BookmarkSubscribeRSS Feed
Quartz | Level 8

Hi Co's, On our windows environment (compute server), Folder D:\Program Files\SASHome are having access to user, and they are able to write data through sas program (like libname/proc export etc).


I was checking the security setting to the folder but looks like user have only access to read & execute, special permission. 


My questions, I want to restrict the user access so that they cannot write data to this SASHome folder, may I know how to proceed with this, what else should I check to restrict the access. 





Opal | Level 21

SAS obeys Windows security permissions, in fact it can't bypass them. I can only assume there is a gap in these permissions somewhere. I suggest you talk to your IT security people, to help identify the gap.

Quartz | Level 8

@Kurt_Bremser Do your users use a pooled workspace server? - No

Quartz | Level 8

Hi Co's, I got to know how this permission is working for SASHOME folder. I can manage that. 

Before changing permission of SASHOME folder, I would like to understand, is it really required to keep write permission of SASHOME folder, or is it fine to keep only Read/Execute permission to folder? Please suggest. 

Opal | Level 21

SASHome contains your installed SAS software and shouldn't be writable by SAS users. User-written files should be stored elsewhere. 

Meteorite | Level 14

Users typically do not have write access to [SASHOME] folder.

Quartz | Level 8

Thanks Co's, for the suggestions on SASHOME folder, in addition to that, we could see there are few folders like

D/SAS/Config/Lev1/logs/WorkspaceServer/logs/<Perf/Arm etc>

D/SAS/Config/Lev1/logs/ObjectSpawnerLogs/logs/<auditlogs/congif file>

web application related scripts/logs...etc... configuration level folder and files. 


Kindly help me to understand on these folders, is it recommended to have users write access. 




SAS Employee

For SAS Foundation servers that run as the user (such as Workspace servers, Grid Servers, Batch servers, and CONNECT servers), the log files (if created) will be written using that user ID so the directories that contain those logs need to be open (which they should be by default). Usually, however, the SAS log files are managed by the client. For example, Enterprise Guide uses a workspace server which will return the SAS log from the workspace server to EG through the IOM connection. Similarly, a CONNECT client will get the SAS log from a CONNECT server through the connection. It is only when you set the servers to create more detailed logs will either of those two servers actually write a log file to the respective Logs directory.


For spawners (ObjectSpawner, ConnectSpawner), the log files will be created as the user the spawner runs as which is usually LocalSystem on Windows.


By default, the SAS users will have a WORK and UTIL libraries that are associated with temporary directories in the user's %TEMP% directory although these libraries can be pointed to different locations by setting SAS options.


Any other file data read or written would need to have its location be defined in the code using the LIBNAME statement. That could be a local directory, a CIFS directory, or a directory on a mounted drive.  Also, SAS code can read/write to various databases using SAS ACCESS.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 8 replies
  • 5 in conversation