Authentication Model

Authentication to Data Servers and Processing Servers

A registered user who has a connection to the metadata server accesses the OLAP server, stored process server, and pooled workspace server seamlessly by SAS token authentication. Authentication to following servers requires coordination:

standard workspace server

to provide seamless access, see Coordinate the Workspace Server.

third-party data server (for example, Oracle)

to provide access, select an approach from the following table. For instructions, see How to Store Passwords for a Third-Party Server.

Authentication to a Third-Party Data Server
Goal	Approach
Provide seamless access and preserve individual identity to the target server.	Store individual user IDs and passwords in the metadata (each on the Accounts tab of a different user definition).
Provide seamless access.	Store the user ID and password for one shared account in the metadata (on the Accounts tab of a group definition).
Provide seamless access with a few distinct access levels for resources in the target server.	Store a few shared user IDs and passwords in the metadata (each on the Accounts tab of a different group definition).¹
Preserve individual identity.	No configuration required. Users will be prompted for credentials for the target server.²
1 For a hybrid approach, use a combination of personal and group logins. 2 Secondary prompting is supported for desktop applications and SAS Web Report Studio.

Note: In general, requesting users can access only those servers for which they have the ReadMetadata permission. An exception is client-side pooling, in which access depends on membership in a puddle group. [cautionend]

Note: This topic is about metadata-aware connections. Direct connections to a SAS server (for example, from the SAS Add-In for Microsoft Office to the OLAP server) can't use SAS token authentication. Direct connections use client-supplied credentials or, in some cases, Integrated Windows authentication. [cautionend]