Supporting Guest Access

Introduction

Note: For the most current and comprehensive information about guest access, see Configuring Guest Access in SAS Intelligence Platform: Middle-Tier Administration Guide. As a convenience, some information about guest access is provided here.
Guest access is an optional feature that provides anonymous access to a subset of resources and functionality. In guest access, there is no individualized authentication of the requesting user, so there are no requirements for individual user accounts or metadata identities. Instead, all guest users are authenticated as the same service account (the SAS Anonymous Web User). That service account functions as the single surrogate identity for all guest users. All guest users can see what the SAS Anonymous Web User can see, and do what the SAS Anonymous Web User can do.
To provide guest access within an intranet only, place the applications behind a firewall. See Best Practices for Configuring Your Middle Tier in the SAS Intelligence Platform: Middle-Tier Administration Guide.
To use guest access with web authentication, additional middle-tier configuration is required. See Fallback to SAS Form-based Authentication in the SAS Intelligence Platform: Middle-Tier Administration Guide.

Limit Content

Any content that the SAS Anonymous Web User can access is available to all guest users.
CAUTION:
Grants to the SASUSERS and PUBLIC groups can introduce additional content at the guest access URLs.
If your deployment supports guest access, it is important to review access that is granted to the SASUSERS and PUBLIC groups. The SAS Anonymous Web User is an implicit member of those groups, so any content that you make available to those groups is potentially available at the guest access URLs.
Here are some guidelines for managing access:
  • Do not expect user- or group-based access distinctions (such as row-level security) for guests. Guest access provides only generic, lowest-common-denominator access to content.
  • Review the metadata-layer permissions that are granted to the SASUSERS and PUBLIC groups. You can use either of the following approaches to exclude content from guest access:
    • Where access is granted to the SASUSERS or PUBLIC group, add denials for the SAS Anonymous Web User.
    • Replace grants to the SASUSERS or PUBLIC group with grants to the Visual Analytics Users group and the SAS System Services group.
  • Do not revoke the SAS Anonymous Web User’s ReadMetadata access to the /System folder.

Limit Functionality

Guest access functionality corresponds to the capabilities of the SAS Anonymous Web User.
  • For the home page, the property sas.home.allow.anonymous.user.personalization ensures that guest access does not include individualized capabilities.
  • For SAS Visual Analytics, the Visual Analytics: Basic role provides an appropriate set of guest access capabilities. Do not permanently give the Personalization capability to the Visual Analytics: Basic role. Failure to conform to this guideline causes each user’s experience to reflect the activities of the previous user.
CAUTION:
Any capabilities that the SASUSERS or PUBLIC group has can expand guest access functionality. This expansion of functionality can cause unintended results.
If your deployment supports guest access, it is important to review the capabilities of the SASUSERS and PUBLIC groups. The SAS Anonymous Web User is an implicit member of those groups.

Enable or Disable Guest Access

Enable Guest Access

The preferred method for configuring guest access is to make the following choices during installation:
  • Create a SAS Anonymous Web User.
  • Enable guest access for the home page and SAS Visual Analytics.
If you enable guest access during installation, the home page, the web viewer, and transport service (SAS Mobile BI) allow users to connect as the guest user. Users can choose to sign in to those applications as a guest.
Note: For the home page and the web viewer, users can instead explicitly specify a guest access URL. For example:
http://host/SASVisualAnalyticsHub/guest.jsp
For the exact URL, see the file SAS-configuration-directory/Documents/Instructions.html on the middle-tier machine.
If you need to configure guest access as a post-installation task:
  1. If the SAS Anonymous Web User does not already exist in your deployment, create that service identity. See Using the SAS Anonymous Web User with SAS Authentication in the SAS Intelligence Platform: Middle-Tier Administration Guide.
  2. In SAS Management Console’s Configuration Manager, set the property App.AllowGuest to true on the Visual Analytics Hub, Visual Analytics Viewer, and Visual Analytics Transport Service nodes.
  3. Restart the SAS Web Application Server.

Disable Guest Access

To disable guest access for an individual application, set the application’s App.AllowGuest property to false, and restart the SAS Web Application Server.
To disable guest access system-wide, set the property Policy.DisallowGuestAccess to true for Logon Manager.

Customize the Home Page for Guests

Tip
If guest access is enabled, it is a good practice to periodically access the home page as a guest to verify that only the intended resources and functionality are available to guests.
To customize the home page for guests:
  1. Identify the changes that you want to make.
    Tip
    This step helps you minimize the period of time in which another user might sign in as the guest user and inadvertently affect the guest access configuration.
    1. Access the home page as yourself, and familiarize yourself with the available customizations. You can make changes such as the following:
      • Add, remove, or reorganize collections, shortcuts, and links.
      • Change application settings by clicking your name (in the upper right), and then selecting Settings.
      Note: These instructions are for the modern mode. For details or classic mode instructions, see the online Help.
    2. Access the home page as a guest, and examine the current configuration. Notice that if you click SAS Anonymous Web User in the banner, the Settings menu item is not available.
  2. Temporarily enable the SAS Anonymous Web User to modify the home page.
    1. Restart the SAS Web Application Server.
  3. Access the home page as a guest. Notice that if you click SAS Anonymous Web User in the banner, the Settings menu item is available because anonymous user personalization is now enabled.
  4. Make the changes that you identified in step 1.
  5. Set the property sas.home.allow.anonymous.user.personalization to false, and restart the SAS Web Application Server.
  6. Access the home page as a guest.
    1. Verify that the results are as expected.
    2. Verify that you (as the SAS Anonymous Web User) cannot make any further customizations.

Customize the Web Viewer for Guests

To customize the web viewer for guests:
  1. Temporarily add the Personalization capability to the Visual Analytics: Basic role.
    1. Log on to SAS Management Console as someone who has user administration capabilities (for example, sasadm@saspw).
    2. On the Plug-ins tab, select User Manager.
    3. In the right pane, right-click the Visual Analytics: Basic role, and select Properties.
    4. On the Capabilities tab, expand the Visual Analytics node, and select the check box for the Personalization capability. Click OK.
  2. Access the web viewer as a guest.
  3. As soon as your session is established, remove the Personalization capability from the Visual Analytics: Basic role.
    Tip
    Minimizing the period of time in which the Personalization capability is granted to the Visual Analytics: Basic role reduces the risk of another user inadvertently affecting the guest access configuration.
  4. Change web viewer settings for the SAS Anonymous Web User as needed, and then sign out.
  5. Access the web viewer as a guest.
    1. Verify that the results are as expected.
    2. Verify that you (as the SAS Anonymous Web User) cannot make any further customizations.
Last updated: December 18, 2018