Configuring Data Source Access

Data services contain information that identifies the location of data tables. If a data source does not support native catalogs, SAS Federation Server enables you to define a logical catalog name to use as an SQL identifier. This allows each data source to be uniquely identified when performing heterogeneous operations.

Data services requiring logins must be associated with a domain in the Authentication Server. When users connect to the data service through a data source name, the domain name is used to retrieve user credentials associated with that data service. The credentials are then passed along to the back-end database. User credentials are stored in the Authentication Server.

Data services can also contain optional information to control SAS Federation Server driver behavior, such as locking semantics and tracing. Data services form the foundation for connectivity to a source of data, and privileges can be assigned to data services to control user access to the given data service.

Use administration DDL or SAS Federation Server Manager to create a data service.

By default, a BASE data service is created the first time that SAS Federation Server is started. Only one BASE data service can exist in a SAS Federation Server installation, and it cannot be modified or deleted.

When creating a data service for a data source that supports native catalogs and using the REGISTER option, the server attempts to connect to the database to acquire a list of catalogs. Credentials are required to secure the connection. If the connection cannot be made, creation of the data service will fail. The same requirement for pre-registered credentials applies when creating a data service to ODBC with native catalog support, or for any data services that support native catalogs.

When creating an ODBC data service, the server must query the data source to acquire its identifier case sensitivity property. The identifier case sensitivity property is used to create security entries in the Federation Server system tables and is stored with the data service.

Due to the requirement for a database connection described above, the following database login prerequisite applies to SQLSERVER, ODBC and ODBC_FED data services. These actions must be completed before creating the data service, and must be accomplished through the Authentication Server Manager.

Here is an example of the DDL statement, CREATE DATA SERVICE. See CREATE DATA SERVICE DDL for details and a complete list of options. You can also alter and drop data services using DDL.

CREATE [DATA] SERVICE data-service
TYPE data-service-type
[CATALOG [NAME] catalog-name]
[DOMAIN [NAME] domain-name]
[REGISTER [( catalog-name1 [,catalog-name2 …]) | ALL]
[register-options]]
[data-service-options]

Use CATALOG to register a catalog name for data sources that do not support native catalogs.

Use REGISTER to register the native catalog names for those data sources that support native catalogs, such as SQL Server. If an identical catalog name is encountered, a warning message is issued and the catalog is not registered. In this case use the CREATE CATALOG DDL statement to provide a mapped name for the native name.

If specifying more than one driver in the CREATE DATA SERVICE statement, the first driver listed in the statement is the default driver used to connect to a data source if a driver is not specified in a connection string. For example, if two drivers are specified when creating a data service, the first driver is used as the default driver if driver= is not specified in a connection string. If a driver is specified in a connection string using conopts-configuration-list when creating the data service, it is used when connecting to a data source.

The terms catalog and schema are defined as ANSI SQL standards and refer to the organization of data in a relational database. That is, data is contained in tables, tables are grouped into schemas, and schemas are grouped into catalogs. Catalog and schema names can be used in SQL statements to qualify table references. For example, when querying a database that supports both schemas and catalogs, you can specify a three-level identifier in the form of CATALOG.SCHEMA.TABLE-NAME.

A catalog is a named collection of logically related schemas. The catalog is the first-level (top) grouping mechanism in a data organization hierarchy that qualifies schemas. At least one schema is required for each catalog.

For the BASE data service, you must create catalogs and schemas in order to make data available. For all other data services, catalogs and schemas are defined in the data source (though the data source is not required to support either catalogs or schemas), and catalog and schema names can be registered in SAS Federation Server to reflect those objects.

Catalog names for all data sources must be registered in SAS Federation Server and they must be unique within the system.

The following is a sample of the CREATE CATALOG DDL statement:

CREATE CATALOG catalog UNDER data-service
[ NATIVE NAME native-name ]
[ create-catalog-options ]

A complete list of options is shown in the CREATE CATALOG DDL statement.

A schema is a data container object that groups logically related objects such as tables and views. The schema provides a unique namespace that is used along with a catalog to qualify names.

For SAS data sets, a schema identifies the physical location such as a UNIX® directory or a Windows® folder that contains a collection of tables. That is, for SAS data, the relationship between a schema and its files is similar to that of an operating system file directory and the files that are contained within that directory. For SAS data, a schema is approximately equivalent to a SAS library.

Unlike catalogs, schema registration is not required for all schemas in the data source. Schemas are registered only when the administrator wants to assign an owner to the schema. Schemas are also created and maintained internally as needed by the system, such as when assigning privileges to a user or group on a schema.

