Usage Note 60428: Associating a client user ID with SAS® Workspace Server logs when using Token Authentication
When you configure your SAS Workspace Server to use Token Authentication, it is generally not possible to associate a specific SAS Workspace Server log file or session with the real end-user ID.
When Token Authentication is used, all users authenticate to the SAS® Metadata Server using their own credentials, but the SAS Workspace Server sessions are launched by the token user that is specified as the Multi-User Credentials. As a result, all of the workspace server logs and all files created by any of the SAS Workspace Server sessions are owned by this one user. This leads to a loss of accountability for the end users.
In order to restore some accountability, it is possible to link the end-user identity to the SAS Workspace Server log by performing the following steps.
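- Modify the SASApp/WorkspaceServer/WorkspaceServer_usermods.sh script to add the following:
    # Create today's user-mapping file if it does not exist yet
    date=`date +%Y%m%d`
    if [ ! -f "/tmp/users_$date.log" ]
    then
        touch "/tmp/users_$date.log"
        # World-writable so that any session can append its record
        chmod 666 "/tmp/users_$date.log"
    fi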
This checks whether the file /tmp/users_<date>.log exists, creates it if it does not, and then sets the permissions to make the file world-writable.
- Modify the SASApp/WorkspaceServer/autoexec_usermods.sas file and add lines comparable to the following:
    /* Build today's date as yyyymmdd to match the file created by the .sh script */
    data _null_ ;
    now=date() ;
    put now= b8601da. ;
    call symput("mydate", strip(put(now,b8601da10.))) ;
    run ;
    /* Open the daily file in append mode */
    filename whois "/tmp/users_&mydate..log" mod ;
    /* Write one record: timestamp, metadata user (text before "@"), session PID */
    data _null_ ;
    file whois ;
    user=substr(sysget('METAUSER'),1, index(sysget('METAUSER'),"@")-1) ;
    datet=datetime() ;
    put datet E8601DT. +1 user +1 "&sysjobid";
    run ;
This code writes records to the file /tmp/users_<date>.log formatted as:
2017-05-01T15:47:15 sasdemo 31533
The above shows the current date and time, the client user ID, and the process ID (PID) of the SAS Workspace Server session. In this case, the client user ID is the user's metadata identity, not the common account used to launch the SAS Workspace Server.
The default format for the naming of the SAS Workspace Server session logs is SASApp_WorkspaceServer_<date>_<hostname>_<PID>.log, which enables matching the log file by the PID to the records written to the /tmp/users_<date>.log file.
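The PID lookup described above can be scripted. The following shell function is an added example, not part of the original SAS note; the optional directory argument, the host name and the sample records are constructed, and it assumes the <date> in the log name is written as yyyy-mm-dd or yyyymmdd.

```shell
#!/bin/sh
# Added example: map a workspace server log file name to the client user
# recorded in users_<date>.log. Sample data below is constructed.

# whois_log LOGFILE [USERS_DIR]  ->  prints "timestamp user" per matching record
whois_log() {
    name=`basename "$1"`
    dir=${2:-/tmp}
    # Name: SASApp_WorkspaceServer_<date>_<hostname>_<PID>.log
    # The hostname may contain "_", so read the PID from the end of the name.
    pid=`echo "$name" | sed -n 's/.*_\([0-9][0-9]*\)\.log$/\1/p'`
    # Assumption: <date> is yyyy-mm-dd or yyyymmdd; dashes are dropped to
    # match the yyyymmdd suffix of the users file.
    day=`echo "$name" | cut -d_ -f3 | tr -d '-'`
    [ -n "$pid" ] && [ -r "$dir/users_$day.log" ] || return 2
    # Compare the whole PID field (a substring match would confuse 3153 with
    # 31533). A PID can be reused within one day, so every matching record is
    # printed; pick the one whose time matches the start of the log.
    awk -v pid="$pid" '$NF == pid { print $1, $2; n++ } END { exit (n == 0) }' \
        "$dir/users_$day.log"
}

# Demonstration on constructed records (not from a real system)
demo() {
    d=`mktemp -d`
    cat > "$d/users_20170501.log" <<'EOF'
2017-05-01T09:02:11 sasadm 31533
2017-05-01T15:47:15 sasdemo 31533
2017-05-01T15:49:40 jsmith 3153
EOF
    whois_log "SASApp_WorkspaceServer_2017-05-01_sas_host01_31533.log" "$d"
    rm -rf "$d"
}
demo
```

The function returns 1 when no record carries the PID and 2 when the PID cannot be parsed or the users file for that day is not readable.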
Operating System and Release Information
SAS System | N/A
- 64-bit Enabled AIX
- 64-bit Enabled HP-UX
- 64-bit Enabled Solaris
- ABI+ for Intel Architecture
- AIX
- HP-UX
- HP-UX IPF
- IRIX
- Linux
- Linux for x64
- Linux on Itanium
- OpenVMS Alpha
- OpenVMS on HP Integrity
- Solaris
- Solaris for x64
- Tru64 UNIX
This note provides details on how to associate end-user identity with SAS Workspace Server session logs when using Token Authentication.
Date Modified: 2017-05-10 11:52:17
Date Created: 2017-05-08 11:38:40