SAS 9.1.3 Integration Technologies » Server Administrator's Guide


Setting up a Server and Spawner
Best Practices
Quick Start: Standard Workspace Server and Spawner
Quick Start: Load-Balancing Stored Process Server and Spawner
Summary of Setup Steps
Spawner Overview
Spawner Requirements
Planning the Configuration Metadata
Security
Standard Workspace or Stored Process Server
Standard OLAP Server
Creating the Metadata Using SAS Management Console
Defining Servers
Modifying Servers
Workspace or Stored Process Server
OLAP Server
Configuring a UUID Generator
Configuring and Starting the Object Spawner on z/OS
Administering the Server and Spawner
Creating a Metadata Configuration File in SAS
Using ITConfig
Testing Server Connections
Using Telnet
Spawner Error Messages
Reference Materials
Fields for the Server Definition
Object Server Parameters
Fields for the Spawner Definition
IOM Bridge

Security Metadata

This section provides an overview of where you can associate logins within a server configuration that uses an IOM Bridge connection. Depending on your IOM Bridge connection setup, there are several different areas where you might provide security through the association of login definitions.

To understand security, see the Security section.

User and Login Metadata

Each SAS login definition contains a fully qualified user ID, password, and authentication domain. The administrator can establish multiple login definitions for each user or group metadata identity. For each login instance of the user, you must specify the following information:

  • the SAS login (fully qualified user ID) and password
  • authentication domain name

You might also add users to groups and define login definitions for the groups.

For detailed information about users, groups, and login definitions, see Defining Users, Groups, and Logins.

Standard, Pooled, and Load-Balancing Security Metadata

For OLAP servers, you only need to define a login for the user's server connection. For SAS Workspace and SAS Stored Process Servers, you must plan and specify several different types of login credentials. To understand security differences between SAS Stored Process Servers and SAS Workspace Servers, see Planning the Workspace and Stored Process Server Security. For details about planning the spawner security, and pooling and load-balancing security, see the following topics:

The following table shows the login credentials that are required for standard, pooled, and load-balancing server configurations. For logins that are configured in SAS Management Console, the Login row links to the SAS Management Console location where the login must be specified.

Workspace and Stored Process Server Login Requirements
Login Description SAS Workspace Server Pooled SAS Workspace Server Load-Balancing Stored Process or Workspace Servers
Logins for Users who Connect to Servers

Login definitions associated to users that request connections to a server. The authentication domain of the server definition must match the domain of the login definition. If a domain match for a login cannot be found within a user definition, the groups that the user belongs to are searched for a login that matches the domain of the server definition.

Yes

No

Yes

Login for User ID in the Metadata Configuration File (for the Spawner or Windows Object Manager) User ID in the metadata configuration file. You must specify the login credentials that the spawner or Windows Object Manager will use to connect to the SAS Metadata Server. This user ID must be able to access the operator ID and if specified, the multi-user login definition.

Important Note: DO NOT specify an unrestricted user for the user ID in the metadata configuration file.

Yes

Yes

Yes

Operator Login for Spawners (optional) Administrator login definition to access the operator port of the spawner. The login definition must be one of the following:
  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access

Yes

Yes

Yes

Multi-User Login for SAS Stored Process Servers Login for the multi-user server. The launched SAS process runs under the process ID defined by this login. The login definition must be one of the following:
  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access

Note: Because the load-balancing stored process server runs under the multi-user login credentials, the operating system account for these credentials must have access to any operating system resources used by stored processes that are hosted on this server.

No

No

Yes, only for SAS Stored Process Servers

If METAAUTOINIT is specified (and the trustsaspeer option is not specified), Metaprofile User ID User ID that is specified for the metadata connection profile option (or server's metadata configuration file) to enable the server to connect back to the SAS Metadata Server. For details about using METAAUTOINIT, see Server Startup Command.

Yes

Yes

Yes

For Pooling, Login for Pool Administrator Login for pool administrator credentials supplied by the application. These credentials are used to connect to the SAS Metadata Server and read the puddle login definitions.

No

Yes

No

For Pooling, Puddle Login Login definition that is used to establish the connection to the server for this puddle. You might decide to partition your pool into puddles in order to allow different login definitions for different puddles within the pool. When you define the puddle, you must associate a login with the puddle.

No

Yes

No

For Pooling, Login Definitions for Users that are Members of a Group Granted Access to the Puddle Logins for users in a group that is granted access to a puddle. If you want a user to have access to a puddle in a pool, you can define the user and its login definitions, and then add the user to a group. You can then grant this group access to the puddle.

No

Yes

No

For Load-Balancing, Login for the Logical Server Credentials Login definition that is used by spawners to connect to other spawners for load balancing. The login definition must be one of the following:
  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access

No

No

Yes