Users, Groups, and Roles
In most cases, users can launch SAS applications using the same ID and password as they use in the rest of your computing environment. However, when you create a SAS copy of a Windows user ID, you must qualify the ID (for example, WindowsDomain\user-ID, MachineName\user-ID, or user-ID@company.com).
Failure to meet the preceding requirement doesn't prevent a successful logon. However, it prevents SAS from recognizing the user's individual identity and causes the user to have only the PUBLIC identity. See Authentication to the Metadata Server.
If your site accepts Windows IDs in disparate formats, you must coordinate the format of the copies with the format in which users submit their IDs. This table describes the common forms for an Active Directory user ID:
Form [1] | Basic Syntax | Examples |
---|---|---|
Short | user-ID | joe |
UPN | user-ID@UPNsuffix | joe@orionsports.com or joe@sales.orionsports.com |
Down-level | down-level-domain-name\user-ID | orionsports\joe or sales\joe or mymachine\joe |
Kerberos | user-ID@realm | joe@orionsports.com [2] |

[1] User Principal Name (UPN) is an Active Directory concept. Down-level domain is a Windows NT concept.

[2] The realm in a Kerberos name is usually a Windows domain.
A Kerberos name can include an instance (in the format |
In the SAS Intelligence Platform, follow these standards for Windows user IDs:
- If users log on interactively, they can use the short form except in these unusual cases:
  - The user needs to host authenticate to a metadata server that has been configured to directly use a provider other than its host. See Direct LDAP Authentication.
  - The user has multiple accounts with the same user ID in different down-level domains (for example, machine\joe, domain1\joe, and domain2\joe).
- If users log on interactively, they can also use one other site-supported form (either the UPN form or the down-level form). Use one of these approaches:
  - In the metadata, store each user ID in UPN form. Tell users not to use the down-level form when they log on.
  - In the metadata, store each user ID in down-level form. Tell users to not use the UPN form when they log on.
- If users log on to SAS desktop applications through Integrated Windows authentication, their user IDs should usually be stored in down-level form. In general, that is the form in which SAS obtains user IDs after Kerberos authentication occurs.

  Note: If you prefer to store user IDs in the native Kerberos form, add the setting SASUSEKERBNAME true as a Windows system environment variable on the server host. For example, on the Windows desktop, right-click My Computer, select Properties, select the Advanced tab, click the Environment Variables button, add the setting under System variables, and reboot the machine. This setting affects only connections that use Integrated Windows authentication. If you use this setting, you might want to make sure that the Integrated Windows authentication process always chooses the Kerberos protocol. See How to Force Use of Kerberos.
- If users log on to SAS Web applications through Integrated Windows authentication (which occurs only if you configure Web authentication and have set up Integrated Windows authentication with your Web provider), the form of the returned user ID might differ. See the documentation for your Web application server.
Note: In the status bar of applications such as SAS Management Console, a currently connected Windows user ID is always displayed in the format user-ID@VALUE, regardless of how the user logged on or how the user's ID is stored in the metadata. For example, if you log on as Joe and your stored user ID is WIN\joe, the status bar displays your authenticated ID as joe@WIN.
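The following audit sketch is an added example, not SAS code: it classifies stored copies of Windows user IDs by the forms in the table above and flags entries that are unqualified or that differ from the one qualified form the site has standardized on. The function names, the `site_form` parameter, and the sample IDs are assumptions constructed for illustration; how the IDs are exported from the metadata is out of scope.

```python
# Added example: audit stored copies of Windows user IDs for form consistency.
# UPN and Kerberos names share the user-ID@suffix shape, so syntax alone cannot
# tell them apart; both are reported here as "at-qualified".

def classify(user_id: str) -> str:
    """Return 'down-level', 'at-qualified', 'short', or 'invalid'."""
    uid = user_id.strip()
    if uid.count("\\") == 1 and "@" not in uid:
        domain, name = uid.split("\\")
        return "down-level" if domain and name else "invalid"
    if uid.count("@") == 1 and "\\" not in uid:
        name, suffix = uid.split("@")
        return "at-qualified" if name and suffix else "invalid"
    if uid and "\\" not in uid and "@" not in uid:
        return "short"
    return "invalid"


def audit(stored_ids, site_form):
    """Compare stored IDs with the site's chosen qualified form.

    site_form (hypothetical parameter) is 'down-level' or 'at-qualified'.
    Returns (user_id, finding) pairs for every ID that needs attention.
    """
    findings = []
    for uid in stored_ids:
        form = classify(uid)
        if form == "short":
            # An unqualified copy does not block logon, but the user is
            # not recognized individually and has only the PUBLIC identity.
            findings.append((uid, "unqualified: user gets only the PUBLIC identity"))
        elif form == "invalid":
            findings.append((uid, "not a recognized form"))
        elif form != site_form:
            findings.append((uid, f"stored as {form}, site standard is {site_form}"))
    return findings


# Constructed sample data, not taken from a real metadata server.
SAMPLE_IDS = ["orionsports\\joe", "joe@orionsports.com", "joe", "sales\\ann", "a\\b@c"]

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_IDS, "down-level"):
        print(f"{uid}: {finding}")
```
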
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.