system operative users on Metadata server and SAS Application Server

Occasional Contributor
Posts: 12

system operative users on Metadata server and SAS Application Server

Hi everybody,

I have to work with Metadata server and SAS Application Server on separate UNIX machines and I need to create new system operative users. Is it necessary to create the new user in the machine with metadata server and also in the one with application server?

Thank you in advance for help.

Fabio


All Replies
Super User
Posts: 5,441

Re: system operative users on Metadata server and SAS Application Server

Occasional Contributor
Posts: 12

Re: system operative users on Metadata server and SAS Application Server

Thank you LinusH.

I already checked the documentation but can't find my answer.

So, is it necessary to create the user also in the machine with only Application server?

For example, sasdemo has to be in both Meta and App server machines, is it correct?

Thanks!

Super User
Posts: 5,441

Re: system operative users on Metadata server and SAS Application Server

Depends... ;-)

How do you do authentication?

About end user accounts, are they synchronized with an AD?

Are you going to use standard, pooled or both (workspace servers)?

No user except the one that starts the metadata server needs to be defined on that UNIX server.

Users that should be able to start standard workspace server sessions need an account on that server.

Data never sleeps
Occasional Contributor
Posts: 12

Re: system operative users on Metadata server and SAS Application Server

Unfortunately,

I have to work with a deployment unknown to me with no documentation at all, and I have very little unix skill.

I found in the OS of the metadata server machine users sasdemo and sasusr so I think that the authentication is performed by the OS.

Users are not synchronized with an AD, the analyst is working only with sasdemo user to access data with EGuide and EMiner.

I'm going to use standard workspace server.

So, I need a new user that accesses tables with EGuide. Do I have to create that user in both Meta and App unix machines?

Thanks very much

Super User
Posts: 3,260

Re: system operative users on Metadata server and SAS Application Server

Correct. For EG a new user needs to be defined in both the operating system and in SAS metadata using Management Console. EG starts a SAS server session using that user account.

Solution
12-04-2012 04:17 PM
PROC Star
Posts: 426

Re: system operative users on Metadata server and SAS Application Server

To add to what both LinusH and SASKiwi have said, if your metadata server and application server machines don't share an authentication provider (e.g. AD, LDAP), and you only have local accounts, then you would need to create an account on both machines: an account on the metadata server machine so the user can be authenticated by the metadata server and an account on the application server machine so they can be authenticated by the object spawner to start a SAS process on that machine.

With independent accounts on different machines the passwords could get out of sync, so to avoid this possibility and to avoid having to create accounts on the application server machine you could configure your standard workspace server for SAS Token Authentication. When configuring for SAS Token Authentication you provide the credentials for a service/proxy account (e.g. sassrv) that will be used to launch workspace server processes so the users don't have to have operating system accounts on the application server machine.  There is a downside to this in that all users will appear to the operating system as a single user (the service/proxy user) which will limit your flexibility in securing file system resources.

Personally I would prefer to reconfigure the two UNIX servers to share an authentication provider (e.g. AD or LDAP) and get the benefit of operating system identities without duplication of accounts, but I appreciate this is not always possible or easy.
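
A check for the local-accounts setup described in the answer above, as an added example that is not part of the original thread: it compares passwd-format account lists from the metadata server machine and the application server machine and reports users missing on either side. It goes one step beyond the thread by also flagging UID mismatches, which matter when both machines mount the same file system. The file names, the user `newanalyst` and all UID values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare local accounts on the
# metadata server machine and the application server machine.
# Each input is a passwd-format file, e.g. `getent passwd` output saved per host.

# passwd_uid USER FILE -> prints the UID of USER, or nothing if absent
passwd_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# check_account USER META_PASSWD APP_PASSWD -> prints one status word
check_account() {
    meta_uid=$(passwd_uid "$1" "$2")
    app_uid=$(passwd_uid "$1" "$3")
    if [ -z "$meta_uid" ] && [ -z "$app_uid" ]; then echo missing-on-both
    elif [ -z "$meta_uid" ]; then echo missing-on-meta
    elif [ -z "$app_uid" ]; then echo missing-on-app
    elif [ "$meta_uid" != "$app_uid" ]; then echo uid-mismatch
    else echo ok
    fi
}

# Constructed sample data standing in for the two hosts' account lists.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
META="$WORK/meta.passwd"
APP="$WORK/app.passwd"
cat > "$META" <<'EOF'
sasdemo:x:1001:1001:SAS demo user:/home/sasdemo:/bin/sh
sasusr:x:1002:1001::/home/sasusr:/bin/sh
newanalyst:x:1003:1001:hypothetical new EG user:/home/newanalyst:/bin/sh
EOF
cat > "$APP" <<'EOF'
sassrv:x:1010:1000:service account:/home/sassrv:/bin/sh
sasdemo:x:1001:1001:SAS demo user:/home/sasdemo:/bin/sh
sasusr:x:1005:1001::/home/sasusr:/bin/sh
EOF

# Report the status of each user who must start standard workspace server sessions.
for user in sasdemo sasusr newanalyst; do
    printf '%-12s %s\n' "$user" "$(check_account "$user" "$META" "$APP")"
done
```

Password drift between the two local accounts is not visible in passwd data, so this check covers account presence and UID consistency only.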
