SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Defining Users for Host Authentication

By default, servers rely on the host environment to authenticate users. (SAS Workspace Servers and SAS Stored Process Servers always authenticate using the host environment.) To implement host authentication for an IOM server, you must specify the following for every host user who needs to access or start a server:

  • A valid user ID and password for the operating system account that provides access to the server's machine. The procedure for adding host users varies depending on the operating system you are using.

  • System permissions for Windows and UNIX.

    For Windows systems, the following table shows the specific user rights (permissions) for server invokers and server accessors:

    Required User Rights (Permissions) for Windows Operating System Accounts
    | Type of Server and User | Act as part of the operating system | Adjust memory quotas for a process | Increase quotas | Replace the process level token | Log on as a batch job |
    |---|---|---|---|---|---|
    | SAS Metadata Server Invoker | Windows NT and 2000 only | | | | |
    | SAS OLAP Server Invoker | Windows NT and 2000 only | | | | |
    | Object Spawner Invoker for the SAS Stored Process Server* | Windows NT and 2000 only | Windows XP only | Windows NT and 2000 only | All Windows systems | |
    | Object Spawner Invoker for the SAS Workspace Server* | Windows NT and 2000 only | Windows XP only | Windows NT and 2000 only | All Windows systems | |
    | Accessors (clients) of SAS Metadata, OLAP, Stored Process, and Workspace Servers | | | | | **All Windows systems |

    *Note: The object spawner invoker must also be a member of the Windows Administrators group.

    **Note: As an alternative, you might consider defining a SAS Server Users group and assigning the Log on as a batch job user right to this group.

    For details about setting user rights (permissions) on specific Windows systems, see the topics on setting the system permissions on Windows NT, Windows 2000, and Windows XP.

    For UNIX systems, the servers require the SASPERM and SASAUTH files to be setuid and owned by root. See Setting System Access Permissions on UNIX for steps to ensure these permissions are set correctly.
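
The UNIX requirement above (files setuid and owned by root) can be audited with a short script. This is an added example, not part of the SAS documentation: the function names are hypothetical, file paths are supplied by the caller, and the check that the file is not group- or world-writable is an extra hardening assumption beyond what the page states.

```shell
#!/bin/sh
# Added example: audit setuid-root helper binaries.
# Paths are passed as arguments; none are taken from the SAS documentation.

# check_setuid_root FILE
# Returns 0 only if FILE is a regular file, owned by root, with the setuid
# bit set, and not writable by group or others.
check_setuid_root() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING   $f"; return 1
    fi
    # -prune keeps find from descending if a directory is passed by mistake.
    if [ -z "$(find "$f" -prune -type f)" ]; then
        echo "NOTFILE   $f (not a regular file, or a symlink)"; return 1
    fi
    if [ -z "$(find "$f" -prune -user root)" ]; then
        echo "BADOWNER  $f (not owned by root)"; return 1
    fi
    if [ -z "$(find "$f" -prune -perm -4000)" ]; then
        echo "NOSETUID  $f (setuid bit not set)"; return 1
    fi
    # Extra check (assumption): anyone who can write a setuid-root file
    # can replace the code that runs with root privileges.
    if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "WRITABLE  $f (group- or world-writable setuid binary)"; return 1
    fi
    echo "OK        $f"
    return 0
}

# audit_helpers FILE...
# Checks every file and returns the number of failures (0 = all passed).
audit_helpers() {
    failures=0
    for helper in "$@"; do
        check_setuid_root "$helper" || failures=$((failures + 1))
    done
    return "$failures"
}

# Run the audit when invoked with arguments, for example (placeholder paths):
#   sh audit_setuid.sh /path/to/sasauth /path/to/sasperm
if [ "$#" -gt 0 ]; then
    audit_helpers "$@"
fi
```

Running it after every installation, hot fix, or restore from backup catches the common case where a copy or extraction as a non-root user silently drops the owner or the setuid bit.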

When you use host authentication, you can also associate a default domain with the host; this domain is used for authorization purposes. For details, see Specifying Default Host Domains.