topic SAS DI Studio 9.04 with SAS Studio Enterprise 3.6 Security question in Administration and Deployment

SAS DI Studio 9.04 with SAS Studio Enterprise 3.6 Security question

gjanuary — Wed, 22 Aug 2018 17:17:21 GMT

I currently have five separate databases that require completely different security. On the meta-data side of things I have security handled. My problem is with SAS Studio and its connection to my metadata server. Its not just applying the security I've setup in management console in metadata its also using security from the metadata physical server. The test user that I'm using had to be added to a security group on the physical windows server in order to even access the application. I guess I should add that the application is being accessed via browser. How is windows security overriding security from metadata. What does windows security have to do with access to SAS Studio Enterprise. I've already taken the steps in management console so that the users can't see the physical server drives in SAS Studio, but that wouldn't stop a savvy user from creating their own shortcut to a physical drive. Are we left with having to manage windows security as well as meta data security if we desire to have users using SAS Studio Enterprise. I must be missing something. If not any suggestions on windows server security groups and permissions.

Re: SAS DI Studio 9.04 with SAS Studio Enterprise 3.6 Security question

shayne — Wed, 22 Aug 2018 21:03:31 GMT

SAS metadata is used for authorization but it's not used for authentication. It sounds like your site has configured host authentication which is why proper privileges must be assigned to users on the host operating system.

SAS Studio requires that users have the correct permissions on the host operating system so that workspace server sessions (sas.exe) can be launched under each user's Windows ID. The host operating system privileges that users must have to use workspace server based clients like SAS Studio are covered in the SAS® 9.4 Intelligence Platform: Security Administration Guide under Fundamentals > User Administration > Windows Privileges. These privileges are required for any workspace server based client in a Windows environment using host authentication, including SAS Enterprise Guide and DI Studio.

Usually administrators will create a Windows user group named something like "SAS Server Users", make sure the group has the necessary privileges, then add users to the group as needed.

You can also consider configuring an alternate authentication mechanism like Integrated Windows Authentication (IWA) or SAS Token Authentication.