Creating Operating System Accounts in UNIX Environments

Using Operating System Groups to Assign Permissions

Users have different operating system privileges on the SAS Workspace Server. By defining a user group for SAS Business Rules Manager, you can assign all users to the same group and grant the same permissions to all users at one time. All SAS Business Rules Manager users must have Read, Write, and Execute permissions for each environment directory that a user is permitted to use. Users also need permissions to all of the files and directories in an environment directory. The operating system must be configured to grant these permissions when new files and directories are created. The steps that you follow to do this depend on which operating system groups are defined and your site’s security policies.

Conditions for the User Group

If you are working in a UNIX operating environment, the following conditions must be met:
  • A group of users is created for the UNIX operating environment. The logon IDs for each user must be in this group. The group must also include any user who might run code that is created by SAS Business Rules Manager in a SAS session.
  • Users can be members of multiple groups, but the SAS Business Rules Manager group is the primary group for each user.
  • The SAS scripts are updated to grant permissions to the SAS Business Rules Manager users on the SAS Workspace Server. For more information, see Update the SAS Scripts to Grant Permissions to the User Group.
  • Each environment directory has the correct ownership, and the user group has Read, Write, and Execute permissions.

Update the SAS Scripts to Grant Permissions to the User Group

Using the umask option, you can grant permissions to users on a conditional basis if the user is part of the SAS Business Rules Manager user group.
Note: This example might require changes to fit your server configuration. In particular, this example could result in changed permissions on other SAS files, such as OLAP cubes. For example, if you are working with multiple UNIX groups and have a SAS OLAP Server, you must ensure that the account under which the SAS OLAP Server runs has Read and Execute permissions to OLAP files.
To set these permissions:
  1. On each SAS Workspace Server, open /sasconfigdir/Lev1/SASApp/appservercontext_env.sh.
  2. Enter the configuration information for your operating environment. Here is the general format of this code:
    Note: The following code uses grave accents and not quotation marks.
    CMD=<your-operating-system-path>
    CURR_GID=`eval $CMD -g`
    GID=<solution-group-id>
    if [ $CURR_GID -eq $GID ]; then umask 002; fi
    a. In CMD=<your-operating-system-path>, specify the full path on your server where the id command is stored. You can get this information by entering a which id or whence id command on your console.
    b. In GID=<solution-group-id>, specify the group ID. Type id on your console to get the GID and UID information.
    c. A value of 002 is recommended for the umask option.
    Here are code examples for each UNIX environment where SAS Business Rules Manager is supported:
    Operating Environment     Sample Code

    AIX                       CMD=/usr/bin/id
                              CURR_GID=`eval $CMD -g`
                              GID=201
                              if [ $CURR_GID -eq $GID ]; then umask 002
                              fi

    H64I (HP-Itanium)         CMD=/usr/bin/id
                              CURR_GID=`eval $CMD -g`
                              GID=201
                              if [ $CURR_GID -eq $GID ] ; then umask 002
                              fi

    S64 (Solaris)             CMD=/usr/xpg4/bin/id
                              CURR_GID=`eval $CMD -g`
                              GID=201
                              if [ $CURR_GID -eq $GID ] ; then umask 002
                              fi

    SAX (Solaris for X64)     CMD=/usr/xpg4/bin/id
                              CURR_GID=`eval $CMD -g`
                              GID=201
                              if [ $CURR_GID -eq $GID ] ; then umask 002
                              fi

    LNX (Linux)               #!/bin/bash
                              CMD=/usr/bin/id
                              CURR_GID=`eval $CMD -g`
                              GID=500
                              if [ "$CURR_GID" -eq "$GID" ] ; then umask 002
                              fi
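
To confirm what the conditional umask does before relying on it, the following added example (not part of the SAS documentation or scripts) applies the same test in a subshell and reports the permissions that new files and directories receive. The function name modes_for_gid and the 022 baseline umask are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: verify the effect of the conditional umask from
# appservercontext_env.sh. modes_for_gid is a hypothetical helper name.
#
# Usage: modes_for_gid <solution-group-id>
# Prints the permission strings of a newly created file and directory,
# for example "-rw-rw-r-- drwxrwxr-x" when the caller's primary GID matches.
modes_for_gid() {
    target_gid=$1
    (
        # Assumed baseline: a common default that denies group write.
        umask 022

        # Same logic as the SAS script: compare the primary GID of the
        # current user with the solution group ID.
        CMD=$(command -v id)
        CURR_GID=$("$CMD" -g)
        if [ "$CURR_GID" -eq "$target_gid" ]; then
            umask 002
        fi

        # Create a file and a directory under a scratch location and read
        # back their modes. ls -ld is used instead of stat because stat
        # options differ between AIX, Solaris, HP-UX and Linux.
        tmp=$(mktemp -d) || exit 1
        : > "$tmp/f"
        mkdir "$tmp/d"
        f_mode=$(ls -ld "$tmp/f" | cut -c1-10)
        d_mode=$(ls -ld "$tmp/d" | cut -c1-10)
        rm -rf "$tmp"

        echo "$f_mode $d_mode"
    )
}

# Report the result for the current user's own primary group.
modes_for_gid "$(id -g)"
```

If the output shows r-- or r-x in the group position for a user who should be in the SAS Business Rules Manager group, that user's primary group does not match the GID in the script.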