What's New
Overview
New and enhanced features in the following areas increase security and manageability:
roles and permissions
authentication and user management
auditing, reporting, and encryption
documentation
Roles and Permissions
Expanded support for roles enables you to easily customize the user interface in applications including SAS Web Report Studio, SAS Enterprise Guide, the SAS Add-In for Microsoft Office, and SAS Management Console.
New administrative roles enable you to manage unrestricted access to metadata, user administration capabilities, the ability to operate the metadata server, and the visibility of plug-ins in SAS Management Console.
The authorization interface always displays effective permissions (a calculation of the net effect of all applicable metadata layer permission settings).
All applications share a single folder tree. Access control inheritance for most items flows through that tree. Inheritance can cross repository boundaries. Each schema, cube, library, and table inherits permissions from only its parent folder. These inheritance paths are discontinued:
application server → OLAP schema → cube
application server → library → table
DBMS server → DBMS schema → DBMS table
A new permission, WriteMemberMetadata, enables you to separate the ability to interact with items in a particular folder from the ability to make changes to the folder itself.
When you define member-level access to OLAP data, you can use a graphical query-builder to build the permission conditions.
The SAS.IdentityGroups identity-driven property enables you to make row-level or member-level distinctions based on metadata group memberships.
In BI row-level permissions, an empty string is substituted into the query for an identity who has no value for the identity-driven property that is in use. Previously, a missing value caused the query to fail.
You can set permissions from within SAS OLAP Cube Studio, SAS Data Integration Studio, SAS Management Console, and SAS Information Map Studio.
A new Advanced button on each item's Authorization tab enables unrestricted users to trace the item's inheritance and look up the permissions that any identity has to the item.
DATA step functions enable you to programmatically define (and query) metadata layer authorization settings. See the SAS Language Interfaces to Metadata.
Authentication and User Management
Users who are logged on to their Windows desktop can seamlessly launch SAS desktop clients (if the metadata server runs on Windows). This feature, Integrated Windows authentication, is particularly useful for sites that use smart cards, biometrics, or other forms of multi-factor authentication.
Users who have authenticated to the metadata server access most SAS servers seamlessly. SAS token authentication causes the OLAP server, the table server, the stored process server, and, in some configurations, the workspace server to accept users who have authenticated to the metadata server.
You don't have to create external accounts for SAS internal purposes. Instead, you can use internal accounts that exist only in the metadata. It is appropriate to use internal accounts for administrators and some service identities.
For greater security, you can limit use of trusted peer connections.
Membership in a new user administration role enables you to manage most users, groups, and roles. You can still use permissions to delegate administration of an existing identity.
If you have user administration capabilities, you can directly manage authentication domains from the User Manager and Server Manager plug-ins in SAS Management Console.
Regular users can't change their own user definitions. Regular users can still manage their own personal logins.
If a user's group memberships make more than one login available in an authentication domain, the highest priority login is used. Priority is determined by identity precedence. This is an aspect of credential management.
You can use logins on the PUBLIC and SASUSERS groups. This enables you to provide single sign-on to a third-party server using one account that is shared by all users. This is an aspect of credential management.
You can add, modify, and remove external identity values for users, groups, and roles in SAS Management Console. These values support the identity synchronization process.
You can give each user, group, and role a display name. For an identity that doesn't have a display name, the name serves as the display name.
You can use the OMA_SASSEC_LOCAL_PW_SAVE option in the metadata server's omaconfig.xml file to control whether the "Save user ID and password in this profile" check box is available to users. This is an aspect of password management.
You can load identity information into the metadata in blocks by using the MDUIMPLB and MDUCHGLB macros. This is a performance enhancement to the user import process. The corresponding macros from the previous release (MDUIMPL and MDUCHGL) are still supported.
You don't have to give users the Windows privilege "Log on as a batch job" unless they access a standard workspace server using credential-based host authentication.
Auditing, Reporting, and Encryption
You can use system-wide logging features to audit security events.
You can use the MDSECDS macro to create authorization data sets for security reporting purposes.
Configuring encryption of data in transit among SAS clients and servers is no longer a post-installation task. You select an over-the-wire encryption level (what gets encrypted in transit) and algorithm (what type of encryption or encoding is used) during installation.
By default, passwords in the metadata are encrypted using an industry-standard algorithm (AES fixed key). If you don't have SAS/SECURE, SASProprietary encoding is used instead.
By default, the PWENCODE procedure uses SASProprietary encoding (sas002). If you have SAS/SECURE, you can choose to use AES encryption (sas003) instead.
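As an added example (not from this document), the following program encodes a password once with METHOD=SAS003 and lets later jobs use the encoded string instead of cleartext. It assumes SAS/SECURE is licensed (required for SAS003); the file path, user ID, and Oracle PATH= value are placeholders.

```sas
/* Added example, not from the What's New page. Assumes SAS/SECURE is
   licensed (needed for METHOD=SAS003). Path, user ID and PATH= are
   placeholders; the library type (Oracle) is an assumption. */
filename pwfile '/secure/path/sales_pw.txt';   /* placeholder path */

/* Encode once, interactively, and keep only the encoded form on disk.
   Without METHOD=, PROC PWENCODE defaults to SAS002 (SASProprietary). */
proc pwencode in='placeholder-password' out=pwfile method=sas003;
run;

/* Later jobs read the stored {sas003}... string instead of cleartext.
   TRUNCOVER keeps a short record from triggering a read of the next line. */
data _null_;
   infile pwfile truncover;
   input encpw $256.;
   call symputx('encpw', encpw);
run;

/* SAS recognizes the {sas003} prefix and decodes it internally, so the
   cleartext never appears in the program or the log. Encoding is
   reversible, so the file must be readable only by the job's account. */
libname sales oracle user=sales_app password="&encpw" path=orcl;
```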
Documentation Enhancements
This document has been reorganized and rewritten for this release.
A new document, SAS Management Console: Guide to Users and Permissions, provides step-by-step instructions for performing selected tasks in SAS Management Console.
SAS Intelligence Platform: Web Application Administration Guide documents security features of the SAS Content Server.
Copyright © 2008 by SAS Institute Inc., Cary, NC, USA. All rights reserved.