Lockdown Feature :: SAS(R) IT Resource Management 3.7: Administrator's Guide

Overview of the Lockdown Feature

You can limit the reach and activities of a SAS server by locking it down. The lockdown feature is completely documented in the SAS 9.4 Intelligence Platform: Security Administration Guide at http://support.sas.com/documentation/onlinedoc/intellplatform/index.html.

Note: The XCMD option must be set to NOXCMD in order to use the lockdown feature.

Tip

The lockdown path list is a list that specifies which files and directories a SAS session can access when locked down. It does not specify which paths are inaccessible. This lockdown path list is often referred to as a whitelist.

For SAS IT Resource Management 3.7, if the application server (such as SASITRM) is locked down, jobs might fail if the required physical files and directories are not listed in the lockdown whitelist. (This is a desired result of using the lockdown feature.)

What Paths Should be Added to the Whitelist?

The paths to the following locations should be added to the lockdown whitelist:

all input raw data files and directories
all SAS library objects for all IT data marts
any directories that are specified by the WORKDIR= parameter of supplied SAS macros
any temporary files or directories such as temporary disk space locations that are overridden on the Report Parameters tab of the Performance Report or Exception transformation

Temporary disk space is used to store files and directories that are generated by a Performance Report or an Exception transformation. If the override path for a Performance Report or an Exception transformation is specified in the Report Parameters tab, be sure to include it in the whitelist. The following display shows a specified override path.

Tip
For best results, specify the override location for these files.

If the override location for these files is not specified, the following paths are used. The path to these files is constructed based on your operating environment and the user ID of person running the jobs. You must add these paths to the whitelist:
- For Windows operating environments, SAS IT Resource Management uses one of the following paths to the temporary files. The path is selected from this list in the following order:
  
  the value of the TEMP environment variable (for the user)
  
  the value of the TEMP environment variable (for the system)
  
  the value of the USERPROFILE environment variable
- For UNIX operating environments, the path is selected from this list in the following order:
  
  the value of the TEMP environment variable
  
  /tmp
  
  the value of the HOME environment variable
  
  .
- For z/OS operating environments, the path is selected from this list in the following order:
  
  The value of the FILETEMPDIR option if it is specified, if it exists, and if FILESYSTEM=zFS
  
  /tmp

Note: If there is code that is written by the user, then the user is responsible for evaluating whether the code requires additions to the whitelist. (Code that is written by the user might exist in the User-Written Staging transformation, in pre- or post-code sections of any transformations, or in any other place.)

How to Add Paths to the Whitelist

Adding paths to the lockdown whitelist is described further in the LOCKDOWN statement documentation, using the PATH= and FILE= arguments. Here is an example:

LOCKDOWN PATH=”C:\My\Raw\Data”;

This PATH example adds the directory C:\My\Raw\Data, including its files and subdirectories, to the whitelist of accessible paths.

To generate and publish reports from the Performance Report or the Exception transformation, or to send alerts from the Exception transformation, the HTTP (or URL) access method is required. (For lockdown purposes, HTTP and URL are an aliased name pair and mean the same thing.) By default, HTTP (or URL) access is denied when a server is locked down. Therefore, these two transformations will fail to execute correctly. The site can specify HTTP (or URL) as an exception to the lockdown state by using the ENABLE_AMS argument. Here is an example:

LOCKDOWN ENABLE_AMS=HTTP;

This ENABLE_AMS example adds HTTP (URL) access to the list of allowable access methods. When the Performance Report transformation and the Exception transformation generate and publish reports, HTTP is required in order to notify the middle tier. HTTP access also enables the Exception transformation to send alerts.

Note: If your site has specified NOXCMD as part of the locked down server settings, the RRDtool and SNMP staging transformations will not execute correctly. (The RRDtool and SNMP adapters require the XCMD option to be set on.) Therefore, the lockdown feature is not available for servers that are running these two adapters.