Lwspafm4 001 Chap 02

c .
eIn
® itu
t
SASstPlatform n .
Administration: I nFast i o
Track
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r Course Notes
C o t
N
SAS® Platform Administration: Fast Track Course Notes was developed by Sheila Riley and Christine
Vitron. Additional contributions were made by Marty Flis, John Hall, Dave Naden, Gerry Nelson, and
Raymond Thomas. Editing and production support was provided by the Curriculum Development and
Support Department.
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of
SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product
names are trademarks of their respective companies.
SAS® Platform Administration: Fast Track Course Notes
c .
Copyright © 2016 SAS Institute Inc. Cary, NC, USA. All rights reserved. Printed in the United States of
In
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, electronic, mechanical, photocopying, or otherwise, without the prior written
e
t t
permission of the publisher, SAS Institute Inc.
u
Book code E70625, course code SPAFTM3, prepared date 12May2016. SPAFTM3_002
s t i n .
I n t i o
ISBN 978-1-62960-280-6
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
For Your Information iii
Table of Contents
Course Description ..................................................................................................................... vii
Prerequisites .............................................................................................................................. viii
Chapter 1 Reviewing the Platform for SAS® Business Analytics ...................... 1-1
1.1 Exploring the Platform for SAS Business Analytics Overview ....................................... 1-3
c .
Demonstration: Accessing the Classroom Environment ......................................... 1-14
e In
Exercises.................................................................................................................. 1-17
1.2
u t
Exploring the Platform Architecture .............................................................................. 1-23
t
t i .
Exercises.................................................................................................................. 1-32
s n
1.3
I n
Reviewing Platform Administration Tasks .................................................................... 1-34
t i o
Demonstration: Exploring SAS Management Console ........................................... 1-46
S u
Exercises.................................................................................................................. 1-48
A tri b
1.4
t S
Exploring SAS Environment Manager .......................................................................... 1-52
s
Demonstration: Exploring SAS Environment Manager.......................................... 1-61
i g h d i
Exercises.................................................................................................................. 1-67
1.5
y r r e
Solutions ........................................................................................................................ 1-70
o p f o r
Solutions to Exercises ............................................................................................. 1-70
C Chapter 2
2.1
o t Understanding SAS® Metadata and the Metadata Server................. 2-1
Exploring the SAS Metadata Server and Metadata Repositories..................................... 2-3
2.2
N Exercises.................................................................................................................. 2-11
Exploring SAS Metadata Objects .................................................................................. 2-15

Demonstration: Exploring SAS Metadata in SAS Environment Manager ............. 2-27
Exercises.................................................................................................................. 2-34
2.3 Implementing a SAS Metadata Server Cluster .............................................................. 2-39
2.4 Backing Up the SAS Metadata Server ........................................................................... 2-49

Exercises.................................................................................................................. 2-60
2.5 Backing Up the SAS Environment ................................................................................ 2-62

Demonstration: Listing the Deployment Schedule and Using the Backup
Manager in SAS Environment Manager ....................................... 2-71
iv For Your Information
Exercises.................................................................................................................. 2-77
2.6 Solutions ........................................................................................................................ 2-81

Chapter 3 Understanding Initial Authentication and Administering

Users, Groups, and Roles .................................................................. 3-1
3.1 Exploring Initial Authentication to the Metadata Server ................................................. 3-3
c .
In
Exercises.................................................................................................................... 3-8
3.2
u t e
Administering Users and Groups ................................................................................... 3-12
Demonstration: Viewing SAS Environment Manager’s Administration Tab ......... 3-20
i t
Exercises.................................................................................................................. 3-22
t .
3.3
I n s i o n
Exploring Other Authentication Mechanisms and Managing Credentials ..................... 3-28
Exercises.................................................................................................................. 3-38
3.4
S u t
Administering Roles and Administrative Identities ....................................................... 3-40
A tri b
Exercises.................................................................................................................. 3-47
S
3.5
t s
Solutions ........................................................................................................................ 3-50
h i
r i g r e d
p y
Chapter 4
o r
Securing Metadata .............................................................................. 4-1
C o4.1
f
Reviewing Metadata Security .......................................................................................... 4-3
t Demonstration: Exploring the Repository ACT ..................................................... 4-11
4.2N o Exercises.................................................................................................................. 4-19
Exploring Metadata Permissions and ACTs................................................................... 4-24

Demonstration: Identifying Applicable Permissions............................................... 4-34
Exercises.................................................................................................................. 4-37
4.3 Customizing SAS Folders .............................................................................................. 4-44

Demonstration: Securing Folders with ACTs.......................................................... 4-55
Exercises.................................................................................................................. 4-62
4.4 Solutions ........................................................................................................................ 4-73

For Your Information v
Chapter 5 Establishing Connectivity to Data Sources ...................................... 5-1
5.1 Registering Libraries and Tables in Metadata .................................................................. 5-3

Demonstration: Registering SAS Library and Table Metadata in SAS
Environment Manager ................................................................... 5-14
Demonstration: Registering SAS Library and Table Metadata in
SAS Management Console (Optional) .......................................... 5-23
Exercises.................................................................................................................. 5-26
c .
In
5.2 Setting Up Data Access .................................................................................................. 5-29
Exercises.................................................................................................................. 5-38
5.3
u t e
Solutions ........................................................................................................................ 5-45
i t
t .
Chapter 6
n s o n
Monitoring the SAS® Environment with SAS® Environment
I i
6.1
u t
Manager ............................................................................................... 6-1
S
Operating SAS Servers and Spawners ............................................................................. 6-3
S A tri b
Demonstration: Using SAS Environment Manager to Operate Servers and
Spawners ....................................................................................... 6-10
h t i s
Exercises.................................................................................................................. 6-12
6.2
r i g e d
Monitoring a SAS Environment with SAS Environment Manager ............................... 6-15
r
p y Demonstration: Viewing Analyze Pages and Creating an Alert in
o r SAS Environment Manager........................................................... 6-24
C o t fExercises.................................................................................................................. 6-30
6.3
N oExploring SAS Environment Manager Service Architecture......................................... 6-37

Demonstration: Changing Report Parameters in SAS Management Console ........ 6-45
Exercises.................................................................................................................. 6-47
6.4 Solutions ........................................................................................................................ 6-50

Chapter 7 Managing SAS® Compute Servers and Spawners ............................ 7-1
7.1 Understanding SAS Compute Servers ............................................................................. 7-3

Demonstration: Monitoring SAS Servers and Sessions from
SAS Management Console............................................................ 7-19
Exercises.................................................................................................................. 7-21
7.2 Administering Server Logging ...................................................................................... 7-26

vi For Your Information
Demonstration: Viewing Metadata Server Logging in SAS Management

Console .......................................................................................... 7-36
Exercises.................................................................................................................. 7-40
7.3 Solutions ........................................................................................................................ 7-44

Chapter 8 Exploring SAS® Middle Tier ................................................................ 8-1
c .
In
8.1 Reviewing SAS Middle-Tier Architecture ....................................................................... 8-3
Exercises.................................................................................................................. 8-16
8.2
u t e
Monitoring SAS Middle Tier Servers ............................................................................ 8-23
i t
Exercises.................................................................................................................. 8-30
t .
8.3
I n s i o n
High Availability, Authentication, and Secure Communication .................................... 8-34
8.4
S u t
Solutions ........................................................................................................................ 8-45
Chapter 9
S A tri b
Exploring Ongoing Administration Tasks ......................................... 9-1
9.1
h t i s
Updating SAS Software ................................................................................................... 9-3
r i g r e d
Exercises.................................................................................................................. 9-10
9.2
p y r
Finding Resources for SAS Administrators ................................................................... 9-11
o
C o9.3
f
Solutions ........................................................................................................................ 9-16
t Solutions to Exercises ............................................................................................. 9-16
N o
Chapter 10 Learning More ................................................................................... 10-1
10.1 SAS Resources ............................................................................................................... 10-3
10.2 Beyond This Course ....................................................................................................... 10-6

For Your Information vii
Course Description
This intensive training course provides accelerated learning for those students who will administer the
platform for SAS Business Analytics. This course is for individuals who are comfortable with learning
large amounts of information in a short period of time. The SAS® Platform Administration: Metadata
Administration and SAS® Platform Administration: System Administration courses are available to
provide the same type of information in a more detailed approach over a longer period of time.
To learn more…
c .
e In
For information about other courses in the curriculum, contact the SAS
t u t
Education Division at 1-800-333-7660, or send e-mail to training@sas.com.
You can also find this information on the web at http://support.sas.com/training/
t i .
as well as in the Training Course Catalog.
s n
I n t i o
For a list of other SAS books that relate to the topics covered in this
S
A tri
course notes, USA customers can contact the SAS Publishing Department
u
at 1-800-727-3228 or send e-mail to sasbook@sas.com. Customers outside
b
the USA, please contact your local SAS office.
t S s
Also, see the SAS Bookstore on the web at http://support.sas.com/publishing/
i g h d i for a complete list of books and a convenient order form.
y r r e
o p f o r
C o t
N
viii For Your Information
Prerequisites
Before attending this course, it is useful but not required to have experience with the Platform for SAS
Business Analytics. You can gain this experience by attending the Getting Started with the Platform for
SAS® Business Analytics course.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
For Your Information ix
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 1 Reviewing the Platform
for SAS® Business Analytics
1.1 Exploring the Platform for SAS Business Analytics Overview ..................................1-3
c .
Demonstration: Accessing the Classroom Environment ...................................................... 1-14
e In
Exercises .............................................................................................................................. 1-17
t u t
1.2
s i
Exploring the Platform Architecture ..........................................................................1-20
t n .
Exercises .............................................................................................................................. 1-20
1.3
I n t i o
Reviewing Platform Administration Tasks ................................................................1-20
S
A tri b u
Demonstration: Exploring SAS Management Console ........................................................ 1-20
t S
Exercises .............................................................................................................................. 1-20
s
1.4
h d i
Exploring SAS Environment Manager .......................................................................1-20
i g
y r r e
Demonstration: Exploring SAS Environment Manager ........................................................ 1-20
o p f o r
Exercises .............................................................................................................................. 1-20
C
1.5
t
Solutions .....................................................................................................................1-20
o Solutions to Exercises .......................................................................................................... 1-20
N Solutions to Student Activities (Polls/Quizzes) ..................................................................... 1-20

1-2 Chapter 1 Reviewing the Platform for SAS® Business Analytics
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Copyright © 2016, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1.1 Exploring the Platform for SAS Business Analytics Overview 1-3
1.1 Exploring the Platform for SAS

Business Analytics Overview
Objectives
 Compare the two types of SAS installations.
c .
In
 Explore the platform for SAS Business Analytics.
 Identify the different platform applications
and job roles.
u t e
t i t .
I n s i o n
S u t
S A tri b
3
h t i s
r i g r e d
p y Two “Flavors” of SAS
o r
C o t f
With SAS®9, there are two types of SAS installations:
 SAS Foundation
N o
 Platform for SAS Business Analytics
SAS Foundation
Platform for SAS Business

Analytics
4
SAS Foundation is the traditional SAS installation, which enables you to write SAS programs or use
a point-and-click application such as SAS Enterprise Guide to assist with creating programs.
The platform for SAS Business Analytics is enterprise software that uses multiple machines throughout
the organization. This SAS platform consists of applications that help you accomplish the various tasks
for accessing and creating information, as well as performing analysis and reporting.
SAS Foundation
 The SAS windowing environment is used to develop

and run SAS programs.
SAS Enterprise Guide is a point-and-click interface
c .

that can also develop SAS programs.
SAS Studio is a development application for SAS that
e In
t u t
you access through your web browser.
s t i n .
I n t i o
S
A tri b u
5
t S s
g h d i
SAS Studio supports multiple web browsers, such as Microsoft Internet Explorer, Apple Safari, Mozilla
Firefox, and Google Chrome.
i
y r r e
o p f o r
Platform for SAS Business Analytics
t
The Platform for SAS Business Analytics is enterprise
C software with components that exist on multiple machines
o
throughout the organization.
The platform for SAS Business Analytics is also known as the SAS Enterprise Intelligence Platform
and the SAS Intelligence Platform.
The platform for SAS Business Analytics consists of several software offerings, including the following:
 SAS BI Server
 SAS Enterprise BI Server
 SAS Enterprise Data Integration Server (for renewals only) and SAS Data Integration Server
 SAS Data Management (Standard or Advanced)
SAS High-Performance Analytics

c .
SAS High-Performance Analytics is powered by the
strengths of core technologies such as Grid Computing,
e In
t
In-Database Analytics, and In-Memory Analytics.
t i t u .
I n s i o n
S u t
S A tri b
h t i s
7
r i g r e d
p y o r
SAS Grid Computing
C o t f
SAS Grid Manager provides a shared, centrally managed
N o
analytic computing environment that has high availability
and accelerates processing. It provides workload
management to optimally process multiple applications
and workloads to maximize overall throughput.
The Grid
SAS Grid
Manager
…
Set of Servers
SAS In-Database
The SAS In-Database processing integrates SAS
solutions, SAS analytic processes, and third-party
database systems. SAS procedures, DS2 thread
programs, formatted SQL queries, and scoring models
are run inside the database.
SAS Scoring Accelerator: Score data inside the
database using code generated in SAS Enterprise Miner.
c .
In
Base SAS
SAS/ACCESS Executes
to Teradata Query
e
SAS Analytics Accelerator for Teradata: Enables
t
in-database processing for a set of core statistical
and analytic functions to reduce movement of data
t i t u
Teradata
.
between SAS and the database.
I n s Server
i o n
S u t
A tri
SAS In-Memory Analytics
S b
h t i s
The SAS In-Memory Analytics Server divides analytic
processes into manageable pieces and distributes them
r i g r e d
in parallel across a dedicated set of blade servers, either
Hadoop or commercial databases such as Greenplum
p y r
and Teradata.
o
C o t f
N o
10
SAS In-Memory Analytics product solutions are:

 SAS High-Performance Analytics products
 SAS Visual Analytics
 SAS In-Memory Statistics
 SAS Code Accelerator for Hadoop (DS2)
Hadoop is an open-source software framework that provides distributed storage and processing of large
amounts of data. The data is divided into blocks and stored across multiple connected nodes (computers)
that work together.
Data Management
The data management components enable you
to consolidate and manage enterprise data from a variety
of source systems, applications, and technologies.
The software and applications primarily include
the following:
 SAS Data Integration Studio
 SAS Data Quality Server

c .
 DataFlux Data Management Studio
 DataFlux Data Management Server
e In
t u t
s t i n .
11
I n t i o
S
A tri b u
Data management components in SAS enable a data warehouse developer to create and manage metadata
objects that define sources, targets, and the sequence of steps for the extraction, transformation,
t S
and loading of data.
s
i
SAS Data Integration Studio provides a powerful visual design tool for building, implementing, and
i g h
managing data integration processes regardless of data sources, applications, or platforms. An easy-to-
d
manage, multiple-user environment enables collaboration on large enterprise projects with repeatable
r r e
processes that are easily shared. The creation and management of data and metadata are improved with
y r
extensive impact analysis of potential changes made across all data integration processes.
o p f o
SAS Data Quality Server enables you to cleanse data and execute jobs and services on the DataFlux Data
t
Management Server to improve data quality. It is part of a number of SAS software offerings, including
C SAS Data Quality and SAS Data Management.
o
N
SAS Data Quality Solution includes the following features:
 business rule validation – ensures that data meets organizational standards for data quality
and processes.
 data profiling – examines the structure, completeness, and suitability of your information assets.
 data quality – improves the quality of your enterprise information.
 entity resolution – matches data and identifies potential relationships across sources.
 master data management foundation – creates a hub of master data based on a subset of your existing
data through a phased MDM approach.
DataFlux Data Management Studio is a data management suite that combines data quality, data
integration, and master data management. It is the main administrative interface for DataFlux Data
Management Servers, DataFlux Authentication Servers, and other optional components.
DataFlux Data Management Server provides a scalable server environment for large Data Management
Studio jobs. Jobs can be uploaded from Data Management Studio to the Data Management Server where
the jobs are executed.
Advanced Analytics
SAS offers a rich and expansive portfolio of analytic
products. The portfolio includes products for predictive
and descriptive modeling, data mining, text analytics,
forecasting, optimization, simulation, data visualization,
model management, and experimental design.
 SAS Enterprise Miner
 SAS Forecast Server
c .
 SAS Model Manager
 JMP
e In
t u t
s t i n .
12
I n t i o
S
A tri b u
SAS Enterprise Miner enables analysts to create and manage data mining process flows. These flows
include steps to examine, transform, and process data to create models that predict complex behaviors
t S
of economic interest. The SAS Intelligence Platform enables SAS Enterprise Miner users to centrally
store and share the metadata for models and projects. In addition, SAS Data Integration Studio provides
s
i g h d i
the ability to schedule data mining jobs.
SAS Forecast Server enables organizations to plan more effectively for the future by generating
r r e
large quantities of high-quality forecasts quickly and automatically. This solution includes the
y r
SAS High-Performance Forecasting engine, which selects the time series models, business drivers,
o p f o
and events that best explain your historical data, optimizes all model parameters, and generates high-
quality forecasts. SAS Forecast Studio provides a graphical interface to these high-performance
C t
forecasting procedures.
o
SAS Model Manager supports the deployment of analytical models into your operational environments.
N
It enables registration, modification, tracking, scoring, and reporting on analytical models that have been
developed for BI and operational applications.
JMP is interactive, exploratory data analysis and modeling software for the desktop. JMP makes data
analysis—and the resulting discoveries—visual and helps communicate those discoveries to others.
JMP presents results both graphically and numerically. By linking graphs to each other and to the data,
JMP makes it easier to see the trends, outliers, and other patterns that are hidden in your data.
SAS Business Intelligence

The business intelligence components enable users
with various needs and skill levels to create, produce,
and share their own reports and analyses.
The software tools in the business intelligence category
address two main functional areas: information design
and self-service reporting and analysis.
c .
In
SAS Enterprise
BI Server
SAS Business
Intelligence
u t e SAS Office
Analytics
t i t .
SAS Visual
Analytics
13
I n s i o n
S u t
The SAS platform applications were created to organize the functions of various job roles into
A tri b
the different applications. Instead of having one large client application that does everything for all people
S
across the organization, there are several applications to accomplish these tasks.
t s
Some of the applications are installed on each user’s machine; others are accessed using a Web browser.
h i
i g
SAS Add-In for
r
Microsoft Office
r e d The SAS Add-In for Microsoft Office enables business users to
transparently leverage the power of SAS analytics, reporting, and data
p y o r access directly from Microsoft Office via integrated menus and toolbars.
C o f
SAS BI Dashboard
t
SAS BI Dashboard is a point-and-click dashboard development application
that enables the creation of dashboards from a variety of data sources to
N o
SAS Data
surface information visually.
SAS Data Integration Studio enables a data warehouse developer to create

Integration Studio and manage metadata objects that define sources, targets, and the sequence
of steps for the extraction, transformation, and loading of data.
SAS Enterprise SAS Enterprise Guide provides a guided mechanism to exploit the power
Guide of SAS and publish dynamic results throughout the organization. SAS
Enterprise Guide can also be used for traditional SAS programming.
SAS Information The SAS Information Delivery Portal is a Web application that can surface
Delivery Portal the different types of business analytic content such as information maps,
stored processes, and reports.
SAS Information SAS Information Map Studio is used to build information maps, which
Map Studio shield business users from the complexities of the underlying data by
organizing and referencing data in business terms.
SAS Management SAS Management Console provides a single interface for administrators to
Console manage the metadata and servers in the SAS platform. Specific
administrative tasks are supported by plug-ins to the SAS Management
Console.
SAS OLAP Cube SAS OLAP Cube Studio is used to create OLAP cubes, which are
Studio multidimensional structures of summarized data. The Cube Designer
provides a point-and-click interface for cube creation.
c .
In
SAS Web Report SAS Web Report Studio provides intuitive and efficient access to query and
Studio reporting capabilities on the Web.

u t e
The applications listed above are not all of the applications available with the SAS platform.
t i t .
SAS Visual Analytics
I n s i o n
S
offerings from SAS.
u t
SAS Visual Analytics is one of the business intelligence
A tri b
This diagram shows a typical distributed deployment
S
of SAS Visual Analytics.
h t i s
r i g r e d
p y o r
C o t f Can be installed on
a separate machine
14
N o Not part of
Visual
Analytics
SAS Visual Analytics is a web-based product that leverages SAS high-performance analytics technologies
to enable organizations to explore data of any size. The SAS Visual Analytics infrastructure includes some
of the same software components that are included in the SAS platform. However, SAS Visual Analytics
is installed in a dedicated environment that includes specialized hardware and its own instances of
SAS software and servers.
SAS Solutions
SAS Business Solutions leverage traditional strengths
of SAS in data management and data analysis into
cross-functional, as well as vertically specific, analytic
application areas:
 Manage credit risk in financial services
 Develop, execute, and manage drug trials to market

in life sciences
c .
 Identify cross-sell opportunities in retail
e
 Forecast demand to predict outcomes in manufacturing In
 Prevent fraud in insurance
t u t
 Monitor transactions for money laundering
t i .
and terrorist financing activities in banking
s n
15
I n t i o
S
A tri b
SAS Platform Job Roles
u
t S s
There are five high-level job roles for users
i g h d i
of the platform for SAS Business Analytics:
e
 platform administrator
y r r r
 data integration developer
 data quality steward
o p f o
 power user
Platform
Administrator
C t
 information consumer
o
Data
Information
Integration
Developer Consumer
N Who are the users in

your environment? Platform for
SAS Business
Analytics
Data Quality
Power User
Steward
16
16
Data integration developers collect, cleanse, and store the data required for reporting and analysis.
Data quality stewards profile data for inconsistencies, apply various data-cleansing techniques, and
monitor data to ensure that it is usable for reporting and analysis.
Information consumers of the SAS platform use point-and-click applications to access existing
information and to create ad hoc reports and analyses.
Power users of the SAS platform understand not only their organization’s data, but also the applications
that are required to create reports and analyses that are suitable for information consumers.
Classroom Environment
The classroom environment consists
of a two-machine collection of a
SAS deployment. sasserver
sasclient
Windows 2008 Server
c .
e In
t u t sasserver
s t i n .
17
I n t i o Linux Server
S
A tri b u
Accessing Your Deployment Collection
t S s
Use Remote Desktop Connection to log on to the
i g h d i
Windows client machine with an ip address. Use the
following credentials:
y r r e
o p f o r
id: Student
pw: Metadata0
C o t
N
18
Accessing Your Server Machine

From your client (sasclient) machine, use mRemoteNG
to access your sasserver machine. Select sasserver from
the left side of the mRemote window. You will
automatically be logged on with the SAS installer
credentials.
c .
e In
t u t
s t i n . Linux Server
19
I n t i o
Windows 2008 Server
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Accessing the Classroom Environment
This demonstration illustrates how to access your two-machine collection and verify that the SAS servers
are started.
1. Use the remote desktop connection to log on to the classroom environment, with the ip address that
is given to you. Use these credentials:
User: Student
c .
Password: Metadata0
e In
t
2. Connect to the server machine and check the status of SAS Servers.
1.
For Windows Server
t i t u .
Use mRemoteNG as a terminal session to the Windows server. A connection to
I s i o n
sasserver.demo.sas.com is set up in mRemoteNG, using the install account sas and password
n
Student1. Double-click the connection.
S u t
S A tri b
h t i s
r i g r e d
p y 2.
r
Click the Services button in the system tray. With Services selected, scroll down to the
o
SAS services. Verify that the status for all the SAS services is Started.
C o t f
N o
 In a typical deployment, the Windows services would have a start-up type of

Automatic. The classroom image uses a batch file to start services.
3. If the SAS services are not started, open a CMD window under Start  Command Window.
4. Enter the d: command.
5. Enter cd \thirdparty\scripts.
6. Enter stopSAS.
c .
This displays the services that are being stopped. A message is displayed when the script is
done.
e In
7.
u t
Start the servers with the startSAS script. This displays the services as they are starting.
t
s t i n .
8. Click OK. I n t i o
S
A tri b u
t S s
i g h d i
y r
9.
e
Click OK.
r
o p f o r
C o t
N A message is displayed when the script is done. (You can start the Task Manager to watch the
CPU activity.)
For Linux Server

1. Use mRemoteNG as a terminal session to the Linux server. A connection to
sasserver.demo.sas.com is set up in mRemoteNG.
Double-click the mRemoteNG button on the desktop and then double-click the
sasserver.demo.sas.com session.
c .
e In
t u t Linux Server
For
2.
t i .
Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verify the status of the
s n
SAS servers: ./sas.servers status
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o3.
t If the servers are not started, enter the command ./sas.servers start. (The valid commands are
stop, start, restart, and status.)
Exercises
1. Locating and Opening the Instructions.html Document

This exercise illustrates how to find SAS web application URLs for our SAS environment, which
are documented in Instructions.html.
Instructions.html is the reference document for your SAS deployment and would contain any
c .
In
manual configuration steps that must be performed. It provides an overview of your deployment,
including the web application URLs. It is located under the SAS configuration directory in the

u e
Levn/Documents subdirectory (for example: D:\SAS\Config\Lev1\Documents).
t
An Instructions.html document is created on each machine that executes the
i t
SAS Deployment Wizard.
t .
I s i o n
a. Use the remote desktop connection to log on to the classroom environment, with the ip address
n
that is given to you. Use these credentials:
User: Student
S
Password: Metadata0
u t
S A tri b
b. Connect to the server machine and check the status of SAS Servers.
h t s
For Windows Server
i
r i g
1.
e d
Double-click the mRemoteNG button on the client machine desktop. The connection is set
up to connect to sasserver.demo.sas.com as the install account sas and password Student1.
r
p y o r
C o t f
N o
2. Click the Services button in the system tray. With Services selected, scroll down to the
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S

s
i g h d i In a typical deployment, the Windows services would have a start-up type of
y r 3.
r e
If the SAS services are started, go to Step C.
o p 4.
5.
f o r
If they are not started, open a CMD window under Start  Command Window.
Enter the d: command.
C o t
6. Enter cd \thirdparty\scripts.
N 7. Enter stopSAS.
done.
8. Start the servers with the startSAS script. This displays the services as they are starting.
9. Click OK to the message prompt.
10. Click OK to the second message prompt.

A message is displayed when the script is done. (You can start the Task Manager to watch
the CPU activity.)
 The SAS Web Application Server may take from 20 to 30 minutes to start.
1.
For Linux Server
Use mRemoteNG as a terminal session to the Linux server. A connection to
c .
e In
t
u
t i t .
I n s i o n
S u t
A tri b
For
Linux Server
2.
t S s
Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verify the status of the
i g h d i
y r r e
o p f o r
C o t
N
3. If the servers are not started, enter the command ./sas.servers start. (The valid commands
are stop, start, restart, and status.)
 The SAS Web Application Server may take from 20 to 30 minutes to start.
c. Locate and open the Instructions.html document. In a default deployment, it is located under the
configuration directory in the Levn/Documents subdirectory.
For Windows Server

1. Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.
2. Double-click Instructions.html to open the document in Internet Explorer.
 You are opening Internet Explorer on the server machine.
c .
For Linux Server
e In
1.
t
Use WinSCP located on the client desktop. Navigate to /opt/sas/config/Lev1/Documents.
t u
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r 2.
r e
Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
WinSCP editor, not Internet Explorer.).
o p 3.
f o r
(Optional) You can use MRemoteNg. Use the firefox
/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.
C o t
d. Click SAS Web Applications in the Overview list at the top of the page.
Ne. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
URL for the SAS Studio web application.
For Windows Server
For Linux Server
The page request is going through the SAS Web Server. The port for the SAS Web Server will
differ on Windows and Linux environments.
f. The SAS Logon Manager appears initially. The purpose of the SAS Logon Manager is to
c .
In
authenticate and direct a successful sign-in to the appropriate web application. It enables the user
to access all SAS web applications without a credential change.
t e
Sign in as Eric and use the password: Student1.
u
proc setinit;
t i t
g. Enter the following code into the Program Editor:
.
run;

I n s i o n
t
This procedure will write site information to the log, such as site number, expiration
S
A tri b u
of license, and the SAS products that are licensed.
h. Click the running person button located above the code to submit the program.
t S s
i g h d i
y r r e
o p f o r
i. The Log window appears. It contains a note that includes a list of the SAS software products that
are licensed in this environment. Review the information.
C o t
On what operating system are these products licensed?
N What products listed pertain to data access?

j. Close out of Internet Explorer.
2. Looking Up the SAS Software Components That Are Licensed and Installed
a. On the client machine, open SAS Enterprise Guide. Select Start  All Programs  SAS 
SAS Enterprise Guide 7.1. (Close the Welcome window.)
b. On the Resources pane in the bottom left of SAS Enterprise Guide, expand Servers.
c. Expand SASApp.
d. Right-click SASApp and select Properties.
e. Click the Software tab.
 In order to see the software that is licensed and installed, the client has to be connected
to a workspace server.
f. Click View SAS Server Products.

This view shows licensed and installed products for the SASApp server context. When you run
the SETINIT procedure, which was done in the demonstration and exercise, the list written
to the log is only what is licensed.
g. Close the SAS Server Products window and the SASApp Properties window.
3. Considering Users and Applications
a. What types of users do you have at your site?
c .
Platform Job Role
e
Job Role at Your Site
In
t
Platform Administrator
Data Quality Steward

t i t
Data Integration Developer
u .
Power User
I n s i o n
S
Information Consumer
u t
A tri b
b. Which SAS applications are used by employees?
S
h tPlatform Job Role
i s
Applications
r i g r e d
p y r
o
C o f
Power User
t
N o Information Consumer
1.2 Exploring the Platform Architecture 1-23
1.2 Exploring the Platform Architecture
Objectives
 Explore the SAS platform architecture.
 Examine how to secure a SAS platform configuration.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
23
h t i s
r i g r e d
SAS Platform Architecture
p y o r
C o t f
N o
24
The four tiers listed above represent categories of software that perform similar types of computing tasks
and require similar types of resources. The tiers do not necessarily represent separate computers or groups
of computers.
For a large company, the tiers can be installed across a multitude of machines with different operating
systems. For prototyping, demonstrations, or very small enterprises, all of the tiers can be installed
on a single machine.
Data Sources
The platform includes several
options for data storage, including
SAS data sets, SAS OLAP cubes,
c .
In
and the SAS Web Infrastructure
Platform Data Server.
u t e
t i t In addition, SAS provides
.
products that enable you to
I n s i o n
access data in your existing
third-party data stores and
S u tERP systems.
25
S A tri b
t
25
h i s
SAS data sets are analogous to relational database tables.
g d
y r i r e
SAS SPD Engine tables can be read or written by multiple threads.
SAS OLAP cubes are multidimensional structures of summarized data.
o p f o r
The SAS Web Infrastructure Platform Data Server is the default location for middle-tier data such
as alerts and comments. It can store the data for the SAS Content Server. The server is provided
C t
as an alternative to using a third-party relational database.
o
N
The SAS/ACCESS interfaces provide direct access to a variety of data stores.
SAS Servers
SAS servers execute
SAS analytical and reporting
processes for distributed clients.
These servers are typically
accessed either by desktop
clients or by web applications
that run in the middle tier.
c .
 The term server refers
e
to a process or processes. In
t u t
s t i n .
26
26
I n t i o
S
A tri b u
On the platform, the term server refers to a process or processes that wait for and fulfill requests from
client programs for data or services. The term server does not necessarily refer to a specific computer,
t S
because a single computer can host one or more servers of various types.
s
i
The SAS servers use the SAS Integrated Object Model (IOM). The IOM is a set of distributed object
i g h
interfaces that make SAS software features available to client applications when SAS is executed
d
on a server. Each server uses a different set of IOM interfaces and has a different purpose.
y r r e
o p o r
Middle Tier
f
C o t The middle tier includes
the following:
N  SAS Web Server and

SAS Web Application Server
 a Java Runtime Environment
(JRE)
 SAS web applications
 SAS Web Infrastructure

Platform
 SAS Environment Manager
27
27
The middle tier enables users to access intelligence data and functionality via a web browser. This tier
provides web-based interfaces for report creation and information distribution, while passing analysis
and processing requests to the SAS servers.
Beginning with the release of SAS 9.4, SAS includes an embedded middle-tier server called SAS Web
Application Server. SAS no longer requires nor supports external third-party application servers.
SAS also now includes several new middle-tier capabilities, including enhanced monitoring
and management, web-based administration, load balancing, and improved availability.
The SAS Web Infrastructure Platform includes the SAS Content Server and other infrastructure
applications and services.
c .
A JMS broker provides distributed communication with Java Messaging Services. Some SAS web
e
applications use queues and topics for business logic. In
t u t
A cache locator is used by SAS web applications to locate and connect to a distributed cache.
data.
s i
The SAS web applications use the cache to maintain awareness of user sessions and to share application
t n .
I n o
SAS Environment Manager is used to monitor and manage the server tier and middle tier
of the SAS deployment.
t i
S
A tri b u
Clients
t S s
i g h d i Desktop clients run on Windows
desktops.
y r r e Some of these clients are native

Windows applications and others
o p f o r are Java applications.
C o t Some clients require only a web
N browser to be installed on each

client machine, including SAS
Information Delivery Portal, SAS
BI Dashboard, SAS Environment
Manager, and SAS Web Report
28 Studio.
The client tier provides users with desktop access to intelligence data and functionality through easy-
to-use interfaces. For most information consumers, reporting and analysis tasks can be performed with
only a web browser. For more advanced design and analysis tasks, SAS client software is installed
on users’ desktops.
SAS Management Console is supported on all platforms except z/OS.
In addition, Adobe Flash Player is required for SAS BI Dashboard.
SAS Platform Architecture (Review)
c .
e In
t u t
s t i n .
29
I n t i o
S
A tri b u
SAS Installation and Configuration
t S s
SAS installation and configuration files are stored
i g h d i
in separate locations.
y r SASHOME
r
directory
e The location on a file system where
an instance of SAS software is installed
o p SAS
f o r
Configuration
Directory
The location on a file system where configuration
information for a SAS deployment is stored
C o t
N
30
30
The location of the SASHOME directory is established at the initial installation of SAS software
by the SAS Deployment Wizard. That location becomes the default installation location for any other
SAS software that is installed on the same computer.
Securing a SAS Configuration

The SAS configuration directory on each server machine
must be protected by operating system controls. These
controls prevent inappropriate access to the following:
 metadata repository data sets
 server scripts
 server logs
c .
In
 configuration files
u t e
t i t .
31
I n s i o n
t
31
S
A tri b u
Securing a SAS Configuration: Windows
t S s
On Windows, all of the
i g h d i
configuration directories, files,
and scripts are owned by the user
y r r e
who performed the installation.
o p o r
It is recommended that you set
additional operating system
f
permissions.
C o t
N
32
32
These recommendations assume that your SAS servers and spawners run as services under the
Local System account. If servers and spawners run under a different account, then grant that account
the permissions that are recommended for SYSTEM.
Directories Recommended Permissions for Windows

 SAS-configuration-directory  SYSTEM and Administrators: Full Control
 SAS-configuration-directory\Lev1  All other users: List Folder Contents, Read
 Lev1 subdirectories: Documents, ReportBatch,
SASApp, SASMeta, Utilities, Web
c .
In
Lev1 subdirectories:  SYSTEM and Administrators: Full Control
 ConnectSpawner  Remove all other users and groups
 Logs
 ObjectSpawner
u t e
 SASApp\OLAPServer
t i t .
 SASMeta\MetadataServer
 FrameworkServer
I n s i o n
 ShareServer
S u t
SASApp subdirectories:PooledWorkspaceServer,  SYSTEM, Administrators, and SAS Spawned
S A tri
StoredProcessServer
b Servers (sassrv): Full Control
 Remove all other users and groups
h t
SASApp subdirectories:
i s  SYSTEM and Administrators: Full Control
r g
 ConnectServer\Logs
i
 Data\wrsdist
r e d
p y
 Data\wrstemp
o r
 PooledWorkspaceServer\Logs
C o t f
 PooledWorkspaceServer\sasuser
 StoredProcessServer\Logs
N o
 StoredProcessServer\sasuser
 WorkspaceServer\Logs
SASMeta\WorkspaceServer\Logs
sasv9_meta.cfg file  SYSTEM and Administrators: Read and Write

 Remove all other users and groups
If you selected the customer installation option to place all of your log files in a single directory, then you
will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination.
If you enable logging for a standard workspace server, then you will need to grant all users
of the workspace server Full Control of the log directory.
Securing a SAS Configuration: UNIX and z/OS

On UNIX and z/OS systems, the SAS Deployment Wizard
automatically applies the permissions that give
appropriate access to the configuration directory
of the following:
 SAS Installer account (typically sas)
 sas group (which includes sas and sassrv)
In addition to the default security, you might want

c .
to give administrators access to the configuration
e
directory so that they can modify files and run backups.
In
t u t
s t i n .
33
I n t i o
S
A tri b u
On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate
permissions. The default permissions are shown below.
t S s
i g h d i
y r r e
o p f o r
C o t
N
Directories Default Permissions for UNIX and z/OS

 SAS-configuration-directory  SAS Installer: Read, Write, and Execute
 SAS-configuration-directory\Lev1  All other users: Read and Execute
 Lev1 subdirectories: Documents, ReportBatch,
SASApp, SASMeta, Utilities, Web
Lev1 subdirectories:  SAS Installer: Read, Write, and Execute
 ConnectSpawner
 Logs
 All other users: no access
c .
 ObjectSpawner
 SASApp/OLAPServer
e In
 SASMeta/MetadataServer
 FrameworkServer
t u t
 ShareServer
s t i n .  SAS Installer: Read, Write, and Execute
n
SASApp subdirectories: PooledWorkspaceServer,
StoredProcessServer
I t i o  sas group: Read and Execute
SASApp subdirectories
S
A tri
 ConnectServer/Logs
b u  SAS Installer: Read, Write, and Execute
 sas group: Read, Write, and Execute
 Data/wrsdist
 Data/wrstemp
t S s
i g h d i
 PooledWorkspaceServer/Logs
y r e
 PooledWorkspaceServer/sasuser
r
 StoredProcessServer/Logs
o p f o r
 StoredProcessServer/sasuser
 WorkspaceServer/Logs
C o t
SASMeta/WorkspaceServer/Logs
 sasv9_meta.cfg file  SAS Installer: Read and Write
N  All other users: no access
If you selected the customer installation option to place all of your log files in a single directory, then you
will need to grant the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission to the
central log destination.
If you enable logging for a standard workspace server, then you will need to grant all users
of the workspace server Read, Write, and Execute permission to the log directory.
Make sure the SAS Spawned Server (sassrv) account is a member of the sas group, which has
the necessary permissions to server configuration files and log directories.
Exercises
4. Locating the Installation and Configuration Directories of the SAS Deployment

a. On the server machine, locate the installation directory.
For Windows Server
c .
In
Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any desktop
applications installed on the server machine?
For Linux Server
u t e
t i t .
Navigate to /opt/sas/SASHome. Are any desktop applications installed on the server
machine?
I n s i o
b. Locate the configuration directory. n
S
For Windows Server
u t
A tri b
Access Windows Explorer and navigate to D:\SAS\Config\Lev1.
S
h t i s
For Linux Server
r i g d
Navigate to /opt/sas /config/Lev1.
r e
p y 
o r The Levn subdirectory contains configuration information and other files for a particular
installation instance. Lev1 is generally used for production environments. Additional
C o t f levels such as Lev2 and Lev3 can be used for environments that you install for purposes
such as development and testing. During installation, the SAS Deployment Wizard
N o enables you to select the level number.

5. Diagramming Your SAS Environment
a. At your site, how many physical servers are used for your SAS environment?
b. What operating systems run on your servers?
c. Use the blank diagram to indicate where the components are installed in your environment.
Draw additional boxes if necessary.
SAS Servers Middle Tier Data Sources
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
6. Examining details_diagram.html
s
h i
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS system.
Similar to an architect’s floor plan, the plan describes the intended final SAS software environment.
r i g r e d
The plan is used in the SAS software deployment process to “tell” the SAS Deployment Wizard
which software components to install and configure on each machine. A diagram of your customized
p y o r
deployment plan, called details_diagram.html (optimized for Firefox) or
details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your custom plan file.
C o 
t f See Installation Note 44320: Using deployment plans during a SAS® installation.
N o
a. On the server machine, locate and open the details_diagram.html file.
For Windows Server

Access Windows Explorer, and navigate to D:\SAS\depot\
SPAFT_94m3_Midas1195073_win_15w29\plan_files
For Linux Server

Navigate to /opt/sas/depot/SPAFT_94m3_Midas1195073_laz_15w29/plan_files.
b. Where is SAS Management Console installed? Configured?

Where is SAS Foundation software installed? Configured?
Where is SAS Enterprise Guide installed? Configured?
1.3 Reviewing Platform Administration

Tasks
Objectives
 Explore the platform administration tasks.
c .
In
 Explore applications used to administer the platform.
u t e
t i t .
I n s i o n
S u t
S A tri b
37
h t i s
r i g r e d
p y Platform Administrator
o r
C o t f
In some organizations, the role of the platform
administrator is split between a system administrator
o
and a SAS administrator.
N SAS
Administrator



Some knowledge of SAS, the deployment
architecture, and familiarity with the content
being created
Responsibility for the SAS deployment
Might have limited authority over
the hardware infrastructure on which
it is running
System  Responsibility for the host (physical) systems
Administrator  Limited or no significant knowledge
of SAS
38
38
1.3 Reviewing Platform Administration Tasks 1-35
Platform administrators install, configure, administer,
and maintain the platform for SAS Business Analytics.
The software and applications primarily used
by platform administrators include the following:
 SAS Management Console
c .
In
 SAS Deployment Manager
u t e
t i t .
40
I n s i o n
t
40
S
A tri b u
Another tool, SAS Web Administration Console is a web-based interface that enables you to:
 monitor which users are logged on to SAS web applications
t S
 view audit reports of logon and logoff activity
s
 manage notification templates and letterheads
g h d i
 manage web-layer authorization (including privileges, roles, and permissions)
i
y r r e
 access the SAS Content Server Administration Console
 view the current configuration of the web applications
p o r
 dynamically adjust logging levels for some web applications
o f
C o t
SAS Management Console
N SAS Management Console is a desktop client application
that enables administrators to administer metadata,
register users, and set metadata security.
Administrative functionality is
presented through plug-ins.
Metadata is organized
in folders.
41
41
SAS Management Console provides a single interface for administrators to manage the metadata
and servers in the SAS platform. Specific administrative tasks are supported by plug-ins to
SAS Management Console.
SAS Environment Manager

SAS Environment Manager is a web-based administration
tool that enables you to manage your SAS environment,
including the operation of SAS servers on the server tier
c .
In
and middle tier.
Features include the following:
t e
 collect and chart data on metrics for SAS resources
u
 monitor log events and reporting alerts
t i t
 incorporate the monitoring and managing of IT and
.
SAS resources into a service management strategy
I n s
including predefined reports
i o n
S u t
42
S A tri b continued...
t
42
h i s
SAS Environment Manager is an operational monitoring and management system for SAS deployments.
g d
SAS Environment Manager incorporates VMware’s Hyperic technology in order to offer enterprise-class
r i e
operational features. It incorporates plug-ins that are designed for administration, management,
y r
and monitoring of SAS technologies.
p o r
Over the lifecycle of SAS 9.4, functions will be added to extend the capabilities of SAS Environment
o f
Manager as a centralized administration application for all SAS products. At this time, no functionality
C t
has been removed from the other SAS administrative applications such as SAS Management Console
o
and the SAS Web Administration Console. During this transition, SAS Management Console will
N
continue to be supported.
For details, see SAS® Environment Manager: User’s Guide and the Help for SAS Environment Manager.

SAS Environment Manager enables you to manage
SAS resources and resource definitions, including:
 folders and objects
 authorization controls
 user and group definitions
 library definitions
c .
In
 database server definitions
 SAS content backups
u t e
t i t .
43
I n s i o n
t
43
S u
Comparison of SAS Management Console and the Current Version of SAS Environment Manager
A tri b
t S s
Administration Task Available in
SAS EV
Available in
SAS MC
g h d i 
Start, stop, and restart the SAS Web Application Server; and start,
i
y r r e
stop, and reload web applications

p o r
View metrics on the availability, performance, utilization, resource
consumption, and throughput of server machines on the middle tier
o f
and the SAS server tier. Set up alerts based on these metrics.
C o t 
Use reporting tools to obtain a comprehensive view of the
N
performance and status of your SAS environment and its resources.
Start servers on the SAS server tier. 

Pause, resume, quiesce, and stop servers on the SAS server tier; and  
view the status of server processes on the SAS server tier.
View events of a specified level from server log files.  

View server logs and dynamically change logging levels. 
Validate servers on the SAS server tier and run the Deployment 
Tester.
Schedule, configure, monitor, and perform integrated backups of 

your SAS content across multiple tiers and machines.
Administration Task Available in Available in

SAS EV SAS MC
Back up and restore the metadata server, and create and administer
metadata repositories.

Monitor the operation of grids, and administer grid hosts, queues,
 
.
and jobs.
Schedule flows to run on a scheduling server.


In c
 
t e
Browse the contents of SAS folders, view and update properties of
folders and objects, and rename and delete objects.
tu 
i
t  n.
Create, rename, and delete SAS folders.
s
n o
Create and modify metadata definitions for users, groups, and roles;
I i
ut 
and manage memberships, logins, and internal accounts.
S b
Define metadata access rules, and create and update access control
A i
r
templates (ACTs).
t S s t  
Browse any type of library or server that has been defined in
i g h
SAS metadata.
d i
y r r e
Create and modify metadata definitions for Base SAS libraries,
SAS LASR Analytic Server libraries, and SAS LASR Analytic
p
Servers.
o f o r 
C t
Create and modify metadata definitions for other types of
o
SAS libraries and servers.
N 
Create and modify metadata definitions for database schemas, map
services, servers, stored processes, publication channels, and
subscribers.
Display lineage information.


Promote (export and import), copy, and paste metadata.

View and modify configuration attributes for SAS applications, and
view and modify deployment configurations for infrastructure and

extension services that are used by these applications.
SAS Deployment Manager

SAS Deployment Manager enables administrators
perform tasks to manage SAS deployment.
c .
e In
t u t
s t i n .
44
I n t i o
S
A tri b u
SAS Deployment Manager is a graphical user interface that enables you to do the following:
 update passwords for service accounts that were configured when you ran the SAS Deployment Wizard
has changed
t S
 rebuild and redeploy web applications that have previously been configured but whose configuration
s
i g h d i
 uninstall SAS software from the local machine
y r e
 remove one or more components of a SAS Intelligence Platform configuration from your environment
r
 update setinit (license) information in metadata for some SAS solutions that depend on SAS middle tier
o p f o r
 manage the default associations between file types and SAS software
 change the host names (including the network domains to which they belong) of server machines
C t
in your deployment
o
 apply downloaded hot fixes to your SAS software
N
 change the passphrase that is used to encrypt stored passwords
 configure the language and region for SAS Foundation and certain SAS applications
 configure and manage the SAS Deployment Agent service
For details, see “Overview of SAS Deployment Manager” in SAS® 9.4 Intelligence Platform: System
Administration Guide, Third Edition.
Overview of Administration Tasks

After the platform is installed, configured, and validated,
you can begin performing administration tasks.
Are necessary to protect the integrity of

First-Priority your system and should be performed
Setup Tasks
first.
c .
Standard
Setup Tasks
e
Enable the users in your organization to
begin using SAS applications
In
t
to access and analyze data.
t i t u
Ongoing System
. Keep the platform operational.
s
Administration
45
I n
Tasks
i o n
t
45
S
A tri b u
First-Priority Setup Tasks
t S s
i g h d i
First-Priority
Setup Tasks
Are necessary to protect the integrity of your
e
system and should be performed first.
y r r r
p
 Secure the SAS configuration on each server
o t f o machine.
Operating system controls prevent inappropriate
C o
access to repository data sets, server scripts, server
logs, and configuration files.
N  Establish a formal, regularly scheduled, backup

process.
The backup process should include your metadata
repositories as well as associated physical files.
46
46
Standard Setup Tasks
Standard Enable the users in your organization to

Setup Tasks begin using SAS applications to access
and analyze data.
 Add users and manage access.

c .
In
 Set up your metadata folder structure.
 Establish connectivity to your data sources.
u t e
t i t .
47
I n s i o n
t
47
S
A tri b u
There are also some optional setup tasks that might be necessary for you to modify your initial
configuration to meet specific requirements in your environment. Optional administration
t S
and configuration tasks include the following:
 install sas.servers as a boot script
s
i g h d i
 optimize performance of the metadata server
 modify the configuration of your processing servers
r r e
 optimize web application performance
y
o p f o r
 adjust server logging
 enable job and report scheduling
C t
 increase Java head memory allocation for desktop applications
o
 set up change management for SAS Data Integration Studio jobs
N
 collect ARM log information for SAS Data Integration Studio batch use
For additional information, see “Optional Setup Tasks” in the SAS® 9.4 Intelligence Platform: System
Administration Guide, Third Edition.
Adding Users and Managing Access

In order to make access distinctions and track user
activity, create SAS identities for your users.
Users
c .
In
Groups
Ellen
Henri
u t e Sales
t i t .
Marketing
48
I n s i o n
t
48
S
A tri b u
Setting Up Your Metadata Folder Structure
t S s
The SAS applications use a hierarchy of SAS folders
i g h
shown below:
d i
to store metadata, including the metadata folders
y r r e
 libraries
o p o r
 tables
 OLAP cubes
f
 jobs
C o t information maps
N
 stored processes
 reports
49
49
The initial SAS folder structure provides private folders for individual users. Within the SAS folders,
you should create a customized folder structure that meets your specific needs.
Metadata Security
Setting security in the metadata occurs in conjunction
with several administrator tasks:
 adding users and managing access
 establishing connectivity to data sources
 setting up your metadata folder structure
c .
In
It is important to plan security for your
environment before implementing it.
u t e
t i t .
50
I n s i o n
t
50
S
A tri b u
Establishing Connectivity to Data Sources
t S s
In order to make data available to most SAS applications,
i g h d i
you need to register data sources in the metadata,
including these listed below:
y r r e
r
OLAP cubes
o p f o
SAS data sets
C t
LASR tables
N o RDBMS tables
Hadoop (HDFS)
Information maps
XML files
51
51
Ongoing System Administration Tasks
Ongoing System
Administration
Keep the platform operational.
Tasks
.
 Start, stop, pause, resume, and refresh the servers that

are used in the system.
Check the status of a server or of a metadata repository.
Monitor the activity of servers.
In c

u t e
Perform regular full backups of the metadata server.
Use server logs and configure logging options.

t i t
Promote individual metadata objects or groups of objects.
.
52
I n s i o n
t
52
S
A tri b u
Checking the Status and Operating Servers
t S s
SAS provides a number of tools that you can use
i g h d i
to determine the status, operation, and monitoring
of your servers and spawners, including the following:
y r r e
o p o r
 scripts
f
 third-party monitoring tools
C o t
N Each server has a logging configuration file
that controls the destination, contents, and
format of the log for that server.
53
53
Beginning with SAS Environment Manager 2.4, the component SAS Environment Manager Data Mart
Performance and Usage Reporting is also included. Extract, transform, and load (ETL) processes obtain
metric information from the SAS Environment Manager agent and from SAS logs, standardize the data,
and store the data in the SAS Environment Manager Data Mart. From there, the data is used to produce
predefined reports in the Report Center.
Administering Repositories
and Moving Metadata
As an administrator, you might need to create additional
metadata repositories in your environment.
You might also need to move metadata either within
the same deployment or across different deployments.
Promotion
c .
In
(selected content)
Export
u t e
t i t Import
.
54
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Exploring SAS Management Console
This demonstration introduces SAS Management Console.

1. On the client machine, start SAS Management Console by selecting Start  SAS Management
Console. When the Connection Profile window appears, click OK to connect with the My Server
connection profile. Log on as Ahmed using the password Student1.
c .
In
 Ahmed is the SAS administrator in our classroom environment.
u t e
t i t .
I n s i o n
S u t
S A tri b
2. Because we are logged on as Ahmed, we can see all three tabs: Plug-ins, Folders, and Search.
h t i s
r i g r e d
p y o r
C o t f
N o
The plug-ins enable administration of metadata. These are some of the plug-ins:
 Authorization Manager: used to define and maintain access rules to control how users and groups
can access metadata definitions.
 Data Library Manager: used to create and maintain definitions for SAS libraries and database
schemas.
 Metadata Manager: used to perform administration tasks related to the SAS Metadata Server.
 Server Manager: used to create and maintain server definitions.
 User Manager: to create and maintain definitions for users, groups, and roles.
c .
In
3. The Folders tab displays the SAS Folders hierarchy. Metadata is organized and viewed through
the folders.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Exercises
7. Comparing Server Hierarchy in SAS Management Console

Compare the server hierarchy in the Server Manager plug-in in SAS Management Console
to the configuration directory on the server.
a. On the client machine, log on to SAS Management Console. Use the sasserver profile
and provide the user ID Ahmed and the password Student1.
c .
b. On the Plug-ins tab, expand Server Manager. Compare the server hierarchy in the Server
e
Manager plug-in to the configuration directory on the server. In
u t
What server definitions under the Server Manager plug-in have corresponding directories
t
s i
in the configuration directory?
t
Expand SASMeta and SASApp.
n .
I n i o
How many servers are defined under SASMeta?
t
S
How many servers are defined under SASApp?
A tri b u
Which directories do not directly correspond to servers listed under the SASApp context?
t S s
i g h d i
y r r e
o p f o r
C o t
N
1.02 Quiz
Who should have SAS Management Console installed
on their desktops?
Who should have access to SAS Environment Manager?
c .
e In
t u t
s t i n .
58
I n t i o
S
A tri b u
t S
1.03 Multiple Choice Poll
s
i g h d i
How often do you need to secure the SAS configuration
and set up your metadata folder structure?
y r a. never
r e
o p f o r
b. at installation time and as needed thereafter
c. as needed
C o t
d. daily
N
60

How often do you need to check the status of your
SAS servers?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
62
I n t i o
S
A tri b
u
t S s
How often do you need to investigate server logs
i g h d i
or modify logging?
y r
a. never
r e
o p f o
d. dailyr
c. as needed
C o t
N
64

How often do you need to back up your environment?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
66
I n t i o
S
A tri
1.07 Multiple Choice Pollb u
t S s
How often do you need to add users to the environment,
i g h
sources?
d i
manage their access, and establish connectivity to data
y r a. never
r e
o p f o r
c. as needed
C o t
d. daily
N
68
1.08 Multiple Answer Poll

How often do you need to move metadata?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
70
I n t i o
S
1.4 Exploring SAS Environment
A tri b uManager
t S s
i g h
Objectives
d i
y r 

r e
Describe the SAS Environment Manager architecture.
Describe the SAS Environment Manager interface.
o p 
f r
Explore the resource inventory model.
o
Explore metrics and monitoring resources.
C o

t Explore the use of the dashboard.
N
73
1.4 Exploring SAS Environment Manager 1-53

SAS Environment Manager provides a framework for
SAS administrators to monitor the performance, health,
and operation of their SAS deployments.
 A comprehensive view of all resources related to
SAS is displayed.
 It provides drill-down into different levels of detail on
resources.
c .
 It provides a flexible alerting function to warn
administrators of problems.
e In
t u t
s t i n .
74
I n t i o
Hyperic: S
A tri b u
SAS Environment Manager surfaces the following key monitoring and management capabilities from
t S
 Resource discovery automatically discovers resources and software, and enables the detailed and
s
customized monitoring of them.
i g h
memberships.
d i
 Personal dashboards can display summaries and high-level monitoring, based on user IDS or on role
r r e
 Metric collection collects a standard set of metrics that reflect availability, performance, utilization, and
y
throughput.
p o r
 Event tracking monitors log and configuration files and records events of interest for most server types.
o f
 Resource control: You can use SAS Environment Manager for remote control and administration of
C o t
your software resources (for example, starting, stopping, or pausing a server).
 Alerting and escalation: You can set alerts on metrics and configure actions to perform when an alert
N
fires. For example, when an alert fires, the system can issue email notifications, set SNMP traps,
perform a control action, or issue a communication to another management system.
 Visualizations are in the form of graphic displays for server monitoring, memory/disk, and/or processor
usage.
 Live data: Hyperic provides Live Exec views for all platform types. You can run a variety of real-time
system commands to obtain the live system status.
SAS Environment Manager Architecture

Platform 1 (machine 1)
SAS Environment
Manager Server
Service A
SAS Environment Management Server
Service B
Manager Agent
Middle Tier resources, metrics,
Servers events, alerts,
.
control actions
Platform 2 (machine 2)
SAS Environment
Manager web
application
In c
e
Service C
t
SAS Environment
Service D SAS Environment Manager
Manager Agent
u
SAS Servers database
t
Object
i
Spawner
t .
Upgradeable through plug-ins: each plug-in is
associated with a specific resource
75
I n s i o n
S u
Components of SAS Environment Manager:t
S A tri b
The SAS Environment Management Server communicates with the agents to collect information
about discovered resources, metrics, and availability. It issues control actions received from the
t i s
SAS Environment Manager application.
h
r i g e d
The SAS Environment Manager Agent is a software process that runs on each machine in the
configuration (middle-tier and server-tier machines in a SAS deployment). It scans the machine, the
r
p y
process table, and the file system for processes that it is familiar with, and gathers that information.
r
Periodically, the agents send their information to the server, where it is summarized and added to the
o
C o t f
database as part of the inventory.
SAS Environment Manager Database is a repository for all of the resource information that is known to
N o
SAS Environment Manager. It uses the SAS Web Infrastructure Platform Data Server, which is based on
PostgreSQL. After resources are discovered and added to your inventory, the database stores data that is
collected from the agents about the resources.
SAS Environment Manager Application is the web-based interface to the SAS Environment Manager
system. Administrators can use the web-based interface to view this data, and thereby obtain a host of
information about the various resources that are running in the system. The interface also enables
administrators to set up alerts when specified events occur, and generate reports that summarize the state
of the platform. SAS Environment Manager also enables administrators to control the servers, via the
agents, and perform such actions as starting and stopping servers, deploying and undeploying web
applications, and modifying the configurations of various servers.
Plug-ins enable agents to discover and monitor resources in a SAS environment. Each plug-in is
associated with a specific resource, and provides the agents with the instructions needed to recognize the
resource during auto-discovery and to monitor and collect metrics for the resource.
The basic architecture of SAS Environment Manager consists of an agent process running on each
platform in a SAS deployment that communicates to a central management server. Agents monitor
detected resources and periodically report resource metrics back to the server. The server provides an
interface for interacting with those agents, managing the data collected by the agents, distributing plug-
ins, creating alerts and escalation procedures based on collected metrics, and graphing the metrics
provided through the installed plug-ins.
SAS Environment Manager Architecture

c .
In
A broad set of operational metrics is collected.
e
Solutions
t
Web Application Servers
u
WIP Services and DB
t
ActiveMQ Messaging
i Availability
Apache tc Server
SAS Servers
•
•
Metadata
Object Spawner
s t n .
Performance
•
• ….
Operating Systems
n
StoredProcess Server
I t i o Configuration
changes
S u
• Memory
Events
• Processor Service Database
• IO
A tri
Storage & IO Systems
•
S
LASR
b Log entries
t
• Scalable Performance Data
76
•
g h
Server
i
SAS Data Set
d s
Virtualization
i e
76
y r r
Metrics are the measurements taken by the SAS Environment Manager agents, on the various computing
r
p
resources being monitored. Metrics can be static numbers, frequencies over some time period,
database.
t f o
percentages, or averages over some time period. They are periodically sent to the server, and stored in the
o
C o
N
SAS Environment Manager Interface

The SAS Environment Manager interface includes five
main areas:
Dashboard Configurable collections of portlets
Resources Resource-level monitoring and management
c .
Analyze Deployment-wide views of events and alerts
e In
Administration
t
Access and management of SAS metadata
u
folders and SAS metadata user definitions
t
Manage
t i .
Native users, roles, permissions, plug-ins
s n
77
77
I n t i o
S
A tri
Monitoring Resourcesb u
t S s
Monitoring enables you to track a resource’s availability
i g h d i
and overall health. A variety of metric data is displayed,
both in numeric and graphic format, to enable you to
y r r e
examine detailed information about the resource’s
r
operation.
o p f o
 Monitoring provides the basis for quick decisions or
action if something about the system is out of order,
C o t such as a server down.

