
Let's ACE this! DataFlux Data Management Server adds 4 new Access Control Entry options

by SAS Employee MKQueen on 12-21-2015 10:15 AM - edited on 12-21-2015 10:19 AM by Community Manager

ACE in this case stands for Access Control Entry. Four new configuration options were added for DataFlux Data Management Server 2.6 with respect to ACE.  The options are:

     DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW

     DMSERVER/SECURE/DEFAULT_ACE_USERS_DENY

     DMSERVER/SECURE/DEFAULT_ACE_GROUPS_ALLOW

     DMSERVER/SECURE/DEFAULT_ACE_GROUPS_DENY

 

These options set an “ALLOW” or “DENY” Access Control Entry (ACE) for each user or group in the configured list when the Data Management Server creates the access control list (ACL) for a job as it is uploaded to the server. These options are set in the dmserver.cfg file. After you make these changes in the config file, you must restart the DataFlux Data Management Server service for them to take effect.

Here is an example of using these settings in the dmserver.cfg. Note: Multiple user and group names are separated by “ | ”.

[Image: DMSERVER.CFG ACE Settings]

With these settings, when a job is uploaded to the DataFlux Data Management Server, the Permissions (Access Control List (ACL)) for the job will look like this:

[Image: Access Control List]

 

These new options are a great enhancement and will certainly help with setting permissions for jobs on a secure DataFlux Data Management Server. However, you do need to be careful when setting these options. If a user or group shows up more than once within or across options, or you refer to a group or user name that does not exist in SAS Management Console, then the Data Management Server will not allow any logins to the server until the issue is fixed. For example, say you have the following settings, where you have listed a group called Data Management Users which does exist in the group listing in the SAS Management Console:

[Image: dmserver_cfg_ACE_settings2.png]

This causes an error when someone tries to access the server. If anyone tries to log on to the Data Management Server, they will receive this message.

[Image: connection_failed.png]

And the message “error resolving configured default ACEs” is written to the dmserver.log.

 

 

Note: These new options supersede the deprecated options DMSERVER/SECURE/DEFAULT_ACE_USERS and DMSERVER/SECURE/DEFAULT_ACE_PUBLIC. These two old options are still recognized and, if present, will be combined with the values of the four new options. If one of these old options is used -- and you also add USERS or PUBLIC as groups in the new options -- the group names will show up more than once and cause an error when trying to access the Data Management Server. Therefore, it is recommended to remove these old options from your dmserver.cfg if you plan to take advantage of these new options.
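Because a duplicate or unknown name blocks every login until it is fixed, it is worth checking dmserver.cfg before restarting the service. The following pre-restart check is an added example, not SAS code: it flags names repeated within or across the four options, collisions with the deprecated options, and names missing from a list you export from SAS Management Console. The `KEY = value` line syntax, `#` comments, case-insensitive name matching, the value of the deprecated option and all sample names are assumptions.

```python
PREFIX = "DMSERVER/SECURE/DEFAULT_ACE_"
NEW_OPTS = {"USERS_ALLOW": "user", "USERS_DENY": "user",
            "GROUPS_ALLOW": "group", "GROUPS_DENY": "group"}
# Deprecated options; per the article they contribute the USERS / PUBLIC groups.
OLD_OPTS = {"USERS": "USERS", "PUBLIC": "PUBLIC"}

def lint_default_aces(cfg_text, known_users, known_groups):
    """Return findings that would make default-ACE resolution fail."""
    known = {"user": {u.lower() for u in known_users},
             "group": {g.lower() for g in known_groups}}
    seen = {}        # (kind, lowercased name) -> option where first listed
    findings = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # assumed syntax: "KEY = value", "#" starts a comment
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.upper().startswith(PREFIX):
            continue
        opt = key.upper()[len(PREFIX):]
        if opt in NEW_OPTS:
            kind = NEW_OPTS[opt]
            names = [n.strip() for n in value.split("|") if n.strip()]
        elif opt in OLD_OPTS:
            kind, names = "group", [OLD_OPTS[opt]]  # value itself is ignored
        else:
            continue
        for name in names:
            ident = (kind, name.lower())
            if ident in seen:
                findings.append(f"{key}: {kind} '{name}' already listed in {seen[ident]}")
            else:
                seen[ident] = key
            if opt in NEW_OPTS and name.lower() not in known[kind]:
                findings.append(f"{key}: {kind} '{name}' not found in metadata export")
    return findings

# Constructed sample config; user and group names are invented for illustration.
SAMPLE_CFG = """\
# constructed sample
DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW = sasdemo | dmadmin
DMSERVER/SECURE/DEFAULT_ACE_USERS_DENY = sasdemo
DMSERVER/SECURE/DEFAULT_ACE_GROUPS_ALLOW = ETL Developers | PUBLIC
DMSERVER/SECURE/DEFAULT_ACE_PUBLIC = deny
"""

if __name__ == "__main__":
    for finding in lint_default_aces(SAMPLE_CFG, {"sasdemo", "dmadmin"}, {"PUBLIC", "USERS"}):
        print(finding)
```

An empty result means none of the conditions described above were detected; it does not replace checking dmserver.log after the restart.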

 

Refer to the Data Management Server 2.6: Administrator’s Guide for more information about these options as well as others you can set.
