Architecting, installing and maintaining your SAS environment

Permissions when STP runs on Stored Process Server

Accepted Solution Solved
Reply
Highlighted
Contributor
Posts: 30
Accepted Solution

Permissions when STP runs on Stored Process Server

I created test STP:

 

proc sql;
  select * from MYLIB.sometable;
run;

and chose option 'Stored process server only' on Execution tab. I have library MYLIB (preassigned by native engine) and I made the following Authorization constraints for it:

 

SAS General Servers - ReadMetadata - Deny

SAS System Services - ReadMetadata - Deny

SAS Trusted User - ReadMetadata - Deny

myuser - ReadMetadata - Deny

 

But when I launch the STP from Stored Process Web Application (I logged as myuser) then it executed without errors. STP sees MYLIB.sometable and can select rows from it.

 

Could somebody explain me why? 


Accepted Solutions
Solution
a week ago
SAS Super FREQ
Posts: 785

Re: Permissions when STP runs on Stored Process Server

Posted in reply to DmitryErshov

STP Server are not ended once a STP request is finished.

 

So you might still be using a Stored Process Server that has been started before you actually changed the permissions on your library.

 

I recommend to end all Stored Process Server processes and try again.

 

See also this blog entry https://communities.sas.com/t5/Administration-and-Deployment/A-custom-task-to-list-and-stop-active-S... by @ChrisHemedinger about a task for SAS Enterprise Guide to list all SAS server processes.

View solution in original post


All Replies
Super Contributor
Posts: 277

Re: Permissions when STP runs on Stored Process Server

Posted in reply to DmitryErshov

Setups vary, but generally STPs run under a a shared account, typically sassrv, not your own account. So if the shared account has the required OS permissions, it should all work.

 

However, this is just one of a couple of moving parts in the whole STP operation....

Contributor
Posts: 30

Re: Permissions when STP runs on Stored Process Server

Thanks for reply.

 

But as I know sassrv is OS user (not SAS user), however I make constraints not at OS level, but at SAS Metadata Level. So, it is interesting under what SAS user (registered in Management Console) STP is executed.

PROC Star
Posts: 1,391

Re: Permissions when STP runs on Stored Process Server

Posted in reply to DmitryErshov

You're right, since MYLIB is a metadata library, you should be able to manage the permissions in metadata.  If you log in to the stored process web app as MYUSER, the stored process runs with that user. I would check the metadata permissions for the library, and turn all of the READ* permissions to deny.  If that doesn't work, I would change the permissions for the metadata table for MYUSER, just to make sure that can work, then I would read more about how metadata library permissions work.

PROC Star
Posts: 1,391

Re: Permissions when STP runs on Stored Process Server

Posted in reply to DmitryErshov

So you're applying these permissions to the metadata library, rather than the metadata table or metadata folder?

 

I would try different denials for MYUSER (as I understand it, an explicit denial to MYUSER should work).  I don't remember what options there are for library permissions.  In addition to ReadMetadata, is there also a ReadMemberMetadata or just Read?  It could be that one of those settings effects the ability to read tables from a library.

SAS Employee
Posts: 1

Re: Permissions when STP runs on Stored Process Server

One easy way to check is via SAS Management Console assuming you have access to it. You can right click on the Stored Process Server and do a validate or Test Connection. If the validation works then the Stored Process server is set up correctly. The Stored Process server runs under a shared account usually the "sassrv" account. If the validation fails then you can look at the logs to see where the problem is.  

Contributor
Posts: 30

Re: Permissions when STP runs on Stored Process Server

[ Edited ]

I tried to deny all available permissions for library. And STP (if it is launched on Stored Process Server) can read data from table. But if I change Stored Process Server to Workspace Server then receive error

 

ERROR: Libref MYLIB is not assigned.

 

as we can expect. But it is still mystery why I don't get an error when STP runs on Stored Process Server.

Solution
a week ago
SAS Super FREQ
Posts: 785

Re: Permissions when STP runs on Stored Process Server

Posted in reply to DmitryErshov

STP Server are not ended once a STP request is finished.

 

So you might still be using a Stored Process Server that has been started before you actually changed the permissions on your library.

 

I recommend to end all Stored Process Server processes and try again.

 

See also this blog entry https://communities.sas.com/t5/Administration-and-Deployment/A-custom-task-to-list-and-stop-active-S... by @ChrisHemedinger about a task for SAS Enterprise Guide to list all SAS server processes.

Contributor
Posts: 30

Re: Permissions when STP runs on Stored Process Server

Posted in reply to Bruno_SAS
You are right! I restarted servers and now STP works as expected.
☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 8 replies
  • 229 views
  • 6 likes
  • 5 in conversation