DataFlux Data Management Studio 2.6: User Guide

Adding Authentication Domains and Users

• Overview of SAS Metadata Server Domains and Users
• Overview of DataFlux Authentication Server Domains and Users
• Prerequisites for Adding DataFlux Authentication Server Domains and Users
• Open the DataFlux Authentication Server as an Administrator
• Register a DataFlux Domain
• Register a DataFlux User
• (Optional) Add DBMS Logins to a User Definition
• Using Authentication Server Domains to Supply Credentials for Batch Jobs

Overview of SAS Metadata Server Domains and Users

DataFlux Data Management Studio supports two kinds of authentication servers: DataFlux Authentication Servers and SAS Metadata Servers. Support for SAS Metadata Servers is more limited.

SAS Metadata Servers can authenticate connections to DataFlux Data Management Servers. For example, you can use a SAS metadata identity to connect to a server on the Data Management Servers riser in DataFlux Data Management Studio. For more information about data management server connections, see Connecting to Data Management Servers. You can also specify a SAS authentication domain in a domain-enabled ODBC connection, if that connection is used in a job or profile that is executed by a data management server. For more information about these connections, see Adding Domain Enabled ODBC Connections. For more information about how SAS Metadata Servers can be used with data management servers, see Specifying an Authentication Server for a Data Management Server.

You cannot, however, use the Administration riser bar in DataFlux Data Management Studio to add a connection to a SAS Metadata Server. Also, the following servers which are often used in a data management environment still require a DataFlux Authentication Server: SAS Federation Server 3.2 and earlier, and DataFlux Web Studio 2.4 and earlier.

For more information about users and domains for SAS Metadata Servers, see SAS Management Console Guide to Users and Permissions. The rest of this topic is about DataFlux Authentication Servers only.

Overview of DataFlux Authentication Server Domains and Users

An Authentication Server domain is a label that is used to group similar user credentials, such as a group of users who need to log in to DataFlux Data Management Platform applications, or a group of users who need to login to a database management system (DBMS). If an Authentication Server is installed on your site, and you have administrative privilege, you can use the Administration riser in DataFlux Data Management Studio to add Authentication Server domains, users, and logins.

This topic describes the basic steps for adding domains, users, and logins on the Authentication Server. Even if you are not responsible for this task, the topic will help you understand how the Authentication Server interacts with DataFlux Data Management Studio and the Federation Server. For complete information about maintaining domains and related information, see the DataFlux Authentication Server User's Guide and the DataFlux Authentication Server Administrator's Guide.

Prerequisites for Adding DataFlux Authentication Server Domains and Users

Assume that a connection to an Authentication Server has already been added to the Administration riser, as described in Connecting to Authentication Servers.

Identify a set of domains, users, and (possibly) logins that must be registered on the Authentication Server in order to meet certain goals at your site. For example, suppose that you wanted to meet the following goals.

Goal 1: Authenticate DataFlux Data Management Platform Users. Authenticate users for DataFlux Data Management Platform applications and servers on a test computer (pubdmp). To meet this goal, you might register a domain and users such as the following.

• Domain - PUBDMP, a local domain for users on the test computer (pubdmp) where DataFlux Data Management Platform software is installed. (For production systems, you would create an Authentication Server domain that corresponds to network domain that is used for production work.)
• Users - DataFlux Admin, DataFlux User, DataFlux Web Admin. All of these users have local accounts on the test computer, pubdmp. For production systems, these would typically be network accounts. Passwords for DataFlux Data Management Platform users are not typically saved as part of the user definitions on the Authentication Server. These users will enter their passwords for the relevant domain as they normally would, when the Authentication Server prompts them to log in.  

Goal 2: Register Database Management System logins for use in job that will execute in batch mode. When a job executes in batch mode, any credentials for DBMS data sources must be provided programmatically. One solution would be to use an Authentication Server domain to retrieve DBMS credentials at run time, if the appropriate users and logins have been added to the domain. Accordingly, part of the solution for Goal 2 might be to register domains, users, and logins such as the following.

• Domains - One for each database management system, such as ORACLE, SQLSERVER, and SAP.
• Users - No additional users are required for the example test system that is described in this section. In general, you do not have to create an Authentication Server user for every database management system user. Each Authentication Server user can have multiple logins. For convenience, all database management system logins could be added to the DataFlux Admin user that was defined for Goal 1.
• Logins - User names and passwords for the database management systems. The passwords are needed in this case because they will be retrieved at run-time by a job that is running in batch mode. For more information about this scenario, see Using Authentication Server Domains to Supply Credentials for Batch Jobs.

