SAS 9.1.3 Integration Technologies » Server Administrator's Guide

Planning the Spawner Security

When you set up a spawner configuration, you specify login credentials or definitions in two locations:

  • Login definitions in the server and spawner configuration: When you configure the spawner and server definitions on the SAS Metadata Server, you can specify certain login definitions in the configuration.

  • Login credentials in the spawner's metadata configuration file: When you use a spawner to start a server, you specify a metadata configuration file that contains information to allow the spawner to access the SAS Metadata Server for server and spawner metadata information. When you create a metadata configuration file for the spawner to use to access the SAS Metadata Server, you specify a fully qualified user ID and password for connecting to the SAS Metadata Server.

    Note: To simplify your configuration, use a common set of metadata server credentials for the spawner, SAS servers (if you specify the -metaprofile options), and for client programs.

The login credentials that you specify in the spawner's metadata configuration file must enable both of the following tasks:

  • access the SAS Metadata Server
  • view login definitions that are specified in the spawner and associated server definitions on the SAS Metadata Server.

Therefore, you must use the appropriate user ID in the spawner's metadata configuration file, and use the appropriate login definitions in the server and spawner configuration. In addition, you must define these login credentials on the appropriate authentication provider. For details, see Understanding Spawner Authentication.

For a scenario that shows an example security setup for the spawner, see Scenario: Security Configuration for Spawner and Load-Balancing.

Understanding Spawner/Server Login Configuration and Access

In the spawner and server definitions (on the SAS Metadata Server), you can specify the following login definitions:

  • operator login definition for the spawner (specified in the spawner definition).
  • for SAS Stored Process Servers, multi-user login definition (specified on the Credentials tab of the server definition).

The login credentials that are used to access the SAS Metadata Server (for example, the user ID in the spawner's metadata configuration file) must be able to access the previously mentioned server and spawner login definitions in the configuration's SAS Metadata Repository. The SAS Metadata Server allows a user ID to read login definitions if either of the following conditions is true:

  • The login definitions are owned by the user ID's user or group metadata identity.
  • The login definitions are group (shared) login definitions that the user ID can access as part of a group metadata identity.

Note: Do not specify an unrestricted user for the user ID in the spawner's metadata configuration file.

The following table summarizes the credentials required for spawner security configuration:

Locations Where Credentials Are Specified for Spawner Configuration

User ID or Login Definition: user ID in the spawner's metadata configuration file
  Location Where Credentials Are Specified: in the metadata configuration file.
    Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the metadata configuration file named OMRConfig.xml (located in the ObjectSpawner directory) contains the SAS Trusted User credentials.
  Description: the credentials that the spawner uses to access the metadata server.
  Requirements: the user ID that you specify must be able to access metadata for the operator login (ID) and, if specified, the multi-user login definition.
    Note: Do not specify an unrestricted user for the user ID in the metadata configuration file.

User ID or Login Definition: operator login for spawners (optional)
  Location Where Credentials Are Specified: in the SAS Management Console spawner definition: Initialization: Operator Login -> Operator Login
    Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the operator login is not specified by default.
  Description: the Administrator login definition used to access the operator port of the spawner.
  Requirements: the login definition must be one of the following:
    • the login definition for the user ID that you specified in the metadata configuration file
    • a login definition that the user ID in the metadata configuration file can access

User ID or Login Definition: multi-user login for SAS Stored Process Servers
  Location Where Credentials Are Specified: in the SAS Management Console stored process server definition: Options -> Advanced Options -> Credentials -> Login
    Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the login for the SAS General Servers group is specified.
  Description: the user ID that is used to launch SAS processes on a multi-user server.
  Requirements: the login definition must be one of the following:
    • the login definition for the user ID that you specified in the metadata configuration file
    • a login definition that the user ID in the metadata configuration file can access

Enabling the User ID in the Spawner's Metadata Configuration File to View Spawner/Server Login Definitions

To enable the user ID in the spawner's metadata configuration file to access the spawner and server configuration login definitions on the SAS Metadata Server, the user ID in the metadata configuration file must be one of the following:

  • the same user ID as the user ID of the operator login definition (in the spawner definition) and, for SAS Stored Process Servers, the same user ID as the multi-user login definition (in the server definition).

  • a member of a group metadata identity in which the multi-user login definition (SAS Stored Process Servers only) and the operator login definition are login definitions owned by the group (or groups). You can do either of the following:

    • create a group metadata identity and use the same group (shared) login definition for the multi-user (SAS Stored Process Servers only) and operator login definition.

    • for SAS Stored Process Servers only, create a group metadata identity with a group (shared) login definition (for the multi-user login definition) and then add that group metadata identity to another group with a group (shared) login definition (for the operator login definition). The second group metadata identity must also contain a login definition for the user ID specified in the spawner's metadata configuration file.

    To create a group metadata identity with a group (shared) login definition:

    1. Create a group metadata identity.
    2. Create a login definition (that uses the shared user ID) for the new group.
    3. Add any user metadata identities (or another group with a group (shared) login definition) to the group as members.

In addition, if you are setting up load balancing, then the user ID in the spawner's metadata configuration file must be able to access (under one of the above three conditions) the user ID that you specify for the logical server credentials login definition (on the load-balancing logical server definition). For details, see Planning the Load Balancing Security.

Note: Do not specify an unrestricted user for the user ID in the spawner's metadata configuration file.

Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the login in the spawner's metadata configuration file (for example, sastrust) can view the multi-user login definition for the stored process server (for example, sassrv) because the SAS Trusted User (which owns sastrust) is a member of the SAS General Server group that owns the multi-user login definition (sassrv). With an Advanced or Personal installation, no operator login is specified.
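The read rule for login definitions (owned by the user's own identity, or by a group the user belongs to, directly or through nested groups) and the checklist above can be modelled to verify a planned configuration before it is deployed. This is an added example, not SAS code or the OMRConfig.xml format; the login sastrust, the login sassrv, the SAS Trusted User identity and the SAS General Servers group come from the text above, while the "Spawner Operators" group, the sasoper and sasadm logins and the "Other User" identity are constructed for the example.

```python
# Added example: model of the SAS Metadata Server rule for reading login
# definitions, used to check a planned spawner configuration. Identity and
# login names marked "constructed" are not from the SAS documentation.
METADATA = {
    "SAS Trusted User":    {"logins": {"sastrust"}, "members": set()},
    "SAS General Servers": {"logins": {"sassrv"},   "members": {"SAS Trusted User"}},
    "Spawner Operators":   {"logins": {"sasoper"},  "members": {"SAS General Servers"}},  # constructed
    "Other User":          {"logins": {"sasadm"},   "members": set()},                    # constructed
}

def owners_of(metadata, user_id):
    """Identities (users or groups) that own a login definition with this user ID."""
    return {name for name, ident in metadata.items() if user_id in ident["logins"]}

def reachable_groups(metadata, identity):
    """The identity itself plus every group that contains it, directly or via nested groups."""
    seen, todo = set(), [identity]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        todo.extend(name for name, ident in metadata.items() if cur in ident["members"])
    return seen

def can_view_login(metadata, viewer_user_id, target_user_id):
    """Rule from the guide: a user ID can read a login definition only if it is
    owned by the user's own identity or by a group the user belongs to."""
    viewer_identities = set()
    for owner in owners_of(metadata, viewer_user_id):
        viewer_identities |= reachable_groups(metadata, owner)
    return bool(owners_of(metadata, target_user_id) & viewer_identities)

def check_spawner_config(metadata, config_user_id, operator=None, multi_user=None, lb_credentials=None):
    """Check each login the metadata configuration file user must be able to read.
    Logins left as None are not configured and are skipped; returns {role: True/False}."""
    wanted = {"operator login": operator, "multi-user login": multi_user,
              "load-balancing credentials": lb_credentials}
    return {role: can_view_login(metadata, config_user_id, uid)
            for role, uid in wanted.items() if uid is not None}

if __name__ == "__main__":
    # Advanced installation default plus a constructed operator login owned by a
    # group that contains SAS General Servers (the nested-group case).
    print(check_spawner_config(METADATA, "sastrust", operator="sasoper", multi_user="sassrv"))
```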

Understanding Spawner Authentication

When you implement a spawner and server configuration, both the login definitions in the spawner and server configuration and the clients that connect to the servers must be authenticated against the appropriate authentication provider. Depending on the type of spawner and server setup, spawner and client authentication works as follows:

Locations Where Credentials Are Authenticated

Type of Credentials: standard spawner and server configuration
  • User ID Role: user ID of the operator login
    Authentication Location: no authentication
  • User ID Role: for SAS Stored Process Servers, the user ID of the multi-user login
    Authentication Location: the host authentication provider for the SAS Stored Process Server

Type of Credentials: connections to standard spawner and server
  • User ID Role: the client user ID
    Authentication Location: the host authentication provider for the SAS Workspace Server or SAS Stored Process Server

Type of Credentials: connections to pooled server
  • User ID Role: user ID of the puddle login
    Authentication Location: the host authentication provider for the SAS Workspace Server
  • User ID Role: user IDs that are associated with the user metadata identities that are members of the group metadata identity that is granted access to the pool
    Authentication Location: the SAS Metadata Server's authentication provider
  • User ID Role: user IDs that are associated with the pool administrator
    Authentication Location: the SAS Metadata Server's authentication provider

Type of Credentials: load-balancing logical server configuration
  • User ID Role: user ID of the load-balancing logical server credentials
    Authentication Location: the host authentication provider for the SAS Workspace or SAS Stored Process Server and the host authentication provider for the other spawners to which it connects

Type of Credentials: connections to load-balancing server
  • User ID Role: the client user ID
    Authentication Location: the host authentication provider for the SAS Workspace or SAS Stored Process Server

For details about defining users for authentication, see Implementing Authentication.

When the spawner starts the server process, the process runs under the following credentials:

  • for SAS Workspace Servers, the credentials of the connecting client
  • for SAS Stored Process Servers, the multi-user login credentials that are specified in the stored process server definition (Advanced Options -> Credentials) in SAS Management Console.