cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
FrankPoppe
‎05-15-2024
  • 64 Posts
  • 2 Likes Given
  • 2 Solutions
  • 18 Likes Received

When does the OBS= data set option operate?

by Quartz | Level 8 in SAS Programming
‎07-02-2013 08:45 AM
‎07-02-2013 08:45 AM
Hi, I have always thought that data set options operate outside the context of the Proc that uses the data set as input. That means that the Proc only sees the observations that options like OBS= let through. I was greatly surprised when I saw the results of the following piece of code (simplified for this purpose). data test ; do x = 1 to 10 ; output ; end ; run ; proc sql ; create table sel1 as select * from test ( obs=1) where x > 1 ; I expected that Proc SQL would see only the first observation (with x=1), then decide that it didn't pass the where clause, and thus create a table with 0 observation. But the result is a single observation with x=2! Apparently the obs= and where conditions are combined. But it does not feel right that when I specify that only the first observation should be processed, I get the second observation as output. Any other views? ... View more

Re: SAS DI

by Quartz | Level 8 in SAS Data Management
‎03-21-2013 09:39 AM
‎03-21-2013 09:39 AM
I have seen that happen as well. But that was in 9.2, and I think that at some point (TS2?) this was fixed. I does not occur (at least not that often) in 9.3 (which is now at DIS 4.6). ... View more

Re: CATX in %SYSFUNC

by Quartz | Level 8 in SAS Programming
‎03-21-2013 09:29 AM
5 Likes
‎03-21-2013 09:29 AM
5 Likes
Hi, The OF construct is SAS Language, not macro language, i.e. something you can use in the data step, not within a macro. It would be possible to have the macro generate data step code that uses the OF construct, but that is not what you are doing here. ... View more

Re: Hide .Srx Extensions

by Quartz | Level 8 in SAS Web Report Studio
‎10-19-2012 09:46 AM
‎10-19-2012 09:46 AM
Or use an URL display portlet. You can then format it to look any which way you want. On the other hand of course you have to write the HTML yourself and maintain the links. ... View more

Preventing direct access to cubes from WRS

by Quartz | Level 8 in Administration and Deployment
‎11-14-2011 05:51 AM
‎11-14-2011 05:51 AM
Right. The PUBLIC group still had the original "Web Report Studio: Report Viewing" role assigned, which includes the "Allow Direct Access to Cubes" capability. I choose not to change the original role, but created custom roles as copies of the original ones, plus or minus a few capabilities. But overlooked the fact that you still get the capabilities I removed through the PUBLIC group. There is another tricky behaviour, it seems. Identities that have no role assigned, because SASUSER and PUBLIC no longer have any explicit role and because they are not member of any group that has a role, seem to get a set of default capabilities, including the "Allow Direct Access to Cubes" one. Perhaps the paper Paul refers to (below) will clarify that - I haven't read it yet. Thanks all. Frank ... View more

Preventing direct access to cubes from WRS

by Quartz | Level 8 in Administration and Deployment
‎11-10-2011 08:27 AM
‎11-10-2011 08:27 AM
Hi, I want to ascertain that WRS (Web Report Studio) users can access data only through Information Maps. I thought it would be enough to remove the 'Allow Direct Access to Cubes' and 'Allow Direct Access to Tables' capabilities from the role that is assigned to those users. However, from a Web Report they still can open cubes and tables. That is, only if they have Read access, of course, but the point is that the Information Map might limit their access to certains rows or slices. I have made certain that they are not a member of any group that has a broader role. Of course, they still are member of the SASUSERS group, but that group has no role assigned. I stumbled onto Usage Note 40599: "Assigning users to a custom role that has limited capabilities might still have access to additional capabilities even after applying the custom role". But what does that mean? That I can never give a user less capabilities then SASUSERS has, and that I can never remove those capabilities from SASUSERS? That would be very disappointing! Anybody any experience? Frank Poppe ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎10-18-2011 03:41 AM
‎10-18-2011 03:41 AM
@Larry and @Vic: thanks for the additional input. For the time being we have our external users defined as local accounts on the Windows machine that hosts the metadataserver. But in order to get rid of the need for Microsoft CAL's somebody is investigating the alternative scenario's that have been suggested. That make take a few weeks. I'll report back on what we have chosen (and why). Frank ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-19-2011 08:02 AM
‎09-19-2011 08:02 AM
Hi Paul, Thanks a lot for the suggestions and pointers. At the moment we don't have a reverse proxy, but it sounds like something to investigate. I will try to familiarize myself further with these topics; or try to get somebody involved who feels already better at home here. Anyway, it may take a few days before I report on our next steps. Until then, thanks again to all of you. Frank ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-15-2011 09:50 AM
‎09-15-2011 09:50 AM
Hi, Thanks for the questions and the suggestions. I now have several things to think (and read) about, one reason being that these are areas I until now knew existed, but never did have to know much about. Some reactions already. @Paul, the Portal is surfaced to the external users through public internet. Everybody can see the logon page (http://zorgportal.prismant.nl). So the SAS Logon Manager is the point where authentication starts (and ends). The identity of the external users will have to be available when Information Maps are being processed (to be used in a filter using the SAS.IdentityGroups property) and when the permissions table for a cube is being used. So the scenarios where some shared identity is being used are only an option if that still is the case. At this moment I am not familiar enough with the way this operates to judge this for myself. @LarryNoe I always thought that when more then one domain was being used it works like this. The user gives just the username, the metadataserver then searches for an identity that has an account with that username, and then sends off the username to the authentication domain given before the backslash in the account field. But this does not fit in with your description of ‘always sends users to the default provider’? I have been thinking of the option of adding the @DOMAIN (possibly @SASPW if that in the end will be the way to go) in the HTML-form, perhaps with Javascript or something like that, before the username is sent off to some authentication mechanism. It should not be difficult (I think ) to provide the internal users with a logon page that does not add this suffix, and then starts exactly the same portal. @Shane I don’t see what would be gained with setting up another web server with metadata and workspace servers? If it would solve the problem, it would be an option, because it wouldn’t necessarily mean a new set of machines. I see no reason why they wouldn’t run on the same machines (providing you don’t mix up the port numbers). Thanks again to all of you, Frank ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-15-2011 05:34 AM
‎09-15-2011 05:34 AM
Again something I should have mentioned. It is SAS 9.2. But: 1) The SAS docs state that you can't (or shouldn't) use internal ID for other then administrative tasks because they can't access data sources. This doesn't seem to be quite true, I did some tests and didn't run into problems but the tests weren't very extensive and given that text in the docs it seems too large a risk to take. 2) Those external users always will have to type the @saspw part. Users that are authenticated outside of SAS only will have to type the username, regardless of whether the metadata knows a MetadataMachineName\user account or a CompanyAD\user account. This will hardly be acceptable for the people here. ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-15-2011 05:08 AM
‎09-15-2011 05:08 AM
I'll try to elaborate a bit. For starters I am just a SAS consultant, not the boss. And we are in a small organisation, independent in the products it develops, but part of a much larger organisation. The larger organisation makes the ICT environment available and maintains things as the Active Directory. So creating an account in the company wide AD is done through an authorisation procedure, and will mean the the organisation I work for starts to pay for additional users, for facilities they will never use. Even the change itself may be billed by the company to which this has been outsourced. The cost and the loss of flexibity when new users have to be created, or e.g. when existing users have forgotten their password make that (IMHO) using the existing LDAP server is not option. But although I can claim a fairly large experience in SAS, I never have done much in the area of authenticating web users, so I may have taken some things for granted which deserve more attention. I don't see why you judge the initial setup as an already complex situation. Also I don't see what you mean with the need to integrate authentication with the file system? Of course, for all users that get access to certain data (tables or cubes) through the metadata the physical data source will have to be accessed as well. But I don't see a difference there between users that are authenticated through the existing LDAP database and other users. But if I overlook something there, please enlighten me. And suggestions from Paul Homes are always welcome! ... View more

