This section provides an overview of where you can associate logins within a server configuration that uses an IOM Bridge connection. Depending on your IOM Bridge connection setup, there are several different areas where you might provide security through the association of login definitions.
Each SAS login definition contains a fully qualified user ID, password, and authentication domain. The administrator can establish multiple login definitions for each user or group metadata identity. For each login instance of the user, you must specify the following information:
You might also add users to groups and define login definitions for the groups.
For OLAP servers, you only need to define a login for the user's server connection. For SAS Workspace and SAS Stored Process Servers, you must plan and specify several different types of login credentials. To understand security differences between SAS Stored Process Servers and SAS Workspace Servers, see Planning the Workspace and Stored Process Server Security. For details about planning the spawner security, and pooling and load-balancing security, see the following topics:
The following table shows the login credentials that are required for standard, pooled, and load-balancing server configurations. For logins that are configured in SAS Management Console, the Login row links to the SAS Management Console location where the login must be specified.
Workspace and Stored Process Server Login Requirements

| Login | Description | SAS Workspace Server | Pooled SAS Workspace Server | Load-Balancing Stored Process or Workspace Servers |
| --- | --- | --- | --- | --- |
| Logins for Users who Connect to Servers | Login definitions associated to users that request connections to a server. The authentication domain of the server definition must match the domain of the login definition. If a domain match for a login cannot be found within a user definition, the groups that the user belongs to are searched for a login that matches the domain of the server definition. | Yes | No | Yes |
| Login for User ID in the Metadata Configuration File (for the Spawner or Windows Object Manager) | User ID in the metadata configuration file. You must specify the login credentials that the spawner or Windows Object Manager will use to connect to the SAS Metadata Server. This user ID must be able to access the operator ID and if specified, the multi-user login definition. Important Note: DO NOT specify an unrestricted user for the user ID in the metadata configuration file. | Yes | Yes | Yes |
| Operator Login for Spawners (optional) | Administrator login definition to access the operator port of the spawner. The login definition must be one of the following: the login definition for the user ID that you specified in the metadata configuration file; or a login definition that the user ID in the metadata configuration file can access. | Yes | Yes | Yes |
| Multi-User Login for SAS Stored Process Servers | Login for the multi-user server. The launched SAS process runs under the process ID defined by this login. The login definition must be one of the following: the login definition for the user ID that you specified in the metadata configuration file; or a login definition that the user ID in the metadata configuration file can access. Note: Because the load-balancing stored process server runs under the multi-user login credentials, the operating system account for these credentials must have access to any operating system resources used by stored processes that are hosted on this server. | No | No | Yes, only for SAS Stored Process Servers |
| If METAAUTOINIT is specified (and the trustsaspeer option is not specified), Metaprofile User ID | User ID that is specified for the metadata connection profile option (or server's metadata configuration file) to enable the server to connect back to the SAS Metadata Server. For details about using METAAUTOINIT, see Server Startup Command. | Yes | Yes | Yes |
| For Pooling, Login for Pool Administrator | Login for pool administrator credentials supplied by the application. These credentials are used to connect to the SAS Metadata Server and read the puddle login definitions. | No | Yes | No |
| For Pooling, Puddle Login | Login definition that is used to establish the connection to the server for this puddle. You might decide to partition your pool into puddles in order to allow different login definitions for different puddles within the pool. When you define the puddle, you must associate a login with the puddle. | No | Yes | No |
| For Pooling, Login Definitions for Users that are Members of a Group Granted Access to the Puddle | Logins for users in a group that is granted access to a puddle. If you want a user to have access to a puddle in a pool, you can define the user and its login definitions, and then add the user to a group. You can then grant this group access to the puddle. | No | Yes | No |
| For Load-Balancing, Login for the Logical Server Credentials | Login definition that is used by spawners to connect to other spawners for load balancing. The login definition must be one of the following: the login definition for the user ID that you specified in the metadata configuration file; or a login definition that the user ID in the metadata configuration file can access. | No | No | Yes |
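
The lookup rule for "Logins for Users who Connect to Servers" (the user's own login definitions first, then the groups the user belongs to, matched on authentication domain) can be modeled to review which credential each user would actually present to a server. This is an added Python sketch, not SAS code or a SAS API; the class names, the exact-string domain comparison, the direct-membership-only group search, the search order among groups, and the sample identities are all assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Login:
    user_id: str       # fully qualified user ID
    auth_domain: str   # authentication domain of the login definition

@dataclass
class Identity:        # a user or group metadata identity (simplified model)
    name: str
    logins: list = field(default_factory=list)
    groups: list = field(default_factory=list)   # direct memberships only

def resolve_login(user, server_domain):
    """Return (owning identity name, Login) for a server domain, or None."""
    # Step 1: the user's own login definitions are checked first.
    for login in user.logins:
        if login.auth_domain == server_domain:
            return user.name, login
    # Step 2: no match on the user, so the user's groups are searched.
    # The order among several matching groups is an assumption of this model.
    for group in user.groups:
        for login in group.logins:
            if login.auth_domain == server_domain:
                return group.name, login
    return None

def shared_credential_report(users, server_domain):
    """Map each resolved user ID to the users who would connect with it."""
    report = {}
    for user in users:
        hit = resolve_login(user, server_domain)
        key = hit[1].user_id if hit else None   # None: no usable login
        report.setdefault(key, []).append(user.name)
    return report

# Constructed sample identities (not taken from any real deployment).
etl = Identity("ETL Group", [Login("srv\\etlshared", "UnixAuth")])
alice = Identity("alice", [Login("srv\\alice", "UnixAuth")], [etl])
bob = Identity("bob", [Login("bob@corp", "WebAuth")], [etl])
carol = Identity("carol", [Login("carol@corp", "WebAuth")])

if __name__ == "__main__":
    for uid, names in shared_credential_report([alice, bob, carol], "UnixAuth").items():
        print(uid, "<-", names)
```

A user ID that maps to several users in the report is a group login shared by those members, so server-side activity under that account cannot be attributed to one person from the operating system account alone.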