 SAS Environment Manager Extended Monitoring can
N be enabled so that SAS Environment Manager is

automatically set up by using tuned resource
configurations, alert definitions, and metrics.
78
78
SAS Environment Manager Extended Monitoring is discussed in a later chapter.
Resource Inventory Model

The relation between service, server, and platform is a
resource hierarchy.
Platform Platform
Machine, OS,
.
network switch, or SAS
Server
c
deployment
Service
In
Server
A task-specific
A software product or Service software component,
processes such as,
SAS Metadata server
or tc Server, that runs
u t e such as SAS logical

server, that runs on a
t
server or platform
on a platform
s t i n .
The Resources page lists the inventory of resources.
79
79
I n t i o
S
Examples of types of resources:
A tri b u
S
Platforms: operating system platforms (such as sasserver.demo.sas.com), SAS deployments (such as
SAS 9.4 Application Server Tier), virtual and network platforms (such as Cisco IOS or
h t i s
GemFire Distributed System)
Servers:
r i g r e d web application server, web server, Postgres server, SAS Metadata Server, SAS Object
Spawner, SAS Home Directory Service
p y
Services:
o r DNS service, Fileserver mount, Windows service, Work directory
C o

t f When you run SAS Environment Manager for the first time, the application auto-discovers
and auto-accepts the resources listed in the auto-approved.properties file. (This is created when
N o the SAS Deployment Wizard installs SAS applications and is located in the <agenthome>/conf
directory.) Resource types that are not listed in this file must be accepted for monitoring after
they have been discovered.
Additional Groups That Can Be Created
Compatible Groups These groups contain selected instances of a single type of resource (for
example, SAS Object Spawners or VA nodes). Because every member of a
compatible group is uniform, the metrics collected across the group can be
aggregated for reporting purposes.
Mixed Groups These are user-created groups that can contain multiple types of resources, such
as other groups, platforms, servers, and services. Availability is the only metric
that is available for a mixed group.
Application These groups are sets of selected services, usually running on different servers
on multiple platforms that together fulfill a single business purpose. Creating
application groups enables you to manage your infrastructure from an
application perspective, as opposed to a hardware perspective.
Metrics
Metrics are the measurements taken by the
SAS Environment Manager agents on the various
computing resources being monitored.
 The ‘Availability’ metric is required by all plug-ins, and
is the one measure that is found on all resources.
 A different set of metrics is collected for each type of
resource.
c .
 There is a default
subset of metrics
e In
that will be displayed
for each resource
t u t
type, but this can
be modified.
s t i n .
80
80
I n t i o
S
A tri
Using the Dashboard b u
t S s
The Dashboard is your first view when you start
i g h d i
SAS Environment Manager. It provides a configurable
graphical display of important items to be watched. The
y r r e
administrator is able to do the following:
o p o r
 focus on a few specific resources and their availability
 focus on specific metrics that are most important for a
fgiven resource
C o t compare similar resources on a specific metric
 organize alerts
N  create multiple dashboards for different purposes, for

example, a ‘basic monitoring’ dashboard or a
‘troubleshooting’ dashboard
81
81
Each user can access their own personal Dashboard as well as a Dashboard for each of the native roles of
which the user is a member. Each Dashboard can be customized to meet the needs of the user or role.
Using the Dashboard

The Dashboard is divided into two columns. The portlets
can be rearranged, deleted, and added back in. Some
portlets can appear only once, whereas other portlets can
appear more than once.
Left Column Only Right Column Only
Availability Summary * Auto-Discover
c .
In
Saved Charts * Metric Viewer *
Summary Counts Group Alerts Summary *
Recently Added
Search Resources
t e
Control Actions
Favorite Resources *
u
t
Recent Alerts *
s t i .
Problem Resources *
n
 The portlets with an asterisk (*) are specifically for
82
82 monitoring.
I n t i o
S
A tri b u
The portlets that can appear more than once are ones that display information about a selected group of
resources. Each instance of the portlet displays information about different resources. The portlets that
t S
can appear only once display information for the entire environment.
Available Portlets
s
i g h
Name
d i Description Location Instances
Auto-
y r r e
Lists new and changed resources and enables you to add them to Right One
Discovery
o p f o r the inventory. Check this portlet after you install a plug-in to

accept the newly discovered resources into the inventory.
C o
Summary
t
Availability Indicates the availability of selected resources, grouped by
resource type. This portlet refreshes every minute.
Left Multiple
N
Control
Actions
Lists recently performed actions on managed resources and
upcoming scheduled actions. Also indicates which quick control
actions are most frequently performed.
Right One
Favorite Lists selected resources. Right One

Resources
Saved Displays selected charts as a slide show. Left One

Charts
Recent Lists the most recently triggered alerts for selected resources. This Right Multiple
Alerts portlet refreshes every minute.
Recently Lists platforms that have been recently added to inventory. Left One
Added
Name Description Location Instances
Search Enables you to search for resources. The search supports case- Left One
Resources insensitive, partial-term queries for a specified inventory type
Summary Displays a count of managed resources by inventory type. Only Left One
Counts those resources that you are allowed to access are displayed.
Group
Alerts
Displays traffic light indicators for resource alerts and group alerts
for selected groups. To view a list of alerts that have fired for a
group, click that group’s traffic light. To view a group page, click
Right One
c .
In
Summary
that group’s name.
Metric
Viewer
Displays selected metrics for selected resources. This portlet
refreshes every minute.
u t e
Right Multiple
Problem
t i t .
Lists all resources that have problem metrics and provides details, Right One
Resources
n s o n
including availability status, number of alerts per resource, number
of times the metric has been out of bounds, and the most recent
I i
t
time that the out-of-bounds metric was collected.
S
A tri
Exercise Scenario b u
t S s
Throughout the class, exercises will involve using
i g h d i
SAS Environment Manager to do the following:
e
 look at resources
y r r
 use control actions
r
p
 create alerts
o t f o
 add portlets
C
 manage SAS metadata
N o In the following exercise, you will add Ahmed, the

SAS Administrator, to a SAS Environment Manager role,
so that a dashboard can be created for Ahmed.
83
83
Exploring SAS Environment Manager
This demonstration introduces SAS Environment Manager.

1. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment Manager
on the Favorites bar.
 To access SAS Environment Manager, use your web browser to go to

c .
In
http://<localhost>:7080, where localhost is the machine on which the SAS Environment
Manager server is installed.

t e
The recommended browser for SAS Environment Manager 2.5 is Google Chrome.
u
t i t .
I n s i o n
S u t
S A tri b
2. Sign in as sasadm@saspw using the password Student1.
h t i s
r i g r e d
p y o r
C o t f
o
3. The interface is organized around five main areas.
N
Dashboard Configurable collections of portlets; this is the initial view
when starting SAS Environment Manager
Resources Resource-level monitoring and management
Analyze Deployment-wide views of events and alerts
Administration Metadata definitions for folders and objects, servers,

libraries, users, and metadata security and access controls
Manage Native users, roles, permissions, plugins
4. Dashboard: The Dashboard interface is the initial view when a user logs on. It contains two columns
of portlets. Each portlet contains the resources and metrics that are most important to your
environment.
 The Dashboard interface is customized by deleting, adding back, or rearranging the various portlets
that you see.
 Selecting an entry in a portlet takes you to more detailed information about the entry.
 Each user can access his or her own personal dashboard as well as a dashboard for each
.
of the native roles of which the user is a member. Each dashboard can be customized to meet
the needs of the user or role. To choose a different dashboard, select the one that you want
to use from the Select a Dashboard field.
In c
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
o
5. Resources: Click Resources  Browse. The Resources page enables you to monitor, configure, and
N
manage inventory resources, organized by type (for example, Platforms, Servers, Services).
 The buttons on the left of the resource name ( ) enable you to quickly jump to the Monitor,
Inventory, or Alerts page for the resource. You can also click the resource to open the Details page
that includes links to Monitor, Inventory, or Alerts pages.
 The number of resources extends to two pages. You can change items per page in the bottom right
of the interface, or hit the black arrow to move to the second page of resources.
c .
e In
t u t
s t i n .
6. Click Platforms (2). In this installation, there are two platforms: the machine and the
I n
SAS Application Server Tier.
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
7. Click sasserver.demo.sas.com. The details about this resource, the OS platform, are displayed. You
can get similar details for any resource (a platform, a server, or a service) by clicking it. The details
t
for each resource differ somewhat, depending on what type of resource it is.
C o
 Across the top, basic machine specifications are given: OS, CPU speed, architecture, IP address,
N
RAM, and more.
 Notice the five links on the upper left: Monitor, Inventory, Alert, Control, and Views. By default,
you are on the Monitor page. A variety of metric data is displayed, both in numeric and graphic
format, to enable you to examine detailed information about the resource’s operation.
 The fastest way to check the status of a resource is to use the availability bar, which is above the
indicator charts. The availability bar displays a color-coded dot that represents the availability
during a time slice. The length of each time slice depends on the display range that you select (for
example, if you display the past eight hours of data, each dot corresponds to approximately eight
minutes). The percentage of time that the resource was available is displayed at the end of the
availability bar.
The dots are color-coded using the following format:
Green = 100% availability
Yellow = Partial availability; between 0% and 100%
Red = 0% availability
 To the left of the indicator charts, there are links to other resources that are under this resource in
the hierarchy.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
 The events bar is displayed below the indicator charts. It is similar to the availability bar, with dots
representing time slices. The bar displays a dot if an event occurs during a time slice. If no event
s
i g h d i
occurs, the bar remains black.
y r r e
o p f o r
C o t
8. On the bottom left of the page, click the down arrow next to Problem Metrics and select All Metrics
N
to display a list of all available metrics for this resource. Click the arrow next to a metric to add the
chart to those displayed on the page.
9. Analyze: The Analyze pages contains the Alert Center, Report Center, (only if you have enabled
SAS Environment Manager Service Architecture), Environment Snapshot, Event Center, and
Operations Center. (You might see a Monitoring Center, which is part of the Job Monitor service.
It would contain SAS jobs submitted by the Data Management solution.)
 An event is any type of activity in a resource that you are monitoring.
 An alert is a user-defined type of event that acknowledges a critical condition in a selected

resource. You can configure SAS Environment Manager to also log events for log messages and
resource configuration changes.
 The pages in the Analyze tab will be discussed in a later chapter.
c .
e In
t u t
10. Administration: Click the Administration tab. This page enables you to manage resource
t i .
definitions in SAS metadata. The page contains a set of modules, each of which enable you to manage
s n
a type of metadata definition. The application displays the Folders module by default.
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
11. To switch to a different module, click the Side Menu button , which displays a list of all of the
available modules.
12. Manage: Click the Manage tab. The pages under Manage control how the SAS Environment
Manager application works.
 Authentication/Authorization: enables the management of users and roles. (These are not
the same as the users and roles in SAS metadata that control access to SAS metadata objects,
although SAS Environment Manager users are synchronized with users that are defined in metadata
and added to specific groups.)
 Server Settings: change settings for the SAS Environment Manager server; set default monitoring
and alerting definitions for all types of platforms, servers, and services; define notification or
plug-ins.
c .
logging actions that are taken for alerts; list currently loaded plug-ins; and enable deleting or adding
to perform a specific action.
e In
 Plug-ins: contain functions that are added to the base functionality of SAS Environment Manager
t u t
 Licenses Usage Status: displays the number of licenses in use on the platform as well as the total
number of licenses that are permitted.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
8. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
The internal account sasadm@saspw is the default account for signing on to SAS Environment
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the user
needs to be added to a SAS Environment Manager group in metadata and then synchronized to the
c .
In
corresponding role in SAS Environment Manager.
a. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment
Manager on the Favorites bar.
u t e
t i t
b. Sign in as Ahmed using the password Student1.
.
I s i o n
Ahmed cannot log on since he is not a member of the following groups in metadata:
n
SAS Environment Manager App Server Tier Users, SAS Environment Manager Guests,
S u t
SAS Environment Manager Super Users.
A tri b
c. Sign out and sign back in as sasadm@saspw and Student1.
t S
d. Go to the Manage page  List Users to see a list of the current users in Environment Manager.
s
i g
 h d i
e. Click List Roles to see the Environment Manager Roles. There should be three.
e
These three roles map to three user groups created in SAS metadata.
y r r r
f. Add Ahmed to the SAS Environment Manager Super User group in metadata.
o p f o
Go to Administration page side menu  Users.
C t
g. Filter on Group.
o
N
h. Type “SAS” in the Search field to get to the SAS Environment Manager Super Users.
i. Right-click SAS Environment Manager Super Users and select Open to open the metadata
properties.
j. From the drop-down menu, (arrow next to Basic Properties), select Members.
c .
e In
t u t
k. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
s t i n .
I n t i o
l. Move Ahmed over from the Available identites: to the Direct members. Click OK.
S
A tri b u
m. Do not click Close until you save your changes by clicking the Save button . Click Close.
t S s
g h d i
n. Go back to the Manage page and click Synchronize Users.
i
y r r e
o. Click Ok when prompted for verification.
o p f o r
p. Click Ok to close out of message that synchronization was successful.
q. Sign out as sasadm@saspw and sign back in as Ahmed to verify that he now has access to
C o t
SAS Environment Manager. Stay signed in for the next exercise.
N
9. Adding an Availability Summary Portlet to Your Dashboard
a. In SAS Environment Manager, click the Dashboard tab if not already there. Make sure you are
logged in as Ahmed.
b. Create an OS and SAS Server Tier availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add Content
to this column field.
2) Click the Configure button to display the Dashboard Settings page for the portlet.
3) Click Add to List in the Selected Resources area.
4) In the View field, make sure that Platforms is selected. Move both resources to the right.
Click OK.
5) Specify the name OS and SAS Server Tier in the Description field. Click OK.
6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking
the heading and dragging it to the top of the left column.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
1.5 Solutions
Solutions to Exercises
1. Locating and Opening the Instructions.html Document
This exercise illustrates how to find SAS web application URLs for our SAS environment, which
are documented in Instructions.html.
c .
In
Instructions.html is the reference document for your SAS deployment and would contain any
manual configuration steps that must be performed. It provides an overview of your deployment,
t e
including the web application URLs. It is located under the SAS configuration directory in the
Levn/Documents subdirectory (for example: D:\SAS\Config\Lev1\Documents).
u

i t
An Instructions.html document is created on each machine that executes the
t
SAS Deployment Wizard.
.
I n s i o n
a. Use the remote desktop connection to log on to the classroom environment, with the ip address
User: Student
S u t
that is given to you. Use these credentials:
A tri
Password: Metadata0
S b
b. Connect to the server machine and check the status of SAS Servers.
h t i s
For Windows Server
r i g
1.
e d
Use the remote desktop connection on the client machine desktop. The connection is set up
r
y
to connect to sasserver.demo.sas.com as the install account sas and password Student1.
o p f o r
C o t
N
1.5 Solutions 1-71
2. Click the Services button in the system tray. With Services selected, scroll down to the
c .
e In
t u t
s t i n .
I n t i o
 S
A tri b u
In a typical deployment, the Windows services would have a start-up type of
t S Automatic. The classroom image uses a batch file to start services.
s
h i
3. If the SAS services are started, go to Step C.
r i g
4.
r e d
If they are not started, open a CMD window under Start  Command Window.
p y 5.
6.
o
Enter the d: command.
r
Enter cd \thirdparty\scripts.
C o t
7.f Enter stopSAS.
N o
done.
8. Start the servers with the startSAS script. This displays the services as they are starting.
9. Click OK to the message prompt.
10. Click OK to the second message prompt.
c .
e In
t u t
s t i n .
A message is displayed when the script is done. (You can start the Task Manager to watch
I n
the CPU activity.)
t i o

S
A tri u
The SAS Web Application Server may take from 20 to 30 minutes to start.
b
t S
For Linux Server
s
i
1.
g h d i
Use mRemoteNG as a terminal session to the Linux server. A connection to
y r r e
o p f o r
C o t
N Linux Server
For
1.5 Solutions 1-73
2. Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verify the status of the
c .
e In
t u t
3.
s t i n .
If the servers are not started, enter the command ./sas.servers start. (The valid commands
 n t i o
are stop, start, restart, and status.)
IThe SAS Web Application Server may take from 20 to 30 minutes to start.
S
A tri b u
c. Locate and open the Instructions.html document. In a default deployment, it is located under the
t S
configuration directory in the Levn/Documents subdirectory.
s
i
For Windows Server
i g
1.h d
Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.
y r r e
o p f o r
C o t
N
For Linux Server

1. Use WinSCP located on the client desktop. Navigate to /opt/sas/config/Lev1/Documents.
c .
e In
2.
u t
Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
t
3.
s t i
WinSCP editor, not Internet Explorer.)
n .
(Optional) You can use MRemoteNg. Use the firefox
I n t i o
/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
1.5 Solutions 1-75
d. Click SAS Web Applications in the Overview list at the top of the page.
c .
e In
t u t
s t i n .
I n t i o
e. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
S
A tri b
For Windows Server u
URL for the SAS Studio web application.
t S s
i g h d i
y r r e
o p f o r
For Linux Server
C o t
N The page request is going through the SAS Web Server. The port for the SAS Web Server will
differ on Windows and Linux environments.
f. The Logon Manager appears initially. It is a web application that handles all authentication
requests for SAS web applications. Users see the same logon page when they access any
SAS web application. It is a global single sign-in session. It enables the user to access all
SAS web applications without a credential change.
Sign in as Eric and use the password Student1.
g. Enter the following code into the Program Editor:
c .
In
proc setinit;
run;

t e
This procedure will write site information to the log, such as site number, expiration
u
of license, and the SAS products that are licensed.
t i t .
h. Click the running person button located above the code to submit the program.
I n s i o n
S u t
S A tri b
h t i s
i.
r i g e d
The Log window appears. It contains a note that includes a list of the SAS software products that
are licensed in this environment. Review the information.
r
p y o r
C o t f
N o
On what operating system are these products licensed?
1.5 Solutions 1-77
What products listed pertain to data access? SAS/ACCESS Interface products, such
as the following:
c .
e In
j.
t
Close out of Internet Explorer.
t u
i
2. Looking Up SAS Software Components That Are Licensed and Installed
t .
a. On the client machine, open SAS Enterprise Guide. Select Start  All Programs  SAS 
s n
n
SAS Enterprise Guide 7.1. (Close the Welcome window.)
I t i o
b. On the Resources pane in the bottom left of SAS Enterprise Guide, expand Servers.
S
A tri
c. Expand SASApp.
b u
t S s
i g h d i
y r r e
d. Right-click SASApp and select Properties.
o p o r
e. Click the Software tab.
f
C o t
 In order to see the software licensed and installed, the client has to be connected
f. Click View SAS Server Products.

This view shows licensed and installed products for the SASApp server context. When you run
the SETINIT procedure, which was done in the demonstration and exercise, the list produced
in the log is only what is licensed.
c .
e In
t u t
s t i n .
I n t i o
S u
g. Close the SAS Server Products window and the SASApp Properties window.
A tri b
t S
3. Considering Users and Applications
s
a. What types of users do you have at your site?
i g h d i
Platform Job Role Job Role at Your Site
y r r e
o p o r
f
C o t
Power User
N Information Consumer
b. Which SAS applications are used by employees?
Platform Job Role Applications
Power User
Information Consumer
4. Locating the Installation and Configuration Directories of the SAS Deployment
1.5 Solutions 1-79
a. On the server machine, locate the installation directory.
For Windows Server

Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any desktop
applications installed on the server machine? Yes, SAS Management Console and
SAS Deployment Manager.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t For Linux Server
N
Navigate to /opt/sasinside/sas. Are any desktop applications installed on the server
machine? Yes, SAS Management Console and SAS Deployment Manager.
b. Locate the configuration directory.
For Windows Server

Access Windows Explorer and navigate to D:\SAS\Config\Lev1.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
For Linux Server
i g h d i
Navigate to /opt/sasinside /config/Lev1.
y r r e
o p f o r
C o
t
N The Levn subdirectory contains configuration information and other files for a particular
installation instance. Lev1 is generally used for production environments. Additional levels,
such as Lev2 and Lev3, can be used for environments that you install for purposes such as
development and testing. During installation, the SAS Deployment Wizard enables you to
select the level number.
5. Diagramming Your SAS Environment
a. How many physical servers are used in your SAS environment?
b. What operating systems run on your servers?
c. Use the blank diagram to indicate where the components are installed in your environment.
Draw additional boxes if necessary.
1.5 Solutions 1-81
6. Examining details_diagram.html
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS system.
Similar to an architect’s floor plan, the plan describes the intended final SAS software environment.
The plan is used in the SAS software deployment process to “tell” the SAS Deployment Wizard
which software components to install and configure on each machine. A diagram of your customized
deployment plan, called details_diagram.html (optimized for Firefox) or
details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your custom plan file.
 See Installation Note 44320: Using deployment plans during a SAS® installation.
c .
In
a. On the server machine, locate and open the details_diagram.html file.
For Windows Server
u t e
Access Windows Explorer, and navigate to D:\SAS\depot\
i t
SPAFT_94m3_Midas1195073_win_15w29\plan_files
t .
I n s i o n
S u t
S A tri b
h t i s
r i g e d
For Linux Server
r
p y o rNavigate to /opt/sas/depot/SPAFT_94m3_Midas1195073_laz_15w29/plan_files.
C o t f
N o
b. Where is SAS Management Console installed? Configured? For both, server and middle tier
machine and client machine.
Where is SAS Foundation software installed? Server and Middle Tier machine
Configured? It is not configured.
Where is SAS Enterprise Guide installed? Client machine
Configured? It is not configured.
7. Comparing Server Hierarchy in SAS Management Console

Compare the server hierarchy in the Server Manager plug-in to the configuration directory
on the server.
a. On the client machine, log on to SAS Management Console. Use the My Server profile
and provide the user ID Ahmed and the password Student1.
b. On the Plug-ins tab, expand Server Manager. Compare the server hierarchy in the Server
Manager plug-in to the configuration directory on the server.
For the Windows server, the configuration directory is D:\SAS\Config\Lev1.
c .
In
For the Linux server, the configuration directory is /opt/sas/config/Lev1.
e
What server definitions under the Server Manager plug-in have corresponding directories
t u t
in the configuration directory?
i
SASMeta, SASApp, Object Spawner, Connect Spawner, and
t
WebInfrastructurePlatformDataServer
s n .
n
Expand SASMeta and SASApp. How many servers are defined under SASMeta. How many
I i o
servers are defined under SASApp?
t
S
There is one under SASMeta.
A tri b u
There are eight under SASApp.
S
Which directories do not directly correspond to servers listed under the SASApp context?
t s
Data and SASEnvironment
h i
i g d
8. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
r r e
p yThe internal account sasadm@saspw is the default account for signing on to SAS Environment
r
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the user
o
C o t f
needs to be added to a SAS Environment Manager group in metadata and then synchronized to the
corresponding role in SAS Environment Manager.
N o
Manager on the Favorites bar.
b. Sign in as Ahmed using the password Student1.
Ahmed cannot log in because he is not a member of the following groups in metadata:
SAS Environment Manager App Server Tier Users, SAS Environment Manager Guests,
SAS Environment Manager Super Users.
1.5 Solutions 1-83
c. Sign out and sign back in as sasadm@saspw and Student1.

c .
In
d. Go to the Manage page  List Users to see a list of the current users in Environment Manager.
e
t u t
Three or four users will be listed.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
e. Click List Roles to see the Environment Manager Roles. There should be three.
y r r e
o p f o r
C o t
These three roles map to three user groups created in SAS metadata.
Nf. Add Ahmed to the SAS EV Super User group in metadata.

Go to Administration page side menu  Users.
g. Filter on Group.
h. Type “SAS” in the Search field to get to the SAS Environment Manager Super Users.
c .
e In
t u t
i.
s t i .
Right-click SAS Environment Manager Super Users and select Open to open the metadata
properties.
n
j.
I n t i o
From the drop-down menu, (arrow next to Basic Properties), select Members.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nk. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
1.5 Solutions 1-85
l. Move Ahmed over from the Available identites: to the Direct members. Click OK.
c .
e In
t u t
s t i .
m. Do not click Close until you save your changes by clicking the Save button
n
. Click Close.
I n t i o
S u
n. Go back to the Manage page and click Synchronize Users.
A tri b
t S s
i g h d i
y r r e
o p f o r
o. Click Ok when prompted for verification.
C o t
Np. Click Ok to close out of message that synchronization was successful.
q. Sign out as sasadm@saspw and sign back in as Ahmed to verify that he now has access to
SAS Environment Manager.
9. Adding an Availability Summary Portlet to Your Dashboard

a. In SAS Environment Manager, click the Dashboard tab if not already there. Make sure you are
logged in as Ahmed.
b. Create an OS and SAS Server Tier availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add Content
to this column field.
c .
e In
t
2) Click the Configure button to display the Dashboard Settings page for the portlet.
t i t u .
I n s o n
3) Click Add to List in the Selected Resources area.
i
S u t
S A tri b
h t i s
4) In the View field, make sure that Platforms is selected. Move both resources to the right.
r i g Click OK.
r e d
p y o r
C o t f
N o
5) Specify the name OS and SAS Server Tier in the Description field. Click OK.
6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking
the heading and dragging it to the top of the left column.
1.5 Solutions 1-87
Solutions to Student Activities (Polls/Quizzes)
1.02 Quiz – Correct Answer

Who should have SAS Management Console installed
on their desktops?
c .
In
Who should have access to SAS Environment Manager?
SAS Administrators, not end users
u t e
t i t .
I n s i o n
S u t
59
S A tri b
h t i s
1.03 Multiple Choice Poll – Correct Answer
r i g r e d
How often do you need to secure the SAS configuration
p y r
and set up your metadata folder structure?
o
C o t f
a. never
N o c. as needed
d. daily
61

How often do you need to check the status of your
SAS servers?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
63
I n t i o
S
A tri b u
t S s
How often do you need to investigate server logs
i g h d i
or modify logging?
y r
a. never
r e
o p f o
d. dailyr
c. as needed
C o t
N
65
1.5 Solutions 1-89

How often do you need to back up your environment?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
67
I n t i o
S
A tri b u
t S s
How often do you need to add users to the environment,
i g h
sources?
d i
manage their access, and establish connectivity to data
y r a. never
r e
o p f o r
c. as needed
C o t
d. daily
N
69
1.08 Multiple Answer Poll – Correct Answer

How often do you need to move metadata?
a. never
c. as needed
d. daily
c .
e In
t u t
s t i n .
71
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 2 Understanding SAS®
Metadata and the Metadata Server
2.1 Exploring the SAS Metadata Server and Metadata Repositories ...............................2-3
c .
In
Exercises .............................................................................................................................. 2-11
e
2.2
t
Exploring SAS Metadata Objects ...............................................................................2-15
t u
s i
Demonstration: Exploring SAS Metadata in SAS Environment Manager ............................ 2-27
t n .
Exercises .............................................................................................................................. 2-31
2.3
I n t i o
Implementing a SAS Metadata Server Cluster ..........................................................2-31
2.4
S
A tri b u
Backing Up the SAS Metadata Server .......................................................................2-31
t S s
Exercises .............................................................................................................................. 2-31
i g h d i
e
2.5 Backing Up the SAS Environment .............................................................................2-31
y r r
Demonstration: Listing the Deployment Schedule and Using the Backup Manager in
r
o p f o
SAS Environment Manager ........................................................................ 2-31
Exercises .............................................................................................................................. 2-31
C 2.6
o t
Solutions .....................................................................................................................2-31
N Solutions to Exercises .......................................................................................................... 2-31

2-2 Chapter 2 Understanding SAS® Metadata and the Metadata Server
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
2.1 Exploring the SAS Metadata Server and Metadata Repositories 2-3
2.1 Exploring the SAS Metadata Server

and Metadata Repositories
Objectives
 Explore the role of the metadata server.
c .
In
 Identify how metadata is stored.
 Examine the types of metadata repositories.

u t e
Explore how the metadata server locates, accesses,
and updates metadata repositories.

t i t
Explore how the metadata server starts up.
.
I n s i o n
S u t
S A tri b
3
h t i s
r i g r e d
p y SAS Metadata Server
o r
C o f
SAS applications connect to the metadata server.
t
N o
4
4
In most cases, users access and update metadata using SAS applications, including SAS Management
Console, SAS Environment Manager, SAS Data Integration Studio, and SAS Enterprise Guide. Web-
based applications need only a web browser. The connection profile is built into the web application.
You can also access and manage SAS metadata through programmatic interfaces, including the
METADATA and METALIB procedures, DATA step functions, and the batch tools for metadata
management. The tools are documented in SAS® 9.4 Intelligence Platform: System Administration Guide.
Other parts of the SAS platform also communicate with the metadata server, including SAS spawners,
SAS servers, and SAS middle-tier applications.
SAS Metadata Server

c .
In
The metadata server’s role is to read and write metadata.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
g d
5
i
5
r r e
The management and use of threads are controlled by the MAXACTIVETHREADS, THREADSMIN,
y
o f o r
and THREADSMAX options. See “Configuring the Number of Threads Used by the Metadata Server”
p
in SAS® 9.4 Intelligence Platform: System Administration Guide.
C t
The metadata server
o
 uses multi-threaded processing to read metadata but uses a single thread to write
N
and update.
 is an ‘in-memory’ server, enabling high-speed access by applications.
 supports concurrent users.
 provides centralized management of metadata resources.
 enables metadata exchange between applications so that applications can work together easily and
efficiently.
 is built on the SAS Open Metadata Architecture, a metadata management facility that provides
common metadata services to applications, including creating, accessing, and updating metadata.
 SAS 9.4 provides the option of implementing a metadata server cluster. Client applications and
users interact with the cluster in the same way that they would interact with a metadata server that
is not clustered.
SAS Metadata
The SAS Metadata Server provides centralized
management of metadata resources. Metadata describes
the location and structure of the SAS platform.
 server definitions
 data definitions
 users and groups
c .
In
 security settings
 business intelligence content
u t e
t i t .
6
I n s i o n
S u t
SAS applications connect to the SAS Metadata Server and issue SAS Open Metadata interface method
A tri b
calls that access metadata from repositories.
S
h t i s
Metadata Repositories
r i g e d
A metadata repository is
r
p y  a library of tables in which a collection of related
r
metadata objects is stored
o
C o t f
 stored in a physical location
 managed by a repository manager.
N o  .
7
7
Repository Manager
The repository manager is a library of tables that holds
information about the other repositories in the
environment.
c .
e In
t
OBJNAME ID REPTYPE RPOSPATH
u
Foundation A0000001.A5STDM7N FOUNDATION MetadataServer\MetadataRepositories
t
\Foundation
Repository
s i
Ole’s Work A0000001.A5590EKV
t
PROJECT
Barbara’s A0000001.A5WWW6FH PROJECT
n .
MetadataServer\MetadataRepositories
\OleWork
MetadataServer\MetadataRepositories
n o
Work \BarbaraWork
8
8 Repository
S I t i
A tri
one repository manager.
b u
A metadata server cannot be started without a repository manager. Each metadata server can have only
t S s
i g h d i
Metadata Repositories
y r r e
The metadata server supports these types of metadata
repositories:
o p f o r
Foundation
repository
Required metadata store for a metadata server. You
cannot create more than one foundation repository.
C o t
Custom
repository
An optional metadata store that is useful for
physically separating metadata for storage or security
N purposes.
9
9
The BI Lineage repository created for the BI Lineage plug-in is a custom repository. Custom repositories
appear as folders in the metadata folder tree under the SAS root folder.
A third type of metadata repository is available for Data Management solutions. A project repository
is an optional metadata store that acts as an isolated work area for SAS Data Integration Studio. Each user
who participates in change management has a project repository.
You can use the Metadata Manager plug-in to create and manage repositories.
Creating a new repository Creates initial repository content and all the metadata that defines the
repository.
Registering a repository Creates the metadata that defines the repository and points to existing
repository content.
Deleting a repository Deletes the repository content and all the metadata that defines the
repository.
Unregistering a repository Removes the metadata that describes the repository without removing
c .
In
the content of the repository itself.
SAS Metadata Server

u t e
t i t .
To enable high-speed access by users, the metadata
server is an “in-memory” server. As clients submit
I n s i o n
queries, the requested records are read from repository
data sets on disk into the server’s memory.
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o
10
10
t f
N o
When the first query for a specific type of metadata object (for example, a table) is submitted, all table
metadata is loaded into memory. The in-memory database remains until the metadata server is paused
or stopped.
SAS Metadata Server Journaling

When journaling is enabled, access is returned to clients
as soon as the metadata updates are written to the
in-memory database and the journal file. The more
time-consuming updates to the repository data sets
are performed later in the background.
c .
e In
t u t
s t i n .
11
11
I n t i o
S
A tri b u
Journaling is enabled by default for the metadata server. For best performance, it is recommended that
journaling be enabled at all times. If the metadata server fails before the update process can apply
t S
all updates from the journal file, the metadata server automatically recovers them from the journal file
when it is restarted.
s
i g h d i
In addition, journaling must be properly configured in order for roll-forward recovery to be available
in the event that you need to restore the metadata server. When the OMA JOURNALTYPE= option is set
r r e
to ROLL_FORWARD, the metadata server creates a linear journal file that permanently stores
y r
all transactions that occurred since the most recent backup.
o p f o
The metadata server is initially set up to write journal entries to a journal file that is stored in </SAS
t
Configuration Directory/Levn/>SASMeta/MetadataServer/Journal. Each time a new backup is executed,
C journaling stops and a new journal file is started in this location.
o
N
Journaling is controlled by options set in the omaconfig.xml file.
Metadata Server Start-up

The metadata server reads the omaconfig.xml file
at start-up. The omaconfig.xml file contains SAS
Metadata Server settings, including the following:
 location of the repository manager
 email addresses to which alert emails are to be sent
 journaling options
c .
 Any changes to this file require a restart
e
of the metadata server in order for the changes In
to take affect.
t u t
s t i n .
12
12
I n t i o
S
A tri b u
Alert emails that are generated by the metadata server are sent to the addresses that are specified
in the OMA ALERTEMAIL option in the omaconfig.xml file. The generated email has Metadata Server
t S
Alert in the subject line. The body of the message specifies the error that occurred, the name
of the metadata server host machine, the metadata server port, and the location of the metadata server log.
s
i g h d i
The metadata server sends alert emails in these situations:
 An error occurs during metadata server backup or recovery.
r r e
 A problem occurs and prevents the repository data sets from being updated from the journal.
y
p o r
To test the alert email configuration, do the following:
o f
C t
1. Log on to SAS Management Console.
o
2. Expand the Metadata Manager plug-in. Right-click Active Server and select Properties.
N
3. In the Active Server Properties dialog box, select Send Test Message.
4. In the Send Alert E-mail Message dialog box, enter text to be included in the email. Click OK.
Metadata Server Start-up
c .
e In
t u t
s t i n .
18
18
I n t i o
S
A tri b u
1. The metadata server is launched from the operating system either as a Windows service or from
a command. As part of the start-up, the metadata server reads the omaconfig.xml file in the metadata
t S
server configuration directory.
s
i
2. One of the settings in the omaconfig.xml file is the location of the repository manager.
i g h d
3. The metadata server connects to the repository manager.
y r r e
4. The repository manager provides information about the metadata repositories including location, type,
o p
and name.
f o r
5. The metadata server connects to the metadata repositories.
C o t
N
Exercises
1. Exploring Metadata Pointers in SAS Management Console and the Contents of the Metadata
Server Directory
a. On your client machine, log on to SAS Management Console as Ahmed with the password
Student1. (SAS Management Console is listed under the start menu.)
c .
In
b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.
t e
c. Where is the Foundation repository physically located? Under Active Server, select Foundation.
u
t i t
d. In what format is the metadata in the repository stored?
.
s
For Windows Server
I n i o n
Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\
S u t
MetadataServer\MetadataRepositories\Foundation.
A tri b
For Linux Server
S
h t i s
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/
MetadataRepositories/Foundation.
r i g e d
The metadata is stored in specially formatted SAS data sets. You should never access these tables
r
directly. While the metadata server is running, these tables are locked. Any access (query, update,
p y o r
and so on) to these must be done via the metadata server. If you do not use the metadata server
to access these tables, you risk corrupting the metadata.
C o t
 f Metadata queries that are made using SAS applications, PROC METADATA, batch tools
N o for metadata management, or DATA step functions are processed by the metadata server.
2. Checking the Availability of the Metadata Server in SAS Environment Manager
In the SAS platform, the metadata server is the most critical component. It must always be running
and responsive. In this exercise, you check the availability and health of the metadata server.
a. Open Internet Explorer on the client machine and select SAS Environment Manager on the
Favorites toolbar.
b. Sign in to SAS Environment Manager as Ahmed with password Student1.
c. Click the Resources tab.
d. Click Servers. How many Servers are listed?
e. Click sasserver.demo.sas.com SASMeta - SAS Metadata Server.
 You might need to go to the second page of server listings, by clicking the arrow at the
bottom right of the page.
 You can use the Search field and type in Metadata Server. Make sure All Server Types
is selected in the second field, and then click to the far right.
f. Look for the following metrics for a quick overview:
Availability
Server Health
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
g. If the metadata server is overusing virtual memory (too much page swapping), that could indicate
s
trouble and might cause slow responses. These metrics are helpful:
i g h d i
Process Page Faults Per Minute
Time in Calls Per Minute
y r r e
Not all metrics for this resource, the metadata server, are displayed by default, such as Time in
o p f o r
Calls Per Minute.
h. Select All Metrics in the drop-down list on the left to see a list of all the metrics for this resource.
C o t
(Currently Problem Metrics is displayed in the drop-down list.)
i. Add the Time in Calls Per Minute to the list of metrics displayed by clicking the black arrow
N next to the metric.

j. Move the Time in Calls Per Minute and Process Page Faults Per Minute to the top using the up
arrow to the right of the named metric.
k. Click Apply next to View: Update Default located above the Availability metric and to the right.
 You want to know how much the metadata server is having to use disk space because it
does not have enough memory available to it. Paging is when individual memory
segments, or pages, are moved to or from the swap area. When memory is low, portions
of a process are moved to use disk space as a temporary place to store information that it
would normally just hold in memory. This is called swapping to disk. When a process
needs to swap some data from disk to memory so that it can access the data in memory, a
page fault occurs. It is an event that occurs because the page of memory the process
wanted is currently not in memory; it is held on the swap file on the disk. Thus, when a
page fault occurs, the operating system knows that it needs to swap the data that the
process wants back into memory, and it will swap some other existing data from memory
to the disk to free up the required memory so that there is room for the required page.
One of the metrics available from the OS that describes what a process does when it
enters this memory-constrained state is the number of page faults (swaps between disk
and memory) per period of time. You can see this metric for the process examined here,
the SAS metadata server.
You expect some degree of virtual memory swapping (page faults), which is normal, but
if you see a trend of increase over time, then you should probably investigate.
l. The data for the past eight -hour time period is displayed. Change this to a 30-minute interval. Use
the Last (number)/(Unit) drop-down list to change the length of the time period displayed. Click
OK. (You can use the Previous Page/Next Page buttons to scroll through earlier time periods as
c .
In
well.)
u t e
m. Select the Metric Data button to display the data underlying the charts.
You see all of the metrics displayed here in a tabular table, whereas with the Indicators selected,
i t
there is only a subset showing, unless you add a metric to be displayed (step i).
t .

I n s o n
You can also click the Chart button next to an entry in the table to see a chart of that
metric. However, the chart is different from the indicator chart.
i
n. Select Alert.
S u t
A tri b
o. Select Configure. How many alerts are configured? How many alerts are active?
S
There are built-in alerts because Extended Monitoring has been enabled in this environment.
t i s
(Extending Monitoring is discussed in a later chapter.)
h
r i g

r d
Two alerts that might be useful are “Metadata Server ERROR message in log” and
e
“Metadata User Lockout”. If either of these alerts is fired, you might want to check the
p y o r
logs for the metadata server to get more details about why these events are happening.
o f
p. Click Metadata Time in Calls per Minute to look at the alert definition.
C t
3. Searching for Resources in SAS Environment Manager
o
N
a. Click the Resources tab. You can search for resources within a resource category (Platforms,
Servers, Services, or groups).
1) Select a resource category, such as Servers.
2) Type in a search string (for example, ‘config’) and Resource type (for example, ‘SAS Config
Level Dir’).
3) After selections are made, click the arrow to the right .
b. Use the Search menu and the resource level selector to locate the following resources:
Servers
SAS Spawners (1 object and 1 connect spawner—search on the string “spawner”)
SAS OLAP Server
SAS Home Directory
SAS Config Level Directory
Services
SAS Workspace Server
SAS Stored Process Server

c .
In
The SAS spawners, the metadata server, and OLAP server are at the Servers level in the
platform hierarchy. The SAS Application Server Tier is considered a Platform. The
t e
SAS Logical workspace servers and SAS Logical stored process servers are at the
Services level in the platform hierarchy.
u
t i t
c. Open SAS Management Console and log on as Ahmed using the password Student1. Expand the
.
Server Manager plug-in. The components above conform to the servers shown here.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
2.2 Exploring SAS Metadata Objects 2-15
2.2 Exploring SAS Metadata Objects
Objectives
 Define SAS metadata.


Explore SAS metadata types.
Explore connections between metadata objects
c .
In
and external content.
 Identify associations between metadata objects using
u t e
the Export SAS Package Wizard.
Identify associations between metadata objects using
t i t
the BI Lineage Plug-in.
.
Identify associations between metadata objects using
I n s
SAS Platform batch tools.
i o n
S u t
22
22
S A tri b
h t i s
r i g
SAS Metadata
r e d
y
A metadata object, also known as a metadata definition,
o p f o r
is a SAS resource that is used by SAS applications.
C o t Exploration
Report
23
23
Users (directly or through the groups to which they belong) need access to metadata as well
as to the non-metadata elements that they reference.
SAS Metadata Types

The SAS metadata model includes metadata types. Each
metadata object is a unique instance of a metadata type.
c .
e In
t u t
s t i n .
24
I n t i o
S
A tri
SAS Metadata b u
t S s
SAS metadata is displayed in
i g h d i
 SAS Management Console on the Plug-ins tab
y r r e
 SAS Environment Manager’s Administration tab
 the folder structure in SAS applications.
o p f o r
C o t
N Metadata Administration
Metadata is
organized in folders.
25
Renaming, moving, or deleting SAS folders and the objects that they contain can cause
unpredictable results.
Before renaming, moving, or deleting an object or a folder, see the guidelines in “Best Practices for
Managing SAS Folders” and “Best Practices for Maintaining Associations among Objects in
SAS Folders,” in SAS® 9.4 Intelligence Platform: System Administration Guide.
The initial folder structure includes the following main components:

SAS Folders is the root folder for the folder structure. This folder cannot be renamed, moved, or deleted.
It can contain other folders, but it cannot contain individual objects.
My Folder ( ) is a shortcut to the personal folder of the user who is currently logged on.
BILineage is the root folder for the BILineage metadata repository. This repository stores results from
scans that have been run using the BI Lineage plug-in. This folder should not be renamed, moved, or
deleted. The repository and folder should not be used for any purpose other than storing scan results
c .
In
Products contains folders for individual SAS products. These folders contain content that is installed
along with the product. For example, some products have a set of initial jobs, transformations, stored
e
processes, or reports that users can modify for their own purposes. Other products include sample content
u t
(for example, sample stored processes) to demonstrate product capabilities. Where applicable, the content
is stored under the product's folder in subfolders that indicate the release number for the product.
t

t i .
During installation, the SAS Deployment Wizard enables the installer to assign a different name
s n
to this folder. Therefore, your Products folder might have a different name.
I n t i o
Shared Data is provided for you to store user-created content that is shared among multiple users. Under
S
this folder, you can create any number of subfolders, each with the appropriate permissions, to further
organize this content.
A tri b u

S
You can also create additional folders under SAS Folders in which to store shared content.
t s
g h
the following folders:
i d i
System contains SAS system objects that are not directly accessed by business users. This folder contains
y r e
 Administration is not currently used.
r
 Applications contains folders for individual SAS applications that have system objects. Under these
o p f o r
folders, the objects are stored in subfolders that correspond to individual release numbers.
 Publishing contains channel and subscriber objects that are used by the Publishing Framework.
C t
 Secured Libraries contains secured data folders, secured library objects, and secured table objects that
o
have been created to support metadata-bound libraries. See the SAS Guide to Metadata-Bound
N
Libraries.
 Security and Servers contain references to security objects (users, user groups, roles, access control
templates, and authentication domains) and server objects. The white folders indicate that these are
virtual folders. The folders are displayed only in SAS Management Console to support operations such
as promotion. See “Promoting Security Objects and Server Objects.”
 Services is used by SAS BI Web Services to store metadata for generated web services.
 Types contains type definitions for public objects that exist on this metadata server.
User Folders contains folders that belong to individual users. These folders are referred to as the users'
home folders. The name of each home folder is based on the value of the user's Name field in the
User Manager plug-in for SAS Management Console.
The first time a user logs on to an application that requires a home folder, the user's home folder
is automatically created. That same folder is then used by other applications that the user logs on to.
SAS Metadata: SAS Servers
Metadata server objects

c .
e In
t u t Associated server
s t i n .
directory containing
configuration files
26
I n t i o
S
A tri b u
SAS Metadata: Users and Groups
t S s
i g h d i
y r r e
o p f o r
C o t
N  Typically, groups contain metadata users. An external
account can be associated with a group for third-party
database access.
27
Users, Groups, and Roles can be created, viewed, and managed in the following:
 User Manager plug-in in SAS Management Console
 Administration tab of SAS Environment Manager
SAS Metadata: Folders

Folder Metadata Object Folder
Hierarchical organization In most cases, no direct physical
of metadata objects content
.
No direct physical
c
content
e In
t u t
t i .
 Content mapping is in place. Digital content
s n
is stored on the SAS Content Server.
28
28
I n t i o
S
A tri b u
SAS Metadata: Libraries and Tables
t S s
h i
Library Metadata Object Library
g d
Connection information and Collection of tables stored in the
i
nickname (libref) for library operating system or RDBMS
y r r e
r
Table Metadata Object Table
o p f o
Description of the table including
columns (names, types, attributes),
indexes, and library
Physical store of relational data
C o t
N
29
29
Create and manage libraries and registration using one of the following:
 Data Library Manager plug-in in SAS Management Console.
 Administration tab of SAS Environment Manager.
In SAS Environment Manager 2.5 (the current release), SAS LASR analytic Server and SAS BASE
libraries are the only two available values for the Type field.
 Some of the metadata representations described above, such as tables, are actually a collection
of associated metadata objects.
SAS Metadata: OLAP Cubes

and Information Maps
OLAP Cube Metadata OLAP Cube
Object
Description of cube, including Hierarchical, multidimensional
dimensions, levels, measures, arrangement of data to enable
drill-through table, and schema quick analysis
c .
In
Information Map Metadata Information Map
Object
Collection of data items and
t e No direct physical content, but

filters that provide a user-friendly information map points to tables
view of the data
u or cubes for input
t i t .
30
I n s i o n
t
30
S
A tri b u
SAS Metadata: Stored Processes
t S
and Reports
s
i g h d i
Stored Process Metadata Stored Process
e
Object
y r r r
Location of SAS code (or code SAS code stored if stored
itself) and execution parameters outside of metadata on a server
o p f o
(including server used for
execution, type of output created)
C o t Report Metadata Object Report
N
Location of report definition and Report definition and additional
associated files files like graphics stored in SAS
Content Server
31
31
Metadata Object Associations

Many metadata objects are also associated with other
metadata objects. The following tools can help with
discovering the associations:
 Export SAS Package
Wizard, part of the
SAS Promotion Tools
 BI Lineage plug-in server library folder
c .
 Batch tools
e In
t u t table information
map
report
s t i n . folder folder folder

32
32
I n t i o
S
A tri b u
For example, a library metadata object is associated with a server and a folder. A table depends
on a library and is associated with a folder. An information map can depend on a table and be associated
t S
with a folder. A report can depend on an information map and be associated with a folder.
s
i
Some of these associations are also the paths through which metadata permissions are inherited.
i g h d
y r r
Promotion e
o p o r
Promotion is the process of copying selected metadata
f
and associated content within or between planned
C o t
deployments of SAS.
33
Objects can be promoted from one location in the SAS Folder tree to another location in the same tree.
For example, you might want to promote a newly created or modified object from a user’s home folder
to a shared location.
Promotion can also be used to create a backup of specific folders and objects.
These promotion tools are:

 Export SAS Package and Import SAS Package Wizards in SAS Management Console, SAS Data
Integration Studio, and SAS OLAP Cube Studio. However, SAS Data Integration Studio and
SAS OLAP Cube Studio can export and import only the objects that pertain to the application.
 the batch export tool and the batch import tool. The batch import and export tools are called
ImportPackage and ExportPackage and are found in SAS-installation-directory
\SASPlatformObjectFramework\9.4
The package format is the same regardless of the host machine’s operating system or the tool (wizard
or batch tool) used to create it.
c .
e In
Promoting Selected Content
t u t
i
You can selectively promote content.
s t
 Select multiple nested folders.
 Include all or selected objects
n .
in a folder.
I n
 Include or exclude dependent
t i o
objects.
S
A tri b u
 Use a filter to select objects
t S
based on the object name,
s
object type, or time period
i g h d i
during which the object was
created or last modified.
y r r e
 Include empty folders.
r
 Include associated physical
o p
34
content.
f o
C o t
In order for objects to function properly in the target environment, you must import the resources
N that objects depend on, unless those resources already exist in the target environment. For
example, if you want reports to function properly, the information maps that the reports depend
on must be present. If a report has stored processes or images associated with it, then those
objects must be present in the target system.
Virtual folders called Servers and Security are displayed in the SAS Folders tree in SAS Management
Console for use in promoting these objects.
BI Lineage Plug-in
The BI Lineage plug-in for SAS Management Console
identifies connections between BI objects.
 Scan results are stored in a special metadata
repository called the BILineage repository.
 BI Lineage scans can be run and viewed only
by an unrestricted administrative user.
c .
e In
t u t
s t i n .
35
I n t i o
S
A tri b u
The BILineage repository is created automatically the first time an unrestricted administrative user logs
on to SAS Management Console. The BILineage repository should not be used for any purpose other than
t S
storing scan results.
s
i
To give users permission to view scan results, you must update the BILineage repository's Default ACT
i g h
to grant ReadMetadata permissions.
d

y r r e
You cannot provide access by setting permissions on the BILineage folder that appears in the
r
SAS Folders tree, because scan results are not stored in the folder.
o p f o
Because the lineage information is not generated in real time, it is important to keep the scan information
updated. To make this task easier, you can create jobs and then schedule them to run at regular intervals.
C t
The plug-in can generate jobs for running, exporting, or deleting BI Lineage scans. After the jobs are
o
generated, you can use the Schedule Manager plug-in to schedule the jobs. For details about these tasks,
N
see the BI Lineage plug-in Help in SAS Management Console.
SAS Intelligence Platform Batch Tools

The SAS platform provides a variety of batch tools that
you can use to perform actions on objects and other
components of the SAS platform.
The batch tools are located in the path

SAS-install-directory/SASPlatformObjectFramework/9.4/
and fall under these categories:
c .
In
 metadata management tools
 export and import tools
t e
 batch relationship reporting tools
u
 metadata server administration tools
(…/tools)
t i t .
 the Deployment Backup and Recovery tool
36
(…/tools/admin)
I n s i o n
S u t
The batch tools can be incorporated into scripts so that you can run them repeatedly on either an ad hoc
A tri
or scheduled basis.
S b
 Metadata management tools can be used for tasks such as listing selected objects, deleting selected
h t i s
objects, creating new folders, and managing metadata access.
 Export and import tools enable you to promote individual objects or groups of objects from one SAS
r i g r e d
deployment to another, or from one folder location to another within the same deployment.
The promotion includes all associated content except physical files for tables and external files.
p y
 Batch relationship reporting tools enable you to identify relationships among the content objects
o r
in the SAS Folder tree. For example, you can identify the objects that a given object depends
C o t f
on or contains; the objects that depend on or contain a given object; and the objects that are associated
with a given object. Both direct and nested relationships can be identified.
N o
 Metadata server administration tools can be used by administrators to perform tasks such as executing
metadata server backups and restores, creating and deleting metadata repositories, and updating
metadata profiles.
 The Deployment and Backup and Recovery tool provides an integrated method for backing
up and recovering your SAS content across multiple tiers and machines.
Additional batch tools are available for middle-tier administration. See “Using the SAS Web
Infrastructure Platform Utilities” in SAS® Intelligence Platform: Middle-Tier Administration Guide.
 In all of the SAS Intelligence Platform batch tools, you must use the correct case for option
names (for example, -includeDep and –newOnly) and object types (for example,
InformationMap). All other elements of the commands are case insensitive.
Common Options for Batch Tools

For the Deployment Backup and Recovery batch
commands and batch relationship reporting tools:
Option Description
-host host-name Identifies the host machine for the SAS Web
Server or SAS Web Application Server.
-port port Specifies the port on which the SAS Web
Server or SAS Web Application Server runs.
c .
In
-user user-ID Specifies the user ID of the connecting user.
-password password Specifies the password of the connecting user.
-protocol
HTTP|HTTPS
t e
Specifies the communication protocol that is
u
used by the specified host machine and port.
-profile file-name
t i t
Specifies the name of a file that contains the
.
host, port, user ID, and password options. This
37
I n s i o n
option can be provided in place of
-host, -port, -user, and –password.

