Exploiting the Security Features of Holap++ with the MultidimensionalTable Component of webAF

On a secure server, the security features of Holap++ can be used to restrict access to your data. The MultidimensionalTable component passes the login and password used to logon to the server to the _logon_ method of the Holap++ Security object for validation.

Note: This document assumes you are familiar with Holap++ and its security model.

Creating a Secure Windows NT server

Several steps must be followed to secure your Windows NT server. First, you must use the Windows NT User Manager to set the appropriate user rights. Second, you must install your SAS spawner with the appropriate security options. Third, you must add the proper prompts to your connection object.

For more information on the PC spawner (including the security and authserver options) see Communication Access Methods for SAS/CONNECT and SAS/SHARE Software, Second Edition.

To set user rights

1. Logon to Windows NT as the administrator.
2. Select Start->Programs->Admistrative Tools->User Manager.
3. Select the Username from which the server will run.
4. Select User Rights from the Policies menu.
5. Make sure that the Show Advanced User Rights check box is checked.

The user must have the following rights:

• Act as part of the operating system
• Bypass traverse checking (the default is everyone)
• Increase quotas
• Replace a process level token
• Logon locally (the default is everyone).

The Windows NT 4.0 userid specified at signon needs only the following user right:

• Log on as a batch job.

To start the spawner

Whether you install your spawner as a service or simply start it as needed, add the following options to your spawner command:

• -authserver <domain-name>
• -security

where <domain-name> is the name of the domain server where the validation database resides.

For example, to install the spawner as a Windows NT service for a server in the carynt domain, use the following command:

C:\appdevstudio\sas\connect\sasexe\spawner –install –c tcp -telnet 2323 -security -authserver carynt

Modifying your Connection Object

When connecting to a secure Windows NT server, you must update your connection object to reflect the proper prompts. With a nonsecure Windows NT server, the Username and Password prompts are blank. Update these prompts in your connection object to be Username: and Password: respectively.

Creating a secure Windows NT server is your first level of security. Use holap++ if you need additional control in restricting certain users from accessing a particular dataset (or levels within a dataset).

Registering a Holap++ Security Model

To exploit the security model of a holap MDDB, add the _secure attribute to your metabase registration. The _secure attribute requires two inputs:

• the security object to use (which defaults to the standard holap++ security model)
• the Define User object to use to validate the user's access permissions. You can create the Define User object using EIS if Holap++ is installed.

Creating a Define User Object

To create a Define User Object, do the following:

1. From the EIS Main Menu, select Build EIS.
2. Select the Path and Application Database where the new User Definition will reside.
3. Select Add.
4. Select the BROESSG Objects from the Object Databases.
5. Select Define Users from the Objects.
6. Select Build.
7. Fill in the required fields, including the name of the security dataset that will contain the valid users and passwords.
8. Select Test to add the Users to the security dataset. The Userid and Password must match those in the domain server database.

For more information on Holap++ Security and the Define User object, refer to the Holap++ documentation available in SAS online Help, the SAS OnlineDOC CD, and other SAS publications.