09-17-2015 11:20 AM
The group I work in runs all of our SAS jobs on an AIX unix server.
On that server we use a functional id that owns and runs all of our processes.
We cannot log into the unix server with that functioanl id - instead we log into the server using our individual accounts and then su to the functional id.
Is it possible to run SAS jobs on an AIX server as another login?
That is, can the connection to unix be set up to log in using our individual accounts and then su to our functional id before SAS jobs or commands are run?
Thanks very much for your help.
09-18-2015 08:07 AM
When you connet to SAS with EG you are using a WokrspaceServer.
Usually this means the ObjectSpawner starts a new process for you, using your provided login information (user/pw).
The entry point of this process is WorkspaceServer.sh shell script. This script calls a series of other shell scripts and then finally the sas binary is started.
One way to change the user is to place a sudo or su command somewhere in those shell scipts.
A more standard way would be to use a PooledWorkspace server: to configure the owner of the WorkspaceServer directly in the metadata. Even if that functional user id is denied from loging in, this could work, because technically the process is lunched by the ObjectSpawner.
09-18-2015 06:14 PM
It sounds like reconfiguring your SAS Workspace Server for SAS Token Authentication would fit your requirements. You would use your own normal login to authenticate to the SAS Metadata Server and then a proxy/service identity would be used to launch SAS Workspace Server instances for you (you will see sassrv in the documentation but you can substitute with your "functional user id"). See How to Configure SAS Token Authentication in the SAS 9.4 Intelligence Platform: Security Administration Guide for more information.
While SAS Token Authentication is very useful/essential in some situations, bear in mind that it also has some impacts on the flexibility for fine-grained access controls at the file system level (but since you are already using a functional user id I assume this will not be an issue for you).