Checklist for a More Secure Deployment

Introduction

Use this appendix to verify that security issues are being addressed as appropriate for your environment and goals. Not all measures are relevant in all deployments. It is good practice to review your security configuration periodically.

General Measures

Metadata Layer Measures

  • Limit the WriteMetadata permission on servers. See Protect Server Definitions.
  • Limit the WriteMetadata permission on ACTs. In general, only the SAS Administrators group has a grant of the WriteMetadata permission on the Authorization tab of an ACT.
  • Limit the WriteMetadata permission on custom folders. To reduce the chance of inadvertent or deliberate changes to a custom folder, grant WriteMemberMetadata (instead of WriteMetadata) to users who should contribute only content. See WriteMetadata and WriteMemberMetadata.
  • Review the WriteMetadata permission on OLAP schemas and libraries. To prevent someone from adding cubes to an OLAP schema or tables to a library, set denials of the WriteMetadata permission on the schema or library. Remember to preserve access for administrators as appropriate.
  • Review the permission pattern of the predefined ACTs. See Permission Patterns of Selected ACTs.
  • Review who has privileged user status from metadata memberships. See Distribution of Selected Privileges.
  • Review who has privileged user status from the adminUsers.txt file. See User IDs in Configuration Files That Convey Privileged Status.
  • Consider reducing WriteMetadata access to the user definitions for any unrestricted users. This prevents restricted user administrators from updating an unrestricted user's definition and then logging on as that unrestricted user. To add this protection, access the Authorization tab of each unrestricted user and add an explicit denial of the WriteMetadata permission for PUBLIC.
  • Consider tracking changes to metadata layer permissions and ACTs. See Security Report Macros and Auditing of Security Events.
  • Consider limiting the locations from which SAS Web Report Studio uses information maps. See Limit the Availability of Relational Information Maps That Implement Row-Level Security in SAS Intelligence Platform: Web Application Administration Guide.

Enhanced Protections for Passwords