Data Security for SAS/CONNECT or SAS/SHARE Servers

Client Authentication

Authentication is the act of verifying the identity of the user who is attempting to access a machine—that is, the machine that either the client session or the server session runs on. Authentication is performed so that a machine can use the identity information to make decisions about the user's authority to access protected resources. Under Windows, the user ID, password, and access permissions make up a user context.
Resources on a SAS/CONNECT or a SAS/SHARE server are considered to be protected when both of the following conditions are met:
  • The server requires that the client provide its identity.
  • The client presents an identity that is successfully authenticated.
After the client's identity is authenticated, the client is given the appropriate permissions to access the server's resources.
Under Windows, two methods are available for authenticating a client's identity:
  • Simulated logon
  • SSPI

Simulated Logon Method

Overview of Simulated Logon Method

The simulated logon method is the most commonly used method of authentication and is available in all SAS supported operating environments. In a simulated logon, the client provides a user ID and password that are checked by the server.
You use a simulated logon in the following situations:
  • The client or the server (or both) does not run on a Windows machine.
  • The user who runs the client machine is not a trusted user at the server machine.
  • The user who runs the client machine wants to log on by using a different user context.
For details about user context, see Contexts for User IDs.

Requirements for Using Simulated Logon with SAS/CONNECT or SAS/SHARE

To authenticate the user credentials (user ID and password) of SAS/CONNECT or SAS/SHARE clients, the administrator of the computers on which the client and server sessions run must assign the appropriate rights to users.
Here are the requirements for SAS/CONNECT and SAS/SHARE:
  • assignment of the “Log on as batch job” right to users in client sessions that access SAS/CONNECT server sessions.
  • assignment of the “Act as part of the operating system” right to users who start SAS/SHARE servers or SAS/CONNECT spawners.
Here are the requirements for SAS/CONNECT only:
  • assignment of the “Increase quotas” right to users who start a SAS/CONNECT spawner.
  • assignment of the “Replace a process level token” right to users who start a SAS/CONNECT spawner.
  • specification of the -SECURITY option in the SAS/CONNECT spawner start-up command.
Here are the requirements for SAS/SHARE only:
  • specification of the system option TCPSEC=_SECURE_ in the server session.
  • specification of the AUTHENTICATE=REQUIRED option in the PROC SERVER statement that is used to start a SAS/SHARE server session. REQUIRED is the default value.
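
One way to verify the rights assignments listed above is to audit a user-rights export produced by `secedit /export /cfg <file> /areas USER_RIGHTS`. This is an added example, not SAS code. The account names and the sample export are constructed, and the mapping from display names to `Se*` constants uses the standard Windows names for these rights.

```python
# Added example: audit a secedit user-rights export against the rights listed above.
# Display name (as on the page) -> Windows constant name used in the export.
SPAWNER_RIGHTS = {  # user who starts a SAS/CONNECT spawner
    "Act as part of the operating system": "SeTcbPrivilege",
    "Increase quotas": "SeIncreaseQuotaPrivilege",
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
}
SHARE_SERVER_RIGHTS = {"Act as part of the operating system": "SeTcbPrivilege"}
CLIENT_USER_RIGHTS = {"Log on as batch job": "SeBatchLogonRight"}

# Constructed sample export; the domain, accounts and holders are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\\sasusers
SeTcbPrivilege = EXAMPLE\\sas_spawner,EXAMPLE\\jdoe
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,EXAMPLE\\sas_spawner
"""


def parse_rights(inf_text):
    """Return {constant: set of lowercased holders} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights


def audit(rights, principal, required, allowed_tcb):
    """Return (rights `principal` lacks, unexpected SeTcbPrivilege holders).

    Only direct assignments are checked; rights held through group
    membership must be resolved separately.
    """
    who = principal.lower()
    missing = sorted(display for display, const in required.items()
                     if who not in rights.get(const, set()))
    allowed = {a.lower() for a in allowed_tcb}
    return missing, sorted(rights.get("SeTcbPrivilege", set()) - allowed)


if __name__ == "__main__":
    parsed = parse_rights(SAMPLE_EXPORT)
    print(audit(parsed, "EXAMPLE\\sas_spawner", SPAWNER_RIGHTS,
                ["EXAMPLE\\sas_spawner"]))
```

The second value in the result lists every other holder of "Act as part of the operating system", so the right can be kept limited to the accounts that start SAS/SHARE servers or SAS/CONNECT spawners.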

SSPI

Overview of SSPI

Security Support Provider Interface (SSPI) enables transparent authentication for connections between Windows computers. Users who are members of a trusted domain are authenticated automatically, and user context information is transferred to the server.
Windows attempts to use SSPI for authentication whenever a user ID is not explicitly supplied.
SSPI is available only when the client and the server sessions both run on Windows computers, and the user who runs the client computer is a member of a domain that is trusted at the server computer.

SSPI Requirement for SAS/CONNECT

In order to use SSPI for authentication, the SAS/CONNECT server administrator must set the -SECURITY option at spawner invocation.

SSPI Requirement for SAS/SHARE

In order to use SSPI for authentication, the SAS/SHARE server administrator must do the following:
  • specify the option TCPSEC=_SECURE_
  • specify the option AUTHENTICATE=REQUIRED in the PROC SERVER statement. REQUIRED is the default value.