SAS 9.1.3 Integration Technologies » Server Administrator's Guide


Getting Started

Initial Security Configuration

After you perform your pre-installation tasks, run the SAS Configuration Wizard, and perform the post-installation manual setup, your initial security setup includes the following user and group definitions on the SAS Metadata Server:

  • SAS Administrator (for example, sasadm). This user's ID will be written to a special file called adminUsers.txt, which gives the user unrestricted access to the metadata server. For information about administrative users, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide. You can use the SAS Administrator to log on to SAS Management Console and to create metadata on the SAS Metadata Server.

  • SAS Trusted User (for example, sastrust). This user's ID is written to the file trustedUsers.txt and has trusted access to the metadata server. It is used for the following tasks:

    • If you have installed a SAS OLAP Server, this user is used for a trusted connection from the SAS OLAP server to the SAS Metadata Server.

    • The object spawner that starts your workspace and stored process servers uses this account to connect to the metadata server in order to read the appropriate server and spawner definition.

    • If you configure Web server authentication, this user enables middle tier (Web-tier) users to be viewed as already authenticated by the Web server and connect to the SAS Metadata Server for authorization purposes.

    • If you configure workspace pooling, this user is used as the pool administrator. The pool administrator reads the puddle login definitions.

    For information about trusted users, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide.

    Important Note: The SAS Trusted User is a highly privileged account and should be protected accordingly.

  • SAS Guest (for example, sasguest). This user is a guest user. If you have installed the Web Infrastructure Kit or the SAS Information Delivery Portal, this user configures the Public Kiosk for the portal Web application.

  • SAS General Servers group. This group contains a group login (for example, sassrv) that is used as follows:

    • The object spawner uses the group login to start load-balancing SAS Stored Process Servers.
    • SAS servers use the group login to connect back to the SAS Metadata Server.
    • The group login is used as the default puddle login for workspace pooling.

    The SAS Trusted User is a member of the SAS General Servers group.

  • SAS System Services group. The group is for users that make server-to-server connections. The group initially contains the SAS Web Administrator (for example, saswbadm) and the SAS Trusted User (for example, sastrust).

Middle-tier Credentials

If you have set up software on the middle tier (Web tier), then the initial security setup also includes the following users and groups:

  • SAS Web Administrator (for example, saswbadm). This user has permission to administer the portal Web application. The portal Web application shell uses the SAS Web administrator to perform specific tasks, such as deploying portlets and creating SAS group permission trees. The SAS Web administrator has administrative privileges for all of the portal Web application content. The SAS Web administrator can access any portal user's pages and share content with any SAS group.

  • SAS Demo User (for example, sasdemo). This user is the general demo user for the portal Web application.

  • Portal Admins group. The group Portal Admins is for the users that are SAS Web administrators. The group initially contains the saswbadm user. Each member of the Portal Admins group is a SAS Web administrator and has administrative permissions to view any user's content and share that content with any SAS group.

  • Portal Demos group. The group Portal Demos is for the portal's demo users. The group initially contains the sasdemo user.

UNIX and z/OS Systems Credentials

If you installed the portal Web application using an Advanced or Personal installation on UNIX or z/OS, then you created one additional user and one additional group on the operating system:

  • SAS user: The default SAS user is sas. The SAS user should be used to start the following servers (if they are not started as a service) and spawners:

    • Start the spawner that starts the SAS Workspace Server(s) and SAS Stored Process Server(s).
    • If you are not starting the SAS Metadata Server as a service, start the SAS Metadata Server.
    • If you have installed a SAS OLAP Server and are not starting the OLAP server as a service, start the OLAP server.

  • SAS group: The default SAS group is sas on UNIX and sasgrp on z/OS. This group is used to control access to some directories and files.

Initial User Accounts

If you deploy a distributed server configuration, or authenticate some users against an alternative authentication provider, the following table shows the required locations of the user accounts that you create before beginning your installation:

Summary of Required Accounts for Authentication of Initial Credentials

| User Name (User ID) | SAS Metadata Server's authentication provider | SAS Workspace Server's host authentication provider | SAS Stored Process Server's host authentication provider | SAS OLAP Server's authentication provider |
|---|---|---|---|---|
| SAS Administrator (for example, sasadm) | Yes | No | No | Yes |
| SAS Trusted User (for example, sastrust) | Yes | No | No | No |
| SAS Guest (for example, sasguest) | Yes | Yes* | Yes | Yes |
| SAS Demo User (for example, sasdemo) | Yes | Yes* | Yes | Yes |
| SAS General Server (for example, sassrv) | Yes | Yes | Yes | No |

* Note: If you set up the SAS Workspace Server in a pooled configuration, you are not required to have an account for these user credentials on the host for the SAS Workspace Server.

User and Group Metadata Identities

The following table summarizes the User and Group objects that you have defined in the metadata in order for your servers and applications to work correctly. You can use the User Manager plug-in in SAS Management Console to verify that these objects have been created properly.

| Metadata Identities | Login: User ID* | Login: Password** | Login: Authentication Domain | Group Membership Information |
|---|---|---|---|---|
| User: SAS Administrator | sasadm | | | |
| User: SAS Trusted User | sastrust | | DefaultAuth*** | member of: SAS System Services group; member of: SAS General Servers group |
| User: SAS Guest User | sasguest | ******** | DefaultAuth | |
| User: SAS Demo User | sasdemo | ******** | DefaultAuth | member of: Portal Demos |
| User: SAS Web Administrator**** | saswbadm | ******** | DefaultAuth | member of: SAS System Services group; member of: Portal Admins |
| Group: SAS System Services | | | | members: SAS Trusted User, SAS Web Administrator |
| Group: SAS General Servers | sassrv | ******** | DefaultAuth | members: SAS Trusted User |
| Group: Portal Admins**** | | | | members: SAS Web Administrator |
| Group: Portal Demos**** | | | | members: SAS Demo User |

* These are the recommended IDs. They should correspond to accounts in your authentication provider. On Windows, the user ID in the login should be fully qualified with a host or domain name, for example, host-name\sasadm.

** If you are logged in to SAS Management Console as an unrestricted user, you will always see ******** in the password column, even if no password was specified.

*** You must add the default authentication domain (for example, DefaultAuth) to the sastrust login definition if you configure workspace pooling.

**** You only need this metadata identity if you have a middle tier.
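
The verification described above can also be scripted. The following is an added example, not code from the SAS documentation: it compares a list of identities against the table and its footnotes, and flags missing logins, missing group memberships, and extra members of the server and administrator groups. It assumes a deployment with a middle tier; the tuple input format, the REVIEW_GROUPS selection, and the "Jane Doe" account are hypothetical and constructed for illustration.

```python
# Expected identities, transcribed from the metadata identities table on this page:
# name -> (user ID, authentication domain or None, group memberships)
SVC, GEN = "SAS System Services", "SAS General Servers"
ADM, DEMO = "Portal Admins", "Portal Demos"
BASELINE = {
    "SAS Administrator": ("sasadm", None, set()),
    "SAS Trusted User": ("sastrust", None, {SVC, GEN}),
    "SAS Guest User": ("sasguest", "DefaultAuth", set()),
    "SAS Demo User": ("sasdemo", "DefaultAuth", {DEMO}),
    "SAS Web Administrator": ("saswbadm", "DefaultAuth", {SVC, ADM}),
}
REVIEW_GROUPS = {SVC, GEN, ADM}  # assumption: extra members here warrant review

def bare_id(user_id):
    """Strip a Windows host or domain qualifier: host-name\\sasadm -> sasadm."""
    return user_id.rsplit("\\", 1)[-1].lower()

def audit(identities, pooling=False):
    """Compare exported (name, user ID, domain, groups) tuples with BASELINE."""
    findings = []
    by_name = {n: (uid, dom, set(grps)) for n, uid, dom, grps in identities}
    for name, (user_id, domain, groups) in BASELINE.items():
        if name not in by_name:
            findings.append(f"missing identity: {name}")
            continue
        got_id, got_domain, got_groups = by_name[name]
        if bare_id(got_id) != user_id:
            findings.append(f"{name}: user ID is not {user_id}")
        if name == "SAS Trusted User" and pooling:
            domain = "DefaultAuth"  # footnote ***: required for workspace pooling
        if domain and got_domain != domain:
            findings.append(f"{name}: login lacks domain {domain}")
        for group in sorted(groups - got_groups):
            findings.append(f"{name}: not a member of {group}")
    for name, (_, _, got_groups) in by_name.items():
        expected = BASELINE.get(name, (None, None, set()))[2]
        for group in sorted((got_groups & REVIEW_GROUPS) - expected):
            findings.append(f"review: {name} is in {group}")
    return findings

# Constructed sample export (the tuple format is hypothetical, not a SAS format).
SAMPLE = [
    ("SAS Administrator", "host-name\\sasadm", None, []),
    ("SAS Trusted User", "sastrust", None, [SVC, GEN]),
    ("SAS Guest User", "sasguest", "DefaultAuth", []),
    ("SAS Demo User", "sasdemo", "DefaultAuth", [DEMO]),
    ("SAS Web Administrator", "saswbadm", "DefaultAuth", [SVC, ADM]),
    ("Jane Doe", "jdoe", "DefaultAuth", [ADM]),
]
```

Calling audit(SAMPLE, pooling=True) reports the sastrust login that lacks DefaultAuth and the extra Portal Admins member; with pooling=False only the extra member is reported.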

For information about the SAS General Servers group setup, and about the problems you will see if it is not set up correctly, see Initial Load Balancing Stored Process Server Configuration and Security.

To add new SAS users and groups, refer to User and Group Management in the SAS Intelligence Platform: Security Administration Guide.

To implement authentication against an alternate authentication provider, see Implementing Authentication in the Security section of this guide.