SAS 9.1.3 Integration Technologies » Administrator's Guide (LDAP Version)

Administering the Publishing Framework
Creating Channels
Creating Archive Paths
Creating Subscribers
Creating Subscriptions
Using Name/Value Filters
Entry Filters
MIME Type Filters
Creating Overrides

Administering the Publishing Framework (Publish and Subscribe Planning and Implementation Guide)

In order to set up a publish and subscribe solution using SAS Integration Technologies, you can follow these steps to help you plan and implement your solution. The following is a list of tasks that are required to set up a publish and subscribe system using Integration Technologies:

  1. Design information channels

    Designing a successful publish and subscribe implementation starts with an understanding of why your organization is implementing the system. You will need to know, at a very basic level, what kind of information needs to be distributed to users and how widely that information needs to be distributed.

    For example, you could start the planning process by understanding that your organization needs to disseminate sales information throughout the marketing organization and inventory data to the production organization. Starting with this base level of knowledge, you begin the process of breaking down the general categories of information into specific information channels by using a hierarchical model.

    Channel hierarchy

    How you divide and subset the categories depends on your organization's needs, but you should work toward creating information channels as tightly focused as possible, without making them too tightly focused to be useful. Channels that are broadly defined leave users not knowing whether information delivered over the channel will be useful to them; channels that are too narrowly defined force users to subscribe to a long list of channels in order to ensure that they receive the information that they need.

    To help focus the information that users receive, set up policies for name/value keywords. Name/value pairs are attributes that are specified when a package is published and that help to identify the package contents. Each subscriber definition can include a name/value filter that only allows packages that meet the subscriber's needs to be delivered.

    For example, if you publish a package with a name/value attribute of market=(Mexico), that package is only seen by those subscribers whose name/value filter indicates that they are interested in information about the Mexican market. Although the names and associated values can be anything that your organization finds useful, you must establish a list of acceptable keywords and values for those keywords. This list is essential for publishers to be able to provide consistent metadata that identifies published content and for subscribers to be able to filter published content in order to focus on the information they need.

    When you define your information channels, you must also consider the users that will be accessing those channels as well as any restrictions that need to be placed on the channels. Although these aspects of planning are discussed separately and in more detail in the following two topics, in practice they are examined at the same time as you are defining your channels. You cannot define an information channel without first knowing who needs to see the information and how that information should be restricted.

  2. Identify initial subscriptions

    When you plan an initial set of information channels, you must identify the users, groups, and applications that are initially subscribed to those channels. The information to set up these subscriptions is taken from the information you collected when you planned the channels. An understanding of your organization's need for a publish and subscribe system must include not only what information needs to be published, but also who needs to see that information.

    However, you do not have to determine every piece of information that every individual needs to see. Rather, the process of planning initial subscriptions focuses on wider distributions of information, such as identifying the essential information that departments and groups of users need. How closely you follow this guideline depends on your organization's needs - there might be a few critical users who need to receive specific information, and there might be a need to subscribe a group of users to a tightly focused channel. In general, however, the initial subscriptions that you plan cater to distributing essential information to the largest number of users. Subscribers can set up subscriptions to tightly focused channels themselves as the need arises.

    After you have determined the list of initial subscribers for each channel, you must determine how the information is to be distributed to each user (whether by text e-mail, HTML e-mail, or through a queue) and identify their address information. The address information is essential for setting up both subscriber entries and the LDAP directory.

  3. Analyze information security requirements

    When you plan information channels you must also consider security for your publish and subscribe implementation in order to ensure that the information that is published on each planned channel is uniformly sensitive. For example, if you plan for a single channel to distribute accounting information throughout your organization, you will encounter a security problem when the accounting department needs to publish sensitive information (such as employee salaries). With only a single, unrestricted channel, you cannot publish the information to a specific set of users. In your consultations with users, you must identify information channels whose access needs to be controlled.

    Your plan must address both methods that Integration Technologies uses to implement security - authentication and access control.

    Authentication security involves the process of users connecting to the LDAP server. Because the LDAP server contains all of the definitions for Integration Technologies objects (including subscribers, channels, and servers), a user must be able to connect to the LDAP directory in order to make any changes to the LDAP definitions. This level of security is controlled when users supply a distinguished name and corresponding password when they connect to the directory.

    Access control security controls the information channels that users have access to. Without any security, users are able to subscribe to any information channel in your organization and access sensitive information. To prevent this, you must to create access control lists (ACLs) in the LDAP directory in order to specify what definitions and attributes users have access to. To plan for implementing access control security, you must consider what kinds of users access the directory and what kinds of information they should have access to. As an example, the following are some possible user classes and questions you must consider for each one:

    General subscriber
    Should subscribers be able to change their own password? Should they be able to change their own subscriptions? Should there be channels that not all subscribers are allowed to subscribe to?
    Management-level user
    Should someone at management level be able to modify user subscriptions? Should a manager be able to access management-only channels?
    Should the administrator be able to access all attributes of a subscriber's definition, including the password? Should the administrator be able to add and delete subscribers from a channel?

