In general, only users who can authenticate and who have a well-formed
user definition should use a SAS deployment. However, in order to
accommodate scenarios where more general access is desired, the following
specialized configurations are supported:
- PUBLIC access enables unregistered users to participate if they can authenticate to the metadata server (directly or through a trust mechanism). Unregistered users are referred to as PUBLIC-only users because their only SAS identity is that of the PUBLIC group. A PUBLIC-only user has the logins, permissions, and capabilities of the PUBLIC group. A PUBLIC-only user can't belong to any other groups, or have any personal logins, or have any specialized (individual) access controls. Not all applications allow a PUBLIC-only user to log on.
- Anonymous access enables unregistered users to participate without authenticating to the SAS environment. Anonymous access is an optional configuration that is available for only a few applications. Anonymous access is supported only with SAS authentication; anonymous access is not compatible with Web authentication. Anonymous access is supported as follows:
  - For SAS BI Web Services and the SAS Stored Process Web Application, a user who connects through anonymous access uses the SAS Anonymous Web User identity. This is a service identity that functions as a surrogate for users who connect without supplying credentials. See "Using the SAS Anonymous Web User with SAS Authentication" in SAS Intelligence Platform: Middle-Tier Administration Guide.
  - For the SAS Information Delivery Portal, a user who connects through anonymous access uses the Unchallenged Access User identity. This is a service identity that functions as a surrogate for users who connect without supplying credentials. See "Enabling Unchallenged Portal Access" in SAS Intelligence Platform: Web Application Administration Guide.

PUBLIC access and anonymous access differ in the following ways:
- In PUBLIC access, each participating user must authenticate. In anonymous access, participating connections don't require user authentication.
- In PUBLIC access, participating users share the PUBLIC group identity. In anonymous access, participating connections share a designated service identity (the surrogate identity is always a member of both the SASUSERS group and the PUBLIC group).
- You can choose to provide wide support for PUBLIC access. You can't extend support for anonymous access beyond the specific applications that can be configured to use it.

CAUTION: If you choose to offer PUBLIC or anonymous access, you risk users seeing more data and content than you might expect. Carefully review and manage access control for the PUBLIC group. If you offer anonymous access, carefully review and manage access control for your surrogate service identity too.