For accountability, we recommend that you create an individual SAS identity for each person who uses the SAS environment. This enables you to make access distinctions and audit individual actions in the metadata layer. This also provides a personal folder for each user. To create a SAS identity for someone, store a copy of the person's user ID in the SAS metadata.

Each user should have at least the following attributes:
- a name that is unique among users within the metadata server.
- a login that includes the user's external account ID. This might be any type of account that is known to the metadata server's host (an LDAP, Active Directory, host, or other type of account).
  Note: If your site uses Web authentication, you might assign logins to a different authentication domain.

Here are some details and tips:
- If the workspace server is on Windows, give anyone who accesses that server using credential-based host authentication the Windows privilege Log on as a batch job.
- As an alternative to adding users interactively, you can batch import users from a provider such as LDAP into the SAS metadata.
- The metadata server maintains its own copy of each ID, but doesn't keep copies of passwords for identification purposes.
- Registered users automatically belong to PUBLIC (everyone who can access the metadata server) and SASUSERS (those members of PUBLIC who have a well-formed user definition).
- A user who doesn't have a well-formed definition has only the PUBLIC identity. In the standard configuration, a PUBLIC-only user can't access any resources. Not all applications allow a PUBLIC-only user to log on.
- Authorization settings within a user definition do not determine what that user can do. Those settings affect the ability of other users to update or delete that user definition.