cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8
Go to Solution

questions on SAS installer account

Posted 09-07-2020 12:38 PM (1626 views)

Hi All,

 

I'd like to know what are all the places in a SAS environment that are tied up internally with the SAS installer account?

 

Would I be able to start/stop SAS services with installer account even after removing its identity from SAS metadata?

 

I'm trying to remove the installer account from everywhere within SAS except for start/stop of SAS services, is it possible to achieve?

 

Thanks! 

1 ACCEPTED SOLUTION

Accepted Solutions
SASKiwi
PROC Star SASKiwi
PROC Star

Re: questions on SAS installer account

Posted 09-07-2020 11:53 PM (1527 views)  |   In reply to SASWayne

IMHO, best practice is to use the SAS installer account just for installing and configuring and nothing else. Then have another SAS server account (often called sassrv) for running SAS servers, then a SAS admin account (often called sasadm) for administration. Of course things can be a bit more granular than that to suit your SAS site.

 

As a SAS administrator myself I don't have any problem just using my own account for manually starting and stopping services.

View solution in original post

13 REPLIES 13
SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8

Re: questions on SAS installer account

Posted 09-07-2020 10:33 PM (1565 views)  |   In reply to Kurt_Bremser
The reason is to have two separate installer accounts for test and prod environments.

Now that the environments are built already with the same installer account, we want to atleast minimize the utilization of installer account in test environment. We have created another service account (to use instead of SAS installer account) with same OS level privileges of the installer account and we want to use that account for all SAS admin and monitoring operations.

So if I remove the SAS installer account's metadata profile, would I still be able to start/stop services with it?

How could I achieve very minimal usage of the original installer account?
0 Likes
SASKiwi
PROC Star SASKiwi
PROC Star

Re: questions on SAS installer account

Posted 09-07-2020 11:03 PM (1551 views)  |   In reply to SASWayne

Why do you use the installer account to stop and start services? Any account with admin privileges is able to do that. 

0 Likes
SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8

Re: questions on SAS installer account

Posted 09-07-2020 11:21 PM (1541 views)  |   In reply to SASKiwi
@SASKiwi

isn't it the best practice to use SAS installer account to start/stop SAS services?
Please advise me if I'm wrong.

By admin privileges do you mean at OS level?
I've never used another account than SAS installer to start/stop SAS services.
0 Likes
SASKiwi
PROC Star SASKiwi
PROC Star

Re: questions on SAS installer account

Posted 09-07-2020 11:53 PM (1528 views)  |   In reply to SASWayne

IMHO, best practice is to use the SAS installer account just for installing and configuring and nothing else. Then have another SAS server account (often called sassrv) for running SAS servers, then a SAS admin account (often called sasadm) for administration. Of course things can be a bit more granular than that to suit your SAS site.

 

As a SAS administrator myself I don't have any problem just using my own account for manually starting and stopping services.

Anand_V
Ammonite | Level 13 Anand_V
Ammonite | Level 13

Re: questions on SAS installer account

Posted 09-08-2020 09:14 AM (1480 views)  |   In reply to SASWayne
Why was SAS installer account added to metadata in first place? I don't think it's required. Unless you are using platform web services component for LSF and the configuration ID for LSF is not as same as well the SAS installer account.

Also, it's fine to use a single installer account for both the environments. SAS Admin activities can be done using the internal sasadm@saspw account, if you have multiple admins at your site, you can create individual system accounts for them and add to SAS Administrator group so they can use their IDs instead of internal account, still starting/stopping of services you will have to use the installer account itself.
SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8

Re: questions on SAS installer account

Posted 09-10-2020 03:52 AM (1407 views)  |   In reply to Anand_V

Thank you @SASKiwi and@Anand_V for your suggestions, we are planning to remove SAS installer from metadata. For some reason, SAS installer account gets locked often from one of the test servers and that's the reason we're planning to have separate ones for prod and test.

 

@Anand_V I'm curious to know if we could use other user accounts with admin privileges to start/stop services? (as suggested by @SASKiwi ).

Do you think doing so would cause any undesirable effects?

 

Thanks!

Anand_V
Ammonite | Level 13 Anand_V
Ammonite | Level 13

Re: questions on SAS installer account

Posted 09-10-2020 04:30 AM (1389 views)  |   In reply to SASWayne

I haven't tried it myself as I was never in a scenario where there is a requirement to vault or not use the installer account to start/stop services. If @SASKiwi has done it successfully I am sure you can give it a try too!

JuanS_OCS
Amethyst | Level 16 JuanS_OCS
Amethyst | Level 16

Re: questions on SAS installer account

Posted 09-10-2020 04:31 AM (1387 views)  |   In reply to SASWayne

Please be careful with permissions and users who start/stop services.

 

Lock/pid files and log files with different owners and permissions can cause those "undesirable" situations.

 

 

SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8

Re: questions on SAS installer account

Posted 09-10-2020 04:38 AM (1373 views)  |   In reply to JuanS_OCS
@JuanS_OCS, I agree, we're replicating a new admin service account with the same folder and group level accesses of the original SAS installer account. Hope that it doesn't cause any issue.
JuanS_OCS
Amethyst | Level 16 JuanS_OCS
Amethyst | Level 16

Re: questions on SAS installer account

Posted 09-11-2020 03:09 AM (1346 views)  |   In reply to SASWayne

Good luck!

SASWayne
Quartz | Level 8 SASWayne
Quartz | Level 8

Re: questions on SAS installer account

Posted 09-12-2020 08:34 AM (1318 views)  |   In reply to JuanS_OCS
@JuanS_OCS @Anand_V @SASKiwi
Just a quick question

Does LIM starts vemkd and egosc with the same account used to start LIM?

Thanks
JuanS_OCS
Amethyst | Level 16 JuanS_OCS
Amethyst | Level 16

Re: questions on SAS installer account

Posted 09-14-2020 05:43 AM (1277 views)  |   In reply to SASWayne

@SASWayne , I would say by default, it does, with the same account. However, perhaps design or installed had to decide otherwise. The best you can do is to check what account generated the logs/temp files for each daemon,

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 13 replies
  • ‎09-07-2020 12:38 PM
  • 1627 views
  • 14 likes
  • 5 in conversation