I am trying to give SAS a general read/write access to the OS and manage what users can read/write through metadata. Enterprise Guide users (and any programmers for that matter) are the only ones I worry about because the workspace server gives direct access to the file system. I've actually got this covered by setting the workspace server path to where I want the users to read/write their data. BUT lets say a user is smart enough to figure out the directory structure and potentially write their own libname statement to another directory outside their workspace server, they could access data they shouldn't be able to.
Anybody have ideas? I would hope there is an option for the workspace server to limit what users can read/write depending on if it is outside the path defined for the workspace server.
Steve is referring to the File Navigation path that you can set in the workspace server properties, which serves as a cue for how to allow the end user to navigate the server file system from within EG.
The advice is correct though: lock down the OS file system to prevent unauthorized access to areas the end user shouldn't get to. Creative SAS programmers can find programmatic methods to access content that is open, if they want to.
To set security on OS level will be the safest way.
User "sassrv" (EG) would then have only write access to the directories you want, user "sas" would be used for batch job with write access to much more directories.
Have "sas" and "sassrv" in the same group (I assume OS is UNIX) and set ACL appropriate (setfacl, getfacl). I have seen something like this already set-up and working.
There is also some possibility to suppress SAS commands (i.e. a Libname statement) and I've worked on one site where this was implemented. I don't know exactly how this was done and I also feel it's kind of a "brute force" method.