Client Requirements
A SAS Open Metadata Interface client is a program that communicates with the SAS Metadata Server. The SAS Open Metadata Interface provides methods to perform the following tasks on the SAS Metadata Server:
Create, read, and update repository objects.
Control access to the SAS Metadata Server.
Define access controls on application resources and repositories.
Request authorizations based on access controls.
Manage access controls.
Define and manage internal user accounts.
Most clients create, read, and update application metadata. Clients use repository objects to register repositories in the SAS Repository Manager, to modify a repository's registered access mode, or to get information about repository availability.
A client that controls access to the SAS Metadata Server does so to interrupt client activity so that external maintenance tasks can be performed, such as running a backup, recovering memory, or changing certain server configuration and invocation options while the server is online.
A client that defines access controls does so to control access to data by defining controls on the metadata that describes the data. Access controls can be defined directly on the metadata that describes a resource, or they can be defined in an access control template (ACT) that is associated with many resources.
A client that requests authorizations queries the SAS Open Metadata Architecture authorization facility to determine whether the specified user has appropriate permission to a requested resource based on active access controls. Depending on the decision, the client then either enforces the decision itself or allows the SAS Metadata Server to enforce it. The SAS Metadata Server enforces ReadMetadata and WriteMetadata permissions to a resource. A client that wants to enforce other permissions on a resource must do so itself. For information about the default access controls supported by the authorization facility and how the authorization facility works, see the SAS Intelligence Platform: Security Administration Guide.
SAS 9.2 supports authorization based on role membership. Clients can define roles that identify application actions that will be controlled as metadata. Administrators can assign identities to the roles. The GetApplicationActionsAuthorizations method is provided to enable clients to request decisions based on role membership.
A client that manages access controls can list the identities that have permissions on a resource, list the permissions that are defined directly on a resource, list the ACTs that are associated with a resource, and apply ACTs to or remove ACTs from a resource. It can also create an ACT, modify the attributes of an ACT, and destroy an ACT.
A client that creates and manages internal user accounts creates internal logins and modifies their authentication settings for the task.
Appropriate identity, permission, resource, ApplicationAction and Role objects must be defined on the SAS Metadata Server for authorizations to be meaningful. See the SAS Intelligence Platform: Security Administration Guide for detailed information about the security features that are available through the SAS Open Metadata Architecture authorization facility.
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.