Create a Restricted Workspace Server

  1. In the host layer, create directories and a configuration file:
    1. In your equivalent of SAS-configuration-directory\SASApp, create a directory called RestrictedPool and a subdirectory (below RestrictedPool) called logs.
    2. In the RestrictedPool directory, create a configuration file to be used when the restricted workspace server is started.
      • On Windows, create a file named sasv9.cfg with the following content: 
        -config "SAS-configuration-directory\SASApp\sasv9.cfg"
      • On UNIX, create a file named workspaceServer.cfg with the following content: 
        -config !SASROOT/sasv9.cfg
-config sasv9.cfg
  2. Decide how the restricted workspace server will connect to the metadata server. Choose one of the following approaches:
    • Use trusted peer connections, which the metadata server accepts without requiring credentials. In the initial configuration, the metadata server accepts trusted peer connections from all user IDs and machines, so no special configuration is required. See the Trusted Peer Connections in SAS Intelligence Platform: Security Administration Guide.
      Note: In this approach, the restricted server’s processes that are initiated from SAS Web Report Studio run under the rpoolsrv identity, and the restricted server’s processes that are initiated from a desktop application run under the requesting users’s identity. The Restricted Puddle Login Group and any allowed individual desktop users must have access to any external DBMS credentials.
    • Use credential-based connections, where the workspace server provides a user ID and password that are stored in its configuration file. In this approach, you add the METAUSER and METAPASS options to the configuration file that you created in step 1b. For example: 
      -metauser "rpoolsrv"
-metapass "encrypted-rpoolsrv-password"
      CAUTION:
      With this approach, it is essential to provide host protection of the configuration file for the restricted workspace server (because it contains privileged credentials).
      Tip
      On Windows, qualify the user ID (for example, WIN\rpoolsrv).
      Tip
      Encrypt the password using the PWENCODE procedure. See PWENCODE Procedure in Encryption in SAS.
      Tip
      If you change the rpoolsrv account password, you must also manually update the password in this configuration file.
      Note: In this approach, all of the restricted server’s processes are launched under the rpoolsrv identity. Only the Restricted Puddle Login Group needs access to any DBMS credentials.
  3. In the metadata, define the restricted server.
    1. On the Plug-ins tab of SAS Management Console, right-click Server Manager and select New Server.
    2. In the New Server wizard, select Resource Templatesthen selectServersthen selectSAS Application Server.
      Note: The restricted workspace server must be in its own dedicated SAS Application Server.
      Click Next.
    3. Enter the name RestrictedPool.
      Click Next.
    4. Accept the default version and vendor information.
      Click Next.
    5. Select Workspace Server.
      Click Next.
    6. Select the Custom radio button.
      Click Next.
    7. Enter a value in the Command box as follows:
      For a workspace server on Windows:
      sas -config "SAS-configuration-directory\SASApp\RestrictedPool\sasv9.cfg"
      For a workspace server on UNIX:
      SAS-configuration-directory/SASApp/sas.sh
-config RestrictedPool/workspaceServer.cfg
      Click Next.
    8. Specify the following values:
      Authentication domain
      Select the authentication domain of your existing, general-purpose workspace server. Usually, this is DefaultAuth.
      Bridge port
      Change the default value (8591) to an unassigned port value (such as 9591).
      Click Next.
    9. Click Finish.
  4. Tell the object spawner about the restricted server.
    1. Under Server Manager, right-click the object spawner, and select Properties.
    2. On the Servers tab, move RestrictedPool - Workspace Server to the Selected servers list. Click OK.
    3. Restart the object spawner.
  5. Test the connection to the restricted server.
    1. Under Server Manager, expand the RestrictedPool application server and the RestrictedPool - Logical Workspace Server. Select the RestrictedPool - Workspace Server.
    2. In the right pane, right-click the connection icon and select Test Connection.
      Note: If you are logged on with an internal account (an account that has the @saspw suffix), you are prompted for credentials. Enter the credentials for a user that has an external account, an individual metadata identity, and (on Windows) the Log on as a batch job Windows privilege.
      Tip
      If the connection fails, select Filethen selectClear Credentials Cache from the main menu and try again. You can also check the log files for the object spawner and the workspace server and make sure the contents of the configuration file in the RestrictedPool directory are correct.
  6. Configure the restricted server to support client-side pooling.
    1. Right-click the RestrictedPool - Logical Workspace Server and select Convert Tothen selectPooling. In the message box, click Yes.
    2. In the Pooling Options dialog box, click New.
    3. In the New Puddle dialog box, provide values as follows:
      Field
      Value
      Name
      restrictedPoolPuddle
      Minimum available servers
      0
      Minimum number of servers
      0
      Login
      rpoolsrv
      Grant access to group
      Restricted Puddle Access Group
      Click OK.
    4. Click OK in the Pooling Options dialog box.
Note: For more information about client-side pooling, see the SAS Intelligence Platform: Application Server Administration Guide.
Copyright © SAS Institute Inc. All rights reserved.