In order to set up a publish and subscribe solution using
SAS Integration Technologies, you can follow these
steps to help you plan and implement your solution.
The following is a list of tasks that are required to set up a publish
and subscribe system using Integration Technologies:
- Design information channels
Designing a successful publish and subscribe implementation
starts with an understanding of why your organization is implementing
the system. You will need to know, at a very basic level,
what kind of information needs to be distributed to users and how widely that
information needs to be distributed.
For example, you could start the planning process by understanding that
your organization needs to disseminate sales information
throughout the marketing organization and inventory data to the production
organization.
Starting with this base level of knowledge, you begin
the process of breaking down the general categories of
information into specific information channels by using a hierarchical model.
How you divide and subset the categories
depends on your organization's needs, but you should work toward
creating information channels as tightly focused as possible, without
making them too tightly focused to be useful. Channels that are broadly defined
leave users not knowing whether information delivered over the
channel will be useful to them; channels that are too narrowly defined
force users to subscribe to a long list of channels in order to ensure that
they receive the information that they need.
To help focus the information that users receive, set up
policies for name/value keywords. Name/value pairs are attributes that
are specified when a package is published and that help to identify
the package contents. Each subscriber definition can include a name/value filter
that only allows packages that meet the subscriber's needs to be delivered.
For example, if you publish a package with a
name/value attribute of market=(Mexico)
, that package
is only seen by those subscribers whose name/value filter
indicates that they are interested in information about the Mexican
market. Although the names and associated values can be anything that your organization
finds useful, you must establish a list of acceptable keywords and
values for those keywords. This list is essential for publishers to
be able to provide consistent metadata that identifies published content and
for subscribers to be able to filter published content in
order to focus on the information they need.
When you define your information channels, you must also
consider the users that will be accessing those channels as well
as any restrictions that need to be placed on the channels.
Although these aspects of planning are discussed separately and
in more detail in the following two topics, in practice they are
examined at the same time as you are defining your channels.
You cannot define an information channel without first
knowing who needs to see the information and how that
information should be restricted.
- Identify initial subscriptions
When you plan an initial set of information channels, you must
identify the users, groups, and applications that are initially subscribed
to those channels.
The information to set up these subscriptions is taken from the
information you collected when you planned the channels. An understanding of
your organization's need for a publish and subscribe system must include
not only what information needs to be published, but also who needs to
see that information.
However, you do not have to determine every piece of information
that every individual needs to see. Rather, the process of
planning initial subscriptions focuses on wider distributions of
information, such as identifying the essential information that
departments and groups of users need. How closely you
follow this guideline depends on your organization's needs - there
might be a few critical users who need to receive specific
information, and there might be a need to subscribe a group of users to
a tightly focused channel. In general, however, the initial subscriptions
that you plan cater to distributing essential information to the
largest number of users. Subscribers can set up subscriptions
to tightly focused channels themselves as the need arises.
After you have determined the list of initial subscribers for each channel, you
must determine how the information is to be distributed to each
user (whether by text e-mail, HTML e-mail, or through a queue) and identify
their address information. The address information is
essential for setting up both subscriber entries and the LDAP directory.
- Analyze information security requirements
When you plan information channels you must also
consider security for your publish and
subscribe implementation in order to ensure that the information
that is published on each planned channel is uniformly sensitive.
For example, if you plan for a single channel to distribute accounting information
throughout your organization, you will encounter a security problem
when the accounting department needs to publish sensitive information
(such as employee salaries). With only a single, unrestricted channel,
you cannot publish the information to a specific set of
users. In your consultations with users, you must identify information
channels whose access needs to be controlled.
Your plan must address both methods that
Integration Technologies uses to implement security - authentication
and access control.
Authentication security involves the process of users connecting to the
LDAP server. Because the LDAP server contains all of the definitions
for Integration Technologies objects (including subscribers, channels, and
servers), a user must be able to connect to the LDAP directory in order
to make any changes to the LDAP definitions.
This level of security is controlled when users supply a
distinguished name and corresponding password when they connect to
the directory.
Access control security controls the information channels that users
have access to. Without any security, users are able to subscribe to
any information channel in your organization and access sensitive
information.
To prevent this, you must to create access control lists (ACLs)
in the LDAP directory in order to specify what definitions and attributes users
have access to.
To plan for implementing access control security, you must
consider what kinds of users access the directory and
what kinds of information they should have access to. As an example,
the following are some possible user classes and questions you must
consider for each one:
- General subscriber
- Should subscribers be able to change their
own password? Should they be able to change their own subscriptions? Should
there be channels that not all subscribers are allowed to subscribe to?
- Management-level user
- Should someone at management level be able
to modify user subscriptions? Should a manager be able to access
management-only channels?
