Security Considerations for SAS MDM

Overview

SAS MDM requires that security be enabled on Data Management Server. The SAS MDM installation creates the following system settings for you:
  dmserver/secure = yes
  dmserver/secure/grp_admin = SASAdministrators
The installation process also defines the following Data Management user groups:
  • Data Management Administrators
  • Data Management Stewards
  • Data Management Business Users
  • Data Management Business Approvers
  • Data Management Power Users
  • Data Management Executives
Use SAS Management Console to add users and groups to these groups or to define new ones for use with SAS MDM. Because SAS Administrators is set as the default group for grp_admin, you must assign at least one of your users to SAS Administrators so that the assigned user can modify Access Control Lists and other permissions for your SAS MDM users.
Permissions consist of Group and User permissions and Access Control Lists (ACLs). Group and User permissions determine the actions that users are allowed to take on the server. ACLs control which users are allowed to access jobs on the servers. If Group permissions and ACLs are not configured, Data Management Server provides defaults. Data Management Studio is used to create permissions and ACLs for the groups, jobs, and services that are deployed on the Data Management Server. The permissions that are used for the jobs depend on the roles and the groups that you have defined and on the needs of your business.
Note: Security checks are made by Data Management Server when a SOAP request is received. When a job calls another job directly, Data Management Server is not involved. When a job sends Data Management Server a SOAP request to run another job using the real-time service node, the security check is made only at the top-level service.
For more information about setting up security parameters for users and groups, see the Data Management Server: Administrator's Guide.

Setting Permissions

Group Permissions

On the Data Management Servers riser in Data Management Studio, select the server to be configured. Use the Security tab to add groups to the server configuration, and modify the permissions appropriately.
Here are some initial recommendations that can be changed as required for your installation:
Group Permissions

  Group                                 Permissions
  Data Management Administrators        All
  Data Management Stewards              All
  Data Management Business Users        All execute and list
  Data Management Business Approvers    All execute and list
  Data Management Power Users           All execute and list
  Data Management Executives            All execute and list

Access Control Lists

ACLs can be set up for each job or service to give access rights to individuals or groups. For example, assume that only a certain individual, or group of individuals in an organization, is allowed to change records within SAS MDM. The user name or associated group can be given special access rights through an ACL. For sensitive services, an administrator might want to deny everyone access using the ACL and then explicitly allow some users or a group to access or run the job or service. For more information about setting up permission levels, see the Data Management Server: Administrator's Guide.

Batch Job Permissions

On the Data Management Servers riser in Data Management Studio, select the server to be configured. Expand the Batch Jobs folder and establish the following ACLs in the SAS MDM folder.
Batch Job Permissions

  Group                                 Permissions
  Data Management Administrators        All
  Data Management Stewards              All
  Data Management Business Users        None
  Data Management Business Approvers    None
  Data Management Power Users           None
  Data Management Executives            None

Data Services Permissions

On the Data Management Servers riser in Data Management Studio, select the server to be configured. Expand the Real-Time Data Services folder and establish the following ACLs in the SAS MDM folder.
Data Services Permissions

  Group                                 Permissions
  Data Management Administrators        All
  Data Management Stewards              All
  Data Management Business Users        All
  Data Management Business Approvers    All
  Data Management Power Users           All
  Data Management Executives            All
Note: You might want to make Data Management Stewards the owner of all SAS MDM jobs and services to facilitate maintenance activities.

Enabling IP Address-Based Security

SAS MDM must have access to Data Management Server in order to function. When users run jobs through SAS MDM, the requests appear to originate from the application server, not from the users' computers. For that reason, configuring Data Management Server IP address-based security does not secure your system against web users. Instead, you can use request filters to block IP addresses from accessing your application server. For more information, see the Data Management Server: Administrator's Guide and your application server documentation.
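The following is an added example, not part of the SAS documentation. It models the two tiers described above to show which source address each check evaluates. The addresses, rule sets, and function names are constructed assumptions for illustration.

```python
import ipaddress

# Constructed addresses from documentation ranges; none come from the original page.
APP_SERVER_IP = "192.0.2.10"
DM_SERVER_ALLOWED = [ipaddress.ip_network("192.0.2.10/32")]    # DM Server rule: app server only
APP_FILTER_BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]  # request filter on the app server


def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def app_server_filter(client_ip):
    """Request filter on the application server: evaluates the real client address."""
    return not in_any(client_ip, APP_FILTER_BLOCKED)


def dm_server_ip_check(peer_ip):
    """IP rule on Data Management Server: evaluates the peer that sent the SOAP request."""
    return in_any(peer_ip, DM_SERVER_ALLOWED)


def trace(client_ip, use_request_filter):
    """Follow one web user's job request through both tiers (hypothetical model)."""
    if use_request_filter and not app_server_filter(client_ip):
        return {"client": client_ip, "dm_server_saw": None,
                "result": "blocked at application server"}
    # The application server sends the SOAP request itself, so Data Management
    # Server sees the application server's address for every web user.
    peer = APP_SERVER_IP
    allowed = dm_server_ip_check(peer)
    return {"client": client_ip, "dm_server_saw": peer,
            "result": "job runs" if allowed else "blocked at Data Management Server"}


if __name__ == "__main__":
    for client in ("198.51.100.5", "203.0.113.7"):
        for use_filter in (False, True):
            print(use_filter, trace(client, use_filter))
    # A host that connects to Data Management Server directly is still checked
    # against its own address, which is what the server-side rule does cover.
    print("direct:", dm_server_ip_check("203.0.113.7"))
```

With only the server-side rule in place, the client in the blocked range still has its job run, because the rule is evaluated against the application server's address.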
Last updated: April 19, 2017