Hi Co's, in our Windows environment (compute server), users have access to the folder D:\Program Files\SASHome, and they are able to write data through SAS programs (like libname/proc export etc.).
I was checking the security settings on the folder, but it looks like users have only Read & Execute and special permissions.
My question: I want to restrict user access so that they cannot write data to this SASHome folder. May I know how to proceed with this, and what else should I check to restrict the access?
TIA.
SAS obeys Windows security permissions, in fact it can't bypass them. I can only assume there is a gap in these permissions somewhere. I suggest you talk to your IT security people, to help identify the gap.
Do your users use a pooled workspace server?
@Kurt_Bremser Do your users use a pooled workspace server? - No
Hi Co's, I got to know how this permission is working for the SASHOME folder. I can manage that.
Before changing the permissions of the SASHOME folder, I would like to understand: is it really required to keep write permission on the SASHOME folder, or is it fine to keep only Read/Execute permission on the folder? Please suggest.
SASHome contains your installed SAS software and shouldn't be writable by SAS users. User-written files should be stored elsewhere.
Users typically do not have write access to the [SASHOME] folder.
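One way to locate the permission gap discussed above, as an added example that is not from any poster and is not SAS-supplied code: a read-only PowerShell audit that expands what the Security tab summarizes as "special permissions" and lists every Allow entry granting write-type rights on SASHome. The `$Trusted` list is an assumption about which principals are expected to hold write access; the path is the one given in the question.

```powershell
# Added example, not SAS-provided code. Read-only: lists ACEs, changes nothing.
$Path = 'D:\Program Files\SASHome'   # folder named in the thread

# Assumption: principals expected to hold write access. Adjust per site.
$Trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Specific rights that let a principal create, change, delete or re-permission files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry generic rights that Get-Acl shows as bare numbers:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericMask = 0x40000000 -bor 0x10000000

function Get-WriteAce {
    param([string]$Target, [switch]$ExplicitOnly)
    foreach ($ace in (Get-Acl -LiteralPath $Target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($rights -band ($WriteMask -bor $GenericMask)) {
            [pscustomobject]@{
                Path      = $Target
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# Root folder: every ACE. Subfolders: only explicit ACEs, since inherited ones
# repeat what a parent folder already reported.
$findings = @(Get-WriteAce -Target $Path) + @(
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WriteAce -Target $_.FullName -ExplicitOnly }
)

$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

The output lists ACEs, not effective access: whether a given SAS user can write still depends on which of the listed groups that account belongs to and on any Deny entries.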
Thanks Co's, for the suggestions on the SASHOME folder. In addition to that, we could see there are a few folders like
D/SAS/Config/Lev1/logs/WorkspaceServer/logs/<Perf/Arm etc>
D/SAS/Config/Lev1/logs/ObjectSpawnerLogs/logs/<auditlogs/config file>
web application related scripts/logs, etc.: configuration-level folders and files.
Kindly help me understand these folders: is it recommended for users to have write access?
Thanks.
For SAS Foundation servers that run as the user (such as Workspace servers, Grid Servers, Batch servers, and CONNECT servers), the log files (if created) will be written using that user ID, so the directories that contain those logs need to be open (which they should be by default). Usually, however, the SAS log files are managed by the client. For example, Enterprise Guide uses a workspace server which will return the SAS log from the workspace server to EG through the IOM connection. Similarly, a CONNECT client will get the SAS log from a CONNECT server through the connection. It is only when you set the servers to create more detailed logs that either of those two servers will actually write a log file to the respective Logs directory.
For spawners (ObjectSpawner, ConnectSpawner), the log files will be created as the user the spawner runs as which is usually LocalSystem on Windows.
By default, the SAS users will have WORK and UTIL libraries that are associated with temporary directories in the user's %TEMP% directory, although these libraries can be pointed to different locations by setting SAS options.
Any other file data read or written would need to have its location be defined in the code using the LIBNAME statement. That could be a local directory, a CIFS directory, or a directory on a mounted drive. Also, SAS code can read/write to various databases using SAS ACCESS.