Administering Portal Authorization |
About Unchallenged Portal Access |
Effective with SAS Information Delivery Portal 4.3, you can choose to enable unchallenged access to the portal. When unchallenged access is enabled, users can access the portal and interact with selected content without providing a user ID and password. The option is similar to the Public Kiosk feature in the SAS 9.1.3 release of the SAS Information Delivery Portal.
After you have enabled unchallenged access, users can access the portal by entering the URL http://host-name/SASPortal/public. When the SAS Information Delivery Portal Web application receives this request, it does not display a logon page. Instead, it creates a user session with the identity of a special user that you set up specifically for this purpose, referred to here as the Unchallenged Access User. The user is then able to view and interact with any portal pages and content that the Unchallenged Access User is authorized to access.
The user interface that is presented to unchallenged users differs from the regular portal user interface in the following ways:
The Options and Customize menus do not appear in the banner.
The Search link is displayed in the banner by default. You can choose to omit this link when you configure unchallenged access.
The Log Off link is displayed in the banner by default. When you configure the portal for unchallenged access, you can choose to either omit this link or replace it with the Log On link.
Select Log Out (or close the browser window) to close the portal session and free system resources.
Leave the portal session open, and allow the session to close at the end of the time-out period.
Select Log On to access the portal as a regular portal user, if this link appears in the banner and if the user is registered in metadata. Registered users can also log on by using the regular portal URL (for example, http://host-name/SASPortal) to access the logon page.
When implementing unchallenged access, SAS administrators must be aware of important security considerations, including precautions to take to ensure that content is not inadvertently exposed to the unchallenged user. These security considerations are described in the next topic.
Note: Unchallenged portal access is supported only with SAS authentication. It is not compatible with Web authentication.
Security Considerations for Implementing Unchallenged Portal Access |
The SAS Web Infrastructure Platform provides a common security architecture that is used by all SAS Web applications. The cornerstones of this security architecture are (1) prompting users for credentials and (2) routing requests through Web application filters that validate the user's security token before allowing access to content. When unchallenged access is enabled, the first of these cornerstones is removed. Therefore, you should enable unchallenged access only if your requirements cannot be met through other methods.
The unchallenged access feature is specific to the SAS Information Delivery Portal. Other SAS Web applications cannot distinguish unchallenged users from registered users who log on by entering a user ID and password. For example, if an unchallenged user selects a report in the portal, and SAS Web Report Studio opens to display the report, then SAS Web Report Studio treats the user the same as if the user had entered a user ID and password in SAS Logon Manager. It is important to apply this knowledge when you are determining the type of content to surface to unchallenged users.
When unchallenged access is enabled, the SAS administrator assumes a larger share of the burden for ensuring the security of data. As an administrator, you must thoroughly review the content that is to be surfaced, understand how the content uses SAS servers, and make sure that the content and its behavior are appropriate for unchallenged users. In addition to the SAS Information Delivery Portal, these security considerations also apply to SAS solutions that use the portal architecture.
When unchallenged portal access is enabled, the administrator must ensure that any content that needs to be secured is inaccessible to unchallenged users. Follow these guidelines:
Examine all locations where the Unchallenged Access User has read or write privileges, and make sure that the folders, objects, and data in those locations are appropriately secured both in SAS metadata and on the physical file system.
Review any content, applications, or portlets that allow users to interact with the SAS server tier. Examples include dashboards, information maps, reports, and stored processes, as well as applications that are launched from these objects. Review any applications or portlets that access data, especially with unbounded queries, or that submit code for processing.
Examine the content that is stored on the SAS Content Server and make sure that its folders are appropriately secured. The SAS Content Server treats unchallenged users the same as any other user. Therefore, unchallenged users can view any content for which jcr:authenticated has READ access. For details, see Using the SAS Content Server Administration Console.
When unchallenged portal access is enabled, the administrator is responsible for limiting the ability of unchallenged users to modify or save content. Unchallenged users cannot edit portal pages or portlets. However, some types of portal content launch SAS applications that do allow a user to save data. Some of these applications have options for disabling the ability to save. Follow these general guidelines to limit the ability to save:
Do not surface any application or portlet that allows unchallenged users to save data, unless it is intended that they be able to do so.
Make sure the Unchallenged Access User has the appropriate read and write permissions on folders, objects, and data.
