SAS 9.2 Intelligence Platform: Security Administration Guide

Contents......Page 4
Roles and Permissions......Page 8
Authentication and User Management......Page 9
Documentation Enhancements......Page 10
Fundamentals......Page 12
Security in the SAS Intelligence Platform......Page 14
Roles Overview......Page 15
Single Sign-On Overview......Page 16
Security Reporting and Logging Overview......Page 17
Introduction to Security Tasks......Page 18
Coordinate the Workspace Server......Page 19
Add Administrators......Page 20
Add Regular Users......Page 21
Open Up Access......Page 22
Limit the Ability to Update or Delete Servers......Page 23
Provide PUBLIC Access (Optional)......Page 24
Password Updates for Service Accounts......Page 25
Ensure Availability of Application Features......Page 28
About User Administration......Page 32
User Definitions......Page 33
Group Definitions......Page 35
Role Definitions......Page 37
Differences Between Roles and Groups......Page 39
How to Unlock an Internal Account......Page 40
How to Assign Capabilities to Roles......Page 41
User ID Formats......Page 43
Unique Names and IDs......Page 44
Identity Precedence......Page 45
Windows Privileges......Page 47
Who Can Manage Users, Groups, and Roles?......Page 48
Orientation to Working With Permissions......Page 50
Who are Permissions Assigned To?......Page 51
What Is the Effect of a Permission Setting?......Page 52
Explicit Settings......Page 53
ACT Settings......Page 54
Inherited Settings......Page 55
Using WriteMetadata and WriteMemberMetadata Permissions......Page 56
Key Points About Working With Permissions......Page 58
Authorization......Page 60
About Metadata-Based Permissions......Page 62
Inheritance Paths and Identity Precedence......Page 63
Use and Enforcement of Each Permission......Page 64
Inheritance Paths......Page 65
Permissions by Item......Page 66
Permissions by Task......Page 71
Authorization Decisions......Page 73
Considerations for Batch Reporting......Page 76
Identity-Driven Properties......Page 77
What Implementations are Available?......Page 78
How are Fine-Grained Controls Assigned?......Page 79
Baseline ACTs......Page 82
Demonstration: Departmental and Project Separation......Page 84
Variation 1: Add Subgroups, Designate Content Creators......Page 87
Variation 2: Add Functional Separation......Page 90
Key Points About the Baseline ACT Approach......Page 92
Consolidation of ACTs......Page 93
End Users, Folders, and Permissions......Page 94
Protecting Server Definitions......Page 96
Hiding Server Definitions......Page 99
About BI Row-Level Permissions......Page 104
Preliminary Tasks......Page 106
Data Modeling......Page 108
Information Map Tasks......Page 111
Verification......Page 113
Implementation and Testing......Page 114
Variation 2: Apply Different Filtering Logic to Different Groups......Page 116
BI Row-Level Permissions, Identity-Driven Properties, and Missing Values......Page 117
How to Assign an OLAP Permission Condition......Page 120
Introduction......Page 121
Implementation Process......Page 122
Overview of Security Reporting......Page 126
Authorization Data Sets......Page 129
Additional Resources for Building Authorization Data Sets......Page 131
Authentication......Page 134
Introduction to the Authentication Model......Page 136
Depictions of the Authentication Process......Page 137
Example: Metadata Server on UNIX......Page 139
Example: Metadata Server on Windows......Page 140
Authentication to Data Servers and Processing Servers......Page 141
Introduction and Template......Page 142
Example: Windows and Shared Access to Oracle......Page 144
Example: Mixed Hosts and SAS Token Authentication......Page 145
About Mixed Providers......Page 146
Solution to Mixed Providers: Align Authentication......Page 147
Credential Gaps......Page 148
How Logins Are Used......Page 150
About PUBLIC Access and Anonymous Access......Page 151
Introduction to Authentication Mechanisms......Page 154
Credential Management......Page 155
Direct LDAP Authentication......Page 157
Host Authentication......Page 158
Integrated Windows Authentication......Page 159
Pluggable Authentication Modules (PAM)......Page 160
SAS Internal Authentication......Page 161
SAS Token Authentication......Page 164
Trusted Peer Connections......Page 165
Trusted User Connections......Page 166
Web Authentication......Page 167
Summary by Server Type......Page 170
How to Configure SAS Token Authentication......Page 172
How to Configure SAS Internal Authentication......Page 173
Server-Level Policies......Page 174
Per-Account Policies......Page 176
Logins for Users Who Participate in Web Authentication......Page 177
How to Configure Direct LDAP Authentication......Page 178
How to Configure Integrated Windows Authentication......Page 180
How to Force Use of Kerberos......Page 183
How to Store Passwords for the Workspace Server......Page 184
How to Store Passwords for a Third-Party Server......Page 185
How to Reduce Exposure of the SASTRUST Password......Page 187
About the Workspace Server's Options Tab......Page 188
About This Chapter......Page 192
How SAS Servers Preserve Identity......Page 193
About Launch Credentials......Page 194
Criteria for a Designated Launch Credential......Page 195
How to Create and Designate a New Launch Credential......Page 197
Direct Access Versus Mediated Access......Page 198
Managing the Risks of Mediated Host Access......Page 200
Example: Multiple Levels of Host Access......Page 201
Benefits and Risks of Server-Side Pooling......Page 203
Which Eligible Requests Actually Use Pooling?......Page 205
Modifying the Initial Pooling Configuration......Page 206
Encryption......Page 208
Default Settings for On-Disk Encryption......Page 210
Default Settings for Over-the-Wire Encryption......Page 211
How Are SAS/SECURE Features Surfaced?......Page 212
Licensing and Availability of SAS/SECURE......Page 213
Instructions for Post-Installation Changes......Page 214
Details About NETENCRALG and CEL......Page 215
How to Increase Encryption Strength for Passwords at Rest......Page 216
RETURNPASSWORDS=SAS003 and Compatibility......Page 217
Accomodating Connections That Can't Use SAS003 Passwords......Page 218
Appendixes......Page 220
General Measures......Page 222
Metadata Layer Measures......Page 223
Distribution of Selected Privileges......Page 224
Permission Patterns of Selected ACTs......Page 225
Managed Passwords in the SAS Metadata Repository......Page 226
Managed Passwords in the SAS Configuration Directories......Page 227
Additional Managed Passwords in the Web Environment......Page 228
Who's Who in the SAS Metadata......Page 229
Overview of User Import and Synchronization......Page 230
Canonical Tables......Page 233
External Identities......Page 234
Scope of the Import Process......Page 235
How to Import Identities......Page 236
Scope of the Synchronization Process......Page 237
How to Synchronize Identities......Page 238
Sample Code for Generic File Import......Page 239
Sample Code for User Synchronization......Page 241
About the Sample Code for UNIX /etc/passwd Import......Page 242
About the Sample Code for Active Directory Import......Page 243
Reference: User Import and Synchronization Macros......Page 245
Recommended Reading......Page 252
Glossary......Page 254
Index
......Page 258