First-Priority Setup Tasks

Summary of First-Priority Setup Tasks

The following tasks are necessary to protect the integrity of your system. Complete these steps as soon as possible after installation, before you complete any of the other tasks that are outlined in this chapter.
First-Priority Setup Tasks

Task: Secure the SAS configuration on each server machine.

Description: For a secure deployment, the configuration directory on each server machine must be protected by operating system controls. These controls will prevent inappropriate access to repository data sets, server scripts, server logs, and configuration files.
On Windows systems, all configuration directories, files, and scripts are owned by the user who performs the installation. You must update the permissions as shown in Recommended Operating System Protections for Windows Machines. These recommendations assume that your SAS servers and spawners run as services under the Local System account.
On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate permissions. The default permissions are shown in Default Operating System Protections for UNIX and z/OS Machines.

Task: Establish a formal, regularly scheduled backup process.

Description: Establish a formal, regularly scheduled backup process that includes your metadata repositories as well as the associated physical files.
The SAS 9.3 Metadata Server includes a new server-based facility that performs metadata server backups automatically on a scheduled basis. By default, a schedule of daily backups is configured by the SAS Deployment Wizard. As a best practice, you should modify your backup configuration to specify a storage device other than the device that is used to store the metadata repositories and the server configuration files, and you should be sure to include this backup location in your regular system backups. See Backing Up and Recovering the SAS Metadata Server.
It is important to also back up the physical data that is associated with the metadata so that related information will be synchronized if a restore becomes necessary. For guidance in setting up a backup process, see Best Practices for Backing Up and Restoring Your SAS Content.

Recommended Operating System Protections for Windows Machines

On Windows server machines, we recommend that you apply the following operating system protections to your configuration directory. All of these directories are located in SAS-configuration-directory\Lev1.
Recommended Operating System Protections on Windows

| Directories | Users | Recommended Permissions |
|---|---|---|
| SAS-configuration-directory | SYSTEM and Administrators | Full Control |
| | All other users | List Folder Contents, Read |
| SAS-configuration-directory\Lev1 | SYSTEM and Administrators | Full Control |
| | SAS Spawned Servers (sassrv) | On Windows Vista, Windows 7, and Windows Server 2008: Special Permissions to read and execute [1]. On Windows XP: Read and Execute [1] |
| | All other users | List Folder Contents, Read |
| Lev1\SASApp | SYSTEM and Administrators | Full Control |
| | SAS Spawned Servers (sassrv) | Windows Vista, Windows 7, and Windows Server 2008 only: Special Permissions to read and execute [1] |
| | All other users | List Folder Contents, Read |
| Lev1 subdirectories: Documents, ReportBatch, SASMeta, Utilities, Web | SYSTEM and Administrators | Full Control |
| | All other users | List Folder Contents, Read |
| Lev1 subdirectories: ConnectSpawner, Logs, ObjectSpawner, SASApp\OLAPServer, SASMeta\MetadataServer, FrameworkServer, ShareServer | SYSTEM and Administrators | Full Control |
| | Remove all other users and groups | |
| SASApp subdirectories: PooledWorkspaceServer, StoredProcessServer | SYSTEM, Administrators | Full Control |
| | SAS Spawned Servers (sassrv) | On Windows Vista, Windows 7, and Windows Server 2008 only: Read & Execute, List Folder Contents, and Read [1] |
| | All other users | No access |
| SASApp subdirectories: PooledWorkspaceServer\Logs, StoredProcessServer\Logs | SYSTEM, Administrators, and SAS Spawned Servers (sassrv) | Full Control [1] |
| SASApp subdirectories: ConnectServer\Logs, Data\wrsdist, Data\wrstemp, PooledWorkspaceServer\sasuser, StoredProcessServer\sasuser, WorkspaceServer\Logs; SASMeta\WorkspaceServer\Logs | SYSTEM, Administrators, and SAS Spawned Servers (sassrv) | Full Control |
| sasv9_meta.cfg file | SYSTEM and Administrators | Read and Write |
| | Remove all other users and groups | |

[1] Effective with the second maintenance release for SAS 9.3, the SAS Deployment Wizard automatically sets these permissions for sassrv.
Note:
  • These recommendations assume that your SAS servers and spawners run as services under the Local System account. If servers and spawners are run under a different account, then grant that account the permissions that are recommended for SYSTEM.
  • You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination (for example, SAS-configuration-directory\Lev1\Logs).
  • If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
  • If you enable logging for a workspace server, then you will need to grant all users of the workspace server Full Control of the log directory. (See Create a Log File for Workspace Server Troubleshooting).
For details about the configuration directory structure, see Overview of the Configuration Directory Structure.

Default Operating System Protections for UNIX and z/OS Machines

The following table shows the default operating system protections that are provided automatically for configuration directories on UNIX and z/OS machines. All of these directories are located in SAS-configuration-directory/Lev1.
Default Operating System Protections on UNIX and z/OS

| Directories | Users | Default Permissions |
|---|---|---|
| SAS-configuration-directory; SAS-configuration-directory/Lev1; Lev1 subdirectories: Documents, ReportBatch, SASApp, SASMeta, Utilities, Web | SAS Installer | Read, Write, and Execute |
| | All other users | Read and Execute |
| Lev1 subdirectories: ConnectSpawner, Logs, ObjectSpawner, SASApp/OLAPServer, SASMeta/MetadataServer, FrameworkServer, ShareServer | SAS Installer | Read, Write, and Execute |
| | All other users | No access |
| SASApp subdirectories: PooledWorkspaceServer, StoredProcessServer | SAS Installer | Read, Write, and Execute |
| | sas group | Read and Execute |
| SASApp subdirectories: ConnectServer/Logs, Data/wrsdist, Data/wrstemp, PooledWorkspaceServer/Logs, PooledWorkspaceServer/sasuser, StoredProcessServer/Logs, StoredProcessServer/sasuser, WorkspaceServer/Logs; SASMeta/WorkspaceServer/Logs | SAS Installer | Read, Write, and Execute |
| | sas group | Read, Write, and Execute |
| sasv9_meta.cfg file | SAS Installer | Read and Write |
| | All other users | No access |
Note:
  • Make sure that the SAS Spawned Servers account (sassrv) is a member of the sas group, which has the necessary permissions to server configuration files and log directories.
  • You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant either the sas group or the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission on the central log destination (for example, SAS-configuration-directory/Lev1/Logs).
  • If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
  • If you enable logging for a workspace server, then you will need to grant all users of the workspace server Read, Write, and Execute permission on the log directory. (See Create a Log File for Workspace Server Troubleshooting).
  • For details about the configuration directory structure, see Overview of the Configuration Directory Structure.
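
An added example (not SAS-supplied code): a POSIX shell audit that compares a Lev1 tree with the UNIX defaults in the table above and checks the sassrv group membership from the note. It checks only the "other" permission bits and group write, searches for sasv9_meta.cfg because the table does not give its location, and assumes the configuration path contains no whitespace.

```shell
#!/bin/sh
# Added example: audit a Lev1 tree against the default UNIX protections in the table.
# Paths are relative to SAS-configuration-directory/Lev1 and come from that table.

# Directories where "All other users" should have no access.
NO_OTHER="ConnectSpawner Logs ObjectSpawner SASApp/OLAPServer \
SASMeta/MetadataServer FrameworkServer ShareServer"
# Directories the sas group may read and execute but not write.
GROUP_RX="SASApp/PooledWorkspaceServer SASApp/StoredProcessServer"

# perm_bits PATH: print the nine permission characters, e.g. rwxr-x---
perm_bits() { ls -ld "$1" | cut -c2-10; }

# in_group USER GROUP: succeed if USER is a member of GROUP
in_group() { id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"; }

# audit_lev1 LEV1_DIR: print one line per finding; exit status is the finding count
audit_lev1() {
    lev1=$1
    findings=0
    for d in $NO_OTHER; do
        [ -d "$lev1/$d" ] || continue   # component not deployed on this machine
        case $(perm_bits "$lev1/$d") in
            ??????---) ;;               # no bits set for "other"
            *) echo "FINDING: $d is accessible to other users"
               findings=$((findings + 1)) ;;
        esac
    done
    for d in $GROUP_RX; do
        [ -d "$lev1/$d" ] || continue
        case $(perm_bits "$lev1/$d") in
            ????-????) ;;               # group write bit is clear
            *) echo "FINDING: $d is writable by its group"
               findings=$((findings + 1)) ;;
        esac
    done
    # The table does not say where sasv9_meta.cfg lives, so search for it.
    for f in $(find "$lev1" -name sasv9_meta.cfg -type f 2>/dev/null); do
        case $(perm_bits "$f") in
            ??????---) ;;
            *) echo "FINDING: $f is accessible to other users"
               findings=$((findings + 1)) ;;
        esac
    done
    # Informational only: the note above asks for sassrv to be in the sas group.
    in_group sassrv sas || echo "NOTE: sassrv is not a member of the sas group"
    return "$findings"
}
```

Call it as `audit_lev1 /path/to/SAS-configuration-directory/Lev1`; a non-zero exit status is the number of deviations from the table.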