FabioP
Calcite | Level 5

Hi everybody,

I have to work with a Metadata server and a SAS Application Server on separate UNIX machines, and I need to create new operating system users. Is it necessary to create the new user on the machine with the metadata server and also on the one with the application server?

Thank you in advance for help.

Fabio

1 ACCEPTED SOLUTION

PaulHomes
Rhodochrosite | Level 12

To add to what both LinusH and SASKiwi have said, if your metadata server and application server machines don't share an authentication provider (e.g. AD, LDAP), and you only have local accounts, then you would need to create an account on both machines: an account on the metadata server machine so the user can be authenticated by the metadata server and an account on the application server machine so they can be authenticated by the object spawner to start a SAS process on that machine.

With independent accounts on different machines the passwords could get out of sync, so to avoid this possibility and to avoid having to create accounts on the application server machine you could configure your standard workspace server for SAS Token Authentication. When configuring for SAS Token Authentication you provide the credentials for a service/proxy account (e.g. sassrv) that will be used to launch workspace server processes so the users don't have to have operating system accounts on the application server machine.  There is a downside to this in that all users will appear to the operating system as a single user (the service/proxy user) which will limit your flexibility in securing file system resources.

Personally I would prefer to reconfigure the two UNIX servers to share an authentication provider (e.g. AD or LDAP) and get the benefit of operating system identities without duplication of accounts, but I appreciate this is not always possible or easy.
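The accepted answer turns on whether each machine authenticates against local accounts only or against a shared provider. The shell sketch below is an added example, not part of the original post or of any SAS tooling; it reads a passwd file and an nsswitch.conf-style file on one host and reports whether a given user already has a local account, should come from a directory, or needs a local account created. The function names, verdict strings and sample files are constructed for illustration; `sasdemo` and `sasusr` are the accounts mentioned in the thread.

```shell
#!/bin/sh
# Added example. Run on each host; paths are parameters so copies can be checked.

# Print the sources listed on the "passwd:" line of an nsswitch.conf-style file.
passwd_sources() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i !~ /^\[/) print $i } }' "$1"
}

# Succeed if the host resolves users from something other than local files.
uses_shared_provider() {
    for src in $(passwd_sources "$1"); do
        case "$src" in
            files|compat|systemd) ;;   # local-only sources
            *) return 0 ;;             # e.g. ldap, sss, winbind, nis
        esac
    done
    return 1
}

# Succeed if the user ($2) has an entry in the passwd-format file ($1).
has_local_account() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Print one verdict for a user on this host (defaults are the live system files).
host_verdict() {
    user=$1; passwd=${2:-/etc/passwd}; nss=${3:-/etc/nsswitch.conf}
    if has_local_account "$passwd" "$user"; then
        echo "local-account-present"
    elif uses_shared_provider "$nss"; then
        echo "check-directory"         # account should come from AD/LDAP
    else
        echo "create-local-account"
    fi
}

# Constructed sample: metadata host has sasdemo and sasusr, app host only sasdemo.
tmp=$(mktemp -d)
printf 'sasdemo:x:1001:1001::/home/sasdemo:/bin/sh\nsasusr:x:1002:1002::/home/sasusr:/bin/sh\n' > "$tmp/meta.passwd"
printf 'sasdemo:x:1001:1001::/home/sasdemo:/bin/sh\n' > "$tmp/app.passwd"
printf 'passwd: files\n' > "$tmp/local.nss"
printf 'passwd: files sss\n' > "$tmp/shared.nss"
for u in sasdemo sasusr; do
    echo "$u meta=$(host_verdict "$u" "$tmp/meta.passwd" "$tmp/local.nss") app=$(host_verdict "$u" "$tmp/app.passwd" "$tmp/local.nss")"
done
```

On a live host, `getent passwd <user>` resolves the user through every configured source, so it confirms whether a `check-directory` verdict actually finds the account.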


6 REPLIES
FabioP
Calcite | Level 5

Thank you LinusH.

I already checked the documentation but can't find my answer.

So, is it necessary to create the user also on the machine with only the Application server?

For example, sasdemo has to be on both the Meta and App server machines, is that correct?

Thanks!

LinusH
Tourmaline | Level 20

Depends... 😉

How do you do authentication?

About end user accounts, are they synchronized with an AD?

Are you going to use standard, pooled or both (workspace servers)?

No user except the one that starts the metadata server needs to be defined on that UNIX server.

Users that should be able to start standard workspace server sessions need an account on that server.

Data never sleeps
FabioP
Calcite | Level 5

Unfortunately,

I have to work with a deployment unknown to me with no documentation at all, and I have very little UNIX skill.

I found users sasdemo and sasusr in the OS of the metadata server machine, so I think that the authentication is performed by the OS.

Users are not synchronized with an AD; the analyst is working only with the sasdemo user to access data with EGuide and EMiner.

I'm going to use standard workspace server.

So, I need a new user that accesses tables with EGuide. Do I have to create that user in both Meta and App unix machines?

Thanks very much

SASKiwi
PROC Star

Correct. For EG a new user needs to be defined in both the operating system and in SAS metadata using Management Console. EG starts a SAS server session using that user account.