Open the DataFlux Authentication Server as an Administrator

1. Click the Administration riser, and then expand the Authentications Servers folder.
2. Right-click an Authentication Server and select Open.
3. Enter any required credentials. After you log in, the administrative dialogs for the Authentication Server will display, as shown in the next figure.
   

Register a Domain

Register one or more domains on the Authentication Server, as required to meet your goals. For the example that is described in the Prerequisites section, you would create the following domains: 

• PUBDMP, a local domain on a test computer (pubdmp) where DataFlux Data Management Platform software is installed.
• ORACLE, SQLSERVER, and SAP, a domain for each database management system that is required for the test environment.

It is assumed that you have opened the Authentication Server as an administrator. Perform the following steps to register a domain.

1. Click the Domains riser.
2. Click the New Domain control in the All Domains panel on the right. The New Domain dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
3. Enter a name, a description, and other attributes, as shown in the next figure.

    

   

   
   In the previous figure, the Name specifies the domain name that could be combined with a login ID for authentication. The Description defines the purpose and scope of the domain. The User Name Format area specifies if and how the domain name is to be combined with a login ID for authentication. Given that the Down-level logon name option is selected in the previous figure, the domain will be combined with the login ID for authentication (PUBDMP\dfWebAdmin). The case-sensitive option is unchecked for this domain.

4. Click OK when finished to save the domain.
5. Repeat for all required domains. For the current example, the All Domains panel would look like the next figure.
   

Register a DataFlux User

Register one or more users on the Authentication Server, as required to meet your goals. For the example that is described in the Prerequisites section, you would create the following users: DataFlux Admin, DataFlux User, DataFlux Web Admin, George Barnes, and Rhonda Zool.

It is assumed that you have opened the Authentication Server as an administrator. Perform the following steps to register a user.

1. Click the Users riser.
2. Click the New Users control in the All Users panel on the right. The New User dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
3. Enter a name, a description, and other attributes, as shown in the next figure.

    

   

   
   In the previous figure, the Name specifies an Authentication Server user. The Description identifies the user. The User ID specifies a login ID for this user in the selected domain. The Domain specifies an Authentication Server domain.
   

4. Click OK when finished to save the user.
5. Repeat for all required users. For the current example, the All Users panel would look like the next figure.

   

(Optional) Add DBMS Logins to a DataFlux User Definition

In order to meet Goal 2 as described in Prerequisites above, the DataFlux Admin user could add logins and passwords for Oracle, SQL Server, and SAP. These credentials would be retrieved at run-time by a job that is running in batch mode. For more information about this scenario, see Using Authentication Server Domains to Supply Credentials in Batch Mode.

It is assumed that you have connected to the Authentication Server and that you have opened that server on the Administration riser of DataFlux Data Management Studio. Perform the following steps to add another login to your account.

1. Click the Users riser.
2. Select your user definition in the left panel. For the current example, you would select the DataFlux Admin user. The current logins for the selected user will display in the panel on the right. If you have selected your own account, a New login control should also be available on the right.
3. Click the New login control in the panel on the right. The New Login dialog displays. Typically you will identify the information that is required by this dialog when you research the prerequisites.
4. Enter a user ID, an Authentication Server domain, and a password for the target resource, as shown in the next figure.

    

   

   
   In the previous figure, User ID specifies the login ID for the target resource, such as an Oracle database. The Domain identifies the Authentication Server domain for the target resource, such as ORACLE. This domain must have already been created. The Password specifies the password for the target resource.

5. Click OK when finished to save the login.
6. Repeat for all required logins. For the current example, the panel on the right for DataFlux Admin would look like the next figure.

   

Using Authentication Server Domains to Supply Credentials in Batch Mode

When a job executes in batch mode, a user cannot provide any DBMS credentials that are needed to connect to data sources. One solution would be to use an authentication server domain to retrieve DBMS credentials at run time, if the appropriate users and logins have been added to the domain. You could combine the following features: 

• An authentication domain from the authentication server that is specified for the DataFlux Data Management Server that executes the job. The authentication server could be either a DataFlux Authentication Server or a SAS Metadata Server.
• DSN connections that support authentication domains. For examples, see Adding Domain Enabled ODBC Connections.
• A method for programmatically logging in to the authentication server in order to access DBMS logins. For an example, see Run a Job with a DSN That Specifies an Authentication Server Domain.