12-12-2013 01:46 AM
I am new to sas admin area, though not new to sas. I have a basic permission/rights question to ask in order to understand.
In a test environment, stored process server is not starting. I have realized that sassrv account does not have write access to the Logs directory at /sashome/config/Lev1/SASApp/StoredProcessServer location. The owner of the Logs directory is the sasinst user. Also, while validating workspace server, sassrv id and password fails too.
Now, how do I grant write access to sassrv, so that stored process server works? All the documents I have seen says that account ownership should be setup during installation.
Thanks for your time.
12-12-2013 03:35 AM
I'm a weak and not patient enough installer so possibly should not be answering this question. But as I just went through a trial and error process installing on a VM: You need to define external users and groups and then assign the appropriate permissions on OS level. So here sassrv should have write access to the log directory.
You normally add external users to external groups and then grant the group the required access to a folder structure. To apply the correct rights to the right folders needs some planning and is part of a pre-installation checklist.
There is some info in the installation guide of what needs to be done under "Setting up Users, Groups and Ports" http://support.sas.com/documentation/cdl/en/biig/63852/PDF/default/biig.pdf
For a "professional" installation: You probably define the groups and users in AD or LDAP and then synch with metadata.
12-12-2013 09:29 AM
Logon to SAS Management Console and select Server Manager ---> Select the server of your interest ,right click and get into properties ----> under Authorization tab add SAS General Servers and give write permissions .
Server launch credentials (for example, the SAS Spawned Servers account, sassrv) are stored in logins on the Accounts tab of the SAS General Servers group, which facilitates launching of stored process servers and pooled workspace servers.
12-12-2013 05:20 PM
zoomzoom - In my SAS on Linux installation the <SASCONFIG>/Lev1/SASApp/StoredProcessServer/Log dir is chmod 770 and chown sas:sas and this has not been changed from the initial installation (where the installation account was sas). This still grants the sassrv account write access to the Logs dir because one of the installation prerequisites in setting up the sassrv account is to make its primary group the same as the sas installation accounts primary group (which is sas for me). Can you check to see if your sassrv still has sasinst as its primary group. You mention you also can't launch a workspace server with the known sassrv credentials - what is the error reported? Does it suggest bad credentials, bad permissions, or failure to launch a process? Have you reviewed the SAS Object Spawner log file to see what errors are reported there? Can you let us know what errors you see?
SASYuppie - those instructions would explicitly grant the SAS General Servers group (and any member of it - often only the sassrv userid) permissions to modify the server definitions in metadata (and associate resources with them). In many installations this would probably be redundant - if you review the effective permissions for the SAS General Servers group on the various SASApp servers you'll most likely find it already has those permissions indirectly (via the SASUSERS group grants from the repository ACT). Additionally, it is not really necessary for the SAS General Servers group to have those WriteMetadata permissions on the servers as the sassrv login is not normally used as an administrator / data library manager / stored process author etc.
I hope this helps.
12-17-2013 10:42 PM
Thank you for your time and response.
I got the solution as I learnt that sassrv is the group owner for the Logs directory, and there was no write access for sassrv in my case !! So just providing the write access to the group did the work. sasinst is still the primary owner. I need to take another look at the generated logs inside logs folder to understand their ownership. And I have started matching up the access level of directories between test and prod, that is helping..!!
Thank you all once again.