Previous Page | Next Page

Server Configuration, Data Retrieval, and Risk

Host Access to SAS Tables

Direct Access Versus Mediated Access

Managing the Risks of Mediated Host Access

Example: Multiple Levels of Host Access


Direct Access Versus Mediated Access

A SAS table (data set) is stored as a file in a host operating system. In general, a SAS table can be directly accessed and read by anyone who has the necessary host operating system permissions to that file. You can use the SAS metadata authorization layer to further constrain access. However, those additional constraints apply only when the user requests that data in a metadata-aware context.

As a simple example, assume that you have registered a library and several tables in the metadata. In SAS Management Console, you deny userA the ReadMetadata permission for a table named Salary. This prevents userA from seeing the Salary table in metadata-aware applications. However, if userA has host access to the physical file that contains the table data, userA can open that file in Base SAS and examine all of the data. When the table is accessed directly, the metadata layer denial of ReadMetadata permission isn't applied. In the following figure, the first image illustrates the issue and introduces the concept of mediated access.

Host Access to SAS Data

[Host Access to SAS Data]

With mediated access, a workspace server or stored process server retrieves SAS data from the host operating system using a service account called a launch credential. The server uses one account to retrieve data on behalf of each requesting user. Mediation is an integral part of a standard configuration as follows:

Mediation offers the following advantages:

CAUTION:
Along with its advantages, mediation introduces some risk.

If your deployment includes sensitive data in SAS tables, it is essential to review existing host layer controls and to understand the effects of mediated access.  [cautionend]


Managing the Risks of Mediated Host Access

The risks of mediated host access are as follows:

The following table describes techniques for reducing risk. Keep in mind that there is no absolute security and that you must balance security goals against other considerations.

Alternatives for Reducing Mediation Risks
Modification Risk Reduction Notes
Use a different launch credential for each server. For example, configure the server-side pooled workspace server with its own dedicated launch credential. Diversification reduces exposure for each launch credential. Recommended if you have sensitive data in SAS tables. See Launch Credentials.
Limit the availability of SAS Information Map Studio by installing that application only where it is needed. Reduces opportunity to misuse that application. Recommended if you have server-side pooling.
Limit the SAS folder locations from which relational information maps can be used.1 Reduces opportunity to use a rogue information map, but affects only SAS Web Report Studio and SAS Web Report Viewer. See the wrs.map.accessibility.check property in the SAS Intelligence Platform: Web Application Administration Guide.
Set up client-side pooling using a protected, dedicated service account as the puddle login. Reduces opportunity to misuse the server by creating a rogue application. A client-pooled workspace server can be used from only designated Web applications. See Choices in Workspace Server Pooling.
Delete the server-side pooled workspace server (and, for performance reasons, set up client-side pooling for SAS Web Report Studio). Eliminates opportunity to misuse that server (in SAS Information Map Studio or in a rogue application). See Choices in Workspace Server Pooling.
Set up a restricted deployment of SAS Web Report Studio with client-side pooling. Fully isolates the restricted client-side pool (with a dedicated pool administrator as well as a dedicated puddle login).1 See BI Row-Level Permissions.
1 This measure is necessary in order to make row-level permissions that are defined in information maps fully secure.


Example: Multiple Levels of Host Access

The preceding figure depicts a simple case where there is only one level of host access. You can establish multiple levels of host access by setting up multiple servers, each with its own launch credential. This can involve a trade off of granularity (how many different levels of access will I establish?) against administrative effort (how much server metadata will I create and manage?).

For example, the following instructions show how you can physically isolate sensitive data that is accessed through a logical workspace server that uses SAS token authentication.

  1. In the operating system that hosts the SAS data:

    1. Establish a separate file system directory for each level of access. This enables you to avoid setting host permissions on individual files. For example, to separate HR tables, you might create an HR directory.

    2. Create or identify one service account for each level of access. For example, to provide physical protection for HR data, you might add an hrsrv account.

      Note:   For servers on Windows, each launch account must have the Log on as a batch job privilege. See Windows Privileges.  [cautionend]

    3. Set operating system permissions so that each account has appropriate access to your SAS data. For example, deny the general use account (sassrv) physical access to the HR data and grant the HR account (hrsrv) physical access to all data (including the HR data).

      Note:   If you want certain IT staff to be able to access the data directly using their own accounts, preserve that access.  [cautionend]

  2. In SAS Management Console's User Manager, select the SAS General Servers group, right-click, and select the Accounts tab. For each service account that you created in step 1, click New and enter the service account credentials as an additional login for the SAS General Servers group. Include a password in each of these logins. For example, you might enter the HR login as:

    DefaultAuth | WIN\hrsrv | password

    Note:   Each of these logins will be directly associated with a particular server, instead of being looked up by authentication domain. For this reason, it doesn't matter which authentication domain you use. You can ignore any warnings about the SAS General Servers group having multiple logins in the same authentication domain.  [cautionend]

    Note:   Users should not be members of the SAS General Servers group. This group is for service identities only. Users don't retrieve these credentials, so users shouldn't have access to these logins. In a standard configuration, these logins are available only to the privileged service identity (the SAS Trusted User) that the spawner uses to read all server metadata.   [cautionend]

  3. In Server Manager, select the logical workspace server [icon], right-click, and select Properties. On the Options tab, verify that the Use server access security check box and the SAS token authentication radio button are selected. Click Cancel.

  4. Select the logical workspace server again, right-click, and select Add Server. Set up one additional server [icon] for each level of access. All of the servers can use the same port. For example, you might add a server named Human Resources.

  5. Beneath the logical workspace server, complete these steps for each server [icon] that you added:

    1. Select the server, right-click, select Properties, and select the Options tab. In the Launch credentials drop-down list, select one of the service accounts (use a different account for each server). For example, for the Human Resources server you would first select More logins and then search for and select the login that references the hrsrv account.

      Note:   In order to see this login in the list, you need user administration capabilities.  [cautionend]

    2. On the Authorization tab, use the ReadMetadata permission to control who can use that server.

      Note:   Be sure to preserve necessary service access. See Hiding Server Definitions.  [cautionend]

  6. Under Server Manager, select the object spawner [icon] , right-click, and select Properties. On the object spawner's Servers tab, add the new servers to the Selected Servers list.

  7. To make the changes take effect:

    1. Expand the object spawner [icon], right-click the computer [icon], and select Connect.

    2. Right-click the computer again and select Refresh Spawner. In the message box, click Yes.

    3. Right-click the computer a third time and select Disconnect.

  8. To validate, expand the logical workspace server [icon] and select a server [icon]. On each connection object [icon] in the display area, right-click and select Test Connection. Test the connections for every other sibling server [icon] that you added under the logical workspace server.

If you want to also enable power users to access data using their own accounts, set up a separate application server [icon] for those users. In that application server, add a logical workspace server [icon] that uses some form of host authentication. Even though regular users wouldn't be able to authenticate (because they wouldn't have host accounts for the workspace server machine), it is a good practice to limit ReadMetadata access to the additional application server.

You can use a similar approach to set up multiple levels of host access for a stored process server or a server-pooled workspace server. For multiple levels of host access from a client-pooled workspace server, set up multiple puddles. Always ensure that the server's host identity meets all of the requirements that are documented in Launch Credentials.

Previous Page | Next Page | Top of Page