For each application, place the Unchallenged Access User in roles that appropriately limit the ability to save. For example:
SAS Web Report Studio, which is the default application for viewing reports, enables users to save reports to the user's My Folder, as well as to any folders for which the user has write access. To prevent unchallenged users from saving reports, make sure that the Unchallenged Access User is not authorized as a report creator or as an advanced user of SAS Web Report Studio. For more information, see Predefined Roles.
If you have implemented the portal in a restricted environment (such as a corporate intranet) where the unchallenged user base is known, then you might want to allow reports to be created, modified, and saved. However, make sure that folder permissions have been set up so that reports can be saved only to the appropriate folders.
If you plan to surface dashboards on portal pages that are available to unchallenged users, then make sure the Unchallenged Access User is not authorized to administer dashboards. For more information, see Implementing Security for SAS BI Dashboard.
Summary of Configuring the Portal for Unchallenged Access |
Here is a summary of the steps to configure the SAS Information Delivery Portal for unchallenged access:
Create an operating system-level user account for the Unchallenged Access User. See Step 1: Create an Operating System-Level User Account for the Unchallenged Access User.
Set the portal's configuration properties for unchallenged access by using one of the following methods:
Use the SAS Deployment Wizard. You can use this method when you install the SAS Information Delivery Portal for the first time if the version that you are installing is SAS Information Delivery Portal 4.3. You can also use this method if you are migrating your system from SAS 9.1.3 to a SAS 9.2 deployment that includes the SAS Information Delivery Portal 4.3.
See Use the SAS Deployment Wizard to Set Configuration Properties for Unchallenged Portal Access.
Use SAS Management Console to set the properties, and then rebuild and redeploy the SAS Information Delivery Portal Web application. You can use this method if you have already installed the SAS Information Delivery Portal, or if you have already migrated from SAS 9.1.3 to SAS 9.2.
This method requires that you first update your deployment to SAS Information Delivery Portal 4.3.
See Use SAS Management Console to Set Configuration Properties for Unchallenged Portal Access.
Set up a metadata identity for the Unchallenged Access User. This is the identity that is assumed by users when they access the portal via the public URL. See Step 3: Create a Metadata Identity for the Unchallenged Access User.
Create content for unchallenged access. If you migrated your deployment from SAS 9.1.3, you can convert any existing Public Kiosk pages to unchallenged access pages. See Convert Public Kiosk Pages to Unchallenged Access Pages (Migrated Deployments Only). You can also set up new content. See Create New Content for Unchallenged Access.
Validate your deployment to make sure that unchallenged access has been configured correctly. See Step 5: Validate Unchallenged Access.
The following topics provide detailed instructions for each of the configuration steps.
Step 1: Create an Operating System-Level User Account for the Unchallenged Access User |
On the machine where the metadata server is installed (or will be installed), set up an operating system-level account for the Unchallenged Access User.
This is the user that you will specify in the SAS Deployment Wizard or in SAS Management Console when you set the configuration properties for unchallenged portal access.
If you migrated your system from SAS 9.1.3, then you might already have an account (for example, sasguest) that you can use for this purpose.
Step 2: Set the Configuration Properties for Unchallenged Portal Access |
You can use the SAS Deployment Wizard to set the configuration properties for unchallenged portal access in the following situations:
You are installing the SAS Information Delivery Portal for the first time. The release that you are installing must be SAS Information Delivery Portal 4.3.
You are migrating your system from SAS 9.1.3 to a SAS 9.2 deployment that includes the SAS Information Delivery Portal 4.3.
Wizard Page | Prompt | Description |
---|---|---|
Select Configuration Prompting Level | None | Select Custom to access the custom deployment options. |
SAS Information Delivery Portal: Unchallenged Access | Enable Unchallenged Access | Select the check box to enable unchallenged portal access. |
SAS Information Delivery Portal: Unchallenged Access Information | User ID for the Unchallenged Access User | Enter the user ID for the Unchallenged Access User. On Windows systems, make sure that the user ID includes the appropriate qualifier. |
|
Display Search Menu for Unchallenged Access | Select the check box if you want to display the Search link in the banner for unchallenged users. |
Logoff Behavior for Unchallenged Access |
Select one of the following values:
logoff to display the Log Off link in the banner for unchallenged users logon to display the Log On link in the banner for unchallenged users. Users can click on this link to display the SAS Logon Manager. hide to hide the Log Off and Log On links in the banner. |
If you have already installed the SAS Information Delivery Portal, or if you have already migrated from SAS 9.1.3 to SAS 9.2, you can use SAS Management Console to set the configuration properties for unchallenged portal access. You must then rebuild and redeploy the SAS Information Delivery Portal Web application.
