Permissions on Servers |
Initially, all registered users can use almost all servers. In general, the SASUSERS group has the ReadMetadata permission on all server metadata.
Note: The logical workspace server within the SASMeta application server has limited availability. This avoids the potentially confusing situation in which a regular user is offered the SASMeta server context in applications such as SAS Enterprise Guide. SASMeta should be used only as instructed in a few specialized administrative tasks.
These initial settings are appropriate until you want to allow only certain users to use certain servers. Here are some reasons why you might choose to limit use of a server:
to create different levels of host access from a particular server component , logical server , or application server . This is one part of the configuration.
to direct high priority users to a server on hardware that offers superior performance.
to direct power users to a server with settings that offer advanced options.
to enable users in SAS Information Map Studio to use a standard workspace server even when a logical pooled workspace server is present.
If you choose to limit use of a server, preserve access as follows:
Make sure that the SAS System Services group has ReadMetadata permission for server metadata. This enables the SAS Trusted User to see server definitions. This is necessary because the object spawner uses the SAS Trusted User to discover and read all server metadata.
Note: Users should not be members of the SAS System Services group. This group is for service identities. In the standard configuration, the only member of this group is the SAS Trusted User.
Make sure that the SAS General Servers group has ReadMetadata permission for server metadata. This enables the metadata identity of the launched server to see the server definition. This is a requirement for stored process servers and pooled workspace servers. This isn't a requirement for standard workspace servers.
Note: Users should not be members of the SAS General Servers group. This group is for service identities. In the standard configuration, the only member of this group is the SAS Trusted User.
In general, the SAS Administrators group should have ReadMetadata permission for all server metadata.
In order to use a server-side pooled workspace server, a user must have the ReadMetadata permission for that server and for a standard logical workspace server definition within the same application server. An application server that contains only a server-side pooled workspace server is not accessible to users through SAS clients.
Any user who will use a particular server needs ReadMetadata permission for that server, with these exceptions:
The requirement for ReadMetadata permission doesn't apply to requests to use a client-side pooled workspace server. A user can use a client-side pooled workspace server even if that user can't see that server definition.
The requirement for ReadMetadata permission isn't enforced if the Use Server Access Security check box on a logical server's Options tab is present and not selected. This check box should always be selected.
To efficiently set the permissions, create an access control template (ACT) that includes the core grants and denials that you would use when you hide any server. To enable selected users to use a particular server, supplement the ACT settings with a grant of ReadMetadata permission on that server. The following instructions explain one way you can set these permissions:
Log on to SAS Management Console as a member of the SAS Administrators group (for example, sasadm@saspw). Select the Plug-ins tab.
(Optional) To examine the current settings:
Expand Server Manager, right-click the server or server component that you are limiting use of and select Properties.
On the Authorization tab, select SASUSERS. Notice that this group (which includes all registered users) has ReadMetadata permission. The application server inherits the grant from the standard repository-level settings. Click OK to close the dialog box.
To create the ACT:
Expand Authorization Manager , right-click Access Control Templates, and select New Access Control Template.
On the General tab, enter a name such as HideServer.
On the Permission Pattern tab, define general settings for hiding servers:
Click Add. In the Add Users and Groups dialog box, clear the Show Users check box. Move PUBLIC, SAS Administrators, SAS General Servers, and SAS System Services to the Selected Identities list box and click OK.
On the Permission Pattern tab:
Select PUBLIC and add a denial of ReadMetadata permission.
Make sure that the other three groups each have a grant of ReadMetadata permission.
Group | Permission Pattern1 | |
---|---|---|
PUBLIC | Denial | ReadMetadata |
SAS Administrators | Grant | ReadMetadata |
SAS General Servers | Grant | ReadMetadata |
SAS System Services | Grant | ReadMetadata |
1 Gives SAS Administrators and service identities exclusive read access to metadata. |
This pattern, when applied to a standard workspace server, grants a little more access than is strictly necessary. For a standard workspace server, the SAS General Servers group doesn't need ReadMetadata permission. If you want to avoid this, consider omitting the SAS General Servers group from this ACT and remembering to add an explicit grant for this group when you are hiding a stored process server or pooled workspace server.
On the Authorization tab, protect the ACT that you are creating. Either apply the Protect ACT or add explicit settings that deny WriteMetadata permission to PUBLIC and grant WriteMetadata permission to the SAS Administrators group.
Note: If the Users and Groups list box on the ACT's Authorization tab is empty, click OK to save the ACT. Then, right-click the new ACT, select Properties, and select the Authorization tab again.
Click OK.
(Optional) If you don't already have a group that represents the users who will use the server, create a new custom group.
Right-click User Manager and select New Group.
On the General tab, enter a name such as GroupA.
On the Members tab, move users (or groups) to the Selected Identities list box.
Click OK to save the new group. You will grant ReadMetadata permission to this group in step 5c. This group doesn't participate in the general pattern because this group doesn't need ReadMetadata permission on all servers.
Note: As an alternative to creating a group for only this purpose, you can skip this step and instead assign the permissions directly to specific users in step 5c.
To set the permissions:
Under Server Manager, right-click the server that you are limiting use of and select Properties.
On the Authorization tab, click Access Control Templates. In the Add and Remove Access Control Templates dialog box, move the HideServer ACT to the Currently Using list box (you have to expand the Foundation node to get to the ACT). Click OK to return to the Authorization tab.
Note: If the Currently Using list already includes another ACT (such as the Protect ACT), don't remove that assignment.
Note: Review the revised settings. Notice that SASUSERS is now denied ReadMetadata permission and that PUBLIC and SAS Administrators have some green settings . The green settings come from the HideServer ACT.
Click Add, add one or more identities to the Authorization tab, and give each of those identities an explicit grant of ReadMetadata permission. For example, you might assign the grant to a group (such as GroupA) or to individual users.
Click OK to save the settings for this object.
For example, the following table summarizes settings that you might add to provide mutually exclusive access to two server components beneath a standard workspace server that is configured for SAS token authentication:
Object | Added Settings1 | |
---|---|---|
ACT | Supplemental Grants | |
SASApp - ServerA | HideServer | GroupA: +RM |
SASApp - ServerB | HideServer | GroupB: +RM |
1 These settings don't determine which of the users who can see the server can also update or delete the server. See the preceding topic, "Protecting Server Definitions." |
Note: Someone who has ReadMetadata permission for both ServerA and ServerB (for example, members of the SAS Administrators group) uses the first server in the object spawner's list of servers.
If you are limiting use of a logical server or server component, ensure that the Use Server Access Security check box on the logical server's Options tab is selected. If the check box is present and not selected, requirements for ReadMetadata permission for that server and its components are not enforced. This option affects only enforcement of the ReadMetadata permission.
Note: User access to a client-pooled workspace server is determined by the user's puddle group memberships, not by permissions on the server definition.
See Also
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.