S u t
The password should be encrypted using SAS proprietary 32-bit encryption. To obtain the
A tri b
encrypted password, use PROC PWENCODE.
S


h t
If the –protocol option is not specified, the default protocol (HTTP) is assumed.
i s
r i g e d
A sample profile called environment.properties is located in SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample. If you use this file, be
r
y
sure to use operating system controls to protect access to the file.

o p o r
The sas-recover-offline command uses different connection options. This command needs to
f
connect to the metadata server, not the web server or web application server.
C o t
The following additional options can be specified for the Deployment Backup and Recovery batch
commands:
N
-maxattempt maximum-number-of-attempts: The maximum number of attempts that are to be made to
execute the command if the first attempt fails. The default value is 2.
-help
Common Options for Metadata Batch Tools

You must provide connection options to log on to the SAS
Metadata Server.
Option Description
-host host-name Identifies the host machine for the metadata
-port port
server.
Specifies the port on which the metadata
c .
In
server runs.
-user user-ID Specifies the user ID of the connecting user.
-password password
t e
Specifies the password of the connecting user.
u
-profile profile-name
t t
Specifies the name of the connection profile
i .
that is to be used to connect to the metadata
server. This option can be provided in place
38
I n s i o n
of -host, -port, -user, and –password.
S u t
The connection profile must exist on the computer where the command is executed. You can specify any
A tri b
connection profile that has been created for use with client applications such as SAS Management
S
Console, SAS Data Integration Studio, and SAS OLAP Cube Studio. When you open one of these
h t
applications, the available connection profiles are displayed in the drop-down box in the Connection
Profile dialog box.
i s
r i
commands: g r e d
The following additional options can be specified with any of the metadata server administration batch
p y r
-log log-path | log-path-and-filename specifies the path (or the path and filename) where the log file
o
C o
-help
t f
is to be written.
N o
Exploring SAS Metadata in SAS Environment Manager
This demonstration illustrates how to use SAS Environment Manager to explore a library metadata object,
the tables registered to that library in metadata, and the physical location of the tables.
1. Log on to SAS Environment Manager with Ahmed’s credentials.
2. Go to Administration page  Side Menu.
c .
e In
3. Select Libraries.
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
4. Here is a list of the registered library definitions in metadata.
y r r e
o p f o r
C o t
N
5. Right-click Orion Star Library and select Open. With what metadata folder is the library
associated?
 Time stamps will be different for the SAS deployment on Windows versus Linux.
6. From the drop-down menu select Options. To what physical location does the library point?
c .
e In
t u t
s t i n .
I n i o
The path for data stored on the Windows server would be D:\Workshop\OrionStar\orstar.
t
S u
7. From the drop-down menu select Assigned SAS Servers.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
8. With what server grouping is the library associated?
9. From the drop-down menu select Tables. The tables registered to this library and their metadata
folder location are listed.
c .
e In
t u t
s t i n .
I n t i o
10. Right-click Orion Star Customers and select Open to see the metadata definition of this table.
S
A tri b u
11. Click the Side Menu button and select Folders.
t S s
i g h d i
y r r e
o p f o r
C t
12. Expand Orion Star  Marketing Department  Data. The library and tables are listed here.
o
N
(Optional) Demonstration Using SAS Management Console

This demonstration illustrates how to use SAS Management Console to explore a library metadata object,
the tables registered to that library in metadata, and the physical location of the tables.
1. Verify that you are logged on to SAS Management Console as Ahmed.
2. Click the Plug-ins tab. Expand Data Library Manager  Libraries. Select Orion Star Library.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
3. Right-click Orion Star Library and select Display LIBNAME Statement. This is the SAS syntax
actually submitted to make the connection to the physical data store. The statement starts with
t S
the keyword LIBNAME, followed by a nickname (libref) and the connection information. After
s
the library connection is established, each table in the library is referenced using a two-level name,
i g h
libref.table-name.
d i
y r r e
The physical path is different depending on the operating system. Windows has the following:
o p f o r
C o t
NOn Linux, it is the following:
4. Click OK.
5. Right-click Orion Star Library and select Properties.
With what metadata folder is the library associated?
c .
e In
6. Click the Assign tab.
t u t
t i .
With what server grouping is the library associated?
s n
I n t i o
S
A tri b u
t S s
i g h d i
7. Click the Options tab.
y r e
To what physical location does the library point?
r
o p f o r
For Windows Server
On the Windows server, this library points to SAS data sets stored in
C o t D:\Workshop\OrionStar\orstar.
For Linux Server

On the Linux server, this library points to SAS data sets stored in
/opt/sas/Workshop/OrionStar/orstar.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
8. Click Cancel to close the properties of Orion Star Library.
s
i g h d i
9. Right-click Orion Star Customers table and select Properties.
y r r e
o p f o r
C o t
NIn what metadata folder is the table metadata stored?
10. Click the Physical Storage tab.
Where is the table physically stored? What is the table’s physical name? What type of data is this?
c .
In
11. Click Cancel.
12. Navigate to the location of the physical data.
For Windows Server
u t e
1.
t i t .
Use Windows Explorer to navigate to D:\Workshop\OrionStar\orstar. The
s
customer_dim.sas7bdat SAS data set is stored in this location.
I n i o n
S u t
S A tri b
h t i s
r i g d
For Linux Server
r e
y
1. Navigate to /opt/sas/DemoData/Workshop/OrionStar/orstar. The customer_dim.sas7bdat
o p f o r
SAS data set is stored in this location.
C o t
N
Exercises
4. Using the Export SAS Package Wizard to Examine Dependencies and Associations between
Metadata Objects
The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote individual
metadata objects or groups of objects from one SAS deployment to another or from one folder
location to another within the same deployment. The wizards display the associations and
c .
In
dependencies between metadata objects.
t e
a. In SAS Management Console, on the Folders tab, expand the Orion Star folder. Right-click
the Marketing Department folder and select Export SAS Package.
u
t i t
b. Accept the defaults and click Next. (You are not going to create this package,
.
so the location and options will not matter.)
n s o n
c. Under the Data folder, select Orion Star Customers. The Dependencies tab identifies
I i
the metadata objects on which the Orion Star Customers table depends.
S u t
d. Click the Used By tab. The Used By tab identifies the metadata objects that depend
A tri b
on the Orion Star Customers table.
S
e. Click Cancel.
h t i s
5. Using Relationship Reporting Tools
r i g r e d
Generating a report is a two-step process.
p y First, use the sas-relationship-loader batch tool to scan folders and objects, retrieve their
r
relationship information, and load the information into a database in the Web Infrastructure
o
o f
C o

t Effective with the third maintenance release for SAS 9.4, automatic loading of relationship
data is configured by default to execute on an hourly basis. The load process scans the SAS
N Folders tree for content items that were created or modified since the last scheduled load
operation.
Cleaning of relationship data is configured by default to execute daily at 11:00 p.m. The
cleaning operation removes relationship information for objects that have been deleted
from your content repositories.
 Secondly, use the sas-relationship-reporter batch tool to read the database populated by the
Relationship Loader and report on the relationships between selected objects.
a. Because we are working in SAS 9.4 Maintenance Release 3, automatic loading of relationship
data is configured by default. Look at the configuration details in SAS Management Console.
1) Open SAS Management Console and log on as Ahmed using the password Student1.
2) On the Plug-ins tab, select Application Management  Configuration Manager 
SAS Application Infrastructure  Web Infra Platform Services 9.4.
3) Under Web Infra Platform Services 9.4, right-click RelationshipContentService and select
Properties.
4) Select the Settings tab.
Is Scheduling for Load Task Enabled?
How often is the relationship data automatically loaded?
.
Is the cleaning of relationship data configured by default?
When and how often does this cleaning occur?
 The cleaning operation removes relationship information for objects that have been
In c
 t e
deleted from your content repositories.
u
t t
You can configure a different schedule for the loading and cleaning process here (or
i .
set the schedule if you are using a release earlier than the third maintenance release).
I s i o n
If you make any schedule changes, you must restart the SAS Web Application Server.
n
5) Click Cancel to close the Properties window.
S u t
b. To report on the relationships, use the sas-relationship-reporter tool. To execute a standard report
A tri b
on direct dependencies for objects in the /Orion Star/Marketing Department/Information
S
Maps folder:
h t s
For Windows Server
i
r i g1.
e d
Open the CMD windows under the Start Menu. Navigate to D:\Program
Files\SASHome\SASPlatformObjectFramework\9.4\tools.
r
p y 2.
o r Issue the command:
C o t f sas-relationship-reporter.exe -host sasserver.demo.sas.com –port 80 –user

sasadm@saspw –password Student1 –report directDependencies “/Orion
N o Star/Marketing Department/Information Maps”
For Linux Server
1. Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.
2. Issue the following command:

./sas-relationship-reporter -host sasserver.demo.sas.com –port 7980 –user
sasadm@saspw –password Student1 –report directDependencies “/Orion
Star/Marketing Department/Information Maps”
c. To determine the impact of changing one table, create an impact report.
For Windows Server

1. Navigate to D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.
Issue the command:
2.
sas-relationship-reporter.exe -host sasserver.demo.sas.com –port 80 –user
sasadm@saspw –password Student1 –report impact “/Orion Star/Marketing
Department/Data/GOLDORDERS (Table)”
c .
For Linux Server
e In
1.
t
Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.
t u
2.
s i
Issue the following command:
t n .
./sas-relationship-reporter -host sasserver.demo.sas.com –port 7980 –user
I n t i o
sasadm@saspw –password Student1 –report impact “/Orion Star/Marketing
S
A tri b u
d. If your environment is SAS 9.4 and prior to M3, you would first need to run the sas-relationship-
loader batch tool and load all relationships to the database before running reports in steps b and c.
t S
See the solutions for an example of this.
s
h i
6. (Optional) Using the BI Lineage Plug-in to Identify Connections between Objects
r i g r e d
To generate lineage information, run a scan on a subset of folders. The scan examines reports
and information maps that are stored in the selected folders. It also identifies objects (regardless
p yof their locations in metadata) that are connected to those reports and information maps.
o r
a. In SAS Management Console, on the Plug-ins tab, right-click BI Lineage and select New Scan.
C o t f
b. Enter Orion Star Marketing Department Information Map Scan in the Name field.
N o Click Browse to navigate to Orion Star  Marketing Department  Information Maps.

Click OK  Next  Finish  Yes.
c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department  and
select Information Maps. These are the objects that were examined during the lineage scan.
d. Right-click Orion Star Gold Orders Cube and select Lineage.
 Lineage identifies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the folders that were selected for the scan.
e. Examine the contents of the Report and Graph tabs.
 The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.
There are two types of lineage results: high level and low level. High-level results illustrate
connections between high-level objects such as tables, reports, information maps, cubes,
and stored processes. Low-level results illustrate connections to other low-level objects such
as columns, hierarchies, or data items.
The results that you viewed in the last step are high-level results.
f. Click Cancel twice.
g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average Quantity
and select Low Level Lineage. Examine the Report and Graph tabs.
c .
h. Click Cancel.
e In
t u t
7. (Optional) Using the List Objects Batch Tool
Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are stored
t i .
in the SAS Folders tree. You can filter the list based on criteria such as object name, object type,
s
folder location, creation date and time, modification date and time, keywords, notes, and responsible
n
n
user. You can create the list in text, comma-separated values (CSV), or XML format.
I t i o
a. First, find the metadata object type for a stored process. In SAS Management Console, under
S
A tri b u
the Folders tab, navigate to System  Types. Right-click Stored process and select Properties.
Click the Advanced tab. Find the value for TypeName. This will be used for the type option
S
when using the batch tool.
h t i s
r i g r e d
p y o r
C o t f
N o
b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list all
stored processes in the Orion Star  Marketing Department. How many objects were found?
For Windows Server
1. Open the CMD window. It is under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.
2. Change the drive to D.

3. Use the cd (change directory) command to navigate to D:\Program
.
4.
5.
Use the dir command to list the contents of the directory.
Issue the following command: sas-list-objects.exe –help

In c
t e
This displays the available options for this command.
u
6.
i t
Generate the list of stored processes with the following options:
t .
s n
sas-list-objects.exe -host sasserver.demo.sas.com –port 8561 –user Ahmed –password
n
“Student1” –folderTree “Orion Star/Marketing Department” –types StoredProcess
I
–format LIST
i o
S u t
A tri b
For Linux Server
S
1.
h t Use MRemote to navigate to
i s
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools
r i g
2.
e d
Use the cd (change directory) command to navigate to
r
p y 3.
o r
List the contents of the directory.
C o 4.
t f Issue the following command: ./sas-list-objects -help
N o 5.
Generate the list of stored processes with the following options:

./sas-list-objects -host sasserver.demo.sas.com -port 8561 -user Ahmed -password
“Student1” -folderTree “Orion Star/Marketing Department” -types StoredProcess
-format LIST
2.3 Implementing a SAS Metadata Server Cluster 2-39
2.3 Implementing a SAS Metadata Server

Cluster
Objectives
 Explore how a metadata server cluster operates.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
h i
43
r i g r e d
p y SAS Metadata Server Cluster
o r
C o t f
A metadata server cluster is a coordinated set of
metadata servers that act as a single metadata server for
o
a SAS software deployment. Client applications and users
interact with the cluster in the same way that they would
N interact with a metadata server that is not clustered.
Metadata Server  Provides redundancy and high

Clustering availability of the metadata
server.
 Ensures that the server
continues to operate if a server
host machine fails.
44
For documentation about metadata server clustering, refer to SAS® 9.4 Intelligence Platform: System
Administration Guide.
SAS Metadata Server Cluster

A cluster is three or more metadata server nodes.
Each node
 typically runs on a separate machine
 runs its own server process
 has a complete copy of all metadata
 has its own server configuration directory,
c .
In
configuration files, journal file, and logs.
t e
If you change a configuration file or start-up script
that is associated with the metadata server, be sure
u
in the cluster.
t t
to make the identical changes on each node
i .
45
I n s i o n
S u t
Each node also maintains a complete in-memory copy of the metadata repository.
S A tri b
h t
Master Node and Slave Nodes
i s
r i g r e d
p y o r
C o t f
N o
46
When a clustered metadata server is started, the nodes establish communication with one another. One
of the nodes becomes the master node that coordinates activity within the cluster. The other nodes are
considered slave nodes. A load-balancing process automatically distributes work among the slave nodes.
Maintaining Quorum in a Clustered

Environment
For a cluster to operate, a quorum of nodes must be
running. If a quorum is not achieved, the server is paused
to offline status. A quorum exists if
 in clusters with an odd number of nodes, more than
one half of the nodes are running
 in clusters with an even number of nodes, one half of
c .
the nodes are running as long as the initially
configured server is running.
e In
t u t
s t i n .
47
I n t i o
S u
Quorum Determination with an Odd Number of Nodes
A tri b
S
Node 1 Node 2 Node 3 Quorum? Server (Cluster)
t
Status
g h d i s Yes Online
y r i r e Yes Online
o p f o r No
Yes
Offline
Online
C o t No Offline
N
Quorum Determination with an Even Number of Nodes
Node 1 (initially
configured
Node 2 Node 3 Node 4 Quorum? Server (Cluster)
Status
server)
Yes Online
Yes Online
Yes Online
No Offline
Yes Online
No Offline
No Offline
How Clients Connect

to a Metadata Server Cluster
c .
e In
t u t
s t i n .
48
I n t i o ...
S
A tri b u
A client application can connect to any of the three nodes. If a client application attempted to connect to
the master node, it would be redirected to a slave node.
t S
In this example, the first client application connects to node 1, which is a slave node.
s
i g h d i
y r r e
How Clients Connect
to a Metadata Server Cluster
o p f o r
C o t
N
50
When the second client application attempts to connect to node1, it is redirected to one of the other slave
nodes (node 2 in this example) by a load-balancing process. Currently, the load-balancing algorithm
is a round-robin process.
After a client application is connected, it can never be redirected to another node. If the node fails,
the client must reconnect to another node.
Metadata Read Requests
c .
e In
t u t
s t i n .
51
I n t i o
S
A tri b u
Client applications request metadata from the slave node to which they are connected. If the request does
not require an update to metadata, the slave node executes the request using the metadata that is stored
t S
on that node (or in memory). The other nodes are not aware and do not participate.
s
g h d i
Metadata Update Requests
i
y r r e
o p f o r
C o t
N
56
1. If the request requires an update to metadata, the slave node forwards the request to the master node.
2. The master node performs all of the needed preparation work before the metadata is updated,
including constraint checks and permission checks. After it is accepted, the master node creates
a journal entry in its journal and queues the update to its in-memory copy of the metadata.
3. The master node forwards the journal entry to the slave nodes. The slave nodes add the journal entry
to their individual journal files and queue the update to their in-memory copy of the metadata.
4. The slave node updates its in-memory copy of the metadata. When it completes the update, the slave
node responds to the client application that is connected to the slave node. Be aware that the other
slave nodes might not have performed the update to their in-memory metadata yet. If any read
requests come to the other slave nodes, they respond with consistent data without the pending
updates.
c .
In
Slave Node Failure
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
57
r i g r e d ...
p y o r
If a slave node fails, it drops out of the cluster. The master node becomes aware that the slave node is
C o t f
gone and no longer sends updates there. If quorum is maintained, load balancing uses only the remaining
slave nodes for new connections. When a slave node fails, in-flight transactions can fail.
N o
If a client application is currently connected to a node that dies, the application automatically tries
to connect to another node.
Slave Node Failure
c .
e In
t u t
s t i n .
58
I n t i o
S
A tri b u
The client application reconnects to another slave node. The reconnection is either automatic
or the application prompts the user. Most applications have access to a list of nodes in the cluster.
t S
For most applications, the list is updated automatically. On each machine that includes an object spawner,
s
a SAS/CONNECT spawner, or components of SAS Application Servers (such as workspace servers,
i g h d i
pooled workspace servers, OLAP servers, and stored process servers), you need to use the sas-update-
metadata-profile batch tool to update the metadata profiles.
y r r e
o p o r
Master Node Failure
f
C o t
N
59 ...
If the master node fails, one of the slave nodes is promoted to the server when the master node
and the cluster resume operation.
Master Node Failure
c .
e In
t u t
s t i n .
60
I n t i o ...
S
A tri b u
When the master node goes away, the slave nodes go offline. The remaining nodes immediately establish
communication with each other and select a new master node. After a quorum is available, the cluster
t S
comes back online.
s
g h d i
Master Node Failure
i
y r r e
o p f o r
C o t
N
61
In this particular example, a client application was connected to a node that became the master node.
Because connection redirects happen only at connection time, this client application is not redirected
and stays connected to the master node, which services its requests. The new master node does not accept
new connections.
Prerequisites for Cluster Configuration

All of the host machines in the cluster must have
the same operating system and meet the requirements
to run a metadata server.
In addition, all of the servers in the cluster must
do the following:
 use the same network path to access the metadata
server backup location
c .
 be started using a single user account
e In
t u t
 On a Windows Server, SAS Metadata Server service
needs to be changed over to a user account. It is
t i
currently running under System.
s n .
62
I n t i o
S
A tri
machine deployment.
b u
When setting up metadata server clustering, you must use a deployment plan that specifies a multiple-
t S
The single user account must be recognized by all of the machines that participate in the cluster.
s
i g h d i
y r r e
Configuring a Metadata Server Cluster
o p o r
To configure the cluster, do the following:
Step1: Configure the initial metadata server to use the
fnetwork location for backups and the service login
C o t account.
 This can be done during the initial
N configuration of the metadata server or

you can modify an existing metadata server.
Step 2: Install and configure additional metadata server
nodes.
63
If you want to configure the initial metadata during the initial configuration, do the following
in the SAS Deployment Wizard:
 Override the default metadata server backup location and specify the network path to a backup location
that all of the nodes in the cluster can access.
 If necessary (for example, on Windows), specify the external account that is used to start the server
(service logon account).
To modify the configuration of an existing metadata server in preparation for clustering, do the following:
 Specify the network location for the metadata server backup path. You can use SAS Management
Console and select Metadata Manager  Metadata Utilities  Server Backup 
c .
Backup Configuration.
 Ensure that the metadata server is started with an external account that is recognized
e In
– Stop the metadata server.
t u t
by all the machines that participate in the cluster. On the Windows system, follow these steps:
t i .
– In the Windows Services Manager, open the properties of the SASMeta – Metadata Server service.
s n
On the Log On tab, specify the appropriate external account.
I n
– Start the metadata server.
t i o
S
A tri b u
Monitoring Clustered Metadata Servers
t S
There are two ways to monitor clustered metadata
s
i
servers:
h d
i g
y r r e
o p f o r
C o  t SAS Environment Manager
N
64
SAS Management Console enables you to view the overall status of a metadata server cluster and to
individually monitor each node in the cluster.
 To view the overall status of the cluster: Expand the Metadata Manager plug-in. Right-click the
Active Server node and select Properties. Select the Cluster tab to see the overall status of the cluster
(including the presence or absence of a quorum) and the status of each of the nodes in the cluster.
2.4 Backing Up the SAS Metadata Server 2-49
 To view more detail about the individual nodes in a cluster: Navigate to Server Manager 
SASMeta  SASMeta - Logical Metadata Server. Expand SASMeta - Logical Metadata Server.
Each node appears on a separate line.
Select a node and connect to it.
Use the tabs on the right pane to view the node’s connections, clients, options, loggers, and log events.
Select Stop to stop only the selected node. Select Pause, Resume, Quiesce, or Validate. These actions
affect the entire cluster.
SAS Environment Manager supports monitoring of SAS metadata server clusters, effective with the
c .
In
second maintenance release for SAS 9.4. To view status indicators and metrics for the cluster:
 On the Resources tab, select Platforms. In the list of platforms, select SAS 9.4 Application Server
t e
Tier. Deployment-wide information is displayed at the top of the page, including the message
Metadata Clustered: Yes.
u
t i t .
Select Monitor and then select a time period to display.
I s i o n
Select Indicators, and then scroll down to display Metadata Cluster Nodes Available, Metadata
n
Cluster Nodes Defined, Metadata Cluster Percent Available, and Metadata Cluster Quorum
Available.
2.4 Backing Up the SASS Metadata u tServer

S A r i b
h t
Objectives i s t
r i g

r e d
Examine the best practices for backing up your
p y 
o r
SAS environment.
Examine the automatic metadata backup schedule
C o t
 f and backup configuration.
Use the metadata server backup facility to perform
N o an ad hoc backup and recovery.
67
Backing Up the SAS Platform

To ensure the integrity of the content that is created
and managed by the SAS platform, the following are
recommended best practices:
 Always use the metadata server backup facility
to back up the repository manager and metadata
repositories.
 Perform regularly scheduled full backups.
c .
 Perform backups before and after major changes.
e
 Specify a reliable backup destination that is included In
in daily system backups.
t u t
s t i n .
68
68
I n t i o

S u
In some situations, it might be appropriate to back up specific objects or folders in the metadata
A tri b
folders (SAS Folders) tree. In these situations, you can use the promotion tools, which include
t S
the Export SAS Package Wizard, the Import SAS Package Wizard, and the batch export and
s
import tools.
g h d i
Suggested Approach for Synchronizing Metadata Backups with Physical Backups
i
r r e
1. Back up the metadata server, the SAS Content Server, the SAS Web Infrastructure Platform Data
y
Server, and the physical files concurrently (that is, in the same backup window). One way to do this
o p f o r
is to use the Deployment Backup and Recovery tool.
2. Back up the SAS Content Server, the SAS Web Infrastructure Platform Data Server, and the physical
C t
files immediately after the metadata server is backed up, and do not allow clients to update metadata
o
while you are performing these backups. If you are running the backup on a batch basis (for example,
N
as part of a daily schedule), then you can do the following to implement this approach:
a. Write a program that uses PROC METAOPERATE to pause the metadata server to an Offline
state. See “Example of a PROC METAOPERATE Program That Pauses the Metadata Server
to an Offline State” in SAS® 9.4 Intelligence Platform: System Administration Guide, Third
Edition. You can use this program to pause the metadata server while you back up the SAS
Content Server, the SAS Web Infrastructure Platform Data Server, and associated physical data.
If you use operating system commands to back up the metadata server, then you can use this
program to pause the server before running the backup.
b. Write another program that resumes the metadata server to an Online state. See “Example
of a PROC METAOPERATE Program That Resumes the Metadata Server,” in SAS® 9.4
Intelligence Platform: System Administration Guide, Third Edition. You can use this program after
using operating system commands to back up the metadata server, or you can use it after backing
up the SAS Content Server, the SAS Web Infrastructure Platform Data Server, and associated
physical data.
3. If you are running an ad hoc (unscheduled) backup and you need to also back up associated data, then
you can do the following to prevent clients from updating metadata while you are backing up the
associated data:
a. Use the metadata backup facility to back up the metadata server. Then immediately use
SAS Management Console to pause the metadata server. As an alternative, you can use
SAS Management Console to temporarily change the registered access mode of the repositories
to ReadOnly.
b. Back up the SAS Content Server, the SAS Web Infrastructure Platform Data Server,
and the physical data.
c .
c. When you are finished backing up the SAS Content Server, the SAS Web Infrastructure Platform
e
Data Server, and the physical data, use SAS Management Console to resume the metadata server In

t u t
(or to return the registered access mode of the repositories to Online).
s i
In addition, you should synchronize the backups with the backup of other physical files.
t n .
I n
Back Up and Restore Tools
t i o
S
A tri b u
Formal, regularly scheduled backups are scheduled
at deployment of your SAS platform with these tools:
t S
 Metadata Server Backup Facility in SAS Management
Console
s
i g h d i
 SAS Backup Manager in SAS Environment Manager
or Deployment Backup and Recovery Tool
y r r e
o p f o r
C o t
69
N69
SAS Metadata Server Backup Facility

The metadata server backup facility automatically backs
up these files:
 the metadata repositories
 the repository manager
 all of the files in the metadata server
configuration directory
c .
In
 the journal file
u t e
t i t .
70
I n s i o n
S u t
A tri b
SAS Metadata Server Backup Facility
S
h t i s
The metadata server includes a server-based facility that
 executes in a separate thread while the metadata
r i g e d
server is running
r
 is configured by default to perform automatic
p y o r
scheduled backups
 can also be used
C o t fto perform ad hoc

backups and
N o roll-forward
recovery
 can be managed
from the Metadata
Manager plug-in.
71
71
If you use operating system commands to back up your metadata repositories and Metadata
Manager instead of using the metadata server’s backup facility, then you must be sure to pause
the metadata server to an Offline state before you perform the backup. If the metadata server
is in an Online state or is paused to an Administration state, then the backup files are not usable.
 You can use PROC METAOPERATE to pause the server to an Offline state before the backup
is taken and to resume the server to an Online state when the backup is complete.
The backup facility executes in a separate thread while the metadata server is running. Therefore,
the metadata server does not need to be paused during backups unless certain options are selected.
If journaling is disabled or if the Reorganize Repositories backup option is selected, the server is paused
for Read-Only use so that queries (but not updates) can continue to be processed.
In addition to running scheduled backups, the metadata server automatically backs itself up under certain
unscheduled situations. Unscheduled backups use the same server-based facility and the same
configuration options that are used for scheduled backups.
A backup is run automatically in the following situations:
 after the SAS Deployment Wizard configures a metadata server.
c .
 after you complete a successful recovery of the metadata server.
e
 if you change the JOURNALTYPE option in the omaconfig.xml file to NONE or SINGLE (which In
t u t
is not recommended), and later change the option back to ROLL_FORWARD. A metadata server
backup is run automatically when you restart the metadata server.
t i .
You can also run an ad hoc backup using the MetadataServer command or the backupServer.sas program.
s n
Backups that are run using these methods use the same server-based backup facility and the same backup
I n i o
options that are used for scheduled backups.
t
S
A tri b u
You can schedule a backup using the MetadataServer command or the backupServer.sas program. First,
disable the automatic backups in the Backup Schedule properties.
t S
You cannot reorganize repositories when you run a backup with the MetadataServer command
s
i g h d i
or the backupServer.sas program.
y r r e
Automatically Configured Backups
o p f o r
C o t
N
Backups are performed daily
at 1:00 a.m. server local time.
On Mondays, the Reorganize
Repositories option is used.
Backups are stored in

/Lev1/SASMeta/MetadataServer/Backups.
Backups are retained for seven days.

Each time a backup is completed
successfully, backup files that are
more than seven days old are deleted.
72
 If the backup is unsuccessful, no backups are deleted.
 If you do not want backups to be deleted automatically based on a retention policy, select 0 for
the Number of days to retain backups field in the Backup Configuration.
 In a metadata server clustered environment, a network accessible absolute path needs to be

specified.
To access the backup schedule, expand Metadata Manager  Metadata Utilities. Right-click
Server Backup and select Backup Schedule.
c .
e In
t u t
s t i n .
To access the backup configuration, expand Metadata Manager  Metadata Utilities. Right-click
I n i o
Server Backup and select Backup Configuration.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Backup Location
N By default, the metadata server backup facility writes
backup files to the Backups subdirectory of the metadata
server’s configuration directory.
73
73
Within the backup location, each set of backup files (along with the associated journal file) is stored
in a directory whose name is based on the date and time that the backup is started.
 As a best practice, you should modify your backup configuration to specify a storage device
other than the device that is used to store the metadata repositories and server configuration
files. Specifying a separate device ensures that the backup files and their associated journal files
(including the most current journal file) are available in the event of a disk failure.

.
Make sure that the Backups directory (or the backup destination that you specify) is included
c
in your regular system backups.
e
Backup Retention Policy and Backup History In
t u t
Each time a successful backup is completed, previous
s t i
backups that are older than the specified number of days
.
are deleted automatically. The backup history automatically
n
displays the offline status icon for deleted backups.
I n t i o
deleted S
A tri b u
t S
backups
s
i g h d i
y r r e
o
74
p 74
f o r
C t
It is strongly recommended that you use operating system tools to copy backups to another location.
o
These copies are no longer under the control of the backup retention policy. In particular, it is a very
N
good idea to retain the backups that you did at critical times, such as the initial backup that you did after
configuration.
If you do not want backups to be deleted automatically based on a retention policy, select 0 for the
Number of days to retain backups field in the Backup Configuration. If you make this selection, you
need to delete files manually from the backup location on a regular basis to ensure disk space availability.
 The offline status icon ( ) is not displayed automatically for backups that you delete manually.
To update the status icon for a manually deleted backup, you must access the backup’s Properties
dialog box.
The check-mark icon means that the backup or recovery was successful. For backups, this icon also
means that the backup was determined to be valid the last time the files were checked. A backup
is considered valid if all of the files are present in the backup location, all of the files have the correct
universally unique identifier (GUID), and all of the filenames and file sizes are correct.
The x icon indicates that either the backup or recovery was not successful or the backup was successful,
but when the files were last checked, they were invalid.
Reorganize Repositories Option

When metadata is removed from a metadata repository,
the record is removed from both memory and disk.
However, the disk space allocated for the record remains
in the data set.
When you use the Reorganize Repositories option as part
of a backup, the unused disk space from previously
deleted records is reclaimed.
c .
e
The Reorganize Repositories option should be used
In
u t
only during times of little or no user activity. The
metadata server is paused during the reorganization
t
s i
process, and any update transactions that are
t n .
issued during this process fail.
75
75
I n t i o
S
A tri b u
The default backup schedule specifies a weekly reorganization. It is not necessary to reorganize
the repositories more frequently than once a week, except in extraordinary situations such as deletions
t S
of a large amount of metadata. The repository reorganization process affects disk space only. It does not
affect the memory usage of the metadata server.
s
i g h d i
If the Reorganize Repositories option is selected, the backup process does the following:
r e
1. pauses the server, placing it in a ReadOnly state
y r
o f o r
2. copies the metadata server files to the backup destination
p
3. re-creates the repository data sets in place, which eliminates the unused disk space in the process
C o t
4. resumes the server to an Online state
Backing Up a Metadata Server Cluster

The metadata server facility backs up the node that
is acting as the master node.
 In the backup configuration for each node, make
sure that you have specified the same backup
destination.
 Make sure that the backup destination is
accessible to all of the nodes via the same
c .
network path so that the backup occurs regardless
of which node is the master node.
e In
t u t
 The Reorganize Repositories option is ignored.
s t i n .
76
76
I n t i o
S
A tri b u
The REORG backup option is ignored when you back up a server that was started with the clustering
option. However, you can use this option when you back up a single node that was started without
t S
the clustering option.
s
i
To start a single node without the clustering option, use the following command:
i g h d
For Windows Server
y r r e
D:\SAS\Config\Lev1\SASMeta\MetadataServer\metadataserver.bat –startNoCluster
o p f o r
For Linux Server
C o t
opt/sas/config/Lev1/SASMeta/MetadataServer/metadataserver.sh –startNoCluster
N
The node starts as a single, non-clustered metadata server that is paused to the Administration state.
This action is useful when you want to perform one of the following administrative tasks on a node:
 perform a metadata server recovery
 back up the metadata server with the REORG option
 run the optimizeIMDB command option of the metadata server script
 run the Metadata Analyze and Repair tools
After you perform one of these functions, you must restart the node to place it in the cluster
mode as the master node. Then start the other nodes in the cluster. The master node updates
the other nodes with the new data from the recovery, REORG, optimizeIMDB, or analyze
and repair operation.
Recovering the Metadata Server

You can use the Metadata Manager plug-in to recover
the metadata repositories and repository manager.
c .
In
You can choose to
recover the
configuration files.
u t e
You can choose to
apply updates stored
t i t .
77
I s
in the journal file.
n i o n
t
77
S
A tri b u
If you need to recover an unresponsive metadata server, refer to “What to Do If the SAS
Metadata Server Is Unresponsive” in SAS 9.4 Intelligence Platform: System Administration
t S
Guide, Fourth Edition.
s
i g h d i
The recovery facility provides safeguards to ensure the integrity of the backup files from which you are
recovering. The recovery operation checks that the backup directory contains the correct files and that
y r r e
the files have the correct name and file sizes. In addition, each backup file contains a universally unique
identifier that is used to make sure that you are recovering files for the correct metadata server. If any
o p f o r
problems exist, the recovery is not started and a warning message is displayed.
During recovery operations, the metadata server is paused automatically to a Recovery state. The state
C t
is similar to an Offline state but more restrictive. After the recovery, the metadata server performs
o
an automatic backup. If the recovery is successful, the metadata server is returned to the state that it was
 N
in before the recovery process.
In the first maintenance release for SAS 9.4, the metadata server script includes a –recover
option. This option starts a server that is not currently running, and then restores the server’s
metadata repository from the most recent backup. The option provides an easy way to recover
a server or node that is unresponsive. The option does not provide roll-forward recovery, recovery
of configuration files, or recovery from a backup other than the most recent backup.
You can recover from a backup that is listed in the backup history pane.
You can also recover from backup files stored in an alternate network-accessible location.
c .
 When recovering from a metadata backup, you replace all of the metadata with the backup copy.
e In
u t
If you might need to restore only a small portion of the metadata, use the Export Wizard
on a regular basis to create package files that include metadata and associated objects
t
i
if appropriate. If you then need to restore part or all of the package, use the Import Wizard.
s t n .
The Export and Import Wizards’ functionality is also available in batch mode. Refer to SAS® 9.4
Intelligence Platform: System Administration Guide for details about how to use the promotion
I n t i o
tools, and the batch export and import tools in particular.
S
A tri b u
Recovering a Clustered Metadata Server
t S
You can use the metadata server recovery facility only
s
i
on a single metadata server node.
i h d
Step 1: Stop all of the nodes in the cluster.
g
y r r e
Step 2: Start one of the metadata server nodes
with the startNoCluster option.
o p f o r
Step 3: Use the metadata server recovery facility
on the single node.
C t
Step 4: Restart the node and place it in cluster mode.
N o Step 5: Start all of the other nodes in the cluster.
78
78
After you recover the single node, the master node updates the other nodes with the new data from
the recovery operation.
Exercises
8. Exploring the Backup Schedule and Backup Configuration in SAS Management Console
a. In SAS Management Console, on the Plug-ins tab, expand Metadata Manager  Metadata
Utilities. Right-click Server Backup and select Backup Schedule.
When did the last automatic backup occur? Did it invoke the Reorganize Repositories option?
c .
Click Cancel.
e
b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select In
backups are stored there?
t u t
Backup Configuration. Where are the metadata server backups stored? And how many days of
Click Cancel.
s t i n .
I n
c. Locate backup files.
t i o
S
For Windows Server
A tri b u
t S
MetadataServer\Backups.
s
i g h d i
For Linux Server
y r r e
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.
o p o r
How many backup subdirectories are there in the Backups directory? Does this match the number
f
of usable backups in the backup history pane in SAS Management Console?
C o t
9. Performing an Ad Hoc Backup
Na. Use the Metadata Manager to perform an ad hoc backup of the metadata. Provide a comment
when you are prompted.
b. Verify that the backup is marked with a green check mark in the backup history.
c. Verify that the backup directory was created and populated in the backup destination.
10. (Optional) Restoring the Metadata
a. On the Folders tab, create a new folder. Include the current time in the name of the folder.
Make a note of the current time.
b. Wait a few minutes and create another new folder. Include the current time in the name.
c. Delete the two new folders.
d. As a best practice, it is recommended that you pause the metadata server to the Administration
state before you perform a recovery. On the Plug-ins tab, expand Metadata Manager.
Right-click Active Server and select Pause  Administration. Provide a comment and
click OK.
e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click
the ad hoc backup that you created in the last exercise. Select Recover from this backup.
f. Provide comments for the backup history and for the server that you paused. Use the
ROLLFORWARD transaction option to restore the metadata from the last backup
to a time immediately after you created the first folder but before you created the second folder.
c .
Was the backup successful?
e In
t u t
In addition to the ad hoc backup and the restore, what else now appears in the backup history?
i
g. Resume the metadata server by expanding Metadata Manager. Right-click Active Server
and select Resume.
s t n .
n
Switch to the Folders tab. Verify that only the first folder now appears on the Folder tab.
I t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
2.5 Backing Up the SAS Environment
Objectives
 Explore the Deployment Backup and Recovery tool.
 Explore and use the Backup Manager in
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
82
h t i s
r i g r e d
Back Up and Restore Tools
y
Formal, regularly scheduled backups are scheduled
o p f o r
at deployment of your SAS platform with these tools:
 Metadata Server Backup Facility in SAS Management
t
Console
C o  SAS Backup Manager in SAS Environment Manager

or Deployment Backup and Recovery Tool
83
83
 The Deployment Backup and Recovery tool is the underlying software used for SAS Backup
Manager in SAS Environment Manager.
2.5 Backing Up the SAS Environment 2-63
 The SAS Deployment Agent must be running on each middle-tier and server-tier host machine.
The Deployment Backup and Recovery tool connects with the agent and automatically discovers
the tiers in your deployment and their installed components. New components in your
deployment are detected automatically and added to the backup. For example, the tool detects
new instances of the SAS Web Infrastructure Data Server and new databases that are managed by
the server.
What Is Backed Up?

c .
e In
t u t
s t i n .

n t i o
The Config Directories include the contents of the
I
Data directories, SASEnvironment directories, and
S
A tri b u
server configuration directories for each server on the
SAS server tier. Additional directories can be included
using the command sas-update-backup-config.

t S
By default, all of the databases are backed up that are
s
i
managed by the SAS Web Infrastructure Platform
84
i g h d
Data Server.
r e
84
p y r
For metadata server backups, the metadata server backup utility is used.
r

o t f o
If symbolic links in the configuration directories point to other locations, the referenced locations
C
are not backed up.
N o Additional directories under SAS-configuration-directory/Levn can be included in the backup,

using the command sas-update-backup-config. If your deployment is not current with the third
maintenance release for SAS 9.4, then use the command sas-update-backup-config.
 If you need to exclude specific tiers, servers, databases, directories, or files from the backup, you
can do so by using the command sas-update-backup-config. You can also use the SAS Backup
Manager user interface to update the basic backup configuration. You cannot use the user
interface to define filters.
The SAS Content Server contains content that is associated with metadata objects including content for
the SAS Information Delivery Portal, report definition files, other supporting files for reports including
PDF files and images, and content for SAS solutions.
You can use the Deployment Backup and Recovery tool to back up the SAS Content Server.
Alternatively, if you are storing SAS Content Server content in the file system, you can back it up
as follows:
1. As a best practice, stop either the SAS Web Application Server or the SAS Content Server before
making the backup.
2. Use operating system commands or third-party tools to copy all of the files and subdirectories from
the following path:
SAS-configuration-directory/Lev1/AppData/SASContentServer/Repository
c .
If you need to back up just a subset of the SAS Content Server, you can use the WebDAVDump
e
and WebDAVRestore utilities. For instructions, see SAS Usage Note 38667. In
t u t
s i
Deployment Backup and Recovery Tool
t n .
The Deployment Backup and Recovery tool consists
I n
to do the following:
t i o
of a variety of batch commands that you can use
S
A tri b u
 execute an ad hoc (unscheduled) backup
 customize your backups
t S
 display information such as the current schedule,
s
the current configuration, and detailed backup history
i g h d i
 perform a full or partial recovery from one
e
of the backups
y r r r
o p f o
C 85
o
85
t
N
The Deployment Backup and Recovery tool is a collection of commands that provides an integrated
method for backing up and recovering your SAS content across multiple tiers and machines. The tool is
installed on the middle tier as part of the SAS Web Infrastructure Platform. It connects with the SAS
Deployment Agent on each middle-tier and server-tier host machine.
SAS Backup Manager

SAS Backup Manager is a user interface, accessed in
SAS Environment Manager, that enables you to schedule,
configure, monitor, and perform integrated backups of
your SAS content across multiple tiers and machines.
c .
e In
t u t
s t i n .
86
86
I n t i o
S
A tri b u
The SAS Backup Manager interface, which is new with the third maintenance release of SAS 9.4, enables
you to perform most of the functions of the Deployment Backup and Recovery tool. In previous SAS
t S
releases, these functions were available only through batch commands.
s
i g h d i
Backup Schedule
y r r e
By default, the Deployment Backup and Recovery tool
o p f o r
runs automatically each Sunday at 1:00 a.m.
Backup files are retained for a period of 30 days.
C o t
N
87
87
Coordination of Backups
The two backup tools provided by SAS coordinate their
backup schedules to avoid conflicts.
 The SAS Metadata Server Backup and Recovery
Facility is scheduled to run by default at 1:00 a.m.
local machine time every day except Sunday.
 The SAS Deployment Backup and Recovery Tool
performs a scheduled backup each Sunday at 1:00
c .
a.m. local machine time.
e In
t u t
s t i n .
88
88
I n t i o
S
A tri b u
The backup schedules might be modified as appropriate for your deployment. However, be sure not to
schedule the Deployment Backup and Recovery tool to run at the same time as the stand-alone metadata
t S
server backups. Also, if you schedule multiple backups per day, be sure to leave enough time for each
s
backup job to complete before the next scheduled backup starts.
i g h d i
y r r e
Default Backup Location
o p f o r
All components, except for the metadata server, are
backed up to the following path on each host machine:
C o t SAS-configuration-directory/Lev1/Backup/Vault
The directory is created on each machine the first time
N a backup is executed.
89
89
By default, backup files are stored locally on the same machine where the backed up component is
located.
For metadata server backups, the tool uses the backup files that are created by the metadata server backup
utility. The tool copies these files to SAS-configuration-directory/Lev1/Backup/Vault on the metadata
server machine.
 If metadata server clustering is configured, the files are copied to the initially configured
metadata server.
Central Vault Locations

c .
In
In addition, if you specify a central, network-accessible
vault location, the backups from each host machine are
u t e
copied to that location following each backup operation.
t i t .
I n s i o n
S u t
S A tri b
h t i s
90

90
r i g r e d
p y A central vault location is required in clustered middle-tier environments and is highly
r
recommended for multiple machine deployments.
o
C o

t f
A central vault location is highly recommended to avoid the loss of backup files in the event that
a host machine fails.
N o
The SAS Deployment Wizard enables you to specify a central vault location during the installation and
configuration process, if you have a homogeneous operating system environment. Otherwise, you can use
either SAS Backup Manager or the sas-update-backup-config command to specify a central vault
location. A homogeneous environment is one in which all of the host machines that are included in the
backup are in the same operating system family. For example, Solaris and HP-UX machines are both
considered to be in the UNIX operating system family.
What Is Not Backed Up?

The Deployment Backup and Recovery Tool has the
following limitations:
 Host machines on which the SAS Deployment Agent
is not installed are excluded from backups.
 The tool backs up only SAS content and configuration
information. It does not back up your SAS software.
 If you are using a third-party vendor database (instead
c .
of the SAS Web Infrastructure Platform Data Server)
e
for the SharedServices database, the Deployment
In
u t
Backup and Recovery Tool cannot back it up.
 The tool does not back up the entire contents of your
t
t i
SAS configuration directories, only Data directories,
.
the SASEnvironment directories, and the server
s n
configuration directories for each server on the
91
91
I n
SAS server tier.
t i o
S
A tri b
command sas-update-backup-config. u
To back up additional subdirectories under SAS-configuration-directory/Levn, add them with the
t S
For commands that require input data, you supply the data using the JavaScript Object Notation (JSON)
s
i
format. Sample JSON files are provided in SAS-installation-
i g h
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample.
d
y r r e
o p f o r
C o t
N
Batch Tool Commands
sas-backup Execute an ad hoc (unscheduled) deployment backup.
sas-status-backup Display status information for a particular backup or recovery operation.
sas-list-backups Display details about backups and recoveries that are recorded in backup history,
.
including backups that were purged due to the retention policy.
sas-display-backup Display details about a particular backup recorded in backup history.
In c
sas-set-backup-
schedule
u t e
Specify days and times that are to be added to the deployment backup schedule.
sas-set-backup-
t i t .
Display detailed information about the contents of a specific backup that was
source-content
I n s i o n
taken from a particular source on a particular host machine.
t
sas-list-backup- Display the deployment backup schedule that is currently in effect.
S u
schedule
sas-remove-backup-
schedule
S A tri b
Remove specified days and times from your deployment backup schedule.
h t
sas-display-backup-
i s List the configuration properties that are currently in effect for your deployment
config
r i g r e d backups.
p y
config
o r
sas-update-backup- Update the backup configuration properties that are in effect for your
deployment.
C o t f
sas-update-backup- Specify custom directories that are to be backed up (in addition to the directories
config
N o included by default). Each directory must be located under SAS-configuration-

directory/Levn on a host machine where the Deployment Backup and Recovery
tool is installed.
sas-recover-offline Perform a full or partial recovery when some of the resources in the deployment
are unavailable or have been taken offline to prevent user activity.
sas-display-recovery Display details about a particular recovery that was performed.
When submitting a deployment backup or recovery command, you must provide the following connection
options to log on to the SAS Web Application Server:
-host host-name Identifies the host machine for the SAS Web Server. If your deployment does
not include SAS Web Server, specify the host machine for the SAS Web
Application Server.
The option is required if the –profile option is not set.
-port port Specifies the port on which the SAS Web Server runs. If your deployment does
c .
In
not include SAS Web Server, specify the port on which the SAS Web
Application Server runs.
t e
The option is required if the –profile option is not set.
u
-user user-ID
t i t
Specifies the user ID of an unrestricted user.
.
I n s i o n
This option is required if the –profile option is not set.
-password password
S u t
Specifies the password of the specified user.
This option is required if the –profile option is not set.
-protocol
S A tri b
Specifies the communication protocol that is used by the specified host machine
HTTP|HTTPS
h t i s and port. If the option is not specified, the default protocol (HTTP) is assumed.
r i g r e d You can specify this option either on the command line or in the file that is
specified in the –profile option.
p y r
-profile filename
o
Specifies the name of a file that contains the host, port, user ID, and password
C o t f
options. It can also contain the –protocol option. A sample profile file named
environment.properties is in the SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample.
N o
Listing the Deployment Schedule and Using the Backup

Manager in SAS Environment Manager
This demonstration illustrates how to use a command to list the deployment schedule and locate the
Backup Manager in SAS Environment Manager.
1. The SAS Deployment Agent must be running on every machine that has a SAS deployment.
c .
In
We will start the Agent using SAS Environment Manager. Open SAS Environment Manager if not
already open. (Go to a web browser on the client machine and select SAS Environment Manager
from the Favorites bar.)

u t e
You can also start the SAS Deployment Agent in the Operating System or it can be started in
t i
t .
 For Windows Server use Window Services.
n s n
 For Linux Server the command is located in the SASHome directory: SASHome
I i o
t
Directory/SASDeploymentAgent/9.4. The command to start the agent is agent.sh start. The
S
command to check the status of the agent is agentadmin.sh stat up.
A tri b u
2. Sign in as Ahmed with password Student1.
t S
3. Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
s
i g h d i
y r r e
o p f o r
C o t
N
4. It is not currently up as seen by the Availability. Select Control.
5. Under Quick Control section, select Start from the drop down menu next to Control Action: and
click the arrow to the right.
c .
e In
t u t
s t i n .
6. Navigate to the location where the Deployment Backup tools are installed.
I n
For Windows Server
t i o
S
A tri b u
Open a command window and issue the following command:
cd D: \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
t S s
i g h d i
For Linux Server
y r e
Navigate to
r
o p f o r
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
7. Run the sas-list-backup-schedule tool.
C o t
N
For Windows Server
1. In the command window, issue this command: sas-list-backup-schedule.exe –help
c .
e In
2.
t u t
sas-list-backup-schedule.exe –host sasserver.demo.sas.com –port 80 –user
sasadm@saspw –password Student1
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
For Linux Server
y r
1.
r e
./sas-list-backup-schedule –help
o p f o r
C o t
N
2. ./sas-list-backup-schedule –host sasserver.demo.sas.com –port 7980 –user
8. Access Backup Manager in SAS Environment Manager.

Open SAS Environment Manager if not already open. (Go to Internet Explorer on the client machine
and select SAS Environment Manager from the Favorites bar.)
 We are logged in as Ahmed. But to run an ad hoc backup, which you will do in the exercises,
you need to be logged in as sasadm@saspw in order for the SAS Web Infrastructure
Platform Data Server to be backup up.
9. Select Administration tab. When the Administration page is brought up in a separate window,
maximize the window.
 Maximizing the window addresses Problem Note 56368: The SAS® Backup Manager module
in SAS® Environment Manager Administration does not open, even after several minutes.
10. Click the Side Menu button
c
in the SAS Environment Manager banner and select SAS Backup.
In
Manager.
u t e
t i t .
I n s i o n

S u t
The SAS Backup Manager takes several minutes to discover the assets in your deployment
A tri b
that are available for backup.
S
h t
11. Select Policy from the drop-down menu. The Policy page displays the following:
i s
a. Diagram (Source View and Machine View) – displays a tree diagram of the currently defined
r i g r e d
backup sources. To see a different view of the diagram:
 Click the Source View button in the toolbar to display a node for each backup source.
p y o r
Under each backup source, a child node is displayed for each host machine for that source.
 Click the Machine View button
o f
in the toolbar to display a node for each host machine.
t
Under each machine, child nodes are displayed for the backup sources that are on the machine.
C o When a diagram is displayed, you can do the following:
N  Zoom in or out by clicking the diagram to select it and then pressing the Ctrl key while
scrolling the mouse wheel.
 If parts of the diagram are not visible, drag the entire diagram right, left, upward, or downward.
 Click a node to collapse its child nodes.
 Click the node again to expand it so that its child nodes reappear.
b. Configuration Details - displays details about the current backup configuration.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u

t S s
You can also use the sas-display-backup-config command to display the backup policy.
i g h d i
Backup sources are discovered automatically. The sources are displayed in the Source View and
y r r e
Machine View diagrams, and they are also listed at the bottom of the Configuration Details pane.
To view additional information about a source, click the Collapsed arrow ( ) to the left of the
o p f o r
source name. The following information is displayed:
 Host – the host name of the machine where the source is located.
C o t
 Included – indicates whether the source is currently included or excluded from backups.
 This setting cannot be changed in the SAS Backup Manager user interface. To include
N 

or exclude a backup source, use the command sas-update-backup-config.
Operating System – the host name of the machine where the source is located.
Configurable Path – the path to the configuration directory for this source. This field is not
applicable to all source types.
 SAS Config – the path to the Levn directory that is associated with this backup source.
 Includes and Excludes – lists any filters that are associated with this backup source. Filters are
applied using the batch commands via JSON files.
 The source information is for display only. To filter physical data or add or remove tiers,
servers, or database instances from the backup configuration, use the sas-update-backup-
config command.
12. From the drop-down menu, select Schedule.

