What's New in Security Administration in SAS 9.3

Overview

New and enhanced features in the following areas increase security and manageability:
  • auditing
  • authentication
  • authorization
  • encryption
  • user administration
  • documentation

Auditing

  • You can create audit records for additions, deletions, and updates to public objects (in the Audit.Meta.Updates.PublicObjects category).
  • You can create audit records for additions, deletions, and updates to a user's contact information and external identity value (in the Audit.Meta.Security.UserAdm category.

Authentication

  • In Integrated Windows authentication (IWA), support is extended to include servers on UNIX. You can use IWA from Windows desktop clients to servers on Windows and UNIX.
  • In Integrated Windows authentication, the default service principal name (SPN) no longer includes a port value. The format is SAS/machine, where machine is the host machine’s fully qualified domain name. For example, SAS/A12345.company.com.
  • User IDs that include unrecognized @domain qualifiers are sent to the -primpd provider, if that option is specified. Previously, such IDs were sent to the host, regardless of whether -primpd was specified. The -primpd option is a SAS system option (PRIMARYPROVIDERDOMAIN). This minor change affects specialized configurations in which the metadata server directly uses LDAP as an authentication provider.
  • User IDs that include down-level domain qualifiers are examined to determine whether SAS recognizes the qualifier as an -authpd domain. If the qualifier is recognized, the submitted credentials are sent to the associated provider. Previously, such IDs were automatically sent to the host (or to the -primpd provider, if that option is specified). The -authpd option is a SAS system option (AUTHPROVIDERDOMAIN). This minor change affects specialized configurations in which the metadata server directly uses LDAP as an authentication provider. In such configurations, users can successfully log on even if they submit their user IDs in down-level format. For example, if -authpd ADIR:USA is specified in the metadata server start command, someone who logs on as USA\joe is now authenticated directly against Active Directory, regardless of whether -primpd is set.
  • In the initial configuration for a new deployment, the SAS Stored Process Web Application doesn’t accept PUBLIC-only users.

Authorization

  • You can use a new type of public object, the OLAP shared dimension, to help centralize access control. You define and secure a shared dimension once, and then include it in multiple cubes. Each shared dimension inherits effective permissions from its parent folder (not from the cubes that include it).
  • In metadata promotion, you can import and export access control templates (ACTs).
  • In SAS Management Console, you can find ACTs by searching or by navigating on the Folders tab.
  • In authorization reporting, if you use the MEMBERTYPES option and don't specify to include folders, folders are not included.
  • In authorization reporting, new options enable you to specify whether to include columns (when a table is returned) and cube components (when a cube is returned).
  • In the authorization display for a SAS Application Server, the CheckInMetadata permission is listed. This helps to clarify the ability of change-managed users to associate objects (such as library definitions) to the server. Change management is an optional feature that is supported for only SAS Data Integration Studio. See the SAS Intelligence Platform: Desktop Application Adminstration Guide, Third Edition.

Encryption

  • In direct LDAP authentication, you can use LDAPS for direct connections between the metadata server and the LDAP server. This new feature is applicable in a specialized configuration in which the metadata server directly uses LDAP as an authentication provider.
  • In Secure Sockets Layer (SSL) configuration, you can exchange OpenSSL libraries.
  • If you have SAS/SECURE, you can use SHA-256 hashing for SAS internal account passwords that are stored in the SAS metadata. New deployments that include SAS/SECURE use SHA-256 by default. A new metadata server option enables you to alter the default.
  • If you have SAS/SECURE, you can force it to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 specification. This feature can be enabled during installation, and is configured through a new SAS system option (ENCRYPTFIPS).

User Administration

  • In interfaces such as SAS Management Console and SAS Personal Login Manager, when you connect to a 9.3 metadata server, the Logins table displays a blank cell if no password is stored. When you connect to a 9.2 metadata server, empty password values are still displayed as eight asterisks.
  • In metadata promotion, you can import and export users, groups, roles, and authentication domains.
  • In SAS Management Console, you can find users, groups, and roles by searching or by navigating on the Folders tab.
  • In user bulk load and synchronization, the Active Directory sample code includes a check to prevent a synchronization that would delete all identities.

Documentation Changes

  • Documentation for OLAP member-level permissions is exclusively in SAS OLAP Server: User's Guide.
  • Documentation for BI row-level permissions has moved to a new guide, SAS Guide to BI Row-Level Permissions.