SAS Publishing

SAS® Solutions Services 1.3

System Administration Guide, Second Edition

The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2006. SAS Solutions Services 1.3: System Administration Guide, Second Edition. Cary, NC: SAS Institute Inc.

SAS Solutions Services 1.3: System Administration Guide, Second Edition
Copyright 2006, SAS Institute Inc., Cary, NC, USA
All rights reserved. Produced in the United States of America.

For a Web download or e-book: Your use of this publication shall be governed by the terms established by the vendor at the time you acquire this publication.

U.S. Government Restricted Rights Notice. Use, duplication, or disclosure of this software and related documentation by the U.S. government is subject to the Agreement with SAS Institute and the restrictions set forth in FAR 52.227-19 Commercial Computer Software-Restricted Rights (June 1987).

SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513.

1st printing, December 2006

SAS Publishing provides a complete selection of books and electronic products to help customers use SAS software to its fullest potential. For more information about our e-books, e-learning products, CDs, and hard-copy books, visit the SAS Publishing Web site at support.sas.com/pubs or call 1-800-727-3228.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.

Contents

Chapter 1  Understanding SAS Solutions Services  1
    Overview of SAS Solutions Services  1
    Architecture  2
    Assumptions and Recommendations  3
    Required Skills  4
    Documentation Conventions  4

Chapter 2  Planning, Installing, and Configuring SAS Solutions Services and the Solutions  7
    Overview of Configuration  8
    Plan the Installation  8
    Install the Software  9
    Set Application Properties  10
    Make Localization Changes, If Necessary  10
    Secure Your System  10
    Load Transformations and Jobs  15
    Back Up the System  19
    Verify Using Sample Data (Optional)  19
    Create the Site's Users and Groups  21
    Configure Content  22
    Load Production Data  24
    Install the SAS Strategic Performance Management Migration Wizard (Optional)  25
    Load Client Applications  25
    Configure the J2EE Application Server and Web Applications  25
    Maintain the System  26
    Check SAS Notes for Additional Information  27

Chapter 3  Planning the Site's Security  29
    About Security  29
    Authentication  29
    Authorization  30
    Server Security and Data Transmission  31
    Auditing  32

Chapter 4  Authentication and User Security  33
    Overview of Authentication and User Security  33
    Default Users and Groups  36
    Determining Group and Role Assignments  40
    Registering Users  48
    Synchronizing Users, Groups, and Roles  49

Chapter 5  Content Administration  51
    What Is Content?  51
    Organizing Content  52
    About Security Authorization for Content  53
    Defining Security Authorization for Content  55
    Creating Site Content  60

Chapter 6  J2EE Server Administration  63
    BEA WebLogic Administration  64
    IBM WebSphere Administration  71
    Configuring the Web Applications  74
    Configuring Themes  75
    Using ODCS Clustering to Reduce Wait Time  76

Chapter 7  Portal Administration  81
    About Portal Administration  81
    Assigning a Content Administrator  81
    Creating Default Portal Pages  83
    Customizing the Portal  84
    Accessing the Default Portlets of the SAS Information Delivery Portal  91
    Securing Logs to Enhance Portal Security  91

Chapter 8  Application Administration  93
    Administering the Remote Services  94
    About Solutions Administration  96
    Configuring Applications Using the SAS Management Console  96
    Using the Solutions Web Administration Application  99
    Configuring Log Files  105
    Using Command-Line Diagnostic Tools  106

Chapter 9  Server Security and Encryption  113
    About Server Security  113
    Basic Protections  113
    Securing Data Exchanges between Server Components  113
    Secure Sockets Layer (SSL)  114

Chapter 10  MySQL Server Administration  115
    MySQL Overview  115
    MySQL Installation and Configuration (Windows)  115
    MySQL Installation and Configuration (UNIX)  116
    Backing Up MySQL Databases  116
    MySQL Security Issues  116

Chapter 11  WebDAV Server Administration  117
    About WebDAV  117
    Configuring Content Folder Permissions on the Xythos WebFile Server  117
    Changing the Apache Port Number  118
    More Information  120

Chapter 12  Configuration Files  121
    Overview  121
    Metadata Repositories  121
    Databases  122
    The Lev1\Data Folder  122
    The Lev1\SASMain\SASSolutionsServices Folder  122

Chapter 13  Deploying SAS Web OLAP Viewer and SAS Web Report Studio  125
    Overview  125
    A Note about Repositories  125
    SAS Web OLAP Viewer for Java  126
    SAS Web Report Studio and SAS Web Report Viewer  128

Chapter 14  Client Installation and Configuration  135
    Client Setup  135
    Client Applications  136
    Java Runtime Environment  140
    Configuring Logging for ETL Jobs  140
    Uninstalling the Client Applications  141

Appendix 1  Default Port Usage  143
    Port Usage  143

Appendix 2  Log Files  147
    Overview of Log Files  147
    Log Files on the Middle Tier  147
    Log Files on the Data Tier  148
    Log Files for Client Applications  149

Appendix 3  Troubleshooting  151
    General Troubleshooting Tips  151
    Errors in the SASV9.CFG File  151
    Errors in the Portal  152
    BEA WebLogic Errors  153
    IBM WebSphere Errors and Warnings  154
    MySQL Errors  154
    Errors Running Client Applications  154

Index  157

CHAPTER 1
Understanding SAS Solutions Services

    Overview of SAS Solutions Services  1
    Architecture  2
    Assumptions and Recommendations  3
    Required Skills  4
    Documentation Conventions  4

Overview of SAS Solutions Services

SAS Solutions Services is a set of services that provide common functionality and a framework for specific solutions. SAS Solutions Services builds upon the SAS 9 Intelligence architecture and includes the following areas of functionality:

- Document management allows users to create, organize, and secure documents of disparate types based upon their own folder structures. Document Manager, a Web application, supports management and viewing of the documents. Document Manager also allows customization of the menus for each document type, based upon user roles. A My Favorites portlet provides shortcuts to the folders or the documents themselves, and documents can also be viewed within a portlet.

- Collaboration enables the user to collaborate on objects surfaced by the applications or portlets. Comment Manager, a Web application, provides a standard interaction user interface for all types of objects.

- Measure and metric management provides a means for creating and managing measures used by key performance indicators or SAS Strategic Performance Management (SPM) Elements. A Web application, Measure Manager, allows the user to interactively manage measures. An ETL process is provided to create measures and metrics. Standard measures are shipped as part of SAS Solutions Services. Metric export is also available from the SAS Financial Management Add-In for Microsoft Excel.

- Key performance indicator (KPI) management enables the user to create and manage KPIs for various levels within an organization. Based upon security authorization, a user can create, manage, and modify KPI projects and scorecards. A Web application, KPI Viewer, allows the user to view the scorecards. The Dashboard portlet allows the user to put KPIs on a dashboard.

- Alerts provide the ability to notify users when specific events happen. Various types of alerts are supported. Applications have the ability to participate in alerts based upon the events of the application. An Alerts portlet displays alerts to a user logged in to the Information Delivery Portal. Alerts can also be sent via e-mail.

- Directives direct the user to another application or action. Directives can be used by an application to provide links between applications. The My Favorites portlet is based upon directives.

- Dimension Management provides the ability to create, manage, and add values to dimensions and hierarchies. A Java client application, Dimension Editor, allows the user to interactively create and modify the dimensions.

- Microsoft Office integration provides the ability to integrate documents from SAS Solutions Services within the Microsoft Office suite of applications. There is a common SAS Solutions Services Add-In for Microsoft Office that can be extended by solutions that want to add their document types.

- Data-level security allows application objects that are represented by data in the Solutions Data Mart to be secured using an object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies).

- Role-based user interface customization and authorization provide a means of customizing the user interface based on the roles a user is associated with (for example, administrator or analyst). A role determines which actions a user can take by limiting the menu options available in the user interface.

- Application configuration provides the ability to configure SAS Solutions Services and the solutions. Configuration is administered via a SAS Management Console plug-in.

- Administration enables Web-based monitoring of users and administration of SAS Solutions Services and other solutions.

The following products use SAS Solutions Services 1.3:

- SAS Financial Management 4.3
- SAS Strategic Performance Management 2.3
- SAS Human Capital Management 4.3

Within this book, these products are referred to as solutions.

Architecture

The diagram in Figure 1.1 on page 3 gives an overview of the n-tier architecture of SAS Solutions Services and the solutions. The presentation tier includes Web browser-based clients, add-ins to Microsoft Office applications, and Java desktop applications such as Dimension Editor. On the middle tier, SAS applications are deployed to a J2EE application server, usually as either Web Archive (WAR) files (such as the SAS Information Delivery Portal) or Enterprise Archive (EAR) files. SAS Solutions Services is deployed in this middle tier, along with specific domain solutions applications, such as SAS Strategic Performance Management or SAS Financial Management. The SAS Foundation Services (running in a separate Java Virtual Machine) are extended to support SAS Solutions Services and are also deployed in this tier. The data and compute tier typically hosts the SAS application servers, the SAS Metadata Server, the MySQL server, and the WebDAV repository. However, these components might reside on multiple physical machines.

Figure 1.1 SAS Solutions Services Tiered Architecture
[Diagram not reproduced in this extraction; components labeled in the figure include SAS Data Integration Studio.]

Assumptions and Recommendations

This book is written for system administrators and consultants and contains instructions for initial system administration and maintenance of the system. SAS Solutions Services: Data Administration Guide is a companion document. It is available at http://support.sas.com/documentation/solutions/admin/index.html.

The book makes the following assumptions and recommendations:

- Microsoft Windows:

  - The fully qualified host name will be used.

    Note: In this book, instructions that reference Windows are oriented toward the Microsoft Windows 2000 Server operating environment. There might be differences between Microsoft Windows 2000 and Microsoft Windows XP for some tasks.

  - You have enabled the viewing of hidden files and folders. To enable these views, complete the following steps:
    1. In a Microsoft Windows Explorer window, select Tools > Folder Options.
    2. Select the View tab.
    3. Under Advanced Settings, select Show hidden files and folders.

- This guide lists the default password values for accounts that are created during the installation process. You might have chosen different passwords during your installation.

- SAS Solutions Services uses the SAS Intelligence n-tier architecture, as described in the SAS Intelligence Platform: System Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). This architecture enables software components to be installed on a single machine or on multiple physical machines (servers). While this guide refers to different tiers within the documentation, it is assumed that you understand how to determine the appropriate n-tier structure for your installation and configuration.

- Microsoft Internet Explorer 6.0 or greater is required for use as your Web browser.

Required Skills

To administer the solutions software, you must be familiar with the operating system on which it is installed. For example, you must know how to create folders, run scripts (.bat files or .sh files), and update environment variables. On Microsoft Windows, you must be an administrator of the machine.

Documentation Conventions

This book uses the following documentation conventions to identify paths in the solutions configuration:

Table 1.1

Path: SAS-install-dir
    Refers to: path to the SAS installation directory
    Examples: Windows: C:\Program Files\SAS
              UNIX: /usr/local/SAS

Path: SAS-config-dir
    Refers to: path to the configuration directory
    Examples: Windows: C:\SAS\SASSolutionsConfig
              UNIX: /usr/local/SAS/SASSolutionsConfig

Path: BEA-home-dir
    Refers to: path to the BEA WebLogic home directory
    Examples: Windows: C:\bea
              UNIX: n.a.

Path: WebSphere-install-dir
    Refers to: path to the IBM WebSphere installation directory
    Examples: UNIX: /usr/local/WebSphere
              Windows: n.a.

Path: MySQL-install-dir
    Refers to: path to the MySQL installation directory
    Examples: Windows: C:\mysql
              UNIX: /usr/local/mysql

Path: Apache-install-dir
    Refers to: path to the Apache installation directory
    Examples: Windows: C:\Program Files\Apache Group\Apache2
              UNIX: /usr/local/IBMIHS

Path: Xythos-install-dir
    Refers to: path to the Xythos WebFile Server installation directory
    Examples: Windows: C:\Xythos
              UNIX: /usr/local/SAS/xythos

File system pathnames are typically shown with Windows separators (\); for UNIX, substitute a forward slash (/).


CHAPTER 2
Planning, Installing, and Configuring SAS Solutions Services and the Solutions

    Overview of Configuration  8
    Plan the Installation  8
    Install the Software  9
        Installation Overview  9
        Install SAS/GRAPH Maps (Optional)  9
        Change Threading Options for SAS Metadata Server (Optional)  9
        Configure the SAS Servers for Alternative Authentication Mechanisms (Optional)  9
    Set Application Properties  10
    Make Localization Changes, If Necessary  10
    Secure Your System  10
        About Securing Your System  10
        Remove Unnecessary Default Metadata Identities  11
        Configure Security Settings for Folders and Files (Windows)  11
            Protect System Configuration Folders  11
            Protect Additional Folders and Files  12
        Configure Security Settings for Folders and Files (UNIX)  13
            Default Settings  13
            Additional Settings  13
        Secure the J2EE Server Configuration  15
        Secure Your WebDAV Installation  15
        Secure Data Transmissions (Optional)  15
    Load Transformations and Jobs  15
        Apply Hot Fixes  15
        Set Up a SAS Data Integration Studio User  16
        Define a Batch Job Deployment Directory (Optional)  16
        Import Transformations, Jobs, and Error and Exception Table Metadata  17
        Restrict the Events That Data Administrators See (Optional)  17
    Back Up the System  19
    Verify Using Sample Data (Optional)  19
        Load Sample Data  19
        Verify the System  20
        Restore the System  21
    Create the Site's Users and Groups  21
        Overview  21
        Grant "Log on as a batch job" Rights to Users (Windows)  21
        Create Metadata Identities  22
        Run the UserGroupValidation Utility  22
    Configure Content  22
        Overview  22
        Assign a Content Administrator  22
        Create Content Folder Structure for the Site  22
        Modify Permissions for Information Maps  23
        Modify Permissions for OLAP Cubes  23
        Create Content for the Site  24
        Set Permissions to Refresh Stored Process Reports  24
        Configure the Information Delivery Portal for the Site  24
    Load Production Data  24
    Install the SAS Strategic Performance Management Migration Wizard (Optional)  25
    Load Client Applications  25
    Configure the J2EE Application Server and Web Applications  25
    Maintain the System  26
        Synchronize the Server Clocks  26
        Restart Servers  26
        Tune System Performance  26
        Monitor and Maintain Your System  26
    Check SAS Notes for Additional Information  27

Overview of Configuration

SAS Solutions Services, and the solutions that use SAS Solutions Services, are built on the SAS 9 Intelligence Architecture. The SAS Intelligence Platform: Installation Guide describes several planning steps that can occur prior to the physical installation and configuration of the software. As a system administrator or consultant, you should be familiar with those planning steps as well as the steps outlined in this guide. Because solutions are geared towards specific user communities, the solutions can provide information for some of these planning areas.

Following are the steps that are used during installation and configuration. Note that the initial installation and configuration of solutions includes a set of installation verification data that you can use to verify the installation. This data is also called sample data, because it can be used to demonstrate the software. Before a production warehouse can be loaded, the installation verification data must be removed.

For information about the files that are installed with SAS Solutions Services and the solutions, see Chapter 12, "Configuration Files," on page 121. For more information about the solutions, see the online Help and users' guides, as well as the SAS Solutions Services: Data Administration Guide (available at http://support.sas.com/documentation/solutions/admin).

For more information about the SAS Intelligence Platform, see the following references:

- SAS Intelligence Platform: Installation Guide
- SAS Intelligence Platform: System Administration Guide
- SAS Intelligence Platform: Security Administration Guide
- SAS Intelligence Platform: Application Server Administration Guide
- SAS Intelligence Platform: Web Application Administration Guide

These books are available at http://support.sas.com/documentation/configuration/913admin.html.

Plan the Installation

In addition to the planning steps outlined in the SAS Intelligence Platform: Installation Guide, follow these steps in planning your installation.

1. Determine the set of users that are necessary to run SAS Solutions Services and the solutions.
2. Decide on the authentication method(s) to be used.

For more information, see Chapter 4, "Authentication and User Security," on page 33.

Install the Software

Installation Overview

1. Using SAS Software Navigator, install and configure the SAS Intelligence Platform, as well as SAS Solutions Services and any licensed solutions.
2. Follow the instructions that were generated by the SAS Configuration Wizard, as well as the installation guide for SAS Financial Management, SAS Strategic Performance Management, and SAS Human Capital Management.
3. Follow the procedures described in the remainder of this chapter.

Install SAS/GRAPH Maps (Optional)

The SAS/GRAPH map data sets are not installed by default. If you want to install them, either as part of your regular installation or afterwards, follow these steps:

1. On the Select Components screen of the SAS 9.1 Foundation install, expand the listing under SAS 9.1.
2. Scroll down and select SAS/Graph Map Data Sets.

To install selected maps, expand SAS/Graph Map Data Sets and select only the locations needed.

Change Threading Options for SAS Metadata Server (Optional)

After installation and configuration, the maximum number of threads for the SAS Metadata Server is set to a value equal to the number of processors on the machine hosting the metadata server. To maximize performance, you might need to change the threading options. These options are described in "Optimizing the Performance of the SAS Metadata Server" in the SAS Intelligence Platform: System Administration Guide, available at http://support.sas.com/documentation/configuration/913admin.html.

Configure the SAS Servers for Alternative Authentication Mechanisms (Optional)

If you use an authentication mechanism other than host authentication, see "Understanding Authentication" and "Customizing the Authentication Configuration" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). This guide contains an overview of user authentication, as well as information about modifications you must make to the server configuration (.cfg) files to support authentication mechanisms such as LDAP or Active Directory.

Set Application Properties

After installation and configuration, you might need to make these changes:

- Set e-mail addresses for administrators. If you did not already do so during the installation process, set the mail host and the e-mail addresses for administrative and error messages. This task is performed by using the Configuration Manager plug-in of the SAS Management Console. For instructions, see "Modify E-Mail Settings" on page 97.

- Optionally, install a service to start the remote services. See "Install a Service to Start the Remote Services" on page 94.

Make Localization Changes, If Necessary

If you installed SAS Human Capital Management in a language other than English, you must modify the setlocs.sas file as follows:

1. In the SAS Management Console, locate the text for the OLAP schema, as follows:
   a. In the HR repository, navigate to Server Manager.
   b. Right-click HR-OLAP and select Properties.
   c. Click the Olap Schema tab.
   d. Make a copy of the text that is displayed there. In English, this text is "HR-OLAP - OLAP Schema", but you will see a translated string.

2. Change directory as follows:
   Windows: !SASROOT\hrds\sasmacro
   UNIX: !SASROOT\sasautos

3. Open the setlocs.sas file for editing.

4. Locate this line:
   %let HRSchema=HR-OLAP - OLAP Schema;

5. Replace the text to the right of the equal sign with the translated text from the SAS Management Console.

6. Save the file.

Secure Your System

About Securing Your System

After you have verified that your system is functioning correctly, you need to take additional steps to secure it, including (but not necessarily limited to) the tasks that are described in this section. In addition to setting metadata access controls, you must protect the physical server(s) that make up the data-tier level (in other words, the servers where your MySQL database is located and where your SAS application servers are running). You also should protect the physical server(s) that make up the middle-tier level, where your J2EE server is running. In addition to the MySQL database, files on these servers might contain vital information such as encoded passwords.

Remove Unnecessary Default Metadata Identities

You should remove default metadata identities that are no longer needed. For security, you should remove the Solutions Installer from production environments after the installation and configuration are complete. (You might need to re-create this user identity if you need to install upgrades or hot fixes later.) You can also remove the SAS Demo User identity from production environments. For more information about the default metadata identities, see Table 4.1 on page 36 and Table 4.2 on page 37.

Configure Security Settings for Folders and Files (Windows)

Protect System Configuration Folders

By default, the configuration directory folders on a Windows machine do not have any special protections. It is important to secure some of these folders because they can contain information such as repository data sets and encoded passwords. The following table summarizes the recommended protections. It assumes that your SAS servers and spawners run as services under the Local System account, which is the recommended configuration.

Table 2.1 Recommended Operating System Protections on Windows

Folders*: MetadataServer, OLAPServer[_domain], ObjectSpawner
    Permissions: Grant Full Control to SYSTEM and Administrators, and remove all other users and groups.

Folders*: BatchServer, SASEnvironment, Users, Utilities, WorkspaceServer
    Permissions: Grant Full Control to SYSTEM, and grant Read permission to all SAS server users.

Folders*: WorkspaceServer\logs
    Permissions: If you enable logging for the workspace server and you use this default location for the logs, then all users of the workspace server should be granted Modify permission for this subdirectory.

Folders*: StoredProcessServer, StoredProcessServer\logs
    Permissions: Grant Full Control to SYSTEM, grant Full Control to SAS General Server User (sassrv), and remove all other users and groups.

Folders*: SASEnvironment\SASCode\Jobs
          SASSolutionsServices\SASCode\Jobs
          SASSolutionsServices\SASCode\ETLMetadata
          SASSolutionsServices\SASFormats
          SASFinancialManagement\SASCode\Jobs
          SASFinancialManagement\SASCode\ETLMetadata
          SASHumanCapitalManagement\SASCode\Jobs
          SASStrategicPerformanceManagement\SASCode\Jobs
    Permissions: Grant Modify permission to all SAS server users.

Folders*: query cache library for SAS Web Report Studio**
    Permissions: Grant all SAS Web Report Studio users read, write, and execute permissions for the directory that holds the cache. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.

* By default, these folders are located under SAS-Config-Dir\Lev1\SASMain\. To learn more about the configuration directory structure, see Chapter 12, "Configuration Files," on page 121.

** During installation and configuration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specified for the puddle login definitions in your pool. To use the query cache, make sure each puddle login definition has access permissions (read and write) for the query cache library. If you have not configured pooling, then each requesting user's individual (or shared) account will need read and write permissions for the library in order to access the tables. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the cache directory, so that files can be deleted automatically and the cache will not become too large. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.

For additional information, see "Securing a Deployment" in the SAS Intelligence Platform: Security Administration Guide. This chapter describes setting folder permissions, securing your metadata repositories, encryption, and related topics. If you installed SAS Web Report Studio, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide. This chapter includes information about securing the folders that are used by SAS Web Report Studio, including folders that hold temporary files. Both books can be found at http://support.sas.com/documentation/configuration/913admin.html.

Protect Additional Folders and Files

In addition to securing the folders mentioned above, secure the following folders and files:

Table 2.2 Additional Recommended Operating System Protections

Folders: !SASROOT\nls\en\sasv9.cfg
    Permissions: Grant Read and Execute permission to the SAS Server Users group.

Folders: SAS-config-dir\Lev1\Data and its subdirectories
    Permissions: Grant Full Control to SAS General Server User (sassrv) and to SAS Administrator (sasadm). Grant Read/Write/Create permission to users who will run ETL or SAS jobs to update data in the warehouse. This includes the user that is specified in the jdbcconnection-userid of the web.xml file for sas.solutions.common.war.

Folders: MySQL-Install-Dir
    Permissions: Grant Full Control to MySQL-Install-Dir only to SYSTEM and Administrators.

Folders: MySQL-Install-Dir\bin
    Permissions: Grant Read and Execute permission to everyone.

Configure Security Settings for Folders and Files (UNIX)

Default Settings

For UNIX systems, the following table lists the default permissions for the directories, files, and scripts that are created in a planned installation. All files reside in the SAS-config-dir directory.

Table 2.3 Default Directory Permissions for UNIX

Directories/Files/Scripts                          | The sas user ID       | The sas User Group    | All Users
---------------------------------------------------|-----------------------|-----------------------|----------------------
Server-specific directories, files, and scripts,   | Read, write, execute  | No access             | No access
  except for the StoredProcessServer directory     |                       |                       |
Lev1/SASMain/StoredProcessServer                   | Read, write, execute  | Read, write, execute  | No access
Lev1/SASMain/Data                                  | Read, write, execute  | Read, write, execute  | Read, write, execute
All other Lev1 directories and files               | Read, write, execute  | Read, execute         | Read, execute
All other Lev1 scripts                             | Read, write, execute  | Read, execute         | Read, execute

Additional Settings

After installation, change directory to SAS-config-dir and set the following additional permissions:

Note: The -R flag is used to set permissions recursively.

Table 2.4 Additional Directory Permissions for UNIX

Directories/Files/Scripts: Lev1/Data
    Permissions: permit full access for the sas user ID and the sas user group:
        chmod -R 775 Lev1/Data

Directories/Files/Scripts: Lev1/SASMain
    Permissions: permit full access for the sas user ID and the sas user group:
        chmod 775 Lev1/SASMain

Directories/Files/Scripts: Depending on the solutions that you have installed:
        Lev1/SASMain/SASSolutionsServices/SASCode/Jobs
        Lev1/SASMain/SASSolutionsServices/SASCode/ETLMetadata
        Lev1/SASMain/SASSolutionsServices/SASFormats
        Lev1/SASMain/SASFinancialManagement/SASCode/Jobs
        Lev1/SASMain/SASFinancialManagement/SASCode/ETLMetadata
        Lev1/SASMain/SASStrategicPerformanceManagement/SASCode/Jobs
        Lev1/SASMain/SASHumanCapitalManagement/SASCode/Jobs
    Permissions: permit full access for the sas user ID and the sas user group. For example:
        chmod -R 775 Lev1/SASMain/SASSolutionsServices/SASCode/Jobs

Directories/Files/Scripts: user-defined stored processes
    Permissions: If you have created any directories to hold stored processes that are created by users, set those directories' permissions to allow full access for the sas user ID and the sas user group. For example:
        chmod -R 770 Lev1/SASMain/SASSolutionsServices/SASCode/UserDefined

Directories/Files/Scripts: query cache library for SAS Web Report Studio*
    Permissions: Grant all SAS Web Report Studio users read and write permission for the query cache, unless workspace server pooling is enabled. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.

* During installation and conguration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specied for the puddle login denitions in your pool. To use the query cache, make sure each puddle login denition has access permissions (read and write) for the query cache library. If you have not congured pooling, then each requesting users individual (or shared) account will need read and write permissions for the library in order to access the tables. If workspace server pooling has not been congured, then the query cache is not automatically cleared. You might want to clear these les on a regular basis so that the cache will not grow too large. In either case,

Planning, Installing, and Conguring

4

Apply Hot Fixes

15

the SAS Web Administrator (saswbadm) should be granted full permissions for the directory. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.
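To confirm that the permissions in Table 2.4 were applied and have not drifted (for example, a job directory that became world-writable), the following audit script is an added example; it is not part of the SAS documentation. It assumes the sas user and group are passed on the command line (as names or numeric IDs), treats the table's example UserDefined path as the user-defined stored process directory, and skips directories of solutions that are not installed.

```shell
#!/bin/sh
# Added example, not SAS-supplied code: audit SAS-config-dir/Lev1 against the
# UNIX permission table. Usage (after sourcing or as a script body):
#   check_lev1_perms /opt/SAS/config sas sas
# The sas user/group are assumptions passed in by the caller.

# One "relative-path expected-mode" pair per line, mirroring Table 2.4.
# 775: full access for the sas user and group, read/execute for others.
# 770: full access for the sas user and group, no access for others.
# The UserDefined path is the table's own example for user-defined stored processes.
lev1_permission_policy() {
    cat <<'EOF'
Lev1/Data 775
Lev1/SASMain 775
Lev1/SASMain/SASSolutionsServices/SASCode/Jobs 775
Lev1/SASMain/SASSolutionsServices/SASCode/ETLMetadata 775
Lev1/SASMain/SASSolutionsServices/SASFormats 775
Lev1/SASMain/SASFinancialManagement/SASCode/Jobs 775
Lev1/SASMain/SASFinancialManagement/SASCode/ETLMetadata 775
Lev1/SASMain/SASStrategicPerformanceManagement/SASCode/Jobs 775
Lev1/SASMain/SASHumanCapitalManagement/SASCode/Jobs 775
Lev1/SASMain/SASSolutionsServices/SASCode/UserDefined 770
EOF
}

# Print every entry under one directory tree that violates the expected mode.
# The check is about access rights rather than an exact octal match:
#   - owner and group must be the sas identities
#   - the group needs rwx on directories and rw on files ("full access")
#   - nothing may be world-writable; with mode 770, others may have no access
find_violations() {   # $1 = directory, $2 = expected mode, $3 = user, $4 = group
    case $2 in
        770) other='-perm -004 -o -perm -002 -o -perm -001' ;;
        *)   other='-perm -002' ;;
    esac
    # $other is intentionally unquoted so that find sees separate arguments.
    find "$1" \( $other \
        -o ! -user "$3" -o ! -group "$4" \
        -o \( -type d ! -perm -070 \) \
        -o \( ! -type d ! -perm -060 \) \) -print
}

# Walk the policy and report findings. Returns 0 only when every directory
# that exists complies. Usage: check_lev1_perms <SAS-config-dir> <user> <group>
check_lev1_perms() {
    root=$1 user=$2 group=$3
    status=0
    while read -r rel mode; do
        dir="$root/$rel"
        [ -d "$dir" ] || continue     # solution not installed: nothing to audit
        found=$(find_violations "$dir" "$mode" "$user" "$group")
        if [ -n "$found" ]; then
            printf 'NONCOMPLIANT %s (expected %s):\n%s\n' "$dir" "$mode" "$found"
            status=1
        fi
    done <<EOF
$(lev1_permission_policy)
EOF
    return $status
}
```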

If you want multiple users to be able to update the same data sets that are created by SAS Data Integration Studio, you might want to set the default umask that is applied to the data sets when they are created. For more information, see "Administering SAS Data Integration Studio" in SAS Intelligence Platform: Desktop Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).

Secure the J2EE Server Configuration

1. Secure the J2EE server configuration and log files.
2. The installation process configures WebLogic to use the sas.weblogic.policy file. If you applied the sas.allpermissions.weblogic.policy file during the initial testing, you should reapply the sas.weblogic.policy file. For more information, see the instructions.html file that was generated by the SAS Configuration Wizard. That file is located in SAS-config-dir\SASSolutionsConfig.
3. For information about the filter policy file and security configuration for WebSphere, see the instructions.html file that was generated by the SAS Configuration Wizard.

Secure Your WebDAV Installation

If you are using Xythos as your WebDAV server, the configuration process requires that all Users with Accounts have full permissions for Xythos content folders. After the configuration is complete, deny those permissions and add permissions for the SAS Trusted User. Follow the instructions in "Configuring Content Folder Permissions on the Xythos WebFile Server" on page 117 to secure the Xythos content folders for running the solutions. For more information about WebDAV, see Chapter 11, "WebDAV Server Administration," on page 117.

Secure Data Transmissions (Optional)

For information about using encryption to protect data transmissions, see "Securing Data Exchanges between Server Components" on page 113.

Load Transformations and Jobs

As part of configuring your system, you must use SAS Data Integration Studio to load transformations, jobs, and error and exception table metadata that are required by the solutions.

Apply Hot Fixes

Before opening SAS Data Integration Studio, download and apply necessary hot fixes by following these steps:

1. Point your browser to http://ftp.sas.com/techsup/download/hotfix/dis34.html.
2. Download and install Hot Fix 34DATABLDR02.
3. Log on to the SAS Management Console as an administrator.
4. Select Tools > Update Metadata for SAS Data Integration Studio.

Set Up a SAS Data Integration Studio User

Set up at least one SAS Data Integration Studio user for the solutions, as follows:

1. If necessary, create a user ID and password on the host system on which the jobs are being submitted. On Windows, SAS Data Integration Studio users must have the "Log on as a batch job" right. For more information, see "Grant Log on as a batch job Rights to Users (Windows)" on page 21.
2. In the folder's security properties, grant Read/Write/Create permission to the user for the directory where the data warehouse resides (that is, SAS-config-dir\Lev1\Data and its subdirectories).
3. In the SAS Management Console, create the user (if necessary), and add the user to the following groups and roles:
   - Solutions Users group
   - MYSQL Users group
   - Data Administrator role
   Note: The user ID that is used to log on to SAS Data Integration Studio must not be the unrestricted user (sasadm). If you log on as the unrestricted user, then you will not be able to attach the libraries that are necessary to run SAS Data Integration Studio.
4. You will define additional SAS Data Integration Studio users later; see "Assign SAS Data Integration Studio Groups and Roles" on page 48.

Define a Batch Job Deployment Directory (Optional)

In SAS Data Integration Studio, when you deploy a job for scheduling, you must select a directory to hold the generated code. Your directory choices are set in the SAS Management Console, in the Schedule Manager. To define a batch job deployment directory:

1. Log on to the SAS Management Console as the administrative user (sasadm).
2. Right-click Schedule Manager and select Deployment Directories.
3. From the Application Server drop-down list, select the application server that will be used to deploy jobs.
4. Click New.
5. In the New Directories dialog, specify a name for the directory, and either type a directory name or click Browse to select a directory. For SAS Human Capital Management, we recommend that you create a subdirectory in the SAS-config-dir\Lev1\SASMain\SASHumanCapitalManagement\SASCode directory (such as SASCode\ScheduledJobs). Grant it the same file permissions as the SASCode\Jobs directory. For more information about file permissions, see "Secure Your System" on page 10.
6. Click OK.


Import Transformations, Jobs, and Error and Exception Table Metadata

SAS Solutions Services is shipped with a comprehensive set of transformations and jobs that provide a framework for extracting, transforming, and loading enterprise data, as well as error and exception table metadata. You must import the following:

- Detail Data Store repository error and exception table metadata. These are imported in a single SAS package file (DDS Error Tables.spk).
- Detail Data Store repository transformations and jobs.
- Solutions repository transformations and jobs. These transformations and jobs are imported in a single SAS package (Solutions_DIS_Jobs.spk).
- If you installed SAS Financial Management: Finance repository transformations and jobs. As with the Solutions repository, these transformations and jobs are imported in a single SAS package (Finance_DIS_Jobs.spk).
- If you installed SAS Human Capital Management: HR repository transformations and jobs.
- If you are migrating data from SAS Strategic Performance Management 1.4, or if you want to be able to load numeric values into the SAS Strategic Performance Management database: Performance Management repository transformations and jobs.

For instructions, see the SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).

Restrict the Events That Data Administrators See (Optional)

You can set permissions on events so that Data Administrators see only DataChanged events. In SAS Data Integration Studio, Data Administrators see a list of events that can be sent to the portal. The only event that is appropriate in this context is the DataChanged event. Consequently, you want to deny Data Administrators permission to see all other events. To set metadata permissions on events, follow these steps:

1. Log on to the SAS Management Console.
2. Expand Foundation Services Manager > Remote Services > Event Broker Service > Event Broker Service. You should see a list of all available events, similar to the image below:


3. For all events except SAS.Solutions.Data.DataChanged, perform the following steps:
   a. Right-click the event name and select Properties.
   b. Click the Authorization tab.
   c. Click the Add button, and add the Data Administrator role to Selected Identities.
   d. Click OK.
   e. Deny all permissions to the Data Administrator. Ensure that the background for each of the check boxes is white, as shown in the image that follows. (If the check box has a non-white background, click the box again to clear the background.) This last step ensures that the permission is set directly on the item and that any future changes to its inherited permission set do not affect it.


Back Up the System

Back up the server content. This backup (referred to as the Default Backup) contains the content of the system prior to any load of data. It can be used to restore the system to its default state (before any data was loaded). As part of good system administration practice, it is suggested that you make a complete backup of each machine in the configuration before proceeding. For information about backing up and restoring the server content, see the documentation for the Backup, Restoration, and Migration tool.

Verify Using Sample Data (Optional)

Sample data is provided to help you verify the correct operation of the system and to demonstrate system functionality. Follow these steps to verify the installation, or skip to "Create the Site's Users and Groups" on page 21.

Load Sample Data

1. Back up the server content if the Default Backup was not created. For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2. Log on to the middle-tier server and load the sample data to be used for installation verification:


   a. At a command prompt, change directory to SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
   b. If this is a multi-machine configuration, start the Ant server. On Windows, use this command:
        StartAntServer.bat
      On UNIX, use this command:
        ./StartAntServer.sh
   c. Run the command to load the SAS Solutions Services sample data. On Windows:
        SolutionsLoadSampleData.bat
      On UNIX:
        ./SolutionsLoadSampleData.sh
   d. If you have installed SAS Human Capital Management, you can also load the HCM sample data.
      i. To load the sample data on Windows, run this command:
           HCMLoadSampleData.bat
         On UNIX:
           ./HCMLoadSampleData.sh
      ii. After loading the sample data, re-create the HCM cubes and information maps. For more information, see the SAS Solutions Services: Data Administration Guide.
3. Create any sample users and groups necessary for demonstration and verification purposes.
4. Synchronize users and groups by following these steps:
   a. Log on to the portal as a member of the Administrators group.
   b. Open the Document Manager and click the Browse tab.
   c. From the Repository drop-down list, select Solutions. To support different content types and dependencies, the Browse page displays documents and folders for one repository at a time. Your repository selection is remembered and applied the next time you open the Document Manager.
   d. Navigate to SAS Content > Data Management > Solutions Data Mart.
   e. Click the action menu beside the Import Users and Groups stored process and select Refresh.
5. Create any document folders necessary for demonstration and verification purposes.
6. Optionally, administer data-level security on the installation verification data for demonstration and verification purposes. For instructions, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).

Verify the System

After you load the sample data, verify the operation of the system. The following steps are an example of verification:


1. Run the MailValidation utility to check that the e-mail interface was set up correctly. For details, see "Validate the E-Mail Interface" on page 111.
2. Log on to the portal as sasdemo.
3. Add an instance of each portlet.
4. In the My Favorites portlet, add the Manage Documents task.
5. Select Manage Documents and import a document to the SAS Demo User folder.
6. Add a comment to the document.

Restore the System

When the installation has been verified, the system needs to be restored to its default state (before the sample data was loaded). For instructions, see the documentation for the Backup, Restoration, and Migration tool.

Create the Site's Users and Groups

Overview

After you verify the installation and operation of the solutions, you can create and load production information. To load the production users, perform the tasks described in this section. You can use the SAS Management Console, or you can use the bulk-load process as described in "Bulk Loading Users and Groups" on page 49. As you expand the set of users and groups, you can repeat these tasks.

Grant "Log on as a batch job" Rights to Users (Windows)

If you are using host authentication on Windows systems, then all users must have the local "Log on as a batch job" right on machines that host SAS servers, including the SAS Metadata Server, workspace servers, the SAS Stored Process Server, the SAS OLAP Server, the SAS/CONNECT server, and the SAS/SHARE server.

Note: There is an exception: machines hosting pooled workspace servers (and no other SAS servers) do not need this right to be assigned.

The recommended way to grant this right is as follows:

1. Create a SAS Server Users group and add your users to that group. Be sure to include the SAS General Server User (sassrv).
   Note: This is an operating-system group, not a SAS metadata identity. It can be created as a network (global) group, or it can be created as a local group on each server machine.
2. On each server machine, assign the "Log on as a batch job" right to the SAS Server Users group. These rights must be assigned locally. For more information about assigning local policy rights, see your computer's online help.


Create Metadata Identities

Register users at the site and assign them to groups and roles. For instructions, see "Determining Group and Role Assignments" on page 40 and "Registering Users" on page 48. After you have registered the users, log on to the portal as an administrator and run Import Users and Groups to synchronize users, groups, and roles. For details, see "Synchronizing Users, Groups, and Roles" on page 49.

Note: The stored process server is configured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with his own login or via a group login. For more information, see "Default Groups" on page 38.

Run the UserGroupValidation Utility

The UserGroupValidation utility checks to make sure that all users belong to the Solutions Users group or to a subgroup, as required for logging on to the portal. For details, see "Validate Group Assignments" on page 109.

Configure Content

Overview

In terms of SAS Solutions Services, content is defined as any document, stored process, or viewable object. SAS Solutions Services provides a Web application, called the Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Manager's tree view can also be shown in portlets. Content configuration tasks include creating the site's content folder structure in the Document Manager, creating stored process reports, and configuring the Information Delivery Portal.

Assign a Content Administrator

It is recommended that you assign a user to administer portal content. This could be the user who is the system administrator for the site. You can assign a single user to administer all portal content, or you can assign different content administrators for different groups. These user identities must have logins that can be authenticated on the metadata server host. For instructions about assigning a content administrator, see "Assigning a Content Administrator" on page 81.

Create Content Folder Structure for the Site

In the Document Manager, create a set of shared folders that correspond to the group hierarchy you created for the site's users. Assign security to these folders. For instructions, see these topics:


- "Organizing Content" on page 52
- "About Security Authorization for Content" on page 53
- "Defining Security Authorization for Content" on page 55

Modify Permissions for Information Maps

If you have installed SAS Web Report Studio or SAS Web OLAP Viewer, you must modify the permissions for accessing information maps. For each repository that will be used to hold information maps:

1. Log on to the SAS Management Console as an administrator.
2. Open the repository that you want to modify.
3. In the navigation tree, select the folder that will hold information maps. If you have installed SAS Web Report Studio, the typical location for its maps is BI Manager > BIP Tree > Report Studio > Maps.
   Note: The first time that a user opens SAS Web Report Studio, the ReportStudio folder structure is created for that domain in the metadata repository and in the external content server (WebDAV).
4. Right-click the Maps folder and select Properties.
5. Click the Authorization tab.
6. Grant Solutions Users these permissions: Read and ReadMetadata. You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly; that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.

Modify Permissions for OLAP Cubes

In order for users to access OLAP cubes in SAS Web Report Studio or SAS Web OLAP Viewer, they must have Read permission for the cubes (in addition to any information maps that are built on the cubes). To modify the permissions for accessing OLAP cubes:

1. Log on to the SAS Management Console as an administrator.
2. Open the repository that you want to modify.
3. Navigate to Authorization Manager > Resource Management > By Location > OLAP-server-name > OLAP-server-name OLAP Schema.
4. Right-click OLAP-server-name OLAP Schema and select Properties.
5. Click the Authorization tab.
6. Grant Solutions Users these permissions: Read and ReadMetadata. You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly; that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.

You can also set permissions for an individual cube, a dimension, a hierarchy within a dimension, or a level within a dimension. For details, see the SAS OLAP Server:


Administrator's Guide, available at http://support.sas.com/documentation/configuration/913admin.html.

Create Content for the Site

Create content for the site by importing content, creating stored process reports, and developing custom stored processes. A number of stored processes are provided with the solutions. These stored processes are located in the SAS Content folders of the repositories that are used by those solutions. One way of creating content for the site is to create stored process reports that are customized for different groups. For instructions about creating site content, including stored process reports, see "Creating Site Content" on page 60.

Set Permissions to Refresh Stored Process Reports

If you have installed SAS Human Capital Management and want users to be able to refresh stored process reports, you must grant ReadMetadata permission to Solutions Users for the corresponding stored processes. For details, see "Enable Users to Refresh Stored Process Reports" on page 60.

Configure the Information Delivery Portal for the Site

Configuring the portal includes assigning default portal pages for users or groups, as described in "Applying the Solutions Users Page Templates" on page 83. You can also create custom page templates; for more information, search for "page templates" in the portal's online Help. Users can customize their own portal pages. Some suggestions are in "Customizing the Portal" on page 84. If you want to make available additional portlets of the SAS Information Delivery Portal, see "Accessing the Default Portlets of the SAS Information Delivery Portal" on page 91.

Load Production Data

You are now ready to load production data. Follow these steps:

1. Back up the server content. For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2. Load production data. The user and group information is retained in metadata. The content folder structure is maintained.
3. Apply data security to the production data.

For instructions about loading production data and applying data security, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).


Install the SAS Strategic Performance Management Migration Wizard (Optional)

If you are migrating data from an earlier release of SAS Strategic Performance Management, you should install and run the Migration Wizard. For instructions, refer to "SAS Strategic Performance Management Migration Wizard" on page 139.

Load Client Applications

After installing the servers, system administrators can install some client applications on the users' systems. Alternatively, users can install these clients themselves. For descriptions of these applications and for installation instructions, see Chapter 14, "Client Installation and Configuration," on page 135.

Configure the J2EE Application Server and Web Applications

After installation and configuration, you can make the following modifications to the J2EE application servers and to the deployed Web applications. The first few modifications are required under certain circumstances. The remaining modifications are optional.

- Deploy themes to a Web server. If you are deploying your applications on WebSphere, you cannot deploy your themes to the same servers that are referencing the themes. You must deploy them to a separate WebSphere instance or to a Web server. For instructions, see "Move Themes to a Web Server" on page 75.
- WebLogic only: Set the Frontend Host parameter for a WebLogic server. This can be particularly important if you are deploying SAS Web Report Studio and SAS Solutions Services on different managed servers.
- WebLogic only: If you have installed SAS Human Capital Management, increase the heap size for the HR managed server. For instructions, see "Startup Scripts" on page 65.
  Note: Do not make this modification for a single-machine installation.
- WebLogic only: Install services to start the managed servers. See "Setting Up Managed Servers as Windows Services" on page 68.
- WebSphere only: Suppress warning messages that occur as the result of data access from a thread that was spawned by an application event (optional). To suppress these warning messages, see "Suppress Warning Messages for Data Access" on page 73.
- Modify timeout values for Web applications. The default timeout is 30 minutes. For instructions about changing this value, see "Set Session Timeout Values" on page 74.
- Make the Winter theme available to portal users. See "Make the Winter Theme Available" on page 75.
- Change the port number for an application server.


  For WebLogic managed servers, see "Changing the Port Number for a Managed Server" on page 69.
- Configure ODCS clustering to improve performance. ODCS clustering is designed to reduce wait time by distributing query processing to additional machines. For more information, see "Using ODCS Clustering to Reduce Wait Time" on page 76.

For additional information about J2EE application administration, see Chapter 6, "J2EE Server Administration," on page 63.

Maintain the System

Synchronize the Server Clocks

If you installed the solutions on more than one server, you should set up a job to synchronize clocks between servers. Otherwise there might be errors when you try to update data, for example, if the target server has a later date or time than the source. Typically, this job should run on a daily basis.

Restart Servers

If you are running SAS Human Capital Management on the BEA WebLogic application server: for best performance, we recommend that you restart the managed servers, as well as the SAS application servers, once a week.

Tune System Performance

The SAS Intelligence Platform: System Administration Guide, SAS Intelligence Platform: Web Application Administration Guide, and SAS Intelligence Platform: Application Server Administration Guide have several topics about performance tuning, for example, for SAS Web Report Studio, for SAS OLAP Server, for the metadata server, and for the workspace servers. These books are available at http://support.sas.com/documentation/configuration/913admin.html. For information about performance tuning for WebLogic or WebSphere, follow the recommendations in Chapter 6, "J2EE Server Administration," on page 63.

Monitor and Maintain Your System

Maintaining your system is a complex set of tasks that cannot be fully described in this book. Here are some references to chapters in this book, as well as other sources of information:

- "Using the Solutions Web Administration Application" on page 99: describes the utilities that are available in the Solutions Web Administration Console.
- "Using Command-Line Diagnostic Tools" on page 106: describes the status, users, UserGroupValidation, StoredProcessValidation, and MailValidation diagnostic utilities.
- Appendix 2, "Log Files," on page 147:


  describes useful log files, some of which might need regular rotation to prevent their becoming too large. For information about controlling the level of information that is logged, see "Configuring Log Files" on page 105.
- Appendix 3, "Troubleshooting," on page 151: describes some common problems and possible courses of action. For information about generating a status report that can be sent to SAS Technical Support, see "Check System Status" on page 107. For information about port numbers, see Appendix 1, "Default Port Usage," on page 143.
- SAS Intelligence Platform: System Administration Guide and SAS Intelligence Platform: Application Server Administration Guide: contain information about maintaining SAS servers, such as the SAS Metadata Server, the SAS Stored Process Server, and workspace servers. These books are available at http://support.sas.com/documentation/configuration/913admin.html.

Check SAS Notes for Additional Information

We strongly recommend that you check the SAS Notes, available on the SAS Technical Support Web site, for additional information and support fixes. To find the available SAS Notes, go to http://support.sas.com/techsup/intro.html, click Advanced Search, and search for the phrase "solutions services".


CHAPTER 3
Planning the Site's Security

About Security 29
Authentication 29
Authorization 30
Server Security and Data Transmission 31
Auditing 32

About Security

SAS Solutions Services and the solutions that use SAS Solutions Services build on the SAS Intelligence Architecture security plan, as described below. You should be familiar with the Security Administration chapters of the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).

Authentication

Authentication is the process of verifying the identity of a person or process within the guidelines of a specific policy. Authentication is a prerequisite for authorization. An authentication provider is a technology that servers or applications can use to verify that users are who they say they are. An implementation of SAS Solutions Services and the solutions uses the authentication providers supported by the SAS Intelligence Platform:

- By default, the authentication provider for a SAS server is the host operating system of the machine on which the server is running. When you request access to a SAS server that is using the default authentication process, the server asks its host environment to verify that your user ID and password correspond to a valid user account in the operating system. This method of verifying identities is called host authentication.
- At many sites, the host authentication process makes use of LDAP or Active Directory as a back-end authentication mechanism.
- SAS Web applications run on third-party servers that can use a variety of authentication providers. For more information, see the documentation for the third-party server on which your SAS Web applications run.
- SAS Solutions Services and the various solutions applications (such as SAS Financial Management and SAS Strategic Performance Management) are deployed on standard J2EE application servers. These servers might also employ a variety of third-party authentication providers.


- End-user client access to the solutions typically involves authentication to the applications deployed on the J2EE application server. By default, the applications are configured to pass user authentication on to the SAS Metadata Server.

For more information about authentication providers, see "Understanding Authentication" and "Customizing the Authentication Configuration" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). For information about the metadata identities that must be created for SAS Solutions Services, see Chapter 4, "Authentication and User Security," on page 33.

Authorization

Authorization is the process of determining which users have which permissions for which resources. The outcome of the authorization process is an authorization decision that permits or denies a specific action on a specific resource, based on the requesting user's identity and group memberships. It is important to understand how authorization works in the SAS Intelligence Platform and with SAS Solutions Services. Authorization enables you to perform the following activities:

- manage access to resources across multiple authorization layers
- define an effective, manageable set of access controls in the metadata authorization layer

The SAS Intelligence Platform uses an authorization facility to control user access to repositories and to specific metadata in those repositories. The authorization facility is a subsystem of the SAS Metadata Server that returns authorization decisions based on access controls that are in the metadata. To secure a metadata resource, you must create authorization metadata and associate it with your resource metadata. The authorization metadata defines who can do what to a given resource. The secured resources can be both metadata and the actual computing resources represented by the metadata.

The SAS Metadata Server enforces ReadMetadata, WriteMetadata, and CheckinMetadata permissions on resources. The authorization facility also provides a mechanism by which client applications can request authorization decisions on other actions, which include Create, Delete, Read, Write, and Administer permissions. Applications use the authorization facility to obtain a user's authorization to perform an action defined by the application. In this way, it is the responsibility of the application to request and enforce authorization decisions.

In order to effectively secure a site's enterprise metadata, an administrator must understand these concepts:

- the authorization facility
- the default security provided by the metadata server
- the way in which the authorization facility makes authorization decisions
- the options that are available for securing metadata

In addition, the administrator needs to know the security requirements that SAS Solutions Services and related SAS applications might have that are enforced via metadata. In particular:

- The SAS Intelligence Platform provides the ability to secure data such as tables and columns via metadata security. The authorization facility of the SAS Metadata Server evaluates and enforces specific metadata layer permissions. There are three basic types of access controls that you can use to set permissions in the metadata authorization layer, including:


3 direct access controls 3 inherited access controls 3 repository-level access controlsSAS Solutions Services installs a set of direct access controls to dene permissions to the tables in the SAS Detailed Data Store and the SAS Solutions Data Mart. In addition, a site can further secure access to tables and other metadata objects using the Authorization Manager plug-in for SAS Management Console. For more information about setting those permissions, see the online Help for SAS Management Console.

* In addition to data resources, a SAS Intelligence Platform deployment can include one or more custom trees that you can use to organize and manage access for certain resources. In SAS Solutions Services, Document Manager has a default folder, Documents, that serves as the root level of the site's content within a repository. Below that folder are three additional default folders: SAS Content, Shared Documents, and Users. Within this content tree, each folder inherits the effective permissions of its parent folder. For more information about security for these folders, see "Organizing Content" on page 52.

* The actions allowed on a particular metadata-defined content type are determined by the metadata authorization facility based on role assignments. SAS Solutions Services provides two other authorization mechanisms that extend the authorization capabilities of the SAS Metadata Server:
  - For some forms of table access, row-level security is provided via information that is stored in a separate table in the Solutions Data Mart. Modifying this security information is a customization.
  - Application objects that are represented by data in the Solutions Data Mart are secured by means of an extended object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies). This facility is shared by SAS Solutions Services and applications such as SAS Financial Management and SAS Strategic Performance Management. For detailed information about applying this object-based security, see the documentation for the solutions.

The ability of users to perform a particular action is determined not only by these metadata-based access controls, row-level security schemes, and application-level authorization, but also by external authorization mechanisms such as operating system permissions and database controls. In order to perform a particular action, a user must have the necessary permissions in all of the applicable authorization layers; a grant in one layer does not override a denial in another. For additional information about authorization in the SAS Intelligence Platform, see the SAS Intelligence Platform: Security Administration Guide.

Server Security and Data Transmission

The third major area of security deals with securing servers and encryption. Sending unsecured data exposes it to various risks. How do you protect data transmissions? The SAS Intelligence Architecture and SAS Solutions Services make it easy for you to distribute critical information to key decision-makers while ensuring that this critical information does not fall into the wrong hands. However, this distributed model often requires more than application-level authorization and data security. It is also important to consider how access to physical servers is configured.

In general, the solutions are designed for use inside a corporate firewall. Because much of the data deals with particularly sensitive information, an organization typically deploys a firewall at appropriate network gateways to protect the resources of its private network from users of other networks. This private network (or intranet) enables an enterprise to provide its workers with access to protected data resources.

As organizations distribute the business intelligence found in their data, there is an increased need to ensure the confidentiality of business transactions over a network and within an enterprise. SAS Solutions Services makes available a number of data security technologies from SAS and from third parties to further protect data and credentials (such as user IDs and passwords) that are exchanged in a networked environment. Fundamental to these technologies is the use of proven, industry-standard encryption algorithms for data protection. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. Although encryption protects data in transit, it does not by itself prevent unauthorized access to data; it complements, rather than replaces, authentication and authorization. For more information about these security mechanisms, see Chapter 9, "Server Security and Encryption," on page 113.

Auditing

It is not enough to protect data resources and applications by prohibiting access by unauthorized users. A good security system must also provide a record that indicates who has accessed an application or resource and what operations he or she has performed during a given period of time. Such records are known as audit trails, and they are useful not just in maintaining security but also in identifying the process by which information is routed through the system. SAS Solutions Services provides several mechanisms for producing audit trails and user history, including a common user history mechanism in SAS Solutions Services that is used by the solutions (see "View an Audit Trail for a User" on page 103). The solutions have the capability to extend the auditing capabilities of SAS Solutions Services. For more information about those auditing capabilities, see the documentation for the solutions. In addition, SAS Solutions Services uses the auditing capabilities provided by SAS Data Integration Studio. For more information about these features, see the online Help for SAS Data Integration Studio.

Chapter 4
Authentication and User Security

Contents:
* Overview of Authentication and User Security 33
* Group Membership: What Can I See? 34
  - About Groups 34
  - How Content Permissions Are Enforced 34
* Role Membership: What Can I Do? 34
  - About Roles 34
  - Groups and Roles: An Example 34
  - How Roles Are Defined 35
  - How Role Permissions Are Enforced 36
* Default Users and Groups 36
  - Default Users 36
  - Default Groups 38
* Determining Group and Role Assignments 40
  - Overview of Group and Role Assignments 40
  - Assign a Solutions-Wide Group 40
  - Assign Custom Groups 41
  - Assign a Solutions-Wide Role 42
  - Assign SAS Strategic Performance Management Roles 42
  - Assign SAS Financial Management Roles 43
    - SAS Financial Management Studio 43
    - SAS Financial Management 44
    - Excel Reports 46
    - Stored Process Reports 46
  - Assign SAS Human Capital Management Roles 46
  - Assign SAS Web Report Studio Roles 47
  - Assign SAS Data Integration Studio Groups and Roles 48
* Registering Users 48
  - About Registering Users 48
  - Bulk Loading Users and Groups 49
  - Synchronizing Users, Groups, and Roles 49
  - Synchronizing Data Tables 49
  - Creating Group Permission Trees for the Portal 50

Overview of Authentication and User Security

A metadata identity is created when you define an individual user or group in the User Manager plug-in to the SAS Management Console, or when you import user and group definitions from an enterprise source by using SAS bulk-load macros. The authorization facility uses identity metadata to define who is granted or denied permission to access a resource.

The SAS Intelligence Platform and SAS Solutions Services require a specific set of users that are created and configured during the deployment process. These users are described in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). The users of a solutions application, however, are typically the business users in a particular domain, such as finance. A site's administrator must load all of the appropriate information for each user who requires access to the solutions application. This chapter describes the default metadata identities representing users, groups, and roles required by SAS Solutions Services, as well as the identities that need to be created on site. For background information about authentication and authorization, see "About Security" on page 29.

Group Membership: What Can I See?

About Groups

Grouping users is a way of simplifying the process of authorizing access to content. Typically, you create a folder structure on-site that best fits the site's needs, and you assign permissions to read, write, delete, and administer that content. After you define a group of users, you can assign permissions to the group rather than to individual users. Default groups are configured in the installation processes of both the SAS Intelligence Platform and the solutions. These default groups are described in "Default Users and Groups" on page 36. On site, you create additional custom groups, and you assign users to the default and the custom groups, as described in "Determining Group and Role Assignments" on page 40 and "Registering Users" on page 48.

How Content Permissions Are Enforced

Content permissions are enforced by the metadata server. They can be assigned in the Document Manager or in the SAS Management Console. For instructions and an example, see "Defining Security Authorization for Content" on page 55. For more information about the way the metadata server enforces these permissions, see "Understanding Authorization" in the SAS Intelligence Platform: Security Administration Guide.

Role Membership: What Can I Do?

About Roles

In SAS Solutions Services, roles are predefined on the basis of functionality that the user can perform in each solution. It is important to understand the difference between groups and roles, and the privileges that each conveys. Simply put, your group membership determines which content you have access to, whereas your role assignments determine which actions you can perform with this content.

Note: Unlike groups, roles are not hierarchical; they do not inherit properties from other roles. Roles should be assigned to individual users, not to groups.

Groups and Roles: An Example

As an example, assume that you belong to a group called Travel, and you are assigned the Information Consumer role. The Travel group has permission to access the contents of a folder called Travel Dept, that is located under Shared Documents.

In the Document Manager, you can see the list of documents in the Travel Dept folder, because of the group permissions attached to that folder and its contents. However, you are an Information Consumer, which by default can view documents but cannot move them. When you open the action menu for a Web document, the list of available actions therefore does not include the Move action.

If you had been assigned the Analyst or System Administrator role instead, the action menu for the same document would include the Move action.

How Roles Are Defined

In the SAS Management Console, a role is defined as a special kind of group. If you open a role's properties, you will see a checkmark in the box that is labeled "Make this group available as a Role for applications".

During the solutions installation process, a set of default roles is defined. The Solutions Role Administrator is a member of all roles, and the SAS Demo User is a member of several of the roles. In addition to the default mappings, you must add site-created users to some of these roles. For more information, see "Determining Group and Role Assignments" on page 40.

Note: Best practice suggests that roles not be added on-site unless they are for extensions that are added specifically for that site.

How Role Permissions Are Enforced

Permissions that are based on roles are enforced in two different ways:

* The Document Manager enforces the permissions that are set in the metadata repository. For each content type, such as WebDocument, ExcelReport, or StoredProcessReport, there is a defined set of actions, such as Move, AddtoPortlet, and Comment. Roles are granted permission to perform various actions based on content type. In "Groups and Roles: An Example" on page 34, the permissions are set on the Move action for the WebDocument content type. If a user has one role that grants an action for a particular content type and another role that denies the same action, then the least restrictive permission applies (the grant wins). If a user is directly granted or denied permission to perform an action, then the user's grant or denial applies, regardless of any roles the user might belong to.

* In the solutions, roles are enforced by the application. Each application determines the functionality that is permitted to various roles. It is not possible to modify role permissions in applications.
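The following Python model is added here as an illustration; it is not code from this guide, from the SAS Metadata Server, or from the Document Manager. It puts together the two decisions this chapter separates: the group-based "what can I see?" decision (ReadMetadata on a content tree with direct, inherited, and repository-level controls, as described under "Authorization" in Chapter 3 and "How Content Permissions Are Enforced" above) and the role-based "what can I do?" decision with the precedence rule just stated, and then requires both, since a user needs the permission in every applicable layer. The folder names, the group and role tables, the identity-precedence order (the user, then groups the user is directly in, then groups reached through those, then SASUSERS, then PUBLIC), the deny-wins rule for conflicting group controls at one level, and the repository-level default are all assumptions for illustration; the metadata server's actual rules are documented in the SAS Intelligence Platform: Security Administration Guide.

```python
# Added example, not code from the SAS guide: a small model of the two
# decisions this chapter describes.  Group membership answers "what can I
# see?" (ReadMetadata on a content tree) and role membership answers "what
# can I do?" (actions per content type).  Folder names, group/role tables,
# the identity-precedence order and the tie rule are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

GRANT, DENY = "grant", "deny"

# Assumed repository-level control: applies when nothing in the tree matches.
REPOSITORY_DEFAULT = DENY

# Group nesting as the chapter lists it (Administrators is a subgroup of
# Solutions Users); Travel is the example group from "Groups and Roles".
GROUP_PARENTS: Dict[str, set] = {"Administrators": {"Solutions Users"}}


@dataclass
class Node:
    """A folder or document in the Document Manager tree."""
    name: str
    parent: Optional["Node"] = None
    direct: Dict[str, str] = field(default_factory=dict)  # identity -> GRANT/DENY

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def identity_levels(user: str, direct_groups: Iterable[str]) -> List[set]:
    """Assumed precedence: the user, then groups the user is directly in, then
    groups reached through membership, then the implicit SASUSERS and PUBLIC."""
    direct = set(direct_groups)
    indirect, frontier = set(), set(direct)
    while frontier:
        frontier = {p for g in frontier for p in GROUP_PARENTS.get(g, ())} - indirect - direct
        indirect |= frontier
    return [{user}, direct, indirect, {"SASUSERS"}, {"PUBLIC"}]


def decide_here(node: Node, levels: List[set]) -> Optional[str]:
    """Direct controls on one node: the first identity level holding any control
    decides; conflicting controls at the same level resolve to a denial (assumption)."""
    for level in levels:
        found = {node.direct[i] for i in level if i in node.direct}
        if found:
            return DENY if DENY in found else GRANT
    return None


def effective_read(node: Node, user: str, groups: Iterable[str]) -> Tuple[str, str]:
    """ReadMetadata on a node: direct controls win, then controls inherited from
    the nearest ancestor that has any, then the repository-level default."""
    levels = identity_levels(user, groups)
    cur = node
    while cur is not None:
        decision = decide_here(cur, levels)
        if decision is not None:
            return decision, "direct" if cur is node else f"inherited from {cur.path()}"
        cur = cur.parent
    return REPOSITORY_DEFAULT, "repository-level"


# Actions per (role, content type).  The entries are assumed; the shape follows
# the chapter (an Information Consumer can view but not move a WebDocument).
ROLE_ACTIONS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("Information Consumer", "WebDocument"): {"View": GRANT, "Comment": GRANT, "Move": DENY},
    ("Analyst", "WebDocument"): {"View": GRANT, "Comment": GRANT, "Move": GRANT, "AddtoPortlet": GRANT},
    ("System Administrator", "WebDocument"): {"View": GRANT, "Comment": GRANT, "Move": GRANT, "AddtoPortlet": GRANT},
}


def role_action_allowed(user: str, roles: Iterable[str], content_type: str, action: str,
                        user_overrides: Optional[Dict[Tuple[str, str, str], str]] = None) -> bool:
    """Chapter rule: a grant or denial set directly on the user wins regardless of
    roles; otherwise one granting role is enough (least restrictive wins)."""
    override = (user_overrides or {}).get((user, content_type, action))
    if override is not None:
        return override == GRANT
    return any(ROLE_ACTIONS.get((r, content_type), {}).get(action) == GRANT for r in roles)


def authorize(user, groups, roles, node, content_type, action, user_overrides=None) -> Tuple[bool, str]:
    """Both layers must allow: ReadMetadata on the node and the role action."""
    read, source = effective_read(node, user, groups)
    if read != GRANT:
        return False, f"ReadMetadata denied ({source})"
    if not role_action_allowed(user, roles, content_type, action, user_overrides):
        return False, f"ReadMetadata granted ({source}) but {action} not granted by any role"
    return True, f"ReadMetadata granted ({source}); {action} granted"


# Constructed sample tree mirroring the chapter's Travel example.
ROOT = Node("Documents")
SHARED = Node("Shared Documents", ROOT, {"SASUSERS": GRANT})
SAS_CONTENT = Node("SAS Content", ROOT, {"Administrators": GRANT})
TRAVEL = Node("Travel Dept", SHARED, {"Travel": GRANT, "SASUSERS": DENY})
BUDGET = Node("Travel budget", TRAVEL)  # a WebDocument with no direct controls

if __name__ == "__main__":
    for who, groups, roles, action in [
        ("jsmith", {"Travel", "Solutions Users"}, ["Information Consumer"], "View"),
        ("jsmith", {"Travel", "Solutions Users"}, ["Information Consumer"], "Move"),
        ("jsmith", {"Travel", "Solutions Users"}, ["Analyst"], "Move"),
        ("pat", {"Solutions Users"}, ["Analyst"], "View"),
    ]:
        print(who, roles, action, "->", authorize(who, groups, roles, BUDGET, "WebDocument", action))
```

Running the block prints the Travel example: jsmith as an Information Consumer can View but not Move the budget document, as an Analyst can Move it, and pat, who is not in the Travel group, cannot see the document at all even with the Analyst role, because the content-layer denial inherited from the Travel Dept folder is evaluated before any role is consulted. The `user_overrides` argument models the chapter's last rule: a grant or denial placed directly on the user silences the roles.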

Default Users and Groups

Default Users

During installation of the SAS Intelligence Platform, several users are created in the metadata, as shown in the following table.

Table 4.1 Default Users That Are Created during SAS Intelligence Platform Installation

| Metadata Identity     | Login: User ID*             | Default Password | Default Authentication Domain           |
|-----------------------|-----------------------------|------------------|-----------------------------------------|
| SAS Administrator     | domain\sasadm               | AdminAdmin1      | DefaultAuth (see the Xythos note below) |
| SAS Trusted User**    | domain\sastrust             | UserUser1        | DefaultAuth (see the Xythos note below) |
| SAS Guest             | domain\sasguest             | UserUser1        | DefaultAuth                             |
| SAS Demo User         | domain\sasdemo              | DemoDemo1        | DefaultAuth                             |
| SAS Web Administrator | domain\saswbadm or saswbadm | AdminAdmin1      | DefaultAuth                             |

Xythos note: If you use Xythos as your WebDAV server, the authentication domain for sasadm and sastrust should be the same domain as the WebDAV server.

* The Logins column shows the authentication mechanism for each metadata identity. The user IDs should correspond to accounts in your authentication provider. On Microsoft Windows, the user ID in the login should be fully qualified with a host or domain name, for example, myhostname\sassrv. That is the pattern shown in this table.

** The user that is specified as the metadata user in sas.solutions.services.ear/sas.solutions.common.war/WEB-INF/web.xml must have read and write access to all areas of the metadata server. By default, this user is the SAS Trusted User.

The default passwords in this table and in the tables that follow are published and therefore known to anyone with this guide; change them as part of the deployment.

The solutions installation creates additional users. The following table lists those metadata identities and associated information:

Table 4.2 Default Users That Are Created during SAS Solutions Services Installation

| Metadata Identity             | Login: User ID  | Default Password | Default Authentication Domain | Notes |
|-------------------------------|-----------------|------------------|-------------------------------|-------|
| Solutions Installer           | domain\slninstl | AdminAdmin1      | DefaultAuth                   | The slninstl user account must exist on the data-tier machine and must belong to the machine's Administrators group and SAS Server Users group. |
| Solutions Role Administrator* | domain\slnadm   | AdminAdmin1      | DefaultAuth                   | The slnadm user account must exist on the machine where the metadata server is located, and must be a member of the machine's SAS Server Users group. This identity should not be used to log on to the portal. |

* The Solutions Role Administrator is a system user that should always be a member of all roles that are created by the solutions. It is used for cases in which a user must perform a query as a part of a larger process, but the query requires a role that the user does not generally need. Rather than requiring that the user be assigned that role, the application recognizes the Solutions Role Administrator as a user with the proper role in order to successfully complete the process.

Note: There are three special user identities that are cached when the J2EE application server is started: SAS Trusted User, SAS Administrator, and Solutions Role Administrator. Changes to these users in the SAS Management Console do not take effect until the J2EE application server is restarted. This applies to changes that remove privileges as well as to changes that add them, so plan a restart whenever you change these accounts. Other user identities are loaded from the metadata repository when the user logs on to the portal.

The SAS Intelligence Platform describes a small set of required users. Typically, there are many solutions users. For more information, see "Determining Group and Role Assignments" on page 40.

Default Groups

The SAS Intelligence Platform configuration creates several default groups in the metadata:

* SAS System Services
* SAS General Servers
* Portal Admins
* Portal Demos

In addition, there are two implicit groups: SASUSERS (which includes all users who have a metadata identity) and PUBLIC (which includes all users who can access the metadata server). For more information about these groups, see "Standard Group Metadata Identities" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). The following table lists these group metadata identities, their logins, and default members.

Table 4.3 Groups That Are Created during SAS Intelligence Platform Configuration

| Group                 | Login: User ID | Default Password | Default Authentication Domain | Default Members                          |
|-----------------------|----------------|------------------|-------------------------------|------------------------------------------|
| SAS System Services   | (none)         |                  |                               | SAS Trusted User*, SAS Web Administrator |
| SAS General Servers** | domain\sassrv  | UserUser1        | DefaultAuth                   | SAS Trusted User                         |
| Portal Admins         | (none)         |                  |                               | SAS Web Administrator, SAS Trusted User* |
| Portal Demos          | (none)         |                  |                               | SAS Demo User                            |

* The SAS Trusted User identity should not be used to log on to the portal.

** There is no metadata identity for the SAS General Server user (sassrv). It is the account used by the object spawner to launch stored process servers and requires "Log on as a batch job" rights.

The solutions installation configures an additional set of groups:

* Solutions Users is the base group for all solutions users.
* Administrators is a subgroup of Solutions Users.
* The MYSQL Users group is used to grant access to users who run stored processes and ETL processes that reference MYSQL tables.

The following table lists these group metadata identities, their logins, and default members. In addition to the default mapping, you must add site-created users to some of the solutions groups. For more information, see "Assign a Solutions-Wide Group" on page 40.

Table 4.4 Groups That Are Created during SAS Solutions Services Installation

| Group              | Login: User ID  | Password    | Authentication Domain | Default Members                                                     | Notes |
|--------------------|-----------------|-------------|-----------------------|---------------------------------------------------------------------|-------|
| Administrators     | (none)          |             |                       | SAS Trusted User, Solutions Installer                               |       |
| Solutions Users    | domain\sasspusr | UserUser1   | SpAuth                | Administrators group, SAS Demo User, Solutions Role Administrator   |       |
| MYSQL Users        | sqladmin        | AdminAdmin1 | MysqlAuth             | SAS Demo User, Solutions Installer, SAS General Servers             |       |
| HR                 | (none)          |             |                       | (none)                                                              | Members of this group have superuser access to HCM tables. There are no default members. |
| Finance, SPM Users | (none)          |             |                       | (none)                                                              | These are example groups. They have no default permissions assigned. |

There is no metadata identity for sasspusr (the SAS Stored Process user). It is the account used to authenticate to the stored process server. This user exists on the stored process physical server and requires "Log on as a batch job" user rights; this user should have no access to data. With SAS Solutions Services, the stored process server is configured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with the user's own login or via a group login. A group login is one operating system account shared by every member of the group, so keeping that account free of data access, as stated above, is what limits what a stored process can reach through it.

If you are installing other applications in addition to the solutions, and you do not want the users of those applications to be members of the Solutions Users group, you can create a similar group and stored process user. Follow these instructions:

1. On the stored process physical server, create a user (for example, sasspusr2). This user should have no access to data.
2. If this is a Windows installation, grant this user the "Log on as a batch job" right.
3. Log on to SAS Management Console as the administrative user (sasadm).
4. In the User Manager, create a group (for example, Stored Process Users).
5. On the Logins tab for this group, add a login for sasspusr2. Enter the user name and password that you created in Step 1. For the authentication domain, select SPAuth.
6. Add your users to the Stored Process Users group.

Alternatively, you can give each user a login on the stored process physical server. Follow the same criteria as for the group login. Then add the login to the user's properties in SAS Management Console.

Determining Group and Role Assignments

Overview of Group and Role Assignments

At each site, the system administrator creates metadata identities (user IDs) for each end user, defines the user's authentication login, and assigns the user to the appropriate groups and roles. As a part of the planning process, you must determine the following information:

* the authentication mechanisms to be used. Each solutions user is required to have a login to verify that he or she is authenticated. For the most current information regarding these mechanisms, see "Understanding Authentication" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
* the set of users, groups, and roles, and the mapping between them.

Assigning groups and roles consists of these tasks:

1. Assign each user to a solutions-wide group.
2. Create custom groups for the site, and then assign users to those groups.
3. Assign each user to a solutions-wide role for Document Manager access.
4. Assign each user to one or more domain roles, for example, roles for SAS Financial Management or roles for SAS Human Capital Management.
5. Optionally, assign SAS Web Report Studio roles.
6. Optionally, create additional SAS Data Integration Studio users by assigning the necessary groups and roles.

Each of these tasks is described in the remainder of this chapter.

Note: Some roles appear in more than one place; for example, the Analyst role applies to the Document Manager and to each of the solutions. This is the same role, but the functionality it confers depends on the application that is being used.

Assign a Solutions-Wide Group

Assign each user to one, and only one, of the groups that are described in the following table:

Table 4.5 Solutions-Wide Groups

Solutions Users
  The base group for all solutions users. Members of this group are able to access the Document Manager, are configured to run solutions stored processes, and have default portal customization capabilities. Any user who will log on to the portal to run solutions applications must belong to the Solutions Users group or to a subgroup of Solutions Users.

Administrators
  A subgroup of Solutions Users. In the Document Manager, the SAS Content folder in each repository is accessible to Administrators. This folder contains standard reports and stored processes that are provided with the solutions. Administrators can also open the Solutions Web Administration application. In SAS Financial Management, members of the Administrators group have special superuser privileges that enable full access to SAS Financial Management objects (cycles, result models, and composite results). Permissions on these objects are ignored for users in the Administrators group. (These special privileges apply only to these objects, not to cell data. There is no superuser for data-level security in SAS Financial Management.) For details,