Implementing Authorization for the SAS Content Server

Overview of SAS Content Server Authorization

SAS users and groups are defined in a SAS Metadata Repository. The SAS Web Administration Console enables you to specify which users or groups are authorized to access specific folders in the SAS Content Server repository, and what type of access permissions they have for the folders.
Use the SAS Web Administration Console to create folders and associate access controls with the folders.
Note: This topic does not describe authentication for the SAS Content Server. By default, SAS Content Server users are authenticated by using SAS token authentication.
Before you can associate access controls with a folder, you must complete these tasks:
  1. Use the SAS Web Administration Console to create the folder on the SAS Content Server.
  2. Ensure that the appropriate user and group definitions exist on the SAS Metadata Server for the SAS Content Server users and groups for whom you want to control access to the folder.
After you have created the WebDAV folders and have ensured that the appropriate user and group definitions are created on the SAS Metadata Server, use the SAS Web Administration Console to associate access controls with the folders.

Example Scenario: SAS Content Server Authorization

Within your portal implementation, you might use the publish and subscribe capabilities to publish (write) and subscribe to (read) group folders on a WebDAV publication channel.
The following scenario shows the application's publish and subscribe setup for sales and executive teams that need different access to read (subscribe to) and write (publish) information that is stored in three different directories on the SAS Content Server. On the SAS Metadata Server, these teams are represented by two groups, Americas Sales and Sales Executives.
This publish and subscribe scenario has a requirement for three different content areas, or group folders, on the SAS Content Server:
  • Catalog Sales: The /sasdav/Catalog Sales directory contains catalog sales information. The Americas Sales and Sales Executives groups can both read (subscribe to) and write (publish) information.
  • Field Sales: The /sasdav/Field Sales directory contains direct sales information. The Americas Sales and Sales Executives groups can both read, but only the Sales Executives group can write information.
  • Sales Execs: The /sasdav/Sales Execs directory contains executive-level sales information. Only the Sales Executives group can read and write information.
The following table summarizes this scenario's group-based folders on the SAS Content Server, and the permissions for each group:
Summary of WebDAV Folders on the SAS Content Server

| Folder                | Americas Sales | Sales Executives |
|-----------------------|----------------|------------------|
| /sasdav/Catalog Sales | Read, Write    | Read, Write      |
| /sasdav/Field Sales   | Read           | Read, Write      |
| /sasdav/Sales Execs   | (none)         | Read, Write      |

To create this sample configuration, follow these steps:
  1. In SAS Management Console, define the users, groups, and login credentials that need to access the SAS Content Server. When you define login credentials, you must specify the same authentication domain name that you specified for the SAS Content Server during installation.
    For this example, the following users, groups, and logins are defined:
    Example Users, Groups, and Logins

    | Group Metadata Identities | User Metadata Identities | User ID   | Authentication Domain |
    |---------------------------|--------------------------|-----------|-----------------------|
    | Americas Sales            | salesusr1                | salesusr1 | DefaultAuth           |
    | Sales Executives          | execusr1                 | execusr1  | DefaultAuth           |
    | SAS Trusted User          | sastrust                 | sastrust  | DefaultAuth           |

    For example, the Americas Sales group contains a user named salesusr1 as a member, and salesusr1 has an associated login with a user ID of salesusr1 and an authentication domain of DefaultAuth. The Americas Sales group might include other members as well.
  2. In the SAS Web Administration Console, create your new directory under the sasdav directory. For this example, navigate to the sasdav directory, and then create these three subdirectories: Catalog Sales, Field Sales, and Sales Execs.
  3. In the SAS Web Administration Console, configure the access permissions for the folders that you created. For this example, set the access permissions for each subdirectory, using the following tables as guides:
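WebDAV Permissions for /sasdav/Catalog Sales

| Group            | Read | Write | Delete | Inherit Read | Inherit Write | Inherit Delete |
|------------------|------|-------|--------|--------------|---------------|----------------|
| Americas Sales   | Yes  | Yes   | No     | Yes          | Yes           | No             |
| Sales Executives | Yes  | Yes   | No     | Yes          | Yes           | No             |
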
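WebDAV Permissions for /sasdav/Field Sales

| Group            | Read | Write | Delete | Inherit Read | Inherit Write | Inherit Delete |
|------------------|------|-------|--------|--------------|---------------|----------------|
| Americas Sales   | Yes  | No    | No     | Yes          | No            | No             |
| Sales Executives | Yes  | Yes   | No     | Yes          | Yes           | No             |
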
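WebDAV Permissions for /sasdav/Sales Execs

| Group            | Read | Write | Delete | Inherit Read | Inherit Write | Inherit Delete |
|------------------|------|-------|--------|--------------|---------------|----------------|
| Americas Sales   | No   | No    | No     | No           | No            | No             |
| Sales Executives | Yes  | Yes   | No     | Yes          | Yes           | No             |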
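
Added example (not part of the SAS documentation): a Python check that compares the three per-folder permission tables with the intended access in the summary table and reports any deviation, which is useful when reviewing the configuration after it has been entered in the console. The function names, the treatment of a missing entry as no access, and the rule that an inherit flag should not be set without its direct flag are assumptions made for this illustration.

```python
# Added example: audit configured WebDAV ACLs against the intended policy.
# Data is transcribed from this page's tables; function names are hypothetical.
FLAGS = ("read", "write", "delete", "inherit_read", "inherit_write", "inherit_delete")

# Intended access per folder and group (summary table).
POLICY = {
    "/sasdav/Catalog Sales": {"Americas Sales": {"read", "write"}, "Sales Executives": {"read", "write"}},
    "/sasdav/Field Sales": {"Americas Sales": {"read"}, "Sales Executives": {"read", "write"}},
    "/sasdav/Sales Execs": {"Americas Sales": set(), "Sales Executives": {"read", "write"}},
}

def row(bits):
    """Turn a 'YYNYYN' string (table column order) into a flag dict."""
    return {f: b == "Y" for f, b in zip(FLAGS, bits)}

# Configured permissions (the three per-folder permission tables).
ACLS = {
    "/sasdav/Catalog Sales": {"Americas Sales": row("YYNYYN"), "Sales Executives": row("YYNYYN")},
    "/sasdav/Field Sales": {"Americas Sales": row("YNNYNN"), "Sales Executives": row("YYNYYN")},
    "/sasdav/Sales Execs": {"Americas Sales": row("NNNNNN"), "Sales Executives": row("YYNYYN")},
}

def audit(acls, policy):
    """Return sorted findings where a configured ACL deviates from the policy."""
    findings = []
    for folder, groups in acls.items():
        for group, acl in groups.items():
            if group not in policy.get(folder, {}):
                findings.append(f"{folder}: {group} has an ACL entry but is not in the policy")
                continue
            allowed = policy[folder][group]
            for perm in ("read", "write", "delete"):
                if acl[perm] != (perm in allowed):
                    findings.append(f"{folder}: {group} {perm} is {acl[perm]}, policy says {perm in allowed}")
                # Assumption: an inherit flag without the direct flag widens access on child items.
                if acl["inherit_" + perm] and not acl[perm]:
                    findings.append(f"{folder}: {group} inherit_{perm} set without {perm}")
        # Assumption: a group with no ACL entry has no access, so only missing grants are reported.
        for group in policy.get(folder, {}).keys() - groups.keys():
            if policy[folder][group]:
                findings.append(f"{folder}: {group} missing from ACL")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(ACLS, POLICY) or ["configured ACLs match the intended policy"]:
        print(line)
```

With the values from this page the audit returns no findings; changing a single cell, such as Inherit Write for Americas Sales on /sasdav/Field Sales, produces one finding that names the folder, group, and flag.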