The following
table provides details about how SAS servers preserve identity.
Preservation of User Identity
|
SAS Identity for Metadata
Layer Evaluations
|
Host Identity for Host
Layer Evaluations
|
|
The SAS Trusted User.
However, user identity is preserved because this privileged service
identity impersonates each requesting user. 1
|
The server's host identity.
This affects drilling to detail if the underlying data is in SAS tables.
|
|
Each requesting user's
SAS identity. The exception is for library pre-assignment, which happens
under the server identity. 2
|
The server's host identity
(the multi-user credential).
|
Workspace server (using
any form of host authentication)
|
The SAS identity of
the server. This is the same as the SAS identity of the requesting
user or group.
|
The server's host identity
(the host identity of the requesting user or group). 3
|
Workspace server (using
SAS token authentication)
|
Each requesting user's
SAS identity.
|
The server's host identity
(the launch credential).
|
|
Each requesting user's
SAS identity.
|
The server's host identity
(the launch credential).
|
Client-pooled workspace
server
|
The SAS identity of
the server. However, SAS Web Report Studio pre-processes requests
based on each requesting user's SAS identity.
|
The server's host identity
(the puddle login).
|
1Except for retrieval of
DBMS credentials, which happens under the SAS Trusted User's identity.
This affects drilling to detail if the underlying data is in a third-party
DBMS.
|
2The requesting user isn't
known at the time that library pre-assignment happens (during server
initialization).
|
3Each server process instance
is launched on-demand and runs under the host identity of the requesting
user (or group, if authentication is via stored group logins).
|
Note: You can directly specify
which identity to use on a connection to the metadata server (for
example, with METAUSER and METAPASS). You can directly specify which
identity to use on a connection to a host (for example, by providing
explicit credentials in your code).
In the preceding table,
notice that although metadata layer evaluations are almost always
individualized (for example, "Does Joe have metadata layer permission
to see this stored process?"), physical layer evaluations are often
generalized (for example, "Does the sassrv account have host layer
permissions for this data?").
In particular, requests
from metadata-aware clients for SAS data often aren't evaluated under
the host identity of each requesting user. The host doesn't know the
user's SAS identity, so the host can't evaluate the user's operating
system permissions. Instead, the host checks the permissions of the
service account that is fetching the SAS data on behalf of the requesting
user. These service accounts are referred to as launch credentials.