Security Concepts and Policies

The installation process for the SAS Information Delivery Portal creates a security structure in your enterprise directory that controls access on both the Web server (middle tier) and the SAS server (back tier). The structure includes a default set of permissions that enable the portal to operate on a demonstration basis. This structure provides a starting point that you can build upon as needed to meet your organization's specific security requirements.

Web Server (Middle Tier) Security

The security structure for the Web server (middle tier) controls access to system components that reside within the portal application, including:

• Portal services
• Some types of portal content, including applications, widgets, content channels, and documents
• Portal components such as lists, links, and windows

The security structure for the middle tier includes the following levels of access:

• Access by Privileged User. The SAS Information Delivery Portal application uses a privileged identity to perform specific tasks on behalf of users who are logged on to the application. These tasks include creating new profiles, subscribing and unsubscribing to publication and content channels, and accessing credentials for SAS servers. In the default portal installation, the privileged identity belongs to a user called the Portal User. This definition must remain intact in order for the portal to operate correctly in its default form. (If you want to use another name for the privileged identity, you must change the portal configuration files and the enterprise directory accordingly.)

• Public Access (Access by All Users). Certain content items in the default installation of the portal are set up to allow read, search, and compare access for all users. These include anonymous users who have not logged on to the portal and have not been defined in the enterprise directory. Metadata for this type of content is stored in "Public" containers within each content type. To add, modify, or delete public content, an authorized user can log in as the public content administrator, choose the Personalize task, and choose Public as the role to personalize. In the default portal installation, the Portal.properties file assigns the public content administrator the user ID "portaladmin."

• Access by Group Members. When group-specific content (referred to as "role-based" content) is added to the portal, the portal automatically grants read, search, and compare access to all users who belong to the group. Metadata for this type of content is stored in group containers within each content type. The default portal installation does not include any role-based content. To add, modify, or delete role-based content, the user who has been designated as owner of the group can log on to the portal, choose the Personalize feature, and choose the group's name as the role to personalize.

• Access by Registered User. When individual users add content (referred to as "personal content") to the portal, the portal automatically grants all access rights to the user who created the content and no access to anyone else. Metadata for this type of content is stored in content type containers beneath each portal user container. The default portal installation includes personal content for a sample user called Portal Demo. To add, modify, or delete personal content, any registered portal user can log on to the portal, choose the Personalize feature, and then choose "Personal" as the role to personalize.

Back Tier (SAS Server) Security

The security structure for the SAS server (back tier) controls access to SAS system components including SAS tables, reports (stored processes), multidimensional databases (MDDBs), and archived packages. SAS Login definitions on the enterprise directory are the primary mechanism for controlling access to these objects. Each SAS server that you define to the portal must have a login definition that specifies which users or groups of users can access SAS objects on the server. If no users or groups are specified in the login definition, no users will be able to access these SAS objects.

The security structure for the back tier includes the following levels of access:

• Access by Privileged User. When a user requests SAS data or a SAS process via the SAS Information Delivery Portal, the workspace manager uses a privileged identity to create a workspace factory on behalf of the user. The workspace factory is a prerequisite to performing any type of process on the SAS server. The privileged identity, which is hidden in the workspace manager, belongs to a user called Portal User.

• Access by Registered User. After the privileged user creates the workspace factory, a workspace is requested from the spawner that runs on the SAS server. First, the portal determines whether the requesting user's distinguished name (or the distinguished name of a group to which the user belongs) is present in an associated SAS Login definition. If a match occurs, the portal uses the identity specified in the SAS Login to obtain a workspace on the SAS server.

  Note: In the default portal installation's SAS Login definition, all predefined users, including Portal User, Portal Guest, Portal Admin, and Portal Demo, are specified as allowed users. When additional portal users are registered, they will not be able to access SAS data or processes unless their user names (or group names) are added to the SAS Login definition.

Implementing Security for Your Environment

Each implementation of the SAS Information Delivery Portal will have different security requirements. In determining how to implement portal security, you should consider your organization's internal security policies, the security mechanisms that are in place in your environment, the types of users who will need to access the portal, and the type of content that will be made available. Then you can modify the default portal security structure to meet your requirements