- Administrator
- Should the administrator be able to access all
attributes of a subscriber's definition, including the password? Should
the administrator be able to add and delete subscribers from a channel?
In addition, your initial information channel planning must identify
some channels whose distribution is limited to certain user
classes. You must make sure that the user classes that you identify when
you consider security planning match those that you identified during
initial channel planning.
After you determine rules for access control for the user groups in your
organization, you must work toward simplifying and consolidating the
rules as much as possible. Rather than having many specific rules for
each group, try to develop a general rule that accomplishes the same
result and can be applied to the user base as a whole.
For example, if your organization has five classes of users (A through E)
and you want to define the rules for access to channel definitions, you
can write the following rules:
- user class A is not allowed access
- user class B is not allowed access
- user class C is not allowed access
- user class D is allowed access
- user class E is not allowed access.
Each rule is then applied to each user group separately.
To simplify, you can define the following rule:
- Only user class D is allowed access.
This rule, applied one time to the whole user base, accomplishes
the same result as the previous list of rules.
- Configure the LDAP server
After you complete your initial planning, you can begin implementing
the publish and subscribe solution. The first step is to identify and configure the
LDAP server. You must start by installing the LDAP directory server
software, if you have not already done so. See
Setting Up an LDAP Server for information
on the process of installing and configuring an LDAP server. If you are
using Microsoft's Active Directory, you must install the LDAP
schema to support that server. See Installing
the LDAP Schema for Microsoft Active Directory for more information.
When you install and configure the LDAP server, you must
create person entries in the directory in order to supply identifying
information for persons and groups in your organization. Make sure
that you create a person entry for each person and group in your organization
that you have identified as a subscriber. If a person or group does not
have an entry in the LDAP directory, you will not be able to create
a subscription for them.
- Configure channels and subscribers
After you install and configure the LDAP directory server, use the
Integration Technologies Administrator application to define the
channels and subscriptions that you identified during the planning phase.
Begin by defining the subscriber entries. Defining the subscribers
first gives you the ability to select a channel's subscribers
at the time that you define the channel. See
Creating Subscribers for information.
After you define the subscribers, define the channels and associate
subscribers with the channels. See Creating
Channels and Creating Subscriptions for
information.
- Implement LDAP directory security.
After you define the channels and subscriptions, implement the security plan
that you previously devised.
To implement access control security, you must add Access
Control Lists (ACLs) to your LDAP directory. The ACLs are composed
of access-control information (ACI) statements, each of which
specifies the access policy for a particular target.
Simplify your security policies by consolidating your ACI statements
as you write them. Establishing a simple
security structure that has a relatively small number of ACIs makes
security easier to maintain, allows for change as the system changes,
and helps prevent conflicts between ACI statements.
Consult the documentation for your LDAP directory server for details
on creating ACI statements and ACLs.
- Develop applications that deliver content
After you set up the publish and subscribe infrastructure and
implement the mechanisms that deliver content to a selected
set of users, you must develop or modify applications
that will be used to create the content to be published.
These applications can take the form of standalone applications
that are written in a visual programming language or SAS programs.
See Publishing Framework in the Integration Technologies Developer's Guide for information
about the tools that are available to create a publishing application.
See SAS Publisher in the Integration Technologies Developer's Guide for information on using the SAS Publisher application to create and publish packages.
- Make client applications available
After you develop or modify the applications that publish
content, the initial structure of the publish and subscribe implementation
is complete. Your next step is to make these applications available to
users in your organization. Using the information that you gathered during
initial planning, make the appropriate applications available to each user or group.
Publishers must obtain or install the appropriate publishing application
for their needs. For example, an individual or department that needs to
publish data-intensive reports on a regular basis might use a SAS program for
publishing, while a user who needs to send information to a changing number
of users on an occasional basis might use the SAS Publisher application.
Subscribers must also obtain or install any appropriate software that is required
to view published content. In particular, each subscriber must install
the SAS Package Reader application in order to be able to view the contents of
published SAS packages. See SAS Package Reader in the Developer's Guide for
more information. If the subscribers receive information through
queues, they must also install the SAS Retriever.
See SAS Package Retriever in the Developer's Guide for more information.
It is recommended that subscribers install the SAS Subscription
Manager Java applet. This applet enables subscribers to subscribe to and
unsubscribe from channels as well as change how content is delivered.
Giving subscribers the ability to change their own information lessens
the burden on the administrator and lets the administrator concentrate
on administering channels. See
SAS Subscription Manager in the Developer's Guide for more information.
- Announce solution and train users
After the publishers and subscribers install the necessary applications,
you can announce your implementation to your organization. You will
also need to follow up the announcement with training for both publishers
and subscribers, with training broken down by publishing methods, publishing needs,
and subscriber applications.