The following is an example of the CREATE SCHEMA DDL statement:

CREATE SCHEMA [ catalog.schema ]
[ AUTHORIZATION|OWNER owner ]
[ create-schema-options ]

A complete list of options is shown in CREATE SCHEMA DDL.

All schemas have an owner. If an owner is not explicitly assigned to a schema, ownership defaults to the system user account. Definer’s rights views require a non-system schema owner for proper operation. The schema owner is the owner of all objects contained in the schema, though the owner has particular relevance to definer’s rights views. And as the owner, certain privileges are automatically granted to the schema owner.

DSNs are used to expose data services to users connecting through SAS Federation Server. Typically, when a client connects to SAS Federation Server, they will specify a DSN. The administrator can assign privileges to determine which users can connect. In order to connect to a data source, a user must be granted CONNECT privilege on SAS Federation Server, a specific data service, or a specific DSN.

A DSN references a specific data service to which it will connect and defines how SQL security is enforced. It can be configured so that SAS Federation Server enforces SQL privileges defined for the data service. The CREATE DSN privilege is required to create a DSN. Configure DSNs using DDL statements or by using SAS Federation Server Manager. For an explanation of CREATE DSN DDL syntax, refer to Administration DDL, CREATE DSN statement.

A federated DSN is a collection of one or more standard DSNs. Unlike the standard DSN which is parented to a data service, the federated DSN is parented to the federation server itself, even if it only contains DSNs from a single data service. Federated DSNs can contain other federated DSNs. Since federated DSNs are typically used to provide access to data from multiple, disparate data sources, the FedSQL dialect is required.

The ADMIN DSN is created automatically at server startup and is used for the purpose of sending administration SQL to the server. The ADMIN DSN is also used to query Information Views. The SAS Federation Server Manager automatically connects with the ADMIN DSN to display information such as the registered list of data services and DSNs. Any user expected to use SAS Federation Server Manager to accomplish tasks, such as creating views and caching views, will require CONNECT privilege to the ADMIN DSN. SAS Federation Server automatically checks a user’s privileges when any administration SQL is submitted. Some administration SQL can be submitted by any user (for example, selecting against Information Views for which they have privileges), while other administration SQL can be executed by the server administrator only. See the SAS FedSQL Reference Guide for details.

CONNECT privileges are not assigned to DSNs by default, and must be granted by the administrator or by the DSN owner, to users or groups that are connecting to data sources. See the GRANT and DENY statements for additional information.

When Federation Server SQL Authorization Enforcement is enabled, the FedSQL driver is also required, and the SQL dialect is automatically set to FedSQL. With FedSQL an additional layer of object-level security is enabled for the connection and SQL statements are secured before processing them. If Federation Server SQL Authorization Enforcement is disabled, object-level security is bypassed and a user is granted all privileges regardless of what the user has been granted or denied. If Federation Server SQL Authorization Enforcement is disabled, an administrator can choose either FedSQL dialect or data source (native) dialect. For example, if you are connected to Oracle, then native dialect would be SQL supported by Oracle. The SQL dialect for Base data services is always FedSQL.

Security is enabled by default for all new DSNs. However, if you need to enable SAS Federation Server security on a DSN, use DDL options with CREATE DSN and set SECURITY to YES.

Here is an example DDL statement that enables SAS Federation Server security:

CREATE DSN "DSN1" UNDER BASE
DESCRIPTION 'creating DSN1' NOPROMPT
'DRIVER=BASE;CATALOG="catalog1_BASE";SCHEMA=(name="schema1_BASE")' {OPTIONS
(SECURITY YES)}

If data services require credentials, the DSN can be configured to specify how database logins are retrieved. The DSN can be configured to use the personal credentials of the user, or retrieve the login from a shared login. If you are using a shared login, you can specify a consumer group from the DSN. This is required only to identify what shared login to use if multiple shared logins are available in the same domain to connecting users.

When using SAS Federation Server Manager, an administrator can have either personal credentials or a shared login to the underlying databases for the purpose of managing data services. SAS Federation Server Manager connects to a data service behind the scenes and data services use a credential search order of PERSONAL, SHARED (CSO=PERSONAL,SHARED).

Connections made using a DSN use a credentials search order (CSO) as specified in the DSN configuration. By default, the credentials search order is PERSONAL, SHARED. Other valid values are SHARED, (PERSONAL, SHARED) and (SHARED, PERSONAL).

Also, if GROUP=groupname is specified as part of the DSN used to connect or supplied directly in the connection string, shared login selection is limited to those candidates in which the specified group is a consumer. The user must be a direct or indirect member of the group, or no shared login will be selected at all. The GROUP= option does not have any effect on personal login extraction.