Authentication is an identity verification process that attempts to determine whether users (and other entities) are who they say they are. In the simplest case, users already have accounts that are known to the metadata server's host. For example, if the metadata server is on UNIX, then users might have accounts in an LDAP provider that the UNIX host recognizes. If the metadata server is on Windows, then users might have Active Directory accounts.

For accountability, we recommend creating an individual SAS identity for each person who uses the SAS environment. These identities enable administrators to make access distinctions and audit individual actions in the metadata layer. The identities also provide personal folders for each user. The metadata server maintains its own copy of each user ID for the purpose of establishing a SAS identity.

Identity management tasks can be performed manually using SAS Management Console or by using the following batch processes:

- To load user information into the metadata repository, you first extract user and group information from one or more enterprise identity sources. Then you use SAS bulk-load macros to create identity metadata from the extracted information. SAS provides sample applications that extract user and group information and logins from an Active Directory server and from UNIX /etc/passwd and /etc/group files.
- To periodically update user information in the metadata repository, you extract user and group information from your enterprise identity sources and from the SAS metadata. Then you use SAS macros to compare the two sets of data and identify the needed updates. After validating the changes, you use SAS macros to load the updates into the metadata repository.

Note: You cannot use these batch processes to manage passwords. Users can manage their own passwords with the SAS Personal Login Manager.

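
The extract, compare, and validate steps of the periodic update described above, sketched in Python as an added example; it is not SAS's sample application or its bulk-load macros. The function names, the UID threshold of 1000, the list of non-login shells, the 50% deletion limit, and the sample data are assumptions made for illustration.

```python
# Added illustration in Python, not SAS macros; all names and data are constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Ng:/home/alice:/bin/bash
bob:x:1002:1002:Robert Ortiz:/home/bob:/bin/bash
svcetl:x:1003:1003:ETL service:/home/svcetl:/usr/sbin/nologin
dave:x:1004:1004:Dave Kim,Room 4,,:/home/dave:/bin/zsh
"""
# Constructed snapshot of identities already in metadata (user ID -> display name).
METADATA = {"alice": "Alice Ng", "bob": "Bob Ortiz", "carol": "Carol Diaz"}
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def extract_users(passwd_text, min_uid=1000):
    """Return {user_id: display_name} for login accounts; the password field is never copied."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _pw, uid, _gid, gecos, _home, shell = fields
        if not uid.isdigit() or int(uid) < min_uid or shell in NOLOGIN:
            continue  # system or non-login account: no individual identity
        users[name] = gecos.split(",")[0] or name
    return users


def compare(source, metadata):
    """Identify the updates needed to make the metadata match the identity source."""
    return {
        "add": sorted(set(source) - set(metadata)),
        "update": sorted(u for u in source.keys() & metadata.keys() if source[u] != metadata[u]),
        "delete": sorted(set(metadata) - set(source)),
    }


def validate(changes, metadata, max_delete_fraction=0.5):
    """Reject a change set that removes a large share of identities; that pattern
    usually means the extract was truncated, not that the users actually left."""
    if not metadata:
        return True
    return len(changes["delete"]) / len(metadata) <= max_delete_fraction
```

Only a change set that passes `validate` would go on to the load step; an empty or partial extract fails the check instead of deleting every identity.
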
The metadata identity information is used by the security model's credential management and authorization features. For example, when a user logs on to SAS Data Integration Studio, the metadata server wants to know who the user is so that it can determine which libraries, stored processes, and jobs should be displayed in the desktop client. If a user makes a request in SAS Data Integration Studio to run a job against an Oracle table, the Oracle server wants to know who the user is so that it can determine whether the user has access to the data in the table.