https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483549#M13804 <P>Hi All,</P><P>&nbsp;</P><P>We are currently running SAS 9.4 M5 (For Linux) and SAS Studio 3.71. We also have users who use batch sas and SAS interactive. We&nbsp;use grid with x nodes and the integration of SAS infra with grid is through LSF 9. Assuming a user logs into SAS Studio , he/she would be routed to one of the x grid nodes and the root directory (along with sub-dirs) are made available in the left palette of SAS Studio. Our current security setup is such that any user who would like to access SAS Studio application, has to -</P><P>1) His/ her unix ID needs to have access to SAS servers as well as the x Grid nodes</P><P>2) needs to be part of SAS Metadata (PAM auth verification)</P><P>&nbsp;</P><P>Now whenever the user logs into SAS Studio, we see 2 processes spawned under his/ her ID. Now we would like to configure te security in such a way that these jobs should not be spawned under the user's ID, rather there should be a common service account. So irrespective of whoever logs into SAS Studio (after the system authenticates him/ her), all processes should be owned by a service account.</P><P>&nbsp;</P><P>How do we go about this? Any thoughts?&nbsp;</P> Fri, 03 Aug 2018 16:15:55 GMT Kamsher 2018-08-03T16:15:55Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483549#M13804 <P>Hi All,</P><P>&nbsp;</P><P>We are currently running SAS 9.4 M5 (For Linux) and SAS Studio 3.71. We also have users who use batch sas and SAS interactive. We&nbsp;use grid with x nodes and the integration of SAS infra with grid is through LSF 9. Assuming a user logs into SAS Studio , he/she would be routed to one of the x grid nodes and the root directory (along with sub-dirs) are made available in the left palette of SAS Studio. Our current security setup is such that any user who would like to access SAS Studio application, has to -</P><P>1) His/ her unix ID needs to have access to SAS servers as well as the x Grid nodes</P><P>2) needs to be part of SAS Metadata (PAM auth verification)</P><P>&nbsp;</P><P>Now whenever the user logs into SAS Studio, we see 2 processes spawned under his/ her ID. Now we would like to configure te security in such a way that these jobs should not be spawned under the user's ID, rather there should be a common service account. So irrespective of whoever logs into SAS Studio (after the system authenticates him/ her), all processes should be owned by a service account.</P><P>&nbsp;</P><P>How do we go about this? Any thoughts?&nbsp;</P> Fri, 03 Aug 2018 16:15:55 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483549#M13804 Kamsher 2018-08-03T16:15:55Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483613#M13806 <P>To launch SAS Workspace Servers using a service account instead of the requesting user account you can configure it for SAS Token Authentication - see <A href="http://documentation.sas.com/?cdcId=bicdc&amp;cdcVersion=9.4&amp;docsetId=bisecag&amp;docsetTarget=n0rhb6yftn8srbn1wqxpg2s0fzfd.htm&amp;locale=en" target="_self">SAS Token Authentication</A>&nbsp;and <A href="http://documentation.sas.com/?cdcId=bicdc&amp;cdcVersion=9.4&amp;docsetId=bisecag&amp;docsetTarget=p06o3ymf2cuw16n1cmyi47t9icsn.htm&amp;locale=en" target="_self">How to Configure SAS Token Authentication</A>&nbsp;in the&nbsp;<EM>SAS 9.4 Intelligence Platform: Administration Security Administration Guide</EM>.<BR /><BR /><BR /></P> Thu, 02 Aug 2018 23:10:45 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483613#M13806 PaulHomes 2018-08-02T23:10:45Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483770#M13809 Thanks Paul. I'll read the artifact you shared! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Fri, 03 Aug 2018 13:38:39 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483770#M13809 Kamsher 2018-08-03T13:38:39Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483772#M13810 <P>Out of experience, I advise against this. You lose all options of using operating system based user specific settings, like file system quotas etc</P> Fri, 03 Aug 2018 13:44:21 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483772#M13810 Kurt_Bremser 2018-08-03T13:44:21Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483834#M13811 <P>As&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/11562">@Kurt_Bremser</a>&nbsp;correctly mentions in <A href="I'm interested in understanding the business value / reason behind the type of configuration you are asking about. Would you be able to explain why this configuration is desired at your site?" target="_blank">his reply</A>, the limitation of configuring SAS Token Authentication is that you&nbsp;lose<SPAN>&nbsp;granularity of host access on the workspace servers.&nbsp;You'll need to be very aware of the privileges assigned to the&nbsp;service account on the host operating system - if it's configured to have generous privileges, than any user's workspace server session will also have that generous access to the host OS (although you can apply some access restrictions via SAS metadata).&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I'm interested in understanding the business value / reason behind the type of configuration you are asking about.&nbsp;Can you give us more info about&nbsp;why this configuration is desired at your site?</SPAN></P> Fri, 03 Aug 2018 15:49:59 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Studio-security-setup/m-p/483834#M13811 shayne 2018-08-03T15:49:59Z