Security Tasks
Identify or Create User Accounts
In order to log on to a SAS client, a user must have an account that can provide access to the metadata server. Determine which of the following situations applies to you and complete any tasks as indicated.
In the simplest case, users already have accounts that are known to the metadata server's host. For example, the metadata server is on UNIX, and users have accounts in an LDAP provider that the UNIX host recognizes. Or the metadata server is on Windows, and users have Active Directory accounts. No action on your part is required.
In some cases, users have accounts that aren't currently recognized by the metadata server's host. Consider the examples in the following table.
Scenario | Possible Solution¹ |
---|---|
You have Active Directory accounts but the metadata server is on UNIX. | Enable the UNIX host to recognize the accounts. See Pluggable Authentication Modules (PAM). |
You have accounts in an LDAP provider that isn't known to the metadata server's host. | Enable the metadata server itself to recognize the LDAP provider. See Direct LDAP Authentication. |
You have accounts that are known at your Web perimeter but aren't known to the metadata server's host. | Enable the metadata server to trust users who have authenticated at the Web perimeter. See Web Authentication.² |

¹ None of these options enable you to avoid later creating corresponding identity information in the SAS Metadata Repository.
² This is only a partial solution, because users of desktop applications still need accounts that can be validated by the metadata server or its host.
Note: Even if your Web accounts are recognized by the metadata server's host, you might choose to use Web authentication so that SAS Web applications are launched silently.
In other cases, you must add accounts to your environment. Although it is technically possible to instead use SAS internal accounts for this purpose, those accounts aren't intended for regular users.
Note: Someone who directly connects to the OLAP server needs an account with the OLAP server. This situation occurs when someone uses a data provider to access SAS OLAP data from the SAS Add-In for Microsoft Office.
Coordinate the Workspace Server
Seamless access to the workspace server depends on coordination between that server and the metadata server. This coordination is necessary because authentication to the workspace server is, by default, performed by the workspace server's host. The following table provides general recommendations:
Scenario | Recommendation |
---|---|
Both servers are on Windows. | The preferred approach is to ensure that both servers offer Integrated Windows authentication (IWA) for desktop clients. See Integrated Windows Authentication. An alternative is to use credential-based host authentication for both servers. See Host Authentication. |
Both servers are on UNIX.¹ | Use credential-based host authentication for both servers. No action on your part is required. |
The two servers don't recognize the same accounts.² | To minimize requirements for and exposure of host credentials, SAS provides several alternate configurations. See Mixed Providers. |

¹ Or both servers are on z/OS.
² For example, one server is on Windows and the other server is on UNIX.
Note: Similar coordination for other types of SAS servers isn't necessary because those servers don't use host authentication for metadata-aware connections.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.