SAS Federation Server Resource Cache

Overview

Data that is used frequently can be cached from Authentication Server and retained on SAS Federation Server until the cached information is refreshed or purged. This data cache can help improve server performance at both ends by reducing the number of calls needed from SAS Federation Server to Authentication Server.

Managing Named Server Caches

SAS Federation Server maintains several internal resource caches, all of which are designed to improve the performance of potentially expensive operations. An administrative user can manage common cache properties by name by using the ALTER SERVER DDL statement. Among the cached resources are user and group identity information. This information is required in authorization enforcement and multi-tiered authentication, privilege information, and result sets generated from the execution of definer's rights views.
SAS Federation Server can cache resources that are related to authentication, reducing roundtrips to Authentication Server. Several of these configurable caches are periodically repopulated as SAS Federation Server captures information from Authentication Server during the authentication process. The cache names are prefixed with AS. By default, resources related to Authentication Server are not cached.
SAS Federation Server can also cache privilege information, reducing internal queries to various system tables related to privileges, thereby improving the rendering of authorization enforcement decisions. The authorization cache is periodically updated as SAS Federation Server performs authorization enforcement and processes DDL such as GRANT, DENY, REVOKE, and various DROP commands. The authorization cache is named Authorization and is configured at maximum level by default.
SAS Federation Server can cache result sets of definer’s rights views, improving query execution and data access performance. For information about enabling caching, see Managing Cache Configuration Properties.
The following cache namespace table describes the information cached under each name.
Cache Name
Description
AS
All Authentication Server (AS) cached resources
AS.Name
Name to identifier mappings
AS.Name.Subjects
User name to Authentication Server identifier cache
AS.Name.Groups
Group name to Authentication Server identifier cache
AS.Subject
Per user cache resources
AS.Subject.Groups
User group memberships cache
AS.Subject.Principals
User owned principals cache
AS.List
Directory listings
AS.List.Subjects
User listings cache
AS.List.Groups
Group listings cache
Authorization
Privileges cache
ResultSet
Result Sets
ResultSet.View
View result sets cache
Note: SAS Federation Server Manager does not display these values. To view them, use the SQL Console to select from the Information Views (for example, ).SELECT * FROM CONFIG_DATA_SERVICES WHERE DATA_SERVICE_NAME= '__SERVER__'

Managing Cache Configuration Properties

Common cache management operations are handled using the ALTER SERVER command with CACHE list-valued options. This CACHE list-valued option is keyed by the NAME option (similar to the CONOPTS list-valued option, keyed by DRIVER). Values of the NAME option must be one of the names listed in the preceding table.
This statement resets, drops, or adds individual properties of the named cache: 
ALTER SERVER {OPTIONS( cache-option-list [,cache-option-list ...] )}
cache-option-list ::= CACHE( NAME cache-name , cache-properties )
This statement drops properties currently persisted with the named cache and reverts their run-time settings to defaults: 
cache-option-list ::= DROP CACHE( NAME cache-name )
This statement resets or adds properties of the named cache as a complete set, replacing any existing properties: 
cache-option-list ::= SET|ADD|XSET CACHE( NAME cache-name, cache-properties )
The NAME option is required and specifies the name of the cache to be managed. Properties of the cache are replaced or created within the sublist. Normal generic SQL options syntax applies to the cache option and the associated suboptions outlined in Cache Properties.

Cache Properties

TIMEOUT timeout
All caches support the TIMEOUT option. The value for TIMEOUT specifies the length of time, in seconds, that a resource can be cached before being considered stale and marked for on-demand refresh. When a resource becomes stale, it is typically refreshed and reached on its next access. Here are the default TIMEOUT values associated with each of the caches:
NAME
Default TIMEOUT Value
ResultSet
1800 (30 minutes)
ResultSet.View
1800 (30 minutes)
Authorization
-1 (infinite)
All others
0 (not applicable — not cached)
The TIMEOUT property can be restored to a default several ways once it is explicitly configured. in the following scenario, the configured TIMEOUT values for result set caching are as follows:
ResultSet = 3600 (1 hours)
ResultSet.View = 3600
The following statement overrides both of these TIMEOUT values:
ALTER SERVER {options cache(name ResultSet, xset timeout 300)}
The statement sets the timeout of ResultSet to 300 seconds explicitly and also sets all children (for example, ResultSet.View to 300 seconds. Note that the statement only persists the new TIMEOUT value for the cache, ResultSet, but changes the current value for all the children, ResultSet.View, as well. This allows top-down run-time management of TIMEOUT values while preserving the configured defaults of child names.
To reset TIMEOUT to the original default value, issue the TIMEOUT option with no value: 
ALTER SERVER {options cache(name ResultSet.View, xset timeout)}
Cache properties are inherited from the parent namespace when the cache configuration is dropped altogether:
ALTER SERVER {options drop cache(name ResultSet.View)}
Afterward, the ResultSet.View cache inherits the TIMEOUT value from the parent namespace, ResultSet, which is 300 seconds.
PURGE | FLUSH
Specifies that the named cache should be refreshed. Associated resources are reacquired and cached on next access and can be flushed immediately. This option is not persisted and using it does not affect existing properties that have already been configured for the named cache. All caches support the FLUSH option.
LEVEL level
Controls the caching granularity of the named cache. This property applies to the Authorization cache only. Valid values are as follows:
ALL / OBJECT Cache privileges for columns, tables and all higher level secure objects. This is the default privilege caching level.
CONTAINER Cache privileges for schemas and all higher level secure objects.
NONE / OFF Used to turn off all privilege caching.
Copyright © SAS Institute Inc. All rights reserved.