If your UNIX admins are unwilling or unable to configure the host for AD authentication with PAM then you might consider re-configuring your UNIX hosted SAS Workspace Server to use SAS Token Authentication. All of the SAS processes on the UNIX server will then run as a single local service account (e.g. sassrv). Whilst you will be able to use metadata access controls, be aware that this approach severely limits your ability to take advantage of UNIX file system access controls (without resorting to multiple servers and multiple service accounts etc).

It would be worth discussing this with both your UNIX admins and the security department, so that they are aware of, and accept, the security ramifications of using SAS Token Authentication vs host authentication for SAS Workspace Servers. Some people prefer to use SAS Token Authentication and some don't. Both approaches are fine as long as you are aware of, and accept, the pros and cons.

Configuring UNIX or Linux for Windows AD authentication is easier than it used to be. I like to use realmd - see Active Directory Authentication for SAS on Linux (with realmd) for more info.

For more information see the How to Configure SAS Token Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide, as well as the linked pages in the See Also section.

Another messy option is to save the user's UNIX credentails in their SAS Metadata profile, then configure your UNIX Workspace server with something like UNIXAuth authentication domain. Downside is that your user's will need to update their password in the SAS Metedata everytime it changes on UNIX, People will forget, sessions will fail, blah, blah.... Your security department might also not be happy about the fact that UNIX credentails are retained outside of UNIX, but again, like @PaulHomes said, they have to pick their battle. There are however different ways to encrypt the credentails (at rest and in motion) with SAS Secure to calm their fears.

Else.....if you ommit the UNIX password from the user's Metadata profile, SAS Enterprise Guide should prompt you for it when trying to connect to the Workspace server. Downside is that the user will need to enter their password when making the connection, but your security department might be more comfortable since you are not storing UNIX credential outside of UNIX. The user also wouldn't need to update their password in the SAS metedata when it changes on UNIX. Pros...cons...pros...cons...

If you can't get yor UNIX system included in the AD with PAM, then move the metadata server to UNIX. That way at least users will know that their Data Warehouse (not UNIX) password is physically different from their "normal" password, but they only have to enter it once when starting their application. Otherwise they'll need to enter one password for metadata and one for the workspace servers.

Running SAS with a single system ID (SAS Token Authentication) should be avoided, as it makes (sensibly) managing your users next to impossible.

Thank you all for your input, we probably going to go the authdomain way as we already have our Oracle credential in it, and yes it has is pros and cons.  Security Dept. are ok with it.

Thanks again!