You can also use Integrated Windows authentication to provide direct connections to
OLAP servers (for example, from a data provider) when there is no active connection to
the metadata server.
Overview of Initial Users
During installation, several initial user accounts are created. Some of these accounts are
created for all installations, some are optional, and some are created only if certain
software components are installed. The required users include the following:
• The SAS Administrator account and the SAS Trusted User account. These users are
generally set up as internal accounts, which exist in metadata but are not known to
the host machine. The SAS Administrator account has access to all metadata,
regardless of SAS permissions settings. The SAS Trusted User is a privileged service
account that can act on behalf of other users when connecting to the metadata server.
• The SAS Spawned Servers account and the SAS Installer account, which must be
defined in the operating system of certain server machines. The SAS Spawned
Servers account is the initially configured process owner for pooled workspace
servers and stored process servers. The SAS Installer account is used to install and
configure SAS software. On UNIX and z/OS systems, this account is also the owner
of configuration directories and their contents and is the process owner for items
such as the metadata server, the OLAP server, and the object spawner.
Other initial users include the LSF Administrator and LSF User, which are required if
Platform Suite for SAS is installed. In addition, the SAS Anonymous Web Service User
is an optional account that is used to grant clients access to applicable SAS Web
Infrastructure Platform components. Most installations set up this user as an internal
account, which exists in metadata but is not known to the host machine.
SAS offers encryption features to help you protect information on disk and in transit.
When passwords must be stored, they are encrypted or otherwise encoded. Passwords
that are transmitted by SAS are also encrypted or encoded. You can choose to encrypt all
traffic instead of encrypting only credentials.
If you have installed SAS/SECURE, you can use an industry standard encryption
algorithm such as AES. SAS/SECURE offers maximum protection, including support of
the Federal Information Processing Standard (FIPS) 140-2 encryption specification. If
you have not installed SAS/SECURE, you can use the SASProprietary algorithm to help
Security Reporting and Logging Overview
Security reporting creates a snapshot of metadata layer access control settings. SAS
provides the %MDSECDS autocall macro to enable you to easily build data sets of
permissions information. You can use those data sets as the data source for security
reports. You can also identify changes in settings by comparing data sets that are
generated at different times.
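The snapshot comparison described above, as an added example that is not SAS code or part of the original guide: it diffs two permission snapshots taken at different times and flags the changes that widen access. It assumes each snapshot was exported to CSV; the column names and sample rows are constructed for illustration and are not the documented layout of the %MDSECDS output tables.

```python
import csv
import io

# Constructed sample snapshots. The column names are assumptions for this
# example, not the documented layout of the %MDSECDS output tables.
SNAPSHOT_OLD = """object,identity,permission,effective
/Shared Data/Finance,PUBLIC,ReadMetadata,Denied
/Shared Data/Finance,Finance Analysts,ReadMetadata,Granted
/Shared Data/Finance,Finance Analysts,WriteMetadata,Denied
/Shared Data/HR,HR Staff,ReadMetadata,Granted
"""

SNAPSHOT_NEW = """object,identity,permission,effective
/Shared Data/Finance,PUBLIC,ReadMetadata,Granted
/Shared Data/Finance,Finance Analysts,ReadMetadata,Granted
/Shared Data/Finance,Finance Analysts,WriteMetadata,Denied
/Shared Data/HR,Contractors,ReadMetadata,Granted
"""

def load_snapshot(text):
    """Map (object, identity, permission) -> effective setting."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["object"], r["identity"], r["permission"]): r["effective"] for r in rows}

def diff_snapshots(old, new):
    """Return sorted (kind, key, old_value, new_value) tuples for every change."""
    changes = []
    for key in old.keys() | new.keys():
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        changes.append((kind, key, before, after))
    return sorted(changes, key=lambda c: (c[1], c[0]))

def widened_access(changes):
    """Changes that leave an identity with a grant it did not have before."""
    return [c for c in changes if c[3] == "Granted" and c[2] != "Granted"]

if __name__ == "__main__":
    changes = diff_snapshots(load_snapshot(SNAPSHOT_OLD), load_snapshot(SNAPSHOT_NEW))
    for kind, key, before, after in changes:
        print(f"{kind:8} {' | '.join(key)}: {before} -> {after}")
    print("review first:", [c[1] for c in widened_access(changes)])
```

Rows that only narrow access (a removed grant, or a grant that became a denial) still appear in the full diff but are left out of the review-first list.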
58 Chapter 7 • Security Overview