SAS configuration files are stored in operating system. Those files should be secured using operating system security features such as ACL/chmod in Linux and Security option in Windows. SAS doesn't provide security to configuration files. You cannot bound the files with metadata security. The security of SAS config files are purely OS dependent. SAS Admin should plan whom should they give access to the configuration directory. Usually, users will be added to groups depending on the role. For example, add all user who need full access to admin group and add all user who need basic access for navigating directory to developer group.
Find more about configuration directory here.
Why security is needed for config directory?
In configuration directory, there will be have important contents of SAS like:
Any changes made to above mention content will severely affect production. You may not able to connect to any SAS server if you don't make changes properly. There are several steps to be followed if you made any changes. It is advisable to give permission only to SAS Admin or one who have excellent knowledge about SAS.
Permissions needed in SAS configuration directory for Windows server:
In Windows, the user who performs installation will have access to configuration file. For example: if user Jack performs SAS installation then he will have access to the configuration files.
Most of the times, client recommends to place the log in custom location. So you need to provide sufficient access to log directories to users who want to connect to SAS platform. If your enable logs for workspace server then the log directory should be given Full Control for the users of workspace server. If you don't give Full Control, then it will throws error when a users connect to the SASApp in SAS Enterprise Guide (which I experienced) and may throw error in other client application too.
SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.
Permissions needed in SAS configuration directory for Linux server:
In Linux environment, add SAS Spawned Server account to SAS group. As I mentioned before, you will be using different log directory instead of the default one. Give appropriate permission to the log directory. If logging for workspace server is enabled then the users of that server should have RWX (read, write and execute) permission to the workspace server log directory.
Like Windows, SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.
Find more about configuration directory here.
Why security is needed for config directory?
In configuration directory, there will be have important contents of SAS like:
- Metadata repository datasets (dataset is nothing but a table in SAS). Metadata repository datasets stores information about metadata objects like users, groups etc in form of table. Making changes to SAS datasets directly will cause severe damage to SAS environment.
- Scripts generated by SAS installation usually used to start or stop server
- Logs generated by Workspace Server, Stored Process Server, Object Spawner, Metadata Server and Pooled Workspace server.
- Other important configuration files like sasv9, autoexec file, logconfig.
Any changes made to above mention content will severely affect production. You may not able to connect to any SAS server if you don't make changes properly. There are several steps to be followed if you made any changes. It is advisable to give permission only to SAS Admin or one who have excellent knowledge about SAS.
Permissions needed in SAS configuration directory for Windows server:
In Windows, the user who performs installation will have access to configuration file. For example: if user Jack performs SAS installation then he will have access to the configuration files.
Most of the times, client recommends to place the log in custom location. So you need to provide sufficient access to log directories to users who want to connect to SAS platform. If your enable logs for workspace server then the log directory should be given Full Control for the users of workspace server. If you don't give Full Control, then it will throws error when a users connect to the SASApp in SAS Enterprise Guide (which I experienced) and may throw error in other client application too.
SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.
Permissions needed in SAS configuration directory for Linux server:
In Linux environment, add SAS Spawned Server account to SAS group. As I mentioned before, you will be using different log directory instead of the default one. Give appropriate permission to the log directory. If logging for workspace server is enabled then the users of that server should have RWX (read, write and execute) permission to the workspace server log directory.
Like Windows, SAS Spawned Server account must be given write access to stored process directory if users use SAS Enterprise Guide to create stored processes.
Comments
Post a Comment