cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
SangramjitPanda
Obsidian | Level 7 SangramjitPanda
Obsidian | Level 7

login access required for login to SAS Servers and Applications?

Posted 03-06-2017 02:10 PM (1028 views)

Hi All,

 

Recently we have installed SAS 9.4 M3 on Linux Host.( Metadata Tier on one Linux host, Compute Tier on another linux host and Web Tier on other Linux Host). All total on 3 linux host we have used to Install and Configue SAS.

 

We have AD users and the sas installer accout is also a AD account.

 

Now complete Installation is done and we want to add users to the SAS Environment. So we follow the below process for adding the users as of now:

1. Providing login access over all the sas servers(linux hosts)

2. adding them to the group(sas installer is a member of this group and all config & sashome folders are owned by this group)

 

After completing these activities, users are able to access the SAS Applications.

 

Concern is that, we have a requirement that Users should not have login access over those SAS Servers.

 

Please help us suggesting whether we need to have login access for the Users over all 3 servers or need to have for any specific server or else we dont require the login access at all for accessing the SAS Application(Enterprise Guide).

 

Quick response will be highly appreciated.

 

Thanks,

Sangramjit

 

0 Likes
Reply
6 REPLIES 6
PaulHomes
Rhodochrosite | Level 12 PaulHomes
Rhodochrosite | Level 12

Re: login access required for login to SAS Servers and Applications?

Posted 03-06-2017 06:49 PM (1012 views)  |   In reply to SangramjitPanda

It will, at least in part, be based on what you mean by "should not have login access over those SAS Servers". Is it one of the following, or something else?:

  1. Should not not be able to run any process on the server using their own operating system/domain/directory identity? If so then those SAS processes that normally run using their own identity might be configured to run using a service identity instead (e.g. SAS Token Authentication for SAS Workspace servers). Of course this also limits your ability to restrict access to operating system resources based on the requesting identity. You will have to rely more on metadata access controls instead.
  2. Can run SAS processes on the server using their own identity but are limited in their ability to directly access operating system and 3rd party commands/facilities. If this is the case then you could look into things like xcmd and lockdown.
  3. Should not have direct console, RDP, SSH access to the server using their own identity, but can run SAS processes on the server using their own identity and may/may not be limited via xcmd/lockdown etc. In this case you might look into using directory/operating system facilities, sshd_config options etc to limit direct login access.
Reply
SangramjitPanda
Obsidian | Level 7 SangramjitPanda
Obsidian | Level 7

Re: login access required for login to SAS Servers and Applications?

Posted 03-07-2017 02:59 PM (987 views)  |   In reply to PaulHomes

Hi Paul,

 

Thanks for the update.

 

Requirement is to have Users access their SAS Applications but they should not have direct login access over the linux host as per the business standard.

 

I am exploring about the possibilties and about their limitations too.

Please suggest if the requirements have any limitations and any impact on performance.

 

Thanks,

Sangramjit

0 Likes
Reply
SangramjitPanda
Obsidian | Level 7 SangramjitPanda
Obsidian | Level 7

Re: login access required for login to SAS Servers and Applications?

Posted 03-07-2017 03:02 PM (985 views)  |   In reply to Kurt_Bremser

I am exploring if it is possible for Users to access SAS Applications without having direct login access to the SAS Servers.

 

 

0 Likes
Reply
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: login access required for login to SAS Servers and Applications?

Posted 03-07-2017 03:51 PM (976 views)  |   In reply to SangramjitPanda

It should be possible to prevent remote logins with the proper PAM modules (in Linux).

In AIX it is done with the SMIT.

But you take away much of the great power inherent in UNIX systems. People should WORK with systems, not be prevented from using them properly.

System security does not come into play here, a properly hardened UNIX can't be compromised from the commandline. A basically unsafe system will also be vulnerable if only SAS can be used.

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
Reply
JuanS_OCS
Amethyst | Level 16 JuanS_OCS
Amethyst | Level 16

Re: login access required for login to SAS Servers and Applications?

Posted 03-07-2017 04:24 PM (973 views)  |   In reply to SangramjitPanda

Hello,

 

you may well have a second option: besides PAM (a great option, although not always allowed), you can just set SAS Token Authentication (avery much recommended practice on UNIX systems) and then just set direct LDAP (or AD) authentication on the metadata server.

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Watch CLI in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 6 replies
  • ‎03-06-2017 02:10 PM
  • 1029 views
  • 3 likes
  • 4 in conversation