Defining User Accounts

Overview of Defining User Accounts

There are two types of user accounts to understand when deploying SAS:
  • Internal user accounts are accounts known only to SAS and are created and authenticated internally in SAS metadata rather than externally.
  • External user accounts are accounts created outside of SAS metadata. These accounts are local to a machine or are defined in a network directory service of which the machine is a member, such as LDAP.
The following sections describe the user accounts that SAS and third-party software require. They help you answer these questions:
  • What are internal and external user accounts?
  • What user rights does each account have and to what groups must each account be assigned?
  • Should I create local or network directory service accounts?
  • What password policies should I enforce?

Controlling User Access to Hosts

SAS Visual Analytics uses passwordless secure shell (SSH) for access to the machines in the analytics cluster. The following list identifies some of the requirements for configuring passwordless SSH to enable access:
  • To reduce the number of operating system (external user) accounts, use the SAS Installer account to run the SAS LASR Analytic Server monitor. Although not required, it is useful to create a SAS First User (sasdemo) account to do a simple validation of your deployment after installation and initial configuration.

Internal User Accounts

SAS identifies internal user accounts by appending a special string to the user ID. This string begins with an at sign (@) and contains saspw (for example, @saspw). For two of the required user accounts, the SAS Administrator and the SAS Trusted User, the SAS Deployment Wizard prompts you by default to create internal user accounts.
The following table shows the default internal user accounts required by SAS. (SAS internal user accounts are authenticated on the SAS Metadata Server.)
SAS Internal User Accounts

| Account | Description | User ID |
|---|---|---|
| SAS Administrator | The user account that has privileges associated with the SAS Metadata Unrestricted Users role. | sasadm@saspw |
| SAS Trusted User | The user account that can impersonate other users on connections to the metadata server. Some SAS processes use this account to communicate with the metadata server on a client's behalf. | sastrust@saspw |
| Search Interface to SAS Content User | The user account that permits access to SAS content that is supplied to SAS Information Retrieval Studio for indexing. | sassearch@saspw |
| SAS Environment Manager Service | The user account that the SAS Environment Manager Server and its agent use to communicate while monitoring the processes in your SAS deployment. This internal user account has unrestricted administrative access rights to the metadata server. For more information, see SAS Environment Manager: User’s Guide. | sasevs@saspw |
| SAS Anonymous Web User | An optional user account that is used to grant web clients access to applicable SAS Web Infrastructure Platform components. When web clients request access to web services, they are not prompted for credentials. Instead, they are granted access under this user account. | webanon@saspw |

In the following table are additional internal user accounts:
Additional SAS Internal User Accounts

| Account | Description | User ID |
|---|---|---|
| dbmsowner | User ID and password for accessing the SAS Web Infrastructure Platform Data Server. This is the owner of all databases. | dbmsowner |
| SharedServices | User ID and password for accessing the SharedServices database used by the SAS Web Infrastructure Platform. | SharedServices |
| adminowner | User ID and password for accessing the Administration database used by the SAS Environment Manager. | adminowner |
| sasevdb | User ID and password for the Environment Manager Enablement Kit Database. | sasevdb |
| EVManager | User ID and password for accessing the EVManager database used by the SAS Environment Manager. | EVManager |
| vatadm | User ID and password for accessing the database used with SAS Visual Analytics Services. | vatadm |
| vdbadm | User ID and password for accessing the database used with SAS Visual Data Builder. | vdbadm |

For more information about SAS internal user accounts and their purposes, see Understanding the State of Your System in SAS Intelligence Platform: System Administration Guide.
Here are some benefits of internal user accounts:
  • less maintenance
    The account is defined only once in SAS. You do not define this account externally using the authentication provider.
  • isolation from the host machine security policy
    The SAS Administrator and the SAS Trusted User credentials are referenced in many locations within SAS. For example, forcing a recurring password change (a common security policy) might make unnecessary work for the person administering SAS.
  • independence from IT
    You can create additional SAS unrestricted user and administrative user accounts for metadata management without involvement from your IT department.
  • reduced “headless” external user accounts
    The SAS Trusted User is an account used for SAS inter-process communication. It will not be mistaken for a human user.
  • minimal security exposure to your enterprise
    The SAS Administrator and the SAS Trusted User are highly privileged accounts and only provide access to SAS—not to operating system resources.

Required External User Accounts for SAS

SAS requires certain external user accounts for two purposes: installing and running certain SAS server processes.
During installation and configuration, the SAS Deployment Wizard must run under an external user account with the necessary privileges on the target machine to write SAS program and log files. To run servers such as the SAS Stored Process Server and the SAS Pooled Workspace Server, SAS requires an external user account to be the server process owner. For more information about SAS external user accounts and their purposes, see About the Initial User Accounts in SAS Intelligence Platform: System Administration Guide.
Although it is not required, you might find it useful to create a SAS First User account. You can use this account to test a typical user’s ability to access various SAS applications and to validate your deployment. (A SAS First User account is sometimes referred to as the sasdemo account.) The SAS Deployment Wizard asks you if you want to create a SAS First User account in SAS metadata, and you must have an external operating system account available for this purpose. After the wizard finishes, remember that you must add this SAS user to the Visual Analytics Data Administrators Group. For more information, see Create SAS Users and Groups.
As you set up external user accounts, remember to use different external accounts for the SAS First User and the SAS Spawned Servers accounts. Otherwise, your configuration will generate errors and the SAS Pooled Workspace Server will not be functional.
As you create these external user accounts, record information about them in the Pre-installation Checklist for External User Accounts for SAS Visual Analytics. You will need this information when you run the SAS Deployment Wizard later.
The following table shows the external user accounts required by SAS, the recommended user ID, and the machines on which they are authenticated.
Required SAS External User Accounts

| Account | Description | Recommended User ID | Machine Where Authenticated |
|---|---|---|---|
| SAS Installer | This user account installs SAS and starts the SAS LASR Analytic Server monitor. | sas | Every machine |
| SAS Hadoop User | This user account starts Hadoop on the machines in the cluster. (This user account is created by the SAS Visual Analytics Hadoop configuration script—the hdpsetup command.) | hadoop | |
| SAS Spawned Servers | This user account is the process owner for SAS Stored Process Servers and SAS Pooled Workspace Servers. | sassrv | SAS Stored Process Server, SAS Pooled Workspace Server |

Note:
  • For information about the user rights that each external account requires, see Rights Required by SAS External User Accounts.
  • The SAS Installer generally overrides the default configuration directory with the site’s preferred location (for example, /opt/sas/config). The SAS Installer must have Write permission on this path.
  • Do not use root for the SAS Installer user ID.
Tip
To understand the user accounts required by the SAS analytics cluster, see “Preparing Your System to Deploy the SAS High-Performance Analytics Infrastructure” in the SAS High-Performance Analytics Infrastructure: Installation and Configuration Guide.

Rights Required by SAS External User Accounts

Operating systems require that you assign certain rights to the external user accounts used to deploy and to run SAS.
The following table describes the user rights required:
Rights Required by External User Accounts for SAS

| External User Account | User Rights Needed |
|---|---|
| SAS Installer | The group that you designate as the primary group for the SAS Installer must contain the SAS Spawned Servers account. |
| SAS Spawned Servers | Member of a group that is the primary group for the SAS Installer. (This group does not have to be the primary group for the SAS Spawned Servers account.) |
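
The account rules above (installer is not root, the installer's primary group contains the spawned-servers account, the SAS First User and SAS Spawned Servers accounts are distinct, the installer can write to the configuration directory) can be verified before running the SAS Deployment Wizard. The following script is an added example, not part of the SAS documentation; the function names are hypothetical, and the account names and path in the usage comment are the recommended IDs and example path from this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for the external accounts described above.
# Assumes a POSIX shell and id(1); group names are assumed to contain no spaces.

# Succeeds when group name $1 appears in the space-separated list $2.
group_in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Succeeds when account $1 exists and is not UID 0. Returns 2 if it is missing.
check_not_root() {
    uid=$(id -u "$1" 2>/dev/null) || return 2
    [ "$uid" -ne 0 ]
}

# Succeeds when the primary group of installer $1 is one of the groups of
# spawned-servers account $2. Returns 2 if either account is missing.
check_group_rule() {
    primary=$(id -gn "$1" 2>/dev/null) || return 2
    members=$(id -Gn "$2" 2>/dev/null) || return 2
    group_in_list "$primary" "$members"
}

# Succeeds when $1 and $2 resolve to different UIDs, so two names that alias
# the same account are rejected. Returns 2 if either account is missing.
check_distinct() {
    a=$(id -u "$1" 2>/dev/null) || return 2
    b=$(id -u "$2" 2>/dev/null) || return 2
    [ "$a" -ne "$b" ]
}

# Usage: preflight INSTALLER SPAWNED FIRSTUSER CONFIGDIR
# Run it as the installer account: the write test applies to the invoking user.
preflight() {
    rc=0
    check_not_root "$1" || { echo "FAIL: $1 is missing or is root"; rc=1; }
    check_group_rule "$1" "$2" || { echo "FAIL: $2 not in primary group of $1"; rc=1; }
    check_distinct "$2" "$3" || { echo "FAIL: $2 and $3 are missing or share a UID"; rc=1; }
    { [ -d "$4" ] && [ -w "$4" ]; } || { echo "FAIL: $4 not writable by $(id -un)"; rc=1; }
    return "$rc"
}

# Example with the page's recommended IDs and example path:
#   preflight sas sassrv sasdemo /opt/sas/config
```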

Password Policies

Note: This section addresses the passwords for the external user accounts that SAS requires, not the passwords for regular users of the system.
When you set up passwords for your SAS external user accounts, we highly recommend that you do not require these passwords to be reset when a user first logs on. If you must create passwords that have to be reset, log on using each account and change the password before you install and configure your software. You will also need to know the changed password for each account.
By default, passwords for internal user accounts are set not to expire. When passwords for user accounts change, you must use SAS Deployment Manager to update a set of configuration files and some metadata objects. SAS provides instructions for updating these files and metadata objects.
For more information, see Update a Managed Password in SAS Intelligence Platform: Security Administration Guide.

Pre-installation Checklist for External User Accounts for SAS Visual Analytics

Use the following pre-installation checklist to create the necessary external user accounts to deploy and run SAS Visual Analytics.
Note: This checklist is superseded by a more complete and up-to-date checklist that can be found at http://support.sas.com/installcenter/plans. This website also contains a corresponding deployment plan and an architectural diagram.
Pre-installation Checklist for External User Accounts for SAS Visual Analytics

| Account | Recommended User ID | Actual User ID You Are Using |
|---|---|---|
| SAS Installer | sas | |
| SAS Spawned Servers | sassrv | |

CAUTION:
Do not use root as the installer account.
Note these important items:
  • During deployment, the SAS Installer user must have Write permission to /etc/opt/vmware in order to configure VMware license files on all SAS middle tier machines.
  • For information about the user rights that each external account requires, see Rights Required by SAS External User Accounts.
  • The SAS Deployment Wizard prompts you for SAS Installer account and SAS Spawned Servers account information. You cannot complete the installation without providing it.
  • Prior to configuration, the SAS Deployment Wizard prompts you for the root (or sudo) password. Certain SAS products and features use functionality that requires SAS to check user ID authentication and file access authorization. This, in turn, necessitates that certain files within your SAS installation have setuid permissions and be owned by root.
  • If your system uses an authentication method other than /etc/passwd or /etc/shadow, then you must configure authentication before you begin your SAS software deployment or SAS Visual Analytics will not function properly. For more information, see the Configuration Guide for SAS 9.4 Foundation for UNIX Environments.
Last updated: August 1, 2017