Introduction . . . 83 Method . . . 83 Instructions . . . 84 Hide Server Definitions . . . 86 Introduction . . . 86 Method . . . 87 Instructions . . . 88
Protect Server Definitions
Introduction
In a new deployment, all registered users can update and delete server definitions. We recommend that you limit the ability to update or delete server metadata as follows:
n The SAS Administrators group should be able to administer, update, and delete all server definitions.
n Users who assign libraries, stored processes, or an OLAP schema to an application server must have WriteMetadata permission for that application server.
n No other users should be able to update or delete server definitions.
TIP This chapter explains how to manage access to metadata objects that represent server processes. If you want to limit what a particular server process can do, see “Locked-Down Servers” on page 98 instead.
Method
To avoid repeatedly adding the same explicit grants and denials to multiple pieces of server metadata, create and use an ACT. If you want to enable regular users to assign libraries, stored processes, or an OLAP schema to a particular application server, supplement the ACT settings with an explicit grant of WriteMetadata permission on that application server.
83
The following table depicts typical protections.
Table 7.1 Example: Protecting Server Definitions
Object
Direct Controls
ACTs Explicit Grants
SASApp Protect DataAdmins: +WM
Each logical server inside SASApp Protect (none)
SASMeta Protect (none)
Other immediate children of Server Manager Protect (none)
Note: The initial configuration in a new deployment limits access to the logical workspace server and the logical SAS DATA step batch server within SASMeta, so it is not necessary to add protections to those components.
Instructions
Here is one way to set the permissions:
1 Log on to SAS Management Console as a member of the SAS
Administrators group (for example, sasadm@saspw). Select the Plug-ins tab.
2 (Optional) Examine the current settings.
a Expand Server Manager, right-click the SASApp application server and select Properties.
b On the Authorization tab, select SASUSERS. Notice that this group (which includes all registered users) has both ReadMetadata and WriteMetadata permissions. The application server inherits these grants from the standard repository-level settings. Click OK to close the dialog box.
3 If you do not already have an ACT with the appropriate pattern, create a new ACT as follows:
a Expand Authorization Manager, right-click Access Control Templates, and select New Access Control Template.
b On the General tab, enter a name such as Protect.
c On the Permission Pattern tab, define settings that you want to apply to all server metadata.
Table 7.2 Example: Pattern for the Protect ACT
Group Permission Pattern
PUBLIC Deny WriteMetadata, WriteMemberMetadata,
CheckInMetadata, Write, Administer SAS Administrators Grant WriteMetadata, WriteMemberMetadata,
CheckInMetadata, Write, Administer, ReadMetadata*
* These grants ensure that administrators can manage all metadata.
TIP To increase reusability, this pattern includes permissions that are not relevant for server definitions.
d On the Authorization tab, add explicit controls to protect the ACT that you are creating:
n Select PUBLIC and deny WriteMetadata permission. Leave the indirect ReadMetadata setting in place.
n Select SAS Administrators and grant WriteMetadata permission.
Leave the indirect ReadMetadata setting in place.
TIP If the Users and Groups list box on the ACT's Authorization tab is empty, click OK to save the ACT. Then, right-click the new ACT, select Properties, and select the Authorization tab again.
e Click OK.
4 (Optional) If you want to allow some nonadministrators to assign libraries, stored processes, or an OLAP schema, and you do not already have a group that represents those users, create a new custom group.
a Right-click User Manager and select New Group.
b On the General tab, enter a name such as Data Admins.
c On the Members tab, move users (or groups) to the Selected Identities list box.
d Click OK to save the new group. You will grant WriteMetadata permission to this group in step 5c. This group does not participate in the ACT's pattern because this group needs WriteMetadata permission on only some of the target objects.
Note: As an alternative to creating a group for only this purpose, you can skip this step and instead assign the permissions to specific users in step 5c.
5 To set the protections:
a Expand Server Manager, right-click the first application server (if this is your first pass) and select Properties.
b On the Authorization tab, click Access Control Templates. In the Add and Remove Access Control Templates dialog box, move the Protect
Protect Server Definitions 85
ACT to the Currently Using list box (you have to expand the Foundation node to get to the ACT). Click OK to return to the Authorization tab.
Note: Review the revised settings. Notice that SASUSERS is now denied WriteMetadata permission and that PUBLIC and SAS Administrators have some ACT settings. These settings come from the Protect ACT.
c (Optional) If the current item is an application server to which nonadministrators will assign libraries, OLAP schemas, or stored processes, click Add, add one or more identities to the Authorization tab, and give each of those identities an explicit grant of WriteMetadata permission. For example, you might assign the grant to a group (such as GroupA) or to individual users.
TIP For any users that are under change management, grant CheckInMetadata (CM), instead of WriteMetadata (WM). See SAS Intelligence Platform: Desktop Application Administration Guide.
Note: Do not extend WriteMetadata access to the SASMeta application server, because that server should be used for only a few specialized administrative tasks.
d Click OK to save the settings for this object.
e Repeat steps 5a-d for every immediate child of Server Manager.
Immediate children include objects such as other application servers, third-party servers, the share server, the content server, and spawners.
f Apply the Protect ACT to every logical server that is under an application server where you added an explicit grant of WriteMetadata permission (for SASUSERS or a custom group such as Data Admins).
Note: This protects lower-level server metadata that would otherwise inherit the nonadministrator's WriteMetadata grant from the application server. This also prevents nonadministrators who have WriteMetadata permission on the application server from deleting that application server.
See Also
“Use and Enforcement of Each Permission” on page 68