Architecting, installing and maintaining your SAS environment

Controlling the directory access for the AD users on Linux-based SASApp server

Contributor
Posts: 41
In our setup, the Windows users don't have Linux presence and we are using the PAM authentication to authenticate them. I would like to create 2 directories, DirA and DirB, which are owned by GrpA and GrpB users respectively. Let's say I have 3 users, X@abc.com, Y@ABC.com and Z@ABC.com, and X is a member of GrpA, Y is a member of GrpB, and Z is a member of both the groups. How can I achieve this in Unix?


All Replies
Regular Contributor
Posts: 174

If I understand you correctly, I think it would be something like the following.

You need to have the Linux groups created (GrpA/GrpB) and then have each user added to their respective group (presumably their GID, primary group, would be either GrpA or GrpB).

Then you need to create DirA and DirB and change the group ownership of the DirA and DirB to GrpA and GrpB. So something like: "chgrp GrpA /DirA"

So long as the user is a member of the appropriate group and the directory has execute permissions for the group that owns it, they should have access to those directories.

Contributor
Posts: 41

Posted in reply to Timmy2383

Yes Tim. Exactly!!! These users only have a Windows presence and are using SAS only through EG. If they place any external file in these directories, only the members of that group should be able to see the files. I have created dirA and GrpA, changed the ownership of dirA to grpA, placed a file in that directory, and modified the permissions to 770. If I log in as userB, I am able to see files under dirA. Don't know what I am missing here.

Regular Contributor
Posts: 174

Can you show me the current permissions for DirA, and then issue the following commands and send me the output?

id UserA
id UserB

Contributor
Posts: 41

Posted in reply to Timmy2383

Current permissions for DirA are drwxrwx---+, and I apologize as I cannot send the output of the next commands as it's sensitive data.

Regular Contributor
Posts: 174

The only reason UserB should be able to access DirA, with the permissions as they are, is because UserB is in GrpA. You need to check the groups of UserB.

If you issue "groups UserB", is GrpA in the list?

Contributor
Posts: 41

Posted in reply to Timmy2383

No. GroupA is not listed for userB.

Regular Contributor
Posts: 174

How are you verifying that UserB can access DirA?

Contributor
Posts: 41

Posted in reply to Timmy2383

I have logged in to SAS EG as userB and expanded SASApp server > files > dirA, and I can consume the file in my SAS code.

Regular Contributor
Posts: 174

I just noticed, you sent me the permissions for /DirA but not the long listing that shows the owner and group. Can you show that as well?

Can you putty into the server and see the SAS process for your session? Can you verify that's actually running under UserB and not one of the SAS service accounts (like sassrv)?

Contributor
Posts: 41

Posted in reply to Timmy2383

Hi Tim,

Please find the info asked:

drwxrwx---+  2 sasadmin        dirA                4096 Feb 10 19:17 dirA

Solution
‎02-16-2016 12:26 PM
Regular Contributor
Posts: 174

I'm not too familiar with them, but the "+" at the end of your permissions string may indicate that you have ACLs (Access Control Lists) implemented. If I understand ACLs correctly, these could potentially be overriding the OS permissions you're trying to set. You might want to get with your Unix Admins to see if the ACLs may be overriding what you're trying to do.
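
Added example (not part of the original thread): a shell helper that reads getfacl output and lists the named user and group entries that grant access beyond what "ls -l" shows, with the ACL mask applied. The sample ACL is constructed; only the owner and group names come from the listing above, and the named entries (sassrv, GrpB) are hypothetical.

```shell
#!/bin/sh
# Added example: list the named ACL entries that grant access beyond the
# owner/group/other bits shown by "ls -l" (the trailing "+" marks an ACL).

# Constructed sample of `getfacl dirA` output. Owner and group match the
# listing in the thread; the named entries are hypothetical.
sample_acl() {
    cat <<'EOF'
# file: dirA
# owner: sasadmin
# group: dirA
user::rwx
user:sassrv:rwx
group::rwx
group:GrpB:r-x
mask::rwx
other::---
EOF
}

# Reads getfacl text on stdin; prints kind:name:effective-perms for every
# named user/group entry that still grants something after the mask.
acl_extra_access() {
    awk -F: '
        /^#/ || NF < 3 { next }                 # header comments, blank lines
        { sub(/[ \t]*#.*/, "", $3) }            # drop a trailing "#effective" note
        $1 == "mask" { mask = $3; next }
        ($1 == "user" || $1 == "group") && $2 != "" {
            kind[++n] = $1; who[n] = $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (b = 1; b <= 3; b++) {
                    c = substr(perm[i], b, 1)
                    # the mask caps every named entry
                    if (mask != "" && substr(mask, b, 1) == "-") c = "-"
                    eff = eff c
                }
                if (eff != "---") print kind[i] ":" who[i] ":" eff
            }
        }'
}

sample_acl | acl_extra_access
```

On the server, feed it real output with `getfacl /path/to/dirA | acl_extra_access`; any line it prints is an identity that can reach the directory regardless of the owning group's membership.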

Contributor
Posts: 41

Posted in reply to Timmy2383

Sure Tim. I think that's what's happening. Let me check with them and see what's going on.

☑ This topic is solved.