topic Re: Permissions when STP runs on Stored Process Server in Administration and Deployment

Permissions when STP runs on Stored Process Server

DmitryErshov — Tue, 13 Feb 2018 12:38:54 GMT

I created test STP:

proc sql;
  select * from MYLIB.sometable;
run;

and chose option 'Stored process server only' on Execution tab. I have library MYLIB (preassigned by native engine) and I made the following Authorization constraints for it:

SAS General Servers - ReadMetadata - Deny

SAS System Services - ReadMetadata - Deny

SAS Trusted User - ReadMetadata - Deny

myuser - ReadMetadata - Deny

But when I launch the STP from Stored Process Web Application (I logged as myuser) then it executed without errors. STP sees MYLIB.sometable and can select rows from it.

Could somebody explain me why?

Re: Permissions when STP runs on Stored Process Server

nhvdwalt — Tue, 13 Feb 2018 13:10:11 GMT

Setups vary, but generally STPs run under a a shared account, typically sassrv, not your own account. So if the shared account has the required OS permissions, it should all work.

However, this is just one of a couple of moving parts in the whole STP operation....

Re: Permissions when STP runs on Stored Process Server

Quentin — Tue, 13 Feb 2018 13:50:52 GMT

So you're applying these permissions to the metadata library, rather than the metadata table or metadata folder?

I would try different denials for MYUSER (as I understand it, an explicit denial to MYUSER should work). I don't remember what options there are for library permissions. In addition to ReadMetadata, is there also a ReadMemberMetadata or just Read? It could be that one of those settings effects the ability to read tables from a library.

Re: Permissions when STP runs on Stored Process Server

DmitryErshov — Tue, 13 Feb 2018 13:59:59 GMT

Thanks for reply.

But as I know sassrv is OS user (not SAS user), however I make constraints not at OS level, but at SAS Metadata Level. So, it is interesting under what SAS user (registered in Management Console) STP is executed.

Re: Permissions when STP runs on Stored Process Server

Quentin — Tue, 13 Feb 2018 14:04:48 GMT

You're right, since MYLIB is a metadata library, you should be able to manage the permissions in metadata. If you log in to the stored process web app as MYUSER, the stored process runs with that user. I would check the metadata permissions for the library, and turn all of the READ* permissions to deny. If that doesn't work, I would change the permissions for the metadata table for MYUSER, just to make sure that can work, then I would read more about how metadata library permissions work.

Re: Permissions when STP runs on Stored Process Server

Meera_SAS — Tue, 13 Feb 2018 14:25:37 GMT

One easy way to check is via SAS Management Console assuming you have access to it. You can right click on the Stored Process Server and do a validate or Test Connection. If the validation works then the Stored Process server is set up correctly. The Stored Process server runs under a shared account usually the "sassrv" account. If the validation fails then you can look at the logs to see where the problem is.

Re: Permissions when STP runs on Stored Process Server

DmitryErshov — Tue, 13 Feb 2018 15:06:24 GMT

I tried to deny all available permissions for library. And STP (if it is launched on Stored Process Server) can read data from table. But if I change Stored Process Server to Workspace Server then receive error

ERROR: Libref MYLIB is not assigned.

as we can expect. But it is still mystery why I don't get an error when STP runs on Stored Process Server.

Re: Permissions when STP runs on Stored Process Server

BrunoMueller — Tue, 13 Feb 2018 15:09:56 GMT

STP Server are not ended once a STP request is finished.

So you might still be using a Stored Process Server that has been started before you actually changed the permissions on your library.

I recommend to end all Stored Process Server processes and try again.

See also this blog entry https://communities.sas.com/t5/Administration-and-Deployment/A-custom-task-to-list-and-stop-active-SAS-sessions/m-p/251340 by @ChrisHemedinger about a task for SAS Enterprise Guide to list all SAS server processes.

Re: Permissions when STP runs on Stored Process Server

DmitryErshov — Tue, 13 Feb 2018 15:30:12 GMT

You are right! I restarted servers and now STP works as expected.