Re: SAS Studio security setup

shirishkamath · Posted 08-02-2018 03:29 PM

Hi All,

We are currently running SAS 9.4 M5 (For Linux) and SAS Studio 3.71. We also have users who use batch sas and SAS interactive. We use grid with x nodes and the integration of SAS infra with grid is through LSF 9. Assuming a user logs into SAS Studio , he/she would be routed to one of the x grid nodes and the root directory (along with sub-dirs) are made available in the left palette of SAS Studio. Our current security setup is such that any user who would like to access SAS Studio application, has to -

1) His/ her unix ID needs to have access to SAS servers as well as the x Grid nodes

2) needs to be part of SAS Metadata (PAM auth verification)

Now whenever the user logs into SAS Studio, we see 2 processes spawned under his/ her ID. Now we would like to configure te security in such a way that these jobs should not be spawned under the user's ID, rather there should be a common service account. So irrespective of whoever logs into SAS Studio (after the system authenticates him/ her), all processes should be owned by a service account.

How do we go about this? Any thoughts?

PaulHomes · Posted 08-02-2018 07:10 PM

To launch SAS Workspace Servers using a service account instead of the requesting user account you can configure it for SAS Token Authentication - see SAS Token Authentication and How to Configure SAS Token Authentication in the SAS 9.4 Intelligence Platform: Administration Security Administration Guide.

shirishkamath · Posted 08-03-2018 09:38 AM

Thanks Paul. I'll read the artifact you shared! 🙂

Kurt_Bremser · Posted 08-03-2018 09:44 AM

Out of experience, I advise against this. You lose all options of using operating system based user specific settings, like file system quotas etc

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX

shayne · Posted 08-03-2018 11:49 AM

As @Kurt_Bremser correctly mentions in his reply, the limitation of configuring SAS Token Authentication is that you lose granularity of host access on the workspace servers. You'll need to be very aware of the privileges assigned to the service account on the host operating system - if it's configured to have generous privileges, than any user's workspace server session will also have that generous access to the host OS (although you can apply some access restrictions via SAS metadata).

I'm interested in understanding the business value / reason behind the type of configuration you are asking about. Can you give us more info about why this configuration is desired at your site?