If you choose to limit the availability of a server, preserve access as follows:

- Make sure that the SAS System Services group has ReadMetadata permission for server metadata. This enables the SAS Trusted User to see server definitions. This is necessary because the object spawner uses the SAS Trusted User to discover and read all server metadata.

  Note: Users should not be members of the SAS System Services group. This group is for service identities. In the standard configuration, the only member of this group is the SAS Trusted User.

- Make sure that the SAS General Servers group has ReadMetadata permission for server metadata. This enables the metadata identity of the launched server to see the server definition. This is a requirement for stored process servers and pooled workspace servers. This isn't a requirement for standard workspace servers.

  Note: Users should not be members of the SAS General Servers group. This group is for service identities. In the standard configuration, the only member of this group is the SAS Trusted User.

- Metadata administrators should have ReadMetadata permission for all server metadata.

- Any user who will use a particular server needs ReadMetadata permission for that server, with the following exceptions:

  - The requirement for ReadMetadata permission doesn't apply to requests to use a client-side pooled workspace server. A user can use a client-side pooled workspace server even if that user can't see that server definition.

  - The requirement for ReadMetadata permission isn't enforced if the Use Server Access Security check box on a logical server's Options tab is present and not selected. This check box should always be selected.

To efficiently set the permissions, create an ACT that includes the baseline grants and denials that you would use when you hide any server. To enable selected users to use a particular server, supplement the ACT settings with an explicit grant of ReadMetadata permission on that server.

For example, the following table summarizes settings that you might add to provide mutually exclusive access to two server components beneath a standard workspace server that is configured for SAS token authentication:

Example: Hiding Server Definitions

| Server Component | ACT | Direct Controls¹ |
|---|---|---|
| SASApp - ServerA | HideServer | GroupA: +RM |
| SASApp - ServerB | HideServer | GroupB: +RM |

¹ The direct controls in this example don't determine which of the users who can see the server can also update or delete the server. See Protect Server Definitions.

Someone who has ReadMetadata permission for both ServerA and ServerB (for example, a member of the SAS Administrators group) uses the first server in the object spawner's list of servers.
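
The table's settings and the first-server behavior described above, modeled as an added example (not SAS code and not part of the original documentation). It assumes that the HideServer ACT denies ReadMetadata to PUBLIC and uses a simplified precedence rule; all function and field names are hypothetical.

```python
# Added example: simplified model of this page's settings, not SAS code.
RM_REQUIRED = {"SAS System Services", "SAS Administrators"}  # needed on every server
RM_LAUNCHED = "SAS General Servers"  # also needed: stored process / pooled workspace

# Assumption: the HideServer ACT denies ReadMetadata (RM) to PUBLIC and grants it
# to the service and administrator groups; the page does not list its contents.
HIDE_SERVER = {"PUBLIC": False, "SAS System Services": True,
               "SAS General Servers": True, "SAS Administrators": True}

def server(name, kind, explicit, act=HIDE_SERVER, access_security=True):
    # Explicit controls on the object supplement the ACT settings.
    return {"name": name, "kind": kind, "settings": {**act, **explicit},
            "access_security": access_security}

# Object spawner's list, in order, using the table's two server components.
SPAWNER_LIST = [
    server("SASApp - ServerA", "workspace", {"GroupA": True}),
    server("SASApp - ServerB", "workspace", {"GroupB": True}),
]

def can_read(srv, groups):
    """Simplified evaluation (assumption): a setting for a named group outranks
    the PUBLIC setting, and a denial among the named groups wins."""
    if not srv["access_security"]:
        return True  # check box present and not selected: requirement not enforced
    named = [srv["settings"][g] for g in groups
             if g in srv["settings"] and g != "PUBLIC"]
    return all(named) if named else srv["settings"].get("PUBLIC", False)

def server_used(groups, servers=SPAWNER_LIST):
    """Name of the first server in the spawner's list that the identity can see."""
    return next((s["name"] for s in servers if can_read(s, groups)), None)

def audit(srv):
    """Findings where the access-preservation checklist above is not met."""
    need = set(RM_REQUIRED)
    if srv["kind"] in ("stored process", "pooled workspace"):
        need.add(RM_LAUNCHED)
    findings = [f"{g} lacks ReadMetadata" for g in sorted(need)
                if not srv["settings"].get(g, False)]
    if not srv["access_security"]:
        findings.append("Use Server Access Security is not selected")
    return findings
```

Running `audit` over each planned server definition before applying the settings shows whether a service identity would lose visibility. `server_used` shows which server an identity with access to both components lands on.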