Jon, security is challenging. Most of SAS is documented at bisecag. Note the cautions mentioned there: SAS(R) 9.4 Intelligence Platform: Security Administration Guide (security overview / authorization). See also the mediated access notes at SAS(R) 9.4 Intelligence Platform: Security Administration Guide (mediated access).

Web access is mediated. This part should be sufficiently secured in that way. As soon as there is a way for some code (SAS language) to be inserted by users, all those facilities of SAS are disclosed with all the access rights of the running key at OS level. You do not need the password, as it is already running and available to you. It is the same possible security hole as SQL injection or the lookalikes. Eguide, DI, Addin-microsoft office, Eminer are intended to be used by analytics, offering or even requiring that option to do code. Therefore a note is made in this document that well-designed host layers are your last defence that is to be trusted.

To make it technically more complicated for you: the sasauth module in the SAS installation is running at root level with setuid rights. It is this process that is the core for switching user identities using SAS. It is the same logic as the SSH daemon PuTTY terminal login (being replaced by SAS). This needs agreement with your security staff. For the security setup I have a running discussion with SNLFAM1: https://communities.sas.com/message/179331#179331