About This Document | vii |
What's New in Security Administration in SAS 9.3 | ix |
Accessibility | xiii |
Recommended Reading | xv |
Part 1 Fundamentals | 1 | (36)
Chapter 1 Security Overview | 3 | (6)
Introduction to Security Features | 3 | (1)
| 3 | (1)
Support for Single Sign-On | 4 | (1)
Auditing of Security Events | 4 | (1)
Metadata-Based Authorization | 5 | (1)
Support for Authorization Reporting | 6 | (1)
Role-Based Access to Application Features | 6 | (3)
Chapter 2 User Administration | 9 | (14)
About User Administration | 9 | (2)
| 11 | (1)
| 12 | (1)
| 13 | (2)
| 15 | (2)
| 17 | (1)
| 18 | (1)
| 18 | (2)
| 20 | (1)
| 21 | (2)
Chapter 3 Access Management | 23 | (6)
| 23 | (2)
Basics of Metadata Authorization | 25 | (2)
WriteMetadata and WriteMemberMetadata | 27 | (1)
Review: Key Points about Authorization | 27 | (2)
| 29 | (8)
About Security Task Instructions | 29 | (1)
Create Metadata User Definitions | 29 | (2)
Update a Managed Password | 31 | (3)
Unlock an Internal Account | 34 | (1)
| 35 | (2)
Part 2 Authorization | 37 | (54)
Chapter 5 Authorization Model | 39 | (22)
| 39 | (1)
Three Levels of Granularity | 40 | (1)
Two Relationship Networks | 40 | (2)
| 42 | (2)
Permissions by Object Type | 44 | (4)
| 48 | (4)
| 52 | (1)
| 53 | (1)
Fine-Grained Controls for Data | 54 | (6)
Use and Enforcement of Each Permission | 60 | (1)
Chapter 6 Permissions on Folders | 61 | (12)
| 61 | (2)
Example: Business Unit Separation | 63 | (1)
Variation 1: Regional Separation, Designated Content Creators | 64 | (3)
Variation 2: Functional Separation | 67 | (2)
Key Points about the Baseline ACT Approach | 69 | (1)
Further Considerations for Permissions on Folders | 70 | (3)
Chapter 7 Permissions on Servers | 73 | (8)
Protect Server Definitions | 73 | (3)
| 76 | (5)
Chapter 8 Security Report Macros | 81 | (10)
Overview of Authorization Reporting | 81 | (1)
| 82 | (3)
Additional Resources for Building Authorization Data Sets | 85 | (2)
| 87 | (4)
Part 3 Authentication | 91 | (76)
Chapter 9 Authentication Model | 93 | (14)
Introduction to the Authentication Model | 93 | (1)
Authentication to the Metadata Server | 94 | (2)
Authentication to Data Servers and Processing Servers | 96 | (1)
| 97 | (2)
| 99 | (2)
| 101 | (2)
| 103 | (1)
PUBLIC Access and Anonymous Access | 104 | (3)
Chapter 10 Authentication Mechanisms | 107 | (22)
Introduction to Authentication Mechanisms | 107 | (1)
| 108 | (2)
Direct LDAP Authentication | 110 | (1)
| 111 | (2)
Integrated Windows Authentication | 113 | (2)
Pluggable Authentication Modules (PAM) | 115 | (1)
SAS Internal Authentication | 116 | (2)
| 118 | (1)
| 119 | (2)
| 121 | (1)
| 121 | (3)
Summary of Methods for LDAP Integration | 124 | (1)
Summary for Single Sign-On | 125 | (1)
| 126 | (3)
Chapter 11 Authentication Tasks | 129 | (22)
How to Facilitate Authentication | 129 | (2)
How to Configure SAS Token Authentication | 131 | (1)
How to Configure Web Authentication | 132 | (1)
How to Configure Direct LDAP Authentication | 133 | (3)
How to Configure Integrated Windows Authentication | 136 | (6)
How to Store Passwords for the Workspace Server | 142 | (1)
How to Store Passwords for a Third-Party Server | 143 | (1)
How to Change Internal Account Policies | 144 | (3)
How to Reduce Exposure of the SASTRUST Password | 147 | (1)
About the Workspace Server's Options Tab | 148 | (3)
Chapter 12 Server Configuration, Data Retrieval, and Risk | 151 | (16)
| 151 | (1)
| 152 | (1)
| 153 | (4)
Host Access to SAS Tables | 157 | (5)
Choices in Workspace Server Pooling | 162 | (5)
Part 4 Encryption | 167 | (16)
Chapter 13 Encryption Model | 169 | (6)
Encryption Strength and Coverage | 169 | (1)
Default Settings for On-Disk Encryption | 170 | (1)
Default Settings for Over-the-Wire Encryption | 170 | (1)
| 171 | (4)
Chapter 14 Encryption Tasks | 175 | (8)
How to Change Over-the-Wire Encryption Settings for SAS Servers | 175 | (3)
How to Increase Encryption Strength for Passwords at Rest | 178 | (1)
How to Increase Encryption Strength for Outbound Passwords in Transit | 178 | (2)
How to Configure SSL between the Metadata Server and an LDAP Server | 180 | (3)
Part 5 Appendix | 183 | (30)
Appendix 1 User Import Macros | 185 | (22)
Overview of User Bulk Load and Synchronization | 185 | (3)
| 188 | (2)
| 190 | (1)
| 191 | (2)
Sample Code for User Synchronization | 193 | (1)
Sample Code for Generic Bulk Load | 194 | (3)
About the Sample Code for UNIX /etc/passwd | 197 | (1)
About the Sample Code for Active Directory | 198 | (2)
Location of the User Bulk Load and Synchronization Macros | 200 | (1)
| 200 | (7)
| 207 | (6)
Checklist for a More Secure Deployment | 207 | (2)
Distribution of Selected Privileges | 209 | (1)
Permission Patterns of Selected ACTs | 210 | (1)
Who's Who in the SAS Metadata | 211 | (2)
Glossary | 213 | (4)
Index | 217 |