SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Planning Security on Workspace and Stored Process Servers (IOM Bridge Connection Only)

You might choose whether to run a workspace server, pooled workspace server, load-balancing stored process server, or load-balancing workspace server based on your security considerations. (For an overview of the user IDs specified in the configuration, see Security Metadata). The following table shows several aspects of security for workspace servers, pooled workspace servers, and load-balanced stored process servers:

Workspace and Stored Process Security Considerations

The table compares four server types: SAS Workspace Server, Pooled SAS Workspace Server, Load-Balancing SAS Stored Process Server, and Load-Balancing SAS Workspace Server. Each security feature below lists its value for each of the four server types.

Server Reuse

  SAS Workspace Server: dedicated server per client

  Pooled SAS Workspace Server: sequential reuse of the server by clients

  Load-Balancing SAS Stored Process Server: efficient (scalable) reuse of the server by many simultaneous clients

  Load-Balancing SAS Workspace Server: dedicated server per client

User ID Under Which the Server Runs

  SAS Workspace Server: client's user ID

  Pooled SAS Workspace Server: puddle login; all users in a puddle run under the puddle login's user ID.

    CAUTION: A stored process that runs on a pooled workspace server accesses data using the account under which the server is running (that is, the puddle login). Because your account is not being used to access the data, your permissions to the data are not relevant. In these circumstances, it is particularly important to set appropriate access controls to secure the stored process.

  Load-Balancing SAS Stored Process Server: multi-user login; all users for a server run under the multi-user login's user ID.

    Note: Because the load-balancing stored process server runs under the multi-user login credentials, the operating system account for these credentials must have access to any operating system resources used by stored processes that are hosted on the stored process server.

    CAUTION: A stored process that runs on a stored process server accesses data using the account under which the server is running (that is, the multi-user login). Because your account is not being used to access the data, your permissions to the data are not relevant. In these circumstances, it is particularly important to set appropriate access controls to secure the stored process.

  Load-Balancing SAS Workspace Server: client's user ID

Client Authentication

  SAS Workspace Server: the client's credentials must be valid on the server's host authentication provider

  Pooled SAS Workspace Server: clients are mapped to puddles of servers; clients' user IDs must be valid on the SAS Metadata Server's authentication provider

  Load-Balancing SAS Stored Process Server: the client's credentials must be valid on the server's host authentication provider

  Load-Balancing SAS Workspace Server: the client's credentials must be valid on the server's host authentication provider

Metadata Access Requirements for User IDs

  Important Note: DO NOT specify an unrestricted user for either the user ID in the spawner's metadata configuration file or the user ID for the pool administrator.

  SAS Workspace Server: the user ID in the spawner's metadata configuration file must be able to view the following user ID:

    • operator login, if one is specified

  Pooled SAS Workspace Server: the user ID in the spawner's metadata configuration file must be able to view the following user ID:

    • operator login, if one is specified

  In addition, the user ID in the pool's metadata configuration file or pooling connection request (the pool administrator's credentials) must be able to view the following user ID:

    • puddle login

  Load-Balancing SAS Stored Process Server: the user ID in the spawner's metadata configuration file must be able to view the following user IDs:

    • operator login, if one is specified
    • multi-user login
    • logical server credentials

  Load-Balancing SAS Workspace Server: the user ID in the spawner's metadata configuration file must be able to view the following user IDs:

    • operator login, if one is specified
    • logical server credentials

Use of METAAUTOINIT to Connect Back to the SAS Metadata Server

  SAS Workspace Server: allowed, not specified by default

  Pooled SAS Workspace Server: allowed, specified by default for COM and not specified by default for IOM Bridge

  Load-Balancing SAS Stored Process Server: allowed, not specified by default

  Load-Balancing SAS Workspace Server: allowed, not specified by default

Server Security for Connecting Back to the SAS Metadata Server When Using METAAUTOINIT

  SAS Workspace Server: if the trustsaspeer option is specified, the server connects using the client's user ID; if the trustsaspeer option is NOT specified, use the required META* options to specify the client user ID

  Pooled SAS Workspace Server: if the trustsaspeer option is specified, the server connects using the puddle login; if the trustsaspeer option is NOT specified, use the required META* options to specify the puddle login

  Load-Balancing SAS Stored Process Server: if the trustsaspeer option is specified, the server connects using the multi-user login; if the trustsaspeer option is NOT specified, use the required META* options to specify the multi-user login

  Load-Balancing SAS Workspace Server: if the trustsaspeer option is specified, the server connects using the client's user ID; if the trustsaspeer option is NOT specified, use the required META* options to specify the client user ID

For details about the use of METAAUTOINIT and how to specify security, see Specifying Metadata Connection Information.