You might choose whether to run a workspace server, pooled workspace server, load-balancing stored process server, or load-balancing workspace server based on your security considerations. (For an overview of the user IDs specified in the configuration, see Security Metadata.) The following table shows several aspects of security for workspace servers, pooled workspace servers, and load-balanced stored process servers:
Workspace and Stored Process Security Considerations

| Security Features | SAS Workspace Server | Pooled SAS Workspace Server | Load-Balancing SAS Stored Process Server | Load-Balancing SAS Workspace Server |
| --- | --- | --- | --- | --- |
| Server Reuse | dedicated server per client | sequential reuse (of the server) by clients | efficient (scalable) reuse (of the server) by many simultaneous clients | dedicated server per client |
| User ID Under Which The Server Runs | client's user ID | puddle login; all users in a puddle run under the puddle login's user ID. CAUTION: A stored process that runs on a pooled workspace server accesses data using the account under which the server is running (that is, the puddle login). Because your account is not being used to access the data, your permissions to the data are not relevant. In these circumstances, it is particularly important to set appropriate access controls to secure the stored process. | multi-user login; all users for a server run under the multi-user login's user ID. Note: Because the load-balancing stored process server runs under the multi-user login credentials, the operating system account for these credentials must have access to any operating system resources used by stored processes that are hosted on the stored process server. CAUTION: A stored process that runs on a stored process server accesses data using the account under which the server is running (that is, the multi-user login). Because your account is not being used to access the data, your permissions to the data are not relevant. In these circumstances, it is particularly important to set appropriate access controls to secure the stored process. | client's user ID |
| Client Authentication | client's credentials must be valid on the server's host authentication provider | clients mapped to puddles of servers; clients' user IDs must be valid on the SAS Metadata Server's authentication provider | client's credentials must be valid on the server's host authentication provider | client's credentials must be valid on the server's host authentication provider |
| Metadata Access Requirements for User IDs. Important Note: DO NOT specify an unrestricted user for either the user ID in the spawner's metadata configuration file or the user ID for the pool administrator. | user ID in the spawner's metadata configuration file must be able to view the following user ID: operator login, if one is specified. | user ID in the spawner's metadata configuration file must be able to view the following user ID: operator login, if one is specified. user ID in the pool's metadata configuration file or pooling connection request (the pool administrator's credentials) must be able to view the following user ID: | user ID in the spawner's metadata configuration file must be able to view the following user IDs: operator login, if one is specified; multi-user login; logical server credentials | user ID in the spawner's metadata configuration file must be able to view the following user ID: operator login, if one is specified; logical server credentials |
| Use of METAAUTOINIT to Connect Back to the SAS Metadata Server | allowed, not specified by default | allowed, specified by default for COM and not specified by default for IOM Bridge | allowed, not specified by default | allowed, not specified by default |
| When using METAAUTOINIT, Server Security for Connecting Back to the SAS Metadata Server | if the trustsaspeer option is specified, connects using the client's user ID; if the trustsaspeer option is NOT specified, use the required META* options to specify the client user ID | if the trustsaspeer option is specified, connects using the puddle login; if the trustsaspeer option is NOT specified, use the required META* options to specify the puddle login | if the trustsaspeer option is specified, connects using the multi-user login; if the trustsaspeer option is NOT specified, use the required META* options to specify the multi-user login | if the trustsaspeer option is specified, connects using the client's user ID; if the trustsaspeer option is NOT specified, use the required META* options to specify the client user ID |