The Schedule page displays a row for each time of day that backups are scheduled to run. Check
marks in the columns indicate the scheduled days of the week for each time. By default, the SAS
Deployment Wizard schedules backups to be performed automatically each Sunday at 1:00 a.m.
 This schedule coordinates backups with the SAS Metadata Server Backup and Recovery
Facility.
You can modify this scheduled backup here by clicking the Add button or Edit button
c .
in the
In
toolbar.
For example, if you add a row, a new row is added to the schedule with the default time (1:00 a.m.)
t e
and default day (Sunday) selected. In the new row, click the Time field. Use the time selector to
u
specify the additional backup start time and then click OK.
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
You can verify the updated backup schedule using the Deployment Backup and Recovery tool batch
command sas-list-backup-schedule.
p y o r
C o t f
N o
Exercises
11. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents
The third maintenance release for SAS 9.4 includes SAS Backup Manager, an easy-to-use interface
for the Deployment Backup and Recovery tool. You can use SAS Backup Manager for the following
tasks:
 view backup and recovery history
c .
 run an immediate (ad hoc) backup
 view the backup configuration
e In
t u t
 modify the backup configuration (except backup filters and custom directories)
 view information about backup and recovery sources
t i
 view and modify the backup schedule
s n .
I n o
In previous SAS 9.4 releases, these functions were available only through batch commands.
t i
S
SAS Backup Manager can be accessed from the Administration tab of SAS Environment Manager.
A tri b u
a. Start the SAS Deployment Agent using SAS Environment Manager.
t S
1) Open SAS Environment Manager . (Go to a web browser on the client machine and select
s
SAS Environment Manager from the Favorites bar or you can type in the following URL:
i g h d i
http://sasserver.demo.sas.com:7080 .) Sign in as sasadm@saspw with password Student1.
y r r e
 In order to run a full backup, you must be logged in to SAS Environment Manager as
sasadm@saspw with the password Student1.
o p o r
2) Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
f
C o t
3) Select Control.
4) Under Quick Control section, select Start from the drop down menu next to Control
N
Action: and click the arrow to the right.
You can also start the SAS Deployment Agent in the Operating System, or it can be started in
Directory/SASDeploymentAgent/9.4. The command to start the agent is agent.sh start. The
b. Access Backup Manager in SAS Environment Manager.
sasadm@saspw with the password Student1.
1) Click the Administration tab in SAS Environment Manager. When the Administration page
appears, maximize the window.
2) Click the Side Menu button in the SAS Environment Manager banner and select SAS
Backup Manager.
 The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available for backup.
The drop-down menu shows the following selections:
 History – view information about a particular backup or recovery
 Policy – view details of the current backup policy
 Schedule – view and modify the current backup schedule
c .
Keep the current selection, History.
e In
c. Run an unscheduled backup.
t u t

backup.
s i
The backup may take a few minutes to complete. See Problem Note 56910: The SAS
t n .
Deployment Backup and Recovery tool takes longer than expected to complete the
I n t i o
1) With History selected in the drop-down menu, select the Start Backup button in the upper
S
A tri b u
right of the SAS Backup Manager Window.
2) Provide a meaningful name and comment for the backup. The backup name must be unique.
t S
Both the name and comment are optional and are recorded in backup history and displayed in
the backup’s Operation Details.
s
i g h d i
3) Select Start.
y r r e
A notification is displayed when the backup starts and when it is completed.
o p f o r
C o t
N 4) To see the status of the backup on the History page, refresh your browser.
 Recoveries cannot be run from SAS Backup Manager. Instead, use the sas-recover-
offline command.
d. View the list of Sources. Click the backup to display the details. It might take a minute to load the
data.
The sources for the currently selected backup or recovery are listed in the right pane, below the
operation details. Items appear only as they complete. For example, you might see only the
Metadata Server at first after running the back up. (If you are viewing details for a recovery, only
the sources that were recovered are listed.)
The status icon next to each source indicates the status of its backup or recovery.
By default, the backup sources include the following:
 Metadata Server
 Content Server
 Config Directories
 Database
 Custom might also be listed. This means additional directories under SAS-configuration-
directory/Levn, as specified by the administrator, were backed up or recovered.
To view details about a particular backup or recovery source, click the Collapsed arrow ( ) to the
left of the source name. The following details are displayed:
c .
 the host name of the machine where the source is located
e
 the status of the source’s backup or recovery In
t u t
 the directory location of the source’s local backup files on the host machine
 the total size of the backup files for this source
t i .
 the directory location of the source’s configuration files
s n
 the operating system of the source’s host machine
I n t i o
e. Select View Diagram from the lower right of the screen.
S
A tri b u
The diagram includes the following:
 The root node specifies the ID of the backup or recovery, which is based on the date and time
t S
that the backup or recovery started (for example, 2015-02-01T03_13_01). For backups, the ID
s
g h d i
is also the name of corresponding backup directory.
 Under the root node, a child node is displayed for each backup source that was included in the
i
y r r e
backup or recovery. You can click a node to collapse its child nodes.
 Under each source node, a child node is displayed for each host machine for that source.
o p o r
f. Hold the mouse pointer on a node to see the size of the files that were backed up or recovered.
f
t
g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
C o
Infrastructure Platform Data Server 9.4 appears under the Database tree.
Nh. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part of
the node appear.
The green check mark in the bottom right of the node indicate its backup status. The green check
indicates that the backup or recovery was completed without errors or warnings.
i. Place your mouse pointer over each of the databases in the Web Infrastructure Platform Data
Server 9.4 node. Notice that many of the databases are relatively small in size.
j. Select Close to close the Backup Details window.
k. Find the location of the backup. Select History from the drop-down menu.
l. Click the Collapsed arrow ( ) to the left of the Content Server. The directory location of the
source’s local backup files on the host machine is under Backup Location.
m. Find this location on the server’s local file system. There is a directory for each of the sources
listed in Backup Manager.
For Windows Server
Navigate to D: \sas\config\Lev1\Backup\Vault.
For Linux Server
Navigate to /opt/sas/config/Lev1/Backup/Vault.
n. Click the Collapsed arrow ( ) to the left of the Metadata Server and examine the Backup
c .
In
Location.
Why is this location different from the others?
t e
Verify that the content for the Metadata Server backup specified by the Backup Manager is the
u
t t
same as the metadataserver directory in the backup vault location.
i .
12. Displaying the Backup Configuration Using Batch Tools
I n s o n
a. Navigate to the location where the Deployment Backup tools are installed.
i
S
For Windows Server
u t
A tri b
Open a command window, and issue the following command:
S
t
D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
g h d i s
y r i r e
For Linux Server
Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
o p f o r
b. Run the sas-display-backup-config tool.
C o t For Windows Server
N
In the command window, issue the following command:
sas-display-backup-config.exe –host sasserver.demo.sas.com –port 80 –user
For Linux Server

./sas-display-backup-config –host sasserver.demo.sas.com –port 7980 –user
2.6 Solutions 2-81
2.6 Solutions
1. Exploring Metadata Pointers in SAS Management Console and the Contents of the Metadata
Server Directory
a. On your client machine, log on to SAS Management Console as Ahmed with the password
Student1. (SAS Management Console is listed under the start menu.)
c .
b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
The metadata is stored in repositories. Most metadata is stored in the Foundation repository.
i g h d i
Every metadata server has exactly one Foundation repository.
y r r e
c. Where is the Foundation repository physically located? Under Active Server, select Foundation.
o p f o r
t
The Foundation repository is a foundation-type repository. The repository path indicates where
C o
the content of the Foundation repository is stored. It is a relative path.
Nd. In what format is the metadata in the repository stored?
For Windows Server

MetadataServer\MetadataRepositories\Foundation.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b
For Linux Server u
t S
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/
s
MetadataRepositories/Foundation.
i g h d i
y r r e
o p f o r
C o t
N
The metadata is stored in specially formatted SAS data sets. You should never access these tables
directly. While the metadata server is running, these tables are locked. Any access (query, update,
and so on) to these must be done via the metadata server. If you do not use the metadata server
to access these tables, you risk corrupting the metadata.
 Metadata queries that are made using SAS applications, PROC METADATA, batch tools
for metadata management, or DATA step functions are processed by the metadata server.
2.6 Solutions 2-83
2. Checking the Availability of the Metadata Server in SAS Environment Manager

In the SAS platform, the metadata server is the most critical component. It must always be running
and responsive. In this exercise, you check the availability and health of the metadata server.
a. Open Internet Explorer on the client machine and select SAS Environment Manager on the
Favorites toolbar.
c .
b. Sign in to SAS Environment Manager as Ahmed with the password Student1.
e In
t u t
s t i n .
I n t i o
S
c. Click the Resources tab.
A tri b u
S
d. Click Servers. How many Servers are listed? Answers can vary.
h t i s
r i g r e d
p y o r
C o t f
N o
e. Click sasserver.demo.sas.com SASMeta - SAS Metadata Server.
 You might need to go to the second page of server listings, by clicking the arrow at the
bottom right of the page.
 You can use the Search field and type in Metadata Server. Make sure All Server Types
is selected in the second field, and then select the to the far right.
f. Look for the following metrics for a quick overview:

Availability
Server Health
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
g. If the metadata server is overusing virtual memory (too much page swapping), that could indicate
t S
trouble, and might cause slow responses. Metrics that will be helpful are these:
s
Process Page Faults Per Minute
i g h d i
Time in Calls Per Minute
y r r e
Not all metrics for this resource, the metadata server, are displayed by default, such as Time in
Calls Per Minute.
o p f o r
h. Select All Metrics in the drop-down list on the left to see a list of all the metrics for this resource.
(Currently Problem Metrics is displayed in the drop-down list.)
C o t
N
2.6 Solutions 2-85
i. Add the Time in Calls Per Minute to the list of metrics displayed, by clicking the black arrow
next to the metric.
j. Move the Time in Calls Per Minute and Process Page Faults Per Minute to the top using the up
arrow to the right of the named metric.
c .
In
k. Click Apply next to View: Update Default located above the Availability metric and to the right.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y 
o r You want to know how much the metadata server is having to use disk space because it
C o t f does not have enough memory available to it. Paging is when individual memory
segments, or pages, are moved to or from the swap area. When memory is low, portions
N o of a process are moved to use disk space as a temporary place to store information that it
would normally just hold in memory. This is called swapping to disk. When a process
needs to swap some data from disk to memory so that it can access the data in memory, a
page fault occurs. It is an event that occurs because the page of memory the process
wanted is currently not in memory; it is held on the swap file on the disk. Thus, when a
page fault occurs, the operating system knows that it needs to swap the data that the
process wants back into memory, and will swap some other existing data from memory to
the disk to free up the required memory so that there is room for the required page.
One of the metrics available from the OS that describes what a process does when it
enters this memory-constrained state is the number of page faults (swaps between disk
and memory) per period of time. We can see this metric for the process examined here,
the SAS metadata server.
You expect some degree of virtual memory swapping (page faults), which is normal, but
if you see a trend of increase over time, then you should probably investigate.
l. The data for the past 8-hour time period is displayed. Change this to a 30-minute interval. Use the
Last (number)/(Unit) drop-down list to change the length of the time period displayed. Click OK.
(You can use the Previous Page/Next Page buttons to scroll through earlier time periods as well.)
c .
e In
t u t
s t i n .
m. Select the Metric Data button to display the data underlying the charts.
I n t i o
You see all of the metrics displayed here in a tabular table, whereas with the Indicators selected
S u
there is only a subset showing, unless you add a metric to be displayed (step i).
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N  You can also click the chart icon next to an entry in the table to see a chart of that metric.
However, the chart is different from the indicator chart.
n. Select Alert.
o. Select Configure. How many alerts are configured? 7 How many alerts are active? 5
2.6 Solutions 2-87
c .
There are built-in alerts because Extended Monitoring has been enabled in this environment.
e
(Extending Monitoring is discussed in a later chapter.) In

u t
Two alerts that might be useful are “Metadata Server ERROR message in log” and
t
s i
“Metadata User Lockout.” If either of these alerts are fired, you might want to check the
t n .
logs for the metadata server to get more details about why these events are happening.
I n t i o
p. Click Metadata Time in Calls per Minute to look at the alert definition.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
3. Searching for Resources in SAS Environment Manager
a. Click the Resources tab. You can search for resources within a resource category (Platforms,
Servers, Services, or groups).
1) Select a resource category, such as Servers.
2) Type in a search string (for example, ‘config’) and Resource type (for example, ‘SAS Config
Level Dir’).
3) After selections are made, click the arrow to the right ( ).
b. Use the Search menu and the resource level selector to locate the following resources:
Servers
SAS Spawners (1 object and 1 connect spawner—search on the string “spawner”)
SAS OLAP Server
SAS Home Directory
SAS Config Level Directory
.
Services
 In c
The SAS spawners, the metadata server, and OLAP server are at the Servers level in the
t e
platform hierarchy. The SAS Application Server Tier is considered a Platform. The SAS
u
Logical workspace servers and SAS Logical stored process servers are at the Services
i t
level in the platform hierarchy.
t .
I s i o n
c. Open SAS Management Console and log on as Ahmed using the password Student1. Expand
n
Server Manager plug-in. The components above conform to the servers shown here.
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
4. Using the Export SAS Package Wizard to Examine Dependencies and Associations between
Metadata Objects
The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote individual
metadata objects or groups of objects from one SAS deployment to another or from one folder
location to another within the same deployment. The wizards display the associations
and dependencies between metadata objects.
2.6 Solutions 2-89
a. In SAS Management Console, on the Folders tab, expand the Orion Star folder. Right-click
the Marketing Department folder and select Export SAS Package.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
b. Accept the defaults and click Next. (You are not going to create this package,
t
so the location and options will not matter.)
g h d i s
y r i r e
o p f o r
C o t
N
c. Under the Data folder, select Orion Star Customers. The Dependencies tab identifies
the metadata objects on which the Orion Star Customers table depends.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
d. Click the Used By tab. The Used By tab identifies the metadata objects that depend
o p f o r
on the Orion Star Customers table.
C o t
N
e. Click Cancel.
5. Using Relationship Reporting Tools
Generating a report is a two-step process.
 First, use the sas-relationship-loader batch tool to scan folders and objects, retrieve their
relationship information, and load the information into a database in the Web Infrastructure
2.6 Solutions 2-91
 Effective with the third maintenance release for SAS 9.4, automatic loading of
relationship data is configured by default to execute on an hourly basis. The load process
scans the SAS Folders tree for content items that were created or modified since the last
scheduled load operation.
Cleaning of relationship data is configured by default to execute daily at 11:00pm. The
cleaning operation removes relationship information for objects that have been deleted
from your content repositories.
 Secondly, use the sas-relationship-reporter batch tool to read the database populated by the
Relationship Loader and report on the relationships between selected objects.
c .
In
a. Because you are working in SAS 9.4 Maintenance Release 3, automatic loading of relationship
data is configured by default. Look at the configuration details in SAS Management Console.
t e
1) Open SAS Management Console and log on as Ahmed using the password Student1.
u
t i t
2) On the Plug-ins tab, select Application Management  Configuration Manager 
.
SAS Application Infrastructure  Web Infra Platform Services 9.4.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
3) Under Web Infra Platform Services 9.4, right-click RelationshipContentService and select
Properties.
4) Select the Settings tab.

Is Scheduling for Load Task Enabled? Yes
How often is the relationship data automatically loaded? Hourly
Is the cleaning of relationship data configured by default? Yes
When and how often does this cleaning occur? 11pm daily

c
The cleaning operation removes relationship information for objects that have been
deleted from your content repositories. .

In
You can configure a different schedule for the loading and cleaning process here (or
e
u t
set the schedule if you are using a release earlier than the third maintenance release).
If you make any schedule changes, you must restart the SAS Web Application Server.
t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5) Click Cancel to close the Properties window.
2.6 Solutions 2-93
b. To report on the relationships, use the sas-relationship-reporter tool. To execute a standard

report on direct dependencies for objects in the /Orion Star/Marketing
Department/Information Maps folder:
For Windows Server
1. Open the CMD windows from the Start Menu. Navigate to D:\Program
2. Issue the command:
c .
In
sas-relationship-reporter.exe -host sasserver.demo.sas.com -port 80 -user
sasadm@saspw -password Student1 -report directDependencies “/Orion
u t e
t i t .

I n s i o n
The relationship direction is noted with an arrow.
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
For Linux Server
./sas-relationship-reporter -host sasserver.demo.sas.com -port 7980 -user
sasadm@saspw -password Student1 -report directDependencies “/Orion
c .

e In
t u t
The relationship direction is noted with an arrow.
s t i n .
I n t i o
S
A tri b u
t S
c. To determine the impact of changing one table, create an impact report.
s
i g h d i
For Windows Server
y r 1.
r e
Navigate to D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.
r
p
2.
o t f osas-relationship-reporter.exe -host sasserver.demo.sas.com -port 80 -user

sasadm@saspw -password Student1 -report impact “/Orion Star/Marketing
C o
 The relationship direction is noted with an arrow.
2.6 Solutions 2-95
For Linux Server
./sas-relationship-reporter -host sasserver.demo.sas.com -port 7980 -user sasadm@saspw
-password Student1 -report impact “/Orion Star/Marketing
.
In c
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g 
r e d The relationship direction is noted with an arrow.
p y o r
d. If your environment was SAS 9.4 but prior to M3, you would first need to run the sas-
relationship-loader batch tool first and load all relationships to the database before running
C o t
 f
reports in steps b and c. The steps are below.
N o The first time you run the Relationship Loader tool, consider specifying the -loadAll
option so that relationships will be loaded for all content objects in the SAS Folders tree.
Doing so ensures that the Relationship Reporter tool (sas-relationship-reporter) has
all of the information that it needs to produce accurate and complete reports.
 All command options are case sensitive.
For Windows Server
1. Open the CMD window. (It is under the Start menu.) Navigate to D:\Program
Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin.
2. Issue the following command: sas-relationship-loader.exe -help
3. Issue the command with the following options:

sas-relationship-loader.exe -host sasserver.demo.sas.com -port 80 -user sasadm@saspw -
c .
In
password Student1 -loadAll
 Port 80 is the default port for the SAS Web Server on the Windows server.
u t e
t i t .
I n s i o n
S
For Linux Server
u t
1.
A tri b
Use MRemote to navigate to
S
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
2.
h t i s
Issue the following command: sas-relationship-loader.exe -help
r i g r e d
p y o r
C o t f
N o 3.
Issue the command with the following options:
sas-relationship-loader.exe -host sasserver.demo.sas.com -port 7980 -user sasadm@saspw
-password Student1 -loadAll
 Port 7980 is the default port for the SAS Web Server on the Windows server.
6. (Optional) Using the BI Lineage Plug-in to Identify Connections between Objects

To generate lineage information, run a scan on a subset of folders. The scan examines reports
and information maps that are stored in the selected folders. It also identifies objects (regardless
of their locations in metadata) that are connected to those reports and information maps.
2.6 Solutions 2-97
a. In SAS Management Console, on the Plug-ins tab, right-click BI Lineage and select New Scan.
b. Enter Orion Star Marketing Department Information Map Scan in the Name field.
Click Browse to navigate to Orion Star  Marketing Department  Information Maps.
Click OK  Next  Finish  Yes.
c .
e In
t u t
t i .
c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
s n
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department  and
I n i o
select Information Maps. These are the objects that were examined during the lineage scan.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
d. Right-click Orion Star Gold Orders Cube and select Lineage.
 Lineage identifies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the folders that were selected for the scan.
e. Examine the contents of the Report and Graph tabs.
 The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
There are two types of lineage results: high level and low level. High-level results illustrate
connections between high-level objects such as tables, reports, information maps, cubes,
and stored processes. Low-level results illustrate connections to other low-level objects such
as columns, hierarchies, or data items.
The results that you viewed in the last step are high-level results.
f. Click Cancel.
2.6 Solutions 2-99
g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average Quantity
and select Low Level Lineage. Examine the Report and Graph tabs.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nh. Click Cancel.
7. (Optional) Using the List Objects Batch Tool (sas-list-objects)
Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are stored
in the SAS Folders tree. You can filter the list based on criteria such as object name, object type,
folder location, creation date and time, modification date and time, keywords, notes, and responsible
user. You can create the list in text, comma-separated values (CSV), or XML format.
a. First, find the metadata object type for a stored process. In SAS Management Console, under
the Folders tab, navigate to System  Types. Right-click Stored process and select Properties.
Click the Advanced tab. Find the value for TypeName. This will be used for the type option
when using the batch tool.
c .
e In
t u t
s t i n .
I n t i o
b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list
all stored processes in the Orion Star  Marketing Department. How many objects were
found?
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
2.6 Solutions 2-101
For Windows Server
1. Open the CMD window. It is under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.
2. Change the drive to D.
c .
3. Use the cd (change directory) command to navigate to D:\Program
e
Files\SASHome\SASPlatformObjectFramework\9.4\tools. In
t u t
s t i n .
I n t i o
4. Use the dir command to list the contents of the directory.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
5. Issue the following command: sas-list-objects.exe -help
N This displays the available options for this command.
6. Generate the list of stored processes with the following options:

sas-list-objects.exe -host sasserver.demo.sas.com -port 8561 -user Ahmed -password
-format LIST
For Linux Server
1. Use MRemote to navigate to

2. Use the cd (change directory) command to navigate to
/opt/sasinside/sas/SASPlatformObjectFramework/9.4/tools.
.
3. List the contents of the directory.
In c
u t e
t i t .
I n s i o n
S u t
4.
S A tri b
Issue the following command: ./sas-list-objects -help
h t i s
r i g r e d
p y o r
C o t
5.f Generate the list of stored processes with the following options:
N o ./sas-list-objects -host sasserver.demo.sas.com -port 8561 -user Ahmed -password

-format LIST
8. Exploring the Backup Schedule and Backup Configuration in SAS Management Console
a. In SAS Management Console, on the Plug-ins tab, expand Metadata Manager 
Metadata Utilities. Right-click Server Backup and select Backup Schedule.
2.6 Solutions 2-103
When did the last automatic backup occur? Did it invoke the Reorganize Repositories option?
c .
e In
t u t
s t i n .
I n t i o
S
Click Cancel.
A tri b u
t S
b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Backup Configuration. Where are the metadata server backups stored? And how many days of
s
i g h d i
backups are stored there?
y r r e
o p f o r
C o t
N
Click Cancel.
c. Locate backup files.
For Windows Server

MetadataServer\Backups.
c .
e In
t u t
s t i n .
I n
For Linux Server
t i o
S u
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.
A tri b
t S s
i g h d i
y r r e
o p f o r
How many backup subdirectories are there in the Backups directory? Does this match the number
of usable backups in the backup history pane in SAS Management Console?
C o t
N
9. Performing an Ad Hoc Backup
a. Use the Metadata Manager to perform an ad hoc backup of the metadata. Provide a comment
when prompted.
1) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.
2.6 Solutions 2-105
c .
e In
t u t
2) Provide a comment for the backup history. Click OK.
s t i n .
I n t i o
S
A tri b u
t S s
i g h
3) Click OK.
d i
y r r e
o p f o r
C o t
b. Verify that the backup is marked with a green check mark in the backup history.
N
c. Verify that the backup directory was created and populated in the backup destination.
For Windows Server
Use the Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer\Backups. Open the folder created by the
ad hoc backup.
c .
e In
t u t
s t i n .
I n
For Linux Server
t i o
S
A tri b u
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups. Open the directory
S
created by the ad hoc backup.
h t i s
r i g r e d
p y o r
C o t f
N o
10. (Optional) Restoring the Metadata
a. On the Folders tab, right-click SAS Folders and select New Folder. Include the current time
in the name of the folder. Make a note of the current time.
2.6 Solutions 2-107
1) Enter Added Before Restore in the Name field. Click Finish.
2) Verify that the folder is now listed under SAS Folders.

c .
e In
t u t
s t i n .
b. Wait a few minutes and create another new folder. Include the current time in the name.
I n t i o
S
A tri b
c. Delete the two new folders.u
t S
d. As a best practice, it is recommended that you pause the metadata server to the Administration
s
state before you perform a recovery. On the Plug-ins tab, expand Metadata Manager.
i g h
click OK.
d i
Right-click Active Server and select Pause  Administration. Provide a comment and
y r r e
e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click
o p f o r
the ad hoc backup created in the last exercise. Select Recover from this backup.
C o t
N
f. Provide comments for the backup history and for the server that you paused. Use the
ROLLFORWARD option to restore the metadata from the last backup to a time immediately
after you created the first folder but before you created the second folder.
c .
e In
t u t
s t i n .
I n t i o
S
Click OK.
A tri b u
t S s
i g h d i
y r r e
Was the backup successful? Yes
o p o r
In addition to the ad hoc backup and the restore, what else now appears in the backup history?
f
A backup was automatically done immediately after the recovery.
C o t
Ng. Resume the metadata server by expanding Metadata Manager. Right-click Active Server and
select Resume.
Switch to the Folders tab. Verify that only the first folder now appears on the Folder tab.
2.6 Solutions 2-109
11. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents
The third maintenance release for SAS 9.4 includes SAS Backup Manager, an easy-to-use interface
for the Deployment Backup and Recovery tool. You can use SAS Backup Manager for the following
tasks:
 view backup and recovery history
 run an immediate (ad hoc) backup
 view the backup configuration
 modify the backup configuration (except backup filters and custom directories)
c .
In
 view information about backup and recovery sources
 view and modify the backup schedule
t e
In previous SAS 9.4 releases, these functions were available only through batch commands.
u
i t
SAS Backup Manager can be accessed from the Administration tab of SAS Environment Manager.
t .
I s i o n
a. Start the SAS Deployment Agent using SAS Environment Manager.
n
1) Open SAS Environment Manager . (Go to a web browser on the client machine and select
S u t
SAS Environment Manager from the Favorites bar, or you can type in the following URL:
http://sasserver.demo.sas.com:7080 .) Sign in as sasadm@saspw with password Student1.
A tri b
S
h t sasadm@saspw with the password Student1.
i s
2) Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
r i g r e d
p y o r
C o t f
N o
3) Select Control.
4) Under Quick Control section, select Start from the drop down menu next to Control
c .
In
Action: and click the arrow to the right.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s

r i g r e d
You can also start the SAS Deployment Agent in the Operating System, or it can be started in
p y o r
C o t f Directory/SASDeploymentAgent/9.4. The command to start the agent is agent.sh start. The
o
Nb. Access Backup Manager in SAS Environment Manager.
sasadm@saspw and password Student1.
1) Click the Administration tab in SAS Environment Manager. When the Administration page
appears, maximize the window.
2) Click the Side Menu button in the SAS Environment Manager banner and select SAS
Backup Manager.
2.6 Solutions 2-111
c .
 The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available for backup.
e In
u t
Notice that the drop-down menu shows the following selections:
t
 History – view information about a particular backup or recovery
t i .
 Policy – view details of the current backup policy
s n
 Schedule – view and modify the current backup schedule
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
Keep the current selection, History.
o p o r
c. Run an unscheduled backup.
f
C o t
 The backup may take a few minutes to complete. See Problem Note 56910: The SAS
Deployment Backup and Recovery tool takes longer than expected to complete the
N backup.
1) With History selected in the drop-down menu, select the Start Backup button in the upper
right of the SAS Backup Manager Window.
2) Provide a meaningful name and comment for the backup. The backup name must be unique.
Both the name and comment are optional and are recorded in backup history and are
displayed in the backup’s Operation Details.
3) Select Start.
A notification is displayed when the backup starts and when it is completed.
c .
4) To see the status of the backup on the History page, refresh your browser.

e In
u t
Recoveries cannot be run from SAS Backup Manager. Instead, use the sas-recover-
offline command.
t
t i .
d. View the list of Sources. Click the backup to display the details. It might take a minute to load the
data.
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
The sources for the currently selected backup or recovery are listed in the right pane, below the
operation details. If you are viewing details for a recovery, only the sources that were recovered
f
are listed.
C o t
The status icon next to each source indicates the status of its backup or recovery.
N By default, the backup sources include the following:

 Metadata Server
 Content Server
 Config Directories
 Database
 Custom might also be listed. This means additional directories under SAS-configuration-
directory/Levn, as specified by the administrator, were backed up or recovered.
To view details about a particular backup or recovery source, click the Collapsed arrow ( ) to the
left of the source name. The following details are displayed:
 the host name of the machine where the source is located
 the status of the source’s backup or recovery
 the directory location of the source’s local backup files on the host machine
 the total size of the backup files for this source
2.6 Solutions 2-113
 the directory location of the source’s configuration files

 the operating system of the source’s host machine
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
e. Select View Diagram from the lower right of the screen.
s
i
The diagram includes the following:
i h d
 The root node specifies the ID of the backup or recovery, which is based on the date and time
g
y r r e
that the backup or recovery started (for example, 2015-02-01T03_13_01). For backups, the ID
is also the name of corresponding backup directory.
o p f o r
 Under the root node, a child node is displayed for each backup source that was included in the
backup or recovery. You can click a node to collapse its child nodes.
C o t
 Under each source node, a child node is displayed for each host machine for that source.
f. Hold the mouse pointer on a node to see the size of the files that were backed up or recovered.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
s
i g h d i
Infrastructure Platform Data Server 9.4 appears under the Database tree.
y r r e
o p f o r
C o t
N
h. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part of
the node appear.
The green check mark in the bottom right of the node indicate its backup status. The green check
indicates that the backup or recovery was completed without errors or warnings.
2.6 Solutions 2-115
i. Place your mouse pointer over each of the databases in the Web Infrastructure Platform Data
Server 9.4 node. Notice that many of the databases are relatively small in size.
c .
In
j. Select Close to close the Backup Details window.
e
k. Find the location of the backup. Select History from the drop-down menu.
u t
l. Click the Collapsed arrow ( ) to the left of the Content Server. The directory location of the
t
source’s local backup files on the host machine is under Backup Location.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C t
m. Find this location on the server’s local file system. There is a directory for each of the sources
o listed in Backup Manager.
N For Windows Server
Navigate to D: \sas\config\Lev1\Backup\Vault.
For Linux Server
Navigate to /opt/sas/config/Lev1/Backup/Vault.
n. Click the Collapsed arrow ( ) to the left of the Metadata Server and examine the Backup
Location.
c .
e In
t u t
i
Why is this location different from the others? This is where the metadata server backups are
stored by default.
s t n .
n
Verify that the content for the Metadata Server backup specified by the Backup Manager is the
I i o
same as the metadataserver directory in the backup vault location.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
12. Displaying the Backup Configuration Using Batch Tools
a. Navigate to the location where the Deployment Backup tools are installed.
For Windows Server
Open a command window, and issue the following command:

D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
2.6 Solutions 2-117
For Linux Server
Navigate to the following:

/opt/sas/SASHome/ASPlatformObjectFramework/9.4/tools/admin
b. Run the sas-display-backup-config tool.
For Windows Server
In the command window, issue the following command:

c .
sas-display-backup-config.exe –host sasserver.demo.sas.com –port 80 –user
e
sasadm@saspw –password Student1 In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
For Linux Server
C o t Issue the following command:
N ./sas-display-backup-config –host sasserver.demo.sas.com –port 7980 –user

c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 3 Understanding Initial
Authentication and Administering
Users, Groups, and Roles
c .
3.1 Exploring Initial Authentication to the Metadata Server .............................................3-3
e In
t u t
Exercises ................................................................................................................................ 3-8
3.2
t i .
Administering Users and Groups ..............................................................................3-12
s n
I n
Demonstration: Viewing SAS Environment Manager’s Administration Tab ......................... 3-20
t i o
Exercises .............................................................................................................................. 3-22
3.3 S
A tri b u
Exploring Other Authentication Mechanisms and Managing Credentials ..............3-28
t S
Exercises .............................................................................................................................. 3-38
s
3.4
i g h d i
Administering Roles and Administrative Identities ..................................................3-40
y r r e
Exercises .............................................................................................................................. 3-47
o p
3.5
f o r
Solutions .....................................................................................................................3-50
C o t Solutions to Exercises .......................................................................................................... 3-50
N Solutions to Student Activities (Polls/Quizzes) ..................................................................... 3-69

3-2 Chapter 3 Understanding Initial Authentication and Administering Users, Groups, and Roles
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
3.1 Exploring Initial Authentication to the Metadata Server 3-3
3.1 Exploring Initial Authentication to the

Metadata Server
Objectives
 Explore initial authentication to the metadata server.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
h i
3
r i g r e d
p y SAS 9.4 Authentication Mechanisms
o r
C o t f
Authentication is the process of verifying the identity
of a person or process for security purposes.
N oExternal 



Host authentication (credential-based)
Direct LDAP authentication
Integrated Windows authentication
Web authentication
Internal  SAS internal authentication
 SAS token authentication
External authentication mechanisms integrate SAS into your computing environment.
SAS Metadata Server

SAS desktop applications connect to the metadata server
using connection profiles. A connection profile is a file
stored on the user’s machine. It contains the information
necessary for connection to the metadata server.
c .
Metadata Server
e In
t u t
Windows applications
ConfigurationV71.xml
s t i n . Java applications
I n t i o
sasserver.swa
S
A tri b u
Web-based applications connect through the SAS Logon Manager, a web application that handles all
authentication requests for SAS web applications. As a result, users see the same sign-in page when they
t S
access any of the SAS web applications.
s
g h d i
Connection Profiles
i
y r r e
Connection information is stored in different files
o p f o r
for Java applications and Windows applications.
Regardless, the connection information includes
t
the metadata server host name and port. By default,
C o
users have the option to save a user ID and password
in the profile.
The Connection Profile window enables a user to open an existing profile, edit an existing profile,
or create a new profile. Profiles are stored locally on the user’s machine:
C:\Users\Student\AppData\Roaming\SAS\MetadataServerProfiles. If there are no profiles on the
machine, the user is prompted to create one before logging on. In that location, Java applications have the
connection information in .swa files. Windows applications are in a file named ConfigurationV71.xml.
(The version might be different.)
Initial Connection to the SAS Metadata Server
c .
e In
t u t
s t i n .
13
I n t i o
S
A tri
 user ID: Ahmed
b u
1. Ahmed supplies these credentials to log on to the metadata server:
t S
 password: Student1
s

i g h i
An alternative to providing credentials is to use Integrated Windows Authentication.
d
y r e
2. The metadata server passes Ahmed’s credentials to its host authentication provider. By default,
r
the metadata server passes the credentials to its host. If the accounts are local, they are verified
o p o r
by the host. The host can also be configured to pass the authentication request to LDAP
or Microsoft Active Directory.
f
C t
3. The authentication provider verifies that the credentials are valid and returns the fully qualified
o
user ID (sasserver\Ahmed) to the metadata server.
N 

The authentication provider does not return the password to the metadata server.
The form of the fully qualified user ID varies depending on the authentication provider.
If the account is a UNIX account, the returned user ID is Ahmed, for example.
4. The metadata server searches for the fully qualified user ID in the metadata repository (inbound
logon).
5. The metadata server determines which metadata identity owns the user ID. Based on the metadata
identity, the metadata server can determine what level of access Ahmed has to the metadata. Access
to the metadata server is set in the repository ACT (access control template). Only users with
ReadMetadata and WriteMetadata in the repository ACT, named Default ACT by default, are allowed
to connect to the metadata server.
6. The metadata server sends a credential handle to the application so that when the application requests
information from the metadata server, it can pass the handle. The metadata server then knows
the metadata identity of the user.
Initial Connection Using Integrated Windows

Authentication (IWA)
c .
e In
t u t
s t i n .
22
I n t i o
S u
Integrated Windows Authentication (IWA)
A tri b
S
1. The client asks Windows for a token that represents the user who is currently logged on to the client
computer.
h t i s
2. Windows provides the token to the client.
r i g e d
3. The client sends the Windows token to the metadata server. Notice that only the token is sent. The
r
y
user's password is not available to the metadata server.
p o r
4. The metadata server sends the token back to Windows for verification.
o f
C t
5. Windows tells the metadata server that the token is valid.
N o
6. The metadata server identifies the user and verifies that the user was granted access to the metadata
in the repository ACT.
7. The metadata server accepts the connection from the client.
 For initial connection to the metadata server, this represents the verification phase.
The identification phase is essentially the same in all authentication models. After
verification, the authenticated token includes the user ID. The metadata server searches its
logons for a match. An inbound logon is still required.
 There are limitations to IWA for servers on UNIX. In order to use IWA on UNIX platforms:
 For the first maintenance release for SAS 9.4 on all platforms, you must purchase, install,
and configure an additional third-party product (Quest Authentication Services 4.0).
 For the second maintenance release for SAS 9.4 on Linux platforms, you must ensure that
a shared library that implements the GSSAPI with Kerberos 5 extensions is installed and
configured to allow authentication against your Active Directory domain or Kerberos
realm. Quest Authentication Services fulfills this requirement, as do the krb5 packages
provided in supported operating system distributions and in various third-party solutions.
 When you use IWA on UNIX, only Kerberos connections are supported. (There is no
support for NTLM on UNIX.) If you use IWA for a UNIX workspace server that makes
outbound Kerberos requests, the service principal account in Active Directory must have
the trusted for delegation to all services privilege.
For additional information about Integrated Windows Authentication, refer to SAS® 9.4 Platform
Intelligence: Security Administration Guide.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
1. Exploring Initial Connection to the Metadata Server

This exercise demonstrates the initial authentication process to the metadata server.
a. On the client machine, select Start  All Programs  SAS  SAS Enterprise Guide 7.1.
Close the Welcome to SAS Enterprise Guide window. Place the mouse pointer on the words My
c .
In
Server in the lower right of the application interface. Who is logged in?
b. Click My Server. With the My Server profile highlighted, click Modify.
t e
c. Clear the Save login in profile check box.
u
t i t
d. Delete Jacques as the user and enter sas. Delete the asterisks for the password and enter
.
s
Student1.

I n i o n
This is the SAS install account, but this account is not linked to a metadata identity.
e. Click Save.
S u t
f.
A tri b
Click Yes to continue.
S
h t
g. Click Close.
i s
An Error window appears. Click Show Details. How is SAS identified by the metadata server?
r i g
r e d
At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
p y o r
through the Repository ACT. The authorization layer of the SAS environment is
discussed in Chapter 4.
C o f
h. Click Close.
t
N o
i.
j.
Click Modify to change the login back to Jacques. You can choose to select Save login in profile.
Click Save. Click Set Active. Click Close.
k. Use SAS Environment Manager or SAS Management Console to look at the properties of
Jacques.
1) Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
2) On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the
Password field. Click SIGN IN.
3) Click the Administration tab, which opens in another browser.
4) Select the Side Menu button in the upper left of the page.
5) Select Users.
6) Select to bring up a drop-down list on which you can filter. Choose User.
7) Double-click Jacques to see the metadata definition.

8) Click the drop-down arrow next to Basic Properties and select Accounts to see the ID that is
used and stored with the metadata identity for initial authentication to the metadata server.
9) Click Close in the upper right to close out of the metadata properties for Jacques.

c .
1) Start SAS Management Console, if it is not already open. (Select Start  All Programs 
e
SAS  SAS Management Console 9.4.) If you are already logged on, go to step 4. In
u t
2) In the Connection Profile window, click OK.
t
t i .
3) When prompted, enter Ahmed in the User ID field and Student1 in the Password field.
Click OK.
s n
I n t i o
4) After you are connected, you can see the name of the user logged on, the machine that hosts
the metadata server, and the port in the lower right corner of SAS Management Console.
 S
A tri b u
Ahmed is an unrestricted user of the metadata.
t S
5) On the Plug-ins tab, select the User Manager plug-in. The User Manager plug-in is where
s
i
SAS identities are viewed, created, and modified. SAS metadata identities can be an
i g hindividual user or a group. Metadata roles are also listed in this plug-in. Most SAS identities
d
have stored, external IDs as part of their metadata definitions. The external IDs are used for
y r r e
authentication to the SAS Metadata Server. The identities use these credentials when logging
r
on to SAS applications, such as SAS Enterprise Guide, SAS Web Report Studio, or SAS
o p f
Information Delivery Portal.
o
C o t You can deselect the Show Groups and Show Roles options to see only a list of
users.
N  You can use the User Manager plug-in’s Options dialog box to change your default
view from View All to Search, which then becomes your default view. This is useful
if you have many user identities.
6) Right-click Jacques and select Properties.
7) Go to the Accounts tab to see the ID that is used for initial authentication to the metadata
server.
8) Click Cancel.
2. Exploring Connection Profiles
Connection profiles are stored in files on the user’s desktop, but stored passwords are encrypted.
Examine an existing connection profile.
a. On the client machine, use Windows Explorer to navigate to
C:\Users\student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents
of sasserver.swa, using a text editor such as Notepad.
What is the value of AllowLocalPasswords?
 If the AppData folder is hidden, you can enter the path into Windows Explorer or
unhide the folder. To unhide it, in Windows Explorer, select Organize  Folder 
Search options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box.
Click OK.
b. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter the
following code:
c .
In
proc pwencode in="Student1";
run;
c. Click Run.
u t e
t t
d. On the Log tab, locate the value that begins with {sas002}. Does the value match the password
i
value in the sasserver.swa file?
.

n s n
A password string beginning with {sas002} is encoded using the SAS Proprietary
I
algorithm.
i o
S
e. Close SAS Enterprise Guide.
u t
f.
A tri b
View the metadata server log. Verify the SAS Enterprise Guide initial connection to the metadata
S
server.
h t i s
1) Open the most recent metadata server log.
r i g r e d For Windows Server
p y o r
D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs
C o t f For Linux Server
N o /opt/sas/config/Lev1/SASMeta/MetadataServer/Logs
2) Scroll down closer to the bottom and look for the name of the user ID that was used to log
on to SAS Enterprise Guide. (Otherwise, you can simplify the search by using the Find tool
for the name. Hold down the Ctrl key and press F.)
3. Exploring the omaconfig.xml File
The omaconfig.xml file is the start-up file for the SAS Metadata Server. You can specify changes
to standard features of the SAS Metadata Server, the repository manager, and policies related to
internal users in this file.
a. Open the omaconfig.xml file.
For Windows Server
Use Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer.
For Linux Server
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer.
b. What is the setting in this file that governs saving a password in a connection profile?
 For a few solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client-side connection
profiles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate to
c .
In
Application Management  Configuration Manager  SAS Application
Infrastructure  Right-click and select Properties  Settings  Policies Allow
u t e
client password storage.
c. What is the default value? What other values are possible?

t i t .
To find the possible values, go to support.sas.com and search Reference Information
I s
for omaconfig.xml.
n i o n
d. If you make changes to this file, what steps need to be performed?
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
3.2 Administering Users and Groups
Objectives
 Register users in the metadata.


Create group identities.
Import user and group information into the metadata.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
26
h t i s
r i g r e d
Registering Users
y
For accountability, each person who uses the SAS
o p o
identity.
f r
environment should have an individual SAS metadata
t
These are some of the benefits:
C o  control over a user’s access to application features

and resources
N  ability to audit individual actions in the metadata layer
 access for each user to a personal folder in the

repository
27
3.2 Administering Users and Groups 3-13
Registering Users
A user’s metadata identity includes a copy of the external
account that the user uses to log on to SAS applications.
c .
e In
t u t
s t i n .
28
I n t i o
S
A tri
3.01 Multiple Choice Pollb u
t S s
Which users in your environment do you need to register
i g h
in the metadata?
d i
y r r e
a. all users who need access to data
b. all users who need access to SAS applications
o p f o r
and metadata
c. all users in LDAP
C o t
d. You do not need to register users in the metadata.
N
29
Unique Names and IDs

The metadata server enforces certain identity-related
constraints.
 You cannot create a user definition that has the same
name as an existing user definition.
The display names do not have to be unique.
c .
e In
t u t
s t i n .
Avoid using spaces or special characters in names.
31
I n t i o continued...
S
A tri b u
Do not use spaces or special characters in the name of a user, group, or role. Not all components
S
support spaces and special characters in identity names.

t s
In SAS 9.4, you cannot change the name of an existing user, group, or role in SAS Management
h
Console.
i
r i g r e d
p y r
Unique Names and IDs
o
C o t f
The metadata server enforces certain identity-related
constraints.
N o  You cannot assign the same fully qualified external

account to two different identities.
32
All of the logons that include a particular ID must be owned by the same identity. This requirement
enables the metadata server to resolve each ID to a single identity. This requirement is case insensitive
and applies to the fully qualified form of the ID.
To enable multiple users to share an account, store the credentials for that account in a logon as part
of a group definition. Then add the users who share the account as members of that group definition.
If you give a user two logons that contain the same ID, the logons must be associated with different
authentication domains. Authentication domains are discussed later in this chapter.
Group Identities
For administration and ease of maintenance
c .
In
and accountability, you should create group identities.
Groups can be used to do the following:
 assign permissions
 share credentials
u t e
 populate roles
t i t . Groups
I n s i o n
S u t Sales
Marketing
S A tri b
33
h t i s
r i g r e d
p y Predefined Groups
o r
C o t f
The following groups are predefined:
PUBLIC Group with implicit membership that includes
N oSASUSERS
everyone who can access the metadata server
Group with implicit membership that includes

the members of the PUBLIC group who have
an individual metadata identity
PUBLIC
SASUSERS
34
Initial Connection to the SAS Metadata Server

Only the verification phase varies; the SAS identity phase
is always the same.
You need a well-formed user definition for each user who
is not a PUBLIC-only identity.
Verification phase
c .
PUBLIC
e In
t u t
s t i n .
Identification phase
SASUSERS
35
I n t i o
S
A tri
Identity Hierarchy b u
t S s
All of a user’s group memberships are part of the user’s
i g h
identity.
d i
y r r e
o p f o r
C o t
N
36
Creating Users and Groups

Here are two ways to define user and group identities:
 manually, using the User Manager plug-in
in SAS Management Console or the Administration
page in SAS Environment Manager
 using the user import macros supplied by SAS
to import identity information from an authentication
provider
c .
e In
t u t
s t i n .
37
I n t i o
S u
There are other programmatic methods that can be used to create metadata identities.
A tri b
t S
Importing User and Group Identities
s
g h d i
The user import macros enable the batch import and
i
y r r e
synchronization of user and group identity information
from a provider such as LDAP into the SAS metadata.
o p f o r
This process follows these general steps:
 Extract information from your authentication provider.
C o t
 Extract information from the SAS metadata.
 Compare the sets of tables and identify additions
N and updates that need to be made to the metadata.

 Validate the changes.
 Load the updates into the metadata.
38
Examples are provided for import and synchronization with an Active Directory server and UNIX
/etc/passwd files. Additional information is provided to help extrapolate to other authentication providers.
For more information about importing user and group information see SAS® 9.4 Intelligence Platform:
Security Administration Guide.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Back up the metadata before synchronizing user or group information.

The synchronization process performs two extractions (one from your authentication provider and another
from the SAS metadata), and the loads validate updates into the metadata.
External Identities
An external identity is a value used to map the user
information in the SAS metadata to the information from
the authentication provider.
An external identity
 must be unique to each user or group and unchanging
 must exist as a field in the user or group information

in the authentication provider and in the SAS metadata
c .
 is used during the synchronization process to compare
e
information stored in metadata to information from In
the authentication provider.
t u t
i
Example: An employee account name or employee ID
t .
is often used as the external identity value.
s n
39
I n t i o
S
A tri b u
If you need to perform periodic synchronization and want existing users and groups that you created
manually to be included in the process, add the appropriate external identity value to the user or group
t S
metadata identity.
s
g h d i
Administration Scenario
i
y r r e
The Finance and Shipping Departments of the Orion Star
o p r
Company need to be set up in the existing SAS
o
environment. You, as the SAS administrator, need
f
C o t
 create metadata identities
 set up SAS folder structure
N  add existing content such as stored processes
 secure the new folders
 verify users have sufficient access
 add data sources and verify access
40
Viewing SAS Environment Manager’s Administration Tab
This demonstration will illustrate using SAS Environment Manager to view and manage metadata users
and groups.
1. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password field.
c .
In
Click SIGN IN.
2. Click the Administration tab, which opens in another browser.
t e
3. Select the Side Menu represented by three bars in the upper left of the page.
u
t i t .
4. Select Users.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
5. Select to bring up a drop-down list on which you can filter. Choose User.
6. Right-click Jacques and select Open.
This brings us to the metadata definition.
c .
e In
t u t
s t i n .
I n t i o
S b u
7. From the drop-down menu select Accounts. This is the ID that is used and stored with the metadata
A tri
identity for initial authentication to the metadata server.
t S s
i g h d i
y r r e
o p f o r
C o t
N
8. Click Close in the upper right to close out of the metadata properties for Jacques.
Exercises
4. Loading Users and Groups with User Import Macros

a. On the client machine, use SAS Management Console to perform an ad hoc backup.
1) Log on to SAS Management Console as Ahmed using the Student1 password.
c .
Run Backup Now.
e In
t
3) Provide a comment for the backup history and click OK.
t i t u
4) Click OK when the backup is complete.
.
b. Create the following folders on the server:
n s
For Windows Server
I i o n
S t
D:\Workshop\spaft\Metids
u
A tri b
D:\Workshop\spaft\Updates
S
D:\Workshop\spaft\Extids
h t 
i s
You can also run makefolders.bat in the same directory to create the folders.
r i g r e d
p y o
For Linux Server
r
/opt/sas/Workshop/spaft/Metids
C o t f /opt/sas/Workshop/spaft/Updates
N o /opt/sas/Workshop/spaft/Extids
 You can also run the makedir.sh located in the same directory to create the
folders.
c. Make sure permissions are set on these directories to allow for Full Control.
 On the Linux server, you can use WinSCP or the chmod command.
d. On the client machine, use SAS Enterprise Guide to open the LoadUsers.sas program.
1) Select File  Open  Program.
2) Navigate to My Computer  Local Disk (D:)  Workshop  spaft.
3) Select LoadUsers and click Open.
4) At the top of the program there is an OPTIONS statement. Verify that the values are the
following:
options metaserver="sasserver"
metauser="Ahmed"
metapass="Student1";
 The extids folder holds the tables of user and group information from the external source.
 The %mduimpc macro defines ‘canonical’ tables, and the DATA step is used to extract
data from an external source and append them to the tables. However, this program has the
data directly in the DATA step.
 Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie,
James, Cecily, Jim, Ray
c .
 All of the groups in the program will be added to metadata. (You can compare the
In
information in the group table to the groups currently listed in the User Manager
e

t u t
plug-in to see this.)
i
The group members table (&idgrpmemstbla) is adding users to groups based on

s t n .
the external identity.
The metids folder holds the tables of user and group information from the metadata.

I n i o
The %mduextr macro extracts identity information from metadata and adds them to user
t
and groups tables in the metids library.


S
A tri b u
The updates folder holds the user and group updates.
The %mducmp macro compares user and group information to metadata and will
tS populate the updates library with this information.
s
i g h d i
The %mduchgv macro validates changes from the tables in the metids library and the
updates library
y r

r e
The %mduchglb macro loads the changes into metadata.
o p 
f o r
e. Run the program. Review the log and search for errors.
You can disregard this warning: Character expression will be truncated when assigned to
C o t character column filter.

If no errors are found, close SAS Enterprise Guide.
N Use SAS Environment Manager or SAS Management Console to verify that the new users and
groups were created. Verify that the group membership is correct.
Group Name Members
Power Users Groups: Application Developers, Data Integrators,

Report Content Creators
Report Content Creators Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie
Data Integrators Barbara, Bruno, Kari, Marcel, Ole
Application Developers Anita, George, Sally, Samantha
Group Name Members
Orion Star Users Groups: Finance, Marketing, Sales, Shipping
Analysts Cecily, James
Finance Alex, Jennifer, Katie, Megan, Peter
Eric, Henri, Jacques, Lynn, Stephanie
.
Marketing
Sales
Shipping
Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Ray, Jim
In c
f.
u t e
The usage of these import macros is well documented under “User Import Macros” in the
Appendix of SAS® 9.4 Intelligence Platform Security Administration Guide.
t i t .
The macros and sample programs importad.sas and importpw.sas are located under the SAS
I n s
installation directory.
i o n
t
For Windows Server
S u
Use Windows Explorer to navigate to the sample programs:
A tri b
t S
D:\Program Files\SASHome\SASFoundation\9.4\core\samples
s
Navigate to the macros:
i g h d i
D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro
y r r e
o p f o r
For Linux Server
Navigate to the sample programs:
C o t /opt/sas/SASHome/SASFoundation/9.4/samples/base
N Navigate to the macros:

/opt/sas/SASHome/SASFoundation/9.4/sasautos
5. Adding a User Manually into Metadata

Add Ben to metadata. Use the Administration page in SAS Environment Manager or the User
Manager plug-in in SAS Management Console.
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar. On the
Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password field.
Click SIGN IN.
b. Click the Administration tab, which opens in another browser.
c. Click the Side Menu button in the upper left of the page.
d. Select Users.
e. Click the New user/group button located in the upper right toolbar.
f. Select New User  type Ben and click Save.

g. Add the following information under the appropriate drop-down menu categories:
 Use the Add button to add information for each property.
c .
e In

u t
Be sure to save your changes by clicking the Save button
t
in the upper right toolbar
s i
after every entry that you make. An asterisk to the left of the drop-down menu property is
t n .
shown if the values have not been saved.
Basic Properties:
Name I n t i o Ben
S
A tri
Display Name
b u Ben
t S
Job Title
s
Power User
i g h d i
External Identities:
y r e
External Identity Context
r
IdentityImport
o p f o r
External Identity Identifier
Accounts:
P110
C o t
Account User ID  Windows server: sasserver\Ben
 Linux server: Ben
N Account Authentication Domain
Contact Information:
DefaultAuth
E-mail Type Business
E-mail Address ben@example.com
Phone Type Office
Phone Number +19196775555
Address Type Office
Street 123 Orion Star Boulevard
City Cary
State/Province NC
ZIP/Postal Code 27513
Country USA
Member of:
Finance
.
Group
h. Save your changes by clicking the Save button in the upper right toolbar.
In c
u t e
t t
a. Right-click the User Manager plug-in and select New  User.
i
b. Add the following information:
.
Name
I n s i o n Ben
S
Display Name
u t Ben
A tri
Job Title
S b Power User
h t
E-mail Type
E-mail Address
i s
Business
ben@example.com
r i g r
Phone Type
e d Office
p y r
Phone Number
o
+19196775555
C o f
Address Type
t
Office
N o Street
City
123 Orion Star Boulevard
Cary
State/Province NC
Country USA
External Identity Context IdentityImport
External Identity Identifier P110
Group Finance
Account User ID  Windows server: sasserver\Ben

Account Authentication Domain DefaultAuth
6. Using the Administration Page in SAS Environment Manager to View Identity Hierarchy
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
b. On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password
field. Click SIGN IN.
c. Click the Administration tab, which opens in another browser.
.
d. Click the Side Menu button in the upper left of the page.
e. Select Users.
f. Select to bring up a drop-down list on which you can filter. Select User.
In c
u t e
g. Right-click on Eric and select Open to see the metadata definition.
t i t .
h. From the drop-down menu select Member of.
I n s i o n
Which groups is Eric directly a member of?
S u t
Which groups is Eric indirectly a member of?
Which groups is Eric implicitly a member of?
i.
S A tri b
Click Close in the upper right to close out of the metadata properties for Eric.
h t i s
r i g r e d
p y o r
C o t f
N o
3.3 Exploring Other Authentication

Mechanisms and Managing
Credentials
Objectives
c .
 Explore SAS internal service accounts.
e In
t
 Explore SAS internal authentication.
u
 Explore SAS Token Authentication.

t i t
Examine the process of authentication to SAS servers
and third-party database servers.
.


I s i o n
Explore logins and single sign-on.
n
Identify when outbound logins are needed.
S u t
S A tri b
h t i s
45
r i g r e d
p y o r
C o f
SAS Administrator Identity
t
N oIn default installations, the SAS Administrator is an
internal user account, created during the deployment.
SAS Administrator sasadm@saspw
 Has access to all SAS Management Console

application capabilities
 Has access to all SAS Environment Manager
application capabilities
 Has all capabilities provided by the metadata server
regardless of metadata permission settings, due to
membership of the Metadata Server: Unrestricted role
 Can perform all user management functions and
metadata administration tasks
46
3.3 Exploring Other Authentication Mechanisms and Managing Credentials 3-29
Other Service Accounts

SAS Trusted User A service identity that can act on
sastrust@saspw behalf of other users.
SAS Environment This account is required for
Manager Service communications between the SAS
Account
sasevs@saspw
Environment Manager agent and
the SAS Environment Manager
c .
In
server. It also enables SAS
Environment Manager plug-ins to
SAS Anonymous
u e
access the SAS Metadata Server.
t
A service identity that functions as
Web User
webanon@saspw
t i t a surrogate for users who connect
.
without supplying credentials.
47
I n s i o n
S u t
The SAS Anonymous Web User (webanon) is an optional account that can be used to grant web clients
A tri b
anonymous access to certain SAS Web Infrastructure Platform applications (SAS BI Web Services and
S
SAS Stored Process Web Application). This anonymous account is configured with the SAS Deployment
h t
Wizard and is applicable only when SAS authentication is being used. If web authentication is used, the
i s
web application server processes authentication requests, and this anonymous account has no effect.
r i g r e d
For more information, see “Public Access and Anonymous Access” in SAS® 94 Intelligence Platform:
Security Administration, Second Edition.
p y o r
C o f
SAS 9.4 Authentication Mechanisms
t
N o
External  Host authentication (credential-based)

 Direct LDAP authentication
 Integrated Windows authentication
 Web authentication
Internal  SAS internal authentication
 SAS token authentication
48
A supporting feature of internal authentication mechanisms unifies the SAS realm and provides a degree
of independence from your general computing environment.
Internal Accounts
 Internal accounts are primarily used to connect
to the metadata server and exist only in the metadata.


