Passwords
Password Policies
Each authentication provider
sets password policies for accounts in that provider. For example,
the password expiration policy for a host account is determined by
that host.
For the SAS internal
authentication provider, you can set server-level policies (in the
metadata server’s omaconfig.xml file) and per-account policies
(in a user’s metadata definition). See How to Change Internal Account Policies.
Client-Side Storage of Passwords
In the initial configuration,
users can choose to store their credentials in their client-side connection
profiles. This prepopulates the logon dialog box in desktop applications.
For most desktop applications,
the SASSEC_LOCAL_PW_SAVE= option controls the availability of a check
box that enables users to choose whether to store credentials locally.
To prevent users from creating a local copy of their credentials,
set SASSEC_LOCAL_PW_SAVE="N" (or ="0" or ="F") in the metadata server's
omaconfig.xml file and restart the server.
Note: A change to the SASSEC_LOCAL_PW_SAVE=
setting takes effect after the metadata server is restarted. Each
client uses the previous setting for its first connection, discovers
the revised metadata server setting, and conforms to that revised
setting for subsequent connections. If you change the setting to disallow
saved credentials, and credentials are already present in a user's
connection profile, those credentials must be manually removed.
Note: For a few solutions rich
clients (for example, SAS Model Manager, SAS Enterprise Miner, and
SAS Forecast Studio), the ability to store credentials in client-side
connection profiles is instead controlled by the Policy.AllowClientPasswordStorage
property. This property is available on the Plug-ins tab
in SAS Management Console (under Application
Management
Configuration ManagerSAS Application InfrastructureSettingsPolicies) as the property Allow
client password storage.
Configuration ManagerSAS Application InfrastructureSettingsPolicies) as the property Allow
client password storage.
External Login Passwords
In most cases,
the SAS copy of an external account includes only a user ID. For these
cases, no password updates in metadata are necessary.
For any external passwords
that are stored in the SAS metadata, updates are driven by changes
that first occur in the external authentication provider. For example,
if a copy of the password for an Oracle account or a host account
is stored in a group login, you must maintain that copy so that it
always matches the actual password. Any change to the actual password
(in Oracle) must be followed by a corresponding update to the SAS
copy of the password (in the group login in the SAS metadata).
You can update stored
passwords in SAS Management Console. If you own logins that include
passwords, you can also update those passwords in SAS Personal Login
Manager. For example, to update the SAS copy of an external password
in SAS Management Console, navigate to the owning user or group definition,
select the Accounts tab, select a login,
and click Edit.
Internal Account Passwords
To update a SAS internal
password in SAS Management Console, navigate to the owning user definition,
select the Accounts tab, and click Update (at
the bottom of the tab). If you have your own SAS internal account,
you can also update your internal password in SAS Personal Login Manager.
Tip
If repeated attempts to log
on with an internal account fail, that account might be locked. See Unlock an Internal Account.