Follow these steps:
Important: If you have release 4.2 of the SAS Information Delivery Portal, then upgrade your installation to SAS Information Delivery Portal 4.3.
Log on to SAS Management Console as an unrestricted user (for example, sasadm@saspw) or as a user who is in the SAS Administrators group.
On the Plug-ins tab, navigate to Application Management Configuration Manager Information Delivery Portal 4.3. Right-click to display the Information Delivery Portal 4.3 Properties dialog box.
On the Advanced tab, enter the property names and appropriate property values as specified in the following table:
Property Name | Description |
---|---|
Unchallenged.Access.Enabled | Enter true to enable unchallenged portal access, or enter false to disable it. |
Unchallenged.Access.UserID | Enter the user ID that you created for the Unchallenged Access User. On Windows systems, make sure that the user ID includes the appropriate qualifier. |
Unchallenged.Access.Logoff.Behavior |
Enter one of the following values:
logoff to display the Log Off link in the banner for unchallenged users. logon to display the link in the banner for unchallenged users. Users can click on this link to display the SAS Logon Manager. hide to hide the Log Off and Log On links in the banner. |
Unchallenged.Access.Show.Search.Menu | Enter true to display the Search link in the banner for unchallenged users, or enter false to hide it. |
To enable the updated Unchallenged.Access.Enabled property to take effect, you must rebuild and redeploy the SAS Information Delivery Portal Web application. Follow these steps:
Stop the Web application server.
Use the SAS Deployment Manager to rebuild the SAS Information Delivery Portal Web application. For instructions, see Rebuilding the SAS Web Applications.
Redeploy the SAS Information Delivery Portal Web application. For instructions, see Redeploying the SAS Web Applications.
Restart the Web application server.
Note: If you updated only the Unchallenged.Access.Logoff.Behavior and Unchallenged.Access.Show.Search.Menu properties, then it is not necessary to rebuild and redeploy the SAS Information Delivery Portal Web application. You need only to stop and restart the Web application server.
Step 3: Create a Metadata Identity for the Unchallenged Access User |
To set up a metadata identity for the Unchallenged Access User, follow these steps. This is the identity that is assumed by users when they access the portal via the public URL.
Note: If you migrated your system from SAS 9.1.3, then you might already have a metadata identity (for example, SAS Guest User) that you can use for this purpose. If the identity already exists, make sure that it is set up correctly as described in the following steps.
Make sure that an operating system-level user account for the Unchallenged Access User exists on the metadata server machine. See Step 1: Create an Operating System-Level User Account for the Unchallenged Access User.
Open the User Manager plug-in in SAS Management Console and follow these steps to create a metadata identity for the Unchallenged Access User:
On the General tab, enter the user ID that you created in SAS Deployment Wizard. See Step 1: Create an Operating System-Level User Account for the Unchallenged Access User. In the Display Name field, enter a name such as Unchallenged Access User.
On the Accounts tab, select New to create the user's login. In the New Login Properties dialog box, enter the User ID for the Unchallenged Access User's account (the operating system account that you created in step 1). On Windows, make sure that the user ID includes the appropriate qualifier (for example, Windows-domain-name\userID, userID@company.com, or machine-name\userID).
Leave the Password field blank. In Authentication Domain, select the same domain that is specified for other portal users (for example, DefaultAuth).
Click OK to save your changes.
If you plan to include dashboards on any of the portal pages that are available for unchallenged access, then make sure that the Unchallenged Access User is not a direct or indirect member of the BI Dashboard Administrators group or the BI Dashboard: Administration role. To enable unchallenged users to view dashboards, make the Unchallenged Access User a direct or indirect member of the BI Dashboard Users group. See Implementing Security for SAS BI Dashboard.