They are authenticated by the metadata server.
They are created by the SAS Deployment Wizard and
c .
by the User Manager plug-in in SAS Management
Console or Administration page in SAS Environment
e In
Manager.
t u t
s t i n .
I n t i o
49 S
A tri b u
t S s
By initial policy, these server-level settings for internal account policies are in effect.
i g h d i
 Accounts do not expire and are not suspended due to inactivity.
 Passwords must be at least six characters, do not have to include mixed case or numbers, and do not expire.
r r e
 The five most recent passwords for an account cannot be reused for that account.
y
o f o r
 There is no mandatory time delay between password changes.
p
 After three failed attempts to log on, an account is locked. If an account is locked because of logon
C t
failures, further log on attempts cannot be made for one hour.
o
 For an account that has a password expiration period, there is a forced password change on the first use
N
after the password is reset by someone other than the account owner.
 An internal account has the format userID@saspw.
If you need to unlock an internal account and you have the necessary host access, do the following:
1. Edit the adminUsers.txt file to create a new unrestricted user by adding the fully qualified user ID
preceded by an asterisk. Restart the metadata server for the change to take effect.
2. Log on to SAS Management Console with the new unrestricted user and unlock the account.
3. Verify that the account is unlocked by logging on to SAS Management Console with the account.
Remove the unrestricted user that you added from the adminUsers.txt file and restart the metadata server.
SAS Internal Authentication
c .
e In
t u t
s t i n .
50
I n t i o
S
Internal Authentication
A tri b u
S
1. At a logon prompt, sasadm@saspw and password are entered. The client sends those credentials
to the metadata server for verification.
h t i s
2. The metadata server recognizes that the ID is for an internal account (because the ID has the @saspw
i g d
suffix), so the metadata server checks the credentials against its list of internal accounts.
r r e
y
3. After validating the ID and password, the metadata server accepts the client connection.
o p f o r
The connection is accepted using the SAS identity associated with the internal account.
Internal authentication alone is not sufficient to allow a user access to a standard workspace server
C t
because a host account is required.
o
N Internal accounts are not designed to be used as end users.
SAS 9.4 Authentication Mechanisms

External  Host authentication (credential-based)

 Direct LDAP authentication
Integrated Windows authentication
.

 Web authentication
Internal 

SAS internal authentication
SAS token authentication
In c
u t e
t i t .
51
I n s i o n
S u t
A tri
SAS Token Authentication
S b
h t i s
SAS token authentication is when the metadata server
generates and validates a single-use identity token for
r i g r e d
each authentication event. This enables the following
SAS processing servers to accept users who are already
p y o r
connected to the metadata server:
 OLAP server
C o t f
 stored process server
 pooled workspace server
N oThe workspace server can also use SAS Token

Authentication.
 SAS Token Authentication is covered in Chapter 6.

52
SAS Token Authentication
c .
e In
t u t
s t i n .
53
I n t i o
S
A tri b u
SAS Token Authentication is when the metadata server generates and validates a single-use identity token
for each authentication event. This enables participating SAS servers to accept users who are already
t S
s
i
1. The user initiates a request that requires access to a target server (for example, a request in SAS
i g h
Enterprise Guide to open a cube associated with the OLAP server). Using the existing connection
d
to the metadata server, the client requests an identity token for the target server.
y r r e
2. The metadata server generates the token and returns it to the client.
p o r
3. The client sends the token to the target server.
o f
C t
4. The target server sends the token back to the metadata server for validation.
o
5. The metadata server validates the token and returns an acceptance message and a representation
6.
N
of the user to the target server.
The target server accepts the connection.
How Logons Are Used (Review)

Purpose
1. To enable the metadata server to match an incoming user ID

with a particular SAS identity (inbound use)
Joe: id &
password
Metadata
Server
id
c .
e In
Internal acct:
sasadm@saspw
& password
t u t Metadata
Server
Id & pw
s t i n .
54
I n t i o
S
A tri b u
Joe’s logon is only for inbound use to determine his metadata identity. His password is available (cached
in the user context, not stored in the metadata) but is not used to determine his identity. This logon should
t S
be in DefaultAuth, but that relationship is not used in determining his metadata identity.
s
g h d i
How Logons Are Used
i
y r r e Purpose
o p o r
2. To designate one host account as the account under which a
f
particular server runs and to make that account's ID and
C o t
password available to the spawner
(SAS Token Authentication)
N SAS General Servers group’s

logins:
Stored Process
Server
Pooled Workspace
sassrv & password Server
Workspace Server
(standard using SAS
Token Authentication)
55
The designated launch credential for each of the depicted processing servers is stored on the SAS General
Servers group definition. In this example, the servers all use the same credentials. Logons that contain
designated launch credentials are usually in the DefaultAuth authentication domain, because these
processing servers are usually in DefaultAuth. However, those logons are directly paired with each server,
not looked up by authentication domain. Because the authentication domain assignment for these logons
is not used, the figure does not depict that assignment.
How Logons Are Used

Purpose
3. To enable clients to seamlessly obtain user credentials for

disparate systems, for outbound use, logins are stored in
Metadata: User ID, Password, Authentication domain.
JoeOra &
password
c .
In
OracleAuth Oracle DBMS
GroupOra &
e
password
t u t
t i
 An example of outbound use is a DBMS or workspace
.
server on a machine with separate authentication from
s
where the metadata server resides.
n
56
I n t i o
S
A tri b u
Joe’s second logon provides seamless access to Oracle using an individual account. This logon includes a
password and must be in the Oracle server's authentication domain. The ETL group's logon is a shared

t S
logon for the Oracle server. Joe’s personal Oracle logon has a higher priority.
s
i g h d i
If you choose to store passwords for the workspace server, the relationships would be comparable
to the depiction of the Oracle DBMS, OracleAuth authentication domain, and Oracle logons. For
y r r e
example, you might put the workspace server in WorkspaceAuth and create individual and group
logons in that authentication domain.
o p f o r
Outbound Logons
C o t
Outbound logons can be defined on the Accounts tab
N of individual and group identities and must include these

items:
 a fully qualified external account
 password
 authentication domain
57
Clients use authentication domain assignments to determine which credentials are valid for which servers.
The target server validates the client-supplied credentials against its authentication provider.
In most deployments of the platform for SAS Business Analytics, passwords for external accounts need
to be stored in the metadata to support these types of access only:
 seamless access to an external database
 seamless access to the standard workspace server in a mixed provider environment where Integrated
Windows Authentication and SAS token authentication is not applicable
c .
Authentication Domains
e In
u t
An authentication domain is a SAS metadata object
that pairs logons with the server definitions where those
t
i
credentials are correctly authenticated.
s t n .
I n t i o
S
A tri b u
t S s
i g h d i
58
y r r e
o p f o r
For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound logons)
have the same authentication domain value (for example, “OracleAuth”) if those credentials authenticate
C o t
on that Oracle Server. Authentication domains can be managed using the Server Manager plug-in
or the User Manager plug-in. Right-click the plug-in and select Authentication Domains.

How many authentication domains do you need to define
in the metadata?
a. one for each registered user
b. one for each registered server
c. one for each metadata server
d. one for each server that requires different credentials
c .
e In
t u t
s t i n .
59
I n t i o
S
A tri
Password Management b u
t S s
Passwords for a few service accounts require special
i g h d i
coordination because these passwords are included in
configuration files. To update these passwords, use the
y r r e
o p f o r
C o t
N
61
In order to run the SAS Deployment Manager, you need to run it on each machine that hosts affected
components. If you have servers on multiple machines, run the utility on each host, beginning with the
metadata server machine. Stop all SAS servers and services. Restart the metadata server, the SAS Web
Infrastructure database (usually the SAS Web Infrastructure Platform Data Server), and any SAS solution-
specific data servers. Do not restart other servers or services. For more information, see “Update a
Managed Password” in SAS® 9.4 Intelligence Platform: Security Administration Guide, Second Edition.
 The procedure to update the SAS Environment Manager identity password is different from the
process detailed here. For more information, see “Updating Passwords for SAS Environment
Manager Metadata Identities” in SAS® Environment Manager: User's Guide.
Exercises
7. Accessing Deployment Manager

You will access the SAS Deployment Manager and review the tasks, as well as view the internal
service accounts that would be updated with this application. However, you will not be updating
passwords at this time.
c .
In
a. On the server machine, navigate to the SAS Deployment Manager.
e
For Windows Server
u t
Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4
t
i
and run sasdm.exe.
s t n .
n o
For Linux Server
I t i
Navigate to /opt/sas/SASHome/SASDeploymentManager/9.4 and run
S
sasdm.sh
A tri b u
S
b. Select OK when prompted for language.
h t
c. Scroll through the list of tasks that are performed in SAS Deployment Manager.
i s
d. With Update Passwords selected, click Next.
r i g e d
e. Click Next to move through the selection of configuration directory and level.
r
p yf. Enter Student1 as the password for sasadm@saspw. Click Next.
o r
g. Enter Student1 as the password for ShareServices. Click Next.
C o t f
h. Review the list of internal service accounts that were created at SAS deployment. Click Cancel as
o
no passwords need to be updated.
Ni.

Click Yes when prompted to verify that you want to cancel.
Passwords for any service accounts that you introduce in SAS Management Console are not
managed by this tool. For example, if you designate a new logon as the launch credential for
a server, that launch credential is not automatically added to the list of accounts that the SAS
Deployment Manager can update.
8. Maintaining Passwords for End Users in Metadata
If users have logons to third-party database servers, their IDs and passwords are stored in metadata.
They will need to update their passwords according to company security policy. This can be done
through the following applications: SAS Personal Login Manager and SAS Enterprise Guide.
Maintaining Passwords SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.
b. Log on with the My Server connection profile as Marcel using the Student1 password.
c. Where in SAS Management Console can you find what is displayed in the SAS Personal Login
Manager?______________________ In SAS Environment Manager? _____________________
d. Can Marcel modify an existing login?
e. Can Marcel add a new login?
f. Can Marcel add a new authentication domain?
.
Maintaining Passwords with SAS Enterprise Guide:
a. Connect to SAS Enterprise Guide as Marcel.
b. Select Tools  SAS Enterprise Guide Explorer. In SAS Enterprise Guide Explorer, select
In c
File  Manager Logins.
u t e
c. Can Marcel modify an existing login?
t i
d. Can Marcel add a new login?t .
I n s i o n
e. Can Marcel add a new authentication domain?
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
3.4 Administering Roles and

Administrative Identities
Objectives
 Explore metadata roles and their key features.
c .
In
 Explore differences between roles and groups.
 Explore predefined roles.

u t e
Explore administrative identities.
Create administrators and unrestricted users.
t i t .
I n s i o n
S u t
S A tri b
65
h t i s
r i g r e d
p y What Are Metadata Roles?
o r
C o t f
Roles determine which user interface elements (such as
buttons, tabs, and menu items) are visible to which users.
o
For example, role memberships determine who can see
the Server Manager plug-in in SAS Management
N Console, or see the Compare Data Task as a menu

choice in SAS Enterprise Guide.
Applications that support roles
include the following:
 SAS Add-In for Microsoft Office
 SAS Enterprise Guide
 SAS Studio
 SAS Web Report Studio
 Visual Analytics
66
Roles can be accessed and managed from the Administration page in SAS Environment Manager or the
User Manager plug-in in SAS Management Console.
Not all applications have roles.
3.4 Administering Roles and Administrative Identities 3-41
Role Capabilities
The various features in applications that are under role
management are called capabilities. Each role has
application capabilities that are assigned to it.
no capabilities selected
c .
e
some capabilities selected
In
t u t all capabilities selected
s t i n .
67
I n t i o
S
A tri b u
Not all application features are under role management. Each application that supports roles provides a
fixed set of capabilities. You cannot convert a feature that is not a capability into a capability.
t S
You can add existing roles to a current role under the Contributing Roles tab. Capabilities from
s
i
a contributing role cannot be removed individually.
i g h d
y r r
Role Features e
o p o r
Below are some key points of metadata-based roles.
f
 Roles do not protect data or metadata. Roles control
C o t
which features in a particular application are available
to which users.
N  Having a certain capability is not an alternative

to meeting permission requirements.
 Capabilities are additive. There are no negative
capabilities (capabilities that limit what a user can do).
It is not possible to deny a capability (capabilities are
either granted or not granted). For example, if a group
is in two roles, that group has all the capabilities from
both roles.
68
Differences between Roles and Groups

Roles and groups serve distinct purposes.
 The identity hierarchy is relevant for groups, but not for
roles. If you are a member of a role, you have all of
that role’s capabilities, regardless of whether you are a
direct member of that role and what your other
memberships are.
 A group’s permissions are not displayed as part of a
c .
group definition, but a role’s capabilities are displayed
as part of a role definition.
e In
u t
 A group can be a member of another group, but a role
cannot be a member of another role. Instead, one role
t
t i
can contribute its capabilities to another role.
.
 You cannot assign permissions to a role. You cannot
s
assign capabilities to a group.
n
69
I n t i o
Roles
S
A tri b u
t S s
The initial configuration of the software includes some
i g h
predefined roles.
d i
e
 If these roles meet your needs, assign the correct
y r r r
membership.
 If these roles do not meet your needs, create new
o p f o
roles, assign appropriate membership, and explicitly
select application capabilities and designate
C o t
contributing roles.
Do not change the name of predefined roles.
N
70
SAS Management Console Roles

There are two predefined roles:
Management Console:  Provides access to the Folders tab
Advanced and all of the plug-ins under role
management.
 Default member:
Management Console: 
SAS Administrators
Provides access to the Folders tab,
c .
In
Content Management User Manager, Library Manager, and
Authorization Manager plug-in.

u t e
Default member: SASUSERS
t i t .
71
I n s i o n
S u t
The capabilities for the SAS Management Console roles also affect controlling access to modules on the
A tri b
Administration page of SAS Environment Manager:
S
 Data Library Manager controls access to the Libraries module
h t i s
 Folders View controls access to the Folders module
 Server Manager controls access to the Servers module
r i g r e d
 User Manager controls access to the Users module
p y o r
In order to control which SAS Management Console plug-ins (and the Folders tab) are under role
management, select Tools  Plug-in Manager. Only unrestricted users can access the Plug-in Manager.
C o t f
N o
Administrative Roles
In addition to the client application roles, the following
implicit metadata server roles are defined at installation:
Metadata Server: All capabilities provided by the metadata
Unrestricted server regardless of metadata permission
settings
Metadata Server: Create, update, and delete users; groups,
c .
In
User roles, internal accounts, logins, and
Administration authentication domains
Metadata Server:
Operation
t e
Administration of the metadata server
(monitor, stop, pause, resume, quiesce) and
u
t
its repositories (add, initialize, register,
s t i
unregister, delete)
n .
72
I n t i o
S
A tri b u
The metadata server roles have implicit capabilities. This means that the default capabilities for these
roles cannot be viewed or modified. However, additional capabilities can be added to these roles.
t S
Unrestricted users can use only those logons that are assigned to them (or to groups to which they
s
i
belong). They do not automatically have implicit capabilities that are provided by components other than
i g h
the metadata server.
d
y r r e
o p f o r
Two Levels of Administrative Users
Administrative users have special abilities and privileged
C o t
access to metadata based on their assignments to roles.
There are two basic levels of administrative users.
N Administrators 

Have metadata access capabilities that a
typical end user does not have.
Are subject to metadata layer access
controls.
Unrestricted  Have unrestricted access to metadata.
Users  Can perform tasks when the metadata
server is paused for administration.
73
Administrative Tasks
Many administrative tasks have permission requirements
in addition to capability requirements. For example,
to operate servers other than the metadata server,
you need the Administer permission.
.
If a user needs to function as both an administrator
c
and as a non-administrator, create two user definitions
as follows:
 one definition that is based on an internal account
e
and is a member of the SAS Administrators group, In
t u t
and if needed, the Metadata Server: Unrestricted role
 another definition based on an external account
t i .
and not a member of the SAS Administrators group
s n
74
I n t i o
S
A tri b u
Controlling Access to Environment Manager
t S s
Environment Manager controls access and permissions
i g h d i
within the application with its own registry of users and its
own system of roles and permissions.
y r r e
Group name in SAS metadata Role in Environment Manager
o p f o
Super Userr
SAS Environment Manager Super user role
t
SAS Environment Manager Guest Guest role
C o
SAS Environment Manager App SAS App Tier role
N
Server Tier Users
SAS Environment Manager Data (not used)
Mart Administrators
SAS Environment Manager Data (not used)
Mart Users
75
Although native user definitions are internal to SAS Environment Manager, they are mapped to user
definitions created in SAS metadata. Native users are created by first creating the user definition in
metadata and then synchronizing the user information with SAS Environment Manager. You cannot
create or edit native user definitions in SAS Environment Manager directly.
Native roles enable you to grant capabilities and permissions for actions in SAS Environment Manager to
selected users. For example, an administrator role could be granted full permissions for all resource types
and the ability to acknowledge and fix alerts, while a guest role could be denied the ability to fix or
acknowledge alerts and have only Read permission for resources. Assigning a native role to a native user
determines the actions that the user can perform in SAS Environment Manager.
Each native role also has its own unique Dashboard page. Each user has access to their own personal
Dashboard page and the Dashboard pages of all native roles of which they are a member.
Authentication to Environment Manager

Environment Manager controls access and permissions
within the application with its own registry of users and its
own system of roles and permissions.
c .
In
SASServer1_1 SAS Metadata
Server
/SASLogon
application
u t e Group: SAS EV
Super Users
(sasadm@saspw)
t i t .
s
SAS EV Server
I n i o n Role: Super
User (contains
S u t
URL: http:<machine>:7080
user sasadm )
76
S A tri b
t s
Step 1: User accesses http://<machine>:7080 in browser
h i
d
Step 2: Request is redirected to the SAS Logon Manager application for authentication
r i g r e
Step 3: User is authenticated by the metadata server
p y r
Step 4: Request is passed on to SAS Environment Manager Server
o
C o t f
Step 5: User is again authenticated in SAS Environment Manager, and his/her Role membership
determines what he/she can do in SAS Environment Manager
N o
Exercises
9. Exploring SAS Enterprise Guide Roles

You can use SAS Environment Manager or SAS Management Console for this exercise.
c .
a. In SAS Environment Manager on the Administration page, select the Side Menu
e In
 Users.
b. Select
t u t
to bring up a drop-down list on which you can filter. Select Role.
c. Open the properties of the Enterprise Guide: Advanced role by right-clicking the role and
selecting Open.
s t i n .
d. Remove PUBLIC as the current member. From the drop-down menu, select Members .
I n
e. Select the Edit button
t i o
in the upper right toolbar. Highlight PUBLIC and move the identity to
S u
the left by selecting the arrow pointing to the left. Click OK.
A tri b
f.
t S
Click the Save button
s
in the upper right toolbar. Click Close.
i g h d i
g. Right-click on the Enterprise Guide: Analysis role and select Open.
h. Add Gloria to the Current Members by selecting Members in the drop-down menu.
y r r e
o p
i.
j.
f o r
Select the Edit button in the upper right toolbar.
Enter Gloria in the search field. Highlight Gloria on the left and move her to the right by
t
selecting the arrow pointing to the right. Click OK.
C o
k. Click the Save button in the upper right toolbar. Click Close.
Nl. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
m. On the status bar, select Functions. Which capabilities does Marcel have?
n. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
of authorized functions to the list of capabilities in the Enterprise Guide: Analysis role.
Do the lists match?
o. Close SAS Enterprise Guide.
p. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role and
add PUBLIC back to the Current Members. Save the changes.
q. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
Members. Save the changes.

a. In SAS Management Console’s User Manager plugin, open the properties of the Enterprise
Guide: Advanced role. Remove PUBLIC as the current member. Click OK.
b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current Members
list box. Click OK.
.
c. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
d. On the status bar at the bottom, select Functions. Which capabilities does Marcel have?
e. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
In c
e
f.
Do the lists match?
t
Close SAS Enterprise Guide.
u t
t i .
g. In SAS Management Console’s User Manager plugin, open the properties of the Enterprise
Guide: Advanced role.
s n
I n i o
Add PUBLIC to the Current Members list box. Click OK.
t
S
Members list box. Click OK.
A tri b u
h. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
t S
10. Creating a Dual User
s
i
a. Christine needs to connect to the metadata server as an unrestricted user sometimes and as a
h d
regular user other times. In the Administration page in SAS Environment Manager, or the User
i g e
Manager plug-in in SAS Management Console, create the following two metadata identities:
y r Name:
r r Christine AdminChristine
o p f o
Display Name: Christine Administrator | Christine
C o t
Groups and Roles: Data Integrators SAS Administrators
N
Orion Star Users Metadata Server: Unrestricted
Accounts: User ID: Internal User ID:

AdminChristine@saspw
Windows Server: sasserver\Christine
Password: Student1
Linux Server: Christine
Do not store the password!
Authentication Domain: DefaultAuth
b. Log on to SAS Management Console. Use the external Christine account with the Student1
password. Open a second instance of SAS Management Console and log on using the
AdminChristine@saspw account.
How are the two instances of SAS Management Console similar? How are they different?
11. (Optional) Creating a Role

Create a role that enables the Data Integrators group to have access to the BI Lineage plug-in
and permission to view scan results. There are three steps:
 Enable role-based access for the BI Lineage plug-in.
 Create the role so that the Data Integrators group can see a limited number of plug-ins
in SAS Management Console, including the BI Lineage plug-in.
 Give the group permission to view scan results.
a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by default is not under
c .
In
role management. Select Tools  Plug-in Manager. Enable role-based access for the BI Lineage
plug-in by selecting the box next to the plug-in. Click OK. Click Yes in the pop-up box to save
changes.
u t e
b. In the User Manager plug-in, create the following role:
 Name: BI Lineage Scan
t i t .
s
 Members: Data Integrators
I i o n
 Description: Members of this role can view scan results.
n
S u t
 Capabilities (expand Management Console 9.4  Plug-ins): Select Data Library Manager,
User Manager, BI Lineage, and Folder View.
A tri b
 Click OK to save new role.
S
c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata permissions.
h t i s
 On the Plug-ins tab, select BILineage from the Repository drop-down list.
r g r e d
 Expand the Authorization Manager plug-in. Expand the Access Control Templates folder.
i Access the properties window for the Default ACT.
p y  Click the Permission Pattern tab. Click Add and select the Data Integrators group. When
o r
you add the group, the Authorization Manager automatically grants the group the
C o t f
ReadMetadata permission.
 Click OK.
N o
d. Verify that a member of the Data Integrators group can see the BI Lineage plug-in in SAS
Management Console and can view scan results. Log on to SAS Management Console as Kari, a
member of the group.
3.5 Solutions
1. Exploring Initial Connection to the Metadata Server
This exercise demonstrates the initial authentication process to the metadata server.
a. On the client machine, select Start  All Programs  SAS  SAS Enterprise Guide 7.1.
c .
In
Close the Welcome to SAS Enterprise Guide window. Place the mouse pointer on the words My
Server in the lower right of the application interface, and you see the user who is logged on.
u t e
t i t .
I n s i o n
S u t
b. Click My Server. With the My Server profile highlighted, click Modify.
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
c. Clear the Save login in profile check box.
d. Delete Jacques as the user and enter sas. Delete the asterisks for the password and enter
Student1.
 This is the SAS install account. But this account is not linked with a metadata identity.
3.5 Solutions 3-51
e. Click Save.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
f.
t S
Click Yes to continue.
s
i g h d i
y r r e
o p f o r
C o t
g. Click Close.
N An Error window appears. Click Show Details. How is sas identified by the metadata server?
 At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
through the Repository ACT. The authorization layer of the SAS environment is
discussed in Chapter 4.
c .
e In
t u t
s t i n .
I n t i o
S
A tri
h. Click Close.
b u
i.
S
Click Modify to change the login back to Jacques. You can choose to select Save login in profile.
t s
i g h d i
y r r e
o p f o r
C o t
N
3.5 Solutions 3-53
j. Click Save. Click Set Active. Click Close.
c .
e In
t u t
s t i n .
k. Use SAS Environment Manager or SAS Management Console to look at the properties of
Jacques.
I n t i o
S
A tri b u
t S
1) Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
s
i
2) On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password
i g h d
y r r e
3) Click the Administration tab, which opens in another browser.
o p f o r
4) Select the Side Menu button in the upper left of the page.
C o t
N 5) Select Users.
6) Select to bring up a drop-down list on which you can filter. Choose User.
7) Double-click Jacques to see the metadata definition.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
8) Click the drop-down arrow next to Basic Properties and select Accounts to see the ID that is
o p f o r
used and stored with the metadata identity for initial authentication to the metadata server.
C o t
N
9) Click Close in the upper right to close out of the metadata properties for Jacques.
1) Start SAS Management Console, if it is not already open. (Select Start  All Programs 
SAS  SAS Management Console 9.4.) If you are already logged on, go to step 4.
3.5 Solutions 3-55
2) In the Connection Profile window, click OK.
3) When prompted, enter Ahmed in the User ID field and Student1 in the Password field.
c .
Click OK.
e In
t u t
s t i n .
I n t i o
S
A tri b u
4) After you are connected, you can see the name of the user logged on, the machine that hosts
t S
the metadata server, and the port in the lower right corner of SAS Management Console.
s
i g h d i
y r 
r e Ahmed is an unrestricted user of the metadata.
o p f o r
5) Click the Plug-ins tab and select the User Manager plug-in. The User Manager plug-in is
where SAS identities are viewed, created, and modified. SAS metadata identities can be an
individual user or a group. Metadata roles are also listed in this plug-in. Most SAS identities
C o t have stored, external IDs as part of their metadata definitions. The external IDs are used for
authentication to the SAS Metadata Server. The identities use these credentials when logging
N on to SAS applications, such as SAS Enterprise Guide, SAS Web Report Studio, or SAS
Information Delivery Portal.
 You can deselect the Show Groups and Show Roles options to see only a list of
users.
 You can use the Options dialog box in the User Manager plug-in to change your
default view from “View All” to Search. This will be your default view. This is
useful if you have many user identities.
6) Right-click Jacques and select Properties.
7) Go to the Accounts tab to see the ID that is used for initial authentication to the metadata
c .
In
server.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t
8) Click Cancel.
i s
2. Exploring Connection Profiles
r i g e d
Connection profiles are stored in files on the user’s desktop, but stored passwords are encrypted.
r
p yExamine an existing connection profile.
o r
a. On the client machine, use Windows Explorer to navigate to
C o t f
C:\Users\Student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents
of sasserver.swa, using a text editor such as Notepad.
N o What is the value of AllowLocalPasswords?
 If the AppData folder is hidden, you can enter the path into Windows Explorer or
unhide the folder. To unhide it, in Windows Explorer, select Organize  Folder 
Search options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box.
Click OK.
b. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter the
following code:
proc pwencode in="Student1";
run;
c. Click Run.
d. On the Log tab, locate the value that begins with {sas002}. Does the value match the password
value in the sasserver.swa file?
3.5 Solutions 3-57
 A password string beginning with {sas002} is encoded using the SAS Proprietary
algorithm.
e. Close SAS Enterprise Guide.
f. View the metadata server log. Verify the SAS Enterprise Guide initial connection to the metadata
server.
1) Open the most recent metadata server log.
For Windows Server

c .
D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs
e In
u t
For Linux Server
t
t i .
/opt/sas/config/Lev1/SASMeta/MetadataServer/Logs
s n
2) Scroll down closer to the bottom and look for the name of the user ID that was used to log
I n t i o
on to SAS Enterprise Guide. (Otherwise, you can simplify the search by using the Find tool
for the name. Hold down the Ctrl key and press F.)
S b
3. Exploring the omaconfig.xml File
A tri u
t S
The omaconfig.xml file is the start-up file for the SAS Metadata Server. You can specify changes
to standard features of the SAS Metadata Server, the repository manager, and policies related to
s
i g h d i
internal users in this file.
a. Open the omaconfig.xml file.
y r r e
For Windows Server
o p f o r
Use Windows Explorer to navigate to
D:\SAS\Config\Lev1\SASMeta\MetadataServer.
C o t
N
For Linux Server
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer
b. What is the setting in this file that governs saving a password in a connection profile?
SASSEC_LOCAL_PW_SAVE="1 | Y | T | 0 | N | F" - specifies whether users of desktop
applications can save their user IDs and passwords in a local metadata connection profile.
 For a few solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client-side connection
profiles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate to
Application Management  Configuration Manager  SAS Application
Infrastructure  right-click and select Properties  Settings  Policies 
Allow client password storage.
c. What is the default value? What other values are possible?
 To find the possible values, go to support.sas.com and search Reference Information

for omaconfig.xml.
d. If you make changes to this file, what steps need to be performed?
1) Make sure there is a backup of the file.
2) The Metadata Server needs to be restarted.
4. Loading Users and Groups with User Import Macros
a. On the client machine, use SAS Management Console to perform an ad hoc backup.
c .
1) Log on to SAS Management Console as Ahmed using the Student1 password.
e In
Run Backup Now.
t u t
t i .
3) Provide a comment for the backup history and click OK.
s n
I n t i o
4) Click OK when the backup is complete.
b. Create the following folders on the server:
S
A tri b
For Windows Server u
t S
D:\Workshop\spaft\Metids
s
i g h d i
D:\Workshop\spaft\Updates
D:\Workshop\spaft\Extids
y r r e
o p f o r
C o t  You can also run makefolders.bat in the same directory to create the folders.
3.5 Solutions 3-59
For Linux Server

opt/sas/ Workshop/spaft/Metids
/opt/sas/ Workshop/spaft/Updates
/opt/sas/Workshop/spaft/Extids
Use WinSCP. Right-click in /opt/sas/Workshop/spaft and select New  Directory.
c .
e In
t u t
t i .
Or, the mkdir command in MRemoteNG.
s n

I n o
You can also run the makedir.sh located in the same directory to create the
folders.
t i
S u
c. Make sure permissions are set on these directories to allow for Full Control.
A tri b

t S On the Linux server, you can use WinSCP or the chmod command.
s
i g h d i
y r r e
o p f o r
C o t
N
Or, on the command line:
chmod 777 /opt/sas/Workshop/spaft/Metids/
Repeat for the Updates and Extids directories.
d. On the client machine, use SAS Enterprise Guide to open the LoadUsers.sas program.
1) Select File  Open  Program.
2) Navigate to My Computer  Local Disk (D:)  Workshop  spaft.
3) Select LoadUsers and click Open.
4) At the top of the program there is an OPTIONS statement. Verify that the values are the
following:
metauser="Ahmed"
 The extids folder holds the tables of user and group information from the external source.
 The %mduimpc macro defines “canonical” tables and the DATA step is used to extract
data directly in the DATA step.

c .
data from an external source and append them to the tables. However, this program has the

In
Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie,
e
James, Cecily, Jim, Ray

t u t
All of the groups in the program will be added to metadata. (You can compare the
s t i
information in the group table to the groups currently listed in the User Manager
.
plug-in to see this.)
n

I n t i o
The group members table (&idgrpmemstbla) is adding users to groups based on
the external identity.

 S
A tri b u
The metids folder holds the tables of user and group information from the metadata.
The %mduextr macro extracts identity information from metadata and adds them to user

t Sand groups tables in the metids library.
s
i
The updates folder holds the user and group updates.
i g h
d
The %mducmp macro will compare user and group information to metadata and will
y r 
r e
populate the updates library with this information.
The %mduchgv macro will validate changes from the tables in the metids library and the
o p f
o rupdates library
The %mduchglb macro will load the changes into metadata.
C t
e. Run the program. Review the log and search for errors.
o
N  There will be warnings that you can disregard: Character expression will be truncated
when assigned to character column filter.
If no errors are found, close SAS Enterprise Guide.
Use SAS Environment Manager or SAS Management Console to verify that the new users and
groups were created. Verify that the group membership is correct.
Group Name Members

Report Content Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie

Creators
3.5 Solutions 3-61
Group Name Members
Orion Star Users Groups: Finance, Marketing, Sales, Shipping
Analysts Cecily, James
Finance Alex, Jennifer, Katie, Megan, Peter
.
Marketing
Sales
Shipping
Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Ray, Jim
In c
t e
f. The usage of these import macros is well documented under “User Import Macros” in the
u
Appendix of SAS® 9.4 Intelligence Platform Security Administration Guide.
t i t .
The macros and sample programs importad.sas and importpw.sas are located under the SAS
I n s
installation directory.
i o n
t
For Windows Server
S u
Use Windows Explorer to navigate to the sample programs:
A tri b
t S
D:\Program Files\SASHome\SASFoundation\9.4\core\samples
s
Navigate to the macros:
i g h d i
D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro
y r r e
o p f o r
For Linux Server
Navigate to the sample programs:
C o t /opt/sas/SASHome/SASFoundation/9.4/samples/base
N Navigate to the macros:

/opt/sas/SASHome/SASFoundation/9.4/sasautos
5. Adding a User Manually into Metadata

Add Ben to metadata. Use the Administration page in SAS Environment Manager or the User
Manager plug-in in SAS Management Console.
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar. On the
Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password field.
Click SIGN IN.
b. Click the Administration tab, which opens in another browser.
c. Click the Side Menu button in the upper left of the page.
d. Select Users.
c .
e In
t u t
s t i
e. Click the New user/group button
n . located in the upper right toolbar.
I n t i o
S
A tri b u
t S
f. Select New User  type in Ben  click Save.
s
i g h d i
y r r e
o p f o r
C o t
N
3.5 Solutions 3-63
g. Add the following information under the appropriate drop-down menu categories:
c .
e In
t u t

s t i
Use the Add button
n . to add information for each property.
I n t i o
S
A tri b u

t S Be sure to save your changes by clicking the Save button
s
in the upper right toolbar
after every entry that you make. An asterisk to the left of the drop-down menu property is
i g h d i
shown if the values have not been saved.
e
Basic Properties:
y r Name
r r Ben
o p f o
Display Name Ben
C o tJob Title Power User
External Identities:
c .
Accounts:
e  Windows server: sasserver\Ben In

Account User ID
t u t  Linux server: Ben
t i
Account Authentication Domain
s n . DefaultAuth
I n t i o
S
A tri b u
t S s
i g h d i
Contact Information:
y r e
E-mail Type
r
Business
o p f o r
E-mail Address
Phone Type
ben@example.com
Office
C o tPhone Number +19196775555
N Address Type
Street
Office
123 Orion Star Boulevard
City Cary
State/Province NC
Country USA
3.5 Solutions 3-65
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
Member of:
t
Group
h i sFinance
r i g r e d
p y o r
C o t f
N o
h. Save your changes by clicking the Save button in the upper right toolbar.
a. Right-click the User Manager plug-in and select New  User.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
b. Add the following information:
e
Name Ben
y r r
Display Name
r
Ben
o p f o
Job Title Power User
C o tE-mail Type Business
N E-mail Address
Phone Type
ben@example.com
Office
Phone Number +19196775555
Address Type Office
Street 123 Orion Star Boulevard
City Cary
State/Province NC
Country USA
3.5 Solutions 3-67

Finance
Group
 Windows server:
Account User ID
sasserver\Ben
DefaultAuth
.
Account Authentication Domain
6. Using the Administration Page in SAS Environment Manager to View the Identity Hierarchy
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
In c
t e
b. On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password
u
t i t .
c. Click the Administration tab, which opens in another browser.
n s
d. Click the Side Menu button
I i o n in the upper left of the page.
S u t
S A tri
e. Select Users. b
h t i s
r i g r e d
p y o r
C o t f
N o
f. Select to bring up a drop-down list on which you can filter. Choose User.
g. Right-click on Eric and select Open to see the metadata definition.
h. From the drop-down menu select Member of.
c .
e In
t u t
s t i n .
Creators
I n t i o
Which groups is Eric directly a member of? Marketing, Marketing Managers, Report Content
S b u
Which groups is Eric indirectly a member of? Orion Star Users, Power Users
A tri
t S
Which groups is Eric implicitly a member of? PUBLIC, SASUSERS
s
i g h d i
y r r e
o p f o r
C o t
Ni. Click Close in the upper right to close out of the metadata properties for Eric.
7. Accessing Deployment Manager
You will access the SAS Deployment Manager and review the tasks, as well as view the internal
service accounts that would be updated with this application. However, you will not be updating
passwords at this time.
a. On the server machine, navigate to the SAS Deployment Manager.
3.5 Solutions 3-69
For Windows Server
Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4

and run sasdm.exe.
c .
e In
t u t
s t i n .
n
For Linux Server
I t i o
Navigate to /opt/sas/SASHome/SASDeploymentManager/9.4 and run
S
sasdm.sh.
A tri b u
b. Select OK when prompted for language.
t S
c. Scroll through the list of tasks that are performed in SAS Deployment Manager.
s
i g h d i
y r r e
o p f o r
C o t
N
d. With Update Passwords selected, click Next.
c .
e In
t u t
s t i n .
I n t i o
S u
e. Click Next to move through the selection of configuration directory and level.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
f. Enter Student1 as the password for sasadm@saspw. Click Next.
3.5 Solutions 3-71
c .
e In
t u t
s t i n .
I n t i o
S u
g. Enter Student1 as the password for ShareServices. Click Next.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
h. Review the list of internal service accounts that were created at SAS deployment. Click Cancel as
no passwords need to be updated.
c .
e In
t u t
s t i n .
I n t i o
S u
i. Click Yes when prompted to verify that you want to cancel.
A tri b
t S s
i g h d i
y

r e
Passwords for any service accounts that you introduce in SAS Management Console are not
r
managed by this tool. For example, if you designate a new logon as the launch credential for
o p f o r
a server, that launch credential is not automatically added to the list of accounts that the SAS
Deployment Manager can update.
C t
8. Maintaining Passwords for End Users in Metadata
o
N
If users have logons to third-party database servers, their IDs and passwords are stored in metadata.
They will need to update their passwords according to company security policy. This can be done
through the following applications: SAS Personal Login Manager and SAS Enterprise Guide.
Maintaining Passwords SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.
3.5 Solutions 3-73
c .
e In
t u t
s t i n .
b. Log on with the My Server connection profile as Marcel using the Student1 password.
I n t i o
c. Where in SAS Management Console can you find what is displayed in the SAS Personal Login
S
A tri b u
Manager? On the Accounts tab of a user definition In SAS Environment Manager? On the
Accounts properties of a user definition in the Administration page.
t S
d. Can Marcel modify an existing login? Yes
s
i g h d i
e. Can Marcel add a new login? Yes
e
f. Can Marcel add a new authentication domain? No
y r r
Maintaining Passwords with SAS Enterprise Guide:
r
o p o
a. Connect to SAS Enterprise Guide as Marcel.
f
C t
b. Select Tools  SAS Enterprise Guide Explorer. In SAS Enterprise Guide Explorer, select
o File  Manager Logins.
Nc. Can Marcel modify an existing login? Yes

d. Can Marcel add a new login? Yes
e. Can Marcel add a new authentication domain? No
9. Exploring SAS Enterprise Guide Roles
You can use SAS Environment Manager or SAS Management Console for this exercise.
a. In SAS Environment Manager Administration page, select the Side Menu  Users.
b. Select to bring up a drop-down list on which you can filter. Select Role.
c .
e In
t u t
s t i n .
I n t i o
S
c. Open the properties of the Enterprise Guide: Advanced role by right-clicking on the role and
select Open.
A tri b u
t S s
i g h d i
y r r e
d. Remove PUBLIC as the current member. From the drop-down menu, select Members .
o p f o r
C o t
N
e. Select the Edit button in the upper right toolbar.
Highlight PUBLIC and move the identity to the left by selecting the arrow pointing to the left.
Click OK.
3.5 Solutions 3-75
c .
e In
t u t
f. Click the Save button
s t i .
n
g. Right-click on the Enterprise Guide: Analysis role and select Open.
I n t i o
S
A tri b u
t S s
h. Add Gloria to the Current Members by selecting Members in the drop-down menu.
i g h d i
y r r e
o p f o r
C o t
i. Select the Edit button in the upper right toolbar.
N
j. Enter Gloria in the search field. Highlight Gloria on the left and move her to the right by
selecting the arrow pointing to the right. Click OK.
c .
e In
t u t
k. Click the Save button
s t i .
n
I n t i o
S
A tri b u
t S
l. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
s
i
m. On the status bar, select Functions. Which capabilities does Marcel have?
i g h d
y r r e
o p f o r
C o t
N
n. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
Do the lists match? Yes
3.5 Solutions 3-77
c .
e In
o. Close SAS Enterprise Guide.
t u t
t i .
p. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role and
s n
add PUBLIC back to the Current Members. Save the changes.
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
q. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
N
Members. Save the changes.
a. In SAS Management Console’s User Manager plugin, open the properties of the Enterprise
Guide: Advanced role. Remove PUBLIC as the current member. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current Members
y r r e
list box. Click OK.
o p f o r
C o t
N
c. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
3.5 Solutions 3-79
d. On the status bar at the bottom, select Functions. Which capabilities does Marcel have?
c .
e In
t u t
s t i n .
e. Change the connection to connect as Gloria. On the status bar, select Functions. Compare
I n o
the list of authorized functions to the list of capabilities in the Enterprise Guide: Analysis role.
Do the lists match? Yes
t i
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nf. Close SAS Enterprise Guide.
g. In SAS Management Console’s User Manager plugin, open the properties of the Enterprise
Guide: Advanced role. Add PUBLIC to the Current Members list box. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
h. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
Members list box. Click OK.
s
i g h d i
y r r e
o p f o r
C o t
N
3.5 Solutions 3-81
10. Creating a Dual User

a. Christine needs to connect to the metadata server as an unrestricted user sometimes
and as a regular user other times. In the Administration page in SAS Environment Manager, or
the User Manager plug-in in SAS Management Console, create the following two metadata
identities:
Name: Christine AdminChristine
Display Name: Christine Administrator | Christine
c .
In
Groups and Roles: Data Integrators SAS Administrators
e
Orion Star Users Metadata Server: Unrestricted
Accounts:
t u t
User ID: Internal User ID:
i
AdminChristine@saspw
t .
Windows Server: sasserver\Christine
s n
Password: Student1
Linux Server: Christine
I n t i o
Do not store the password!
S
Authentication
Domain:
A tri b u DefaultAuth
t S s
i g h d i
1) In SAS Environment Manager, go to Administration page  Side Menu  Users.
y r r e
o p f o r
C o t
N
2) Click the Add User/Group/Role button in the upper right toolbar and select New User.
3) Enter Christine in the Name and Display Name fields and click Save.
c .
e In
t u t
s i
4) From the drop-down menu, select Member of.
t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
5) Click the Edit button in the upper right toolbar.
C o t
N 6) Enter Orion in the search field. Highlight Orion Star Users and use the arrow pointing to the
right to move the identity to the Direct member of pane.
Enter Data I in the search field. Highlight Data Integrators and use the arrow pointing to the
right to move the identity to the Direct member of pane.
3.5 Solutions 3-83
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
7) Click OK.
s
i g h d i
8) Click the Save button.
y r r e
o p f o r
t
9) From the drop-down menu, select Accounts.
C o
N
10) Click the Add button in the upper right toolbar.
11) Enter the User ID that is appropriate for the server. Click the Save button.
For Windows Server
sasserver\Christine
c .
e In
u t
For Linux Server
t
t i
Christine
s n .
I n t i o
S
A tri b u
t S s
i g h d i
12) Click Close.
y r r e
o p f o r
13) Click the Add User/Group/Role button in the upper right toolbar and select New
C o t User.
3.5 Solutions 3-85
14) Enter AdminChristine in the Name field and Administrator | Christine in the Display
Name field and click Save.
c .
e In
t u t
s t i n .
15) From the drop-down menu, select Member of.
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
16) Click the Edit button in the upper right toolbar.
N
17) Enter SAS Administrators in the search field. Highlight SAS Administrators and use the
arrow pointing to the right to move the identity to the Direct member of pane.
Enter Metadata in the search field. Highlight Metadata Server: Unrestricted and use the
arrow pointing to the right to move the identity to the Direct member of pane.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
18) Click OK.
d i
19) Click the Save button.
y r r e
o p f o r
t
20) From the drop-down menu, select Accounts.
C o
N
3.5 Solutions 3-87
22) Click the button to the right of Internal Account to create an internal account.
c .
e In
t u t
23) Enter Student1 in the New Password field and again in the Confirm field. Click Save.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 24) Click Close.
1) Right-click User Manager and select New  User.

2) Enter Christine in the Name and Display Name fields.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
3) Click the Accounts tab and click New.
N 4) Enter Christine as the user ID for the LNX server.
3.5 Solutions 3-89
5) Enter sasserver\Christine for the user ID for the WIN server.
c .
e In
t u t
s i
6) Verify that the authentication domain is DefaultAuth. Click OK  OK.
t n .
7) Right-click User Manager and select New  User.
Name field.
I n t i o
8) Enter AdminChristine in the Name field. Enter Administrator | Christine in the Display
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
9) Click the Groups and Roles tab. Hold down the Ctrl key. Select Metadata Server:
Unrestricted and SAS Administrators. Click to move these to the Member of list box.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
10) Click the Accounts tab and click Create Internal Account. This is located at the bottom.
Verify that the internal user ID is AdminChristine@saspw. Enter Student1 in the New
C t
Password and Confirm Password fields. Click OK twice.
N o
3.5 Solutions 3-91
b. Log on to SAS Management Console. Use the external Christine account with the Student1
password. Open a second instance of SAS Management Console and log on. Use the
AdminChristine@saspw account.
How are the two instances of SAS Management Console similar? There are some of the same
plug-ins.
How are they different? There are many more available plug-ins for AdminChristine@saspw.
11. (Optional) Creating a Role
c .
In
Create a role that enables the Data Integrators group to have access to the BI Lineage plug-in
and permission to view scan results. There are three steps:
t e
 Enable role-based access for the BI Lineage plug-in.
 Create the role so that the Data Integrators group can see a limited number of plug-ins
u
t t
in SAS Management Console, including the BI Lineage plug-in.
i .
 Give the group permission to view scan results.
n s o n
a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by default is not under
I i
role management. Select Tools  Plug-in Manager. Enable role-based access for the BI Lineage
S t
plug-in by selecting the box next to the plug-in. Click OK. Click Yes in the pop-up box to save
changes.
u
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
b. In the User Manager plug-in, create the following role:

 Name: BI Lineage Scan
 Description: Members of this role can view scan results.
 Member: Data Integrators
 Capabilities (expand Management Console 9.4  Plug-ins): Data Library Manager, User
Manager and BI Lineage plug-ins, and Folder View
c .
e In
t u t
i
Add Data Integrators to the Current Members list box. Click OK.
s t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
3.5 Solutions 3-93
c .
e In
t u
 Click OK to save new role. t
t i .
c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata permissions.
s n
I n o
1) On the plug-ins tab, select BILineage from the Repository drop-down list.
t i
S
A tri b u
t S s
i g h d i
e
2) Expand the Authorization Manager plug-in. Expand the Access Control Templates folder.
y r r
Open the properties window for the Default ACT.
r
o p f o
C o t
N
3) Click the Permission Pattern tab. Click Add and select the Data Integrators group. When
you add the group, the Authorization Manager automatically grants the group the
ReadMetadata permission.
c .
e In
t u t
s t i n .
I n t i o
S
4) Click OK.
A tri b u
d. Verify that a member of the Data Integrators group can see the BI Lineage plug-in in SAS
t S
Management Console and can view scan results. Log on to SAS Management Console as Kari,
a member of the group.
s
i g h d i
y r r e
o p f o r
C o t
N
3.5 Solutions 3-95

Which users in your environment do you need to register
in the metadata?
a. all users who need access to data
c .
In
b. all users who need access to SAS applications
and metadata
c. all users in LDAP
u t e
d. You do not need to register users in the metadata.
t i t .
I n s i o n
S u t
30
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 4 Securing Metadata
4.1 Reviewing Metadata Security.......................................................................................4-3
Demonstration: Exploring the Repository ACT ................................................................... 4-11
.
Exercises .............................................................................................................................. 4-19
c
4.2 Exploring Metadata Permissions and ACTs ..............................................................4-24
e In
t
Demonstration: Identifying Applicable Permissions ............................................................. 4-34
4.3
t i t u
Exercises .............................................................................................................................. 4-37
.
Customizing SAS Folders ..........................................................................................4-44
I n s i o n
Demonstration: Securing Folders with ACTs ....................................................................... 4-55
S u t
Exercises .............................................................................................................................. 4-62
4.4
A tri b
Solutions .....................................................................................................................4-73
S
Solutions to Exercises .......................................................................................................... 4-73
h t i s
Solutions to Student Activities (Polls/Quizzes) ................................................................... 4-145
r i g r e d
p y o r
C o t f
N o
4-2 Chapter 4 Securing Metadata
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4.1 Reviewing Metadata Security 4-3
4.1 Reviewing Metadata Security
Objectives
 Identify how the metadata authorization layer interacts
.
with other security layers.


Identify where metadata permissions are assigned.
Identify to whom metadata permissions are assigned.
Explore how metadata authorization decisions
In c
are made.
u t e
t i t .
I n s i o n
S u t
3
S A tri b
h t i s
r i g r e d
Metadata Authorization
SAS provides a metadata-based authorization layer that
p y o r
supplements protections from the host environment
and other systems.
C o t f
 In order to access a resource, a user must have
sufficient access in all layers that are relevant.
N o
Database
System
WebDAV Metadata
Operating
System
4
Authorization is the process of determining which users have which permissions for which resources.
Metadata Authorization Layer
c .
e In
t u t
s t i n . Database
WebDAV
System
n
Metadata
o
Operating
I i
System
S u t
Across authorization layers, protections are cumulative. In order to perform a task, a user must have
A tri b
sufficient access in all applicable layers.
S
Some clients enable power users to create and run SAS programs that access data directly, bypassing
controls.
h t
metadata-layer controls. It is essential to manage physical layer access in addition to metadata-layer
i s
r i g r e d
p y Access Management
o r
o
You can use the metadata authorization layer to manage
C t f
access to the following resources:
N o
 The metadata authorization model is object-centric,

6 not identity-centric.
To manage access interactively, use SAS Environment Manager, a web application, or use SAS
Management Console, a desktop application.
To programmatically define or query authorization settings, use either batch tools or DATA step functions.
Metadata Permissions
In the metadata layer, the following permissions are
always enforced:
 ReadMetadata (RM), which controls the ability to see
an object or navigate past a folder
 WriteMetadata (WM), which controls the ability to edit,
delete, rename, or change permissions on an item
c .
e In
t u t
s t i n .
7
I n t i o
S
A tri b u
Other permissions are specialized and affect only certain types of items.
To examine a user’s permissions, do not begin by finding the user definition. Instead, begin by navigating
t S
to the object that you want to examine.
s
g h d i
Three Levels of Granularity
i
y r r e
You can set permissions at the following levels
o p f o r
of granularity:
 Repository-level controls act as a gateway and as
C t
parent-of-last-resort.
N o  Object-level controls manage access to a specific

object.
 Fine-grained controls affect access to subsets
of data within a resource.
Repository-level controls are managed from the permission pattern of the repository ACT (Default ACT).
You can define object-level controls individually (as explicit settings) or in patterns (by applying access
control templates).
To establish fine-grained controls, you add constraints called permission conditions to explicit grants
of the Read or Select permission. Fine-grained controls are supported for only some objects, including
SAS Information Maps, SAS OLAP cubes, and metadata-bound data sets.
Repository ACT
Repository-level controls are managed from the permission
pattern of the repository ACT (Default ACT).
 A user must have
ReadMetadata and
WriteMetadata in the
repository ACT to navigate
and create an object
c .
In
anywhere in the metadata.
u t e
t i t .
9
I n s i o n
t
continued...
S
A tri
Repository ACT b u
t S s
The repository ACT is a template that is designated
i g h d i
to provide repository-level controls.
 Permissions on the repository ACT are applied
y r r e
indirectly to all objects in the metadata.
– If there are no direct settings on the object
o p f o r
or on any of that object’s parents, then the
repository ACT determines the outcome.
C o t – If the repository ACT’s pattern neither grants nor

denies the permissions, then the permission
N is denied.
– If there is no repository ACT, all permissions
are granted.
10
You should always have a designated repository ACT.
Two Relationship Networks

Permission settings are conveyed across two distinct
relationship networks:
 Identity relationships network
 Object inheritance
c .
e In
t u t
s t i n .
11
I n t i o
S
A tri b u
Identity Relationships Network
t S s
In the identity relationships network, permissions that you
i g h d i
assign to one identity can affect many other identities.
y r r e
o p f o r
C o t
N
12
From top to bottom, the elements in the diagram are ordered as follows:
 from highest precedence (hardest to override) to lowest precedence (easiest to override)
 from narrowest impact (most specific) to broadest impact (least specific)
For example, if you grant a group access to a report, that grant applies to everyone who is a member
of the group. This relationship network is governed by a precedence order that starts with the primary
(usually individual) identity, can incorporate multiple levels of nested group memberships, and ends with
implicit memberships in SASUSERS and then PUBLIC.
c .
e In
t u t
i
To avoid introducing unnecessary complexity, do not make PUBLIC or SASUSERS a member of another
t
group. This is not an issue for roles.
s n .
Object InheritanceI n t i o
S
A tri b u
In object inheritance, permissions that you set
t S
on one object can affect many other objects.
Explicit controls and ACTS have priority over settings
s
i g h d i
on the object’s parent (inheritance).
y r r e
o p f o r
C o t
13
N
From top to bottom, the elements in the diagram are ordered as follows:
 from highest precedence (hardest to override) to lowest precedence (easiest to override)
 from narrowest impact (most specific) to broadest impact (least specific)
For example, a report inherits permissions from the folder in which the report is located. This network
is a simple folder tree, with exceptions such as the following:
 The root folder is not the ultimate parent. This folder inherits from the repository (through
the permission pattern of the repository ACT).
 The root folder is not a universal parent. Some system resources (such as application servers, identities,
and ACTs) are not in the folder tree. For these items, the repository ACT is the immediate and only
parent.
 Inheritance within a table or cube follows the data structure. For example, neither table columns nor
cube dimensions have folders as immediate parents. Instead, a column inherits from its parent table
and a dimension inherits from its parent cube.
 Inheritance does not flow through specialty folders such as favorites folders, virtual folders, or search
folders.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
The diagram depicts a separated view of the object inheritance paths. The arrows on the slide flow from
s
i g h
child to parent.
d i
In the metadata layer, parent objects convey their effective permissions to child objects. Children inherit
r r e
the net effect of their parents’ access controls, not the access controls themselves.
y
o p f o r
C o t
N
Below is the integrated view of the object inheritance paths. The arrows in the diagram below flow from
parent to child. For example, a folder conveys its effective permissions to the items that it contains.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exploring the Repository ACT

This demonstration illustrates how to use SAS Environment Manager and SAS Management Console to
view the Repository ACT and identify the security applied to objects coming from the Repository ACT’s
permission pattern.
1. Sign in to SAS Environment Manager as Ahmed with the password Student1, if you are not already
signed in.
2. Click the Administration tab  Side Menu  Folders.
c .
e In
t u t
s t i n .
I n t i o
3. Expand SAS Folders  System  Security Access Control Templates.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4. Right-click Default ACT and select Open. This brings you to the metadata properties.
5. The Basic Properties are displayed. Open the drop-down menu by clicking the down arrow next to
Basic Properties and select ACT: Usage.
c .
e In
t u t
s t i n .
I n t i o
6. The box is checked to signify that this ACT is used for the Repository ACT.
S
A tri b u
t S s
7. From the drop-down menu, select ACT: Pattern.
i g h d i
y r r e
o p f o r
C o t
N
8. The repository ACT is a template that is designated to provide repository-level controls.

