Enabling Public Access to Enterprise Guide: Advanced

Occasional Contributor
Posts: 5

Enabling Public Access to Enterprise Guide: Advanced

I currently have a sandbox metadata and app server that I want to allow all users access to through Enterprise Guide. I basically want all users to be able to execute SAS programs on the server through Enterprise Guide without having to worry about adding individual users every time someone new joins the organization. Is this possible? My thought was to add the Enterprise Guide: Advanced Role to PUBLIC. My reasoning being that anyone who is authenticated on the server machine will be considered "public" and then they shouldn't have to provide any further credentials to SAS EG. I can use the Windows login to create a profile in EG and that lets me see the servers. But when I try to access the server, I get the "Credentials Required" box which I assume is asking me for a SAS identity. But I don't have a SAS identity! I just want to authenticate as PUBLIC. What am I doing wrong?




All Replies
Super User
Posts: 3,100

Re: Enabling Public Access to Enterprise Guide: Advanced

My understanding is that all users of EG, if EG is using a metadata server, must also be defined as users in metadata even if they are just accessing EG via Windows authentication. In other words, if you have a Windows user name of "Fred", Fred must also be defined explicitly as a user in SAS metadata even if your EG profile uses Windows Authentication.

If the maintenance of metadata user definitions is onerous then you can run a SAS job that will update your metadata user definitions from users defined in a Windows SAS user group. This job can be scheduled daily to keep usernames in sync. Check out the SAS installation site for more details.

PROC Star
Posts: 389

Re: Enabling Public Access to Enterprise Guide: Advanced

As SASKiwi suggests, if the underlying issue is the amount of manual SAS identity management that might be required in SAS Management Console then identity synchronization with an enterprise directory is what most organizations would do. The documentation for this can be found in the User Import Macros section of the SAS 9.3 Intelligence Platform: Security Administration Guide.  There's also a SAS Global Forum 2012 paper by Steve Overton on the topic: Automagically Herding 101 SAS® Users from Microsoft Active Directory to SAS Metadata.

I wouldn't normally recommend opening up access to PUBLIC because of the downside of losing fine-grained access controls, capabilities, logins and audit information. However, I have done this in the past in throwaway environments with SAS Management Console purely as an exercise in demonstrating how someone might become a PUBLIC-only user when they have valid credentials for the metadata server's authentication provider but no SAS identity (and how it easily happens when someone forgets a Windows domain qualifier on the user's Accounts tab login). Out of interest I wondered if this was even possible in SAS Enterprise Guide: by opening up access in the repository ACT one might be able to log in and then, if necessary, the workspace server could be configured for SAS token authentication to get an execution environment. So I tried it out with SAS 9.3 M0 on Linux and SAS Enterprise Guide 5.1. I didn't get very far though. After opening up access for PUBLIC in the repository ACT, so it was similar to the access that SASUSERS would have, I was unable to even log into EG. I got the error "PUBLIC user is lacking basic authorization to continue". I couldn't even get past this to the point where I tried to get access to a workspace server. I don't know what authorization checks EG is doing when it generates this lacking basic authorization message, but I wonder if it is something related to trying to find/create a private user folder (My Folder) for the (PUBLIC) identity. With this open permissions config I was able to log in to SAS Data Integration Studio as a PUBLIC-only user but had no "My Folder". Perhaps a SAS Institute person could provide a more definitive answer, but I suspect that PUBLIC-only access to SAS Enterprise Guide is not available (and even if it was, I would think carefully about whether it was advisable).
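The PUBLIC-only fall-through described in the post above, as an added example that is not part of the original thread or SAS code. It is a simplified model that assumes the authenticated user ID is matched case-insensitively against the logins stored on metadata identities; the names and logins are constructed.

```python
# Simplified model (assumption): the metadata server looks up the
# authenticated user ID among the logins stored on metadata identities.
# A match yields that identity plus implicit SASUSERS and PUBLIC
# membership; no match leaves the connection as a PUBLIC-only user.

# Constructed sample of Accounts tab logins: identity name -> user ID.
STORED_LOGINS = {
    "Fred Smith": r"CORP\fred",
    "Ann Lee": "ann",                      # domain qualifier forgotten
    "SAS Administrator": "sasadm@saspw",   # internal account
}


def is_qualified(user_id):
    """True for domain\\user, user@domain, or internal @saspw IDs."""
    return "\\" in user_id or "@" in user_id


def resolve(authenticated_id, logins=STORED_LOGINS):
    """Return (identity, implicit groups) for an authenticated user ID."""
    wanted = authenticated_id.lower()
    for identity, stored in logins.items():
        if stored.lower() == wanted:
            return identity, ["PUBLIC", "SASUSERS"]
    # Valid credentials but no matching login: PUBLIC-only.
    return None, ["PUBLIC"]


def audit(logins=STORED_LOGINS):
    """List identities whose stored user ID lacks a qualifier."""
    return sorted(n for n, uid in logins.items() if not is_qualified(uid))


if __name__ == "__main__":
    for uid in (r"CORP\fred", r"CORP\ann", r"CORP\newhire"):
        print(uid, "->", resolve(uid))
    print("logins missing a qualifier:", audit())
```

Running `audit()` over an export of stored logins before granting anything to PUBLIC shows which existing users would silently fall back to PUBLIC-only permissions.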

Occasional Contributor
Posts: 5

Re: Enabling Public Access to Enterprise Guide: Advanced

Thank you SASKiwi and Paul. The macros were a great tip. I will definitely use them to transfer users from AD to SAS metadata.

Before I execute that, as a proof of concept, I manually added a few users to the SAS metadata. I created a user, and under the accounts tab, I added the fully qualified Windows login (domain\username).

When I log into the client as one of the users and open Enterprise Guide, I select a profile that connects to the metadata server using Integrated Windows Authentication. This connects me to the server OK, but when I expand one of the metadata servers, I receive the SAS: SASApp "Credentials Required" popup screen. The Windows credentials do not seem to work here so I can't access the server. What's more, when I hover over the connection link in the bottom right-hand corner of EG, it displays my SAS metadata user so it seems that the connection between my Windows and SAS user accounts is functioning, but SAS continues to ask me for additional credentials.


I do not have this problem if I manually link the user to a SAS internal account (like sasadm@saspw). I shouldn't have to create an internal "@saspw" account for every user, should I?

Solution
‎07-24-2013 07:02 PM
PROC Star
Posts: 389

Re: Enabling Public Access to Enterprise Guide: Advanced

The reason why the Integrated Windows Authentication (IWA) connection to the metadata server worked, but the IWA connection to the SASApp Workspace Server (WS) didn't, is most likely because your WS is not configured to accept IWA connections (this is the default). Once you configure the WS to accept IWA connections it will probably work for you (assuming all other prerequisites are also in place - same/trusted domain, valid SPNs etc).

You can find out more about configuring the WS for IWA in the How to Configure Integrated Windows Authentication section of the SAS 9.3 Intelligence Platform: Security Administration Guide.

I have written a few IWA-related blog posts (including links to appropriate SAS docs) that you might also find useful in configuring and troubleshooting IWA configurations, especially if you plan to access additional servers (UNC path files, SAS/Access & SQL Server etc) from an EG IWA connection to a WS.

You shouldn't need to create internal (@saspw) accounts for all of your normal users. Internal accounts are mostly used for internal and administrative purposes.

Occasional Contributor
Posts: 5

Re: Enabling Public Access to Enterprise Guide: Advanced

This was exactly right. Your blog posts are also very informative. Thanks!
