SangramjitPanda
Obsidian | Level 7

Hi All,

 

Recently we installed SAS 9.4 M3 on Linux hosts (Metadata Tier on one Linux host, Compute Tier on another Linux host and Web Tier on another Linux host). In total we used 3 Linux hosts to install and configure SAS.

 

We have AD users and the SAS installer account is also an AD account.

 

Now the installation is complete and we want to add users to the SAS environment. So we follow the process below for adding users as of now:

1. Providing login access on all the SAS servers (Linux hosts)

2. Adding them to the group (the SAS installer is a member of this group and all config and SASHome folders are owned by this group)

 

After completing these activities, users are able to access the SAS Applications.

 

The concern is that we have a requirement that users should not have login access to those SAS servers.

 

Please help us by suggesting whether users need login access on all 3 servers, on a specific server only, or do not require login access at all to use the SAS application (Enterprise Guide).

 

A quick response will be highly appreciated.

 

Thanks,

Sangramjit

 

6 REPLIES 6
PaulHomes
Rhodochrosite | Level 12

It will, at least in part, be based on what you mean by "should not have login access over those SAS Servers". Is it one of the following, or something else?:

  1. Should not be able to run any process on the server using their own operating system/domain/directory identity? If so then those SAS processes that normally run using their own identity might be configured to run using a service identity instead (e.g. SAS Token Authentication for SAS Workspace servers). Of course this also limits your ability to restrict access to operating system resources based on the requesting identity. You will have to rely more on metadata access controls instead.
  2. Can run SAS processes on the server using their own identity but are limited in their ability to directly access operating system and 3rd party commands/facilities. If this is the case then you could look into things like xcmd and lockdown.
  3. Should not have direct console, RDP, SSH access to the server using their own identity, but can run SAS processes on the server using their own identity and may/may not be limited via xcmd/lockdown etc. In this case you might look into using directory/operating system facilities, sshd_config options etc to limit direct login access.
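
Added example, not part of the original reply: for the third case above, a small shell check that reads an sshd_config fragment and reports whether a user's groups would pass its `DenyGroups`/`AllowGroups` rules. The group names `sasusers` and `sasadmins` and both config fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Group names and config text are constructed.
# Only global DenyGroups/AllowGroups lines are evaluated; Match blocks,
# user-level rules (DenyUsers/AllowUsers) and "!" negation are not handled.

WEAK_CONFIG='
PermitRootLogin no
PasswordAuthentication yes
'
HARDENED_CONFIG='
PermitRootLogin no
DenyGroups sasusers
AllowGroups sasadmins wheel
'

# list_groups KEYWORD CONFIG_TEXT: print the patterns from every KEYWORD line
# (KEYWORD in lower case; sshd keywords are case-insensitive).
list_groups() {
  printf '%s\n' "$2" | awk -v kw="$1" '
    /^[[:space:]]*#/       { next }
    tolower($1) == "match" { exit }   # stop before conditional blocks
    tolower($1) == kw      { for (i = 2; i <= NF; i++) print $i }'
}

# matches_any GROUP PATTERNS: succeed if GROUP matches one of the patterns.
# Runs in a subshell so "set -f" (no filename expansion of "sas*") stays local.
matches_any() (
  set -f
  for p in $2; do
    case $1 in $p) exit 0 ;; esac
  done
  exit 1
)

# ssh_login_verdict CONFIG_TEXT GROUP...: print "allowed" or "denied" for a
# user holding the listed groups. A DenyGroups match wins over AllowGroups.
ssh_login_verdict() {
  cfg=$1; shift
  deny=$(list_groups denygroups "$cfg")
  allow=$(list_groups allowgroups "$cfg")
  for g in "$@"; do
    if matches_any "$g" "$deny"; then echo denied; return 0; fi
  done
  if [ -z "$allow" ]; then echo allowed; return 0; fi
  for g in "$@"; do
    if matches_any "$g" "$allow"; then echo allowed; return 0; fi
  done
  echo denied
}

echo "weak, sasusers:      $(ssh_login_verdict "$WEAK_CONFIG" sasusers)"
echo "hardened, sasusers:  $(ssh_login_verdict "$HARDENED_CONFIG" sasusers)"
echo "hardened, sasadmins: $(ssh_login_verdict "$HARDENED_CONFIG" sasadmins)"
```

On a live host the config text can come from `sshd -T`, which prints the effective configuration with lower-case keywords. These rules only govern SSH logins; they say nothing about how SAS servers authenticate the same users.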
SangramjitPanda
Obsidian | Level 7

Hi Paul,

 

Thanks for the update.

 

The requirement is to have users access their SAS applications, but they should not have direct login access to the Linux hosts as per the business standard.

 

I am exploring the possibilities and their limitations too.

Please suggest whether the requirements have any limitations or any impact on performance.

 

Thanks,

Sangramjit

SangramjitPanda
Obsidian | Level 7

I am exploring whether it is possible for users to access SAS applications without having direct login access to the SAS servers.

 

 

Kurt_Bremser
Super User

It should be possible to prevent remote logins with the proper PAM modules (in Linux).

In AIX it is done with the SMIT.

But you take away much of the great power inherent in UNIX systems. People should WORK with systems, not be prevented from using them properly.

System security does not come into play here; a properly hardened UNIX can't be compromised from the command line. A basically unsafe system will also be vulnerable if only SAS can be used.

JuanS_OCS
Amethyst | Level 16

Hello,

 

You may well have a second option: besides PAM (a great option, although not always allowed), you can just set SAS Token Authentication (a very much recommended practice on UNIX systems) and then just set direct LDAP (or AD) authentication on the metadata server.
