Security Overview

Authentication and Identity Management Overview

Authentication is an identity verification process that attempts to determine whether users (and other entities) are who they say they are. In the simplest case, users already have accounts that are known to the metadata server's host. For example, if the metadata server is on UNIX, then users might have accounts in an LDAP provider that the UNIX host recognizes. If the metadata server is on Windows, then users might have Active Directory accounts.

For accountability, we recommend that you create an individual SAS identity for each person who uses the SAS environment. These identities enable you to make access distinctions and audit individual actions in the metadata layer. The identities also provide personal folders for each user. The metadata server maintains its own copy of each user ID for the purpose of establishing a SAS identity.

You can perform identity management tasks manually using SAS Management Console, or you can use the following batch processes:

Note: You cannot use these batch processes to manage passwords. Users can manage their own passwords with the SAS Personal Login Manager.

The metadata identity information is used by the security model's credential management and authorization features. For example, when a user logs on to SAS Data Integration Studio, the metadata server wants to know who the user is so that it can determine which libraries, stored processes, and jobs should be displayed in the desktop client. If a user makes a request in SAS Data Integration Studio to run a job against an Oracle table, the Oracle server wants to know who the user is so that it can determine whether the user has access to the data in the table.