Re: Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-15-2011 04:49 AM
‎09-15-2011 04:49 AM
I should have mentioned this. In the production environment we have 4 servers (metadata server, workspace, OLAP, web), all Windows 2008. That is already in place and running. The issue now is to authenticate individual external users of the IDP. (We have a second set of four Windows servers for the development cycle. And all servers are virtual machines.) So the metadataserver is running on Windows, and is configured to talk to LDAP (more or less by default I guess, but I haven't done the installation and configuration). See also my reaction to Barry. ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-14-2011 07:33 AM
‎09-14-2011 07:33 AM
Hi Shane, Yes, they must have their own login. The content they'll see will differ: different portal pages and portlets, different information maps, different rows from a table, different cube slices, etc. (We will have the users in groups, and the groups will have access to the items in different metadata folders. Also some information maps will have filters with row level security, and the cubes will have permission tables.) Greetings, Frank ... View more

Alternative authentication methods?

by Quartz | Level 8 in Administration and Deployment
‎09-14-2011 04:11 AM
‎09-14-2011 04:11 AM
Hi, I wonder if there are any suggestions on the following authentication problem. I'll need a few sentences to explain the situation. We will have two sets of users. The first set are internal users, with a username in the standard company domain. There are lots of differences between the users within that set (some do DI Studio work, others EG, or just use the Portal and WRS), but that is not relevant. The other set are external users that only will access the Portal through internet, browsing information coming from tables and cubes. These users will not yet have a username, but they will need one because they have to be authenticated (users will have access only to specific subsets of data). The question is now how to authenticate those external users. Assigning them an username in the company domain is, for different reasons, not an option. An option that I have seen used elsewhere is to define users locally on the machine where the SAS Metadata Server sits. The SAS identities in the metadata for those users will be linked to accounts like MetadataMachineName\user, instead of CompanyAD\user. In the current situation that is not an acceptable solution because it appears an additional Microsoft CAL (Client Access License) is needed for each user that will be defined on the server (although that username only will be used for authentication, the user will never have real access to the machine). One of the ideas now is to set up a Linux server with an OpenSource LDAP server to manage those external users. But I cannot find much documentation on how to configure (in the metadata) a LDAP server that is not the standard one. Some links are Direct LDAP Authentication and How to configure direct LDAP Authentication , both from the Security Admin Guide. But there really only give necessary configuration settings, and don´t give much background - which is what I need as well, being ignorant in this area. One item I noticed however was that there can be only one LDAP server, which means I cannot have both the company LDAP server for internal users and this possible Linux LDAP server for external ones. Is this correct? Is there some way to overcome this? (Have the local LDAP server extract information from the central LDAP server?) Are the any other option that we should look at? Any suggestions are welcome! Frank Poppe ... View more

Re: Create Word Tables as Form or Object

by Quartz | Level 8 in ODS and Base Reporting
‎04-05-2006 08:41 AM
‎04-05-2006 08:41 AM
If the 'master document' remains the same across different runs you could create the tables in separate files and then create that master with MS Word and insert the files as links. The master document (or copies of it) can then be edited, but the tables cannot. If needed it should also be possible to create such a master with SAS and ODS, but that would require you insert the links to the files as raw RTF. A look in such a document created with Word and saved as RTF would give a fairly good idea of that RTF should look like. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-15-2024 06:15 PM
Likes given to
View All
Likes from
Quick links