 A user must have RM and WM permission in the repository ACT to create an object anywhere
in the metadata. This is SASUSERS.
 Anyone who has a metadata identity is automatically in PUBLIC and also a member of
SASUSERS. (SASUSERS is a subset of PUBLIC.) ReadMetadata and WriteMetadata are denied
for PUBLIC. When you log on to SAS Enterprise Guide with an account that was not associated
with a metadata identity, the person logged on is recognized as belonging to PUBLIC and denied
access to all metadata.
 Permissions on the repository ACT are applied indirectly to all objects in the metadata.
c .
e In
t u t
s t i n .
the page. I n t i o
 You can check the Use abbreviations box to abbreviate the permission in order to see more across
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
9. From the drop-down menu, select ACT: Pattern Summary.
C o t
N
10. This gives a listing view of the pattern.
c .
e In
t u t
s t i n .
permission.
I n t i o
11. A drop-down menu in the upper right enables you to change the summary view to Group by
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
12. Look at the permissions on this object. From the drop-down menu, select Authorization.
c .
e In
t u t
s t i n .
I n t i o
13. The Authorization screen shows the security on this object. Every metadata object will have the
Authorization screen as part of its properties.
S
A tri
applied to the object.
b u
 The hollow square next to the permission represents that the permission is coming from an ACT
t S
 The filled in diamond represents that this is an explicit denial. So PUBLIC has an explicit denial of
WriteMetadata, which means that due to identity hierarchy, SASUSERS also has a denial of
s
g h d i
WriteMetadata on this object. SAS Administrators would have a denial of WriteMetadata as well
if there was not a direct control of a grant, either by an ACT applied to this object or an explicit
i
y
grant.
r r e
o p f o r
C o t
N
14. To find out what ACT is applied to this object, the Default ACT, select Apply ACT from the drop-
down menu.
15. The SAS Administrator Settings is applied to the Default ACT.
c .
e In
t u t
t i .
16. Look at the properties of the repository ACT in SAS Management Console. Log on to SAS
s n
Management Console as Ahmed and Student1, if not already logged on.
I n t i o
SAS Management Console can be used to manage ACTs in the Authorization Manager plug-in.
S u
Click the Plug-ins tab. Expand Authorization Manager  Access Control Templates.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
17. Right-click Default ACT. Notice that the box next to Repository ACT is selected, which signifies
N
that this ACT is used for the Repository ACT.
18. Select Properties.
19. Click the Permission Pattern tab. This is the template of permissions that is automatically applied
to all of the metadata. Highlight PUBLIC. Notice that ReadMetadata and WriteMetadata are denied.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
20. Highlight SASUSERS. Anyone who has a metadata identity is automatically in PUBLIC and also
a member of SASUSERS. SASUSERS is a subset of PUBLIC, but this group has ReadMetadata
and WriteMetadata permissions coming from the repository ACT.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C 
o t The types of permissions and how they are represented in the interfaces are discussed in the
N next section.
21. Click Cancel.
Exercises
1. Exploring Identity Hierarchy and Object Inheritance on a Folder
 You have the option of using the Administration Page of SAS Environment Manager or SAS
Management Console for the exercises in Chapter 4. There are step-by-step instructions.
However, the solutions offer more steps and screen shots.
Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup, with
c .
In
the following comment: Backup Before Adding Security on Chocolate Enterprises
u t e
t i t
.
Manager on the Favorites bar. Sign in to SAS Environment Manager as Ahmed and password
Student1.
I n s i o n
u t
b. Click the Administration tab. The Folders page is the initial view. If you are already on the
S
Administration page and another view, select Side Menu  Folders. Right-click the Chocolate
Enterprises folder and select Open to get to the metadata properties.
S A tri b
c. From the drop-down menu, select Authorization.
h t i s
Can you remove any of the groups listed under Users and Groups? Why or why not?
r i g
button
r e d
Click the square to the left of the identity to highlight the identity. Click the Remove Identities
in the upper right toolbar.
p y r
d. Add the following three group identities: Application Developers, Data Integrators, and
o
C o t f
Report Content Creators.
1) Click the Add button in the upper right toolbar to open the Add Identities Window.
N o 2) You can enter a few letters of the group name and press Enter, or click the Search button
. Highlight the group and move it over to the Identities to Add pane.
3) Do this for all three groups before clicking OK.
4) Save the changes by clicking the Save button in the upper right toolbar.
What permission is automatically granted to an identity when added?
 You can click a permission field and a window will appear displaying the type of
permission and from where it comes.
e. Right-click Data Integrators and select Open. From the drop-down menu, select Member of.
What group is Data Integrators a member of?
f. Right-click Power Users and select Open to go to the properties of this group identity.
g. From the drop-down menu, select Members.
Who are members of the Power Users?
h. Click the Previous Level button in the upper left of the page to go back to the
Authorization properties of Data Integrators and click the Previous Level button again to
go back to the Authorization properties of the Chocolate Enterprises folder.
i. Remove the three group identities (Application Developers, Data Integrators, and Report Content
Creators) from the Authorization properties.
1) Click in the square to the left of the identity to highlight it.
c .
e In
t u t

at once.
s i
You can hold the Ctrl key while selecting all three group identities and delete all three
t n .
I n t i o
2) Click the Remove Identities button in the upper right toolbar.
S
3) Click Yes when prompted in the pop-up window.
A tri b
4) Click the Save button u in the upper right toolbar
t S
5) Repeat for the other two group identities.
s
j.
i g h d i
Add Power Users to the Authorization of the Chocolate Enterprises folder.
y r r e
2) Type Power in Available identities and press Enter. Move Power Users over to Identities to
o p f r
Add pane. Click OK.
o
3) Click the Save button in the upper right toolbar.
C o t
k. The ReadMetadata permission is automatically granted. You need to give grants for the
N WriteMemberMetadata, CheckInMetadata, and Read permissions.

1) Click within the permission field and select Grant from the list. Do the same for the other
two permissions.
2) Save your changes.

l. Use the Permissions Inspector to look up the effective permissions for any identity. The
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting, in this case the Chocolate Enterprises
folder.
m. Enter Kari in the field and select Kari from the drop-down list.
Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She is a
member of the Data Integrators group, which is a member of the Power Users group. The same
permissions are applied indirectly for Kari through her identity hierarchy.
n. Click Close to exit the Permissions Inspector and return to the folder tree by clicking the arrow
next to Chocolate Enterprises in the upper left of the page.
o. Go to the Authorization page of the Data folder under the Chocolate Enterprises folder.
 You might need to refresh the view or close out completely of the Administration page
to see the permission changes that you made in previous steps.
Right-click Data and select Open. From the drop-down menu select Authorization.
p. Highlight Power Users.
Where do these permissions come from?
 There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a folder
becomes an inherited grant (or deny) of WM on the objects in that folder. This is further
c .
discussed in Section 4.2.
e
q. Can you remove the Power Users group from the Authorization page of the Data folder? In
Why not?
t u t
t i
r. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
.
Enterprises folder, select Deny for WriteMetadata (notice that WriteMemberMetadata switches
s n
automatically to indirect deny) and then select Grant for WriteMemberMetadata. Be sure to save
your changes.
I n t i o
S
A tri b u
a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate
t S
Enterprises and select Properties.)
s
i g h d i
b. Add the following three groups to the Authorization tab: Application Developers, Data
y r e
Integrators, and Report Content Creators.
r
o p

f o r You can hold down the Ctrl key and highlight all three at once, and then select the single
arrow to move them over to the Selected Identities list.
C o t
c. Highlight Data Integrators and select Properties. This accesses the properties of the Data
N Integrators group, but as Read-only.

d. Click the Groups and Roles tab.
e. Highlight Power Users and select Properties.
f. Click Cancel and then Close to return to the Chocolate Enterprises folder Properties.
g. Remove the three groups (Application Developers, Data Integrators, and Report Content Creators)
from the Users and Groups window.
h. Add Power Users to the Authorization tab.
i. The ReadMetadata permission is automatically granted and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You need to
stay on the Authorization tab to get to the Advanced button referenced in j.
j. Click the Advanced button.
k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member of
the Data Integrators group, which is a member of the Power Users group. The same permissions
are applied indirectly for Kari through her identity hierarchy.
l. Click OK twice to return to the Chocolate Enterprises folder.
m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.
n. Highlight Power Users.
c .
In
o. Can you remove the Power Users group from the Authorization tab of the Data folder?
Why not?

t e
There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a folder
u
i t
t .
I s i o n
p. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
n
automatically to indirect deny) and then select Grant for WriteMemberMetadata.
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o

What would happen if you remove the repository ACT?
a. All permissions are denied.
b. Nothing, permissions will come from somewhere else.
c. All permissions are granted.
d. Permissions come from the SAS Folders authorization
tab.
c .
e In
t u t
s t i n .
17
I n t i o
S
A tri
Setup for the Poll b u
t S s
Given the Authorization tab for the Marketing Department
g h d i
folder, which identities are on the Authorization tab of any
item stored directly under that folder?
i
y r r e
o p f o r
C o t
N
19

a. only the identities that need access to the item
b. only the identities added on the specific item
c. only the identities from the Marketing Department
c .
In
Authorization tab
d. the identities from the Marketing Department folder
t e
and any added on that specific item
u
t i t .
20
I n s i o n
t
.
4.2 Exploring Metadata

A S Permissions
i b u and
ACTs
t S s t r
i g h d i
y rObjectives
r e
o p 

f o r
Identify how metadata permissions are assigned.
Define ACTs and how they are used.
C o

t Explore the use and enforcement of the different
metadata permissions.
N  Review the metadata authorization layer.
23
4.2 Exploring Metadata Permissions and ACTs 4-25
How Are Permissions Set?

The check box color on the Authorization tab on the
properties of a metadata object in SAS Management
Console indicates how the permission was assigned.
c .
Direct control: explicit
(WHITE)
Control set directly on the target object
e
and assigned directly to identity In
Direct control: ACT
(GREEN)
t u t
Control set directly on the target object
and assigned directly to identity
Indirect setting
(GRAY)
s t i Comes from someone else (a group that
.
has an explicit or ACT setting)
n
or from somewhere else (a parent object,
24
I n t i o
repository ACT)
S
A tri b u
The Search tab in SAS Management Console returns results based on the individual user’s permissions
on individual objects and ignores the permissions on the folder navigation to the object. In other words,
if the user is denied RM on the metadata folder path to the object but granted RM on the object,
t S
the Search tab returns the object even though the user cannot access it through the metadata folders.
s
i g h d i
How Are Permissions Set?
y r r e
o p o r
The shape on the Authorization properties of a
metadata object in SAS Environment Manager
f
indicates how the permission was assigned.
C o t
Direct control: ACT Direct control: explicit
N Indirect Setting
(no shape)
25
Icon Meaning
Deny from an explicit control
Deny from an applied ACT
Deny from an indirect source (such as a parent group or parent object)
Grant from an explicit control

c .
Grant from an applied ACT
e In
t u t
Grant from an indirect source (such as a parent group or parent object)
ACTs s t i n .
I n t i o
Each ACT consists of a pattern of grants and denials that
S
A tri b u
are assigned to different users and groups.
 In SAS Management Console, ACTs are created and
t S
managed using the Authorization Manager plug-in.
s
i g h d i
y r r e
o p f o r
C o

t In SAS Environment Manager, ACTs are created and

managed from the Folders module on the
Administration page: SAS Folders  System 
26
N Security  Access Control Templates.
Do not confuse an ACT’s Authorization tab with its Permission Pattern tab in SAS Management
Console. Authorization tabs control who can modify the item in question. The Authorization tab
on an ACT controls who can modify the ACT, including the permission pattern.
4.03 Quiz
 Sign in to SAS Environment Manager.
 Go to Administration Page  Side Menu  Folders.
 Expand System Folder  Security Folder 
Access Control Templates Folder.
What are the predefined ACTs in the environment?

c .
 Right-click and select Open on Rigel Analysts ACT.
e In

t u t
From the drop-down menu, select Apply ACT.
s i
What ACTs are applied to this ACT?
t n .
27
I n t i o
Default ACT
S
A tri b u
Acts as the repository ACT initially. This ACT provides registered users
RM and WM permission at the repository level.
t S s Applied automatically to each user’s personal folder in conjunction with

Private User Folder
ACT
i g h d i explicit settings to grant the user RM, WMM, CM, and R permission.
r
SAS Administrator
y r e Used to grant the SAS Administrators group and SAS System Services
Settings ACT
o p f o r group access to metadata.

If you have SAS Information Delivery Portal at your site, you will have the Portal ACT. You might need
C 
o t
to alter the membership of the Portal ACT.
The permission patterns of these predefined ACTs should not be modified.

N If you need to modify the repository ACT, a best practice is to not change the current repository
ACT. Create a new ACT with the settings that you want, and designate it as the repository ACT.
This enables you to revert to the previous repository ACT, if needed.
Applying an ACT
When you apply an ACT to an object, the ACT settings
are added to the object’s protections.
c .
e In
t u t
s t i n .
29
I n t i o
S
A tri b u
Metadata Permissions (Review)
t S s
The permissions list on each Authorization tab includes
i g h d i
at least two permissions:
y r r e
ReadMetadata (RM) Controls the ability to view an
item or navigate past a folder
o p o r
WriteMetadata (WM) Controls the ability to edit,
f delete, rename, or changes
C o t permissions on an item
Other permissions are specialized and affect only
N certain types of items.
30
Only permissions relevant to the item are displayed on the Authorization tab.
WriteMemberMetadata Permission
The WriteMemberMetadata (WMM) permission affects
only metadata folders.
WriteMemberMetadata Provides control for adding

(WMM) and removing objects from
a folder.
c .
A grant (or deny) of WMM on a folder becomes an
inherited grant (or deny) of WM on the objects in that
e In
t u t
folder. WMM is not inherited from one folder to another.
s t i n .
31
I n t i o

 S
A tri b u
Anyone who has a grant of WM on a folder should not be denied WMM on that same folder.
If WMM is not set directly on a folder, the WMM setting mirrors the WM setting. WMM is never
t S
inherited from a parent object.
s
i g h d i
CheckInMetadata Permission
y r r e
r
Change management is a SAS Data Integration Studio
o p o
feature.
f
C o t
CheckInMetadata (CM) Check in and check out items
in a change-managed area.
N In any change-managed areas of a foundation repository,

change-managed users should have CM instead of WM
and WMM.
32
Administer Permission
Administer (A) Monitor an OLAP server; stop, pause,
resume, refresh, or quiesce a server
or spawner.
For the metadata server, the ability to stop, pause,

resume, and quiesce is managed by the Metadata Server:
c .
In
Operation role, not by the Administer permission.
u t e
t i t .
33
I n s i o n
S
New permissions in SAS 9.4M2:
u t
A tri b
Implicit capabilities enable a member of the MetadataServer: User Administration role to manage
S
the membership of groups and roles and the accounts of users and groups. These tasks can now
h t
be delegated to additional users:
i s
 ManageMemberMetadata (MMM): Alter the membership of a group or role. This permission applies
r g e d
only to groups and roles. Any user or group that is granted this permission will have the ability
i
to change membership of the group or role to which it is applied. Granting the WriteMetadata
r
p y
permission indirectly grants the ManageMemberMetadata permission. This permission can also be
r
explicitly granted independent of the WriteMetadata permission.
o
C o t f
 ManageCredentialsMetadata (MCM): Alter the account information for a user or group. This
permission applies only to users and groups. Any user or group that is granted this permission will have
o
the ability to administer the logon information for the user or groups to which it is applied. Granting the
WriteMetadata permission can also be explicitly granted independent of the WriteMetadata permission.
Data Permissions
Read (R) Read data via certain objects, for
example: cubes, information maps,
LASR tables, or data accessed via the
metadata LIBNAME engine (MLE).
Create (C) Add data via metadata LIBNAME
engine.
c .
Write (W) Update data via certain objects: data
accessed via publishing channels
e In
Delete (D)
t t
or the metadata LIBNAME engine.
u
Delete data via metadata LIBNAME
t
engine.
s i n .
34
I n t i o
S
A tri b u
Some clients such as SAS Data Integration Studio and SAS Enterprise Guide enable users to
create and run SAS programs that access data directly, and bypass metadata layer controls. Using
t S
metadata-bound libraries will disable these users by passing metadata library controls.
s
i g h d i
Data Permissions for Metadata-Bound Libraries
permissions:
y r e
For secured library objects and secured table objects, SAS enforces the following special metadata-layer
r
p
Select (S)
o f o r Read rows within a physical table.
C Delete (D)
o t Delete rows in a physical table.
N
Insert (I)
Update (U)
Add rows to a physical table.
Update rows in a physical table.
Create Table (CT) Create new physical table.
Drop Table (DT) Delete a physical table.
Alter Table (AT) Replace a physical table.
Relative Precedence of Access Controls
c .
e In
t u t
s t i n .
35
I n t i o
S u
Explicit and ACT settings on an object always have priority over settings on the object’s parent.
A tri b
t S
Authorization Decision Flowchart
s
i g h d i
y r r e
o p f o r
C o t
N
36
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
r r e
Permission conditions constrain explicit grants of the Read permission on OLAP dimensions (limiting
y
p o r
access to members) or information maps (limiting access to rows). On the Authorization tab, the presence
of an Edit Condition or Edit Authorization button indicates that a permission condition is assigned
o f
to the currently selected user or group.
C o t
N
Identifying Applicable Permissions

This demonstration illustrates how to use SAS Management Console to identity the applicable
permissions for an item.
1. In SAS Management Console, on the Plug-ins tab, expand Server Manager.
2. Right-click SASApp and select Properties.
c .
e In
t u t
s t i n .
I n t i o
S u
3. Click the Authorization tab. Only the RM, WM, CM, and A permissions are listed.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
4. Click Cancel.
5. Click the Folders tab.
6. Expand System and select Types.
c .
e In
t u t
s t i n .
I n i o
7. Right-click Application server and select Properties.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
8. Click the Advanced tab. The ApplicablePermissions property identifies the permissions that
are applicable to this type of item.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
9. Click Cancel.
d i
y r r e
o p f o r
C o t
N
Exercises
2. Assigning WriteMetadata and WriteMemberMetadata Permissions
Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of Before
adding parent and child folders.
c .
a. On the Administration page, select Side Menu  Folders.
e In
and click OK.
t u t
b. Right-click Chocolate Enterprises folder and select New Folder. Name the new folder Parent
s t i
c. Right-click the Parent folder and select Open.
n .
d. From the drop-down menu, select Authorization.
I n t i o
e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
S
A tri b u
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?
f. Click in the WriteMemberMetadata field for PUBLIC and select Show Origins.
t S s
i g h d i
y r r e
o p f o r
C o t
g. Change the explicit grant of WriteMetadata for PUBLIC back to ‘no explicit control’ by clicking
N the WriteMetadata field and selecting the option. How does this affect WMM permission for
PUBLIC?
h. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission for
PUBLIC?
i. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
for PUBLIC?
j. Add Alex to the Authorization for the Parent folder with an explicit denial of WM permission and
an explicit grant of WMM permission.

2) Type Alex in the Available Identities and press Enter. Move Alex to Identities to Add pane.
Click OK.
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.
4) Click the Save button to save the changes.

5) Click Close.
k. Right-click the Parent folder and select New Folder. Name the new folder Child and click OK.
l. Right-click the Child folder and select Open.
m. From the drop-down menu, select Authorization.
c
n. On the Authorization page of the Child folder, what are the settings for WM permission and .
WMM permission for Alex?
e
o. Do not log off from SAS Environment Manager. In
u t
p. Log on to SAS Management Console as Alex using the password Student1. (You cannot do steps
t
t i
q-s in SAS Environment Manager because Alex is not a member of any role in SAS Environment
.
Manager and thus cannot authenticate to the Environment Manager Server.)

s n
I n
You can open another SAS Management Console session by selecting Start 
t i o
SAS Management Console. Or you can disconnect as Ahmed in the current session
by selecting File  Connection Profile and reconnecting as Alex.
S
A tri
q. Right-click My Folder.
b u
t S
Are the following actions available or dimmed: New Folder, New Stored Process, Rename,
and Delete?
s
i g h d i
r. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
New Folder, New Stored Process, Rename, or Delete?
y r r e
s. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
o p f o r
Stored Process, Rename, or Delete?
t. In SAS Environment Manager, delete the Parent folder. However, you must first delete the Child
C o t
folder.
1) Right-click the Child folder and select Delete.
N 2) Click Yes to confirm the delete request.

3) Right-click the Parent folder and select Delete.
4) Click Yes to confirm the delete request.
a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create
a new folder named Parent.
b. Right-click the Parent folder. Select Properties and click the Authorization tab. Select PUBLIC
and add an explicit grant of WM permission. How does this affect WMM permission for
PUBLIC?
c. Select the grant WriteMetadata box for PUBLIC again to clear the explicit setting. How does
this affect WMM permission for PUBLIC?
d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission
for PUBLIC?
e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
for PUBLIC?
f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
and an explicit grant of WMM permission.
g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
and WMM permissions?
c .
i. Log on to SAS Management Console as Alex using the password Student1.
e In

u t
You can open another SAS Management Console session by selecting Start 
t
s i
t n .
j. Right-click My Folder. Are the following actions available or dimmed: New Folder, New Stored
I n
Process, Rename, and Delete?
t i o
k. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
S
A tri b u
New Folder, New Stored Process, Rename, and Delete?
l. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
t S
Stored Process, Rename, and Delete?
s
m. Delete the Parent folder. You will need to log on as Ahmed to delete the Parent folder, since Alex
i g h d i
does not have the authorization to do so.
y r e
3. Adjusting Conflicting Permission Settings
r
You can use SAS Environment Manager or SAS Management Console to do the exercise. Refer to the
o p f o r
solutions for step-by-step instructions.
a. Create a new metadata group named Group A. Assign Harvey as a member.
C t
b. Create a new metadata group named Group B. Assign Harvey as a member.
o
Nc. Create an ACT named Allow Group A, which grants an RM permission to Group A.
d. Apply the Allow Group A ACT to the Shared Data folder (on the Authorization tab in SAS
Management Console, or the Apply ACT property in SAS Environment Manager).
e. Add Group B to the Authorization of the Shared Data folder and deny RM permission.
f. What is the effective permission for Harvey on the Shared Data folder?
 Use the Permissions Inspector in SAS Environment Manager.
 Use the Advanced option on the Authorization tab in SAS Management Console.

What is the effect of explicitly denying PUBLIC RM?
a. Only PUBLIC is affected and the settings for the other
users and groups remain unchanged.
b. Only PUBLIC and SASUSERS are affected
and the settings for the other users and groups
remain unchanged.
c .
In
c. PUBLIC is denied RM, which overrides all explicit,
ACT, and indirect settings for the other users
and groups.
u t e
d. PUBLIC is denied RM, which overrides all indirect
t t
settings for the other users and groups but does
i .
not override explicit or ACT settings for other users
40
and groups.
I n s i o n
S u t
A tri b
S
h t i s
If an ACT includes settings for Ellen and you apply
the ACT to an object that already lists Ellen on the
r g
permissions?
r e d
Authorization of an object, what happens to Ellen’s
i
p y o r
a. The settings from the ACT take precedence.
b. The settings from the ACT are ignored.
C o t f
c. Explicit settings are not affected and indirect settings
are changed to ACT settings.
N o d. The settings from the groups in her identity hierarchy

take precedence.
42
Setup for the Poll

Given only the following settings on the Authorization
of an object and Eric’s identity hierarchy:
User or Group Permission Setting
HR Explicit grant RM
Report Creator
SASUSERS
ACT deny RM
Indirect grant RM
c .
PUBLIC Indirect deny RM
e In
u t
 There are no other groups listed
on the Authorization properties.
t
s t i n .
44
I n t i o
S
A tri b
4.06 Multiple Choice Poll u
t S
What is Eric’s effective permission?
s
g h d i
a. Grant RM because explicit settings take precedence
i
y r
over ACTs
r e
b. Deny RM because ACT settings take precedence
o p f o r
over explicit settings
c. Deny RM because when there is a conflict
t
at the same level of an identity hierarchy,
C o
the outcome is a denial
d. Grant RM because when there is a conflict
N at the same level of an identity hierarchy,

the outcome is a grant
45
Setup for the Poll

HR ACT grant RM
Report Creator
SASUSERS
ACT deny RM
Indirect grant RM
c .
e In
u t
t
s t i n .
47
I n t i o
S
A tri b
t S
s
g h d i
a. Grant RM because grants take precedence
i
y r r e
over denials
b. Deny RM because denial settings take precedence
o p f o r
over grants
t
at the same level of an identity hierarchy and both
C o
permissions are ACTs (or both are explicit),
N d. Grant RM because when there is a conflict

48
Setup for the Poll

Finance Explicit grant RM
Report Creator
SASUSERS
ACT deny RM
Indirect grant RM
c .
e In
u t
t
s t i n .
50
I n t i o
S
A tri b
t S
s
g h d i
a. Grant RM because explicit grants always take
i
y r r e
precedence over denials
b. Deny RM because the denial setting is coming from
o p f o r
a direct group and take precedence over grants from
an indirect group
t
c. Deny RM because grants coming from an ACT always
C o
take precedence
d. Grant RM because the HR group inherits the Explicit
N grant of RM from the Finance Group
51
4.3 Customizing SAS Folders
Objectives
 Understand the SAS Folders structure.


Explore custom SAS Folders.
Review user and group identities.
c .
In
 Continue with exercise scenario.
 Promote content in metadata.
u t e
t i t .
I n s i o n
S u t
54
S A tri b
h t i s
r i g r e d
Creating Custom Folders
Administrators can use the folder view to do the following:
p y r
 set up a custom folder structure for users
o
o f
 import and export metadata and associated files
C o t
 set permissions on folders and their content
N  SAS Folders inherit security permissions from parent

folders if no object-level controls are applied.
55
SAS Folders are used to organize and secure SAS metadata.

SAS Folders exist only in SAS metadata. There is no corresponding representation, such
as a directory/folder structure in the operating system.
4.3 Customizing SAS Folders 4-45

Guidelines for setting up the SAS Folders structure:
 Keep the folder structure as simple as possible.
 Develop a folder structure that reflects the
organization of your work.
.
 Develop a folder structure that reflects the access
c
rules that you want to enforce.
Example: Business Unit Separation
e In
t
PUBLIC
SASUSERS
u
SAS Administrators
i t
SAS System Services
t .
Marketing Sales
56
I n s i o n
t
continued...
S
A tri b u
Your folder structure could reflect the following:
 your company’s internal organization. For example, each division or department could have its own
t S
high-level folder.
 types of business activities. For example, you could have separate folders for human resources,
s
g h d i
sales, research and development, and marketing.
 geography. For example, each country, sales region, or regional office could have its own folder.
i
r r e
 categories of products. For example, each product line or product group could have its own folder.
y
p o r
 time periods. For example, you could have a folder for each year, quarter, or month.
 categories of users. Generally, this type of folder structure is necessary only in large organizations that
o f
have a clear separation of responsibilities (for example, separate teams for data preparation, map
C t
creation, and report creation).
o
 change-control status. If you have just one deployment of the SAS Intelligence Platform (instead
N
of separate deployments for development, test, and production), then you might want to use folders
to separate production-status content from content that is in the development or testing stage.
To do so, you can set up separate sets of folders for development, test, and production. Then you can
use the promotion tools to move content from development to test and from test to production.
 Do not set up folders based on SAS client applications. It is not necessary or desirable to organize
objects based on which SAS client applications were used to create them. Organizing folders
on this basis can complicate administration tasks such as the assignment of permissions.
 Do not set up folders based on object types unless it is necessary for access control. Organizing
folders based on object types can complicate administration tasks such as the assignment
of permissions. As a general rule, you should avoid setting up folders on this basis.

Example: Regional Separation, Designated
Content Creators
c .
Example: Functional Separation
e In
t u t
s t i n .
57
I n t i o
S
A tri b u
Folders enable you to easily restrict access to content. For example:
 If you want to prevent departments from accessing each other’s content, then you can create
t S
a high-level folder for each department and apply different permissions to each of the folders.
 If you want to restrict access to sensitive content (for example, content related to a sensitive product
s
g h d i
line or a business activity such as human resources), then you can create a separate folder for that
content and apply a restrictive access control template (ACT).
i
y r r e
 If your organization requires a clear separation of content among different categories of SAS users,
then you can create separate folders for each group. Generally, this type of folder structure is necessary
o p f o r
only in large organizations that have separate teams of SAS users with different job responsibilities.
For example, suppose you have one group of users that works on data preparation tasks (such
C t
as creating libraries, tables, and cubes) and another group creates information maps, stored processes,
and reports). To ensure that the groups do not interfere with one another’s work, you can create
o
a separate folder for each group and apply different permissions to each of the folders.
 N If you have separate environments for development, test, and, production, then use the same
folder structure across environments. Using a uniform folder structure will make it easier to
promote objects from one environment to another.
Metadata Users and Groups

PUBLIC
Initial users
SASUSERS
SAS Administrator
sasadm@saspw
SAS Environment
c .
In
Manager Service
Account
SAS Trusted User
e
sasev@saspw
sastrust@saspw
t u t SAS Demo User
s t i .
external account
n
58
I n t i o ...
S
A tri b u
SAS Trusted User: This is a privileged service account that can act on behalf of other users on a
connection to the metadata server. No user should log on directly as a trusted user, except to perform
S
certain administrative tasks associated with the SAS Information Delivery Portal.
h t
SAS Administrator: In default installations, it is an internal user account that is known only to SAS
i s
and that is authenticated internally in metadata. When internal authentication is used, it is not necessary
r g e d
for this user to have a local or network account. The SAS Administrator user account has privileges that
i
are associated with the Metadata Server: Unrestricted role. In addition, the SAS Administrator account
r
y
is initially a member of the SAS Administrators group.
o p f o r
SAS Environment Manager Service Account: Effective with the first maintenance release for SAS 9.4,
the SAS Environment Manager Service Account is required for communications between the SAS
C t
Environment Manager agent and the SAS Environment Manager server. The account also enables
o
SAS Environment Manager plug-ins to access the SAS Metadata Server.
N
This account is an internal user account that is known only to SAS and that is authenticated internally
in metadata. The account has privileges that are associated with the Metadata Server: Unrestricted role
and is initially a member of the SAS Administrators group and the SAS Environment Manager Guests
group.
Optional Accounts
SAS Demo User: Serves as a generic end user when you are testing any of the SAS client applications.
The default user ID is sasdemo, and the user’s account is defined in metadata and in the operating system
of the metadata server machine and the workspace server machine.
SAS Anonymous Web User: Is used to grant clients access to applicable SAS Web Infrastructure
Platform components. When web clients request access to web services, they are not prompted for
credentials but instead are granted access under this user account. In default installations, this user
is an internal user.

PUBLIC Initial
Initial users
groups
SASUSERS
SAS Administrator
sasadm@saspw
SAS
SAS Environment
Manager Service Account System
.
sasev@saspw SAS
Services
Administrators
c
SAS Trusted User
sastrust@saspw SAS Trusted User
In
SAS EV App
SAS Administrator
Server Tier Users
SAS EV Service
SAS EV Service
Account
e
Account
t
SAS EV Super Users
SAS General
u
SAS Administrator
Servers
t i tSAS EV Guests
.
SAS Administrator
sassrv and pw
SAS Trusted User
59
I n s i o n
t
...
S
A tri b u
SAS Administrators: a standard group for metadata administrators. By default, this group is granted
broad access to the metadata and has all roles other than the Metadata Server: Unrestricted role.
t S
SAS System Services: a standard group for service identities that need to read server definitions or other
system resources.
s
i g h d i
SAS General Servers: a standard group whose members can be used for launching stored process servers
and pooled workspace servers.
y r r e
SAS Environment Manager User groups: standard groups for SAS Environment Manager users. These
p o r
groups are new with the first maintenance releases for SAS 9.4. The groups include SAS Environment
Manager Guests, SAS Environment Manager App Server Tier Users, and SAS Environment Manager
o f
Super Users. Users that are members of these groups are mapped to user definitions in SAS Environment
C t
Manager with corresponding SAS Environment Manager roles. For more information, see “Controlling
o
Access to SAS Environment Manager” in SAS® Environment Manager: User’s Guide.
N
There might be other initial groups depending on your SAS software and solutions.

PUBLIC Initial
Initial users
groups
SASUSERS
SAS Administrator SAS
sasadm@saspw Administrators
SAS System
SAS Environment Manager SAS Administrator
Services
Service Account
SAS EV Service
sasev@saspw
SAS Trusted User Account
.
SAS Trusted User SAS General
sastrust@saspw Servers
c
sassrv and pw
SAS EV App
In
Server Tier Users SAS Trusted User
SAS EV Super Users
Data Integrators
SAS EV Service
SAS Administrator Account
Report Content
e
Application
Creators
t
Developers
t i u
SAS EV Guests
t
SAS Administrator
.
Analysts
Orion Star
Users
Marketing
Sales
…
60
I n s i o n
Managers
custom groups
S u t
A tri
Custom Groups
S b
t s
Custom groups can be based on the following:
h i
d
Organization Marketing, Acquisitions, Shipping, Finance
r i g
Function
r e Power users, ETL developers, data modelers,
y
report creators, analysts, information
o p f o r
Data Access
consumers
Oracle group - group with shared credentials
to access third-party database
C o t
Special Projects ProjectA, ProjectB - members are across
organizations
N Executive
Oversight
Group that needs limited or complete access
across all groups
61
 Groups can be synchronized with groups from your authentication provider, such as LDAP.
Baseline ACTs
Most of the metadata that needs to be secured is stored
in folders and inherits permissions from folders. One
approach to securing folders is to create and apply some
general-use ACTs.
The ACTs can be applied to folders in combination with
 explicit permissions granting access back to particular
groups
c .
 additional ACTs that grant access back to particular
groups.
e In
t u t
s t i n .
62
I n t i o
S
A tri
Baseline ACTs b u
t S s
The Hide ACT prevents visibility for users who are
g h d i
not in the SAS Administrators group and gives SAS
administrators and service identities exclusive Read
i
y r e
access to metadata.
r
o p PUBLIC
f o r RM WM WMM CM

A R W C D
t

C
SAS Administrators
N o SAS System Services 
63
Baseline ACTs
The Protect ACT prevents updates, deletions,
and contributions by users who are not in the SAS
Administrators group and gives SAS administrators
exclusive Write access to metadata.
.
RM WM WMM CM A R W C D
PUBLIC
SAS Administrators *










In c
u t e
t i t .
64
I n s i o n
S u t
These grants ensure that administrators can manage all metadata. If you need to separate administration
A tri b
privileges, this approach is not granular enough. If you do not want the SAS Administrators group to have
universal access, consider creating parallel sets of baseline ACTs. For example, to separate administration
S
for an East region and a West region, you might create ACTs such as Hide_East, Hide_West. In each
h t i s
baseline ACT pattern, you would replace the SAS Administrators group with a narrower administrative
group (for example, East_Admins, West_Admins). The denials to PUBLIC and grants to the SAS System
i g d
Services group would not change. Any unrestricted users can still access everything.
r r e
p y r
Project Folders
o
C o t f
If you choose to create project folders, you need
N oto decide the following:

 who should be able to create and modify the project
folders themselves
 who should be able to create and modify content
within the folders
65
Securing Project Folders

You can enable all members of the organizational group
to access the project folders and create and modify
the content within those folders.
c .
e In
t u t
s t i n .
66
I n t i o
S
A tri b u
Securing Organizational Folders
t S s
If you have a central group that creates all content,
i g h d i
you could secure the organizational folders as follows:
y r r e
o p f o r
C o t
N Power Users: + RM, +R, +WMM
Power Users: + RM, +R, +WMM
67
Securing Functional Folders

If your organization includes custom groups that represent
users who perform similar job functions, you can create
and secure subfolders as follows:
c .
e
Power Users: + RM, +R
In
t u t (Member of Power Users)
s t i n .
(Member of Power Users)
(Member of Power Users)
68
I n t i o (Member of Power Users)
S
A tri b
Securing Functional Folders u
t S s
The exercise scenario follows this security model.
i g h d i
y r r e Orion Star Users: +RM
Power Users: + RM, +R
o p f o r Hide
Power Users: +RM, +R, +WMM
C o t Orion Star Users: +RM
(Members of PowerUsers)
N

(Members of Power Users)

69
Administration Scenario
The Finance and Shipping Departments of the Orion Star
Company need to be set up in the existing SAS
environment. You, as the SAS administrator, need
 create metadata identities
 set up SAS folder structure
c .
In
 add existing content such as stored processes
 secure the new folders
t e
 verify users have sufficient access
 add data sources and verify access
u
t i t .
70
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Securing Folders with ACTs

This demonstration illustrates the application of ACTs to folders. General use ACTs are applied to folders
in conjunction with additional ACTs that grant access back to groups.
1. In SAS Environment Manager, click the Administration tab  select Side Menu  Users.
c .
e In
t u t
s t i .
2. Type Rigel into the name field to see the list of identities that begin with Rigel. These are groups
n
I n
within Rigel Company that are based on job functionality.
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C t
3. There is also a folder in metadata for the company. Select Side Menu  Folders.
o
N
4. Expand Rigel folder. This is specific to a data management environment, using data management
applications such as Data Integration Studio.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
5. Right-click Rigel folder and select Open to view the authorization settings.
s
i g h d i
y r r e
o p o r
6. From the drop-down menu, select Authorization.
f
C o t
N
7. Two Rigel group identities are on the Authorization of this folder. Can they be removed? Click in the
square to the left of the identity and click the Remove Identities button.
c .
The hollow square next to the permission signifies that this is a direct control coming from an ACT (it
would be a solid diamond if it were coming from an explicit direct control, meaning that the identity
e In
u t
was added to the authorization of this object). An ACT that has these group identities addressed in its
permission pattern is applied to the object.
t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o
Show Origins.r
8. Click in the Rigel DI Developers ReadMetadata field. In the drop-down list there is an option to
C o t
N
9. The name of the ACT is listed.
10. From the drop-down menu, select Apply ACT.
c .
e In
t u t
11. Four ACTs are applied to this folder.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
12. Right-click Rigel PUBLIC and SASUSERS Denied ACT and select Open to look at the properties
of the ACT.
13. From the drop-down men, select ACT: Pattern.
c .
e In
t u t
s t i n .
14. This is like the HIDE ACT and PROTECT ACT all in one, a general use ACT that is denying access
I n t i o
to implicit groups. With this ACT alone, no one but unrestricted users would be able to access this
folder. Administrators and System Services will need to be granted access back as well as any group
S u
identities that need access to this Rigel folder.
A tri b
t S s
i g h d i
y r r e
15. Go back and look at the other ACTs applied. As you open object definitions in the modules, the object
o p f r
counter icon in the toolbar keeps track of the definitions that are open and provides easy access to an
o
open definition. The counter on the icon indicates the number of object definitions that are open.
Click the icon to display a menu of all open definitions. Select an item in the menu to go to that
C t
definition.
o
N An asterisk beside an entry in the menu indicates that the definition has been changed but not
yet saved.
16. Select Rigel folder from the list. You are back to the Apply ACT properties. The SAS
Administrator Settings ACT is in use, which will grant the necessary access back to SAS
Administrators and System Services Group.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
17. Look at the Rigel DI Developers ACT. Instead of opening up the properties of the ACT, you go to
s
return to Folders.
i g d i
the folder where ACTs can be viewed. Click the arrow to the left of the Rigel folder at the top to
h
y r r e
p o r
18. Navigate to System  Security  Access Control Templates.
o f
C o t
N
19. Right-click Rigel DI Developers ACT and select Open.
20. From the drop-down menu, select ACT: Pattern.
c .
e In
t u t
s t i n .
I n t i o
21. The Rigel DI Developers ACT includes only the Rigel DI Developers group. This ACT is also
applied to the Rigel folder to grant access back to this group. This is an example of creating ACTs
S
A tri b u
that will include groups to grant access back, instead of adding the group identity directly to the
authorization settings of the folder.
t S s
i g h d i
y r r e
o p f o r
C t
Security Best Practices regarding ACTs:
o
1) Add only groups to ACT patterns.
N 2) ACTs with explicit groups (not PUBLIC or SASUSERS) are to grant access, never deny.
3) Deny access on ACTS patterns only for implicit groups (PUBLIC or SASUSERS).
4) Apply the SAS Administrator Settings ACT when SASUSERS/PUBLIC have been denied
access.
5) Design and document first and implement early!
22. Click Close in the upper right toolbar.
Exercises
Exercise scenario: The Finance and Shipping Departments of the Orion Star Company need
to be set up in the existing SAS environment.
 Metadata identities were added in the previous chapter with the import macros.
 Exercise 4: Custom folders will be created under the Orion Star folder representing the departments.
 Exercise 5 and 6: Content will be imported into the new folders.
 Exercise 7: Group identities will be added to the appropriate folders with explicit grants.
c .
 Exercise 8: A baseline ACT will be created and applied to the folders.
e In
t
Use the Metadata Manager Plug-in in SAS Management Console to run an ad hoc backup of metadata,
with the comment Backup before adding folder content and security on Orion Star.
t u
4. Creating Custom Folders
s t i n .
You can use SAS Environment Manager or SAS Management Console to create new folders. Refer to
 n t i o
the solutions for step-by-step instructions.
I
You can use the sas-make-folder batch tool to create the folders. See solution step 4b.
S u
a. Create the Finance Department and Shipping Department folders under the Orion Star folder.
A tri b
t S
b. Create Payables and Receivables folders under Finance Department.
5. Importing a Package of Folders
s

i g h d i
The import and export tools are available only in SAS Management Console, or as batch
y r r e
tools.
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
o p f o r
Right-click the Payables folder and select Import SAS Package.
In the first step, navigate to D:\Workshop\spaft and select Folder Set.spk to import. Click OK.
C o t
Follow the wizard window steps without making any changes.
b. Import the same package, Folder Set.spk, but this time import it into Orion Star  Finance
N Department  Receivables.
6. Creating a Package
 The import and export tools are available only in SAS Management Console, or as batch
tools.
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in
D:\Workshop\spaft\export_sp.spk. Also, on the first step in the Wizard, select Include
dependent objects when retrieving initial collection of objects.
b. Import export_sp.spk in the Orion Star  Shipping Department folder.
7. Adding Groups to Folders
You can use SAS Environment Manager or SAS Management Console to add identities to folders and
set permissions on folders. Refer to the solutions for step-by-step instructions.
Below is a table that can be used as reference for the exercises.
Group Name Members

Report Content Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie

Creators

c .
e In
Orion Star Users
Analysts
t u t Groups: Finance, Marketing, Sales, Shipping
Cecily, James
Finance
s t i .
Alex, Ben, Jennifer, Katie, Megan, Peter
n
Marketing
I n t i o
Sales
Shipping S
A tri b u Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Ray, Jim
t S
a. Verify the members of the Orion Star Users and Power Users groups, based on the table above.
s
i g h d i
(This was done with the import macro in the previous chapter.)
b. Add Power Users and Orion Star Users to the Orion Star folder’s Authorization. By doing this,
y r r e
the groups will be automatically added to the subfolders’ authorization and the groups will be
given an automatic grant of ReadMetadata.
o p o r
c. Add group identities to folders based on the table below. Also, grant Power Users the
f
WriteMemberMetadata, CheckInMetadata, and Read permissions on each of the folder’s
C o t
authorization.
 There is an automatic grant of ReadMetadata for any identity that is added to the
N Authorization of an object.
Group Name Folder Grant Permissions
Finance Finance Department RM, R
Marketing Marketing Department RM, R
Sales Sales Department RM, R
Shipping Shipping Department RM, R
8. Creating and Applying Baseline Access Control Template (ACT)

One approach to setting permissions on folders is to create general-use ACTs, and apply one or more
of those ACTs to each folder that you need to secure. To grant access back to a particular group,
supplement the ACT settings by adding explicit controls on the target folder.
In the previous exercise, you added Orion Star Users and Power Users to the Orion Star folder, and
gave the group explicit grants on the folder. But currently SASUSERS have RM as well. So in this
exercise, you will create a baseline ACT that will remove visibility for the SASUSERS group on the
Orion Star folder and therefore any subfolders. You will also need to deny ReadMetadata to Orion
Star Users at the Department folders so that only a department group can see its own department
folder (for example, only the Finance group can see the Finance folder, and the other department
groups cannot.)
c .
In
a. Create the Hide ACT.
The Hide ACT is designed to prevent visibility for users who are not in the SAS Administrators
or SAS System Services groups.
u t e
1) In SAS Environment Manager, make sure you are signed in as Ahmed. On the
i t
Administration page, select Side Menu
t .
 Folders. Expand System  Security.
2) Right-click Access Control Templates and select New Access Control Templates.
n s n
3) Enter Hide ACT in the Name field and add a description if you choose. Click OK.
I i o
S u t
4) Right-click Hide ACT and select Open.
5) From the drop-down menu, select ACT: Pattern.
S A tri b
6) Click Add Identities button in the upper right toolbar to add PUBLIC, SAS System
h t
Services, and SAS Administrators.
i s
7) Search PUBLIC and move the identity to the Identities to add: pane. Repeat for SAS
r i g 
r e d
System Services and SAS Administrators. Click OK.
In order to see the entire Add Identities window, you might need to maximize the
p y o r Administration page.
C o t f
8) Click in ReadMetadata field for Public and select Deny.
Verify that SAS System Services is granted RM.
N o Verify that SAS Administrators is granted RM.

b. Secure the Hide ACT.
1) From the drop-down menu, select Authorization.
2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how this
affects the other identities on the Authorization of this object.
3) Save your changes .

4) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata to
SAS Administrators and SAS System Services. From the drop-down menu, select
Apply ACT.
5) Check SAS Administrators Settings ACT and click Save .

6) From the drop-down menu, select Authorization to see the effects.
c. Apply Hide ACT to the Orion Star folder.
1) Select Side Menu  Folders.

2) Right-click Orion Star folder and select Open.
3) From drop-down menu, select Apply ACT.
4) Check Hide ACT and click Save .

d. Review the authorization settings of the Orion Star folder and the Department folders.
1) View the authorization settings of the Orion Star folder (Side Menu  Folders  right-click
Orion Star folder  Open). From the drop-down menu, select Authorization.
c .
In
Do you need to modify any permissions for the SAS Administrators and System Services
groups? Why or why not?
2) Click Close
u t e
in the upper right toolbar to return to the Folders view.
t t
3) View the authorization settings of the Finance Department folder. (Or you can choose to view
i .
the authorization settings of any Orion Star Department folder.)
s
select Authorization.
I i o n
Right-click the Finance Department folder and select Open. From the drop-down menu,
n
S u t
The group identity for each department was already added to the Authorization of its
department folder in a previous exercise. (For example, the Finance group was added to the
A tri b
Authorization of the Finance Department folder.) What effect did adding Hide ACT have on
S
the department group’s effective permission of ReadMetadata?
t s
4) What effect did adding Hide ACT have on the Orion Star Users group? Why?
h i
r i g e d
What effect did it have on the Power Users group? Why?
5) Are the other permissions granted to Power Users affected? Why or why not?
r
p y o r
Are the other permissions granted to Power Users affected? Why or why not?
C o t f
6) Give an explicit Deny of ReadMetadata to Orion Star Users on the Authorization page of
Orion Star Department folders (Finance Department, Marketing Department, Sales
Department, Shipping Department)
N o On the Authorization page of the Finance Department folder, click in the ReadMetadata
field for Orion Star Users and select Deny. Repeat for the Marketing Department, Sales
Department, and Shipping Department folders.

1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
folder and select New Access Control Template.
2) Enter Hide ACT in the Name field on the General tab.
3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the Show
Users check box to list only groups. Hold down the Ctrl key and click the desired groups:
PUBLIC, SAS System Services, and SAS Administrators. Click to move them to the
Selected Identities pane.
4) Click OK.
5) Highlight PUBLIC and deny RM.
.
6) Highlight SAS System Services and verify that RM is granted.
7) Highlight SAS Administrators and verify that RM is granted.
8) Click OK to create the ACT.
In c
u t e
1) Right-click Hide ACT and select Properties. Click the Authorization tab.
t i t
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT,
.
select Access Control Template. Move the SAS Administrators Settings ACT from
I s i o n
Available to Currently Using and click OK.
n
3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
S t
will affect SASUSERS because of identity hierarchy. SASUSERS now have an indirect deny
u
of RM, whereas prior they had indirect grant of RM coming from the Repository ACT.
S A tri b
h t i s
1) Right-click the Orion Star folder and select Properties.
2) On the Authorization tab, select Access Control Templates.
r i g e d
3) Move Hide ACT from the Available pane to the Currently Using pane. Click OK.
r
p yd. Review the Authorization Settings of the Orion Star folder and the Department folders.
o r
1) On the Orion Star folder’s Authorization tab, do you need to modify any permissions for the
C o t fSAS Administrators and System Services groups? Why or why not?
N o 2) The group identity for each department was already added to the Authorization of its
5) Give an explicit Deny of ReadMetadata to Orion Star Users on the Authorization tab of
Department, and Shipping Department).
9. (Optional) Verifying Access
a. Verify the access of someone who is a power user, such as Kari, who is a member of the Data
Integrators group. She should be able to add and modify content in any subfolders of the Orion
Star folder.
b. Verify the access of someone who is in a department group, and not in Orion Star Users (the
power user group), such as Lynn. She is in the Marketing group, so verify her access to the
Marketing Department folder, as well as her access to one of the other department folders, such as
Finance Department.
c. Impersonating an end user, log on to a client application such as SAS Enterprise Guide.
1) Open SAS Enterprise Guide. Click My Server in the bottom right of the interface to modify
c .
In
the connection profile. Click Modify. Enter Kari as the user. No other changes are needed.
(Student1 is the password for everyone.)
t e
2) Can Kari rename, delete, and add a new folder to the Finance Department folder? If so, she
u
has the appropriate permissions for a power user.
i t
3) Click My Server and modify the connection profile, but this time log on as Lynn.
t .
I s i o n
4) Can Lynn see any folders under the Orion Star folder, other than her own department folder
n
of Marketing Department? Can she rename, delete, and add a new folder to the Marketing
S
Marketing group.
u t
Department folder? If not, she has the appropriate permissions for a report consumer in the
A tri b
10. (Optional) Reporting on Security
S
SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
h t i s
for a specified set of identities, permissions, and objects. This macro is documented in
SAS® 9.4 Intelligence Platform: Security Administration Guide.

r i g e d
In SAS 9.4, the sas-show-metadata-access batch tool can generate the same information
r
as the %Mdsecds macro. For information about the batch tool, refer to SAS® 9.4 Intelligence
p y o r
Platform: Security Administration Guide.
C o 
t f The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web report).
N o A sample reporting program is provided with your software in the following location:
For Windows Server
SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas
For Linux Server
SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas
a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
on the Finance folder. (If you did not do the previous exercises from this chapter, use the
Marketing folder.)
 For example, if you want to identify the permissions on the Marketing Department folder,
use the following syntax:
options metaserver=sasserver metauser="Ahmed"
%mdsecds(folder="\Orion Star\Marketing Department",

includesubfolders=no);
b. Use the %Mdsecds macro to identify the effective permissions of a Finance member
on the Finance folder.
 For example, if you want to identify the effective permissions of Ellen on the Marketing
Department folder, use the following syntax:
c .
includesubfolders=no, identitynames="Ellen",
e In
t u t
identitytypes="Person");
c. Use the %Mdsecds macro to identify the effective permissions of a Finance member

s t i
and the PUBLIC group on the Finance folder.
n .
For example, if you want to identify the effective permissions of Ellen and PUBLIC
I n o
on the Marketing Department folder, use the following syntax:
t i
S
A tri b u
t S includesubfolders=no, identitynames="Ellen,PUBLIC",
identitytypes="Person,IdentityGroup");
s
i g h d i
d. Refer to the %Mdsecds macro documentation to answer the following questions:
y r r e
Hint: Refer to the %Mdsecds macro syntax in SAS® 9.4 Intelligence Platform: Security
o p f o r
 If you do not specify the Folder option, what is the default starting point?
 What option would you use to limit the types of objects that are searched?
C o t
 What option would you use to limit the permissions that are included?
Setup for the Poll
c .
e In
t u t
s t i n .
74
I n t i o
S
A tri b
t S s
What do the settings on the Authorization tab in SAS
g h d i
Management Console or the Authorization Page in
SAS Environment Manager of the ACT affect?
i
y r r e
a. The settings are applied where the ACT is applied.
o p f o r
b. The settings control who can access and modify
the ACT itself.
t
c. The settings control who can access and modify
C o
the repository.
d. The settings are ignored and have no effect.
N
75
Setup for the Poll
c .
e In
t u t
s t i n .
77
I n t i o
S
A tri b
t S s
The Private User Folder ACT does not include
g h d i
permissions for individual users such as Barbara.
How is Barbara granted access to her My Folder?
i
y r r e
a. Barbara is a member of PUBLIC, so the ACT settings
o p o r
for PUBLIC determine Barbara’s access.
b. Barbara is explicitly granted access on the
f
Authorization tab of her My Folder.
C o t
c. Barbara is explicitly granted access on the
Authorization tab of the Barbara folder and the
N settings are inherited.

d. Users with the same name as the parent folder
are implicitly granted access.
78

What should the setting for PUBLIC for RM
be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT
is applied should determine the setting
c .
e In
t u t
s t i n .
80
I n t i o
S
A tri
Discussion
b u
t S
General Guidelines and Considerations for Security Model
s
i g h d i
General Guidelines
y r r e
When you assign permissions:
o p o r
 All users with a metadata identity should have RM
f
and WM permissions in the foundation repository ACT.
C o t
 To enable someone to interact with a folder’s contents
but not with the folder itself, grant WMM and deny WM.
N  Before you deny RM on a folder, consider

the navigational consequences.
For simplifying your metadata security implementation and
maintenance, consider following these guidelines:
 In general, it is not necessary to add protection
to predefined folders.
 Do not deny access to SAS administrators, and
do not deny RM permission to SAS System Services .
continued...
83
General Guidelines
 To hide a subfolder branch, apply the Hide ACT
to a particular folder and grant back RM permission
to any groups who should have access.
 Use PUBLIC as the broadest group to deny access
and then grant access back to the appropriate group.
 Secure resources with a combination of inherited
settings and ACTs. Use explicit permission settings
c .

sparingly.
e
Apply security to groups, not users, Include explicit In
u t
groups on an ACT only to grant access, never deny.
You can deny access to implicit groups on ACTs.
t

s i
Always have a designated repository ACT.
t n .
84
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4.4 Solutions 4-73
4.4 Solutions
1. Exploring Identity Hierarchy and Object Inheritance on a Folder
 You have the option of using the Administration Page of SAS Environment Manager or SAS
Management Console for the exercises in Chapter 4. There are step-by-step instructions, but
the solutions offer more steps and screen shots.
c .
In
Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup, with
the following comment: Backup Before Adding Security on Chocolate Enterprises
u t e
t i t .
Student1.
I s i o n
Manager on the Favorites bar. Sign in to SAS Environment Manager as Ahmed and password
n
S t
b. Click the Administration tab. The Folders page is the initial view. If you are already on the
u
Administration page and another view, select Side Menu  Folders. Right-click the Chocolate
A tri b
Enterprises folder and select Open to get to the metadata properties.
S
h t i s
r i g r e d
p y o r
C o t f
N o
c. From the drop-down menu, select Authorization.
Click the square to the left of the identity to highlight the identity. Click the Remove Identities
button in the upper right toolbar toolbar.
The four groups listed cannot be removed because they are coming from the Repository
ACT.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
d. Add the following three group identities: Application Developers, Data Integrators, and
o p f o r
Report Content Creators.
C o t
N 2) You can enter a few letters of the group name and press Enter, or click the Search button
. Highlight the group and move it over to the Identities to Add pane.
3) Do this for all three groups before clicking OK.
4) Save the changes by clicking the Save button in the upper right toolbar.
The newly added groups are automatically given a grant of ReadMetadata.
4.4 Solutions 4-75
 You can click a permission field and a window will appear displaying the type of
permission and from where it comes.
c .
e. Right-click Data Integrators and select Open. From the drop-down menu, select Member of.
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
Power Users
C o t
Nf. Right-click Power Users and select Open to go to the properties of this group identity.
g. From the drop-down menu, select Members.

c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
h. Click the Previous Level button in the upper left of the page to go back to the
Authorization properties of Data Integrators and click the Previous Level button again to
go back to the Authorization properties of the Chocolate Enterprises folder.
4.4 Solutions 4-77
c .
e In
t u t
s t i n .
i. Remove the three group identities (Application Developers, Data Integrators, and Report
I n t i o
Content Creators) from the Authorization properties.
1) Click in the square to the left of the identity to highlight it.
S
A tri b u
t S s
i g h d i
y r 
r e You can hold the Ctrl key while selecting all three group identities and delete all three
at once.
o p f o r
2) Click the Remove Identities button in the upper right toolbar.
C o t
N 3) Click Yes when prompted in the pop-up window.

