Security
Implementing Security in Client Applications
To connect to and access data on a server, clients provide a fully qualified user ID and password. In a SAS Metadata Repository, the server, user, group, and login definition metadata (a login definition corresponds to a user's credentials within a security domain) defines which users are allowed access to a server, as follows:
- For SAS Metadata Servers, login credentials defined on the authentication provider for the SAS Metadata Server's machine.
- For IOM servers, login definitions defined in the same authentication domain as the server.
- For IOM pooled servers:
  - the login definition (and its user or group metadata identity) that is associated with a puddle defined for a pooled logical server
  - the login definitions defined for the user metadata identities that are members of a group metadata identity that is granted access to a puddle.
Important Note: Do not connect to a server as the unrestricted user. To understand unrestricted access for unrestricted users, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide.
Applications can specify credentials in the following ways:
- Provide credentials to connect to servers. Your application can directly supply the fully qualified user ID and password that is required to connect to the server.
- Retrieve credentials from the SAS Metadata Server in order to connect to servers. Your application can access the SAS Metadata Server and retrieve server and login (user credential) information in order to connect to a server. The application must then connect to the server using the retrieved credentials.
- Retrieve credentials from other applications by sharing session or user contexts (Java clients only). Java clients can use the User Service to retrieve and share user information between applications. When one application is accessed from another application, the first application passes the second application its user or group metadata identity (via a shared session and user context). This identity can then be used for authorization purposes or to retrieve user credentials to access particular resources. This context-sharing feature enables single sign-on to be implemented seamlessly between applications. For detailed information about context sharing, see the SAS Foundation Services class documentation for the User Service.
- Connect to downstream servers by providing credentials or by retrieving credentials from the SAS Metadata Server. When connecting to an FTP, HTTP, or WebDAV server:
  - if the client or SAS Metadata Server provides a set of credentials to use for the WebDAV, FTP, or HTTP server, those credentials are used for the connection to the downstream server.
  - if the client or SAS Metadata Server does not provide a set of credentials, anonymous access is used for the connection to the downstream server.
For information about coding client applications, refer to the following:
- For Java clients, Developing Java Clients in the SAS Integration Technologies: Developer's Guide and the SAS Foundation Services class documentation.
- For Windows clients, Developing Windows Clients in the SAS Integration Technologies: Developer's Guide and the Windows Object Manager class documentation.
Authenticating Clients
When a client connects to a server, the server authenticates the client against the appropriate authentication provider or trusted authentication mechanism. For details, see Implementing Authentication.
Retrieving and Enforcing Authorization Decisions
To secure access to a resource, your application must do the following:
- Retrieve authorization metadata for a particular user's action on a resource.
- Enforce the authorization decisions for a particular user's action on a resource.
The SAS Open Metadata Architecture provides the ISecurity class for authorizing access both to metadata and to the data that is represented by the metadata. For details, see ISecurity Class in the SAS Open Metadata Interface: Reference.