The preceding figure depicts a simple case where there
is only one level of host access. You can establish multiple levels
of host access by setting up multiple servers, each with its own launch
credential. This can involve a trade off of granularity ("how many
different levels of access will I establish?") against administrative
effort ("how much server metadata will I create and manage?").
For example, the following
instructions show how you can physically isolate sensitive data that
is accessed through a logical workspace server that uses SAS token
authentication.
-
In the operating system
that hosts the SAS data:
-
Establish a separate
file system directory for each level of access. This enables you to
avoid setting host permissions on individual files. For example, to
separate HR tables, you might create an HR directory.
-
Create or identify one
service account for each level of access. For example, to provide
physical protection for HR data, you might add an hrsrv account.
Note: For servers on Windows, each
launch account must have the Windows privilege
Log on
as a batch job.
-
Set operating system
permissions so that each account has appropriate access to your SAS
data. For example, deny the general use account (sassrv) physical
access to the HR data and grant the HR account (hrsrv) physical access
to all data (including the HR data).
Note: If you want certain IT staff
to be able to access the data directly using their own accounts, preserve
that access.
-
In SAS Management Console's
User
Manager, select the SAS General Servers group, right-click,
and select the
Accounts tab. For each service
account that you created in step 1, click
New and
enter the service account credentials as an additional login for the
SAS General Servers group. Include a password in each of these logins.
For example, you might enter the HR login as follows:
DefaultAuth | WIN\hrsrv | password
Note: Each of these logins will
be directly associated with a particular server, instead of being
looked up by authentication domain. For this reason, it doesn't matter
which authentication domain you use. You can ignore any warnings about
the SAS General Servers group having multiple logins in the same authentication
domain.
Note: Users should not be members
of the SAS General Servers group. This group is for service identities
only. Users don't retrieve these credentials, so users shouldn't have
access to these logins. In a standard configuration, these logins
are available only to the privileged service identity (the SAS Trusted
User) that the spawner uses to read all server metadata.
-
In
Server
Manager, select the logical workspace server
, right-click, and select
Properties.
On the
Options tab, verify that the
Use
server access security check box and the
SAS
token authentication radio button are selected. Click
Cancel.
-
Select the logical workspace
server again, right-click, and select
Add Server.
Set up one additional server
for each level of access. All of the servers can
use the same port. For example, you might add a server named Human
Resources.
-
Beneath the logical
workspace server, complete these steps for each server
that you added:
-
Select the server, right-click,
select
Properties, and select the
Options tab.
In the
Launch credentials drop-down list,
select one of the service accounts (use a different account for each
server). For example, for the Human Resources server, you would first
select
More logins and then search for
and select the login that references the hrsrv account.
Note: In order to see this login
in the list, you need user administration capabilities.
-
On the
Authorization tab,
use the ReadMetadata permission to control who can use that server.
Be sure to preserve necessary service access.
-
Under
Server
Manager, select the object spawner
, right-click, and select
Properties.
On the object spawner's
Servers tab, add
the new servers to the
Selected Servers list.
-
To make the changes
take effect:
-
Expand the object spawner
, right-click the computer
, and select
Connect.
-
Right-click the computer
again and select
Refresh Spawner. In the
message box, click
Yes.
-
Right-click the computer
a third time and select
Disconnect.
-
To validate, expand
the logical workspace server
and select a server
. On each connection object
in the display area, right-click and select
Test
Connection. Test the connections for every other sibling
server
that you added under the logical workspace server.
If you want to also
enable power users to access data using their own accounts, set up
a separate application server
for those users. In that application server, add
a logical workspace server
that uses some form of host authentication. Even
though regular users wouldn't be able to authenticate (because they
wouldn't have host accounts for the workspace server machine), it
is a good practice to limit ReadMetadata access to the additional
application server.
You can use a similar
approach to set up multiple levels of host access for a stored process
server or a server-pooled workspace server. For multiple levels of
host access from a client-pooled workspace server, set up multiple
puddles. Always ensure that the server's host identity meets all of
the requirements for a launch credential.