SAS Publishing

SAS ® Solutions Services 1.3

System Administration Guide, Second Edition

The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2006. SAS ® Solutions Services 1.3: System Administration Guide, Second Edition. Cary, NC: SAS Institute Inc.

SAS ® Solutions Services 1.3: System Administration Guide, Second Edition

Copyright © 2006, SAS Institute Inc., Cary, NC, USA

All rights reserved. Produced in the United States of America.

For a Web download or e-book: Your use of this publication shall be governed by the terms established by the vendor at the time you acquire this publication.

U.S. Government Restricted Rights Notice. Use, duplication, or disclosure of this software and related documentation by the U.S. government is subject to the Agreement with SAS Institute and the restrictions set forth in FAR 52.227-19 Commercial Computer Software-Restricted Rights (June 1987).

SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513.

1st printing, December 2006

SAS Publishing provides a complete selection of books and electronic products to help customers use SAS software to its fullest potential. For more information about our e-books, e-learning products, CDs, and hard-copy books, visit the SAS Publishing Web site at support.sas.com/pubs or call 1-800-727-3228.

SAS ® and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.

Contents

Chapter 1 Understanding SAS Solutions Services 1
  Overview of SAS Solutions Services 1
  Architecture 2
  Assumptions and Recommendations 3
  Required Skills 4
  Documentation Conventions 4

Chapter 2 Planning, Installing, and Configuring SAS Solutions Services and the Solutions 7
  Overview of Configuration 8
  Plan the Installation 8
  Install the Software 9
  Set Application Properties 10
  Make Localization Changes, If Necessary 10
  Secure Your System 10
  Load Transformations and Jobs 15
  Back Up the System 19
  Verify Using Sample Data (Optional) 19
  Create the Site’s Users and Groups 21
  Configure Content 22
  Load Production Data 24
  Install the SAS Strategic Performance Management Migration Wizard (Optional) 25
  Load Client Applications 25
  Configure the J2EE Application Server and Web Applications 25
  Maintain the System 26
  Check SAS Notes for Additional Information 27

Chapter 3 Planning the Site’s Security 29
  About Security 29
  Authentication 29
  Authorization 30
  Server Security and Data Transmission 31
  Auditing 32

Chapter 4 Authentication and User Security 33
  Overview of Authentication and User Security 33
  Default Users and Groups 36
  Determining Group and Role Assignments 40
  Registering Users 48
  Synchronizing Users, Groups, and Roles 49

Chapter 5 Content Administration 51
  What Is Content? 51
  Organizing Content 52
  About Security Authorization for Content 53
  Defining Security Authorization for Content 55
  Creating Site Content 60

Chapter 6 J2EE Server Administration 63
  BEA WebLogic Administration 64
  IBM WebSphere Administration 71
  Configuring the Web Applications 74
  Configuring Themes 75
  Using ODCS Clustering to Reduce Wait Time 76

Chapter 7 Portal Administration 81
  About Portal Administration 81
  Assigning a Content Administrator 81
  Creating Default Portal Pages 83
  Customizing the Portal 84
  Accessing the Default Portlets of the SAS Information Delivery Portal 91
  Securing Logs to Enhance Portal Security 91

Chapter 8 Application Administration 93
  Administering the Remote Services 94
  About Solutions Administration 96
  Configuring Applications Using the SAS Management Console 96
  Using the Solutions Web Administration Application 99
  Configuring Log Files 105
  Using Command-Line Diagnostic Tools 106

Chapter 9 Server Security and Encryption 113
  About Server Security 113
  Basic Protections 113
  Securing Data Exchanges between Server Components 113
  Secure Sockets Layer (SSL) 114

Chapter 10 MySQL Server Administration 115
  MySQL Overview 115
  MySQL Installation and Configuration (Windows) 115
  MySQL Installation and Configuration (UNIX) 116
  Backing Up MySQL Databases 116
  MySQL Security Issues 116

Chapter 11 WebDAV Server Administration 117
  About WebDAV 117
  Configuring Content Folder Permissions on the Xythos WebFile Server 117
  Changing the Apache Port Number 118
  More Information 120

Chapter 12 Configuration Files 121
  Overview 121
  Metadata Repositories 121
  Databases 122
  The Lev1\Data Folder 122
  The Lev1\SASMain\SASSolutionsServices Folder 122

Chapter 13 Deploying SAS Web OLAP Viewer and SAS Web Report Studio 125
  Overview 125
  A Note about Repositories 125
  SAS Web OLAP Viewer for Java 126
  SAS Web Report Studio and SAS Web Report Viewer 128

Chapter 14 Client Installation and Configuration 135
  Client Setup 135
  Client Applications 136
  Java Runtime Environment 140
  Configuring Logging for ETL Jobs 140
  Uninstalling the Client Applications 141

Appendix 1 Default Port Usage 143
  Port Usage 143

Appendix 2 Log Files 147
  Overview of Log Files 147
  Log Files on the Middle Tier 147
  Log Files on the Data Tier 148
  Log Files for Client Applications 149

Appendix 3 Troubleshooting 151
  General Troubleshooting Tips 151
  Errors in the SASV9.CFG File 151
  Errors in the Portal 152
  BEA WebLogic Errors 153
  IBM WebSphere Errors and Warnings 154
  MySQL Errors 154
  Errors Running Client Applications 154

Index 157

CHAPTER 1

Understanding SAS Solutions Services

Overview of SAS Solutions Services 1
Architecture 2
Assumptions and Recommendations 3
Required Skills 4
Documentation Conventions 4

Overview of SAS Solutions Services

SAS Solutions Services is a set of services that provide common functionality and a framework for specific solutions. SAS Solutions Services builds upon the SAS 9 Intelligence architecture and includes the following areas of functionality:

Document management allows users to create, organize and secure documents of disparate types based upon their own folder structures. Document Manager, a Web application, supports management and viewing of the documents. Document Manager also allows customization of the menus for each document type, based upon user roles. A My Favorites portlet provides shortcuts to the folders or the documents themselves, and documents can also be viewed within a portlet.

Collaboration enables the user to collaborate on objects surfaced by the applications or portlets. Comment Manager, a Web application, provides a standard interaction user interface for all types of objects.

Measure and metric management provides a means for creating and managing measures used by key performance indicators or SAS Strategic Performance Management (SPM) Elements. A Web application, Measure Manager, allows the user to interactively manage measures. An ETL process is provided to create measures and metrics. Standard measures are shipped as part of SAS Solutions Services. Metric export is also available from the SAS Financial Management Add-In for Microsoft Excel.

Key performance indicator (KPI) management enables the user to create and manage KPIs for various levels within an organization. Based upon security authorization, a user can create, manage, and modify KPI projects and scorecards. A Web application, KPI Viewer, allows the user to view the scorecards. The Dashboard portlet allows the user to put KPIs on a dashboard.

Alerts provide the ability to alert the users to when specific events happen. Various types of alerts are supported. Applications have the ability to participate in alerts based upon the events of the application. An Alerts portlet displays alerts to a user logged in to the Information Delivery Portal. Alerts can also be sent via e-mail.

Directives direct the user to another application or action. Directives can be used by an application to provide links between applications. The My Favorites portlet is based upon directives.

Dimension Management provides the ability to create, manage, and add values to dimensions and hierarchies. A Java client application, Dimension Editor, allows the user to interactively create and modify the dimensions.

Microsoft Office integration provides the ability to integrate documents from SAS Solutions Services within the Microsoft Office suite of applications. There is a common SAS Solutions Services Add-In for Microsoft Office that can be extended by solutions that want to add their document types.

Data-level security allows application objects that are represented by data in the Solutions Data Mart to be secured using an object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies).

Role-based user interface customization and authorization provide a means of customizing the user interface based on the roles a user is associated with (for example, administrator or analyst). A role determines which actions a user can take by limiting the menu options available in the user interface.

Application configuration provides the ability to configure SAS Solutions Services and the solutions. Configuration is administered via a SAS Management Console plug-in.

Administration enables Web-based monitoring of users and administration of SAS Solutions Services and other solutions.

The following products use SAS Solutions Services 1.3:

SAS Financial Management 4.3
SAS Strategic Performance Management 2.3
SAS Human Capital Management 4.3

Within this book, these products are referred to as solutions.

Architecture

The diagram in Figure 1.1 on page 3 gives an overview of the n-tier architecture of SAS Solutions Services and the solutions. The presentation tier includes Web browser-based clients, add-ins to Microsoft Office applications, and Java desktop applications such as Dimension Editor. On the middle tier, SAS applications are deployed to a J2EE application server, usually as either Web Archive (WAR) files (such as the SAS Information Delivery Portal) or Enterprise Archive (EAR) files. SAS Solutions Services is deployed in this middle tier, along with specific domain solutions applications, such as SAS Strategic Performance Management or SAS Financial Management. The SAS Foundation Services (running in a separate Java Virtual Machine) are extended to support SAS Solutions Services and are also deployed in this tier. The data and compute tier typically hosts the SAS application servers, the SAS Metadata Server, the MySQL server, and the WebDAV repository. However, these components might reside on multiple physical machines.

Figure 1.1 SAS Solutions Services Tiered Architecture

[Figure 1.1: architecture diagram not reproduced in the text; the only label recovered from it is "SAS Data Integration Studio".]

Assumptions and Recommendations

This book is written for system administrators and consultants and contains instructions for initial system administration and maintenance of the system. SAS Solutions Services: Data Administration Guide is a companion document. It is available

The book makes the following assumptions and recommendations:

Microsoft Windows:

The fully qualified host name will be used.

Note: In this book, instructions that reference Windows are oriented toward the Microsoft Windows 2000 Server operating environment. There might be differences between Microsoft Windows 2000 and Microsoft Windows XP for some tasks.

You have enabled the viewing of “hidden files and folders.” To enable these views, complete the following steps:

2 Select the View tab.

3 Under Advanced Settings, select Show hidden files and folders.

This guide lists the default password values for accounts that are created during the installation process. You might have chosen different passwords during your installation.

SAS Solutions Services uses the SAS Intelligence n-tier architecture, as described in the SAS Intelligence Platform: System Administration Guide (available at

This architecture enables software components that are installed on a single machine or on multiple physical machines (servers). While this guide refers to different tiers within the documentation, it is assumed that you understand how to determine the appropriate n -tier structure for your installation and configuration.

Microsoft Internet Explorer 6.0 or greater is required for use as your Web browser.

Required Skills

To administer the solutions software, you must be familiar with the operating system on which it is installed. For example, you must know how to create folders, run scripts (.bat files or .sh files), and update environment variables. On Microsoft Windows, you must be an administrator of the machine.

Documentation Conventions

This book uses the following documentation conventions to identify paths in the solutions configuration:

Table 1.1

SAS-install-dir
  Refers to: path to the SAS installation directory
  Windows: C:\Program Files\SAS
  UNIX: /usr/local/SAS

SAS-config-dir
  Refers to: path to the configuration directory
  Windows: C:\SAS\SASSolutionsConfig
  UNIX: /usr/local/SAS/SASSolutionsConfig

BEA-home-dir
  Refers to: path to the BEA WebLogic home directory
  Windows: C:\bea
  UNIX: n.a.

WebSphere-install-dir
  Refers to: path to the IBM WebSphere installation directory
  Windows: n.a.
  UNIX: /usr/local/WebSphere

MySQL-install-dir
  Refers to: path to the MySQL installation directory
  Windows: C:\mysql
  UNIX: /usr/local/mysql

Apache-install-dir
  Refers to: path to the Apache installation directory
  Windows: C:\Program Files\Apache Group\Apache2
  UNIX: /usr/local/IBMIHS

Xythos-install-dir
  Refers to: path to the Xythos WebFile Server installation directory
  Windows: C:\Xythos
  UNIX: /usr/local/SAS/xythos

File system pathnames are typically shown with Windows separators (“\”); for UNIX, substitute a forward slash (“/”).

CHAPTER 2

Planning, Installing, and Configuring SAS Solutions Services and the Solutions

Overview of Configuration 8
Plan the Installation 8
Install the Software 9
  Installation Overview 9
  Install SAS/GRAPH Maps (Optional) 9
  Change Threading Options for SAS Metadata Server (Optional) 9
  Configure the SAS Servers for Alternative Authentication Mechanisms (Optional) 9
Set Application Properties 10
Make Localization Changes, If Necessary 10
Secure Your System 10
  About Securing Your System 10
  Remove Unnecessary Default Metadata Identities 11
  Configure Security Settings for Folders and Files (Windows) 11
    Protect System Configuration Folders 11
    Protect Additional Folders and Files 12
  Configure Security Settings for Folders and Files (UNIX) 13
    Default Settings 13
    Additional Settings 13
  Secure the J2EE Server Configuration 15
  Secure Your WebDAV Installation 15
  Secure Data Transmissions (Optional) 15
Load Transformations and Jobs 15
  Apply Hot Fixes 15
  Set Up a SAS Data Integration Studio User 16
  Define a Batch Job Deployment Directory (Optional) 16
  Import Transformations, Jobs, and Error and Exception Table Metadata 17
  Restrict the Events That Data Administrators See (Optional) 17
Back Up the System 19
Verify Using Sample Data (Optional) 19
  Load Sample Data 19
  Verify the System 20
  Restore the System 21
Create the Site’s Users and Groups 21
  Overview 21
  Grant Log on as a batch job Rights to Users (Windows) 21
  Create Metadata Identities 22
  Run the UserGroupValidation Utility 22
Configure Content 22
  Overview 22
  Assign a Content Administrator 22
  Create Content Folder Structure for the Site 22
  Modify Permissions for Information Maps 23
  Modify Permissions for OLAP Cubes 23
  Create Content for the Site 24
  Set Permissions to Refresh Stored Process Reports 24
  Configure the Information Delivery Portal for the Site 24
Load Production Data 24
Install the SAS Strategic Performance Management Migration Wizard (Optional) 25
Load Client Applications 25
Configure the J2EE Application Server and Web Applications 25
Maintain the System 26
  Synchronize the Server Clocks 26
  Restart Servers 26
  Tune System Performance 26
  Monitor and Maintain Your System 26
Check SAS Notes for Additional Information 27

Overview of Configuration

SAS Solutions Services, and the solutions that use SAS Solutions Services, are built on the SAS 9 Intelligence Architecture. The SAS Intelligence Platform: Installation Guide describes several planning steps that can occur prior to the physical installation and configuration of the software. As a system administrator or consultant, you should be familiar with those planning steps as well as the steps outlined in this guide. Because solutions are geared towards specific user communities, the solutions can provide information for some of these planning areas.

Following are the steps that are used during installation and configuration. Note that the initial installation and configuration of solutions includes a set of installation verification data that you can use to verify the installation. This data is also called sample data, because it can be used to demonstrate the software. Before a production warehouse can be loaded, the installation verification data must be removed.

For information about the files that are installed with SAS Solutions Services and the solutions, see Chapter 12, “Configuration Files,” on page 121. For more information about the solutions, see the online Help and user’s guides, as well as the SAS Solutions Services: Data Administration Guide (available at http://

For more information about the SAS Intelligence Platform, see the following references:

SAS Intelligence Platform: Installation Guide
SAS Intelligence Platform: System Administration Guide
SAS Intelligence Platform: Security Administration Guide
SAS Intelligence Platform: Application Server Administration Guide
SAS Intelligence Platform: Web Application Administration Guide

Plan the Installation

In addition to the planning steps outlined in the SAS Intelligence Platform: Installation Guide, follow these steps in planning your installation.

1 Determine the set of users that are necessary to run SAS Solutions Services and the solutions.

2 Decide on the authentication method(s) to be used.

For more information, see Chapter 4, “Authentication and User Security,” on page 33.

Install the Software

Installation Overview

1 Using SAS Software Navigator, install and configure the SAS Intelligence Platform, as well as SAS Solutions Services and any licensed solutions.

2 Follow the instructions that were generated by the SAS Configuration Wizard, as well as the installation guide for SAS Financial Management, SAS Strategic Performance Management, and SAS Human Capital Management.

3 Follow the procedures described in the remainder of this chapter.

Install SAS/GRAPH Maps (Optional)

The SAS/GRAPH map data sets are not installed by default. If you want to install them, either as part of your regular installation or afterwards, follow these steps:

1 On the Select Components screen of the SAS 9.1 Foundation install, expand the listing under SAS 9.1.

2 Scroll down and select SAS/Graph Map Data Sets.

To install selected maps, expand SAS/Graph Map Data Sets and select only the locations needed.

Change Threading Options for SAS Metadata Server (Optional)

After installation and configuration, the maximum number of threads for the SAS Metadata Server has been set to a value that represents the number of processors on the machine hosting the metadata server. To maximize performance, you might need to change the threading options. These options are described in “Optimizing the Performance of the SAS Metadata Server” in the SAS Intelligence Platform: System

Configure the SAS Servers for Alternative Authentication Mechanisms (Optional)

If you use an authentication mechanism other than host authentication, see “Understanding Authentication” and “Customizing the Authentication Configuration” in the SAS Intelligence Platform: Security Administration Guide (available at http://

contains an overview of user authentication, as well as information about modifications you must make to the server configuration (.cfg) files to support authentication mechanisms such as LDAP or Active Directory.

Set Application Properties

After installation and configuration, you might need to make these changes:

Set e-mail addresses for administrators.

If you did not already do so during the installation process, set the mail host and the e-mail addresses for administrative and error messages. This task is performed by using the Configuration Manager plug-in of the SAS Management Console. For instructions, see “Modify E-Mail Settings” on page 97.

Optionally, install a service to start the remote services.

See “Install a Service to Start the Remote Services” on page 94.

Make Localization Changes, If Necessary

If you installed SAS Human Capital Management in a language other than English, you must modify the setlocs.sas file as follows:

1 In the SAS Management Console, locate the text for the OLAP schema, as follows:

a In the HR repository, navigate to Server Manager .

b Right-click HR-OLAP and select Properties .

c Click the Olap Schema tab.

d Make a copy of the text that is displayed there. In English, this text is HR-OLAP - OLAP Schema, but you will see a translated string.

2 Change directory as follows:

Windows: !SASROOT\hrds\sasmacro
UNIX: !SASROOT\sasautos

3 Open the setlocs.sas file for editing.

4 Locate this line:

%let HRSchema=HR-OLAP - OLAP Schema;

5 Replace the text to the right of the equal sign with the translated text from the SAS Management Console.

6 Save the file.
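Steps 3 through 6 above are a single-line edit that is easy to get subtly wrong (a second HRSchema line left behind, or a translated value that contains a semicolon and therefore ends the %let statement early). The following Python helper is an added example, not part of the guide or of the SAS Human Capital Management installation; it rewrites the %let HRSchema line in a setlocs.sas file you point it at, refuses to proceed unless exactly one such line exists, and rejects values that would break the statement. The file path and the translated schema name are inputs you supply; the sample file content in demo() is constructed for the example and is not the shipped setlocs.sas.

```python
import re
import tempfile
from pathlib import Path

# The macro-variable assignment the procedure tells you to edit. SAS names are
# case-insensitive, so the match is too. Groups: prefix, value, terminator.
_HRSCHEMA_LINE = re.compile(r"^(\s*%let\s+HRSchema\s*=)(.*?)(\s*;\s*)$", re.IGNORECASE)


def set_hr_schema(setlocs_path, translated_schema_name):
    """Replace the value of '%let HRSchema=...;' in setlocs.sas.

    Returns the rewritten line (without its newline). Raises ValueError when
    the line is absent or appears more than once, so a silent no-op never
    passes as success, and when the new value contains a semicolon, which
    would terminate the %let statement early.
    """
    if ";" in translated_schema_name:
        raise ValueError("schema name must not contain ';'")
    path = Path(setlocs_path)
    lines = path.read_text(encoding="utf-8").splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines) if _HRSCHEMA_LINE.match(line)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one HRSchema line, found {len(hits)}")
    i = hits[0]
    m = _HRSCHEMA_LINE.match(lines[i])
    newline = "\n" if lines[i].endswith("\n") else ""
    new_line = f"{m.group(1)}{translated_schema_name};{newline}"
    lines[i] = new_line
    path.write_text("".join(lines), encoding="utf-8")
    return new_line.rstrip("\n")


def hr_schema_value(setlocs_path):
    """Return the current HRSchema value, or None if the line is missing."""
    for line in Path(setlocs_path).read_text(encoding="utf-8").splitlines():
        m = _HRSCHEMA_LINE.match(line)
        if m:
            return m.group(2)
    return None


def demo():
    """Run the edit against a constructed copy of setlocs.sas (not SAS's file)."""
    sample = (
        "/* constructed sample for this example, not the shipped setlocs.sas */\n"
        "%let HRSchema=HR-OLAP - OLAP Schema;\n"
        "%let HRLib=HRDM;\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "setlocs.sas"
        p.write_text(sample, encoding="utf-8")
        before = hr_schema_value(p)
        # The translated string below is a placeholder; paste the text copied
        # from the Olap Schema tab of SAS Management Console in its place.
        written = set_hr_schema(p, "HR-OLAP - OLAP-Schema (de)")
        after = hr_schema_value(p)
        return before, written, after


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the before and after values; in production, call set_hr_schema() with the real path under !SASROOT and keep a copy of the original file so the change can be backed out.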

Secure Your System

About Securing Your System

After you have verified that your system is functioning correctly, you need to take additional steps to secure it, including (but not necessarily limited to) the tasks that are described in this section. In addition to setting metadata access controls, you must protect the physical server(s) that make up the data-tier level (in other words, the servers where your MySQL database is located and where your SAS application servers are running). You also should protect the physical server(s) that make up the middle-tier level, where your J2EE server is running. In addition to the MySQL database, files on these servers might contain vital information such as encoded passwords.

Remove Unnecessary Default Metadata Identities

You should remove default metadata identities that are no longer needed. For security, you should remove the Solutions Installer from production environments after the installation and configuration are complete. (You might need to re-create this user identity if you need to install upgrades or hot fixes later.) You can also remove the SAS Demo User identity from production environments. For more information about the default metadata identities, see Table 4.1 on page 36 and Table 4.2 on page 37.

Configure Security Settings for Folders and Files (Windows)

Protect System Configuration Folders

By default, the configuration directory folders on a Windows machine do not have any special protections. It is important to secure some of these folders because they can contain information such as repository data sets and encoded passwords. The following table summarizes the recommended protections. It assumes that your SAS servers and spawners run as services under the Local System account, which is the recommended configuration.

Table 2.1 Recommended Operating System Protections on Windows

Folders* and Permissions

MetadataServer, OLAPServer[_domain], ObjectSpawner
  Grant Full Control to SYSTEM and Administrators, and remove all other users and groups.

BatchServer, SASEnvironment, Users, Utilities, WorkspaceServer
  Grant Full Control to SYSTEM, and grant Read permission to all SAS server users.

WorkspaceServer\logs
  If you enable logging for the workspace server and you use this default location for the logs, then all users of the workspace server should be granted Modify permission for this subdirectory.

StoredProcessServer, StoredProcessServer\logs
  Grant Full Control to SYSTEM, grant Full Control to SAS General Server User (sassrv), and remove all other users and groups.

SASEnvironment\SASCode\Jobs
SASSolutionsServices\SASCode\Jobs
SASSolutionsServices\SASCode\ETLMetadata
SASSolutionsServices\SASFormats
SASFinancialManagement\SASCode\Jobs
SASFinancialManagement\SASCode\ETLMetadata
SASHumanCapitalManagement\SASCode\Jobs
SASStrategicPerformanceManagement\SASCode\Jobs
  Grant Modify permission to all SAS server users.

query cache library for SAS Web Report Studio**
  Grant all SAS Web Report Studio users read, write, and execute permissions for the directory that holds the cache.
  Grant the SAS Web Administrator (saswbadm) full control of the cache directory.

* By default, these folders are located under SAS-config-dir\Lev1\SASMain\. To learn more about the configuration directory structure, see Chapter 12, “Configuration Files,” on page 121.

** During installation and configuration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specified for the puddle login definitions in your pool. To use the query cache, make sure each puddle login definition has access permissions (read and write) for the query cache library. If you have not configured pooling, then each requesting user’s individual (or shared) account will need read and write permissions for the library in order to access the tables. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the cache directory, so that files can be deleted automatically and the cache will not become too large. For more information, see “SAS Web Report Studio Administration” in the SAS Intelligence Platform: Web Application Administration Guide.

For additional information, see “Securing a Deployment” in the SAS Intelligence Platform: Security Administration Guide. This chapter describes setting folder permissions, securing your metadata repositories, encryption, and related topics. If you installed SAS Web Report Studio, see “SAS Web Report Studio Administration” in the SAS Intelligence Platform: Web Application Administration Guide. This chapter includes information about securing the folders that are used by SAS Web Report Studio, including folders that hold temporary files.

Protect Additional Folders and Files

In addition to securing the folders mentioned above, secure the following folders and files:

Table 2.2 Additional Recommended Operating System Protections

!SASROOT\nls\en\sasv9.cfg
  Grant Read and Execute permission to the SAS Server Users group.

SAS-config-dir\Lev1\Data and its subdirectories
  Grant Full Control to SAS General Server User (sassrv) and to SAS Administrator (sasadm).
  Grant Read/Write/Create permission to users who will run ETL or SAS jobs to update data in the warehouse. This includes the user that is specified in the jdbcconnection-userid of the web.xml file for sas.solutions.common.war.

MySQL-Install-Dir
  Grant Full Control to MySQL-Install-Dir only to SYSTEM and Administrators.

MySQL-Install-Dir\bin
  Grant Read and Execute permission to everyone.

Configure Security Settings for Folders and Files (UNIX)

Default Settings

For UNIX systems, the following table lists the default permissions for the directories, files, and scripts that are created in a planned installation. All files reside in the SAS-config-dir directory.

Table 2.3 Default Directory Permissions for UNIX

Server-specific directories, files, and scripts, except for the StoredProcessServer directory
  The sas user ID: Read, write, execute
  The sas user group: No access
  All users: No access

Lev1/SASMain/StoredProcessServer
  The sas user ID: Read, write, execute
  The sas user group: Read, write, execute
  All users: No access

Lev1/SASMain/Data
  The sas user ID: Read, write, execute
  The sas user group: Read, write, execute
  All users: Read, write, execute

All other Lev1 directories and files
  The sas user ID: Read, write, execute
  The sas user group: Read, execute
  All users: Read, execute

All other Lev1 scripts
  The sas user ID: Read, write, execute
  The sas user group: Read, execute
  All users: Read, execute

Additional Settings

After installation, change directory to SAS-config-dir and set the following additional permissions:

Note:

The -R flag is used to set permissions recursively.

14

Configure Security Settings for Folders and Files (UNIX) Chapter 2

Table 2.4 Additional Directory Permissions for UNIX

Directories/Files/Scripts

Permissions

Lev1/Data

permit full access for the sas user ID and the sas user group:

chmod -R 775 Lev1/Data

Lev1/SASMain

permit full access for the sas user ID and the sas user group:

chmod 775 Lev1/SASMain

Depending on the solutions that you have installed:

Lev1/SASMain/SASSolutionsServices/

SASCode/Jobs

Lev1/SASMain/SASSolutionsServices/

SASCode/ETLMetadata

Lev1/SASMain/SASSolutionsServices/

SASFormats

Lev1/SASMain/SASFinancialManagement/

SASCode/Jobs

Lev1/SASMain/SASFinancialManagement/

SASCode/ETLMetadata

Lev1/SASMain/

SASStrategicPerformanceManagement/

SASCode/Jobs

Lev1/SASMain/

SASHumanCapitalManagement/SASCode/

Jobs

permit full access for the sas user ID and the sas user group. For example:

chmod -R 775 Lev1/SASMain/ SASSolutionsServices/SASCode/Jobs

user-defined stored processes

If you have created any directories to hold stored processes that are created by users, set those directories’ permissions to allow full access for the sas user ID and the sas user group. For example:

chmod -R 770 Lev1/SASMain/ SASSolutionsServices/SASCode/ UserDefined

query cache library for SAS Web Report Studio*

Grant all SAS Web Report Studio users read and write permission for the query cache, unless workspace server pooling is enabled.

Grant the SAS Web Administrator (saswbadm) full control of the cache directory.

* During installation and configuration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specified for the puddle login definitions in your pool. To use the query cache, make sure each puddle login definition has read and write permissions for the query cache library. If you have not configured pooling, then each requesting user's individual (or shared) account needs read and write permissions for the library in order to access the tables. If workspace server pooling has not been configured, then the query cache is not automatically cleared. You might want to clear these files on a regular basis so that the cache does not grow too large. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the directory. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.
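When pooling is not configured and the cache is therefore never cleared automatically, a scheduled prune job is the usual answer. The script below is an added example, not code from the SAS guide or the SAS product. It assumes the cache is the default SAS-config-dir/Lev1/SASMain/Data/wrstemp path named in the footnote, that the job runs as saswbadm or another account that can delete other users' files in that directory, and that the age threshold in days is a site decision; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SAS guide: prune the SAS Web Report Studio query
# cache library, which the guide says is never cleared automatically when
# workspace server pooling is not configured.
# Assumptions: CACHE_DIR is the guide's default
#   SAS-config-dir/Lev1/SASMain/Data/wrstemp
# the job runs as saswbadm (or another account allowed to delete other users'
# files there), and the age threshold in days is a site decision.

set -eu

# list_stale CACHE_DIR DAYS
# Print regular files under CACHE_DIR not modified for more than DAYS days.
# Subdirectories and the library directory itself are never listed.
list_stale() {
  find "$1" -type f -mtime +"$2" -print
}

# prune_query_cache CACHE_DIR DAYS [dry-run]
# Validate the arguments, then delete the stale files (or only count them in
# dry-run mode). Prints the number of affected files on stdout; returns 2 on a
# refused or missing directory so a cron wrapper can alert on it.
prune_query_cache() {
  cache=$1; days=$2; mode=${3:-delete}

  # Never run a recursive delete against an empty or root path.
  case "$cache" in
    ""|/) echo "refusing to prune '$cache'" >&2; return 2 ;;
  esac
  if [ ! -d "$cache" ]; then
    echo "query cache directory not found: $cache" >&2
    return 2
  fi
  case "$days" in
    ""|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 2 ;;
  esac

  n=$(list_stale "$cache" "$days" | wc -l | tr -d ' ')
  if [ "$mode" != dry-run ] && [ "$n" -ne 0 ]; then
    # Same selection as list_stale, so what was counted is what is removed.
    find "$cache" -type f -mtime +"$days" -exec rm -f {} +
  fi
  echo "$n"
}

# Usage: sh prune_wrstemp.sh /opt/SAS-config-dir/Lev1/SASMain/Data/wrstemp 7 [dry-run]
if [ -n "${1:-}" ]; then
  removed=$(prune_query_cache "$1" "${2:-7}" "${3:-}")
  if [ "${3:-}" = dry-run ]; then
    echo "$removed stale query cache file(s) would be removed"
  else
    echo "$removed stale query cache file(s) removed"
  fi
fi
```

Run it with dry-run first to see what would be deleted, then schedule it from cron on the machine that hosts the cache. Choose an age longer than the longest report session a user can keep open, because a cached table removed while a report still references it produces a failed query rather than a slower one.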

If you want multiple users to be able to update the same data sets that are created by SAS Data Integration Studio, you might want to set the default umask that is applied to the data sets when they are created. For more information, see “Administering SAS Data Integration Studio” in SAS Intelligence Platform: Desktop Application Administration Guide (available at http://support.sas.com/

Secure the J2EE Server Configuration

1 Secure the J2EE server configuration and log files.

2 The installation process configures WebLogic to use the sas.weblogic.policy file. If you applied the sas.allpermissions.weblogic.policy file during the initial testing, you should reapply the sas.weblogic.policy file. For more information, see the instructions.html file that was generated by the SAS Configuration Wizard. That file is located in

SAS-config-dir\SASSolutionsConfig .

3 For information about the filter policy file and security configuration for WebSphere, see the instructions.html file that was generated by the SAS Configuration Wizard.

Secure Your WebDAV Installation

If you are using Xythos as your WebDAV server, the configuration process requires that all Users with Accounts have full permissions for Xythos content folders. After the configuration is complete, deny those permissions and add permissions for the SAS Trusted User. Follow the instructions in “Configuring Content Folder Permissions on the Xythos WebFile Server” on page 117 to secure the Xythos content folders for running the solutions. For more information about WebDAV, see Chapter 11, “WebDAV Server Administration,” on page 117.

Secure Data Transmissions (Optional)

For information about using encryption to protect data transmissions, see “Securing Data Exchanges between Server Components” on page 113.

Load Transformations and Jobs

As part of configuring your system, you must use SAS Data Integration Studio to load transformations, jobs, and error and exception table metadata that are required by the solutions.

Apply Hot Fixes

Before opening SAS Data Integration Studio, download and apply necessary hot fixes by following these steps:


1 Point your browser to http://ftp.sas.com/techsup/download/hotfix/dis34.html .

2 Download and install Hot Fix 34DATABLDR02.

3 Log on to the SAS Management Console as an administrator.

4 Select Tools ▶ Update Metadata for SAS Data Integration Studio.

Set Up a SAS Data Integration Studio User

Set up at least one SAS Data Integration Studio user for the solutions, as follows:

1 If necessary, create a user ID and password on the host system on which the jobs are being submitted. On Windows, SAS Data Integration Studio users must have the Log on as a batch job right. For more information, see “Grant Log on as a batch job Rights to Users (Windows)” on page 21.

2 In the folder’s security properties, grant Read/Write/Create permission to the user for the directory where the data warehouse resides (that is,

SAS-config-dir\Lev1\Data and its subdirectories).

3 In the SAS Management Console, create the user (if necessary), and add the user to the following groups and roles:

Solutions Users group

MYSQL Users group

Data Administrator role

Note: The user ID that is used to log on to SAS Data Integration Studio must not be the unrestricted user (sasadm). If you log on as the unrestricted user, then you will not be able to attach the libraries that are necessary to run SAS Data Integration Studio.

You will define additional SAS Data Integration Studio users later; see “Assign SAS Data Integration Studio Groups and Roles” on page 48.

Define a Batch Job Deployment Directory (Optional)

In SAS Data Integration Studio, when you deploy a job for scheduling, you must select a directory to hold the generated code. Your directory choices are set in the SAS Management Console, in the Schedule Manager. To define a batch job deployment directory:

1 Log on to the SAS Management Console as the administrative user (sasadm).

2 Right-click Schedule Manager and select Deployment Directories .

3 From the Application Server drop-down list, select the application server that will be used to deploy jobs.

4 Click New .

5 In the New Directories dialog, specify a name for the directory, and either type a directory name or click Browse to select a directory. For SAS Human Capital Management, we recommend that you create a subdirectory in the

SAS-config-dir\Lev1\SASMain\SASHumanCapitalManagement\SASCode

directory (such as SASCode\ScheduledJobs ). Grant it the same file permissions as the SASCode\Jobs directory. For more information about file permissions, see “Secure Your System” on page 10.

6 Click OK .


Import Transformations, Jobs, and Error and Exception Table Metadata

SAS Solutions Services is shipped with a comprehensive set of transformations and jobs that provide a framework for extracting, transforming, and loading enterprise data, as well as error and exception table metadata. You must import the following:

Detail Data Store repository error and exception table metadata. These are imported in a single SAS package file (DDS Error Tables.spk).

Detail Data Store repository transformations and jobs.

Solutions repository transformations and jobs. These transformations and jobs are imported in a single SAS package (Solutions_DIS_Jobs.spk).

If you installed SAS Financial Management: Finance repository transformations and jobs. As with the Solutions repository, these transformations and jobs are imported in a single SAS package (Finance_DIS_Jobs.spk).

If you installed SAS Human Capital Management: HR repository transformations and jobs.

If you are migrating data from SAS Strategic Performance Management 1.4, or if you want to be able to load numeric values into the SAS Strategic Performance Management database: Performance Management repository transformations and jobs.

For instructions, see the SAS Solutions Services: Data Administration Guide ( http://support.sas.com/documentation/solutions/admin ).

Restrict the Events That Data Administrators See (Optional)

You can set permissions on events so that Data Administrators see only DataChanged events. In SAS Data Integration Studio, Data Administrators see a list of events that can be sent to the portal. The only event that is appropriate in this context is the DataChanged event. Consequently, you want to deny Data Administrators permission to see all other events. To set metadata permissions on events, follow these steps:

1 Log on to the SAS Management Console.

2 Expand Foundation Services Manager ▶ Remote Services ▶ Event ▶ Event Broker Service.

You should see a list of all available events, similar to the image below:


3 For all events except SAS.Solutions.Data.DataChanged , perform the following steps:

a Right-click the event name and select Properties .

b Click the Authorization tab.

c Click the Add button, and add the Data Administrator role to Selected

Identities.

d Click OK .

e Deny all permissions to the Data Administrator. Ensure that the background for each of the check boxes is white, as shown in the image that follows. (If the check box has a non-white background, click the box again to clear the background.) This last step ensures that the permission is set directly on the item and that any future changes to its inherited permission set do not affect it.


Back Up the System

Back up the server content. This backup (referred to as the Default Backup ) contains the content of the system prior to any load of data. It can be used to restore the system to its default state (before any data was loaded). As part of good system administration practice, it is suggested that you make a complete backup of each machine in the configuration before proceeding. For information about backing up and restoring the server content, see the documentation for the Backup, Restoration, and Migration tool.

Verify Using Sample Data (Optional)

Sample data is provided to help you verify the correct operation of the system and to demonstrate system functionality. Follow these steps to verify the installation, or skip to “Create the Site’s Users and Groups” on page 21.

Load Sample Data

1 Back up the server content if the Default Backup was not created.

For instructions, see the documentation for the Backup, Restoration, and Migration tool.

2 Log on to the middle-tier server and load the sample data to be used for installation verification:


a At a command prompt, change directory to SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin .

b If this is a multi-machine configuration, start the Ant server. On Windows, use this command:

StartAntServer.bat

On UNIX, use this command:

./StartAntServer.sh

c Run the command to load the SAS Solutions Services sample data. On Windows:

SolutionsLoadSampleData.bat

On UNIX:

./SolutionsLoadSampleData.sh

d If you have installed SAS Human Capital Management, you can also load the HCM sample data.

i To load the sample data on Windows, run this command:

HCMLoadSampleData.bat

On UNIX:

./HCMLoadSampleData.sh

ii After loading the sample data, re-create the HCM cubes and information maps. For more information, see the SAS Solutions Services: Data Administration Guide .

3 Create any sample users and groups necessary for demonstration and verification purposes.

4 Synchronize users and groups by following these steps:

a Log on to the portal as a member of the Administrators group.

b Open the Document Manager and click the Browse tab.

c From the Repository drop-down list, select Solutions . To support different content types and dependencies, the Browse page displays documents and folders for one repository at a time. Your repository selection is remembered and applied the next time you open the Document Manager.

d Navigate to SAS Content ▶ Data Management ▶ Solutions Data Mart.

e Click the action menu beside the Import Users and Groups stored process and select Refresh .

5 Create any document folders necessary for demonstration and verification purposes.

6 Optionally, administer data-level security on the installation verification data for demonstration and verification purposes.

For instructions, see SAS Solutions Services: Data Administration Guide.

Verify the System

After you load the sample data, verify the operation of the system. The following steps are an example of verification:


1 Run the MailValidation utility to check that the e-mail interface was set up correctly.

For details, see “Validate the E-Mail Interface” on page 111.

2 Log on to the portal as sasdemo .

3 Add an instance of each portlet.

4 In the My Favorites portlet, add the Manage Documents task.

5 Select Manage Documents and import a document to the SAS Demo User folder.

6 Add a comment to the document.

Restore the System

When the installation has been verified, the system needs to be restored to its default state (before the sample data was loaded). For instructions, see the documentation for the Backup, Restoration, and Migration tool.

Create the Site’s Users and Groups

Overview

After you verify the installation and operation of the solutions, you can create and load production information. To load the production users, perform the tasks described in this section. You can use the SAS Management Console, or you can use the bulk-load process as described in “Bulk Loading Users and Groups” on page 49. As you expand the set of users and groups, you can repeat these tasks.

Grant Log on as a batch job Rights to Users (Windows)

If you are using host authentication on Windows systems, then all users must have the local Log on as a batch job right on machines that host SAS servers, including the SAS Metadata Server, workspace servers, the SAS Stored Process Server, the SAS OLAP Server, the SAS/CONNECT server, and the SAS/SHARE server.

Note: There is an exception: machines hosting pooled workspace servers (and no other SAS servers) do not need this right to be assigned.

The recommended way to grant this right is as follows:

1 Create a SAS Server Users group and add your users to that group.

Be sure to include the SAS General Server User (sassrv).

Note: This is an operating-system group, not a SAS metadata identity. It can be created as a network (global) group, or it can be created as a local group on each server machine.

2 On each server machine, assign the Log on as a batch job right to the SAS Server Users group.

These rights must be assigned locally. For more information about assigning local policy rights, see your computer’s online help.


Create Metadata Identities

Register users at the site and assign them to groups and roles. For instructions, see “Determining Group and Role Assignments” on page 40 and “Registering Users” on page 48. After you have registered the users, log on to the portal as an administrator and run Import Users and Groups to synchronize users, groups, and roles. For details, see “Synchronizing Users, Groups, and Roles” on page 49.

Note: The stored process server is configured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with his own login or via a group login. For more information, see “Default Groups” on page 38.

Run the UserGroupValidation Utility

The UserGroupValidation utility checks to make sure that all users belong to the Solutions Users group or to a subgroup, as required for logging on to the portal. For details, see “Validate Group Assignments” on page 109.

Configure Content

Overview

In terms of SAS Solutions Services, content is defined as any document, stored process, or viewable object. SAS Solutions Services provides a Web application, called the Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Manager’s tree view can also be shown in portlets. Content configuration tasks include creating the site’s content folder structure in the Document Manager, creating stored process reports, and configuring the Information Delivery Portal.

Assign a Content Administrator

It is recommended that you assign a user to administer portal content. This could be the user who is the system administrator for the site. You can assign a single user to administer all portal content, or you can assign different content administrators for different groups. These user identities must have logins that can be authenticated on the metadata server host. For instructions about assigning a content administrator, see “Assigning a Content Administrator” on page 81.

Create Content Folder Structure for the Site

In the Document Manager, create a set of shared folders that correspond to the group hierarchy you created for the site’s users. Assign security to these folders. For instructions, see these topics:


“Organizing Content” on page 52

“About Security Authorization for Content” on page 53

“Defining Security Authorization for Content” on page 55

Modify Permissions for Information Maps

If you have installed SAS Web Report Studio or SAS Web OLAP Viewer, you must modify the permissions for accessing information maps. For each repository that will be used to hold information maps:

1 Log on to the SAS Management Console as an administrator.

2 Open the repository that you want to modify.

3 In the navigation tree, select the folder that will hold information maps.

If you have installed SAS Web Report Studio, the typical location for its maps is BI Manager ▶ BIP Tree ▶ ReportStudio ▶ Maps.

Note: The first time that a user opens SAS Web Report Studio, the ReportStudio folder structure is created for that domain in the metadata repository and in the external content server (WebDAV).

4 Right-click the Maps folder and select Properties .

5 Click the Authorization tab.

6 Grant Solutions Users these permissions: Read and ReadMetadata.

You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly—that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.

Modify Permissions for OLAP Cubes

In order for users to access OLAP cubes in SAS Web Report Studio or SAS Web OLAP Viewer, they must have Read permission for the cubes (in addition to any information maps that are built on the cubes). To modify the permissions for accessing OLAP cubes:

1 Log on to the SAS Management Console as an administrator.

2 Open the repository that you want to modify.

3 Navigate to Authorization Manager ▶ Resource Management ▶ By Location ▶ OLAP server name ▶ OLAP server name – OLAP Schema.

4 Right-click OLAP server name – OLAP Schema and select Properties .

5 Click the Authorization tab.

6 Grant Solutions Users these permissions: Read and ReadMetadata.

You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly—that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.

You can also set permissions for an individual cube, a dimension, a hierarchy within a dimension, or a level within a dimension. For details, see the SAS OLAP Server:


Create Content for the Site

Create content for the site by importing content, creating stored process reports, and developing custom stored processes.

A number of stored processes are provided with the solutions. These stored processes are located in the SAS Content folders of the repositories that are used by those solutions. One way of creating content for the site is to create stored process reports that are customized for different groups. For instructions about creating site content, including stored process reports, see “Creating Site Content” on page 60.

Set Permissions to Refresh Stored Process Reports

If you have installed SAS Human Capital Management and want users to be able to refresh stored process reports, you must grant ReadMetadata permission to Solutions Users for the corresponding stored processes. For details, see “Enable Users to Refresh Stored Process Reports” on page 60.

Configure the Information Delivery Portal for the Site

Configuring the portal includes assigning default portal pages for users or groups, as described in “Applying the Solutions Users Page Templates” on page 83. You can also create custom page templates; for more information, search for “page templates” in the portal’s online Help. Users can customize their own portal pages. Some suggestions are in “Customizing the Portal” on page 84.

If you want to make available additional portlets of the SAS Information Delivery Portal, see “Accessing the Default Portlets of the SAS Information Delivery Portal” on page 91.

Load Production Data

You are now ready to load production data. Follow these steps:

1 Back up the server content.

For instructions, see the documentation for the Backup, Restoration, and Migration tool.

2 Load production data. The user and group information is retained in metadata. The content folder structure is maintained.

3 Apply data security to the production data.

For instructions about loading production data and applying data security, see SAS Solutions Services: Data Administration Guide ( http://support.sas.com/


Install the SAS Strategic Performance Management Migration Wizard (Optional)

If you are migrating data from an earlier release of SAS Strategic Performance Management, you should install and run the Migration Wizard. For instructions, refer to “SAS Strategic Performance Management Migration Wizard” on page 139.

Load Client Applications

After installing the servers, system administrators can install some client applications on the users’ systems. Alternatively, users can install these clients themselves. For descriptions of these applications and for installation instructions, see Chapter 14, “Client Installation and Configuration,” on page 135.

Configure the J2EE Application Server and Web Applications

After installation and configuration, you can make the following modifications to the J2EE application servers and to the deployed Web applications. The first few modifications are required under certain circumstances. The remaining modifications are optional.

Deploy themes to a Web server. If you are deploying your applications on WebSphere, you cannot deploy your themes to the same servers that are referencing the themes. You must deploy them to a separate WebSphere instance or to a Web server. For instructions, see “Move Themes to a Web Server” on page 75.

WebLogic only: Set the Frontend Host parameter for a WebLogic server. This can be particularly important if you are deploying SAS Web Report Studio and SAS Solutions Services on different managed servers.

WebLogic only: If you have installed SAS Human Capital Management, increase the heap size for the HR managed server. For instructions, see “Startup Scripts” on page 65.

Note: Do not make this modification for a single-machine installation.

WebLogic only: Install services to start the managed servers. See “Setting Up Managed Servers as Windows Services” on page 68.

WebSphere only: Suppress warning messages that occur as the result of data access from a thread that was spawned by an application event (optional). To suppress these warning messages, see “Suppress Warning Messages for Data Access” on page 73.

Modify timeout values for Web applications. The default timeout is 30 minutes. For instructions about changing this value, see “Set Session Timeout Values” on page 74.

Make the Winter theme available to portal users. See “Make the Winter Theme Available” on page 75.

Change the port number for an application server. For WebLogic managed servers, see “Changing the Port Number for a Managed Server” on page 69.

Configure ODCS clustering to improve performance. ODCS clustering is designed to reduce wait time by distributing query processing to additional machines. For more information, see “Using ODCS Clustering to Reduce Wait Time” on page 76.

For additional information about J2EE application administration, see Chapter 6, “J2EE Server Administration,” on page 63.

Maintain the System

Synchronize the Server Clocks

If you installed the solutions on more than one server, you should set up a job to synchronize clocks between servers. Otherwise there might be errors when you try to update data—for example, if the target server has a later date or time than the source. Typically, this job should run on a daily basis.

Restart Servers

If you are running SAS Human Capital Management on the BEA WebLogic application server: for best performance, we recommend that you restart the managed servers, as well as the SAS application servers, once a week.

Tune System Performance

The SAS Intelligence Platform: System Administration Guide, SAS Intelligence Platform: Web Application Administration Guide, and SAS Intelligence Platform: Application Server Administration Guide have several topics about performance tuning—for example, for SAS Web Report Studio, for SAS OLAP Server, for the metadata server, and for the workspace servers. These books are available at http://

For information about performance tuning for WebLogic or WebSphere, follow the recommendations in Chapter 6, “J2EE Server Administration,” on page 63.

Monitor and Maintain Your System

Maintaining your system is a complex set of tasks that cannot be fully described in this book. Here are some references to chapters in this book, as well as other sources of information:

“Using the Solutions Web Administration Application” on page 99

Describes the utilities that are available in the Solutions Web Administration Console.

“Using Command-Line Diagnostic Tools” on page 106

Describes the status, users, UserGroupValidation, StoredProcessValidation, and MailValidation diagnostic utilities.

Appendix 2, “Log Files,” on page 147

Describes useful log files, some of which might need regular rotation to prevent their becoming too large. For information about controlling the level of information that is logged, see “Configuring Log Files” on page 105.

Appendix 3, “Troubleshooting,” on page 151

Describes some common problems and possible courses of action. For information about generating a status report that can be sent to SAS Technical Support, see “Check System Status” on page 107. For information about port numbers, see Appendix 1, “Default Port Usage,” on page 143.

SAS Intelligence Platform: System Administration Guide and SAS Intelligence Platform: Application Server Administration Guide

Contain information about maintaining SAS servers, such as the SAS Metadata Server, the SAS Stored Process Server, and workspace servers. These books are

Check SAS Notes for Additional Information

We strongly recommend that you check the SAS Notes, available on the SAS Technical Support Web site, for additional information and support fixes. To find the available SAS Notes, go to http://support.sas.com/techsup/intro.html , click Advanced Search , and search for the phrase “solutions services”.

CHAPTER 3

Planning the Site’s Security

About Security 29

Authentication 29

Authorization 30

Server Security and Data Transmission 31

Auditing 32

About Security

SAS Solutions Services and the solutions that use SAS Solutions Services build on the SAS Intelligence Architecture security plan, as described below. You should be familiar with the “Security Administration” chapters of the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/

Authentication

Authentication is the process of verifying the identity of a person or process within the guidelines of a specific policy. Authentication is a prerequisite for authorization. An authentication provider is a technology that servers or applications can use to verify that users are who they say they are. An implementation of SAS Solutions Services and the solutions uses the authentication providers supported by the SAS Intelligence Platform:

By default, the authentication provider for a SAS server is the host operating system of the machine on which the server is running. When you request access to a SAS server that is using the default authentication process, the server asks its host environment to verify that your user ID and password correspond to a valid user account in the operating system. This method of verifying identities is called host authentication.

At many sites, the host authentication process makes use of LDAP or Active Directory as a back-end authentication mechanism.

SAS Web applications run on third-party servers that can use a variety of authentication providers. For more information, see the documentation for the third-party server on which your SAS Web applications run.

SAS Solutions Services and the various solutions applications (such as SAS Financial Management and SAS Strategic Performance Management) are deployed on standard J2EE application servers. These servers might also employ a variety of third-party authentication providers.


End-user client access to the solutions typically involves authentication to the applications deployed on the J2EE application server. By default, the applications are configured to pass user authentication on to the SAS Metadata Server.

For more information about authentication providers, see “Understanding Authentication” and “Customizing the Authentication Configuration” in the SAS Intelligence Platform: Security Administration Guide (available at http://

For information about the metadata identities that must be created for SAS Solutions Services, see Chapter 4, “Authentication and User Security,” on page 33.

Authorization

Authorization is the process of determining which users have which permissions for which resources. The outcome of the authorization process is an authorization decision that permits or denies a specific action on a specific resource, based on the requesting user’s identity and group memberships. It is important to understand how authorization works in the SAS Intelligence Platform and with SAS Solutions Services. Authorization enables you to perform the following activities:

manage access to resources across multiple authorization layers

define an effective, manageable set of access controls in the metadata authorization layer

The SAS Intelligence Platform uses an authorization facility to control user access to repositories and to specific metadata in those repositories. The authorization facility is a subsystem of the SAS Metadata Server that returns authorization decisions based on access controls that are in the metadata. To secure a metadata resource, you must create authorization metadata and associate it with your resource metadata. The authorization metadata defines who can do what to a given resource. The secured resources can be both metadata and the actual computing resources represented by the metadata. The SAS Metadata Server enforces ReadMetadata, WriteMetadata, and CheckinMetadata permissions on resources. The authorization facility also provides a mechanism by which client applications can request authorization decisions on other actions which include Create, Delete, Read, Write, and Administer permissions. Applications use the authorization facility to obtain a user’s authorization to perform an action defined by the application. In this way, it is the responsibility of the application to request and enforce authorization decisions. In order to effectively secure a site’s enterprise metadata, an administrator must understand these concepts:

the authorization facility

the default security provided by the metadata server

the way in which the authorization facility makes authorization decisions

the options that are available for securing metadata

In addition, the administrator needs to know the security requirements that SAS Solutions Services and related SAS applications might have that are enforced via metadata. In particular:

The SAS Intelligence Platform provides the ability to secure data such as tables and columns via metadata security. The authorization facility of the SAS Metadata Server evaluates and enforces specific metadata layer permissions. There are three basic types of access controls that you can use to set permissions in the metadata authorization layer, including:


direct access controls

inherited access controls

repository-level access controls

SAS Solutions Services installs a set of direct access controls to define permissions to the tables in the SAS Detailed Data Store and the SAS Solutions Data Mart. In addition, a site can further secure access to tables and other metadata objects using the Authorization Manager plug-in for SAS Management Console. For more information about setting those permissions, see the online Help for SAS Management Console.

In addition to data resources, a SAS Intelligence Platform deployment can include one or more custom trees that you can use to organize and manage access for certain resources. In SAS Solutions Services, Document Manager has a default folder, Documents, that serves as the root level of the site's content within a repository.

Below that folder are three additional default folders: SAS Content, Shared Documents, and Users. Within this content tree, each folder inherits the effective permissions of its parent folder. For more information about security for these folders, see "Organizing Content" on page 52.

The actions allowed on a particular metadata-defined content type are determined by the metadata authorization facility based on role assignments.

SAS Solutions Services provides two other authorization mechanisms that extend the authorization capabilities of the SAS Metadata Server:

For some forms of table access, row-level security is provided via information that is stored in a separate table in the Solutions Data Mart. Modifying this security information is a customization.

Application objects that are represented by data in the Solutions Data Mart are secured by means of an extended object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies).

This facility is shared by SAS Solutions Services and applications such as SAS Financial Management and SAS Strategic Performance Management. For detailed information about applying this object-based security, see the documentation for the solutions.

The ability of users to perform a particular action is determined not only by these metadata-based access controls, row-level security schemes, and application-level authorization, but also by external authorization mechanisms such as operating system permissions and database controls. In order to perform a particular action, a user must have the necessary permissions in all of the applicable authorization layers. For additional information about authorization in the SAS Intelligence Platform, see the SAS Intelligence Platform: Security Administration Guide.

Server Security and Data Transmission

The third major area of security deals with securing servers and encryption. Sending unsecured data exposes it to various risks. How do you protect data transmissions? The SAS Intelligence Architecture and SAS Solutions Services make it easy for you to distribute critical information to key decision-makers while ensuring that this critical information does not fall into the wrong hands. However, this distributed model often requires more than application-level authorization and data security. It is also important to consider how access to physical servers is configured.

In general, the solutions are designed for use inside a corporate firewall. Because much of the data deals with particularly sensitive information, an organization typically deploys a firewall at appropriate network gateways to protect the resources of its private network from users of other networks. This private network (or intranet) enables an enterprise to provide its workers with access to protected data resources.

As organizations distribute the business intelligence found in their data, there is an increased need to ensure the confidentiality of business transactions over a network and within an enterprise. SAS Solutions Services makes available a number of data security technologies from SAS and from third parties to further protect data and credentials (such as user IDs and passwords) that are exchanged in a networked environment. Fundamental to these technologies is the use of proven, industry-standard encryption algorithms for data protection. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. Although encryption increases the protection of data, it does not prevent unauthorized access to data. For more information about these security mechanisms, see Chapter 9, "Server Security and Encryption," on page 113.

Auditing

It is not enough to protect data resources and applications by prohibiting access by unauthorized users. A good security system must also provide a record that indicates who has accessed an application or resource and what operations he or she has performed during a given period of time. Such records are known as audit trails, and they are useful not just in maintaining security but also in identifying the process by which information is routed through the system. SAS Solutions Services provides several mechanisms for producing audit trails and user history, including a common user history mechanism in SAS Solutions Services that is used by the solutions (see "View an Audit Trail for a User" on page 103). The solutions have the capability to extend the auditing capabilities of SAS Solutions Services. For more information about those auditing capabilities, see the documentation for the solutions. In addition, SAS Solutions Services uses the auditing capabilities provided by SAS Data Integration Studio. For more information about these features, see the online Help for SAS Data Integration Studio.

CHAPTER 4

Authentication and User Security

Overview of Authentication and User Security 33
Group Membership—What Can I See? 34
About Groups 34
How Content Permissions Are Enforced 34
Role Membership—What Can I Do? 34
About Roles 34
Groups and Roles: An Example 34
How Roles Are Defined 35
How Role Permissions Are Enforced 36
Default Users and Groups 36
Default Users 36
Default Groups 38
Determining Group and Role Assignments 40
Overview of Group and Role Assignments 40
Assign a Solutions-Wide Group 40
Assign Custom Groups 41
Assign a Solutions-Wide Role 42
Assign SAS Strategic Performance Management Roles 42
Assign SAS Financial Management Roles 43
SAS Financial Management Studio 43
SAS Financial Management 44
Excel Reports 46
Stored Process Reports 46
Assign SAS Human Capital Management Roles 46
Assign SAS Web Report Studio Roles 47
Assign SAS Data Integration Studio Groups and Roles 48
Registering Users 48
About Registering Users 48
Bulk Loading Users and Groups 49
Synchronizing Users, Groups, and Roles 49
Synchronizing Data Tables 49
Creating Group Permission Trees for the Portal 50

Overview of Authentication and User Security

A metadata identity is created when you define an individual user or group in the User Manager plug-in to the SAS Management Console, or when you import user and group definitions from an enterprise source by using SAS bulk-load macros. The authorization facility uses identity metadata to define who is granted or denied permission to access a resource.


The SAS Intelligence Platform and SAS Solutions Services require a specific set of users that are created and configured during the deployment process. These users are described in the SAS Intelligence Platform: Security Administration Guide (available at

users of a solutions application, however, are typically the business users in a particular domain, such as finance. A site’s administrator must load all of the appropriate information for each user who requires access to the solutions application. This chapter describes the default metadata identities representing users, groups, and roles required by SAS Solutions Services, as well as the identities that need to be created on site. For background information about authentication and authorization, see “About Security” on page 29.

Group Membership—What Can I See?

About Groups

Grouping users is a way of simplifying the process of authorizing access to content. Typically, you create a folder structure on-site that best fits the site’s needs, and you assign permissions to read, write, delete, and administer that content. After you define a group of users, you can assign permissions to the group rather than to individual users. Default groups are configured in the installation processes of both the SAS Intelligence Platform and the solutions. These default groups are described in “Default Users and Groups” on page 36. On site, you create additional custom groups, and you assign users to the default and the custom groups, as described in “Determining Group and Role Assignments” on page 40 and “Registering Users” on page 48.

How Content Permissions Are Enforced

Content permissions are enforced by the metadata server. They can be assigned in the Document Manager or in the SAS Management Console. For instructions and an example, see “Defining Security Authorization for Content” on page 55. For more information about the way the metadata server enforces these permissions, see “Understanding Authorization” in the SAS Intelligence Platform: Security Administration Guide.

Role Membership—What Can I Do?

About Roles

In SAS Solutions Services, roles are predefined on the basis of functionality that the user can perform in each solution. It is important to understand the difference between groups and roles, and the privileges that each conveys. Simply put, your group membership determines which content you have access to, whereas your role assignments determine which actions you can perform with this content.

Note: Unlike groups, roles are not hierarchical; they do not inherit properties from other roles. Roles should be assigned to individual users, not to groups.

Groups and Roles: An Example

As an example, assume that you belong to a group called Travel, and you are assigned the Information Consumer role. The Travel group has permission to access the contents of a folder called Travel Dept, which is located under Shared Documents.


In the Document Manager, you can see the list of documents in the Travel Dept folder, because of the group permissions attached to that folder and its contents. However, you are an Information Consumer, which by default can view documents but cannot move them. When you open the action menu for a Web document, you see this list of available actions:


If you had been assigned the Analyst or System Administrator role instead, you would see an action menu that included the Move action, like this:


How Roles Are Defined

In the SAS Management Console, a role is defined as a special kind of group. If you open a role's properties, you will see a checkmark in the box that is labeled Make this group available as a Role for applications.

During the solutions installation process, a set of default roles is defined. The Solutions Role Administrator is a member of all roles, and the SAS Demo User is a member of several of the roles. In addition to the default mappings, you must add site-created users to some of these roles. For more information, see “Determining Group and Role Assignments” on page 40.

Note: Best practice suggests that roles not be added on-site unless they are for extensions that are added specifically for that site.


How Role Permissions Are Enforced

Permissions that are based on roles are enforced in two different ways:

The Document Manager enforces the permissions that are set in the metadata repository.

For each content type, such as WebDocument, ExcelReport, or StoredProcessReport, there is a defined set of actions, such as Move, AddtoPortlet, and Comment. Roles are granted permission to perform various actions based on content type. In “Groups and Roles: An Example” on page 34, the permissions are set on the Move action for the WebDocument content type.

If a user has one role that grants an action for a particular content type and another role that denies the same action, then the least restrictive permission applies.

If a user is directly granted or denied permission to perform an action, then the user’s grant or denial applies, regardless of any roles the user might belong to.

In the solutions, roles are enforced by the application. Each application determines the functionality that is permitted to various roles.

It is not possible to modify role permissions in applications.
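The two Document Manager rules above (a direct user grant or denial wins; otherwise the least restrictive role permission applies) can be modelled as a small decision function. This is an added example, not SAS code: the role-to-action table, the user names, and the Delete action are constructed for illustration; the real action sets for each content type live in the metadata repository.

```python
"""Resolve Document Manager actions from roles, following the two enforcement
rules in the chapter. Added example with constructed data, not SAS code."""
from dataclasses import dataclass, field

# Constructed: role -> {(content type, action): True = grant, False = deny}.
# An action a role does not mention is simply not granted by that role.
ROLE_PERMISSIONS = {
    "Information Consumer": {
        ("WebDocument", "View"): True,
        ("WebDocument", "AddtoPortlet"): True,
        ("WebDocument", "Move"): False,
    },
    "Analyst": {
        ("WebDocument", "View"): True,
        ("WebDocument", "AddtoPortlet"): True,
        ("WebDocument", "Comment"): True,
        ("WebDocument", "Move"): True,
    },
    "System Administrator": {
        ("WebDocument", "View"): True,
        ("WebDocument", "AddtoPortlet"): True,
        ("WebDocument", "Comment"): True,
        ("WebDocument", "Move"): True,
        ("WebDocument", "Delete"): True,  # constructed action
    },
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Permissions granted or denied directly to this user:
    # (content type, action) -> True (grant) / False (deny)
    direct: dict = field(default_factory=dict)


def resolve_action(user, content_type, action):
    """Return (allowed, reason) for one action on one content type."""
    key = (content_type, action)
    # Rule 1: a direct user grant or denial applies regardless of roles.
    if key in user.direct:
        return user.direct[key], "direct user permission"
    # Rule 2: across the user's roles the least restrictive permission
    # applies, so one granting role outweighs any number of denying roles.
    verdicts = [ROLE_PERMISSIONS.get(role, {}).get(key) for role in user.roles]
    verdicts = [v for v in verdicts if v is not None]
    if not verdicts:
        return False, "no role addresses this action"
    return any(verdicts), "least restrictive role permission"


def action_menu(user, content_type):
    """Actions the user would see in the action menu for this content type."""
    actions = {a for perms in ROLE_PERMISSIONS.values()
               for (ct, a) in perms if ct == content_type}
    actions |= {a for (ct, a) in user.direct if ct == content_type}
    return sorted(a for a in actions if resolve_action(user, content_type, a)[0])


if __name__ == "__main__":
    # Reproduces the Travel example: the consumer sees no Move action,
    # the Analyst does, and a user holding both roles inherits the grant.
    for u in (User("consumer", {"Information Consumer"}),
              User("analyst", {"Analyst"}),
              User("both", {"Information Consumer", "Analyst"})):
        print(u.name, action_menu(u, "WebDocument"))
```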

Default Users and Groups

Default Users

During installation of the SAS Intelligence Platform, several users are created in the metadata, as shown in the following table.

Table 4.1 Default Users That Are Created during SAS Intelligence Platform Installation

Metadata Identity | Login User ID* | Default Password | Default Authentication Domain
SAS Administrator | domain\sasadm | AdminAdmin1 | see note below
SAS Trusted User** | domain\sastrust | UserUser1 | see note below
SAS Guest | domain\sasguest | UserUser1 | DefaultAuth
SAS Demo User | domain\sasdemo | DemoDemo1 | DefaultAuth
SAS Web Administrator | domain\saswbadm or saswbadm | AdminAdmin1 | DefaultAuth

Note (sasadm and sastrust): If you use Xythos as your WebDAV server, the authentication domain for sasadm and sastrust should be the same domain as the WebDAV server.

* the user ID in the login should be fully qualified with a host or domain name—for example, myhostname\sassrv. That is the pattern shown in this table.

** The user that is specified as the metadata user in sas.solutions.services.ear/sas.solutions.common.war/WEB-INF/web.xml must have read and write access to all areas of the metadata server. By default, this user is the SAS Trusted User.

The solutions installation creates additional users. The following table lists those metadata identities and associated information:

Table 4.2 Default Users That Are Created during SAS Solutions Services Installation

Metadata Identity | Login User ID | Default Password | Default Authentication Domain | Notes
Solutions Installer | domain\slninstl | AdminAdmin1 | DefaultAuth | The slninstl user account must exist on the data-tier machine and must belong to the machine's Administrators group and SAS Server Users group.
Solutions Role Administrator* | domain\slnadm | AdminAdmin1 | DefaultAuth | The slnadm user account must exist on the machine where the metadata server is located, and must be a member of the machine's SAS Server Users group. This identity should not be used to log on to the portal.

* The Solutions Role Administrator is a system user that should always be a member of all roles that are created by the solutions. It is used for cases in which a user must perform a query as a part of a larger process, but the query requires a role that the user does not generally need. Rather than requiring that the user be assigned that role, the application recognizes the Solutions Role Administrator as a user with the proper role in order to successfully complete the process.

Note: There are three special user identities that are cached when the J2EE application server is started: SAS Trusted User, SAS Administrator, and Solutions Role Administrator. Changes to these users in the SAS Management Console do not take effect until the J2EE application server is restarted. Other user identities are loaded from the metadata repository when the user logs on to the portal.

The SAS Intelligence Platform describes a small set of required users. Typically, there are many solutions users. For more information, see “Determining Group and Role Assignments” on page 40.


Default Groups

The SAS Intelligence Platform configuration creates several default groups in the metadata:

SAS System Services

SAS General Servers

Portal Admins

Portal Demos

In addition, there are two implicit groups: SASUSERS (which includes all users who have a metadata identity) and PUBLIC (which includes all users who can access the metadata server). For more information about these groups, see "Standard Group Metadata Identities" in the SAS Intelligence Platform: Security Administration Guide.

The following table lists these group metadata identities, their logins, and default members.

Table 4.3 Groups That Are Created during SAS Intelligence Platform Configuration

Group | Login User ID | Default Password | Default Authentication Domain | Default Members
SAS System Services | | | | SAS Trusted User*, SAS Web Administrator
SAS General Servers** | domain\sassrv | UserUser1 | DefaultAuth | SAS Trusted User
Portal Admins | | | | SAS Web Administrator, SAS Trusted User*
Portal Demos | | | | SAS Demo User

* The SAS Trusted User identity should not be used to log on to the portal.

** There is no metadata identity for the SAS General Server user (sassrv). It is the account used by the object spawner to launch stored process servers and requires Log on as a batch job rights.

The solutions installation configures an additional set of groups:

Solutions Users is the base group for all solutions users.

Administrators is a subgroup of Solutions Users.

The MYSQL Users group is used to grant access to users who run stored processes and ETL processes that reference MYSQL tables.

The following table lists these group metadata identities, their logins, and default members. In addition to the default mapping, you must add site-created users to some of the solutions groups. For more information, see “Assign a Solutions-Wide Group” on page 40.


Table 4.4 Groups That Are Created during SAS Solutions Services Installation

Group | Login User ID | Password | Authentication Domain | Default Members / Notes
Administrators | | | | SAS Trusted User, Solutions Installer
Solutions Users | domain\sasspusr | UserUser1 | SpAuth | Administrators group, SAS Demo User, Solutions Role Administrator
MYSQL Users | sqladmin | AdminAdmin1 | MysqlAuth | SAS Demo User, Solutions Installer, SAS General Servers
HR | | | | Members of this group have "superuser" access to HCM tables. There are no default members.
Finance | | | | These are example groups. They have no default permissions assigned.
SPM Users | | | | These are example groups. They have no default permissions assigned.

There is no metadata identity for sasspusr (the SAS Stored Process user). It is the account used to authenticate to the stored process server. This user exists on the stored process physical server and requires Log on as a batch job user rights; this user should have no access to data. With SAS Solutions Services, the stored process server is configured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with the user’s own login or via a group login. If you are installing other applications in addition to the solutions, and you do not want the users of those applications to be members of the Solutions Users group, you can create a similar group and stored process user. Follow these instructions:

1 On the stored process physical server, create a user (for example, sasspusr2). This user should have no access to data.

2 If this is a Windows installation, grant this user the Log on as a batch job right.

3 Log on to SAS Management Console as the administrative user (sasadm).

4 In the User Manager, create a group (for example, Stored Process Users).

5 On the Logins tab for this group, add a login for sasspusr2. Enter the user name and password that you created in Step 1. For the authentication domain, select SPAuth.

6 Add your users to the Stored Process Users group.

Alternatively, you can give each user a login on the stored process physical server. Follow the same criteria as for the group login. Then add the login to the user’s properties in SAS Management Console.


Determining Group and Role Assignments

Overview of Group and Role Assignments

At each site, the system administrator creates metadata identities (user IDs) for each end user, defines the user’s authentication login, and assigns the user to the appropriate groups and roles. As a part of the planning process, you must determine the following information:

the authentication mechanisms to be used. Each solutions user is required to have a login to verify that he or she is authenticated. For the most current information regarding these mechanisms, see “Understanding Authentication” in the SAS Intelligence Platform: Security

the set of users, groups, and roles, and the mapping between them.

Assigning groups and roles consists of these tasks:

1 Assign each user to a solutions-wide group.

2 Create custom groups for the site, and then assign users to those groups.

3 Assign each user to a solutions-wide role for Document Manager access.

4 Assign each user to one or more domain roles—for example, roles for SAS Financial Management or roles for SAS Human Capital Management.

5 Optionally, assign SAS Web Report Studio roles.

6 Optionally, create additional SAS Data Integration Studio users by assigning the necessary groups and roles.

Each of these tasks is described in the remainder of this chapter.

Note: Some roles appear in more than one place; for example, the Analyst role applies to the Document Manager and to each of the solutions. This is the same role, but the functionality it confers depends on the application that is being used.

Assign a Solutions-Wide Group

Assign each user to one, and only one, of the groups that are described in the following table:

Table 4.5 Solutions-Wide Groups


Group

Description

Solutions Users

The base group for all solutions users. Members of this group are able to access the Document Manager, are configured to run solutions stored processes, and have default portal customization capabilities.

Any user who will log on to the portal to run solutions applications must belong to the Solutions Users group or to a subgroup of Solutions Users.

Administrators

A subgroup of Solutions Users. In the Document Manager, the SAS Content folder in each repository is accessible to Administrators. This folder contains standard reports and stored processes that are provided with the solutions. Administrators can also open the Solutions Web Administration application.

In SAS Financial Management, members of the Administrators group have special "superuser" privileges that enable full access to SAS Financial Management objects (cycles, result models, and composite results). Permissions on these objects are ignored for users in the Administrators group. (These special privileges apply only to these objects, not to cell data. There is no superuser for data-level security in SAS Financial Management.) For details, see the online Help for SAS Financial Management Studio.

Do not assign users to both the Administrators group and the Solutions Users group.

Assign Custom Groups

Assign users to one or more custom groups, as appropriate for the site's needs. If your custom groups are subgroups of Solutions Users, then you should not also assign those group members to Solutions Users. A common approach to defining groups for use in managing document security is to define a single hierarchy that is derived from Solutions Users and that matches the content structure (see "Organizing Content" on page 52). Examples include groups made up of departments or projects. Add users to the lowest-level group of which they are members. For example, assume you defined an organizationally based group hierarchy that looked like this:

Finance Division
    Finance Planning Dept

You would then add John Doe, a member of the Finance Planning Department, to the Finance Planning Dept group. For an example of restricting access to content based on group membership, see “Defining Security Authorization for Content” on page 55.

Note: In addition to the basic security that is applied to managing documents, specific security is applied to details within the SAS Financial Management data models. For more information, consult the SAS Financial Management documentation.

The installation includes two examples of custom groups: Finance and SPM Users. These groups have no default permissions assigned. You are free to use these groups or to create others. On the other hand, members of the HR group have "superuser" access to HCM tables, regardless of the hierarchical filters that are applied to those tables. As a customization it is possible to restrict access to individual members of the HR group, by means of a user filter.
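The membership rules from "Assign a Solutions-Wide Group" and "Assign Custom Groups" (every portal user resolves to Solutions Users; nobody is in both Administrators and Solutions Users; users go into the lowest-level group only) can be checked before bulk-loading. This is an added example, not SAS code: the group tree and the user memberships are constructed from the Finance Division example in the text, with Finance left as a parentless example group.

```python
"""Check site group assignments against the chapter's rules.
Added example with constructed data, not SAS code."""

# Constructed: child group -> parent group. Administrators is a subgroup of
# Solutions Users (Table 4.5); the Finance branch mirrors the text's example.
# "Finance" and "SPM Users" are example groups with no parent here.
GROUP_PARENT = {
    "Administrators": "Solutions Users",
    "Finance Division": "Solutions Users",
    "Finance Planning Dept": "Finance Division",
}


def ancestors(group):
    """All groups above `group` in the tree, nearest parent first."""
    chain, seen = [], set()
    while group in GROUP_PARENT and group not in seen:
        seen.add(group)          # guards against a cyclic tree
        group = GROUP_PARENT[group]
        chain.append(group)
    return chain


def effective_groups(direct):
    """Direct memberships plus everything inherited up the tree."""
    result = set(direct)
    for g in direct:
        result.update(ancestors(g))
    return result


def check_user(name, direct):
    """Return a list of findings for one user's direct group memberships."""
    direct = set(direct)
    findings = []
    # Rule: a portal user must belong to Solutions Users or one of its subgroups.
    if "Solutions Users" not in effective_groups(direct):
        findings.append(f"{name}: not under Solutions Users; cannot run the solutions in the portal")
    # Rule: add the user to the lowest-level group only. Being in both
    # Administrators and Solutions Users is the special case the text calls out.
    for g in sorted(direct):
        for anc in ancestors(g):
            if anc in direct:
                findings.append(f"{name}: member of {g} and its ancestor {anc}; keep only {g}")
    return findings


def check_site(memberships):
    """memberships: user -> set of direct groups. Returns only users with findings."""
    report = {}
    for name, groups in sorted(memberships.items()):
        findings = check_user(name, groups)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed site: only John Doe follows the rules.
    site = {
        "John Doe": {"Finance Planning Dept"},
        "Ann": {"Finance Planning Dept", "Solutions Users"},
        "Bob": {"Administrators", "Solutions Users"},
        "Cy": {"Finance"},
    }
    for user, findings in check_site(site).items():
        print("\n".join(findings))
```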

Assign a Solutions-Wide Role

The roles assigned to solutions users determine the users’ authorization level and the functionality that they are able to perform. Remember to assign users (not groups) to roles. Assign each user to one role from the following table, to control the actions users can perform in the Document Manager.

Table 4.6 Solutions-Wide Roles

Role

Document Manager Privileges

Information Consumer

Users with this role have read access to content. They cannot create or move content.

Analyst

Users with the Analyst role have the ability to view, edit, and move authorized content.

System Administrator

Users with this role have full access to all functionality within the Document Manager.

(Do not confuse this role with the Administrators group.)

Assign SAS Strategic Performance Management Roles

1 For each SAS Strategic Performance Management user or KPI Viewer user, select one role from the following table. Roles are listed in increasing levels of functionality.


Table 4.7 SAS Strategic Performance Management Roles


Role

Description

Scorecard Data Entry

A user who enters data into forms for scorecards.

Users with this role can access only the tables in projects and scorecards that they are authorized to view. They use these tables to manage and use data entry forms.

Analyst

A user who analyzes and creates reports, views scorecard information, and performs other similar tasks.

Analysts can view tables, aggregate tables, dashboards, diagrams, associations, and ranges. They can edit column selections and set personal thresholds and formats, as well as access and customize historical trend charts. In addition, SPM Analysts can manage and use data entry forms. Unlike Scorecard Modelers, Analysts cannot create scorecard projects.

Scorecard Modeler

A modeler who implements the performance management strategy at a site.

Users with this role can create scorecard projects and can fully manage the content of templates, projects, and scorecards that they are authorized to view, edit, and delete.

2 Optionally, assign users to the Dimension Modeler role.

Table 4.8 Dimension Modeler Role

Role

Description

Dimension Modeler

Users with the Dimension Modeler role are able to use the SAS Dimension Editor.

Assign SAS Financial Management Roles

SAS Financial Management Studio

1 For users who will work in SAS Financial Management Studio, select one of the roles in the following table:


Table 4.9 SAS Financial Management Studio Roles

Role

Description

Finance Adjuster

A financial specialist who performs manual adjustments and creates or edits adjustment rules.

Users with this role have the following privileges:

all features of the Models workspace except for creating and editing unbalanced manual adjustments

read access to the Dimensions, Cycles, Rates, and Forms workspaces

Finance Process Administrator

An administrator who configures SAS Financial Management, creates cycles, rates, and formsets, manages data security, exports measures, and performs other administration tasks.

Users with this role can use all the features of SAS Financial Management Studio.

2 Optionally, select the Dimension Modeler role that is described in the following table:

Table 4.10 Dimension Modeler Role in SAS Financial Management Studio

Role

Description

Dimension Modeler

Finance Adjusters with the Dimension Modeler role have access to all features of the Dimensions workspace. (Without the Dimension Modeler role, Finance Adjusters have read-only access to this workspace.)

SAS Financial Management

For each user who will perform SAS Financial Management tasks in the portal, select one or more roles from the following table:


Table 4.11 SAS Financial Management Roles in the Portal


Role

Description

Form Submitter

A data entry person who submits budgets or other forms for approval.

Users with this role can enter data in forms. They have access only to the forms that they have some responsibility for.

In a top-down workflow, all users need this role so that they can edit a form, if necessary, and push it to the next level.

In a bottom-up workflow, all users who might edit forms need this role.

Form Approver

A user who approves forms and sends them to the next stage in the approval process.

Users with this role can approve forms that they have some responsibility for.

This role is not needed for top-down workflows.

In a bottom-up workflow, all users who need to approve forms need this role.

Finance Process Administrator

An administrator who performs tasks such as freeing a form that is stuck in the workflow process.

Users with this role can enter data in forms and can approve forms. They have access to all currently active forms.

The need for these roles depends in part on the workflow that the users will be participating in. In a top-down workflow, data is entered at the highest level of the hierarchy and pushed down to lower levels. In a bottom-up workflow, data is entered at the lowest level of the hierarchy (in the leaf forms) and submitted for approval to the next higher level in roll-up forms. For more information about workflow, see the SAS Financial Management User's Guide (available at http://support.sas.com/

Notice that bottom-up workflows often require users to have both the Form Approver role and the Form Submitter role. If a user is assigned as the author for a roll-up form, then that user must have the Form Submitter role in order to submit the form to the next-level approver. If that user is also responsible for approving all leaf forms below that form, then the user must also have the Form Approver role, as shown in this example:

WW: Author=Fred (Form Submitter role, Form Approver role)

USA: Author=Mary (Form Submitter role), Approver=Fred

Europe: Author=Jean (Form Submitter role), Approver=Fred

However, it is possible to design a workflow in which some users are only approvers, while other users are only form submitters. In this example, one user is assigned to roll up a form, while a different user approves leaf forms:

WW: Author=Fred (Form Submitter role)

USA: Author=Mary (Form Submitter role), Approver=Carl (Form Approver role)

Europe: Author=Jean (Form Submitter role), Approver=Carl

Note: In order for a user to receive alerts for forms that need attention, the user must be directly assigned to the Form Submitter or Form Approver role. Only individual users—not groups—should be assigned to roles.
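The two hierarchies above, as an added example that is not part of the original guide: a small Python model that derives the Form Submitter and Form Approver roles each user needs from the author and approver assignments of a bottom-up workflow, then audits the roles actually assigned for both missing roles (the workflow would stall) and surplus roles (more privilege than the workflow needs). The Form class, the role-name constants and the form hierarchies are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FORM_SUBMITTER = "Form Submitter"
FORM_APPROVER = "Form Approver"


@dataclass
class Form:
    """One form in a bottom-up workflow hierarchy (constructed model)."""
    name: str
    author: str
    approver: Optional[str] = None          # None for the top-level roll-up form
    children: List["Form"] = field(default_factory=list)


def required_roles(root: Form) -> Dict[str, Set[str]]:
    """Walk the hierarchy: every author needs Form Submitter to push the
    form to the next level, every approver needs Form Approver."""
    needed: Dict[str, Set[str]] = {}
    stack = [root]
    while stack:
        form = stack.pop()
        needed.setdefault(form.author, set()).add(FORM_SUBMITTER)
        if form.approver:
            needed.setdefault(form.approver, set()).add(FORM_APPROVER)
        stack.extend(form.children)
    return needed


def audit_roles(root: Form, assigned: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Compare required roles with assigned roles. A missing role blocks the
    workflow; a surplus workflow role is more privilege than the user needs."""
    findings: Dict[str, List[str]] = {}
    needed = required_roles(root)
    for user in sorted(set(needed) | set(assigned)):
        have, want = assigned.get(user, set()), needed.get(user, set())
        for role in sorted(want - have):
            findings.setdefault(user, []).append(f"missing {role}")
        for role in sorted((have - want) & {FORM_SUBMITTER, FORM_APPROVER}):
            findings.setdefault(user, []).append(f"surplus {role}")
    return findings


# Constructed hierarchy matching the first example: Fred rolls up WW and
# approves both leaf forms, so Fred needs both roles.
WW = Form("WW", author="Fred", children=[
    Form("USA", author="Mary", approver="Fred"),
    Form("Europe", author="Jean", approver="Fred"),
])

if __name__ == "__main__":
    print(required_roles(WW))
    print(audit_roles(WW, {"Fred": {FORM_SUBMITTER}, "Mary": {FORM_SUBMITTER}}))
```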


Excel Reports

If the SAS Financial Management Add-in for Microsoft Excel is installed, then users with the appropriate permissions are able to view and create reports. The default role permissions are as follows:

Table 4.12 Roles for Excel Reports

Role: Information Consumer

Description: Users with the Information Consumer role can view Excel reports, by opening those reports from the portal or opening them directly in Microsoft Excel. They can edit an existing report—for example, to format the data—and share a report. However, they cannot create new reports.

Role: Analyst, Form Submitter, Form Approver, or Finance Process Administrator

Description: Users with any of these roles can both view and create financial reports in Microsoft Excel, whether they open a report from the portal or directly in Excel. Unlike Information Consumers, they can insert documents, read-only tables, and CDA tables.

Stored Process Reports

The default role permissions do not restrict the refreshing and viewing of stored process reports in the portal. To restrict access to stored processes and stored process reports, it is recommended that you use group and user folder permissions. For example, you might create one set of stored process reports for managers and a smaller set of reports for individual users. The managers’ reports might expose a full set of parameters, to give managers greater flexibility in creating reports, while the individual users’ reports might expose a more limited set of parameters. You would store these reports in separate folders and apply permissions accordingly. For more information, see Chapter 5, “Content Administration,” on page 51.

Assign SAS Human Capital Management Roles

For each user who will perform SAS Human Capital Management tasks, select one role from the following table:

Table 4.13 SAS Human Capital Management Roles

Role: HCM User

Description: A user who views employee, organizational, and geographic data, and who creates presentations and reports. Users with the HCM User role have these capabilities:

Employee Browser: all functions, including the ability to view employee detail (profile view), to search for employees, and to edit the category list

Organizational Analysis: open and print organizational charts; launch a linked scorecard; create a presentation view

Geographic Analysis: open a geographic analysis document and drill down into the content; print a map or employee list

Role: Analyst

Description: An HR analyst who creates organizational and geographic analyses. Users with the Analyst role have these capabilities:

Employee Browser: all functions (same as the HCM User role)

Organizational Analysis: in addition to the HCM User privileges, these users can add and remove measures, create new organizational charts, and modify the organizational structure or organizational analysis

Geographic Analysis: in addition to the HCM User privileges, these users can create a geographic analysis document

Role: HCM Administrator

Description: An administrator who configures SAS Human Capital Management and manages data security. Users with the HCM Administrator role have full access to all functionality within SAS Human Capital Management. In addition to the capabilities described for Analysts, they can perform HCM configuration, including configuring data, organizational analysts, categories, and the employee browser.

Assign SAS Web Report Studio Roles

There are three roles that apply to authoring or viewing reports in SAS Web Report Studio. Each role (as listed in the following table) is a superset of the previous role. By default, these roles are not assigned, and as a result all users have implicit membership in all three roles. If you want to restrict SAS Web Report Studio functionality to certain users, then you should assign the roles accordingly. After you have assigned a role to a user, then that role and its superset(s) have no implicit members. Select one of the following roles:

Table 4.14 SAS Web Report Studio Roles

Role: WRS Report Consumer

Description: Users who have this role can view reports and manipulate report data in the View Report view. Users can copy, move, save, rename, or delete reports. Users cannot create new reports.

Role: WRS Report Author

Description: In addition to the abilities assigned to WRS Report Consumers, users who have this role can create reports with the report builder or report wizard. Users can also schedule reports.

Role: WRS Advanced User

Description: In addition to the abilities assigned to WRS Report Authors, users who have this role can distribute reports. Users cannot create or delete recipient lists that are used for report distribution.

There is one additional role, WRS Administrator, that provides full access to SAS Web Report Studio functionality. However, adding a member to the WRS Administrator role does not affect implicit membership in the other three roles. For more information about these roles, see “SAS Web Report Studio Administration” in the SAS Intelligence Platform: Web Application Administration Guide (available at
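The implicit-membership rule described above is easy to misjudge when deciding who can still author or distribute reports, so here is an added example (not part of the original guide) that models it in Python: with no explicit members, everyone holds all three chain roles; assigning anyone to a role removes implicit membership from that role and its supersets; an explicitly assigned user also has every lower role in the chain; and WRS Administrator assignments leave implicit membership unchanged. The function name, the assignment map and the user names are constructed for this example.

```python
from typing import Dict, Set

# Chain in order; each role is a superset of the one before it.
WRS_CHAIN = ["WRS Report Consumer", "WRS Report Author", "WRS Advanced User"]
WRS_ADMIN = "WRS Administrator"


def effective_wrs_roles(user: str, assignments: Dict[str, Set[str]]) -> Set[str]:
    """Return the chain roles whose abilities `user` effectively holds.

    `assignments` maps a role name to the set of users explicitly assigned
    to it (constructed input; in a real deployment this comes from metadata).
    """
    # Lowest chain role that has at least one explicit member: from that
    # role upward, implicit membership no longer exists.
    explicit_from = len(WRS_CHAIN)
    for i, role in enumerate(WRS_CHAIN):
        if assignments.get(role):
            explicit_from = i
            break

    # Highest chain role explicitly given to this user, if any.
    highest = -1
    for i, role in enumerate(WRS_CHAIN):
        if user in assignments.get(role, set()):
            highest = i

    effective: Set[str] = set()
    for i, role in enumerate(WRS_CHAIN):
        # Still implicit for everyone, or covered by an explicit assignment
        # to this role or to one of its supersets.
        if i < explicit_from or i <= highest:
            effective.add(role)

    if user in assignments.get(WRS_ADMIN, set()):
        effective.update(WRS_CHAIN)   # administrator: full functionality
    return effective


if __name__ == "__main__":
    # Constructed scenario: only alice is assigned, as a WRS Report Author.
    example = {"WRS Report Author": {"alice"}}
    print("alice:", sorted(effective_wrs_roles("alice", example)))
    print("bob:  ", sorted(effective_wrs_roles("bob", example)))
```

Before restricting a role, run the function over the users who must keep reporting abilities to confirm nobody is unintentionally locked out of the report builder or report distribution.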

Assign SAS Data Integration Studio Groups and Roles

During the configuration process, you created a SAS Data Integration Studio user (see Chapter 2, “Planning, Installing, and Configuring SAS Solutions Services and the Solutions,” on page 7). These users run ETL jobs, submit data, and perform other ETL-related tasks for the solutions. You might want to define additional SAS Data Integration Studio users for the solutions. These users must belong to the groups and roles that are described in the following table:

Table 4.15 SAS Data Integration Studio Groups and Roles

Group or Role: Solutions Users group

Description: Required only if the user will be logging on to the portal and viewing solutions content.

Group or Role: MYSQL Users group

Description: Required for all SAS Data Integration Studio users, in order to run jobs that access the MySQL database.

Group or Role: Data Administrator role

Description: Required for all SAS Data Integration Studio users. Users with this role receive information about ETL job status. For more information, see “Restrict the Events That Data Administrators See (Optional)” on page 17.

Registering Users

About Registering Users

After you determine the authentication mechanisms and the group and role assignments, you can register users in the metadata repository. The system administrator can use the SAS Management Console to create the users interactively. There is also a mechanism for bulk loading a large set of users and groups (see “Bulk Loading Users and Groups” on page 49). When you define each user, be sure to include the user’s login information, group and role membership as described in “Determining Group and Role Assignments” on page 40, and e-mail address. E-mail notifications are often sent to users. Be sure to define an e-mail address for every user as you create the user’s metadata identity. This is a requirement for the successful processing of some functions.

Bulk Loading Users and Groups

During rollout of solutions, large sets of users are typically added. These sets of users can come from other authentication systems or from currently existing products. The bulk-load process is used to create many metadata identities in a batch manner, rather than interactively. Bulk loading creates metadata identities and can also assign those identities (for example, users) to groups or roles. For more information about the bulk-load process, see “Bulk-Load Processes for Identity Management” in the SAS Intelligence Platform: Security Administration

913admin.html). This appendix describes bulk-load examples under the topic “How to Perform an Initial Import of Identity Information.” Some of the sample code is in that section, and other examples are provided in the !SASROOT\core\sample directory (on Windows) or !SASROOT\samples (on UNIX). Before performing bulk loading, be sure that you understand users, groups, and roles.

Synchronizing Users, Groups, and Roles

Synchronizing Data Tables

When you add users, groups, and roles to the metadata repository, you must synchronize those changes with MySQL database tables that are used for data-level security. Information for users, groups, and roles is stored in database tables which must be kept in synchronization with the metadata. As a part of best practices, it is recommended that you set up a SAS Data Integration Studio job as a scheduled process to synchronize data tables. In some cases, changes to users, groups, and roles might need to be reflected in the database as soon as those changes are made in the metadata. In that case you can run the jobs manually, rather than waiting for the scheduled process to run. If you need to synchronize on demand, follow these steps:

1 Log on to the portal as a member of the Administrators group.

2 Open the Document Manager and select the Solutions repository.

3 Navigate to the SAS Content Data Management Solutions Data Mart folder.

4 Select and run the Import Users and Groups stored process. To run the stored process, click the action menu to the left of the stored process and select Refresh.

In addition, if you create new groups or roles, group permission trees for the portal must be created in the metadata repository. Those group permission trees can be created automatically, or you can initialize them with a batch job; see “Creating Group Permission Trees for the Portal” on page 50.

Creating Group Permission Trees for the Portal

Group permission trees enable content sharing for groups. If you simply add users to existing groups or roles, those user permission trees are created when the user logs on to the portal. If you create new groups or roles, those group permission trees are added to the metadata repository when the J2EE server for the portal Web application is started, or when a member of the Portal Admins group logs on to the portal. If there is a large number of new users or groups, this process could cause the portal to take a long time to open. On Windows, to create group permission trees without restarting the J2EE server or without logging on as a member of the Portal Admins group, you can run a batch job that creates the necessary metadata for the portal from users and groups that are currently listed in the metadata repository. Follow these steps:

1 Change directory to SAS-install-dir\Web\Portal2.0.1\Tools.

2 Edit the initPortalData.bat file and add weblogic.jar, sas.svc.sec.login.weblogic.jar, sas.entities.jar, and sas.oma.joma.rmt.jar to the classpath.

The JAR files are located in the remote services library folder (SAS-install-dir\SASSolutionsServices\1.3\RemoteServices\lib). If you copy the JAR files to the appropriate location (%CPJARSDIR%), then you can add these lines at the end of the set CLASSPATH section:

set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\weblogic.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.svc.sec.login.weblogic.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.entities.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.oma.joma.rmt.jar

3 Change directory to SAS-install-dir\Web\Portal2.0.1\SASServices\WEB-INF\conf.

4 Update the sas_metadata_source_client.properties file so that it matches the corresponding properties file in the WEB-INF\conf directory of the deployed Portal Web application.

5 Change directory to SAS-install-dir\Web\Portal2.0.1\Tools.

6 From a command prompt, run initPortalData.bat.

If the initPortalData utility runs successfully, then a message like the following is displayed:

Done initializing metadata information

Transaction count: [0]