Managing Console Users and Groups

Understanding Console Users and Groups

An important concept to understand is that the SAS High-Performance Computing Management Console manages two types of users and groups. The first type is console users and groups, which provide access control for the user accounts that can use the SAS High-Performance Computing Management Console. The second type is operating system users and groups, which the console also helps to manage. For information about managing operating system users and groups with the console, see Managing Users and Groups.
The following display shows the interface for managing console users and groups. The links for creating new console users and new console groups are highlighted.
Console Users and Groups Management

Create a Console User

Be aware that a console user is not the same as a user that is created in the HPC Management section of the console. Console users are created strictly for using the console. The Users and Groups module in the HPC Management section manages the operating system users and groups.
Tip
If the site security policy does not permit logging on the console with the root account to create the first console user, see Creating a Console User from the Command Line.
To create a console user:
  1. Click Console Management from the toolbar.
  2. Click Console Users and Groups.
  3. Click Create a new console user.
    The following display shows the Create console user screen.
    Create Console User
    The following table describes the additional fields on the Create console user screen. They become available after clicking Security and limits options or Available console modules.
    Create Console User Field Descriptions
    Field | Description
    --- | ---
    Username | Specify the user account.
    Member of group | Use the menu to select a group.
    Password | Specify the password for the console user. The menu offers the following choices: Set to (sets the password to the value entered into the text field); UNIX authentication (passes the authentication request to the operating system; this is the most commonly used choice); No password accepted (locks the user out of the system).
    Real name | (Optional) Specify an alternative description for the console user.
  4. Click Create.
The following table describes the additional options for creating a user.
Create Console User Options
Field | Description
--- | ---
Inactivity logout time | Specify an inactivity time-out. The default is no time-out.
Minimum password length | Specify the minimum number of characters for the user's password. The default is no minimum length.
IP access control | Select the option that meets the security requirements for the environment. If Deny from listed addresses is selected, then be aware that the console user can log on from any IP address that is not listed. The default value is Allow from all addresses.
Allowed days of the week | Specify the days of the week that the console user is permitted to log on. The default value is Every day.
Allowed times of the day | Specify the range of hours that the console user can log on. The default value is Any time.
Console Configuration | Select this check box to enable the console user to configure console settings such as the user interface, network settings, and console logging.
Console Users and Groups | Select this check box to enable the console user to configure console users and groups. A best practice is to limit access to this feature. For more information, see Best Practices for Managing Console Users and Groups.
Console Logs | Select this check box to enable the console user to view and search the console logs. The console logs contain information about the actions performed with the console.
Active Queries and Connections | Select this check box to enable the console user to view and terminate database queries and connections. Note: This option is available for environments that are configured to manage Greenplum Database deployments only.
Gridhosts File Management | Select this check box to enable the console user to modify the /etc/gridhosts file. This file is used to identify the machines in the HPC environment and is very important to the operation of SAS High-Performance Analytics software and the console itself.
Users and Groups | Select this check box to enable the console user to manage the operating system user accounts in the HPC environment.
SSH Lockout | Select this check box to enable the console user to use the SSH lockout feature.
Temporary Table Maintenance | Select this check box to enable the console user to view and drop temporary database tables. Note: This option is available for environments that are configured to manage Greenplum Database deployments only.
Check boxes that are marked with an 'x' identify features that are enabled through group membership.

Creating a Console User from the Command Line

The root user account has access to log on to the console as soon as the console is installed and started. Typically, the root user account logs on to the console and creates a console administrator account that is then used to perform the administrative tasks. However, the security policy at some sites might not permit sharing the password for the root user account. In these environments, it is possible to add a console user from the command line if you have permission to use the sudo command. The files to modify are owned by root and only the root user account can restart a service. The console user to add must have a user account on the system.
To add a console user from the command line:
  1. Use the sudo command to edit the miniserv.users file:
    sudo vi /opt/webmin/etc/miniserv.users
  2. Add a line that is similar to the following example:
    username:x:0:::::::0:0
    Save and close the file.
  3. Use the sudo command to edit the webmin.acl file:
    sudo vi /opt/webmin/etc/webmin.acl
  4. Add a line that is similar to the following example:
    username: webmin webminlog init cron inittab proc acl 
    webmincron net initsetup system-status useradmin tmptblmaint 
    theme-xpstyle mscstyle3 actpsgqrys sshlock gridhosts
    Note: Enter this all on one line. It is split onto more than one line for display purposes only.
    Save and close the file.
  5. Restart the SAS High-Performance Computing Management Console:
    sudo service sashpcmc restart
  6. Log on to the console with the user name.

Create a Console Group

To create a console group:
  1. Click Console Management from the toolbar.
  2. Click Console Users and Groups.
  3. Click Create a new console group.
    The following display shows the Create Console Group screen.
    Create Console Group
    The following table describes the fields on the Create Console Group screen.
    Create Console Group Field Descriptions
    Field | Description
    --- | ---
    Group name | Specifies the console group name.
    Group description | Specifies a description for the console group.
    Member of users and groups | When a console group that has members is edited, this field lists the members of the group.
    Console Configuration | Select this check box to enable the members of the group to configure console settings such as the user interface, network settings, and console logging.
    Console Users and Groups | Select this check box to enable members of the group to configure console users and groups. A best practice is to limit access to this feature. For more information, see Best Practices for Managing Console Users and Groups.
    Console Logs | Select this check box to enable members of the group to view and search the console logs. The console logs contain information about the actions performed with the console.
    Active Queries and Connections | Select this check box to enable members of the group to view and terminate database queries and connections. Note: This option is available for environments that are configured to manage Greenplum Database deployments only.
    Gridhosts File Management | Select this check box to enable members of the group to modify the /etc/gridhosts file. This file is used to identify the machines in the HPC environment and is very important to the operation of SAS High-Performance Analytics software and the console itself.
    Users and Groups | Select this check box to enable members of the group to manage the operating system user accounts in the HPC environment.
    SSH Lockout | Select this check box to enable members of the group to use the SSH lockout feature.
    Temporary Table Maintenance | Select this check box to enable members of the group to view and drop temporary database tables. Note: This option is available for environments that are configured to manage Greenplum Database deployments only.
  4. Click Create.

Best Practices for Managing Console Users and Groups

Console groups can be used to grant identical access rights to groups of users that share the same administration responsibilities. The Console Users and Groups module enables an administrator to manage the access permissions for console users. Limit access to this module because a user who has it can change their own access permissions and weaken the security of the SAS High-Performance Computing Management Console.
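
The following read-only check is an added example, not part of the SAS documentation or product. It reviews the two files edited in Creating a Console User from the Command Line against the best practice above: it lists which console users hold a given module, counts ACL lines left without a user name when an entry is typed on several lines, and finds ACL entries that have no logon entry. The sample files and user names are constructed; reading the acl and gridhosts module names from the example line as the Console Users and Groups and Gridhosts File Management modules is an assumption.

```shell
#!/bin/sh
# Added example (not SAS code): audit the files edited in the command-line procedure.
# Assumption: "acl" and "gridhosts" map to Console Users and Groups / Gridhosts File Management.

# Print, sorted on one line, the users whose webmin.acl entry ($1) grants module $2.
users_with_module() {
    awk -F: -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF >= 2 {
            n = split($2, mods, " ")            # module names are space-separated
            for (i = 1; i <= n; i++) if (mods[i] == want) { print $1; break }
        }' "$1" | sort | paste -sd' ' -
}

# Count non-blank lines with no "username:" prefix: the symptom of an ACL entry
# that was entered on several lines instead of one.
orphan_acl_lines() {
    awk -F: '/^[ \t]*(#|$)/ { next } NF < 2 { c++ } END { print c + 0 }' "$1"
}

# Print users that have ACL rights ($1) but no logon entry in miniserv.users ($2).
acl_without_login() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        FNR == NR { login[$1] = 1; next }       # first file read: miniserv.users
        NF >= 2 && !($1 in login) { print $1 }' "$2" "$1" | sort | paste -sd' ' -
}

# Constructed sample files (user names are made up for this example).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/miniserv.users" <<'EOF'
root:x:0:::::::0:0
hpcadmin:x:0:::::::0:0
operator1:x:0:::::::0:0
EOF
cat > "$SAMPLE/webmin.acl" <<'EOF'
root: webmin webminlog acl useradmin sshlock gridhosts
hpcadmin: webmin webminlog init cron inittab proc acl
webmincron net initsetup system-status useradmin
operator1: webminlog system-status
auditor: webminlog
EOF

echo "can manage console users: $(users_with_module "$SAMPLE/webmin.acl" acl)"
echo "can edit /etc/gridhosts:  $(users_with_module "$SAMPLE/webmin.acl" gridhosts)"
echo "orphan ACL lines:         $(orphan_acl_lines "$SAMPLE/webmin.acl")"
echo "ACL but no logon entry:   $(acl_without_login "$SAMPLE/webmin.acl" "$SAMPLE/miniserv.users")"
```

In the constructed sample, the modules on the orphan line were meant for hpcadmin but are not attached to any user, which is why the note in the procedure says to enter the entry on one line.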