Authentication Model
In general, only users who can authenticate and who have a well-formed user definition should use a SAS deployment. However, in order to accommodate scenarios where more general access is desired, the following specialized configurations are supported:
PUBLIC access enables unregistered users to participate if they can authenticate to the metadata server (directly or through a trust mechanism). Unregistered users are referred to as PUBLIC-only users because their only SAS identity is that of the PUBLIC group. A PUBLIC-only user has the logins, permissions, and capabilities of the PUBLIC group. A PUBLIC-only user can't belong to any other groups, or have any personal logins, or have any individual permission settings. See Provide PUBLIC Access (Optional).
Anonymous access enables unregistered users to participate without authenticating to the SAS environment. Anonymous access is an optional configuration that is available for only a few applications. Anonymous access is supported only with SAS authentication; anonymous access is not compatible with Web authentication. Anonymous access is supported as follows:
For SAS BI Web Services and the SAS Stored Process Web Application, a user who connects through anonymous access uses the SAS Anonymous Web User identity. This is a service identity that functions as a surrogate for users who connect without supplying credentials. For more information, see the SAS Intelligence Platform: Web Application Administration Guide.
For the SAS Information Delivery Portal (release 4.3 and later), a user who connects through anonymous access uses the Unchallenged Access User identity. This is a service identity that functions as a surrogate for users who connect without supplying credentials. For more information, see the documentation on unchallenged portal access in the SAS Intelligence Platform: Web Application Administration Guide.
The following list highlights differences between PUBLIC access and anonymous access:
In PUBLIC access, each participating user must authenticate. In anonymous access, participating connections don't require user authentication.
In PUBLIC access, participating users share the PUBLIC group identity. In anonymous access, participating connections share a designated service identity (the surrogate identity is always a member of both the SASUSERS group and the PUBLIC group).
You can choose to provide wide support for PUBLIC access. You can't extend support for anonymous access beyond the specific applications that can be configured to use it.
Carefully review and manage access control for the PUBLIC group. If you offer anonymous access, carefully review and manage access for your surrogate service identity too.
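The review recommended above can be approached as a set computation; the following is an added example, not SAS code and not a SAS export format. It shows that, because the surrogate identity is also a member of SASUSERS, a grant to SASUSERS reaches unauthenticated connections even though it does not reach PUBLIC-only users. Assumptions: the grant tuples, resource paths, the `Finance` group and the `SURROGATE` placeholder (standing for the SAS Anonymous Web User or Unchallenged Access User) are constructed, and denials and inheritance are ignored.

```python
# Added example: a constructed model, not SAS code or a SAS metadata format.
# Identities a connection acts as, per the membership rules on this page.
MEMBERSHIP = {
    # Authenticated but unregistered: the only SAS identity is PUBLIC.
    "public_only": {"PUBLIC"},
    # Unauthenticated: surrogate service identity, always in SASUSERS and PUBLIC.
    "anonymous": {"SURROGATE", "SASUSERS", "PUBLIC"},
}

# Constructed sample grants: (identity, resource, permission).
SAMPLE_GRANTS = [
    ("PUBLIC", "/Shared/Welcome", "ReadMetadata"),
    ("SASUSERS", "/Shared/Reports", "ReadMetadata"),
    ("SASUSERS", "/Shared/Reports", "Read"),
    ("SURROGATE", "/Portal/Landing", "ReadMetadata"),
    ("Finance", "/Finance/Ledger", "Read"),  # hypothetical registered group
]


def reachable(grants, kind):
    """Return the (resource, permission) pairs a connection of this kind picks up."""
    identities = MEMBERSHIP[kind]
    return {(res, perm) for ident, res, perm in grants if ident in identities}


def anonymous_only(grants):
    """Access that unauthenticated connections get but PUBLIC-only users do not."""
    return reachable(grants, "anonymous") - reachable(grants, "public_only")


def review_items(grants):
    """List each grant that reaches unregistered users, with the affected kinds."""
    report = []
    for ident, res, perm in grants:
        kinds = sorted(k for k, ids in MEMBERSHIP.items() if ident in ids)
        if kinds:
            report.append((ident, res, perm, kinds))
    return report


if __name__ == "__main__":
    for ident, res, perm, kinds in review_items(SAMPLE_GRANTS):
        print(f"{ident:<10} {perm:<13} {res:<18} reaches: {', '.join(kinds)}")
    print("anonymous-only:", sorted(anonymous_only(SAMPLE_GRANTS)))
```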
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.