Desktop productivity for business analysts and programmers

Trying to Contain Users Inside of a Workspace Server Path

Reply
Contributor
Posts: 50

Trying to Contain Users Inside of a Workspace Server Path

I am trying to give SAS a general read/write access to the OS and manage what users can read/write through metadata. Enterprise Guide users (and any programmers for that matter) are the only ones I worry about because the workspace server gives direct access to the file system. I've actually got this covered by setting the workspace server path to where I want the users to read/write their data. BUT lets say a user is smart enough to figure out the directory structure and potentially write their own libname statement to another directory outside their workspace server, they could access data they shouldn't be able to.

Anybody have ideas? I would hope there is an option for the workspace server to limit what users can read/write depending on if it is outside the path defined for the workspace server.
Super Contributor
Posts: 356

Re: Trying to Contain Users Inside of a Workspace Server Path

If you are worried about security that much, i suggest using using the OS permisisions as well as the MD permission, I believe that is the 'Best Practise'.

I am not sure what you mean by "setting the workspace server path " can you expand?

also what OS, what version of sas etc...

Barry
Community Manager
Posts: 2,691

Re: Trying to Contain Users Inside of a Workspace Server Path

Steve is referring to the File Navigation path that you can set in the workspace server properties, which serves as a cue for how to allow the end user to navigate the server file system from within EG.

The advice is correct though: lock down the OS file system to prevent unauthorized access to areas the end user shouldn't get to. Creative SAS programmers can find programmatic methods to access content that is open, if they want to.

Chris
Contributor
Posts: 50

Re: Trying to Contain Users Inside of a Workspace Server Path

We're going to investigate the use of ACLs to take it a step further...

http://support.sas.com/kb/33/961.html
Respected Advisor
Posts: 3,822

Re: Trying to Contain Users Inside of a Workspace Server Path

Hi
To set security on OS level will be the safest way.
User "sassrv" (EG) would then have only write access to the directories you want, user "sas" would be used for batch job with write access to much more directories.
Have "sas" and "sassrv" in the same group (I assume OS is UNIX) and set ACL appropriate (setfacl, getfacl). I have seen something like this already set-up and working.
There is also some possibility to suppress SAS commands (i.e. a Libname statement) and I've worked on one site where this was implemented. I don't know exactly how this was done and I also feel it's kind of a "brute force" method.
HTH
Patrick
Ask a Question
Discussion stats
  • 4 replies
  • 145 views
  • 0 likes
  • 4 in conversation