topic Re: How to provide access to a SAS workspace server /SASAPP server to a user in Administration and Deployment

How to provide access to a SAS workspace server /SASAPP server to a user

RupaJ — Fri, 08 Feb 2019 20:57:42 GMT

Hello SAS users,

Could some one please tell me how I should grant/revoke access to a user on a SAS application server. I have a SASAPP2 server that only few users in the company have access to and now I see couple users who should not be having access on that server. Now how do I revoke the access for those users. Have been looking around for quite some time to figure this out. Pretty sure this should be very straightforward.

Thanks!

Re: How to provide access to a SAS workspace server /SASAPP server to a user

SuryaKiran — Fri, 08 Feb 2019 22:14:10 GMT

Hello,

Refer SAS Management Console.

https://documentation.sas.com/?docsetId=mcsecug&docsetTarget=n0pgcve9z5pfp7n1rf46l5u5xkbf.htm&docsetVersion=9.4&locale=en

Re: How to provide access to a SAS workspace server /SASAPP server to a user

PaulHomes — Sat, 09 Feb 2019 01:09:47 GMT

Rather than looking at this problem as how do I revoke access to people who have access but shouldn't, I would recommend taking a step back and considering how do I make sure I only grant access to the people who should have access. Based on the latter it looks like the access controls on the app server are not currently setup correctly to only grant access to those who should have access.

If you were to look at denying access to specific users or non-implicit groups (groups other than PUBLIC/SASUSERS) then you are very likely to run into conflict scenarios. You end up finding people-who-have-access-who-shouldn't or people-who-don't-have-access-but-should that can hard to troubleshoot (and the first group don't always tell you).

The recommended practice is to deny broadly (wipe out everyone's access) using PUBLIC (or SASUSERS) and then start granting access back to those who should have access (SAS System Services, SAS Administrators, other org groups).

For more info on this, there several resources you could look at:

SAS® Security Model Design Golden Rules, Validation, and Monitoring - Webinar - there is a webinar and many links to related papers
SAS Global Forum 2011 Paper 376-2011 Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark by Cecily Hoffritz & Johannes Jørgensen - includes example of securing app servers too

If you follow those best practice examples then you control who has access by making sure they are members of groups that should have access. By making sure you do not deny permissions to any identity other than PUBLIC/SASUSERS then you also won't get conflicts. If the groups are setup correctly and someone doesn't have access then they need to join a group that has access. If they have access but shouldn't then they need to leave any groups that have access. If neither of those choices make business sense then the access controls and groups need to be revisited.

Re: How to provide access to a SAS workspace server /SASAPP server to a user

RupaJ — Wed, 13 Feb 2019 19:46:43 GMT

Thanks @PaulHomes - I exactly did as you mentioned. Thanks so much for the detailed response. Appreciate it!

Re: How to provide access to a SAS workspace server /SASAPP server to a user

PaulHomes — Wed, 13 Feb 2019 23:45:52 GMT

Great to hear it was helpful and thanks for marking it solved.