Getting Started
Initial Security Configuration
After you perform your pre-installation tasks, run the
SAS Configuration Wizard, and perform the post-installation
manual setup, your initial security setup includes the following user and group definitions
on the SAS Metadata Server:
- SAS Administrator (for example, sasadm). This user's ID will be written to a special file called adminUsers.txt, which gives the user unrestricted access to the metadata server. For information about administrative users, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide. You can use the SAS Administrator to log on to SAS Management Console and to create metadata on the SAS Metadata Server.
- SAS Trusted User (for example, sastrust). This user's ID is written to the file trustedUsers.txt and has trusted access to the metadata server. It is used for the following tasks:
  - If you have installed a SAS OLAP Server, this user is used for a trusted connection from the SAS OLAP server to the SAS Metadata Server.
  - The object spawner that starts your workspace and stored process servers uses this account to connect to the metadata server in order to read the appropriate server and spawner definition.
  - If you configure Web server authentication, this user enables middle tier (Web-tier) users to be viewed as already authenticated by the Web server and connect to the SAS Metadata Server for authorization purposes.
  - If you configure workspace pooling, this user is used as the pool administrator. The pool administrator reads the puddle login definitions.

  For information about trusted users, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide.

  Important Note: The SAS Trusted User is a highly privileged account and should be protected accordingly.
- SAS Guest (for example, sasguest). This user is a guest user. If you have installed the Web Infrastructure Kit or the SAS Information Delivery Portal, this user configures the Public Kiosk for the portal Web application.
- SAS General Servers group. This group contains a group login (for example, sassrv) that is used as follows:
  - The object spawner uses the group login to start load-balancing SAS Stored Process Servers.
  - SAS servers use the group login to connect back to the SAS Metadata Server.
  - The group login is used as the default puddle login for workspace pooling.

  The SAS Trusted User is a member of the SAS General Servers group.
- SAS System Services group. The group is for users that make server-to-server connections. The group initially contains the SAS Web Administrator (for example, saswbadm) and the SAS Trusted User (for example, sastrust).
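One way to check, on a UNIX host, that adminUsers.txt and trustedUsers.txt are protected as their privilege warrants and list only the IDs you expect. This is an added example, not SAS code: the directory argument, the one-ID-per-line layout and the optional leading '*' are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not SAS code). Assumptions: the two files sit in one
# directory, hold one user ID per line, and an ID may carry a leading '*'.

# list_ids FILE: print the user IDs, trimmed, without blank lines or '*'.
list_ids() {
    tr -d '\r' < "$1" |
        sed -e 's/^[[:space:]]*[*]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# audit_priv_file FILE EXPECTED_ID...: print findings; return 0 only if clean.
audit_priv_file() {
    file=$1; shift
    status=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"; return 1
    fi
    # A group- or world-writable file lets a non-owner add their own ID.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE-BY-NON-OWNER $file"; status=1
    fi
    ids=$(list_ids "$file")
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        known=no
        for want in "$@"; do
            if [ "$id" = "$want" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then
            echo "UNEXPECTED-ID $file: $id"; status=1
        fi
    done <<EOF
$ids
EOF
    return $status
}

# Usage: sh audit.sh CONFIG_DIR. With no argument, use a constructed sample.
if [ -n "${1:-}" ]; then dir=$1; else
    dir=$(mktemp -d)
    printf '*sasadm\n' > "$dir/adminUsers.txt"
    printf 'sastrust\nsasdemo\n' > "$dir/trustedUsers.txt"  # constructed drift
    chmod 600 "$dir/adminUsers.txt"; chmod 664 "$dir/trustedUsers.txt"
fi
audit_priv_file "$dir/adminUsers.txt" sasadm || true
audit_priv_file "$dir/trustedUsers.txt" sastrust || true
```

On the constructed sample, adminUsers.txt passes and trustedUsers.txt is reported twice: once for the group-write bit and once for the unexpected sasdemo entry.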
Middle-tier Credentials
If you have set up software on the middle tier (Web tier), then the initial security setup also includes the following users and groups:
- SAS Web Administrator (for example, saswbadm). This user has permission to administer the portal Web application. The portal Web application shell uses the SAS Web administrator to perform specific tasks, such as deploying portlets and creating SAS group permission trees. The SAS Web administrator has administrative privileges for all of the portal Web application content. The SAS Web administrator can access any portal user's pages and share content with any SAS group.
- SAS Demo User (for example, sasdemo). This user is the general demo user for the portal Web application.
- Portal Admins group. The group Portal Admins is for the users that are SAS Web administrators. The group initially contains the saswbadm user. Each member of the Portal Admins group is a SAS Web administrator and has administrative permissions to view any user's content and share that content with any SAS group.
- Portal Demos group. The group Portal Demos is for the portal's demo users. The group initially contains the sasdemo user.
UNIX and z/OS Systems Credentials
If you installed the portal Web application using an Advanced or Personal installation on UNIX or z/OS, then you created one additional
user and one additional group on the operating system:
- SAS user: The default SAS user is sas. The SAS user should be used to start the following servers (if they are not started as a service) and spawners:
  - Start the spawner that starts the SAS Workspace Server(s) and SAS Stored Process Server(s).
  - If you are not starting the SAS Metadata Server as a service, start the SAS Metadata Server.
  - If you have installed a SAS OLAP Server and are not starting the OLAP server as a service, start the OLAP server.
- SAS group: The default SAS group is sas on UNIX and sasgrp on z/OS. This group is used to control access to some directories and files.
Initial User Accounts
If you deploy a distributed server configuration, or authenticate some users against an alternative authentication provider, the following table shows the required locations of the user accounts that you create before beginning your installation:
Summary of Required Accounts for Authentication of Initial Credentials

| User Name (User ID) | SAS Metadata Server's authentication provider | SAS Workspace Server's host authentication provider | SAS Stored Process Server's host authentication provider | SAS OLAP Server's authentication provider |
|---|---|---|---|---|
| SAS Administrator (for example, sasadm) | Yes | No | No | Yes |
| SAS Trusted User (for example, sastrust) | Yes | No | No | No |
| SAS Guest (for example, sasguest) | Yes | Yes* | Yes | Yes |
| SAS Demo User (for example, sasdemo) | Yes | Yes* | Yes | Yes |
| SAS General Server (for example, sassrv) | Yes | Yes | Yes | No |

Note: If you set up the SAS Workspace Server in a pooled configuration,
you are not required to have an account for these user credentials on the host for the SAS Workspace Server.
User and Group Metadata Identities
The following table summarizes the User and Group objects
that you have defined in the metadata in order for your servers and applications
to work correctly. You can use the User Manager plug-in in SAS Management
Console to verify that these objects have been created properly.

| Metadata Identities | Logins: User ID* | Logins: Password** | Logins: Authentication Domain | Group Membership Information |
|---|---|---|---|---|
| User: SAS Administrator | sasadm | | | |
| User: SAS Trusted User | sastrust | | DefaultAuth*** | member of: SAS System Services group; member of: SAS General Servers group |
| User: SAS Guest User | sasguest | ******** | DefaultAuth | |
| User: SAS Demo User | sasdemo | ******** | DefaultAuth | member of: Portal Demos |
| User: SAS Web Administrator**** | saswbadm | ******** | DefaultAuth | member of: SAS System Services group; member of: Portal Admins |
| Group: SAS System Services | | | | members: SAS Trusted User, SAS Web Administrator |
| Group: SAS General Servers | sassrv | ******** | DefaultAuth | members: SAS Trusted User |
| Group: Portal Admins**** | | | | members: SAS Web Administrator |
| Group: Portal Demos**** | | | | members: SAS Demo User |

\* These are the recommended IDs. They should correspond to accounts in your authentication provider. On Windows, the user ID in the login should be fully qualified with a host or domain name, for example, host-name\sasadm.

\*\* If you are logged in to SAS Management Console as an unrestricted user, you will always see ******** in the password column, even if no password was specified.

\*\*\* You must add the default authentication domain (for example, DefaultAuth) to the sastrust login definition if you configure workspace pooling.

\*\*\*\* You only need this metadata identity if you have a middle tier.

For information about the SAS General Servers group
setup, and about the problems you will see if it is not set
up correctly, see Initial Load Balancing Stored Process Server Configuration and Security.
To add new SAS users and groups, refer to
User and Group Management in the
SAS Intelligence Platform: Security Administration Guide.
To implement authentication against an alternate authentication provider,
see Implementing Authentication in the
Security section of this guide.