A SAS Open Metadata Interface client is a program that communicates with the SAS Metadata Server. The SAS Open Metadata Interface provides methods to perform the following tasks on the SAS Metadata Server:

- Create, read, and update repository objects.
- Create, read, and update application metadata objects.
- Control access to the SAS Metadata Server.
- Define access controls on application resources and repositories, request authorizations based on access controls, and manage access controls.
- Define and manage internal user accounts.
- Back up and recover the SAS Metadata Server (new in SAS 9.3).

Most clients create, read, and update application metadata.

Clients use repository objects to register repositories in the SAS Repository Manager, to modify a repository's registered access mode, or to get information about repository availability.

A client that controls access to the SAS Metadata Server does so to interrupt client activity so that maintenance tasks can be performed. Examples of maintenance tasks are recovering memory, running metadata analysis and repair tools, or changing certain server configuration and invocation options while the server is offline.

The SAS authorization facility supports resource-based authorization and role-based authorization.

A client that defines resource-based authorization enables administrators to define and manage access controls on the metadata that describes the resources. Access controls can be defined directly on the metadata that describes a resource, or they can be defined in an access control template (ACT) that is associated with many resources. A client that manages access controls enables administrators to list identities that have permissions on a resource. Administrators can also list permissions that are defined directly on a resource, list permissions that are defined in an ACT, and apply and remove ACTs from a resource. Administrators can create an ACT, modify the attributes of an ACT, and destroy an ACT.

A client that requests authorizations based on resource-authorization settings queries the SAS Open Metadata Architecture authorization facility to determine whether the specified user has appropriate permission to a requested resource based on active access controls. Then, depending on the decision, the SAS authorization facility either enforces the decision or allows the SAS Metadata Server to enforce the decision. The SAS Metadata Server enforces ReadMetadata and WriteMetadata permissions to a resource. A client that wants to enforce other permissions on a resource must do so itself. For information about the default access controls supported by the SAS authorization facility, and how the SAS authorization facility works, see the SAS Intelligence Platform: Security Administration Guide.

A client that defines role-based authorization identifies application actions that will be controlled as metadata. Administrators can assign identities to the roles. The GetApplicationActionsAuthorizations method enables clients to request decisions based on role membership.

A client that creates and manages internal user accounts creates internal logins, and modifies their authentication settings for the task.

Appropriate identity, permission, resource, ApplicationAction, and Role objects must be defined in the SAS Metadata Server for authorizations to be meaningful. For detailed information about the security features that are available through the SAS Open Metadata Architecture authorization facility, see the SAS Intelligence Platform: Security Administration Guide.