topic Re: Trying to Contain Users Inside of a Workspace Server Path in SAS Enterprise Guide

Trying to Contain Users Inside of a Workspace Server Path

StephenOverton — Tue, 09 Nov 2010 19:41:02 GMT

I am trying to give SAS a general read/write access to the OS and manage what users can read/write through metadata. Enterprise Guide users (and any programmers for that matter) are the only ones I worry about because the workspace server gives direct access to the file system. I've actually got this covered by setting the workspace server path to where I want the users to read/write their data. BUT lets say a user is smart enough to figure out the directory structure and potentially write their own libname statement to another directory outside their workspace server, they could access data they shouldn't be able to.

Anybody have ideas? I would hope there is an option for the workspace server to limit what users can read/write depending on if it is outside the path defined for the workspace server.

Re: Trying to Contain Users Inside of a Workspace Server Path

twocanbazza — Wed, 10 Nov 2010 03:50:18 GMT

If you are worried about security that much, i suggest using using the OS permisisions as well as the MD permission, I believe that is the 'Best Practise'.

I am not sure what you mean by "setting the workspace server path " can you expand?

also what OS, what version of sas etc...

Barry

Re: Trying to Contain Users Inside of a Workspace Server Path

ChrisHemedinger — Wed, 10 Nov 2010 21:08:54 GMT

Steve is referring to the File Navigation path that you can set in the workspace server properties, which serves as a cue for how to allow the end user to navigate the server file system from within EG.

The advice is correct though: lock down the OS file system to prevent unauthorized access to areas the end user shouldn't get to. Creative SAS programmers can find programmatic methods to access content that is open, if they want to.

Chris

Re: Trying to Contain Users Inside of a Workspace Server Path

StephenOverton — Wed, 10 Nov 2010 21:42:18 GMT

We're going to investigate the use of ACLs to take it a step further...

http://support.sas.com/kb/33/961.html

Re: Trying to Contain Users Inside of a Workspace Server Path

Patrick — Wed, 10 Nov 2010 22:12:00 GMT

Hi
To set security on OS level will be the safest way.
User "sassrv" (EG) would then have only write access to the directories you want, user "sas" would be used for batch job with write access to much more directories.
Have "sas" and "sassrv" in the same group (I assume OS is UNIX) and set ACL appropriate (setfacl, getfacl). I have seen something like this already set-up and working.
There is also some possibility to suppress SAS commands (i.e. a Libname statement) and I've worked on one site where this was implemented. I don't know exactly how this was done and I also feel it's kind of a "brute force" method.
HTH
Patrick