What's New in Security Administration in SAS 9.3

Overview

New and enhanced features in the following areas increase security and manageability:
  • auditing
  • authentication
  • authorization
  • encryption
  • user administration
  • documentation

Auditing

  • You can create audit records for additions, deletions, and updates to public objects (in the Audit.Meta.Updates.PublicObjects category). See Administering Logging for SAS Servers in SAS Intelligence Platform: System Administration Guide.
  • You can create audit records for additions, deletions, and updates to a user's contact information and external identity value (in the Audit.Meta.Security.UserAdm category). See Administering Logging for SAS Servers in SAS Intelligence Platform: System Administration Guide.

Authentication

  • In Integrated Windows authentication (IWA), support is extended to include servers on UNIX. You can use IWA from Windows desktop clients to servers on Windows and UNIX. See Integrated Windows Authentication.
  • In Integrated Windows authentication, the default service principal name (SPN) no longer includes a port value. The format is SAS/machine, where machine is the host machine’s fully qualified domain name. For example, SAS/A12345.company.com. See How to Configure Integrated Windows Authentication.
  • User IDs that include unrecognized @domain qualifiers are sent to the -primpd provider, if that option is specified. Previously, such IDs were sent to the host, regardless of whether -primpd was specified. The -primpd option is a SAS system option (PRIMARYPROVIDERDOMAIN). This minor change affects specialized configurations in which the metadata server directly uses LDAP as an authentication provider. See How to Configure Direct LDAP Authentication.
  • User IDs that include down-level domain qualifiers are examined to determine whether SAS recognizes the qualifier as an -authpd domain. If the qualifier is recognized, the submitted credentials are sent to the associated provider. Previously, such IDs were automatically sent to the host (or to the -primpd provider, if that option is specified). The -authpd option is a SAS system option (AUTHPROVIDERDOMAIN). This minor change affects specialized configurations in which the metadata server directly uses LDAP as an authentication provider. In such configurations, users can successfully log on even if they submit their user IDs in down-level format. For example, if -authpd ADIR:USA is specified in the metadata server start command, someone who logs on as USA\joe is now authenticated directly against Active Directory, regardless of whether -primpd is set. See How to Configure Direct LDAP Authentication.
  • In the initial configuration for a new deployment, the SAS Stored Process Web Application doesn’t accept PUBLIC-only users. See PUBLIC Access and Anonymous Access.
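The -authpd and -primpd routing rules from the two items above, modeled as an added Python example (not SAS code): a recognized domain qualifier in either user@domain or down-level DOMAIN\user form goes to the associated -authpd provider, and an unrecognized qualifier goes to the -primpd provider when that option is set, otherwise to the host. Assumptions not stated on the page: -primpd names a domain that is itself defined by an -authpd entry, domain names compare case-insensitively, and an unqualified ID follows the same path as an unrecognized qualifier.

```python
# Illustrative model of how a SAS 9.3 metadata server chooses the
# authentication provider for a submitted user ID (-authpd / -primpd rules).
# Written for this page; not SAS code and not a SAS API.
from dataclasses import dataclass, field
from typing import Dict, Optional

HOST = "host"  # the host operating system's authentication


def parse_authpd(specs):
    """Parse -authpd values of the form PROVIDER:DOMAIN, e.g. 'ADIR:USA'."""
    table = {}
    for spec in specs:
        provider, _, domain = spec.partition(":")
        if not provider or not domain:
            raise ValueError(f"bad -authpd specification: {spec!r}")
        table[domain.upper()] = provider  # assumption: case-insensitive domains
    return table


@dataclass
class ProviderConfig:
    authpd: Dict[str, str] = field(default_factory=dict)  # domain -> provider
    primpd: Optional[str] = None  # -primpd domain name, None if not specified

    def __post_init__(self):
        # assumption: the -primpd domain must be defined by an -authpd entry
        if self.primpd is not None and self.primpd.upper() not in self.authpd:
            raise ValueError("-primpd must name a domain defined by -authpd")


def split_user_id(user_id):
    """Return (user, domain) for 'joe', 'joe@USA' or 'USA\\joe' (down-level)."""
    if "\\" in user_id:
        domain, user = user_id.split("\\", 1)
        return user, domain
    if "@" in user_id:
        user, domain = user_id.rsplit("@", 1)
        return user, domain
    return user_id, None


def route(user_id, cfg):
    """Name the provider that receives the credentials for user_id."""
    _, domain = split_user_id(user_id)
    if domain is not None and domain.upper() in cfg.authpd:
        return cfg.authpd[domain.upper()]       # recognized -authpd domain
    if cfg.primpd is not None:                  # unrecognized (or no) qualifier
        return cfg.authpd[cfg.primpd.upper()]   # goes to the -primpd provider
    return HOST                                 # no -primpd: host authentication
```

With `-authpd ADIR:USA` and no -primpd, `route("USA\\joe", cfg)` returns "ADIR", matching the page's example, while `route("joe@OTHER", cfg)` falls through to the host.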

Authorization

  • You can use a new type of public object, the OLAP shared dimension, to help centralize access control. You define and secure a shared dimension once, and then include it in multiple cubes. Each shared dimension inherits effective permissions from its parent folder (not from the cubes that include it). See Object Inheritance and Working with SAS OLAP Shared Dimensions.
  • In metadata promotion, you can import and export access control templates (ACTs). See Promotion Details for Specific Object Types in SAS Intelligence Platform: System Administration Guide.
  • In SAS Management Console, you can find ACTs by searching or by navigating on the Folders tab.
  • In authorization reporting, if you use the MEMBERTYPES option, folders are included only if you explicitly specify them. See Overview of Authorization Reporting.
  • In authorization reporting, new options enable you to specify whether to include columns (when a table is returned) and cube components (when a cube is returned). See INCLUDETABLECOMPONENTS and INCLUDECUBECOMPONENTS in %MDSECDS.
  • In the authorization display for a SAS Application Server, the CheckInMetadata permission is listed. This helps to clarify the ability of change-managed users to associate objects (such as library definitions) to the server. Change management is an optional feature that is supported only for SAS Data Integration Studio. See the SAS Intelligence Platform: Desktop Application Administration Guide.

Encryption

  • In direct LDAP authentication, you can use LDAPS for direct connections between the metadata server and the LDAP server. This new feature is applicable in a specialized configuration in which the metadata server directly uses LDAP as an authentication provider. See How to Configure SSL between the Metadata Server and an LDAP Server.
  • In Secure Sockets Layer (SSL) configuration, you can exchange OpenSSL libraries. See Installing and Configuring SSL under UNIX in Encryption in SAS.
  • If you have SAS/SECURE, you can use SHA-256 hashing for SAS internal account passwords that are stored in the SAS metadata. New deployments that include SAS/SECURE use SHA-256 by default. A new metadata server option enables you to alter the default. See HashPasswords="SHA256 | MD5".
  • If you have SAS/SECURE, you can force it to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 specification. This feature can be enabled during installation, and is configured through a new SAS system option (ENCRYPTFIPS). See SAS/SECURE FIPS 140-2 Compliant Installation and Configuration in Encryption in SAS.

User Administration

  • In interfaces such as SAS Management Console and SAS Personal Login Manager, when you connect to a 9.3 metadata server, the Logins table displays a blank cell if no password is stored. When you connect to a 9.2 metadata server, empty password values are still displayed as eight asterisks.
  • In metadata promotion, you can import and export users, groups, roles, and authentication domains. See Promotion Details for Specific Object Types in SAS Intelligence Platform: System Administration Guide.
  • In SAS Management Console, you can find users, groups, and roles by searching or by navigating on the Folders tab.
  • In user bulk load and synchronization, the Active Directory sample code includes a check to prevent a synchronization that would delete all identities. See About the Sample Code for Active Directory.

Documentation Changes