5) Repeat for the other two group identities.
j. Add Power Users to the Authorization of the Chocolate Enterprises folder.
2) Type Power in Available identities and press Enter. Move Power Users over to Identities to
Add pane. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
3) Click the Save button
s
i g h d i
y r r e
k. The ReadMetadata permission is automatically granted. You need to give grants for the
o p f o r
WriteMemberMetadata, CheckInMetadata, and Read permissions.
C o t
N
4.4 Solutions 4-79
1) Click within the permission field and select Grant from the list. Do the same for the other
two permissions.
c .
e In
t u t
2) Save your changes.
s t i n .
l. Use the Permissions Inspector to look up the effective permissions for any identity. The
I n t i o
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting, in this case the Chocolate Enterprises
folder.
S
A tri b u
m. Enter Kari in the field and select Kari from the drop-down list.
t S s
i g h d i
y r r e
o p f o r
C o t
N
Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She is a
member of the Data Integrators group, which is a member of the Power Users group. The same
n. Click Close to exit the Permissions Inspector and return to the folder tree by clicking the arrow
next to Chocolate Enterprises in the upper left of the page.
o. Go to the Authorization page of the Data folder under the Chocolate Enterprises folder.
 You might need to refresh the view or close out completely of the Administration page
to see the permission changes that you made in previous steps.
Right-click Data and select Open. From the drop-down menu, select Authorization.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
p. Highlight Power Users.
s
i g h d i
y r r e
The group was added to the Chocolate Enterprises definition (the parent folder) and the
permissions set for this identity at that level are inherited.
o p 
f o r There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a folder
C o t discussed in Section 4.2.

q. Can you remove the Power Users group from the Authorization page of the Data folder?
N Why not?
The group was added to the Chocolate Enterprises properties (the parent folder) and
therefore cannot be removed from lower objects.
r. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
automatically to indirect deny) and then select Grant for WriteMemberMetadata. Be sure to save
your changes.
a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate

Enterprises and select Properties.)
4.4 Solutions 4-81
c .
e In
t u t
s t i n .
I n
t i o
The four groups listed cannot be removed because they are coming from the Repository
ACT.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nb. Add the following three groups to the Authorization tab: Application Developers, Data
Integrators, and Report Content Creators.
 You can hold down the Ctrl key, highlight all three at once, and then select the single
arrow to move them over to the Selected Identities pane.
The newly added groups are automatically given a grant of ReadMetadata.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
g h d i
c. Highlight Data Integrators and select Properties. This displays the properties of the Data
i
y r e
Integrators group, but as Read-only.
r
o p f o r
C o t
N
4.4 Solutions 4-83
d. Click the Groups and Roles tab. What group is Data Integrators a member of?
c .
e
e. Highlight Power Users and select Properties. In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
Who are members of the Power Users group?
C o t
Data Integrators, Application Developers, and Report Content Creators are members
of Orion Star Users.
N
f. Click Cancel and then Close to return to the Chocolate Enterprises folder Properties.
g. Remove the three groups (Application Developers, Data Integrators, and Report Content
Creators) from the Users and Groups window.
Hold down the Ctrl key and highlight the three groups. Then select Remove.
c .
In
Click Yes to confirm the removal.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t
h. Add Power Users to the Authorization tab.
i s
r i g r e d
p y o r
C o t f
N o
4.4 Solutions 4-85
i. The ReadMetadata permission is automatically granted and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You need to
stay on the Authorization tab to get to the Advanced button referenced in j.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
j. Click the Advanced button.
f
C o t
N
k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member
of the Data Integrators group, which is a member of the Power Users group. The same
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
l. Click OK twice to return to the Chocolate Enterprises folder.
m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.
f
C o t
Right-click the Data folder under the Chocolate Enterprises folder and select Properties.
4.4 Solutions 4-87
n. Highlight Power Users. Where do these permissions come from?

The permissions that were given on the parent folder, Chocolate Enterprises, are inherited
by the Data folder, a subfolder. The gray background of the Grant and Deny boxes means
that they are indirect settings, coming from somewhere else. In this case, that is the parent
folder: Chocolate Enterprises.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o. Can you remove the Power Users group from the Authorization tab of the Data folder?
o p Why not?
f o r
The group was added to the Chocolate Enterprises properties (the parent folder) and
C o t
therefore cannot be removed from lower objects.
 There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a folder
N becomes an inherited grant (or deny) of WM on the objects in that folder. This is further
p. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
automatically to indirect deny), and then select Grant for WriteMemberMetadata.
2. Assigning WriteMetadata and WriteMemberMetadata Permissions
Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of Before
adding parent and child folders.
c .
a. On the Administration page, select Side Menu  Folders.
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
b. Right-click the Chocolate Enterprises folder and select New Folder. Name the new folder
Parent and click OK.
y r r e
o p f o r
C o t
N
c. Right-click the Parent folder and select Open.
4.4 Solutions 4-89
d. From the drop-down menu, select Authorization.
c .
e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
e In
t u t
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?
It changes the WMM permission to a Grant.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
f. Click in the WriteMemberMetadata field for PUBLIC and select Show Origins.
f
C o t
N
g. Change the explicit grant of WriteMetadata for PUBLIC back to ‘no explicit control’ by clicking
the WriteMetadata field and selecting the option.
c .
e In
u t
How does this affect WMM permission for PUBLIC?
t
t i .
It changes both WM and WMM permission back to indirect Deny.
s n
I n t i o
S
A tri b u
t S
h. Add an explicit grant of WMM permission for PUBLIC.
s
i g h d i
How does this affect WM permission for PUBLIC?
y r r e
No change for WM
o p f o r
C o t
N
4.4 Solutions 4-91
i. Remove the explicit WMM permission grant for PUBLIC.

How does this affect WM permission for PUBLIC? No change for WM permission
c .
e In
t u t
j. Add Alex to the Authorization page for the Parent folder with an explicit denial of WM permission
s t
1) Click the Add button
i n .
I n t i o
2) Type Alex in the Available Identities and press Enter. Move Alex to Identities to Add pane.
S
Click OK.
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.
c .
5) Click Close .
e
to save the changes.
In
t u t
k. Right-click the Parent folder and select New Folder. Name the new folder Child and click OK.
s t i n .
I n t i o
S
A tri b u
t S s
g h d i
l. Right-click the Child folder and select Open.
i
y r r e
o p f o r
C o t
m. From the drop-down menu, select Authorization.
n. On the Authorization page of the Child folder, what are the settings for WM permission and
WMM permission for Alex?
Both WM and WMM permissions are granted indirectly. Because he was explicitly granted
WMM on the Parent folder, he indirectly will have WM on the child folder and any objects
below the Parent folder.
4.4 Solutions 4-93
o. Do not log off from SAS Environment Manager.

p. Log on to SAS Management Console as Alex using the password Student1. (You cannot do steps
q-s in SAS Environment Manager because Alex is not a member of any role in SAS Environment
Manager and thus cannot authenticate to the Environment Manager Server.)
 You can open another SAS Management Console session by selecting Start 
q. Right-click My Folder.
c .
In
and Delete?
t e
New Folder and New Stored Process are available. Rename and Delete are dimmed. Because
it is Alex’s own My Folder, he can add content, as he is implicitly given WMM on his own
u
t i t
folder, but implicitly denied WM (the ability to modify his My Folder definition itself).
.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
r. Right-click the Chocolate Enterprises folder.
C o t f
or Delete?
N o None are available. This is because he does not have WMM on the Chocolate Enterprises
folder (the ability to add content in the folder) nor WM (the ability to modify the metadata
folder definition itself).
s. Right-click the Parent folder.
or Delete?
Alex can add a folder and stored process but cannot rename or delete this folder. This
is because he has WMM (the ability to add content in the folder) but not WM (the ability
to modify the metadata folder definition itself).
c .
e In
t u t
s t i n .
I n t i o
t. In SAS Environment Manager, delete the Parent folder. However, you must first delete the Child
folder.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
1) Right-click the Child folder and select Delete.
C o t
N
4.4 Solutions 4-95
3) Right-click the Parent folder and select Delete.
c .
In
u t e
t i t .
I
n s i o n
S u t
a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create a new
A tri
folder named Parent.
S b
1) On the Folders tab, right-click Chocolate Enterprises and select New Folder.
t i s
2) Enter the name Parent and click Finish.
h
r i g r e d
p y o r
C o t f
N o
b. Right-click the Parent folder. Select Properties, and click the Authorization tab. Select
PUBLIC and add an explicit grant of WM permission. How does this affect WMM permission
for PUBLIC?
It changes the WMM permission to Grant with an indirect background color.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i
c. Select the grant WriteMetadata box for PUBLIC again to clear the explicit setting. How does
h
this affect WMM permission for PUBLIC?
i g d
y r e
It changes both WM and WMM permission back to indirect Deny.
r
o p f o r
C o t
N
4.4 Solutions 4-97
d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission for
PUBLIC?
No change for WM
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r e
e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
r for PUBLIC? No change for WM permission
o p f o r
C o t
N
f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
1) Click Add.
2) Select Alex from the list in the Available Identities list box. Click to move Alex
to the Selected Identities list box. Click OK to add Alex to the folder.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i h d i
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata. Click OK to save
g
y r r e
the changes.
o p f o r
C o t
N
4.4 Solutions 4-99
g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
Click Finish to create the folder.
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
permission and WMM permission?
Both WM and WMM permissions are granted indirectly.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p 
f r
i. Log on to SAS Management Console as Alex using the password Student1.
o You can open another SAS Management Console session by selecting Start 
C o t SAS Management Console. Or you can disconnect as Ahmed in the current session
Nj. Right-click My Folder. Are the following actions available or dimmed: New Folder, New Stored
Process, Rename, and Delete?
New Folder and New Stored Process are available. Rename and Delete are dimmed. Because
it is Alex’s own My Folder, he can add content, as he is implicitly given WMM on his own
folder, but implicitly denied WM (the ability to modify his My Folder definition itself).
k. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
New Folder, New Stored Process, Rename, and Delete?
None are available. This is because he does not have WMM on the Chocolate Enterprises
folder (the ability to add content in the folder) nor WM (the ability to modify the metadata
folder definition itself).
c .
e In
t u t
s t i n .
l. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
I n i o
Stored Process, Rename, and Delete?
t
S
Alex can add a folder and stored process but cannot rename or delete this folder. This
u
is because he has WMM (the ability to add content in the folder) but not WM (the ability
A tri b
to modify the metadata folder definition itself).
t S s
i g h d i
y r r e
o p f o r
C o t
Nm. Delete the Parent folder. You will need to log on as Ahmed to delete the Parent folder, since Alex
does not have the authorization to do so.
1) Right-click the Parent folder and select Delete from the drop-down menu.
4.4 Solutions 4-101
3. Adjusting Conflicting Permission Settings

You can use SAS Environment Manager or SAS Management Console to do the exercise. Refer to the
solutions for step-by-step instructions.
c .
e
a. Create a new metadata group named Group A. Assign Harvey as a member. In
t u t
1) On the Administration page, select Side Menu  Users.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
2) From the Filter select Group.
y r r e
o p f o r
C o t
N 3) Click the Add User/Group/Role button in the upper right toolbar and select New
Group.
4) Enter Group A as the name and click Save.
c .
e In
t u t
s i
5) On the drop-down menu, select Members.
t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
6) Select the Edit button
f
C o t
7) Search for Harvey and move the identity to the Direct Members pane.
Click OK.
8) Click the Save button and click Close .
4.4 Solutions 4-103
1) Click the Add User/Group/Role button in the upper right toolbar and select
New Group.
c .
In
2) Enter Group B as the name and click Save.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
3) From the drop-down menu, select Members.
p y o r
C o t f
N o
4) Select the Edit button in the upper right toolbar.
5) Search for Harvey and move the identity to the Direct Members pane.
Click OK.
c .
e In
t u t
s t i
n .and click Close .
I n i o
c. Create an ACT named Allow Group A, which grants RM permission to Group A.
t
S u
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
2) Navigate to System  Security  Access Control Templates.
4.4 Solutions 4-105
3) Right-click Access Control Templates and select New Access Control Template.
4) Enter Allow Group A for the name. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g d i
5) Right-click Allow Group A ACT and select Open.
h
y r r e
o p f o r
C o t
7) Add Group A by clicking the Add button in the upper right toolbar.
8) Search for Group A and move the identity to the Identities to add pane. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
9) Verify that Group A has a grant of RM.
s
i g h d i
y r r e
o p f o r
10) Click the Save button and click Close .
C o t
1) Right-click the Shared Data folder and select Open.
N
2) From the drop-down menu, select Apply ACT.
4.4 Solutions 4-107
3) Check the box next to Allow Group A ACT. Save the changes but do not close out.
c .
e In
t u t
s t i
2) Click the Add Identities button
n . in the upper right toolbar.
I n i o
3) Search for Group B and move the identity to the Identities to Add pane. Click OK.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4) Click in the ReadMetadata field for Group B and select Deny.
5) Save the changes .
Harvey is denied all permissions.
1) Click the Permissions Inspector button in the upper right toolbar.

2) Type Harvey and select Harvey from the list.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 3) Close out of the permissions inspector.
a. Create a new metadata group named Group A. Assign Harvey as a member.

1) Right-click User Manager and select New  Group.
2) Enter Group A as the name.
4.4 Solutions 4-109
3) Click the Members tab. Select Harvey and move it to the Current Members list box.
Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
1) Right-click User Manager and select New  Group.
f
2) Enter Group B as the name.
C o t
3) Click the Members tab. Select Harvey and then click to move it to the Current Members
N list box.
4) Click OK.
c. Create an ACT named Allow Group A, which grants RM permission to Group A.
1) Expand Authorization Manager.
2) Right-click Access Control Templates and select New Access Control Template.
3) Enter Allow Group A for the name.
4) On the Permission Pattern tab, add Group A and grant RM permission.
5) Click OK.
1) Right-click the Shared Data folder and select Properties. Click the Authorization tab.
2) Click Access Control Templates.
3) Expand Foundation and select Allow Group A in the Available list box. Click to move
it to the Currently Using list box.
4) Click OK.
1) Click Add. Select Group B and then click to it move it to the Selected Identities list box.
2) Click OK.
3) Explicitly deny RM for Group B and make sure that the other permissions are indirectly
c .
In
denied.
4) Click OK.
t e
u

i t
Use the Permissions Inspector in SAS Environment Manager.
t .

I n s i o
Harvey is denied all permissions. n
Use the Advanced option on the Authorization tab in SAS Management Console.
4. Creating Custom Folders
S u t
A tri b
Use the Metadata Manager plug-in in SAS Management Console to run an ad hoc backup
of metadata, with the comment Backup before adding folder content and security on Orion Star.
S
h t i s
r i g r e d
p y o r
C o t f
N o
You can use SAS Environment Manager or SAS Management Console to create new folders. Refer to
the solutions for step-by-step instructions.
 You can use the sas-make-folder batch tool to create the folders. See solution steps 4b.
1) Under Side Menu  Folders. Right-click Orion Star folder and select New Folder.
4.4 Solutions 4-111
2) Enter Finance Department for Name and click OK.
c .
3) Repeat steps 1 and 2 for the Shipping Department.
e
b. Create the Payables and Receivables folders under Finance Department. In
Follow the steps in 4a.
t u t
s t i n .
I n o
t i
1) Right-click Orion Star folder and select New  Folder.
S
A tri b u
t S s
i g h d i
y r r e
o p o r
2) Enter Finance Department for Name and click Finish.
f
C o t
N
3) Repeat steps 1 and 2 for the Shipping Department.
b. Create the Payables and Receivables folders under Finance Department.

Follow the steps in 4a.
To use the sas-make-folder batch tool, do the following:
For Windows Server
1. Access the CMD window from the Start menu.
2. Navigate to D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.
c .
e In
t u t
s t i n .
I n t i o
3. S
A tri b u
Enter the following: sas-make-folder.exe -host “sasserver.demo.sas.com” -port 8561
t S -user “Ahmed” -password “Student1” “/Orion Star/Finance
s
Department/Payables” -makeFullPath
i g h d i
Repeat for Receivables under the Finance Department folder and the Shipping
Department.
y r r e
o p f o r
C o t
N
4.4 Solutions 4-113
For Linux Server
c .
e In
t u t
2.
s i
Enter the following: ./sas-make-folder -host “sasserver.demo.sas.com” -port 8561 -
t n .
user “Ahmed” -password “Student1” “/Orion Star/Finance
Department/Payables” -makeFullPath
I n
Department.
t i o
Repeat for Receivables under the Finance Department folder and the Shipping
S
A tri b u
t S s
i g h d i
r r e
5. Importing a Package of Folders
y
o p 
f o r
tools.
C t
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
o 1) Right-click the Payables folder and select Import SAS Package.
N In the first step, navigate to D:\Workshop\spaft and select Folder Set.spk to import. Click
OK.
Follow the wizard window steps without making any changes.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4.4 Solutions 4-115
2) Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
3) Click Next three more times and Finish.
b. Import the same package, Folder Set.spk, but this time into Orion Star  Finance
t S
Department  Receivables.
6. Creating a Package
s

i g h d i
y r e
tools.
r
o p f o r
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in
D:\Workshop\spaft\export_sp.spk.
C o t
1) Right-click Orion Star  Marketing Department  Stored Processes and select
Export SAS Package..
2) Navigate to the location D:\Workshop\spaft. Name the file export_sp.spk. Select Include
dependent objects when retrieving initial collection of objects. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
3) Click Next.
d i
y r r e
o p f o r
C o t
N
4) Click Next twice, and click Finish.
4.4 Solutions 4-117
b. Import export_sp.spk in the Orion Star  Shipping Department folder.

1) Right-click Orion Star  Shipping Department and select Import SAS Package.
c .
e In
t u t
t i
2) Browse the location of the export_sp.spk file that was just created. If you are doing this
.
in sequence, the location and file will automatically show up in the browse location.
Click Next.
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
3) No more changes are needed, so click Next four times. Click Finish.
c .
e In
t u t
7. Adding Groups to Folders
s t i n .
I n t i o
You can use SAS Environment Manager or SAS Management Console to add identities to folders and
set permissions on folders. Refer to the solutions for step-by-step instructions.
S
A tri
Group Name
b u
Below is a table that can be used as reference for the exercises.
Members
t S
Power Users
s Groups: Application Developers, Data Integrators,
i g h d i Report Content Creators
y r e
Report Content
Creators
r
Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie
o p o r
Data Integrators
f
Barbara, Bruno, Kari, Marcel, Ole
C o t
Application Developers
Orion Star Users

Anita, George, Sally, Samantha
Groups: Finance, Marketing, Sales, Shipping
N Analysts
Finance
Cecily, James
Alex, Ben, Jennifer, Katie, Megan, Peter
Marketing Eric, Henri, Jacques, Lynn, Stephanie
Sales Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Shipping Ray, Jim
4.4 Solutions 4-119
a. Verify the members of the Orion Star Users and Power Users groups based on the table above.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nb. Add Power Users and Orion Star Users to the Orion Star folder’s Authorization. By doing this,
the groups will be automatically added to the subfolders’ authorization and the groups will be
given an automatic grant of ReadMetadata.
1) Under Side Menu  Folders, right-click Orion Star folder and select Open.
c .
e In
t u t
s t i
3) Click the Add Identities button
n .
4) Search Power Users and move the group identity to the Identities to add pane. Search
I n t i o
Orion Star Users and move to the group identity to the Identities to add pane. Click OK.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5) Click the Save button in the upper right toolbar and click Close .
authorization.
Authorization of an object.
4.4 Solutions 4-121
1) Right-click Finance Department folder and select Open.

c .
e In
t u t
s t i n .
2) Under the drop-down menu, select Authorization.
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
3) Click the Add Identities button in the upper right toolbar.
C o t
4) Search Finance and move the group identity to the Identities to add pane. Click OK.
5) Click in the Read field for Finance and select Grant.
6) Click in the WriteMemberMetadata field for Power Users and select Grant.
c .
e In
t u t
s t i n .
I n i o
7) Repeat for CheckInMetadata and Read fields for Power Users.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 8) Save your changes in the upper right toolbar and click Close .
9) Repeat steps 1–8 for the other three folders, Marketing Department, Sales Department,
and Shipping Department.
a. Verify the members of the Orion Star Users and Power Users groups based on the table above.
4.4 Solutions 4-123
b. Add Power Users and Orion Star Users to the Orion Star folder’s Authorization. By doing this,
c .
an automatic grant of ReadMetadata.
e In
the groups will be automatically added to the subfolders’ authorization. The groups will be given
t u t
1) Click Add on the Authorization tab of the Orion Star folder.
2) Clear Show Users so that you show only a list of groups.
s t i n .
3) Select Power Users and Orion Star Users in the Available Identities list and click
move the identity to the Selected Identities list.
to
4) Click OK.
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
authorization.
Authorization of an object.
1) Right-click Finance Department folder and select Properties.

c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
2) On the Authorization tab, click Add.
y r r e
o p f o r
C o t
N
4.4 Solutions 4-125
3) Clear Show Users if you want. Highlight the Finance identity and click to move the
identity to the Selected Identities side.
c .
e In
t u t
s t i n .
I n t i o
S
A tri
4) Click OK.
b u
t S
5) Explicitly grant Read for the Finance group.
s
i g h d i
y r r e
o p f o r
C o t
N
6) Explicitly grant Read, WriteMemberMetadata, CheckInMetadata to Power Users group.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
7) Repeat steps 1–6 for the other three folders, Marketing Department, Sales Department,
N and Shipping Department.

23. Creating and Applying Baseline Access Control Template (ACT)
One approach to setting permissions on folders is to create general-use ACTs, and apply one or more
of those ACTs to each folder that you need to secure. To grant access back to a particular group,
supplement the ACT settings by adding explicit controls on the target folder.
In the previous exercise, you added Orion Star Users and Power Users to the Orion Star folder, and
gave the group explicit grants on the folder. But currently SASUSERS have RM as well. So in this
exercise, you will create a baseline ACT that will remove visibility for the SASUSERS group of the
Orion Star folder and therefore any subfolders. You will also need to deny ReadMetadata to Orion
Star Users at the Department folders so that only a department group can see its own department
folder (for example, only the Finance group can see the Finance folder, and the other department
groups cannot.)
4.4 Solutions 4-127

1) In SAS Environment Manager, make sure you are signed in as Ahmed. On the
Administration page, select Side Menu  Folders. Expand System  Security.
c .
e In
t u t
s t i n .
I n t i o
2) Right-click Access Control Templates and select New Access Control Templates.
S
A tri b u
t S s
i g h d i
y r r e
o p o r
3) Enter Hide ACT in the Name field and add a description if you choose. Click OK.
f
C o t
N
4) Right-click Hide ACT and select Open.
c .
6) Click Add Identities button
e in the upper right toolbar to add PUBLIC, SAS System In
t u t
Services, and SAS Administrators.
t i
7) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS System
.
Services and SAS Administrators. Click OK.
 s n
I n i o
In order to see the entire Add Identities window, you might need to maximize the
Administration page.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4.4 Solutions 4-129
8) Click in ReadMetadata field for PUBLIC and select Deny.

Verify that SAS System Services is granted RM.
Verify that SAS Administrators is granted RM.
c .
e In
t u t
s t i n .
n
I
t i o
S u
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N 2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how this
affects the other identities on the authorization of this object.
4) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata to
SAS Administrators and SAS System Services. From the drop-down menu select Apply
ACT.
c .
e In
t u t
s t i n .
I n t i o
5) Check SAS Administrators Settings ACT and click Save .
S
A tri b u
t S s
i g h d i
y r r e
o p o r
6) From the drop-down menu, select Authorization to see the effects.
f
C o t
N
2) Right-click Orion Star folder and select Open.
4.4 Solutions 4-131
3) From drop-down menu, select Apply ACT.
c .
e In
t u t
4) Check Hide ACT and click Save .
t i .
d. Review the authorization settings of the Orion Star folder and the Department folders.
s n
I n t i o
1) View the authorization settings of the Orion Star folder (Side Menu  Folders  right-click
Orion Star folder and select Open). From the drop-down menu, select Authorization.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Do you need to modify any permissions for the SAS Administrators and System Services
groups? Why or why not?
No, these groups were added to the permission pattern of the Hide ACT to guarantee
that they would continue to have the necessary RM permission. The other permissions
for SAS Administrators are inherited from somewhere else.
2) Click Close in the upper right toolbar to return to the Folders view.
3) View the authorization settings of the Finance Department folder. (Or you can choose to view
the authorization settings of any Orion Star Department folder.)
Right-click Finance Department folder and select Open. From the drop-down menu, select
Authorization.
c .
e In
t u t
s t i n .
The group identity for each department was already added to the Authorization of its
I n t i o
S
A tri b u
Nothing, because explicit settings take precedence over ACT settings.
t S
s
i g d i
5) What effect did it have on the Power Users group? Why?
h The Orion Star Users group has an indirect grant of RM. The Hide ACT denied Public
y r r e
RM, which gave SASUSERS an indirect deny of RM for all folders below the Orion Star
folder. However, Orion Star Users and Power Users were given an explicit grant of RM
o p f o r
at the Orion Star folder, which in turn is an indirect grant of RM at the subfolders for
both of the groups.
C o t Are the other permissions granted to Power Users affected? Why or why not?
No, those permissions are inherited from the parent folder because we added Orion Star
N Users to the Orion Star folder and granted permissions there. The Hide ACT that was
applied addresses the RM permission.
6) Give an explicit Deny of ReadMetadata to Orion Star Users on the Authorization page of
Department, Shipping Department)
On the Authorization page of the Finance Department folder, click in ReadMetadata field
for Orion Star Users and select Deny. Repeat for the Marketing Department, Sales
Department, and Shipping Department folders.
4.4 Solutions 4-133
c .
e In
t u t
s t i n .
I n
t i o
S
A tri b u
1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
S
folder and select New Access Control Template.
h t i s
r i g r e d
p y o r
C o t f
2) Enter Hide ACT in the Name field on the General tab.
N o
3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the Show
Users check box to list only groups. Hold down the Ctrl key and click the desired groups:
PUBLIC, SAS System Services, and SAS Administrators. Click to move them to the
Selected Identities pane.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
4) Click OK.
d i
5) Highlight PUBLIC and deny RM.
y r r e
o p f o r
C o t
N
4.4 Solutions 4-135
6) Highlight SAS System Services and verify that RM is granted.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
7) Highlight SAS Administrators and verify that RM is granted.
y r r e
o p f o r
C o t
N
8) Click OK to create the ACT.

1) Right-click Hide ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from the
Available to Currently Using and click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
y r r e
will affect SASUSERS because of identity hierarchy. SASUSERS now have an indirect deny
o p f o r
of RM, whereas prior they had indirect grant of RM coming from the Repository ACT.
C o t
N
4.4 Solutions 4-137

1) Right-click the Orion Star folder and select Properties.
c .
e In
t u t
t i .
2) On the Authorization tab, select Access Control Templates.
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
3) Move Hide ACT from the Available pane to the Currently Using pane. Click OK.
d. Review the Authorization Settings of the Orion Star folder and the Department folders.
1) On the Orion Star folder’s Authorization tab, do you need to modify any permissions for the
SAS Administrators and System Services groups? Why or why not?
No, these groups were added to the permission pattern of the Hide ACT to guarantee
that they would continue to have the necessary RM permission. The other permissions
for SAS Administrators are inherited from somewhere else.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 2) The group identity for each department was already added to the Authorization of its
Nothing, because explicit settings take precedence over ACT settings.
4.4 Solutions 4-139
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
The Orion Star Users group has an indirect grant of RM. The Hide ACT denied Public
C o t RM, which gave SASUSERS an indirect deny of RM for all folders below. However,
Orion Star Users and Power Users were given an explicit grant of RM at the Orion Star
N Folder, which in turn is an indirect grant of RM at the subfolders for both of the groups.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
No, those permissions are inherited from the parent folder because we added Orion Star
Users to the Orion Star folder and granted permissions there. The Hide ACT that was
applied addresses only the RM permission.
C o t
N
4.4 Solutions 4-141
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
5) Give an explicit Deny of ReadMetadata to Orion Star Users on the Authorization tab of
o p f o r
Department, and Shipping Department).
C t
24. (Optional) Verifying Access
o
a. Verify the access of someone who is a power user, such as Kari, who is a member of the Data
N Integrators group. She should be able to add and modify content in any subfolders of the Orion
Star folder.
b. Verify the access of someone who is in a department group, and not in Orion Star Users (the
power user group), such as Lynn. She is in the Marketing group, so verify her access to the
Marketing Department folder, as well as her access to one of the other department folders, such as
Finance Department.
c. Impersonating an end user, log on to a client application such as SAS Enterprise Guide:
1) Open SAS Enterprise Guide. Click My Server in the bottom right of the interface to modify
the connection profile.
2) Click Modify.
c .
e In
t u t
t i .
3) Enter Kari as the user. No other changes are needed. (Student1 is the password for
everyone.)
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
4) Click Save  Yes  OK  Close.
4.4 Solutions 4-143
5) Can Kari rename, delete, and add a new folder to the Finance Department folder? If so, she
has the appropriate permissions for a power user.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
6) Click My Server and modify the connection profile, but this time log on as Lynn.
t S
Repeat step a.
s
7) Can Lynn see any folders under the Orion Star folder, other than her own department folder
i g h d i
of Marketing Department? Can she rename, delete, and add a new folder to the Marketing
Department folder? If not, she has the appropriate permissions for a report consumer
y r r e
in the Marketing group.
o p f o r
C o t
N
25. (Optional) Reporting on Security
SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
for a specified set of identities, permissions, and objects. This macro is documented in
SAS® 9.4 Intelligence Platform: Security Administration Guide.
 In SAS 9.4, the sas-show-metadata-access batch tool can generate the same information
as the %Mdsecds macro. For information about the batch tool, refer to SAS® 9.4 Intelligence
Platform: Security Administration Guide.
 The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web report).
A sample reporting program is provided with your software in the following location:
For Windows Server
SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas
For Linux Server
c .
In
SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas
u t e
a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
t t
i
.
n s
includesubfolders=no);
I i o n
S
u t
b. Use the %Mdsecds macro to identify the effective permissions of a Finance member
A tri b
S metapass="Student1";
h t
i s
includesubfolders=no, identitynames="Ellen",
r i g r e d
identitytypes="Person");
c. Use the %Mdsecds macro to identify the effective permissions of a Finance member
p y and the PUBLIC group on the Finance folder.
o r
C o t f metapass="Student1";
N o includesubfolders=no, identitynames="Ellen,PUBLIC",
identitytypes="Person,IdentityGroup");
d. Refer to the %Mdsecds macro documentation to answer the following questions:
Hint: Refer to the %Mdsecds macro syntax in SAS® 9.4 Intelligence Platform: Security
1) If you do not specify the folder option, what is the default starting point?
By default, the starting point is the server root (the SAS Folders node).
2) What option would you use to limit the types of objects that are searched?
MEMBERTYPES
3) What option would you use to limit the permissions that are included?
PERMS
4.4 Solutions 4-145

What would happen if you remove the repository ACT?
a. All permissions are denied.
b. Nothing, permissions will come from somewhere else.
c. All permissions are granted.
c .
d. Permissions come from the SAS Folders authorization
tab.
e In
t u t
s t i n .
I n t i o
18
S
A tri b u
t S s
i g h d i
y r r e
o p o r
a. only the identities that need access to the item
f
t
b. only the identities added on the specific item
C o
c. only the identities from the Marketing Department
Authorization tab
N d. the identities from the Marketing Department folder

and any added on that specific item
21

What are the predefined ACTs in the environment?
What ACTs are applied to this ACT?
c .
e In
t u t
s t i .
 The Default ACT is the acting repository ACT and is
n
n o
indirectly applied to all metadata.
28
S I t i
A tri b u
t S s
What is the effect of explicitly denying PUBLIC RM?
g h d i
a. Only PUBLIC is affected and the settings for the other
i
y r r e
users and groups remain unchanged.
b. Only PUBLIC and SASUSERS are affected
o p f o r
and the settings for the other users and groups
remain unchanged.
t
c. PUBLIC is denied RM, which overrides all explicit,
C o
ACT, and indirect settings for the other users
and groups.
N d. PUBLIC is denied RM, which overrides all indirect

settings for the other users and groups but does
not override explicit or ACT settings for other users
and groups.
41
4.4 Solutions 4-147

If an ACT includes settings for Ellen and you apply
the ACT to an object that already lists Ellen on the
Authorization of an object, what happens to Ellen’s
permissions?
.
a. The settings from the ACT take precedence.
b. The settings from the ACT are ignored.
c. Explicit settings are not affected and indirect settings
are changed to ACT settings.
In c
t e
d. The settings from the groups in her identity hierarchy
take precedence.
u
t i t .
 If there are conflicting ACT settings, the denial
43
settings are used.
I n s i o n
S u t
A tri b
S
h t
i s
r gover ACTs
r e d
a. Grant RM because explicit settings take precedence
i
y
b. Deny RM because ACT settings take precedence
o p f o r
over explicit settings
t
at the same level of an identity hierarchy,
C o
N at the same level of an identity hierarchy,

46

a. Grant RM because grants take precedence
over denials
b. Deny RM because denial settings take precedence
over grants
c .
In
u t e
t t
i .
49
I s
n i o n
S u t
A tri b
S
h t
i s
r g r e d
a. Grant RM because explicit grants always take
i precedence over denials
y
b. Deny RM because the denial setting is coming from
o p f o r
a direct group and take precedence over grants from
an indirect group
t
c. Deny RM because grants coming from an ACT always
C o
take precedence
d. Grant RM because the HR group inherits the Explicit
N grant of RM from the Finance Group
52
4.4 Solutions 4-149

What do the settings on the Authorization tab in SAS
Management Console or the Authorization Page in
SAS Environment Manager of the ACT affect?
a. The settings are applied where the ACT is applied.
b. The settings control who can access and modify
the ACT itself.
c .
In
c. The settings control who can access and modify
the repository.
t e
d. The settings are ignored and have no effect.
u
t i t .
76
I n s i o n
S u t
S A tri b
h t
i s
r g e d
The Private User Folder ACT does not include
i
permissions for individual users such as Barbara.
r
p y How is Barbara granted access to her My Folder?
o r
a. Barbara is a member of PUBLIC, so the ACT settings
C o t f
for PUBLIC determine Barbara’s access.
b. Barbara is explicitly granted access on the
N o Authorization tab of her My Folder.

c. Barbara is explicitly granted access on the
Authorization tab of the Barbara folder and the
settings are inherited.
d. Users with the same name as the parent folder
are implicitly granted access.
79

What should the setting for PUBLIC for RM
be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT
is applied should determine the setting
c .
e In
t u t
s t i n .
81
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 5 Establishing
Connectivity to Data Sources
5.1 Registering Libraries and Tables in Metadata ............................................................5-3
Demonstration: Registering SAS Library and Table Metadata in SAS Environment
c .
e
Demonstration: Registering SAS Library and Table Metadata in SAS Management In
Manager ..................................................................................................... 5-14
t u t
Console (Optional) ...................................................................................... 5-23
Exercises .............................................................................................................................. 5-26
5.2
s t i n .
Setting Up Data Access ..............................................................................................5-29
I n i o
Exercises .............................................................................................................................. 5-38
t
5.3
S u
Solutions .....................................................................................................................5-45
A tri b
t S
Solutions to Student Activities (Polls/Quizzes) ..................................................................... 5-85
s
i g h d i
y r r e
o p f o r
C o t
N
5-2 Chapter 5 Establishing Connectivity to Data Sources
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5.1 Registering Libraries and Tables in Metadata 5-3
5.1 Registering Libraries and Tables in

Metadata
Objectives
 Identify two ways to access data.
c .
In
 Register a SAS library and tables in the metadata.
u t e
t i t .
I n s i o n
S u t
S A tri b
3
h t i s
r i g r
Data Sources e d
p y o r
SAS can access a wide variety of data sources, including
C o t f
 SAS data sets
o
 RDBMS tables
N
 ODBC data sources.
For each type of data source, SAS uses the appropriate

engine to access the data.
The BASE engine is used to access SAS data sets. SAS data sets (tables) are the default SAS storage
format. A SAS table contains data values that are organized as a table of rows and columns. A SAS data
set can be processed by SAS software.
You can use SAS/ACCESS Interface to Oracle or SAS/ACCESS Interface to ODBC to access Oracle
tables. SAS/ACCESS Interface to Oracle uses the Oracle engine. SAS/ACCESS Interface to ODBC uses
the ODBC engine.
Accessing Data
Accessing data can be done in these ways:
 writing SAS code to connect to the data source
c .
In
libname orion "d:\workshop\orion";
e
 referring to the metadata registration of the data
source
t u t
s t i n .
I n t i o
S
A tri b u
5
t S s
When you write SAS code, the LIBNAME statement, with the appropriate native engine, can be used
i g h d i
in SAS applications that offer a programmatic interface (for example, SAS Enterprise Guide), as well
as in stored processes and batch jobs. You can also include LIBNAME statements in autoexec files.
r r e
An alternative to the native engine is to use the META engine in the LIBNAME statement.
y
o p f o r
libname orstar meta library="Orion Star Library";
The META engine causes a lookup in the metadata for the connection information and metadata
C t
permission check. This is similar to having a user of a SAS application select a table from a list
o
of metadata-registered tables.
Accessing Data
By selecting a table registered
in metadata, users have to go
through metadata layer controls.
By submitting a LIBNAME
.
statement directly, users can
c
bypass metadata layer controls.
In
Regardless, host access
to the data is required.
u t e
t i t .
6
I n s i o n
t
6
are enforced. S
A tri b u
If a library is metadata bound, even if a user tries to access it directly, metadata layer permissions
t S s
Accessing Data without Metadata
i g h d i
y r r e
o p f o r
C o t
N
7
The data can be local to the workspace server machine or in a remote location that is accessed using
a network path. Data cannot be accessed via mapped drives on the SAS Application Server. You must use
the UNC path, such as \\dataserver\sourcetables.
Accessing Data with Metadata
c .
e In
t u t
s t i n .
8
I n t i o
S u
The appropriate LIBNAME statement is created from the information retrieved from the metadata.
A tri b
t S
Accessing Relational Data with Metadata
s
i g h d i
y r r e
o p f o r
C o t
N
9
SAS/ACCESS must be on the same machine as the SAS process that accesses the data. In a UNIX
environment, the configuration of SAS/ACCESS requires setting some environment variables.
The database client installation and configuration is typically done by a database administrator (DBA).
The DBA has access to tools that help test the configuration and connection to the database server.
Databases typically maintain credentials separate from other authentication providers.
Connection Information
For RDBMS libraries, additional connection information
is required and could be erroneous:
 server host
 database name
.
 schema name
 credentials
In c
u t e
t i t .
10
I n s i o n
t
10
S
A tri b u
Troubleshooting Data Access
t S s
The library metadata is converted to a LIBNAME
i g h d i
statement, which you can access from the Data Library
Manager. Copy the LIBNAME statement from SAS
y r e
Management Console and submit it in a SAS session.
r
o p f o r
C o t
N
11
For troubleshooting a SAS/ACCESS library configuration when registering tables fails, perform
the following steps:
1. From SAS Management Console, right-click the library icon and select Display LIBNAME
Statement.
2. Start SAS on the SAS server host, or use a client application such as SAS Enterprise Guide, which
includes a Program Editor, and issue the LIBNAME statement displayed from SAS Management
Console.
3. If the SAS log indicates failure, check the following items:

a. If this is UNIX environment, check your UNIX environment variables:
http://support.sas.com/documentation/cdl/en/bidsag/67493/HTML/default/viewer.htm#p1w3
v98qca3sfzn1rzty2tngrfyq.htm
b. Check and revise the LIBNAME statement. For more information about LIBNAME statements
for SAS/ACCESS engines, see SAS/ACCESS® for Relational Databases: Reference. If you are
successful at this stage, then use the Properties tab of the library to reconfigure the library.
c
Center at http://support.sas.com/documentation/installcenter/94 and use the operating system .
c. Confirm that SAS/ACCESS is installed correctly. For installation information, go to the Install
In
and SAS version to locate the appropriate SAS Foundation Configuration Guide.
4. If the connection succeeds, run the DATASETS procedure:
t
PROC DATASETS LIBRARY=libref;
u e
QUIT;
t i t .
I n s
If no members are returned, then check the schema value by performing the next step or contacting
your database administrator.
i o n
u t
5. Log on with the user account to the host where the SAS server is running, and use the native database
S
client to connect to the database. If this fails, confirm that the user account has file system privileges
to the database client binaries and libraries.
S A tri b
t s
Connection to External Database Server
h i
r i g(Review)
r e d
Providing access to a third-party database such as Oracle
p y o r
or DB2 usually requires maintaining a SAS copy of
external credentials in the metadata (outbound login).
C o t f
The outbound login can be associated with the following:
 an individual metadata identity if each user has unique
N o database credentials
 a group metadata identity if a collection of users
shares database credentials
12
12
An authentication domain is a SAS metadata object that pairs logins with the server definitions where
those credentials are correctly authenticated.
For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound logins)
have the same authentication domain value (for example, “OracleAuth”) if those credentials authenticate
on that Oracle Server. Authentication domains can be managed using the Server Manager plug-in
or the User Manager plug-in. Right-click the plug-in and select Authentication Domains.
Registering Libraries and Tables

in the Metadata
Table registrations rely on other information in the
metadata, including library and server definitions.
The following applications can be used to register
tables and libraries in the metadata:
c .
In
 SAS OLAP Cube Studio
 SAS Data Integration Studio
u t e
t i t .
13
I n s i o n

S u t
You can no longer register libraries in SAS Enterprise Guide 7.1. In previous versions of SAS
A tri b
Enterprise Guide, you could use SAS Enterprise Guide Explorer to register libraries in SAS
S
Enterprise Guide. Access to SAS Enterprise Guide Explorer is a capability under role
t
management. You can use the Update Library Metadata task to register tables in SAS Enterprise
i s
Guide. Access to the Update Library Metadata task is a capability under role management.
h
r g r e d
Setting up a connection from SAS to a database management system is a two-step process:
i
1. Register the database server. This can be done within the New Library Wizard when specifying the
p y o r
server and connection information. Or it can be registered through the Server Manager Plug-in.
2. Register the database library.
C o t f
N o
Registering Libraries and Tables in Metadata

The library object contains the connection
information (engine, location of data, additional
information as needed) and the libref.
The table object is a description of the table

including column information (names, types,
attributes), indexes, name of physical table, and
c .

the library that holds the connection information.
e In
t
There are some uniqueness requirements when
u
you register libraries and tables in the metadata.
t i t .
14
I n s i o n
t
14
S
A tri
application server.
b u
The same library name cannot be used multiple times in the same metadata folder or for the same
t S
The same table name cannot be used multiple times in the same metadata folder or for the same library.
s
 To associate a library with an application server, you need WM permission for the server and WMM for
i g h
the parent folder.
d i
 To associate a table with a library, you need WM permission for the library and WMM for the parent
r
folder.
y r e
o p
data.
f o r
 For a table accessed via the metadata LIBNAME engine, you need Read permission in order to access
 For a table accessed via a native engine (that is, BASE, ORACLE, TERADATA), the Read permission
C t
in Metadata is ignored, so Grant or Deny has no effect. This is also true for the Write, Create, and
o
Delete permissions.
Metadata-Bound Libraries and Tables

Enforcement for a metadata-bound library originates from
the physical data.
c .
e In
t u t
s t i n .
15
15
I n t i o
S
A tri b u
When accessing a traditional table, a user can bypass metadata-layer controls by making a direct request.
When accessing a metadata-bound table, a user cannot completely bypass metadata-layer controls. Even
data from SAS.

t S
on a direct request, UserA is always subject to a metadata-layer permissions check before accessing SAS
s
i g h d i
For each metadata-bound table, information within the table header identifies a corresponding metadata
object (a secured table object). Metadata-layer permissions on each secured table object affect access
r r e
from SAS to the corresponding physical table.
y
p o r
For the metadata-bound table, UserB is subject to two metadata-layer authorization checks against two
different metadata objects. The first check is against a traditional table object. The second check is against
o f
a secured table object.
C o t
N
Metadata-Bound Libraries
c .
e In
t u t
s t i n .
16
16
I n t i o
S
A tri b u
Only Base SAS data, SAS tables, and SAS views can be bound to metadata. Binding data to metadata
does not prevent the use of operating system commands against files or directories.
t S
Setting up a metadata-bound library involves the following:
s
1. In the SAS metadata, below the /System/Secured Libraries/ folder, identify or create an appropriately
i g h d i
secured folder for the data.
r e
2. Use either SAS Management Console or SAS code to bind the physical library to metadata. For SAS
r
code, submit a CREATE statement with the AUTHLIB procedure. The options in the AUTHLIB
y
o p f o r
procedure reference your physical data directory and the metadata folder that you identified in step 1.
3. If you want to support access from clients that use metadata in order to locate data, make sure that
C o t
the physical library and tables are also registered in metadata.
For more information, refer to SAS® Guide to Metadata Bound Libraries.
Data Permissions for

Metadata-Bound Libraries
For secured library objects and secured table objects,
SAS enforces the following special metadata-layer
permissions:
Select (S)
Delete (D)
Read rows within a physical table.
Delete rows in a physical table.

c .
Insert (I) Add rows to a physical table.
e In
Update (U)
Create Table (CT)
t u t
Update rows in a physical table.
Create new physical table.
Drop Table (DT)
s t i .
Delete a physical table.
n
n
Alter Table (AT) Replace a physical table.
17
17
I t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Registering SAS Library and Table Metadata in SAS

Environment Manager
This demonstration illustrates how to use SAS Environment Manager to register a SAS library and tables
in the metadata.
 For the current release of SAS Environment Manager, you can browse any type of library that has
been defined in SAS metadata. You can create and edit definitions for Base SAS libraries and
SAS LASR Analytic libraries.
1. Sign in to SAS Environment Manager as Ahmed using the Student1 password.
c .
2. Select the Administration tab. To open the Libraries module, click Side Menu
e
SAS Environment Manager banner and select Libraries.
in the
In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
3. The Libraries view displays a table of all library definitions in the SAS Metadata Server. You can
g h d i
filter by library type, as well as search the table, sort the table by a selected column and choose which
columns appear in the table.
i
y r r e
o p f o r
C o t
N
4. To register a new library, click the New Library button in the upper right toolbar.
c .
e In
u t
5. Enter Orion Gold ship1 for the metadata library name. (The libref is included in the metadata library
t
s i
object name as an example of an access structure that you can use for SAS Enterprise Guide users.)
t n .
6. Select Browse to navigate to the SAS Folder location.
I n t i o
S
A tri b u
7. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.
t S s
i g h d i
y r r e
o p f o r
C t
8. For Type, select SAS Base Library.
o
N
9. Enter ship1 as the libref. Keep Engine as Base.
 A libref is a nickname or short reference to the physical location of the data. It is a
best practice to use unique librefs in the metadata. Uniqueness of librefs is not
enforced.
10. Check the box next to the path of the physical storage of the data.
c .
For Windows D: \Workshop\OrionStar\orgold
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
For Linux /opt/sas/Workshop/OrionStar/orgold
C o t
You will need to add the path for Linux.
Na. Click the Add button in the upper right toolbar.
b. Enter /opt/sas/Workshop/OrionStar/orgold. Click OK.
c .
e In
u t
The path will automatically be added to the list and checked.
t
s t i n .
I n t i o
S
A tri b u
11. Click OK.
t S s
i
12. After the definition is created, it automatically opens to basic properties to enable you to specify any
h
non-required options.
i g d
y r r e
o p f o r
C o t
N
13. To register tables in metadata to this library, from the drop-down menu select Tables.
c .
e In
t u t
s t i n .
I n
14. Click the Register Tables button
t i o in the toolbar.
S
A tri b u
t S s
i g h d i
y r r e
p o r
15. You cannot register tables until the library is assigned to a SAS server context. Click Close.
o f
C o t
N
16. From the drop-down menu, select Assign SAS Servers.
c .
e In
17. Check the box next to SASApp.
t u t
s t i n .
I n t i o
 S
A tri b u
This assignment makes the library available to the servers in the SASApp application server
t S
context.
s
i g h d i
If you do not assign a library to an application server, the library is not available in some
client applications including SAS Enterprise Guide. Unless you want to intentionally limit
y r r e
the accessibility of a library by this method, you should assign each library to an application
server. It is a best practice to use metadata-layer and operating-system-layer permissions
o p f o r
to control access to data.
C t
18. Click the Save button
o
19. From the drop-down menu, select Tables to register tables.
c .
e In
t
20. Click the Register Tables button
u t in the toolbar.
s t i n .
I n t i o
S
A tri b u
t S s

i g h d i
If you are signed in as sasadm@saspw, you will receive an error because that account is
internal and does not have access to a SAS Workspace Server.
y r r e
o p f o r
C o t
N
21. Change the location to /Orion Star/Shipping Department by using the Browse button. Select
CUSTOMER_DIM, GEOGRAPHY_DIM, ORGANIZATION_DIM, and TIME_DIM.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
22. Click OK.
t S s
23. Select Show details. (The METALIB procedure is used to register these tables. The METALIB
i g h d i
procedure is discussed in the next section.)
y r r e
o p f o r
C o t
N
24. Click Close.
 You can register tables from the Libraries module. Right-click the library and select Register
Tables from the pop-up menu. The Register Tables dialog box appears.
 You can register tables from the Folders module. Navigate to the library and right-click the
library and select Register Tables from the menu.
25. The library and tables are stored in the Orion Star  Shipping Department folder. Click the
Side Menu button and select Folders.
26. Expand Orion Star  Shipping Department.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Registering SAS Library and Table Metadata in

SAS Management Console (Optional)
This demonstration illustrates how to use SAS Management Console to register a SAS library and tables
in the metadata.
1. Log on to SAS Management Console 9.4 as Ahmed using the Student1 password.
2. On the Plug-ins tab, expand Data Library Manager  Libraries.
3. Right-click Libraries and select New Library.
c .
e In
t u t
s t i n .
I n
4. Select SAS BASE Library and click Next.
t i o
S
A tri b u
5. Enter the name Orion Gold ship1 and click Browse. (The libref is included in the metadata library
t S
object name as an example of an access structure that you can use for SAS Enterprise Guide users.)
s
i g h d i
6. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.
y r r e
o p f o r
C o t
N
7. Click Next.
8. Move SASApp to the Selected servers list box and click Next.
 This assignment makes the library available to the servers in the SASApp application server
context.
If you do not assign a library to an application server, the library is not available in some
client applications including SAS Enterprise Guide. Unless you want to intentionally limit
the accessibility of a library by this method, you should assign each library to an application
server. It is a best practice to use metadata-layer and operating-system-layer permissions
to control access to data.
9. Enter ship1 as the libref.
 A libref is a nickname or short reference to the physical location of the data. It is a
best practice to use unique librefs in the metadata. Uniqueness of librefs is not
c .
In
enforced.
10. Move the following path over.
For Windows
t e
D: \Workshop\OrionStar\orgold
u
For Linux
t i t
/opt/sas/Workshop/OrionStar/orgold
.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N
o If the path to the data source location is not in the available items, click New and navigate to
the location.
11. Click Next.
12. Review the settings and click Finish.
13. Right-click Orion Gold ship1 and select Register Tables.
14. Verify the library settings and click Next.
 If you are prompted for credentials, you are probably logged on as an unrestricted user with
only an internal account.
15. Hold down the Ctrl key and select CUSTOMER_DIM, GEOGRAPHY_DIM,
ORGANIZATION_DIM, and TIME_DIM. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
16. Click Next.
d i
r
17. Click Finish.
y r e
o p f o r
18. The tables are registered in the metadata and now appear in SAS Management Console.
C o t
N
Exercises
1. Registering a SAS Library and Tables

a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on as
Ahmed using the password Student1.
You can use SAS Environment Manager or SAS Management Console to register a SAS library.

c .
1) Make sure you are signed on to SAS Environment Manager as Ahmed and password
e In
t u t
Student1. Go to Administration page  Side Menu and select Libraries.
s t i
2) Select New Library button
n .
3) Create a library with the following characteristics:
Name
I n t i o
Customer orders ordetail
S
Folder location
A tri b u /Orion Star/Shipping Department
t S
Library Type
s
SAS Base Library
i g h Libref
d i ordetail
y r r e
Engine BASE
o p f o r
Path specification  On the Windows server: D:\Workshop\OrionStar\ordetail
 On the Linux server: /opt/sas /Workshop/OrionStar/ordetail
C o t  You will need to add the path to the existing list.
N Assigned SAS
Servers
SASApp
 Be sure to save your changes after assigning a SAS Server.

4) Register the following tables in the Customer Orders ordetail library and store the metadata
in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST
1) Make sure you are logged on as Ahmed using the password Student1. On the Plug-ins tab,
expand Data Library Manager. Right-click Libraries and select New Library.
Library Type SAS Base Library
Name Customer Orders ordetail
Folder location /Orion Star/Shipping Department
Server SASApp
Libref ordetail

c .
In
 On the Linux server: /opt/sas /Workshop/OrionStar/ordetail

u t e You will need to add the path to the existing list in the wizard.
i t
t .
I n s
i o n
2. Verifying Library and Table Metadata in SAS Enterprise Guide
S u t
a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping Folder in
SAS Management Console. Log on as Ahmed using the password Student1.
A tri b
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
S
permission on the Shipping Department folder.
t i s
c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he will
h
r i g e d
be able to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries. Through
r
p y the Server list, you can see the metadata libraries and the tables that are registered to those
r
libraries.
o
C o 
t f Only SAS Enterprise Guide and SAS Add in For Microsoft Office have a Server list
display.
N o
e. Right-click Customer Orders ordetail and select Properties. What is the libref? Click Close.
f. Enter the following LIBNAME statement in the Program Editor and run the program:
libname ordetail meta library='Customer Orders ordetail';
 To get to the Program Editor, select Program  New Program. Or you can select
File  New  Program.
Check for errors in the log.
If it was successfully assigned, you will see that under the server list, the library icon for
Customer Orders ordetail has changed to yellow because it has been assigned. (You will need
to refresh the view by right-clicking SASApp under the Server List and selecting Refresh.)
 The five tables that were registered in the previous exercise are listed under the library
in the Server list.
g. Select the Folders list in the resource pane in the bottom left of the interface. Expand
Orion Star  Shipping Department. Do you see the library? Do you see any tables?
 If you did the demonstration, you will also see the registered tables from that library.
h. Open one of the tables. (You can right-click and select Open or double-click the table.) Are you
able to open the table?
i. In the log, the physical location of the data is specified. Enter the following LIBNAME statement
into the Program Editor:
For Windows Server

libname ordetail 'D:\Workshop\OrionStar\ordetail';
For Linux Server

c .
libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';
e In
t u t
This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You will need to refresh the
s t i
view by right-clicking SASApp under the Server List and selecting Refresh.)
n .
How many tables appear in the Folders list, Orion Star  Shipping?
I n t i o
j. Use SAS Environment Manager or SAS Management Console to grant back to Shipping the
Read permission on the Shipping Department folder. Or, you can recover from the backup that
S
you performed in step a.
A tri b u
t S s
i g h d i
3. Listing Libraries, Librefs, and Their Server Contexts
y r r e
Metadata DATA step functions provide a programming-based interface to create and maintain
o p o r
metadata on the SAS Metadata Server. This program uses metadata DATA step functions to return
more detailed information about the libraries. The results are returned to a libraries data set in the
f
Work library. The requested data includes the library metadata ID, the library name, the libref, the
C t
engine, the path on the file system (or if DBMS data, the DBMS path), and the server contexts
o
to which the library is associated.
Na. In SAS Enterprise Guide, open the program extractlibrefandserverapp.sas that is located
on the client machine. Select Program tab Open Program. Navigate to D:\Workshop\spaft.
b. Verify the connection information to the metadata server in the OPTIONS statement at the top
of the program.
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs?
 Sample programs and more information about using DATA step functions to extract
metadata information can be found in the following documentation: SAS® 9.4 Language
Interfaces to Metadata, Second Edition.
5.2 Setting Up Data Access 5-29
5.2 Setting Up Data Access
Objectives
 Identify how libraries can be assigned.


