12-18-2017 04:40 PM
Good afternoon everyone,
We're currently in the process of setting up a SAS test server and are in the process of creating oracle account groups for database connections. Some of our databases use the same user ID for various databases. So I went ahead and attempted to create two separate accounts for the individual database connections, but even though the database and schemas are different, user manager will not let me use the same ID twice, regardless of authentication domain. Is there a way around this? I'm honestly not sure what kind of red tape I would have to go through to have our database team change the IDs (particularly with the number of affected users / applications this would affect).
12-18-2017 05:09 PM
Assuming you have SAS 9.4 M2 or above, you can mark the database authentication domain as "Outbound Only" which removes the uniqueness requirement for logins. The uniqueness requirement is there for inbound logins to ensure a user id lookup after authentication to the metadata server can only return a single identity. Logins stored in metadata for the purposes of providing access to third party systems (outbound logins) are not normally intended to be used as inbound logins too, hence the addition of the outbound-only flag for authentication domains in SAS 9.4 M2.
You can edit the properties for authentication domains by right mouse clicking over the User Manager or Server Manager plug-ins in SAS Management Console and selecting the Authentication Domains... item from the context menu. From here you can set the outbound-only flag.
For more info see the Outbound and Trusted Authentication Domains section of the SAS 9.4 Intelligence Platform: Security Administration Guide.
12-18-2017 05:48 PM
"use the same ID twice, regardless of authentication domain" - I can read this issue one of two ways.
@PaulHomes has already covered making your Oracle AuthDomain outbound only.
Another simple method, if you can't create 2 users with the same Oracle ID, is to create an Oracle-specific metadata group, and store the Oracle credentials in the group's metadata profile, and make the two users members of that group. If they don't have their own Oracle AuthDomain credentials, then each will "inherit" the shared Oracle AuthDomain credentials from the Oracle group.
Best of luck - please let us know how you fare.