Notes for SPD Server Administrators

The SPD Server administrator performs the maintenance and configuration functions for SPD Server. Here are some guidelines for administrators:

UNIX User IDs

The SPD Server administrator needs a UNIX login ID on the SPD Server machine. Other SPD Server users do not need UNIX login IDs. You can control their access to SPD Server data resources using the SPD Server password facility without giving them specific login accounts. This adds a measure of security and control and SPD Server users are permitted physical access to the SPD Server machine.
You should add the InstallDir/bin directory to your PATH using your shell's login script. ksh users should modify .profile or .kshrc files. csh users should modify .login or .cshrc files, depending on where they currently set the PATH environment variable. This makes invoking the various SPD Server utility programs much easier.
SAS recommends that you run your SPD Server environment using the same UNIX user ID that was used to install SPD Server on the server machine. The user ID should also be the SPD Server administrator's user ID. The common user ID minimizes potential problems with file ownership and system access permissions on the server machine. You add SPD Server access controls to the resources created with SPD Server by using SPD Server user IDs and SPD Server ACLs. The SPD Server user IDs and ACLs provide fine-grained access controls to the SPD Server data resources.
Regardless of how the SPD Server run-time environment is configured, SPD Server processes always run with some UNIX user ID. That UNIX user ID owns all of the files that the SPD Server process creates. The UNIX user ID is governed by UNIX file access permissions. Remember this when starting SPD Server processes and running SPD Server administrator utilities! Otherwise, it is possible to create files with ownership and permissions that deny required access to the SPD Server processes. Performing all SPD Server installation and administration tasks from the same UNIX user ID makes subsequent SPD Server use much easier.
Here are some options for establishing the appropriate UNIX user ID for your SPD Server processes:
Establish a dedicated UNIX account for the SPD Server administrator. Always execute the rc.spds script from that account.
The rc.spds script that starts the SPD Server processes should use the setuid bit. No matter who executes the script, the user ID of the shell executing the script is that of the script owner. This ensures that SPD Server processes run with the correct UNIX user ID.
At system startup, use the UNIX su command to establish the proper UNIX user ID for the shell that executes the rc.spds script. To start the environment manually, you must enter the password for each UNIX account in your su command, unless you are root when you execute the su command.
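The following pre-start check is an added example, not SAS-supplied code. It refuses to proceed unless the shell is running as the intended administrator account, and it reports files whose ownership or owner permissions would deny access to SPD Server processes. The function names, the account name, and the directories passed in are assumptions for illustration.

```shell
#!/bin/sh
# Pre-start checks for the UNIX account that runs rc.spds (added example).
# Assumptions: the admin account name and the data directories are passed in
# by the caller; all function names here are hypothetical.

# True when the shell's effective user is the expected account.
# Accepts a user name or a numeric UID.
running_as() {
    [ "$(id -un 2>/dev/null)" = "$1" ] || [ "$(id -u)" = "$1" ]
}

# List everything under the given directories that the expected account does
# not own. These are the files a correctly started server can be denied.
foreign_owned() {
    owner=$1; shift
    find "$@" ! -user "$owner" -print
}

# List regular files the account owns but whose owner bits lack read or write.
unusable_by_owner() {
    owner=$1; shift
    find "$@" -type f -user "$owner" ! -perm -600 -print
}

# Return 0 when it is safe to start, 1 for the wrong account,
# 2 when ownership or permissions need repair first.
preflight() {
    admin=$1; shift
    if ! running_as "$admin"; then
        echo "refusing to start: run as $admin" >&2
        return 1
    fi
    bad=$(foreign_owned "$admin" "$@"; unusable_by_owner "$admin" "$@")
    if [ -n "$bad" ]; then
        printf 'repair before starting:\n%s\n' "$bad" >&2
        return 2
    fi
    return 0
}

# Stand-alone use: preflight.sh ADMIN_ACCOUNT DIR [DIR...]
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Linux ignores the setuid bit on interpreted scripts, so on Linux hosts the dedicated-account and su options are the ones that actually fix the user ID, and a guard like this confirms the result before any files are created.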

SPD Server User IDs

The SPD Server system uses its own layer of access controls that overlay UNIX access permissions. SPD Server processes run in the context of a UNIX user ID, and that user owns all of the resulting SPD Server file resources that are created.
The SPD Server password file allows better access control to SPD Server's data resources than a native UNIX user ID. Many sites do not want to give UNIX accounts to SPD Server system users, but still want protection and ownership of the data resources created in the SPD Server environment. In this case, SPD Server user IDs provide the extra layer of access control.
The SPD Server administrator needs to be familiar with the psmgr utility in SPD Server.
If you do not use SPD Server user IDs, you still need the SPD Server password file. Without the SPD Server password file, the SPD Server host process does not function correctly. To disable the use of SPD Server user IDs at your site, specify the -NOACL option when you start SPD Server.
If you use SPD Server user IDs, add them to the SPD Server password file that was created during installation. The psmgr command reads its commands from stdin so you can pipe commands to it from another command, script, or input file.

LDAP Password Authentication

LDAP authentication causes SPD Server to authenticate an SPD Server user password using LDAP, rather than using the password in the password database. LDAP authentication allows an SPD Server user to have the same user ID and password as their UNIX logon, as long as the UNIX logon meets the SPD Server character restrictions for user IDs and passwords.
You can select the mode of password authentication with server parameters. You can choose between using psmgr or LDAP. Once selected, all authentication is performed using the selected mode. When you use LDAP authentication, an SPD Server user must be entered in the SPD Server password database in order to maintain other information that SPD Server requires, such as a user's groups and access levels.
For more information about SPD Server LDAP authentication, see "SPD Server Password Manager."