 |
|
| What to Do Next: Administration Tasks |
First-Priority Setup Tasks
| Summary of First-Priority Setup Tasks |
The following tasks are necessary to protect the integrity of your system. Complete these steps as soon as possible after installation, before you complete any of the other tasks that are outlined in this chapter.
| Task | Description |
|---|---|
| Secure the SAS configuration on each server machine. |
For a secure deployment, the configuration directory on each server
machine must be protected by operating system controls. These controls will
prevent inappropriate access to repository data sets, server scripts, server
logs, and configuration files.
On Windows systems, all configuration directories, files, and scripts are owned by the user who performs the installation. You must update the permissions as shown in Recommended Operating System Protections for Windows Machines. These recommendations assume that your SAS servers and spawners run as services under the Local System account. On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate permissions. The default permissions are shown in Default Operating System Protections for UNIX and z/OS Machines. |
| Establish a formal, regularly scheduled backup process. |
Establish a formal, regularly scheduled backup process that includes
your metadata repositories as well as the associated physical files.
SAS provides backup and restore utilities that enable you to perform correct backups and restores of your metadata repositories, the repository manager, the metadata journal file, and the metadata server configuration files while minimizing disruptions in service. It is important to also back up the physical data that is associated with the metadata so that related information will be synchronized if a restore becomes necessary. Before you back up your SAS Intelligence Platform, read Best Practices for Backing Up and Restoring Your System. |
| Recommended Operating System Protections for Windows Machines |
On Windows server machines, we recommend that you apply the following operating system protections to your configuration directory. All of these directories are located in SAS-configuration-directory\Lev1.
| Directories | Users | Recommended Permissions | |
|---|---|---|---|
|
SAS-configuration-directory
SAS-configuration-directory\Lev1 Lev1 subdirectories: Documents, ReportBatch, SASApp, SASMeta, Utilities, Web |
SYSTEM and Administrators | Full Control | |
| All other users | List Folder Contents, Read | ||
| Lev1 subdirectories: ConnectSpawner, Logs, ObjectSpawner, SASApp\OLAPServer, SASMeta\MetadataServer, SASTS, ShareServer | SYSTEM and Administrators |
Full Control
Remove all other users and groups |
|
| SASApp subdirectories : PooledWorkspaceServer, StoredProcessServer | SYSTEM, Administrators, and SAS Spawned Servers (sassrv) |
Full Control
Remove all other users and groups |
|
|
SASApp subdirectories: ConnectServer\Logs,
Data\wrsdist, Data\wrstemp, PooledWorkspaceServer\Logs,
PooledWorkspaceServer\sasuser, StoredProcessServer\Logs , StoredProcessServer\sasuser, and
WorkspaceServer\Logs
SASMeta\WorkspaceServer\Logs |
SYSTEM, Administrators, and SAS Spawned Servers (sassrv) | Full Control | |
| sasv9_meta.cfg file | SYSTEM and Administrators |
Read and Write
Remove all other users and groups |
|
|
SASMeta
subdirectories: MetadataServer, MetadataServer\rposmgr,
MetadataServer\MetadataRepositories\Foundation
Backup destination (for example, SASMeta\MetadataServer\SASBackup) |
The user who backs up the metadata server. You can add this user to the Administrators group to provide the required access. | Full Control | |
Note:
-
These recommendations assume that your SAS servers and spawners run as services under the Local System account. If servers and spawners are run under a different account, then grant that account the permissions that are recommended for SYSTEM.
-
You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination (for example, SAS-configuration-directory\Lev1\Logs).
-
If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
-
If you enable logging for a workspace server, then you will need to grant all users of the workspace server Full Control of the log directory. (See Create a Log File for Workspace Server Troubleshooting).
![[cautionend]](../../../../common/63294/HTML/default/images/cautend.gif)
For information about backups, see Using the Backup Wizard in SAS Management Console and Using the %OMABAKUP Macro to Perform Backups and Restores.
For details about the configuration directory structure, see Overview of the Configuration Directory Structure.
| Default Operating System Protections for UNIX and z/OS Machines |
The following table shows the default operating system protections that are provided automatically for configuration directories on UNIX and z/OS machines. All of these directories are located in SAS-configuration-directory/Lev1.
| Directories | Users | Default Permissions | |
|---|---|---|---|
|
SAS-configuration-directory
SAS-configuration-directory/Lev1 Lev1 subdirectories: Documents, ReportBatch, SASApp, SASMeta, Utilities, Web |
SAS Installer | Read, Write, and Execute | |
| All other users | Read and Execute | ||
| Lev1 subdirectories: ConnectSpawner, Logs, ObjectSpawner, SASApp/OLAPServer, SASMeta/MetadataServer, SASTS, ShareServer | SAS Installer | Read, Write, and Execute | |
| All other users | No access | ||
| SASApp subdirectories : PooledWorkspaceServer, StoredProcessServer | SAS Installer | Read, Write, and Execute | |
| sas group | Read and Execute | ||
|
SASApp subdirectories : ConnectServer/Logs,
Data/wrsdist, Data/wrstemp, PooledWorkspaceServer/Logs,
PooledWorkspaceServer/sasuser, StoredProcessServer/Logs , StoredProcessServer/sasuser, and
WorkspaceServer/Logs
SASMeta/WorkspaceServer/Logs |
SAS Installer | Read, Write, and Execute | |
| sas group | Read, Write, and Execute | ||
| sasv9_meta.cfg file | SAS Installer | Read and Write | |
| All other users | no access | ||
Note:
-
Make sure that the SAS Spawned Servers account (sassrv) is a member of the sas group, which has the necessary permissions to server configuration files and log directories.
-
You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant either the sas group or the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission on the central log destination (for example, SAS-configuration-directory/Lev1/Logs).
-
If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
-
If you enable logging for a workspace server, then you will need to grant all users of the workspace server Read, Write, and Execute permission on the log directory. (See Create a Log File for Workspace Server Troubleshooting).
-
The user who backs up the metadata server must have full access to SAS-configuration-directory/Lev1/SASMeta/MetadataServer, to its subdirectories rposmgr and MetadataRepositories/Foundation, and to the backup destination (for example, SAS-configuration-directory/Lev1/SASMeta/MetadataServer/SASBackup). The SAS Installer user has the required access.
- CAUTION:
- Do
not run a backup or a restore as the Root user. Doing so will
change ownership of the metadata server files.
-
For details about the configuration directory structure, see Overview of the Configuration Directory Structure.
|
|
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.