03-06-2017 02:10 PM
Recently we installed SAS 9.4 M3 on Linux hosts (Metadata Tier on one Linux host, Compute Tier on another Linux host and Web Tier on another Linux host). In total we have used 3 Linux hosts to install and configure SAS.
We have AD users and the SAS installer account is also an AD account.
Now the installation is complete and we want to add users to the SAS environment. So we follow the process below for adding users as of now:
1. Providing login access on all the SAS servers (Linux hosts)
2. Adding them to the group (the SAS installer is a member of this group and all config & sashome folders are owned by this group)
After completing these activities, users are able to access the SAS Applications.
The concern is that we have a requirement that Users should not have login access over those SAS Servers.
Please help us by suggesting whether we need to have login access for the users on all 3 servers, or only on a specific server, or whether we don't require login access at all for accessing the SAS application (Enterprise Guide).
A quick response will be highly appreciated.
03-06-2017 06:49 PM
It will, at least in part, be based on what you mean by "should not have login access over those SAS Servers". Is it one of the following, or something else?:
03-07-2017 02:59 PM
Thanks for the update.
The requirement is for users to access their SAS applications, but they should not have direct login access on the Linux hosts, as per the business standard.
I am exploring the possibilities and their limitations too.
Please suggest whether the requirement has any limitations and any impact on performance.
03-07-2017 05:18 AM
"we have a requirement that Users should not have login access over those SAS Servers."
What is the reason for this "requirement"?
03-07-2017 03:51 PM
It should be possible to prevent remote logins with the proper PAM modules (in Linux).
In AIX it is done with SMIT.
But you take away much of the great power inherent in UNIX systems. People should WORK with systems, not be prevented from using them properly.
System security does not come into play here; a properly hardened UNIX can't be compromised from the command line. A basically unsafe system will also be vulnerable if only SAS can be used.
03-07-2017 04:24 PM
You may well have a second option: besides PAM (a great option, although not always allowed), you can just set SAS Token Authentication (a very much recommended practice on UNIX systems) and then just set direct LDAP (or AD) authentication on the metadata server.