Skip to main content

How SAS Admins should secure SAS configuration files?

SAS configuration files are stored in operating system. Those files should be secured using operating system security features such as ACL/chmod in Linux and Security option in Windows. SAS doesn't provide security to configuration files. You cannot bound the files with metadata security. The security of SAS config files are purely OS dependent. SAS Admin should plan whom should they give access to the configuration directory. Usually, users will be added to groups depending on the role. For example, add all user who need full access to admin group and add all user who need basic access for navigating directory to developer group.

Find more about configuration directory here.

Why security is needed for config directory?
In configuration directory, there will be have important contents of SAS like:

  • Metadata repository datasets (dataset is nothing but a table in SAS). Metadata repository datasets stores information about metadata objects like users, groups etc in form of table. Making changes to SAS datasets directly will cause severe damage to SAS environment.  
  • Scripts generated by SAS installation usually used to start or stop server 
  • Logs generated by Workspace Server, Stored Process Server, Object Spawner, Metadata Server and Pooled Workspace server.
  • Other important configuration files like sasv9, autoexec file, logconfig.


Any changes made to above mention content will severely affect production. You may not able to connect to any SAS server if you don't make changes properly. There are several steps to be followed if you made any changes. It is advisable to give permission only to SAS Admin or one who have excellent knowledge about SAS.

Permissions needed in SAS configuration directory for Windows server:
In Windows, the user who performs installation will have access to configuration file. For example: if user Jack performs SAS installation then he will have access to the configuration files.

Most of the times, client recommends to place the log in custom location. So you need to provide sufficient access to log directories to users who want to connect to SAS platform. If your enable logs for workspace server then the log directory should be given Full Control for the users of workspace server. If you don't give Full Control, then it will throws error when a users connect to the SASApp in SAS Enterprise Guide (which I experienced) and may throw error in other client application too.

SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.

Permissions needed in SAS configuration directory for Linux server:
In Linux environment, add SAS Spawned Server account to SAS group. As I mentioned before, you will be using different log directory instead of the default one. Give appropriate permission to the log directory. If logging for workspace server is enabled then the users of that server should have RWX (read, write and execute) permission to the workspace server log directory.

Like Windows, SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.

Comments

Popular posts from this blog

Insufficient authorization to access PIPE error in SAS EG

Issue: When I tried to run SAS code in SAS Enterprise Guide it throws following errors: ERROR: Insufficient authorization to access PIPE. ERROR: Error in the FILENAME statement. Screenshot of error: Solution: This error occurs when you try to run OS commands in SAS code. To run the OS commands in SAS code you need to enable XCMD option. You check it in SAS Management Console by following below steps.   Open SMC -> Expand Servers -> Expand   In SASApp , expand Logical Workspace Server -> right click on Workspace Server. Click properties -> option tab -> advanced options -> launch properties. Check whether Allow XCMD is checked. The issue arises if the Allow XCMD is not checked. In above image, Allow XCMD option is not checked. It should be checked to run OS commands from SAS code. In Unix /Linux machines, this XCMD option can be enabled by using system option XCMD in sasv9 config file or workspaceserver.sh script f...

The authentication server is not SETUID ROOT error in SAS

Question: When validating the SAS Server from SAS Management Console, I received the following error: The authentication server is not SETUID ROOT.  So, I ran the setuid.sh utility and restarted the services many times. I just checked the elssrv sasauth sasperm setuid bit. There were no error in sasauth-debug.log, sasauth-access.log, sasauth-error.log.  Any suggestions? Answer: Please do the following:    1) Run /<SASConfig>/Lev<X>/ObjectSpawner/ObjectSpawner.sh stop  2) Edit /<SASConfig>/Lev<X>/ObjectSpawner/ObjectSpawner.sh and add the code shown below right after SCRIPT=`basename $0`:  if [ -n ""$TKPATH"" ]; then  unset TKPATH  fi   if [ -n ""$TK_PATHLIST"" ]; then  unset TK_PATHLIST  fi    3) Run /<SASConfig>/Lev<X>/ObjectSpawner/ObjectSpawner.sh start  The above code change in ObjectSpawner.sh should fix the issue.

SAS - CLI error trying to establish connection

Issue: User asked me to make a database connectivity to SQL Server. They provided following details SQL server hostname and ip address Database/DSN name Username Password I made entry in ODBC.ini file. You know, SQL Server entries were made in ODBC.ini and Oracle entries were made in TNS.ora file. Everything went fine, took back up of odbc.ini, made entry and saved the file. So to test this connection I ran the libname statement in SAS Enterprise Guide 6.1. It throwed following error. Error Message: My DB team showed that they are able to login   14 GOPTIONS ACCESSIBLE; 15 LIBNAME test ODBC DATASRC=SGE_DS SCHEMA=VST USER=sales PASSWORD=XXXXXXXXX; ERROR: CLI error trying to establish connection: [SAS/ACCESS to SQL Server][ODBC SQL Server Legacy Driver][SQL Server]Login failed for user 'sales'. Solution: First I suspected that Login failed for user 'sales' meant the password provided by DB team was wrong. They responded that they were able to login wi...