Creating Operating System Accounts for Product Administrators and Users

About the User Accounts for SAS Business Rules Manager

SAS Business Rules Manager provides two types of user accounts:
Product administrator
A SAS Business Rules Manager administrative user is specific to SAS Business Rules Manager. A product administrator account is not the same as a general administrator account, such as the SAS Administrator (sasadm@saspw). These users must have a valid host operating system account, and you must associate that account with a metadata user.
Users of SAS Business Rules Manager
These users must have a valid host operating system account, and you must associate that account with a metadata user through SAS Management Console.
You must create the operating system account for the administrator and for regular user accounts as a post-installation task. For more information, see the following topics:

Using Operating System Groups to Assign Permissions

Users have different operating system privileges on the SAS Workspace Server. By defining a user group for SAS Business Rules Manager, you can assign all users to the same group and grant the same permissions to all users at one time. All SAS Business Rules Manager users must have Read, Write, and Execute permissions for each environment directory that a user is permitted to use. Users also need permissions to all of the files and directories in an environment directory. The operating system must be configured to grant these permissions when new files and directories are created. The steps that you follow to do this depend on which operating system groups are defined and your site’s security policies.

Create Windows Operating System Accounts and Groups for Users

On the SAS Workspace Server, create an operating system account for the administrator of SAS Business Rules Manager and all SAS Business Rules Manager users.
If the SAS Workspace Server is running in the Windows operating environment, use one of the following methods to create this operating system account:
  • If you are using an LDAP server to manage your users, define the user (for example, domain\username) on the Active Directory server.
  • If you are working on a local machine, complete these steps to create this user account:
    1. Right-click the Computer icon on your desktop and select Manage. The Computer Management window appears.
      Note: If you are creating users on a server, you can use the Server Manager.
    2. In the left navigation pane, expand the Local Users and Groups node. The Users and Groups nodes appear.
    3. Right-click the Users node and select New User. The New User window appears.
    4. In the New User window, complete these tasks:
      • Specify a user name and password.
        Note: In Windows, you cannot enter <domain>\username (you enter the user name only), but you must enter <domain>\username in the SAS Deployment Wizard and SAS Management Console.
      • Clear the User must change password at next logon check box.
      • Select the User cannot change password check box.
      • Select the Password never expires check box.
      Click Create.
    5. Click Close to close the New User dialog box.
    6. If you want to add the users that you created to a group, perform the following steps:
      1. Right-click the Groups node in the Computer Management window, and select New Group.
      2. Click Add. Enter the user names, separated by semicolons, and click Check Names.
      3. Click OK.
    7. Assign the security policy of Log on as batch job for each user or group.
      1. Select Startthen selectControl Panelthen selectSystem and Securitythen selectAdministrative Toolsthen selectLocal Security Policy.
      2. From the Local Security Policy window, expand the Local Policies node and select User Rights Assignment. Then double-click the Log on as batch job policy.
      3. Click Add user or Group. Enter the user names or group names, separated by semicolons, and click Check Names.
      4. Click OK.

Create UNIX Operating System Accounts and Groups for Users

Conditions for the User Group

If you are working in a UNIX operating environment, the following conditions must be met:
  • A group of users is created for the UNIX operating environment. The logon IDs for each user must be in this group. The group must also include any user who might run code that is created by SAS Business Rules Manager in a SAS session.
  • Users can be members of multiple groups, but the SAS Business Rules Manager group is the primary group for each user.
  • The SAS scripts are updated to grant permissions to the SAS Business Rules Manager users on the SAS Workspace Server. For more information, see Update the SAS Scripts to Grant Permissions to the User Group.
  • Each environment directory has the correct ownership, and the user group has Read, Write, and Execute permissions.

Update the SAS Scripts to Grant Permissions to the User Group

Using the umask option, you can grant permissions to users on a conditional basis if the user is part of the SAS Business Rules Manager user group.
Note: This example might require changes to fit your server configuration. In particular, this example could result in changed permissions on other SAS files, such as OLAP cubes. For example, if you are working with multiple UNIX groups and have a SAS OLAP Server, you must ensure that the account under which the SAS OLAP Server runs has Read and Execute permissions to OLAP files.
To set these permissions:
  1. On each SAS Workspace Server, open /SAS-configuration-directory/Levn/SASApp/appservercontext_env_usermods.sh.
  2. Enter the configuration information for your operating environment. Here is the general format of this code:
    Note: The following code uses grave accents and not quotation marks.
    CMD=<your-operating-system-path>
    CURR_GID=`eval $CMD -g`
    GID=<solution-group-id>
    if [$CURR_GID -eq $GID]; then umask 002 fi
    1 In the CMD=<your-operating-system-path>, specify the full path on your server where the ID command is stored. You can get this information by entering a which id or whence id command on your console.
    2 In the GID=<solution-group-id>, specify the group ID. Type id on your console to get the GID and UID information.
    3 A value of 002 is recommended for the umask option.
    Here are code examples for each UNIX environment where SAS Business Rules Manager is supported:
Operating Environment
Sample Code
AIX
CMD=/usr/bin/id
CURR_GID=‘eval $CMD -g‘
GID=201
if [ $CURR_GID -eq $GID ]; then umask 002
fi
H64I (HP-Itanium)
CMD=/usr/bin/id
CURR_GID=‘eval $CMD -g‘
GID=201 if [ $CURR_GID -eq $GID ] ; then umask 002
fi
S64 (Solaris)
CMD=/usr/xpg4/bin/id
CURR_GID=‘eval $CMD -g‘
GID=201 if [ $CURR_GID -eq $GID ] ; then umask 002
fi
SAX (Solaris for X64)
CMD=/usr/xpg4/bin/id
CURR_GID=‘eval $CMD -g‘
GID=201
if [ $CURR_GID -eq $GID ] ; then umask 002
fi
LNX (Linux)
 #!/bin/bash
CMD=/usr/bin/id
CURR_GID=‘eval $CMD -g‘
GID=500
if [ "$CURR_GID" -eq "$GID" ] ; then umask 002
fi
Last updated: February 22, 2017