Configure a SAS Metadata Server for Security

Overview

The DataFlux Data Management Server uses a SAS Metadata Server to authenticate users and manage users and groups. The DataFlux Data Management Server does not use the SAS Metadata Server for authorization. Instead, permissions are maintained locally.

Configure Authentication

Installing a DataFlux Data Management Server sets a value for the configuration option BASE/AUTH_SERVER_LOC in the file install-path/etc/app.cfg. The AUTH_SERVER_LOC option identifies the SAS Metadata Server as the authentication provider.
If your site uses a single host for the SAS Metadata Server, then the AUTH_SERVER_LOC entry resembles the following example:
BASE/AUTH_SERVER_LOC=iom://Orion.us.southeast.omr.com:8561
The option value is a URL that identifies the host and port number of the SAS Metadata Server. 8561 is the default port number.
If your SAS Metadata Server is installed as a cluster of multiple hosts, then the option points to the metadata cluster profile. The pathname used by the option is the physical location that is recognized by the operating environment. The file must be accessible from the current process.
The following example illustrates a typical value:
BASE/AUTH_SERVER_LOC=c:\SAS\Config\Lev1\metadataConfig.xml
The example includes the default name and location of the metadata cluster profile.

Manage Server Configuration Options That Are Set from Metadata

The values of the following configuration options are downloaded from the SAS Metadata Server when you start the DataFlux Data Management Server: DMSERVER/SOAP/SSL, DMSERVER/SOAP/LISTEN_PORT, and DMSERVER/SECURE.
The Data Management Server uses the value of DMSERVER/NAME to query its own metadata definition on the SAS Metadata Server. If the name is valid, and if the metadata definition can be accessed, then the DataFlux Data Management Server sets the local values from the supplied metadata.
To access the metadata definition, the process owner of the DataFlux Data Management Server must have a user definition on the SAS Metadata Server. Another method of enabling access is to specify Read access to the metadata definition for the PUBLIC group.
If the metadata definition cannot be accessed by the specified name, or if the name is valid but access is denied, then the DataFlux Data Management Server does not start.
If the server starts, and if the preceding options are specified in the Data Management Server’s dmserver.cfg file, then the local values supersede the metadata values. For this reason, the preceding options should be commented out in dmserver.cfg. They are commented out by default when you install the DataFlux Data Management Server.
To change the metadata definition of the DataFlux Data Management Server, open SAS Management Console, enter administrative credentials, right-click the Data Management Server instance, and select Properties. After you save your changes, restart the DataFlux Data Management Server to download the latest configuration option values.
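The following check is an added example, not part of the SAS documentation or product. It scans the text of a dmserver.cfg file for active local settings of the three metadata-managed options, which would silently supersede the values set in SAS Management Console. It assumes "OPTION = value" lines with "#" starting a comment, and that DMSERVER/NAME is set in the same file; the sample file content is constructed.

```python
import re

# Options the page lists as downloaded from the SAS Metadata Server at startup.
METADATA_MANAGED = ("DMSERVER/SOAP/SSL", "DMSERVER/SOAP/LISTEN_PORT", "DMSERVER/SECURE")

# Assumed syntax: "OPTION = value"; a line whose first non-blank character is "#" is a comment.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def active_options(cfg_text):
    """Return [(line_no, OPTION, value)] for every uncommented assignment."""
    found = []
    for line_no, line in enumerate(cfg_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented out: the metadata value stays in effect
        match = ASSIGNMENT.match(line)
        if match:
            found.append((line_no, match.group(1).upper(), match.group(2)))
    return found


def audit(cfg_text):
    """Report local overrides of metadata-managed options and the server name
    used to look up the metadata definition (None if it is not set)."""
    options = active_options(cfg_text)
    overrides = [(n, k, v) for n, k, v in options if k in METADATA_MANAGED]
    names = [v for _, k, v in options if k == "DMSERVER/NAME"]
    return {"overrides": overrides, "server_name": names[-1] if names else None}


# Constructed sample, not a real dmserver.cfg. EXAMPLE/OTHER_OPTION is hypothetical.
SAMPLE_CFG = """\
# constructed sample configuration
DMSERVER/NAME = dmserver-example
# DMSERVER/SOAP/SSL = yes
DMSERVER/SOAP/LISTEN_PORT = 9443
  #DMSERVER/SECURE = yes
DMSERVER/SECURE=no
EXAMPLE/OTHER_OPTION = 1
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CFG)
    print("metadata lookup name:", report["server_name"])
    for line_no, option, value in report["overrides"]:
        print(f"line {line_no}: {option}={value} overrides the metadata value")
```

In the sample, the uncommented DMSERVER/SECURE=no line is the case to catch: the server would run with that local value regardless of what its metadata definition specifies.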

Configure Server Restart

Because the Data Management Server cannot start unless the SAS Metadata Server is fully operational, you might want to configure a server dependency to prevent failures at invocation. To configure a server dependency, see Troubleshoot Server Start or Restart.

Additional Configuration after Installation

After you install DataFlux Data Management Server, you create new user and group definitions (as needed) on the SAS Metadata Server. To create users and groups on the SAS Metadata Server, see the SAS Intelligence Platform: Security Administration Guide.
You can also implement other access controls on the DataFlux Data Management Server. You can restrict server access by IP address, and you can create default access control entries with ALLOW and DENY permissions for users and groups, as described in Manage Permissions. When no default access control lists are defined, the members of the PUBLIC and USERS groups receive DENY permission.
Last updated: June 16, 2017