@AsSASsin,

Your setup is a bit confusing, you said:

• We changed the "host authentication" for the SASApp Logical Workspace Server in SAS Token authentication
• we have created some Unix service users(foreach groups and each workspace server)
• The unix users credential are stored in General Servers Group and we have created some metadata groups to private access to workspaces.

So you have more than one application server with SAS Token Authentication enabled? Why did you create multiple UNIX service accounts? Have you had any specific reasons for that? Why can't you use sassrv user for all of them? Where are you controlling access to the workspace server? On the workspace server object or somewhere else?

1. So you have more than one application server with SAS Token Authentication enabled?

No, it is only one, but the logical workspace server has a workspace server for each Group of users.

2. Why did you create multiple UNIX service accounts?

Because I need a workspace server foreach Group of users.

3. Have you had any specific reasons for that?

Yes, the phisical data that you see in EG cannot be shared between groups.

4. Why can't you use sassrv user for all of them?

Because, it is a tecnical service unix identity used by other processes and I cannot share the data between groups.

5. Where are you controlling access to the workspace server?

In management console, with metadata restricted access using an Access Control Template.

6. On the workspace server object or somewhere else?

On each workspace server.

We applied this note:

http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/viewer.htm#a003280630.htm

It is for SAS 9.2 but I think it is good also for 9.4 M4 that is the version that we use.

@AsSASsin,

Thanks for your response.

Is it normal refresh the spawner each time we change the Group of an user?

With your current setup - yes.

But from my point of view, rather than complicating SAS configuration, just configure PAM authentication on the OS and switch to PAM authentication in SAS. In this case, you do not need to create multiple workspace servers and you can manage access to physical data based on your LDAP/AD groups. Please note in order to configure PAM on the OS level, your LDAP schema has to be UNIX enabled. This means that your LDAP schema should contain information about user's UID, GID and so on.

Thank you for the reply.

We will look for antoher configuration.

This problem with the spawner refreshing with a change in the users metadata configuration should be underlined in the public SAS support notes.

Thanks a lot.

Could I use host authentcation with a system identity stored inside a metadata Group with an authentication domain?

http://documentation.sas.com/?docsetId=bisecag&docsetTarget=p004qiyfzfguhcn108lxbow2rifp.htm&docsetV...

This seems similar to SAS Token auth, but I could workaround the problem with the spawner.