If you plan to include SAS reports on any of the portal pages that are available for unchallenged access, then make sure that the Unchallenged Access User is not a direct or indirect member of the Web Report Studio: Report Creation or Web Report Studio: Advanced roles. See Predefined Roles.
Step 4: Create Content for Unchallenged Access |
If you migrated your deployment from SAS 9.1.3, then you might already have a set of Public Kiosk pages. You can convert these pages from PUBLIC shared pages to pages that belong to the Unchallenged Access User. The pages appear in the page list when users access the portal using the public URL. To convert your Public Kiosk pages, follow these steps:
Temporarily configure the Unchallenged Access User (the user identity that you created in Step 3: Create a Metadata Identity for the Unchallenged Access User) to be a content administrator for the PUBLIC group. For instructions, see Configure a Group Content Administrator.
Access the portal by using the regular URL (for example, http://host-name/SASPortal), and log on as the Unchallenged Access User.
From the Customize menu, navigate to Edit page Edit Page Properties. On the Edit Page Properties dialog box, make the following entries:
In the Location (group) drop-down list, select Not shared.
If you want the contents of the page to be available only to unchallenged users, select Move the following items to the specified share location.
Repeat step 4 for each page that appears in the Public Kiosk.
Create any other pages, portlets, and content that you want to make available to unchallenged users. For details, see Adding Content to the Portal.
Important note: To prevent unintended access to servers and data, be sure to follow the guidelines in Security Considerations for Implementing Unchallenged Portal Access.
Make any desired changes to the order of the pages.
Review the pages that are displayed to the Unchallenged Access User, and make sure all of the content is appropriate for public access.
Log off from the portal.
Important: Remove the Unchallenged Access User from the list of PUBLIC content administrators. See Configure a Group Content Administrator.
When unchallenged users access the SAS Information Delivery Portal by using the public URL, they will be able to view all of the pages that are in the unchallenged user's list. If you did not migrate your deployment from SAS 9.1.3, follow these steps to set up pages for the unchallenged user. If you converted SAS 9.1.3 Public Kiosk pages, you can use these steps to create additional content for the unchallenged user.
Access the portal by using the regular URL (for example, http://host-name/SASPortal), and log on as the Unchallenged Access User.
Create pages, portlets, and content that are appropriate for access by unchallenged users. For details, see Adding Content to the Portal.
Important note: To prevent unintended access to servers and data, be sure to follow the guidelines in Security Considerations for Implementing Unchallenged Portal Access.
Review the pages that are displayed to the unchallenged user, and make sure all of the content is appropriate for public access.
Log off from the portal.
Step 5: Validate Unchallenged Access |
When you are finished configuring unchallenged portal access and creating unchallenged user content, navigate to http://host-name/SASPortal/public and verify that the portal is configured properly and that content is displayed appropriately.
Unchallenged access allows users to view SAS content without authenticating. It is the SAS administrator's responsibility to make sure any content that needs to be secured is not accessible via unchallenged access. It is also the SAS administrator's responsibility to make sure the unchallenged content cannot be modified.
Modifying the Configuration Properties for Unchallenged Portal Access |
If you want to change the links that are visible to unchallenged access users, you can modify the configuration properties. To do so, follow the instructions in Use SAS Management Console to Set Configuration Properties for Unchallenged Portal Access. If you update only the Unchallenged.Access.Logoff.Behavior and Unchallenged.Access.Show.Search.Menu properties, then it is not necessary to rebuild and redeploy the SAS Information Delivery Portal Web application. You only need to stop and restart the Web application server.
Disabling Unchallenged Portal Access |
If you want to disable unchallenged access behavior, you can do so by changing the Unchallenged.Access.Enabled configuration property to false. For instructions, see Use SAS Management Console to Set Configuration Properties for Unchallenged Portal Access. After changing the property, you must rebuild and redeploy the SAS Information Delivery Portal Web application.
Reconfiguring Unchallenged Portal Access |
If you remove the SAS Information Delivery Portal configuration for any reason, then the unchallenged access configuration properties are also removed. After you use the SAS Deployment Wizard to reconfigure the SAS Information Delivery Portal, follow the instructions in Use SAS Management Console to Set Configuration Properties for Unchallenged Portal Access to re-enable unchallenged portal access. After setting the properties, you must rebuild and redeploy the SAS Information Delivery Portal Web application.
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.