new client-side pooling workspace server is to define two accounts for users who must be authenticated by the operating system on the workspace server host, and several user and group metadata objects.

Create User Accounts

Create user accounts that will enable the operating system on the workspace server host to authenticate the following users. On Windows systems, these accounts can be domain accounts or local accounts:
  • rpooladm - This account is for the client-side pool administrator, the user who handles requests for processes in the workspace server client-side pool. The password for this account should be unique.
  • rpoolsrv - This is the puddle login account. Each SAS Web Report Studio user who has access to the client-side pool must belong to a group that has a login that contains this user ID and the associated password.
On Windows systems, grant both of these users the Log on as a batch job right. If you created a SAS Server Users group when you first installed the SAS Intelligence Platform, you can give these users this right by adding them to that group.
Once you have created these user accounts, you should create the metadata objects described in the next section.

Create User and Group Objects

In SAS Management Console, use the User Manager to create one user and two groups:
  • User: Restricted Client-side Pool Administrator
  • Group: Restricted Client-side Pool Puddle Login
  • Group: Restricted Client-side Pool Puddle Access

Define the Restricted Client-side Pool Administrator

To define the Restricted Client-side Pool Administrator, follow these steps:
  1. Right-click User Manager, and select New, then select User from the pop-up menu.
  2. In the New User Properties dialog box, on the General tab, enter the name Restricted Client-side Pool Administrator in the Name box.
  3. In the same dialog box, select the Accounts tab.
  4. Add a login to the user object by selecting New and entering the appropriate information in the New Login Properties dialog box. In the User ID box, enter the name rpooladm. If the operating system account for this user is a Windows account, qualify the name with a domain or machine name and a backslash. Then select the authentication domain for your workspace server from the Authentication Domain drop-down list. It is preferable, for security reasons, not to put the password in the metadata. Click OK at the bottom of the dialog box.
  5. Click OK in the New User Properties dialog box.

Define the Restricted Pool Puddle Login Group

To define the Restricted Pool Puddle Login group, follow these steps:
  1. Right-click User Manager, and select New, then select Group from the pop-up menu. A New Group Properties dialog box appears.
  2. On the General tab, enter the name Restricted Client-side Pool Puddle Login in the Name box.
  3. On the Members tab, select the Restricted Client-side Pool Administrator, and click the right-arrow button to move the user to the Current Members list.
  4. On the Accounts tab, create a new login that contains the credentials for rpoolsrv and the authentication domain of the workspace server. (See step 4 in Define the Restricted Client-side Pool Administrator for details about how to create this login.)
  5. Click OK in the New Group Properties dialog box.
Create a second group named Restricted Client-side Pool Puddle Access. Add any users or groups that you want to be able to use the restricted client-side pool as members of this group. No logins are necessary.

Create a Restricted Workspace Server Client-side Pool

To create the restricted client-side pooling workspace server, follow these steps:
  1. In the directory SAS-configuration-directory\SASApp—or SASMain—create a directory called RestrictedPool. Then, in the RestrictedPool directory, create a logs directory.
  2. In the directory SAS-configuration-directory\SASApp\RestrictedPool, create a configuration file that will be used when the restricted workspace server is started. The way in which you perform this step depends on whether the workspace server will run on a Windows host or a UNIX host.
    Windows
    In the directory SAS-configuration-directory\SASApp\RestrictedPool, create a file named sasv9.cfg, and enter the following lines in the file:
      -config "SAS-configuration-directory\SASApp\sasv9.cfg"
    UNIX
    In the directory SAS-configuration-directory/SASApp/RestrictedPool, create a file named workspaceServer.cfg, and enter the following lines in the file:
      -config !SASROOT/sasv9.cfg
      -config sasv9.cfg
    Later in the procedure, you will test the connection to the workspace server. If the test fails, you can remove the comments from the lines that relate to logging in order to enable logging. You can then repeat the test and check the workspace server log file for error messages.
  3. Choose one of the following authentication methods for the workspace servers to use in connecting to the metadata server. Also, perform any tasks associated with the method that you choose.
    • If you use the TRUSTSASPEER object server parameter in your metadata server's configuration file (the default), then you can rely on that mechanism for workspace server authentication. The restricted pool workspace servers connect to the metadata server under the rpoolsrv identity when launched by SAS Web Report Studio and connect under the end user's identity when launched by a desktop application. In this mode, if you are working with an external DBMS, you must ensure that both the Restricted Client-side Pool Puddle Login group and any allowed individuals have database credentials.
    • You can also use the METAUSER and METAPASS options in the restricted client-side pool workspace server's configuration file. With this approach, the TRUSTSASPEER option is not required, and only the Restricted Client-side Pool Puddle Login group needs database credentials. For this approach, edit the configuration file that you created in step 2 to add these lines:
      -metauser "rpoolsrv"
      -metapass "encrypted-rpoolsrv-password"
      On Windows systems, be sure to prepend a domain or host-name qualifier to the user ID. You can encrypt the password using PROC PWENCODE.
      Note: The configuration file for the restricted workspace server must be locked down at the operating system level. The client-side pool administrator launches workspace servers under an operating system user ID of rpoolsrv. Workspace servers executed against this pool (such as those that are run by the SAS Information Map Studio Test dialog box) run under the end-user ID. Remember to change this configuration file if site policy requires periodic changes on service accounts.
  4. In SAS Management Console, define a new SAS Application Server, named RestrictedPool, that contains a workspace server.
    1. Right-click Server Manager, and select New Server from the pop-up menu. The New Server Wizard starts.
    2. On the wizard's first page, select SAS Application Server and click Next.
    3. On the wizard's second page, enter the name RestrictedPool in the Name box and click Next.
    4. On the wizard's third page, accept the default values and click Next.
    5. On the wizard's fourth page, select Workspace Server and click Next.
    6. On the wizard's fifth page, select the Custom radio button and click Next.
    7. On the wizard's sixth page, enter the following values in the Command and Object server parameters boxes. The first command is appropriate for a workspace server that is running on a Windows host, and the second is appropriate for a UNIX host. The value that you enter in the Object server parameters field is not dependent on the operating system.
      Command (Windows)
      sas -config "SAS-configuration-directory\SASApp\RestrictedPool\sasv9.cfg"
      Command (UNIX)
      SAS-configuration-directory/SASApp/sas.sh -config RestrictedPool/workspaceServer.cfg
      Then click Next.
    8. On the wizard's seventh page, specify the following values.
      Authentication domain
      Specify the same authentication domain that you used when you defined your first workspace server. By default, this will be DefaultAuth.
      Bridge port
      Change the default value, 8591, to the number of an unassigned port, such as 9591.
    9. On the wizard's eighth page, click Finish.
  5. Update the metadata definition of your object spawner to indicate that the spawner should start processes for the new workspace server.
    1. Right-click the icon that represents the spawner, and select Properties from the pop-up menu. A Spawner Properties dialog box appears.
    2. Select the Servers tab.
    3. Move RestrictedPool - Workspace Server from the list of Available servers to the list of Selected servers.
    4. Click OK.
    5. Restart your object spawner.
  6. Test the connection to your new workspace server.
    1. In the left pane of SAS Management Console, select RestrictedPool - Workspace Server. Information about a connection displays in the right pane.
    2. Right-click the icon representing the connection, and select Test Connection from the pop-up menu.
    3. If you are logged in to SAS Management Console as an unrestricted user, such as sasadm@saspw, you will be prompted for the credentials of a user who can start a workspace server. Enter the credentials for a user such as sasdemo. You should see a message indicating that the test was successful.
      Note: If you happen to enter invalid credentials for a login, clear the credentials cache (select File, then select Clear Credentials Cache), and SAS Management Console will prompt you to re-enter the credentials.
    If the connection test fails, look at the log files for the object spawner and the new workspace server. The most likely cause of the problem is that you made a mistake in editing the configuration file for the new workspace server—the configuration file in the RestrictedPool directory.
  7. Convert the new workspace server to client-side pooling.
    1. Right-click RestrictedPool - Logical Workspace Server, and select Convert To, then select Pooling from the pop-up menu.
    2. You are asked whether you want to continue. Click Yes. The Pooling Options dialog box appears.
    3. In this dialog box, click New to bring up the New Puddle dialog box.
    4. In the New Puddle dialog box, supply the following values:
      Defining a New Puddle
      Field                        Value
      Name                         restrictedPoolPuddle
      Minimum available server     0
      Minimum number of servers    0
      Login                        rpoolsrv
      Grant access to group        Restricted Pool Puddle Access
      Then click OK.
    5. Click OK in the Pooling Options dialog box.
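As an added example (not from the SAS documentation or from SAS itself), the following POSIX shell script performs the UNIX file-system part of steps 1 through 3 above and the lock-down that the Note in step 3 requires: it creates the RestrictedPool and logs directories, writes workspaceServer.cfg with the two -config lines plus the METAUSER and METAPASS options, restricts the file mode, and then checks that the file is not readable by other accounts and that the -metapass value is an encoded string rather than a plaintext password. The function names, the SAS_CONFIG_DIR variable standing in for SAS-configuration-directory, and the placeholder METAPASS value are assumptions; the real value is the output of PROC PWENCODE, which is a string beginning with a prefix such as {sas002}.

```shell
#!/bin/sh
# Added example, not SAS-supplied code. SAS_CONFIG_DIR stands in for the
# SAS-configuration-directory used throughout the procedure (assumption).

# Create SASApp/RestrictedPool and SASApp/RestrictedPool/logs under the
# configuration directory and write the UNIX workspaceServer.cfg.
make_restricted_pool() {
    cfg_root="$1"
    pool_dir="$cfg_root/SASApp/RestrictedPool"
    mkdir -p "$pool_dir/logs"
    # The two -config lines pull in the installation-wide and SASApp-level
    # configuration. The -metapass value is a PLACEHOLDER: replace it with
    # the {sas002}... string that PROC PWENCODE writes to the SAS log.
    cat > "$pool_dir/workspaceServer.cfg" <<'EOF'
-config !SASROOT/sasv9.cfg
-config sasv9.cfg
-metauser "rpoolsrv"
-metapass "{sas002}PLACEHOLDER-ENCODED-PASSWORD"
EOF
    # Lock the file down at the operating-system level: owner access only.
    # Which account owns it depends on how the spawner launches the pool
    # servers at your site; set ownership with chown to match.
    chmod 600 "$pool_dir/workspaceServer.cfg"
    chmod 750 "$pool_dir/logs"
}

# Audit check: returns 0 when the restricted-pool configuration file exists,
# is readable by its owner only, and carries an encoded (not plaintext)
# METAPASS value; returns 1 and prints the reason otherwise.
check_restricted_pool_cfg() {
    f="$1/SASApp/RestrictedPool/workspaceServer.cfg"
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) ;;
        *) echo "$f mode is $perms; expected 600 or 400"; return 1 ;;
    esac
    grep -q '^-metauser' "$f" || { echo "no -metauser line in $f"; return 1; }
    # PROC PWENCODE output starts with a {sas00N} method prefix; anything
    # else in -metapass is treated as a plaintext password and rejected.
    grep -q '^-metapass "{sas00[1-4]}' "$f" \
        || { echo "-metapass in $f is not a PWENCODE-style {sasNNN} value"; return 1; }
    return 0
}

# Stand-alone use: SAS_CONFIG_DIR=/path/to/config sh restricted_pool.sh
if [ -n "${SAS_CONFIG_DIR:-}" ]; then
    make_restricted_pool "$SAS_CONFIG_DIR"
    check_restricted_pool_cfg "$SAS_CONFIG_DIR" && echo "RestrictedPool configuration OK"
fi
```

Run PROC PWENCODE in a SAS session (for example, proc pwencode in='...' method=sas002; run;) and paste the resulting string in place of the placeholder before starting the server. The two checks are the ones worth keeping in a post-configuration audit: a plaintext -metapass value, or a file that accounts other than the owner can read, gives anyone who can log on to the host the puddle credentials and defeats the purpose of the restricted pool. The Windows variant differs only in the file name (sasv9.cfg) and in using an NTFS ACL instead of chmod.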

Assign Libraries to the New Server

You must assign each library that you plan to access from the locked-down instance of SAS Web Report Studio to the server RestrictedPool. To assign each library, follow these steps:
  1. Right-click the icon for the library, and select Edit Assignments from the pop-up menu. The Edit Assignments dialog box appears.
  2. Hold down the CTRL key and click the list entry for RestrictedPool. (This action selects RestrictedPool and leaves items that are already selected in a selected state.) Then click OK.
  3. Right-click the library again, and select Properties from the pop-up menu. The Library-name Properties dialog box appears.
  4. Select the Options tab.
  5. Click the Advanced Options button. The Advanced Options dialog box appears.
  6. Select the Library is pre-assigned option, and click OK.
  7. Click OK in the properties dialog box.
In the future, when you create information maps that you want to access from the locked-down instance of SAS Web Report Studio, make sure that you locate relational data sources by using the RestrictedPool server. Also, save these maps in a separate folder: /BIP Tree/ReportStudio/RestrictedData/Maps.

Create a Second SAS Web Report Studio Deployment

When you deploy SAS, the SAS Deployment Wizard creates an initial SAS Web Report Studio deployment using the inputs that you supply. Later, you can re-run the SAS Deployment Wizard to create additional deployments. For more information, see Install and Configure SAS Interactively in SAS Intelligence Platform: Installation and Configuration Guide.
Follow these guidelines when running the SAS Deployment Wizard to add another SAS Web Report Studio deployment:
  • Use a deployment plan that contains the SAS middle tier.
  • Choose the Custom configuration prompting level. You want to be able to access the configuration dialog box where you can set the SAS Metadata Server and the SAS Web Report Studio deployment instance name. The Express prompt level does not allow you to access these configuration settings.
  • Define the SAS Metadata Server connection information for the metadata server that you are currently using.
  • Use the correct machine name on which you are adding the SAS Web Report Studio deployment.
  • Name the second SAS Web Report Studio deployment instance, RestrictedDataReporting.

Secure Sensitive Data Resources

Ensure that sensitive data resources are readable only by rpoolsrv (not sassrv) and the IT staff.
For target data that is in third-party databases, set up credentials in the metadata to enable the puddle account to access those servers. You can make credentials for a database server available to the puddle account by storing those credentials in a login as part of the Restricted Puddle Access group definition.
For example, to enable the puddle account to access a DB2 server, you would give the Restricted Puddle Access group a login that includes a DB2 user ID and password and that is associated with the DB2 server's authentication domain.
Note: Some members of your IT staff will also need to be able to authenticate to the database server.