First-Priority Setup Tasks

Summary of First-Priority Setup Tasks

The following tasks are necessary to protect the integrity of your system. Complete these steps as soon as possible after installation, before you complete any of the other tasks that are outlined in this chapter.
First-Priority Setup Tasks
Task
Description
Secure the SAS configuration on each server machine.
For a secure deployment, the configuration directory on each server machine must be protected by operating system controls. These controls will prevent inappropriate access to repository data sets, server scripts, server logs, and configuration files.
On Windows systems, all configuration directories, files, and scripts are owned by the user who performs the installation. You must update the permissions as shown in Recommended Operating System Protections for Windows Machines. These recommendations assume that your SAS servers and spawners run as services under the Local System account.
On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate permissions. The default permissions are shown in Default Operating System Protections for UNIX and z/OS Machines.
Establish a formal, regularly scheduled backup process.
Establish a formal, regularly scheduled backup process that includes your metadata repositories as well as the associated physical files.
The SAS 9.3 Metadata Server includes a new server-based facility that performs metadata server backups automatically on a scheduled basis. By default, a schedule of daily backups is configured by the SAS Deployment Wizard. As a best practice, you should modify your backup configuration to specify a storage device other than the device that is used to store the metadata repositories and the server configuration files, and you should be sure to include this backup location in your regular system backups. See Backing Up and Recovering the SAS Metadata Server in SAS Intelligence Platform: System Administration Guide.
It is important to also back up the physical data that is associated with the metadata so that related information will be synchronized if a restore becomes necessary. For guidance in setting up a backup process, see Best Practices for Backing Up and Restoring Your SAS Content in SAS Intelligence Platform: System Administration Guide.

Recommended Operating System Protections for Windows Machines

On Windows server machines, we recommend that you apply the following operating system protections to your configuration directory. All of these directories are located in SAS-configuration-directory\Lev1.
Recommended Operating System Protections on Windows
Directories
Users
Recommended Permissions
SAS-configuration-directory
SYSTEM and Administrators
Full Control
All other users
List Folder Contents, Read
SAS-configuration-directory\Lev1
SYSTEM and Administrators
Full Control
SAS Spawned Servers (sassrv)
On Windows Vista, Windows 7, and Windows Server 2008: Special Permissions to read and execute1
On Windows XP: Read and Execute1
All other users
List Folder Contents, Read
Lev1\SASApp
SYSTEM and Administrators
Full Control
SAS Spawned Servers (sassrv)
Windows Vista, Windows 7, and Windows Server 2008 only: Special Permissions to read and execute1
All other users
List Folder Contents, Read
Lev1 subdirectories: Documents, ReportBatch, SASMeta, Utilities, Web
SYSTEM and Administrators
Full Control
All other users
List Folder Contents, Read
Lev1 subdirectories:
  • ConnectSpawner
  • Logs
  • ObjectSpawner
  • SASApp\OLAPServer
  • SASMeta\MetadataServer
  • FrameworkServer
  • ShareServer
SYSTEM and Administrators
Full Control
Remove all other users and groups
SASApp subdirectories : PooledWorkspaceServer, StoredProcessServer
SYSTEM, Administrators
Full Control
SAS Spawned Servers (sassrv)
On Windows Vista, Windows 7, and Windows Server 2008 only: Read & Execute, List Folder Contents, and Read1
All other users
No access
SASApp subdirectories : PooledWorkspaceServer\Logs, StoredProcessServer\Logs
SYSTEM, Administrators, and SAS Spawned Servers (sassrv)
Full Control1
SASApp subdirectories:
  • ConnectServer\Logs
  • Data\wrsdist
  • Data\wrstemp
  • PooledWorkspaceServer\sasuser
  • StoredProcessServer\sasuser
  • WorkspaceServer\Logs
SASMeta\WorkspaceServer\Logs
SYSTEM, Administrators, and SAS Spawned Servers (sassrv)
Full Control
sasv9_meta.cfg file
SYSTEM and Administrators
Read and Write
Remove all other users and groups
1Effective with the second maintenance release for SAS 9.3, the SAS Deployment Wizard automatically sets these permissions for sassrv.
Note:
  • These recommendations assume that your SAS servers and spawners run as services under the Local System account. If servers and spawners are run under a different account, then grant that account the permissions that are recommended for SYSTEM.
  • You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination (for example, SAS-configuration-directory\Lev1\Logs).
  • If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
  • If you enable logging for a workspace server, then you will need to grant all users of the workspace server Full Control of the log directory. (See Create a Log File for Workspace Server Troubleshooting in SAS Intelligence Platform: System Administration Guide).
For details about the configuration directory structure, see Overview of the Configuration Directory Structure in SAS Intelligence Platform: System Administration Guide.

Default Operating System Protections for UNIX and z/OS Machines

The following table shows the default operating system protections that are provided automatically for configuration directories on UNIX and z/OS machines. All of these directories are located in SAS-configuration-directory/Lev1.
Default Operating System Protections on UNIX and z/OS
Directories
Users
Default Permissions
SAS-configuration-directory
SAS-configuration-directory/Lev1
Lev1 subdirectories: Documents, ReportBatch, SASApp, SASMeta, Utilities, Web
SAS Installer
Read, Write, and Execute
All other users
Read and Execute
Lev1 subdirectories:
  • ConnectSpawner
  • Logs
  • ObjectSpawner
  • SASApp/OLAPServer
  • SASMeta/MetadataServer
  • FrameworkServer
  • ShareServer
SAS Installer
Read, Write, and Execute
All other users
No access
SASApp subdirectories : PooledWorkspaceServer, StoredProcessServer
SAS Installer
Read, Write, and Execute
sas group
Read and Execute
SASApp subdirectories :
  • ConnectServer/Logs
  • Data/wrsdist
  • Data/wrstemp
  • PooledWorkspaceServer/Logs
  • PooledWorkspaceServer/sasuser
  • StoredProcessServer/Logs
  • StoredProcessServer/sasuser
  • WorkspaceServer/Logs
SASMeta/WorkspaceServer/Logs
SAS Installer
Read, Write, and Execute
sas group
Read, Write, and Execute
sasv9_meta.cfg file
SAS Installer
Read and Write
All other users
no access
Note:
  • Make sure that the SAS Spawned Servers account (sassrv) is a member of the sas group, which has the necessary permissions to server configuration files and log directories.
  • You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant either the sas group or the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission on the central log destination (for example, SAS-configuration-directory/Lev1/Logs).
  • If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
  • If you enable logging for a workspace server, then you will need to grant all users of the workspace server Read, Write, and Execute permission on the log directory. (See Create a Log File for Workspace Server Troubleshooting in SAS Intelligence Platform: System Administration Guide).
  • For details about the configuration directory structure, see Overview of the Configuration Directory Structure in SAS Intelligence Platform: System Administration Guide.