BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
DmitryErshov
Obsidian | Level 7

I created test STP:

 

proc sql;
  select * from MYLIB.sometable;
run;

and chose option 'Stored process server only' on Execution tab. I have library MYLIB (preassigned by native engine) and I made the following Authorization constraints for it:

 

SAS General Servers - ReadMetadata - Deny

SAS System Services - ReadMetadata - Deny

SAS Trusted User - ReadMetadata - Deny

myuser - ReadMetadata - Deny

 

But when I launch the STP from Stored Process Web Application (I logged as myuser) then it executed without errors. STP sees MYLIB.sometable and can select rows from it.

 

Could somebody explain me why? 

1 ACCEPTED SOLUTION

Accepted Solutions
BrunoMueller
SAS Super FREQ

STP Server are not ended once a STP request is finished.

 

So you might still be using a Stored Process Server that has been started before you actually changed the permissions on your library.

 

I recommend to end all Stored Process Server processes and try again.

 

See also this blog entry https://communities.sas.com/t5/Administration-and-Deployment/A-custom-task-to-list-and-stop-active-S... by @ChrisHemedinger about a task for SAS Enterprise Guide to list all SAS server processes.

View solution in original post

8 REPLIES 8
nhvdwalt
Barite | Level 11

Setups vary, but generally STPs run under a a shared account, typically sassrv, not your own account. So if the shared account has the required OS permissions, it should all work.

 

However, this is just one of a couple of moving parts in the whole STP operation....

DmitryErshov
Obsidian | Level 7

Thanks for reply.

 

But as I know sassrv is OS user (not SAS user), however I make constraints not at OS level, but at SAS Metadata Level. So, it is interesting under what SAS user (registered in Management Console) STP is executed.

Quentin
Super User

You're right, since MYLIB is a metadata library, you should be able to manage the permissions in metadata.  If you log in to the stored process web app as MYUSER, the stored process runs with that user. I would check the metadata permissions for the library, and turn all of the READ* permissions to deny.  If that doesn't work, I would change the permissions for the metadata table for MYUSER, just to make sure that can work, then I would read more about how metadata library permissions work.

The Boston Area SAS Users Group is hosting free webinars!
Next webinar will be in January 2025. Until then, check out our archives: https://www.basug.org/videos. And be sure to subscribe to our our email list.
Quentin
Super User

So you're applying these permissions to the metadata library, rather than the metadata table or metadata folder?

 

I would try different denials for MYUSER (as I understand it, an explicit denial to MYUSER should work).  I don't remember what options there are for library permissions.  In addition to ReadMetadata, is there also a ReadMemberMetadata or just Read?  It could be that one of those settings effects the ability to read tables from a library.

The Boston Area SAS Users Group is hosting free webinars!
Next webinar will be in January 2025. Until then, check out our archives: https://www.basug.org/videos. And be sure to subscribe to our our email list.
Meera_SAS
SAS Employee

One easy way to check is via SAS Management Console assuming you have access to it. You can right click on the Stored Process Server and do a validate or Test Connection. If the validation works then the Stored Process server is set up correctly. The Stored Process server runs under a shared account usually the "sassrv" account. If the validation fails then you can look at the logs to see where the problem is.  

DmitryErshov
Obsidian | Level 7

I tried to deny all available permissions for library. And STP (if it is launched on Stored Process Server) can read data from table. But if I change Stored Process Server to Workspace Server then receive error

 

ERROR: Libref MYLIB is not assigned.

 

as we can expect. But it is still mystery why I don't get an error when STP runs on Stored Process Server.

BrunoMueller
SAS Super FREQ

STP Server are not ended once a STP request is finished.

 

So you might still be using a Stored Process Server that has been started before you actually changed the permissions on your library.

 

I recommend to end all Stored Process Server processes and try again.

 

See also this blog entry https://communities.sas.com/t5/Administration-and-Deployment/A-custom-task-to-list-and-stop-active-S... by @ChrisHemedinger about a task for SAS Enterprise Guide to list all SAS server processes.

DmitryErshov
Obsidian | Level 7
You are right! I restarted servers and now STP works as expected.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 8 replies
  • 3416 views
  • 6 likes
  • 5 in conversation