    In addition, your initial information channel planning must identify some channels whose distribution is limited to certain user classes. You must make sure that the user classes that you identify when you consider security planning match those that you identified during initial channel planning.

    After you determine rules for access control for the user groups in your organization, you must work toward simplifying and consolidating the rules as much as possible. Rather than having many specific rules for each group, try to develop a general rule that accomplishes the same result and can be applied to the user base as a whole.

    For example, if your organization has five classes of users (A through E) and you want to define the rules for access to channel definitions, you can write the following rules:

    • user class A is not allowed access
    • user class B is not allowed access
    • user class C is not allowed access
    • user class D is allowed access
    • user class E is not allowed access.

    Each rule is then applied to each user group separately. To simplify, you can define the following rule:

    • Only user class D is allowed access.

    This rule, applied one time to the whole user base, accomplishes the same result as the previous list of rules.

  4. Configure the LDAP server

    After you complete your initial planning, you can begin implementing the publish and subscribe solution. The first step is to identify and configure the LDAP server. You must start by installing the LDAP directory server software, if you have not already done so. See Setting Up an LDAP Server for information on the process of installing and configuring an LDAP server. If you are using Microsoft's Active Directory, you must install the LDAP schema to support that server. See Installing the LDAP Schema for Microsoft Active Directory for more information.

    When you install and configure the LDAP server, you must create person entries in the directory in order to supply identifying information for persons and groups in your organization. Make sure that you create a person entry for each person and group in your organization that you have identified as a subscriber. If a person or group does not have an entry in the LDAP directory, you will not be able to create a subscription for them.

  5. Configure channels and subscribers

    After you install and configure the LDAP directory server, use the Integration Technologies Administrator application to define the channels and subscriptions that you identified during the planning phase. Begin by defining the subscriber entries. Defining the subscribers first gives you the ability to select a channel's subscribers at the time that you define the channel. See Creating Subscribers for information.

    After you define the subscribers, define the channels and associate subscribers with the channels. See Creating Channels and Creating Subscriptions for information.

  6. Implement LDAP directory security.

    After you define the channels and subscriptions, implement the security plan that you previously devised. To implement access control security, you must add Access Control Lists (ACLs) to your LDAP directory. The ACLs are composed of access-control information (ACI) statements, each of which specifies the access policy for a particular target.

    Simplify your security policies by consolidating your ACI statements as you write them. Establishing a simple security structure that has a relatively small number of ACIs makes security easier to maintain, allows for change as the system changes, and helps prevent conflicts between ACI statements.

    Consult the documentation for your LDAP directory server for details on creating ACI statements and ACLs.

  7. Develop applications that deliver content

    After you set up the publish and subscribe infrastructure and implement the mechanisms that deliver content to a selected set of users, you must develop or modify applications that will be used to create the content to be published. These applications can take the form of standalone applications that are written in a visual programming language or SAS programs. See Publishing Framework in the Integration Technologies Developer's Guide for information about the tools that are available to create a publishing application. See SAS Publisher in the Integration Technologies Developer's Guide for information on using the SAS Publisher application to create and publish packages.

  8. Make client applications available

    After you develop or modify the applications that publish content, the initial structure of the publish and subscribe implementation is complete. Your next step is to make these applications available to users in your organization. Using the information that you gathered during initial planning, make the appropriate applications available to each user or group. Publishers must obtain or install the appropriate publishing application for their needs. For example, an individual or department that needs to publish data-intensive reports on a regular basis might use a SAS program for publishing, while a user who needs to send information to a changing number of users on an occasional basis might use the SAS Publisher application.

    Subscribers must also obtain or install any appropriate software that is required to view published content. In particular, each subscriber must install the SAS Package Reader application in order to be able to view the contents of published SAS packages. See SAS Package Reader in the Developer's Guide for more information. If the subscribers receive information through queues, they must also install the SAS Retriever. See SAS Package Retriever in the Developer's Guide for more information.

    It is recommended that subscribers install the SAS Subscription Manager Java applet. This applet enables subscribers to subscribe to and unsubscribe from channels as well as change how content is delivered. Giving subscribers the ability to change their own information lessens the burden on the administrator and lets the administrator concentrate on administering channels. See SAS Subscription Manager in the Developer's Guide for more information.

  9. Announce solution and train users

    After the publishers and subscribers install the necessary applications, you can announce your implementation to your organization. You will also need to follow up the announcement with training for both publishers and subscribers, with training broken down by publishing methods, publishing needs, and subscriber applications.