Passwords

Password Policies

Each authentication provider sets password policies for accounts in that provider. For example, the password expiration policy for a host account is determined by that host.
For the SAS internal authentication provider, you can set server-level policies (in the metadata server’s omaconfig.xml file) and per-account policies (in a user’s metadata definition). See How to Change Internal Account Policies.

Client-Side Storage of Passwords

In the initial configuration, users can choose to store their credentials in their client-side connection profiles. This prepopulates the logon dialog box in desktop applications.
For most desktop applications, the SASSEC_LOCAL_PW_SAVE= option controls the availability of a check box that enables users to choose whether to store credentials locally. To prevent users from creating a local copy of their credentials, set SASSEC_LOCAL_PW_SAVE="N" (or ="0" or ="F") in the metadata server's omaconfig.xml file and restart the server.
Note: A change to the SASSEC_LOCAL_PW_SAVE= setting takes effect after the metadata server is restarted. Each client uses the previous setting for its first connection, discovers the revised metadata server setting, and conforms to that revised setting for subsequent connections. If you change the setting to disallow saved credentials, and credentials are already present in a user's connection profile, those credentials must be manually removed.
Note: For a few solutions rich clients (for example, SAS Model Manager, SAS Enterprise Miner, and SAS Forecast Studio), the ability to store credentials in client-side connection profiles is instead controlled by the Policy.AllowClientPasswordStorage property. This property is available on the Plug-ins tab in SAS Management Console (under Application Managementthen selectConfiguration Managerthen selectSAS Application Infrastructurethen selectSettingsthen selectPolicies) as the property Allow client password storage.

External Login Passwords

In most cases, the SAS copy of an external account includes only a user ID. For these cases, no password updates in metadata are necessary.
For any external passwords that are stored in the SAS metadata, updates are driven by changes that first occur in the external authentication provider. For example, if a copy of the password for an Oracle account or a host account is stored in a group login, you must maintain that copy so that it always matches the actual password. Any change to the actual password (in Oracle) must be followed by a corresponding update to the SAS copy of the password (in the group login in the SAS metadata).
You can update stored passwords in SAS Management Console. If you own logins that include passwords, you can also update those passwords in SAS Personal Login Manager. For example, to update the SAS copy of an external password in SAS Management Console, navigate to the owning user or group definition, select the Accounts tab, select a login, and click Edit.

Internal Account Passwords

Every SAS internal account has a password. By initial policy, these passwords don't expire.
To update a SAS internal password in SAS Management Console, navigate to the owning user definition, select the Accounts tab, and click Update (at the bottom of the tab). If you have your own SAS internal account, you can also update your internal password in SAS Personal Login Manager.
Tip
If repeated attempts to log on with an internal account fail, that account might be locked. See Unlock an Internal Account.

Managed Passwords

Passwords for a few service accounts require special coordination because these passwords are included in configuration files. To update these passwords, use the SAS Deployment Manager.