Architecting, installing and maintaining your SAS environment

login access required for login to SAS Servers and Applications?

Occasional Contributor
Posts: 10


Hi All,

Recently we have installed SAS 9.4 M3 on Linux hosts (Metadata Tier on one Linux host, Compute Tier on another Linux host and Web Tier on another Linux host). In total we have used 3 Linux hosts to install and configure SAS.

We have AD users and the SAS installer account is also an AD account.

Now the complete installation is done and we want to add users to the SAS environment. So we follow the below process for adding the users as of now:

1. Providing login access over all the SAS servers (Linux hosts)

2. Adding them to the group (the SAS installer is a member of this group and all config & sashome folders are owned by this group)

After completing these activities, users are able to access the SAS applications.

The concern is that we have a requirement that users should not have login access over those SAS servers.

Please help us by suggesting whether we need to have login access for the users over all 3 servers, or only for a specific server, or whether we don't require the login access at all for accessing the SAS application (Enterprise Guide).

A quick response will be highly appreciated.

Thanks,

Sangramjit

 

PROC Star
Posts: 425

Re: login access required for login to SAS Servers and Applications?

Posted in reply to SangramjitPanda

It will, at least in part, be based on what you mean by "should not have login access over those SAS Servers". Is it one of the following, or something else?:

  1. Should not be able to run any process on the server using their own operating system/domain/directory identity? If so then those SAS processes that normally run using their own identity might be configured to run using a service identity instead (e.g. SAS Token Authentication for SAS Workspace servers). Of course this also limits your ability to restrict access to operating system resources based on the requesting identity. You will have to rely more on metadata access controls instead.
  2. Can run SAS processes on the server using their own identity but are limited in their ability to directly access operating system and 3rd party commands/facilities. If this is the case then you could look into things like xcmd and lockdown.
  3. Should not have direct console, RDP, SSH access to the server using their own identity, but can run SAS processes on the server using their own identity and may/may not be limited via xcmd/lockdown etc. In this case you might look into using directory/operating system facilities, sshd_config options etc to limit direct login access.
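
An added example for option 3 above (not part of the original reply): a small Python check that reads the `AllowUsers`/`DenyUsers`/`AllowGroups`/`DenyGroups` directives from an `sshd_config` and reports whether a given account would be refused an SSH login, using the evaluation order documented in `sshd_config(5)`. The group names, user names and config excerpt are constructed; `Match` blocks, `USER@HOST` patterns and negated patterns are not handled. These directives only govern sessions that go through sshd.

```python
from fnmatch import fnmatchcase

# Constructed sample: end users sit in "sas_users", administrators in "sas_admins".
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
PermitRootLogin no
DenyGroups sas_users
AllowGroups sas_admins linux_ops
"""

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the four allow/deny lists; repeated directives accumulate."""
    lists = {name: [] for name in DIRECTIVES}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope here
        if key in lists:
            lists[key].extend(parts[1:])
    return lists

def _matches(names, patterns):
    # sshd patterns use * and ? wildcards; names are compared case-sensitively
    return any(fnmatchcase(n, p) for n in names for p in patterns)

def ssh_login_decision(user, groups, config_text):
    """Return (allowed, deciding_directive) in sshd's documented order."""
    acl = parse_access_lists(config_text)
    if _matches([user], acl["denyusers"]):
        return False, "DenyUsers"
    if acl["allowusers"] and not _matches([user], acl["allowusers"]):
        return False, "AllowUsers"
    if _matches(groups, acl["denygroups"]):
        return False, "DenyGroups"
    if acl["allowgroups"] and not _matches(groups, acl["allowgroups"]):
        return False, "AllowGroups"
    return True, "no rule blocks login"

if __name__ == "__main__":
    for user, groups in [("analyst1", ["sas_users"]),
                         ("sasinst", ["sas_admins", "sas_users"]),
                         ("opsadmin", ["sas_admins"])]:
        print(user, ssh_login_decision(user, groups, SAMPLE_SSHD_CONFIG))
```

The constructed `sasinst` case shows a deny rule winning over an allow rule: an account that shares the end-user group is refused even though it is also in an allowed group, so an installer or admin account needs a group of its own before such a rule is applied.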
Occasional Contributor
Posts: 10

Re: login access required for login to SAS Servers and Applications?

Posted in reply to PaulHomes

Hi Paul,

Thanks for the update.

The requirement is to have users access their SAS applications, but they should not have direct login access over the Linux host as per the business standard.

I am exploring the possibilities and their limitations too.

Please suggest if the requirements have any limitations and any impact on performance.

Thanks,

Sangramjit

Super User
Posts: 7,782

Re: login access required for login to SAS Servers and Applications?

Posted in reply to SangramjitPanda

"we have a requirement that Users should not have login access over those SAS Servers."

 

What is the reason for this "requirement"?

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
Occasional Contributor
Posts: 10

Re: login access required for login to SAS Servers and Applications?

Posted in reply to KurtBremser

I am exploring if it is possible for Users to access SAS Applications without having direct login access to the SAS Servers.

 

 

Super User
Posts: 7,782

Re: login access required for login to SAS Servers and Applications?

Posted in reply to SangramjitPanda

It should be possible to prevent remote logins with the proper PAM modules (in Linux).

In AIX it is done with the SMIT.

But you take away much of the great power inherent in UNIX systems. People should WORK with systems, not be prevented from using them properly.

System security does not come into play here; a properly hardened UNIX can't be compromised from the command line. A basically unsafe system will also be vulnerable if only SAS can be used.

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
Trusted Advisor
Posts: 1,312

Re: login access required for login to SAS Servers and Applications?

Posted in reply to SangramjitPanda

Hello,

You may well have a second option: besides PAM (a great option, although not always allowed), you can just set SAS Token Authentication (a very much recommended practice on UNIX systems) and then just set direct LDAP (or AD) authentication on the metadata server.