Pre-assign a library.
Examine considerations for how to make data
c .
In
available.
u t e
t i t .
I n s i o n
S u t
23
S A tri b
h t i s
r i g r e d
Library Assignment
Assigning a library to a SAS server enables
p y r
 the SAS server to access the library
o
o f
 the library to be visible to users of the SAS server
C o t
 control over which SAS engine is used by the SAS
server to access data, if the library is pre-assigned.
N By default, libraries are assigned by the client

applications, but not until a user tries to access a library.
In other words, library assignment is deferred until
it is needed.
24
Assigning a library to a SAS server means letting the SAS server session know that a libref (a shortcut
name) is associated with the information that a SAS session needs to access a data library.
Pre-Assigned Libraries
Pre-assigned libraries
 are assigned when the server starts.
 require the administrator to configure the environment
so that the SAS server finds out about the libref
and the SAS engine to use for data access at server
start-up. So the connection information is established
before any code that uses that libref is submitted.
c .
 mean that the libraries do not become available
e
to the user until all pre-assigned libraries are In
assigned.
t u t
s t i n .
25
I n t i o
S
A tri b u
Pre-assigned libraries are assigned using the server’s identity. For servers that run under shared
credentials, such as the Stored Process Server, this means that the library is assigned using the shared
identity, not an individual user identity.

t S s
The disadvantage of pre-assigning libraries is that pre-assigning an excessive number of libraries
i g h d i
can slow the execution of SAS jobs for all users.
y r r e
Pre-Assigning Libraries
o p f o r
You can pre-assign a library in these ways:
C o t
 in the metadata
 in a server autoexec file
N Libraries assigned by an autoexec file take precedence

over same-named libraries that are pre-assigned
in the metadata.
 The best practice when pre-assigning libraries

is to use only one method if possible. If you have
configuration information in two places, maintenance
increases.
26
Pre-Assigning Libraries in the Metadata

To pre-assign libraries in metadata, use SAS
Management Console, or SAS Environment Manager.
c .
e In
t u t
s t i n .
27
I n t i o
S
A tri b u
By native library engine: The library is assigned through the METAAUTORESOURCES options. You use
the library engine defined for the library.
t S
By metadata LIBNAME engine: The library is assigned through the METAAUTORESOURCES options.
You use the metadata LIBNAME engine (MLE). Using the MLE ensures that access controls that are
s
i g h d i
placed on the library and its tables and columns are enforced in metadata.
By external configuration: The library is assigned through an external definition or by an autoexec file.
y r r e
o p f o r
Pre-Assigning Libraries in an Autoexec File
C o t
1. Add the LIBNAME statement to the autoexec file.
libname orstar
N "S:\Workshop\OrionStar\orstar";
libname orstar meta

library="Orion Star Library";
2. Restart the object spawner and any server processes

whose autoexec files were modified.
28
 You cannot see the LIBNAME statement in the properties of the metadata library if the library is
pre-assigned.
The LIBDEBUG option reports to the SAS log the LIBNAME statement, which is generated behind
the scenes when the META engine is used.
libname orstart meta library="Orion Star Library" libdebug;
c .
Metadata LIBNAME Engine
e In
u t
The metadata LIBNAME engine points to metadata,
t
rather than referencing the actual physical data.
t i
The engine does the following:
s n .
 retrieves library connection information from
I n o
the metadata (physical location of data, credentials
if required, and so on)
t i
S
A tri b u
 enforces additional metadata permissions
(Read, Write, Create, Delete)
t S
 uses the access engine (such as Base or Oracle)
in the library definition to read values from tables
s
i g h d i
in the library
y r r e
o p
29
f o r
You can use the appropriate METAOUT option value on your META LIBNAME statement in your
C t
autoexec file for pre-assignment.
o
METAOUT=ALL
N
*default
You can read, create, update, and delete observations in physical tables
that exist and are registered in metadata. You cannot create or delete
entire tables.
You can read, create, update, and delete physical tables.
METAOUT=DATA
METAOUT=DATAREG You can read, update, and delete physical tables that are defined in
metadata. You can create a table, but you cannot read, update, or delete
the new table until it is defined in metadata.
If you want to use the META engine and do not need to create or delete tables, do the following:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by the metadata LIBNAME engine.
 Using this option results in using the metadata engine with the METAOUT=ALL option.
This LIBNAME option specifies that you can read, create, update, and delete observations
in physical tables that exist and are registered in metadata. You cannot create or delete entire
tables.
If you want to use the META engine and need to create or delete tables, do the following:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by external configuration.
3. Add the metadata LIBNAME statement to an autoexec file. You can use the appropriate METAOUT=
c .
In
option value. For example:
libname meta library="Orion Star Library" metaout=data;

t e
Omitting the METAOUT= option in your LIBNAME statement or flagging the
u
t t
pre-assignment in metadata with the metadata engine results in using the metadata engine
i
with the METAOUT=ALL option.
.
I s i o n
4. Restart the object spawner and any server processes whose autoexec files were modified.
n
For the SAS/CONNECT server and the SAS DATA Step Batch server, modify the server’s
S u
-metaautoresources 'SASApp' t
sasv9_usermods.cfg file by adding the following SAS system option:
S A tri b
t s
Default Engines Used
h i
r i g r e d Library
Minimum
Metadata
y
Application
Engine Used Authorizations
o p f o r
SAS Add-In for Microsoft Office META
Required
Library:
t
SAS Enterprise Guide ReadMetadata
C o
Table:
ReadMetadata
N
Read
SAS Data Integration Studio Native engine Library:
SAS OLAP Cube Studio ReadMetadata
SAS Information Map Studio Table:
ReadMetadata
30
30
When libraries are not pre-assigned, each SAS application accesses data with the SAS engine that makes
the most sense for that application. Applications typically used for queries and reporting are designed
to use the metadata engine. Applications typically used to update or create tables are designed to use
the native engine.
 The metadata authorization layer supplements operating system and RDBMS security. It does not
replace it. Operating system and RDBMS authorization should always be used as the first means
of securing access to tables.
Metadata LIBNAME Engine Used Metadata LIBNAME Engine Not Used
Library not SAS Enterprise Guide SAS Data Integration Studio

pre-assigned SAS Add-In for Microsoft Office SAS OLAP Cube Studio
SAS Information Map Studio
Library  in metadata with meta engine  in metadata with native engine
pre-assigned  in autoexec file with meta engine  in autoexec file with native engine
c .
SAS Enterprise Guide and SAS Add-In
e In
for Microsoft Office
t u t
If you administer only SAS Enterprise Guide and SAS Add-
s t i
Should users be permitted to
n .
In for Microsoft Office, consider the following questions:
I n
create new tables or modify
t i o
existing tables in the library?

S
Do you want metadata
A tri b u
permissions enforced on
S
tables?

h t
Should the library connection
i s
be deferred until needed or
r i g r e d
made when the server starts
(pre-assignment)?
31
p y31
o r
C o t f
N o Library Metadata and AssignMode
Anytime that SAS Enterprise Guide or SAS Add-In
assigns a library, the library’s value of AssignMode
is used, if present, to determine the assignment behavior.
For libraries assigned with the META engine, the value
of AssignMode is also used to set the value for
the METAOUT= option.
With an AssignMode value of 0, data is accessed through

the underlying engine and no metadata permissions
on tables or columns are enforced. Tables can be seen
only through the Server list.
32
 This would have the same effect as pre-assigning a library with the native LIBNAME statement.
You risk permanently corrupting the library metadata if you do not enter a valid name and value
for the extended attribute.
AssignMode Values
0 The library is assigned using SAS Enterprise Guide. Data is accessed through the underlying
engine and no metadata permissions on tables or columns are enforced.
c .
1 The library is assigned using the META engine with the METAOUT=ALL option (the
default META engine behavior). Metadata permissions are enforced and the user only sees
e
registered tables. The metadata and physical tables are prevented from becoming out of In
t u t
sync, even if the user has permissions such as Write and Delete on tables in the library.
s t i n .
The library is assigned using the META engine with the METAOUT=DATA option.
Metadata permissions are enforced for all registered tables, but the user sees all physical
I n t i o
tables in the library. The user can change, create, and delete registered tables
if he has appropriate permissions in the metadata. This can cause the metadata and the
4
S
physical tables to become out of sync.
A tri b u
The library is assigned using the META engine with the METAOUT=DATAREG option.
t S
Metadata permissions are enforced and the user only sees registered tables. In this mode, the
s
users can change, create, and delete the tables if they have appropriate permissions in the
i g h d i
metadata. This can cause the metadata and the physical tables to become out of sync. If the
user creates a table, he cannot read, update, or delete the newly created table until it is
y r r e
registered in metadata.
o p f o r
Other applications, such as SAS Data Integration Studio, ignore the AssignMode extended attribute when
you assign libraries.
C o t
Access to Data in Stored Processes
N You have several options to make data available
to a stored process:
 include the LIBNAME statement using the native
engine in the code
 include the LIBNAME statement using the META
engine in the code
 pre-assign the library
33
33
If you include a LIBNAME statement in the code:

 The library is assigned when the code runs.
 Metadata layer permissions for the user running the code are checked.
 Operating system access is based on the account under which the server runs.
 RDBMS access is based on the credentials used to make the connection.
If you choose to include the LIBNAME statement using the native engine in the code, you need
 include RDBMS credentials for RDBMS data or include the AUTHDOMAIN= option so that
credentials can be retrieved from the metadata for the connecting user
c .
 maintain connection information included in the LIBNAME statements in the code
e In
t u t
If you choose to include the LIBNAME statement using the META engine in the code, you need
s i
 maintain RDBMS credentials in the metadata
t n .
 maintain the connection information in the metadata
I n
Updating Table Metadata t i o
S
A tri b u
Updating table metadata synchronizes the physical data
t S
with the metadata definitions of the data. The following
s
methods are available:
i g h d i
 update Metadata task in SAS Management Console
and Data Integration Studio
y r r e
 update Library Metadata task in SAS Enterprise Guide
o p f o r
 custom code using the METALIB procedure
C o t
34
N
Updating table metadata enables you to:
 Add table metadata for tables that exist in the physical library but have no metadata in the repository.
 Delete metadata for table definitions that exist in the metadata repository but do not have a
corresponding table in the physical library.
 Update table definitions to match corresponding physical tables, including changes to the table’s
columns and indexes.
PROC METALIB provides options for maintaining your table metadata that are not available in SAS
Management Console.
 The Update Library Metadata task in SAS Enterprise Guide uses PROC METALIB.
 The Update Library Metadata task is available from the Task List, under the Tools category,
or by selecting Tools  Update Library Metadata.
 The METALIB procedure gives you the most control over the updating features and can be run in
batch.
The METALIB procedure can produce “duplicate” table registrations in the same metadata folder.
These are two tables with the same name but registered to different libraries. SAS Data
Integration Studio table properties highlight the differences.
The METALIB procedure syntax is as follows:
PROC METALIB;
OMR <=> (LIBID = <">identifier<"> | LIBRARY = <">name<">
c .
In
| LIBRARY = "/folder-pathname/name" |
| LIBURI = "URI-format"
<server-connection-arguments>);
t e
<EXCLUDE <=> (table-specification <table-specification-n>);> |
u
<SELECT (table-specification <READ = read-password>
t i t
< table-specification-n <READ = read-password-n>>);>
.
I n s
<FOLDER <=> "/pathname";> |
i
<IMPACT_LIMIT = n;>
o n
<FOLDERID <=> "identifier.identifier";>
S <NOEXEC;>
u t
S A tri b
<PREFIX <=> <">text<">;>
<REPORT <<=> (report-arguments)>;>
h t i s
<UPDATE_RULE <=> (<DELETE> <NOADD> <NODELDUP>
<NOUPDATE> <STATS_AUTH>);>
r i g
RUN;
r e d
p y
For more information about the METALIB procedure, refer to SAS® 9.4 Language Interfaces
to Metadata.
o r
C o t f
N oSecurity
Access to a table requires access to the following:
 server metadata for a server that opens data
 credentials for a server (or multiple servers)
 table metadata
 a table in an operating system.
 The level of metadata security for tables depends

on whether the metadata LIBNAME engine is used.
35
Exercises
4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications

a. Perform an ad hoc backup named Before adding library assignment example in
b. Register a library and tables in metadata. You can use SAS Environment Manager or
SAS Management Console to register a SAS library.
c .
e In
t
1) Make sure you are signed in to SAS Environment Manager as Ahmed and password
u
Student1. Go to Administration page  Side Menu
t
and select Libraries.
t i
2) Select the new library button
s n . in the upper right toolbar.
I n t i o
S
Name
A tri b
Folder location u Library Assignment Example libdata
/Orion Star/Shipping Department
t S s
i g h d
Librefi libdata
y r r e
Engine BASE
o p f o r Path specification  On the Windows server: D:\Workshop\OrionStar\orstar
C o t  On the Linux server: /opt/sas/Workshop/OrionStar/orstar
N Assigned SAS
Servers
SASApp
4) Register the following tables in the Library Assignment Example libdata library and store
the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM
Name Library Assignment Example libdata
Server SASApp
Libref libdata
Path specification  On the Windows server: D:\Workshop\OrionStar\orstar

 On the Linux server: /opt/sas/Workshop/OrionStar/orstar
c .
e
c. Add Jacques to the Authorization of the Shipping Department folder. Verify that he has In
u t
a grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.
t
t i .
d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Submit the following
code:
s n
run;
I n t i o
proc print data=libdata.NEWHIRES (obs=10);
 S
A tri b u
You get the following error: ERROR: Libref LIBDATA is not assigned.
A solution would be to do the following:
t S 1) Right-click Library Assignment Example libdata and select Assign but coders do
s
i g h d i
not like this.
2) Provide a LIBNAME statement, but that is more difficult to maintain/administer.
y r r e
3) Pre-assign a library.
o p f o
libdata.r
e. Navigate to Server List  Servers  SASApp  Libraries  Library Assignment Example
C o t


The library icon is white (unassigned).
There are two tables (NEWHIRES and PRODUCT_DIM).
Nf. Open the NEWHIRES table. Are you successful?

 SAS Enterprise Guide assigns libraries by default, using the metadata LIBNAME engine.
The metadata LIBNAME engine enforces the Read permission in metadata.
g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect. Click Yes in the
pop-up window.
h. Log on to SAS Data Integration Studio as Jacques using the password Student1. Navigate
to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and select Open.
 No error was generated, and Jacques is able to view the data because SAS Data
Integration Studio uses the native engine by default (BASE, ORACLE, R3, and so on.),
so the Read, Write, Create, and Delete permissions in metadata are ignored.
i. Exit SAS Data Integration Studio.
5. Pre-Assigning a Library in the Metadata

a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment Manager
or SAS Management Console.
1) Go to the Administration page  Side Menu and select Libraries. Right-click Library
Assignment Example libdata and select Open.
2) From the drop-down menu, select Options. In the left pane, select Pre-assign.
c .
3) Pre-assign the library using By metadata library engine.
4) Save your changes

e . In
5) Click Close.
t u t
t
s i n .
I n
and select Properties.
t i o
1) Under the Data Library Manager plug-in, right-click Library Assignment Example libdata
S u
2) On the Options tab, click the Advanced Options button.
A tri b
t S
3) Pre-assign the library using: By metadata library engine. Click OK twice.
s
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list,
i g h d i
expand SASApp. (This establishes the connection or session.)
c. Expand Library Assignment Example libdata.
y r 
r e
The Library icon is yellow, which means it is assigned.
o p 
f o r You see the two registered tables (NEWHIRES and PRODUCT_DIM).
t
d. Open Program Editor. Edit and submit the following code:
C o
run;
N  The code runs, but there is an authorization error. The library assigns but cannot read
data. (The metadata LIBNAME engine enforces Read, Write, Create, and Delete.)
e. Disconnect from the workspace server by right-clicking SASApp under the Servers list and select
Disconnect.
f. Log on to SAS Data Integration Studio as Jacques using the password Student1. On the Folders
tab, navigate to Orion Star  Shipping Department. Right-click NEWHIRES and select
Open.
 There is an error indicating that Read permission is required because this library was pre-
assigned with the metadata LIBNAME engine.
g. Exit SAS Data Integration Studio.
6. Pre-Assigning a Library in Metadata Using Native Engine
1) Go to the Administration page  Side Menu and select Libraries. Right-click

Library Assignment Example libdata and select Open.
2) From the drop-down menu, select Options. In the left pane select Pre-assign.
3) Pre-assign the library using By native library engine.
4) Save your changes .Click Close.
c .
e In
t u t
t i .
s n
3) Pre-assign the library using: By native library engine. Click OK twice.
I n t i o
b. In SAS Enterprise Guide verify that you are logged on as Jacques. Under the Servers list, expand
SASApp. (This establishes the connection or session.)

S
A tri b u

t S The Library icon is yellow, which means it is assigned.
s
i
All tables show up regardless of whether they are registered in metadata, based on
i g h Jacques’ operation system permissions on the table.
d
y r r e
d. Open the Program Editor. Enter and submit the following code:
o p 
run;
f o r The code runs, and a list report is produced with 10 rows displayed.
C o t
 There were no metadata permissions enforced on the table. When you pre-assign with
N
the native engine, SAS Enterprise Guide displays all tables in the server list, regardless
of whether they are registered in metadata.
 To have the native LIBNAME engine used without pre-assigning the library,
use the AssignMode option with value of 0.
e. Exit out of SAS Enterprise Guide.
f. Remove Jacques from the Authorization tab of the Shipping Department folder
using SAS Environment Manager or SAS Management Console.
7. Updating Table Metadata with SAS Enterprise Guide
a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
b. Select Tools  Update Library Metadata.
c. Select SASApp as the server and Customer Orders ordetail. Click Next.
d. Select Report on the differences between physical tables and the metadata repository.
e. View the results. Do any tables need to be updated?

Do any tables need to be added?
Do any tables need to be deleted?
f. In the project tree, under the process flow, right-click Update Metadata for "Customer Orders
ordetail" and select Modify Update Metadata for "Customer Orders ordetail".
Keep the same server and library, but update and add table definitions in the metadata with
the actual tables and columns.
For which actions can you override the default credentials?
c .
What are the default credentials?
e
Why or when might you want to override the default credentials? In
Are any new tables defined?
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5.01 Quiz
The unrestricted user can see the Sample Data
library and its tables registered in the metadata using
Marcel cannot see the Sample Data library and tables
in SAS Add-In for Microsoft Office or in SAS Data
Integration Studio.
What is the problem?
c .
e In
t u t
s t i n .
38
I n t i o
5.02 Quiz
S
A tri b u
t S s
g h d i
i
y r r e
Marcel can see the Sample Data library and tables in
SAS Add-In for Microsoft Office but cannot open the table.
o p o r
What is a possible cause of this problem?
f
C o t
N
40
5.03 Quiz
SAS Management Console and in SAS Data Integration
Studio. Marcel can open the table in SAS Data Integration
Studio.
in the SAS Add-In for Microsoft Office.
c .
e In
t u t
s t i n .
42
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5.3 Solutions 5-45
5.3 Solutions
1. Registering a SAS Library and Tables
a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on as
Ahmed using the password Student1.
c .
e In
t u t
s t i n .
I n t i o
You can use SAS Environment Manager or SAS Management Console to register a SAS library.
S
A tri b
SAS Environment Manager u
t S
1) Make sure you are signed on to SAS Environment Manager as Ahmed using the password
s
i g h d i
Student1. Go to Administration page  Side Menu and select Libraries.
y r r e
2) Select New Library button in the upper right toolbar.
o p f o r
C o t
N
Name Customer orders ordetail
Libref ordetail
c .
In
Engine BASE
Path specification
u t e On the Windows server: D:\Workshop\OrionStar\ordetail

 On the Linux server: /opt/sas /Workshop/
t i t 
OrionStar/ordetail
. You will need to add the path to the existing list.
I n
Assigned SAS s i o n
SASApp
Servers
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
a) Click the Add button to add the path of the physical location of the data to the list.
5.3 Solutions 5-47
b) Enter the path. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri
c) Click OK.
b u
t S
d) From the drop-down menu, select Assigned SAS Servers.
s
i g h d i
y r r e
o p f o r
C o t
N e) Check SASApp.
f) Click Save button in the upper right toolbar.
a) From the drop-down menu, select Tables.
c .
e In
u t
b) Click the Register Tables button
t
in the toolbar.
s t i n .
 I n t i o
If you are signed in as sasadm@saspw you will receive an error, since that
S
A tri u
account is internal and does not have access to a SAS Workspace Server.
b
t S s
i g h d i
y r r e
o p f o r
C o t
N c) Change the location to /Orion Star/Shipping Department by using the Browse button.
5.3 Solutions 5-49
c .
e In
t u t
s t i n .
I n t i o
d) Click OK. Select CUSTOMER_DIM, GEOGRAPHY_DIM,
ORGANIZATION_DIM, and TIME_DIM.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
e) Click OK. Click Close in the pop-up window.
f) Click Close.
1) Make sure you are logged on as Ahmed using the password Student1. On the Plug-ins tab,
expand Data Library Manager. Right-click Libraries and select New Library.
c .
e In
t u t
s t i n .
I n i o
t
S
Library Type
A tri b u SAS Base Library
t S
Name
s
Customer Orders ordetail
i g h d i
y r r e
Server SASApp
o p f o r
Libref
Path specification
ordetail
 On the Windows server: D:\Workshop\OrionStar\ordetail
C o t  On the Linux server: /opt/sas/Workshop/OrionStar/ordetail
N  You need to add the path to the existing list in the wizard.
5.3 Solutions 5-51
a) Highlight SAS BASE Library. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
b) Enter Customer Orders ordetail in the Name field. Select Browse and navigate to
t S Orion Star/Shipping Department. Click Next.
s
i g h d i
y r r e
o p f o r
C o t
N
c) Move SASApp to the Select Servers side. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
d) Enter ordetail in the Libref field. Select New to add the data path to the Available items
y r r e
list.
o p f o r
C o t
N
5.3 Solutions 5-53
e) Navigate to the proper location.
For Windows Server
D:\Workshop\OrionStar\ordetail
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
For Linux Server
y r r e opt/sas/Workshop/OrionStar/ordetail
o p f o r
C o t
N
f) Click OK twice.
g) The path appears in the Selected items: pane. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
h) Click Finish.
C o t
N
5.3 Solutions 5-55
a) Right-click the Customer Orders ordetail library under the Data Library Manager plug-
in and select Register Tables.
c .
e In
t u t
s t i n .
I n
b) Click Next.
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
c) Hold down the Ctrl key down while you select CUSTOMER, ORDERS,
ORDER_ITEM, PRICE_LIST, and PRODUCT_LIST. Verify that the folder location
s
i g h d i
in metadata is the same as where the library was registered. Click Next.
y r r e
o p f o r
C o t
N
d) Click Finish.
5.3 Solutions 5-57
2. Verifying Library and Table Metadata in SAS Enterprise Guide

a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping Folder in
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
permission on the Shipping Department folder.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he is able
to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries. Through
the Server list, you can see the metadata libraries and the tables that are registered to those
libraries.
 Only SAS Enterprise Guide and SAS Add-in for Microsoft Office have a Server list
display.
c .
e In
t u t
s t i n .
Click Close.
I n t i o
e. Right-click Customer Orders ordetail and select Properties. What is the libref? ORDETAIL
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
f. Enter the following LIBNAME statement in the Program Editor and run the program:
libname ordetail meta library='Customer Orders ordetail';
 To get to the Program Editor, select Program  New Program. Or you can select
File  New  Program.
Check for errors in the log.
5.3 Solutions 5-59
c .
e In
If it was successfully assigned, you will see that under the Server list, the library icon for
u t
Customer Orders ordetail has changed to yellow because it has been assigned. (You will need
to refresh the view by right-clicking SASApp under the Server List and selecting Refresh.)
t

t i .
The five tables that were registered in the previous exercise are listed under the library
s
in the Server list.
n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
g. Select the Folders list in the resource pane in the bottom left of the interface. Expand
o p f o r
Orion Star  Shipping Department. Do you see the library?
No, the folder structure in SAS Enterprise Guide does not show library definitions.
C o t
Do you see any tables?
Yes, the registered tables to the Customer Orders ordetail are displayed.
N  If you did the demonstration, you will also see the registered tables from that library.
h. Open one of the tables. (You can right-click and select Open, or double-click the table.)
Are you able to open the table?
No.
c .
Authorization for accessing this table requires Read as well as ReadMetadata when opening
e
tables in SAS Enterprise Guide, because the metadata LIBNAME engine is used In
t u t
by default, which enforces the Read permission as well. In step a, we denied Shipping the
Read permission on the Shipping Department folder.
t i .
i. In the log, the physical location of the data is specified. Enter the following LIBNAME statement
s
into the Program Editor:
n
I n
For Windows Server
t i o
S u
libname ordetail 'D:\Workshop\OrionStar\ordetail';
A tri b
t S For Linux Server
s
i g h d i
libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';
y r r e
This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You will need to refresh the
o p f o r
view by right-clicking SASApp under the Server List and selecting Refresh.)
All the tables that the user logged on and has permission to see in the stored location in the
C o t
Operation System. When writing this native LIBNAME statement, the user is not going
through metadata for table metadata, so no metadata permissions are enforced.
How many tables appear in the Folders list, Orion Star  Shipping? Five tables that were
registered in metadata
5.3 Solutions 5-61
j. Use SAS Environment Manager or SAS Management Console to grant back to Shipping the
Read permission on the Shipping Department folder. Or, you can recover from the backup that
you performed in step a.
3. Listing Libraries, Librefs, and Their Server Contexts

Metadata DATA step functions provide a programming-based interface to create and maintain
c .
In
metadata in the SAS Metadata Server. This program uses metadata DATA step functions to return
more detailed information about the libraries. The results are returned to a libraries data set
e
in the Work library. The requested data includes the library metadata ID, the library name, the libref,
t
the engine, the path on the file system (or if DBMS data, the DBMS path), and the server contexts
u
to which the library is associated.
t i t .
a. In SAS Enterprise Guide, open the program extractlibrefandserverapp.sas that is located
n
D:\Workshop\spaft.
I s
on the client machine. Select Program tab  Open Program and navigate to
i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
b. Verify the connection information to the metadata server in the OPTIONS statement at the top
of the program.
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs? No.
 Sample programs and more information about using DATA step functions to extract
c .
Interfaces to Metadata, Second Edition.
e In
metadata information can be found in the following documentation: SAS® 9.4 Language
t u t
4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications
a. Perform an ad hoc backup named Before adding library assignment example in SAS
t i .
Management Console. Log on as Ahmed using the password Student1.
s n
b. Register a library and tables in metadata. You can use SAS Environment Manager or
I n o
SAS Management Console to register a SAS library.
t i
S
A tri b u
t S
1) Make sure you are signed in to SAS Environment Manager as Ahmed using the password
Student1. Go to Administration page  Side Menu
s
and select Libraries.
i g h d i
2) Select new library in the upper right toolbar.
y r r e
o p f o r
C o t
N Name
Folder location
Library Assignment Example libdata
/Orion Star/Shipping Department
Libref lidbata
Engine BASE

 On the Linux server: /opt/sas/Workshop/OrionStar/ordetail
Assigned SAS SASApp

Servers
5.3 Solutions 5-63
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
a) Check the box next to:
For Windows server: D:\Workshop\OrionStar\orstar
t S For Linux server: /opt/sas/Workshop/OrionStar/orstar
s
i g h d i
y r r e
o p f o r
C o t
N b) Click OK.
c) From the drop-down menu, select Assigned SAS Servers.
d) Check SASApp.
e) Click Save button in the upper right toolbar.
c .
e
a) From the drop-down menu, select Tables. In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
b) Click the Register Tables button in the toolbar.
y r r e
o p f o r  If you are signed in as sasadm@saspw you will receive an error, because that
C o t account is internal and does not have access to a SAS Workspace Server.
5.3 Solutions 5-65
c) Change the location to /Orion Star/Shipping Department by using the Browse button.
c .
d) Click OK.
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
e) Select NEWHIRES, PRODUCT_DIM. Click OK.
o p f o r
C o t
N
f) Click Close in the pop-up window.
g) Click Close
c .
e In
t u t
t i .
s n
Name I n
Library Type
t i
SAS Base Library
o
Library Assignment Example libdata
S
A tri
Folder location
b u /Orion Star/Shipping Department
t S
Server
s
SASApp
i g h Libref
d i libdata
y r r e
Path specification  On the Windows server: D:\Workshop\OrionStar\orstar
o p f o r  On the Linux server: /opt/sasinside/DemoData/Workshop/

OrionStar/orstar
C o t a) In the Data Library Manager Plug-in, right-click Libraries and select New Library
5.3 Solutions 5-67
b) Select Base Library. Click Next.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h i
c) Enter Library Assignment Example libdata in the Name field. Make sure that the
metadata location is /Orion Star/Shipping Department. Click Next.
d
y r r e
o p f o r
C o t
N
d) Move SASApp to the Selected servers list and click Next.
e) Enter libdata in the Libref field and highlight:
For Windows Server
D:\Workshop\OrionStar\orstar
For Linux Server
opt/sas/Workshop/OrionStar/orstar
f) Move it to the Selected items list. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5.3 Solutions 5-69
g) Click Finish.
Right-click Library Assignment Example libdata under the Data Library Manager Plug-in
and select Register Tables. Click Next. With the Ctrl key held down, select NEWHIRES
and Product_DIM. Verify that the metadata location is the same folder as the library. Click
Next. Click Finish.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nc. Add Jacques to the Authorization of the Shipping Department folder. Verify that he has
a grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.
1) Make sure you are signed in to SAS Environment Manager as Ahmed using the password
Student1. Go to Administration page  Side Menu and select Folders.
2) Expand Orion Star folder. Right-click Shipping Department folder and select Open.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r e
4) Click the Add Identities button in the upper right toolbar.
r
o p f o r
C o t
5) Enter Jacques and press Enter. Move Jacques over to the Identities to add pane. Click OK.
5.3 Solutions 5-71
6) He will be given an automatic grant of ReadMetadata. Select Deny for all other permission
that he has as indirect grants.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
7) Click the Save button in the upper right toolbar. Click Close.
o p f o r
C o t
1) Right-click the Shipping Department folder and click the Authorization tab. Click Add
next to the Users and Groups window. Add Jacques to the Selected Identities list. Click OK.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
He will be given an automatic grant of ReadMetadata. Select Deny for all other permission
s
i g h d i
that he has as indirect grants.
y r r e
o p f o r
C o t
N
5.3 Solutions 5-73
d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Submit the following
code:
proc print data=libdata.NEWHIRES(obs=10);
run;
You get the following error: ERROR: Libref LIBDATA is not assigned.
c .
e In
t u t

s i
A solution would be to do the following:
t n .
1) Right-click Library Assignment Example libdata and select Assign, but coders do not like
this.
I n t i o
2) Provide a LIBNAME statement, but that is more difficult to maintain/administer.
S
A tri b
3) Pre-assign a library.
u
t
libdata
S
e. Navigate to Server List  Servers  SASApp  Libraries  Library Assignment Example
s
i

g h i
The library icon is white (unassigned).
d
y r 
r e
There are two tables (NEWHIRES and PRODUCT_DIM).
o p o r
f. Open the NEWHIRES table. Are you successful? No, an Error window appears, indicating
that Read permission is required.

f
C t
SAS Enterprise Guide assigns libraries by default, using the metadata LIBNAME engine.
o
The metadata LIBNAME engine enforces the Read permission in metadata.
N Right-click the NEWHIRES table in the server list and select Open.
Error message:
g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect. Click Yes
in the pop-up window.
c .
e In
u t
h. Log on to SAS Data Integration Studio as Jacques using the password Student1. Navigate
to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and select Open.
t
s t i n .
I n t i o
S
A tri b u
t S s
i g
 h d i
No error was generated, and Jacques is able to view the data because SAS Data
y r r e
Integration Studio uses the native engine by default (BASE, ORACLE, R3, and so on.),
so the Read, Write, Create, and Delete permissions in metadata are ignored.
o p o r
i. Exit SAS Data Integration Studio.
f
5. Pre-Assigning a Library in the Metadata
C o t
N SAS Environment Manager
1) Go to Administration page  Side Menu and select Libraries. Right-click Library

5.3 Solutions 5-75
c .
e In
t u t
2) From the drop-down menu, select Options. In the left pane select Pre-assign.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
3) Pre-assign the library using: By metadata library engine.
o p f o r
C o t
N
5) Click Close.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
3) Pre-assign the library using the metadata library engine.
Click OK twice.
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)
5.3 Solutions 5-77
c .
e In
t


t i t u
.
You see the two registered tables (NEWHIRES and PRODUCT_DIM).
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f run;
N o  The code runs, but there is an authorization error. The library assigns but cannot read data
(The metadata LIBNAME engine enforces Read, Write, Create, and Delete.)
e. Disconnect from the workspace server by right-clicking SASApp under the Servers list and select
Disconnect.
c .
e In
u t
f. Log on to SAS Data Integration Studio as Jacques using the password Student1. On the Folders
t

s t i
tab, navigate to Orion Star  Shipping. Right-click NEWHIRES and select Open.
n .
There is an error indicating that Read permission is required because this library was
I n t i o
pre-assigned with the metadata LIBNAME engine.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
g. Exit SAS Data Integration Studio.
6. Pre-Assigning a Library in Metadata using Native Engine
1) Go to Administration page  Side Menu and select Libraries. Right-click Library

5.3 Solutions 5-79
c .
e In
t u t
2) From the drop-down menu, select Options. In the left pane, select Pre-assign.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
3) Pre-assign the library using By native library engine.
o p f o r
C o t
N
4) Save your changes . Click Close.
3) Pre-assign the library using: By native library engine.
c .
e In
t u t
s t i n .
I n t i o
S
Click OK twice.
A tri b u
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list, expand
t S
SASApp. (This establishes the connection or session.)
s
i

g h d i
y r 
r e
All tables show up regardless of whether they are registered in metadata, based
o p f o r on Jacques’ operating system permissions on the table.
C o t
N
run;
 The code runs and a list report is produced with 10 rows displayed.
5.3 Solutions 5-81
 There were no metadata permissions enforced on the table. When you pre-assign with
the native engine, SAS Enterprise Guide displays all tables in the server list, regardless
of whether they are registered in metadata.
 To have the native LIBNAME engine used without pre-assigning the library,
use the ASSIGNMODE= option with value of 0.
e. Exit out of SAS Enterprise Guide.
.
f. Remove Jacques from the Authorization tab of the Shipping Department folder
c
using SAS Environment Manager or SAS Management Console.
In
7. Updating Table Metadata with SAS Enterprise Guide
a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
t e
b. Select Tools  Update Library Metadata.
u
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
c. Select SASApp as the server and Customer Orders ordetail. Click Next.
N o
d. Select Report on the differences between physical tables and the metadata repository.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
g h d i
e. View the results. Do any tables need to be updated? Yes, one table
i
y r e
Do any tables need to be added? Yes, 17 tables
r
o p f o r
Do any tables need to be deleted? No
C o t
N
5.3 Solutions 5-83
f. In the project tree, under the process flow, right-click Update Metadata for "Customer Orders
ordetail" and select Modify Update Metadata for "Customer Orders ordetail".
c .
In
Keep the same server and library, but update and add table definitions in the metadata with
the actual tables and columns.
t e
For which actions can you override the default credentials? The Update and Delete selections
u
t t
What are the default credentials? The user who is currently logged on, Ray/Student1
i .
Why or when might you want to override the default credentials? If the user that you used
s
libraries and tables
I i o n
to log on to SAS Enterprise Guide does not have the appropriate permissions to update
n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Are any new tables defined? Yes, 17 tables
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
5.3 Solutions 5-85

in SAS Add-In for Microsoft Office or in SAS Data
c .
Integration Studio.
e In
t u t
Marcel was denied access to the Sample Data library
t
via metadata permissions.
s i n .
I n t i o
39
S
A tri b u
t S s
i g h d i
y r r e
o p o r
f
SAS Add-In for Microsoft Office but cannot open the table.
C o t
What is a possible cause of this problem?
N Marcel does not have sufficient access to the table

metadata or access to the physical table in the
operating system or database where it resides.
41

SAS Management Console and in SAS Data Integration
Studio. Marcel can open the table in SAS Data Integration
Studio.
in the SAS Add-In for Microsoft Office.
c .
e
The Sample Data library was not assigned In
to an application server.
t u t
s t i n .
43
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 6 Monitoring the SAS®
Environment with SAS® Environment
Manager
c .
6.1 Operating SAS Servers and Spawners ........................................................................6-3
e In
t u t
Demonstration: Using SAS Environment Manager to Operate Servers and Spawners ...... 6-10
s i
Exercises .............................................................................................................................. 6-12
t n .
n
6.2 Monitoring a SAS Environment with SAS Environment Manager ...........................6-13
I t i o
Demonstration: Viewing Analyze Pages and Creating an Alert in SAS Environment
S
A tri b u
Manager ..................................................................................................... 6-13
Exercises .............................................................................................................................. 6-13
t S s
6.3
i g h d i
Exploring SAS Environment Manager Service Architecture....................................6-13
Demonstration: Changing Report Parameters in SAS Management Console .................... 6-13
y r r e
Exercises .............................................................................................................................. 6-13
o p
6.4
f o r
Solutions .....................................................................................................................6-13
C o t Solutions to Exercises .......................................................................................................... 6-13
N
6-2 Chapter 6 Monitoring the SAS® Environment with SAS® Environment Manager
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
6.1 Operating SAS Servers and Spawners 6-3
6.1 Operating SAS Servers and Spawners
Objectives
 Explore the recommended start-up order for
.
the SAS servers and spawners.


Examine the recommended method of starting
up the SAS servers and spawners.
Use SAS Environment Manager to operate
In c
the servers and spawners.
u t e
t i t .
I n s i o n
S u t
3
S A tri b
h t i s
r i g
Required Servers
r e d
y
In order for clients to access the SAS environment, the
o p o r
following components must be running on network-
accessible machines:
f
C 1
o t 2
SAS Object Spawner
(and other SAS Servers)
N
SAS Metadata
Server
SAS Web 3 4
Infrastructure
An instance of SAS Environment
Platform Data SAS Middle- Manager Agent on each server-tier
Server Tier Servers and middle-tier machine
5
SAS Deployment Agent
4
The SAS object spawner acts as a listener for SAS Workspace Servers, SAS Pooled Workspace Servers,
and SAS Stored Process Servers.
You might also have the following components on network-accessible machines: a SAS OLAP Server, a
SAS/SHARE server, a SAS/CONNECT spawner, and SAS Distributed In-Process Scheduler Job Runner,
a SAS Deployment Tester server, which is used to run the SAS Deployment Tester utility.
SAS middle-tier servers include the SAS Web Application Server, SAS Web Server, SAS Environment
Manager Server, and the supporting JMS Broker and Cache Locator components.
 Because of dependencies, it is important to start the servers in the correct order. Processes on the
server tier need to be started before the middle tier. The recommended order is described on the
following slides.
Recommended Start-Up Order: Server Tier

c .
In
Start Order Server or Service
e
1 SAS Metadata Server
2
t
SAS Web Infrastructure Platform Data Server
t u
3
4 t i
SAS OLAP Server
s
SAS Object Spawner
n .
5
I n
SAS/SHARE Server
t i o
6
7 S
A tri b u
SAS/CONNECT Spawner
SAS Deployment Tester Server
t S SAS Distributed In-Process Scheduler Job Runner
s
5
i g h d i

y r r e
All of the servers except the SAS Web Infrastructure Platform Data Server depend
o
 p f r
on the metadata server.
o
In clustered configurations, make sure that all the metadata server nodes are running before
C o tyou start dependent components.
N
By default, the SAS Web Infrastructure Platform Data Server is backed by PostgreSQL and is provided
as an alternative to using a third-party DBMS. The server cannot be used as a general purpose data store.
OLAP cubes are logical sets of data that are organized and structured in a hierarchical multidimensional
arrangement. Cubes are queried by using the multidimensional expression (MDX) language.
The SAS object spawner is a process that runs on workspace server, pooled workspace server, and stored
process server host machines. It listens for requests for these servers, authenticates clients, and launches
server processes as needed. In a pooled workspace server configuration, the object spawner maintains
a collection of re-usable workspace server processes that are available for clients. If server load balancing
is configured, the object spawner balances workloads between server processes. The object spawner
connects to the metadata server to obtain information about the servers that it manages.
The SAS/SHARE server provides concurrent Read and Write access to tables.
SAS/CONNECT servers provide computing resources on remote machines where SAS Integration
Technologies is not installed.
The SAS Deployment Tester Server is a diagnostic tool used for assessing a SAS deployment. After
an installation or upgrade, you can use the Deployment Tester to ensure that your SAS software
and critical components have been installed and configured correctly. The Deployment Tester Server
is installed on each server tier machine in the SAS deployment.
The Job Execution Service provides a common, standardized way for web applications to create, submit,
store, retrieve, and queue jobs for SAS servers. The SAS Distributed In-Process Scheduler Job Runner
can be used for running these scheduled jobs.
c .
In
Recommended Start-Up Order: Middle Tier
9
Start Order
JMS Broker
u t eServer or Service
10
t i t
Cache Locator
.
11
12
I s
SAS Web Server
n i o n
13
S u t
SAS Environment Manager Server
14
15
S A tri b
SAS Environment Manager Agent
SAS Deployment Agent
h t i s
6
r i g r e d
p y o r
The SAS Web Application Server depends on the Cache Locator.
C o t f
The SAS Environment Manager Server depends on the SAS Web Infrastructure Platform Data Server
o
and the SAS Web Application Server, but it can start without these components. However, the SAS
Environment Manager application requires these components in order to provide full functionality.
Start-Up Parameters
Start-up parameters for SAS servers are stored
in sasv9 configuration files. These SAS system options
take effect each time you invoke SAS.
If you want to specify different values for system

options, or if you want to specify additional
c .
options, then enter your updates and additions
in sasv9_usermods.cfg, which is located in the
e In
u t
same directory as sasv9.cfg. You must restart
the server in order for the changes to take effect.
t
s t i n .
7
I n t i o
S
A tri b u
Running Servers as Windows Services
t S s
On Windows, the SAS servers and services are installed
i g h d i
as Windows services that have these features:
e
 start automatically when you restart the machines
y r r r
 are named
SAS [deployment-name-and-level] <server-context -> server-name
o p 
f o
can be managed from a command line using
SAS provided batch scripts:
C o 
t net start|stop|pause|continue “service-name”
have built-in dependencies to ensure that they start
N up in the correct order on each machine
8
8
 In a typical deployment, the Windows services would have a start-up type of Automatic.
The classroom image uses a batch file to start services and has a start-up type of Manual.
 Service dependencies are not set up by the SAS Deployment Wizard for the SAS Web
Application Server. See Installation Note 52100: http://support.sas.com/kb/52/100.html.
Using the sas.servers Script on UNIX or z/OS

The SAS Deployment Wizard creates a sas.servers script
during installation. The script enables you to use a single
command to do any of the following:
 start, stop, or restart all of the SAS servers and
spawners on the machine in the correct order
 display the status of all the SAS servers and spawners
on the machine
c .
 The script does not include the SAS Deployment
e
Agent. Use the SAS Deployment Manager to start
In
u
t t
and stop the SAS Deployment Agent, or
s t i n .
9
9
I n t i o
S u
On UNIX systems to start and stop the SAS Deployment Agent, you can use:
A tri b
S
1. SAS Deployment Manager.
t s
2. SAS Environment Manager.
h i

r g r e d
3. The command, located in /opt/sas/SASHome/SASDeploymentAgent/9.4.
i The sas.servers script does not include the SAS Deployment Tester or the SAS Deployment
p y r
Agent.
o
C o t f
Using the sas.servers Script on UNIX or z/OS
N o The script is located in the top level of the configuration

directory (for example, SAS-configuration-directory/Lev1).
To use the sas.server script, perform the following steps:
1. Log on as the SAS Installer user.
2. Go to the configuration directory where the sas.server
script is stored.
./sas.servers start|stop|restart|status
You can also install the sas.servers script as a boot script.
10
10
Some servers are started directly by the sas.servers script. Other servers are started by the sas.servers.pre
and sas.servers.mid scripts, which are called by sas.servers. The table below shows the script names,
the components that are included in each script, and the order in which the components are started.
Beginning with the first maintenance release for SAS 9.4, the sas.servers.mid script starts the SAS Web
Server before the SAS Web Application Server. This start-up order helps ensure optimum performance
when web applications are initialized.
Script Tier Start-up Order
sas.servers.pre (called by
sas servers)
server tier SAS Web Infrastructure Platform Data Server
c .
sas.servers server tier
e
SAS Metadata Server, SAS OLAP Server, SAS object
In
t
spawner, SAS/SHARE server, SAS/CONNECT spawner,
and SAS Distributed In-Process Scheduler Job Runner
sas.servers.mid (called by
sas.servers)
t i t u
middle tier
.
JMS Broker, Cache Locator, SAS Web Server, SAS Web
Application Server, and SAS Environment Manager server
sas.servers.mid (called by
sas.servers)
I n s i o n
server and
middle tier
SAS Environment Manager Agent
S u t
If needed, you can use the sas.servers.pre or sas.servers.mid script to start a subset of servers. However,
A tri b
make sure that you follow the start-up order that is shown in the preceding table.
S
Other servers might also be included in the scripts, depending on which SAS applications you configured.
h t i s
r i g r e d
You should not directly update the sas.servers script. If the script needs to be updated
(for example, to add new servers or remove servers), then regenerate the script by using
generate_boot_scripts.sh. For details, see “Regenerating a sas.servers Script” in
p y r
SAS® 9.4 Intelligence Platform: System Administration Guide.
o
C o t f
N o You can start and stop the following servers from

SAS Environment Manager:
 SAS Metadata Server
 SAS OLAP Server
 SAS Object Spawner
 SAS/CONNECT Spawner
 SAS Web Application Server
 SAS Web Server
 SAS Deployment Agent
11
11
 In SAS Environment Manager, SAS Web Application Server appears as sasserver.demo.sas.com

tc Runtime SASServer[instance number].
Available Methods for Operating Servers
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Using SAS Environment Manager to Operate Servers and

Spawners
This demonstration uses SAS Environment Manager to operate SAS servers and spawners.
1. On the client machine, access Internet Explorer and select SAS Environment Manager from
the Favorites bar.
c .
In
2. Log on as Ahmed using the Student1 password.
3. Click the Resources tab.
4. Click Servers.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
5. In the list of servers, click sasserver.demo.sas.com Object Spawner - sasserver. You will need to go
to the next page for the Object Spawner.
6. Click Control.
7. You can issue control commands from this location. You can schedule a control action. An example of
this is if you need to recycle a SAS Web Application Server at a low usage time.
Under Quick Control, change Control Action to Stop and click .
c .
e In
u t
After the control action is complete, a message is presented.
t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
8. Check the status of that server from the main monitoring page. Select Resources  Browse 
Servers and verify that the Stop control action worked properly. The status of the object spawner
f
changes to not available. However, the change in status will not show up immediately.
C o t
NOr you can see a bubble at the bottom of the monitoring page of the Object Spawner, which signifies
an event just occurred. Clicking on it shows the event.
9. Start the Object Spawner. (You can either use the Quick Control action in SAS Environment Manager
or perform the appropriate action on the server machine.)
Exercises
1. Operating the SAS Servers

a. Check the status of the SAS Servers.
For Windows Server
c .
In
1. On your Windows Server machine, it is fastest to use the Windows Services application to
check status, stop and start SAS servers. Click the Services icon in the system tray. With
e
Services selected, scroll down to the SAS services. Verify that the status for all the SAS
services is Started.
t u t
i
2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
s t .
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.
n

I n t i o
In a typical deployment, the Windows services would have a start-up type of
3. S
A tri b u
Click the Dependencies tab.
t S
s
The dependencies do not include any middle-tier servers. It is not recommended
i
that you include them in the dependencies. However, it is possible. See
i g h d
Installation Note 52100: http://support.sas.com/kb/52/100.html
y r r e
For Linux Server
o p 1.
f o rOn UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS Servers. They are called sas.servers.pre, sas.servers, and sas.servers.mid.
C o t Some servers are started directly by the sas.servers script. Other servers are started by the
N
sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers. The table on
page 6-8 of your Course Notes shows the script names, the components that are included
in each script, and the order in which the components are started. For Linux Server
SAS servers: ./sas.servers status. (The valid commands are stop, start, restart, and
status.)
b. Review the start-up order of the SAS servers.
For Windows Server

Navigate to D:\thirdparty\scripts. Right-click StartSAS.bat and select Edit. Review the
start-up order of the servers.
How much time is built in for the web server to wait for the cache locator to start up?
What is being read before it starts up?
c .
In
You might use a script similar to this one in your environment. However, be aware
that this script deletes log files, which you would not want for a SAS Environment
e
outside of the classroom.
t u t
i
For Linux Server
s t n .
Use gedit, vi, or WinSCP to open the sas.servers script. Review the start-up order of the
n o
SAS servers.
I t i
2. (Optional) Stopping and Starting Servers in the Correct Order
S
A tri b u
It is important to start servers in the correct order. When shutting down, use the reverse order
t S
that is used when starting up.
s
1.
i g h
 i
For Windows Server
d
y r r e You would use the Windows Services application to shut down and then restart all of
the servers in the correct order in a typical deployment.
o p f o r
The classroom image uses a batch file to start and stop Windows Services.
t
In order to make sure that servers in our environment are started up in the correct order, first
C o
use the stopSAS script. The scripts are located here: D:\thirdparty\scripts.You can monitor
the stopping and then starting of the servers via the command window.
N 2.
This displays the services being stopped. A message is displayed when the script is done.
Start the servers with the startSAS script.

The services are displayed as they are starting. (You can start the Task Manager to watch the
CPU activity.)
For Linux Server

1. On the Linux server, use the sas.servers script.
Issue the following command to restart the servers because you did restart the SAS Web
Server in the previous exercise: ./sas.servers restart
(You could also issue a command of stop, wait for the servers to go down, and then issue a
start command.)
 The SAS Web Application Servers takes from 20 to 30 minutes to start, depending on how
c .
and verify that everything started successfully.
e In
many SAS applications are deployed. You can examine the log files to monitor its progress
t u t
3. Validating the Servers in SAS Management Console
password.
s i
a. On the client machine, log on to SAS Management Console as Ahmed using the Student1
t n .
I n t i o
b. Expand Server Manager  SASApp  SASApp - Logical Workspace Server 
SASApp - Workspace Server. Right-click sasserver.demo.sas.com and select Validate.
S u
Was the validation successful? If not, verify that the object spawner is running.
A tri b

t S
c. View the details of the validation. What autoexec file was executed at server initialization?
s
i
An autoexec file contains SAS statements that are executed immediately after
i g h SAS initializes the server.
d
y r r e
o p f o r
C o t
N
6.2 Monitoring a SAS Environment with SAS Environment Manager 6-15
6.2 Monitoring a SAS Environment with

Objectives
 Identify operating system monitoring tools.
c .
In
 Examine tools used to monitor the SAS environment.
 Use SAS Environment Manager to create and monitor
a SAS server event.
u t e
t i t .
I n s i o n
S u t
S A tri b
16
h t i s
r i g r e d
p y Windows Operating System Monitoring Tools
o r
C o t f
The Windows platform provides these built-in applications
to help you monitor your SAS deployment:
N o Windows Services application
 Windows Task Manager/Process Explorer
 Windows Event Viewer
 Windows Explorer/editors
17
The most valuable tools are often the Windows explorer and simple text file editors. With these two tools,
you can search for and monitor server logs.
The Windows Services application provides an interface to start, stop, and configure Windows services. It
also:
 Allows the administrator to list and review installed applications that do not require a login
 Obtain status on what applications are currently running (no history) and what identity is running them
 Determine the Start up type of the application (Automatic, Manual, Disabled, or Automatic (Delayed
Start)
 Set dependencies for start-up order for processes. By default, all SAS server processes running on
Windows are installed as services.
c .
In
In contrast to the Windows Services application, the Task Manager provides an additional level of detail:
It shows all running processes (foreground AND background) and the name of the executable. An
e
application might involve more than one individual process. It also indicates system resource utilization
u t
(CPU, memory, and disk I/O) for each process, and the Process ID (PID) - for each process. It also
provides a 1-minute timeline of resource usage in real time.
t
t i .
The Process Explorer is similar but provides more detail—it shows the entire executable with all
s n
parameters, and it shows parent/child process relationships. The Process Explorer also highlights
I n t i o
processes that are just starting up, and those that have recently shut down. Note that the process explorer
must be downloaded and installed separately; it is not a default part of Windows.
S
A tri b u
The Windows Event viewer can be useful for a system administrator, since it provides hardware-level
information, and requires systems administration knowledge—an example might be a failure to write to a
t S
file because the user running the application does not have Write permissions to that directory.
s
g h d i
UNIX Operating System Monitoring Tools
i
y r r e
The UNIX platform has built-in monitoring commands that
o p f o r
provide a variety of functions that are oriented toward the
system administrator. For example:
C o t
 ps, top, vmstat, lsof, tcpdump, netstat, ss, iostat,
strace, free, mpstat, df, du
18
The built-in UNIX monitoring commands provide a wide variety of functions that are oriented toward the
UNIX system administrator. These tools can provide information at the operating system, application, or
the individual process level.
The top command produces a list of all the currently running processes listed in order of CPU usage. The
top CPU users appear at the top of the list, leading to the name of this command. The list is continuously
updated at five second intervals by default, and there are options to shorten or lengthen the update period.
The administrator can specify which fields to display, their order, filter the output on a variety of fields,
and sort the output by various fields.
Once a process ID is identified, you can use the ps command to find the complete command line, thus
identifying the specific server (SAS or otherwise) of interest.
There are two commands that are useful in evaluating disk space utilization. The Linux df command
displays the amount of free space on all mounted file systems. A related commend, du, provides disk
c .
In
usage (in Kb) of each directory and its subdirectories.
u t e
The SAS Environment Manager gathers many of its metrics from some of these UNIX tools.
t i t
Developing a Monitoring Plan
.

n s o n
Who is responsible for monitoring and addressing
problems?
I i

S u t
What resources need to be checked, and how often?

S A tri b
Which resources are most critical?
Which metrics are most useful?

h t
What happens when an issue or problem arises?
i s
Are there scheduled tasks that should be regularly
r i g

checked?
e d
What reports are most helpful in identifying trends and
r
p y potential problems?
o r
C o t f
19
N o
19
A performance monitoring plan ensures that administrators always have up-to-date information about
how their servers are operating. Knowing what questions to ask will usually lead to what data is needed to
provide answers to those questions, and can provide guidance when developing a performance monitoring
plan.
Establishing a performance baseline establishes a reference point that makes it easier to identify problems
when, or before they occur. When administrators have performance data for their systems that cover
multiple activities and loads, they can define a range of measurements that represent normal performance
levels under typical operating conditions for each server. In addition, when troubleshooting system
problems, performance data gives information about the behavior of the various system resources when
the problem occurs.
SAS Monitoring Tools
c .
e In
t u t
s t i n .
20
I n t i o
S
A tri b u
In addition to the OS-provided tools mentioned, SAS has several tools that allow the administrator to
examine, monitor, and manipulate a SAS installation. Most are highly specialized and are used for a
t S
small number of specific tasks.
s
i
SAS Management Console is the heart of a SAS installation, providing authentication, authorization,
i g h
configuration metadata, and other services. Using SAS Management Console, you can validate basic
d
functionality of SAS servers and examine object spawner connections, server options and properties, and
r
logging levels.
y r e
o p f o r
SAS also provides some scripting tools to start, stop, and determine the status of the SAS servers and
applications. In an earlier chapter of this course, we used the sas.servers script on UNIX to check the
t
status of SAS servers. In addition, most SAS servers have their own start/stop/status scripts that can be
C executed either individually or as a part of a larger script.
o
N
In addition, there are some monitoring tools that are a part of some SAS solutions. For example, the SAS
Visual Analytics Administrator provides reports in the SAS Visual Analytics environment. Platform RTM
and SAS Grid Manager Module provide grid administrators the capability to graphically view the status
of devices and services within a SAS Grid environment.
SAS Environment Manager (Review)

SAS Environment Manager provides a framework for
SAS administrators to monitor the performance, health,
and operation of their SAS deployments.
 A comprehensive view of all resources related to SAS
is displayed.
 It provides drill-down into different levels of detail on
resources.
c .
 It provides a flexible alerting function to warn
administrators of problems.
e In
t u t
s t i n .
21
I n t i o
S
A tri b u
SAS Environment Manager is based on VMware’s Hyperic application monitoring framework with
customizations and plug-ins to optimize the product specifically for a SAS environment.
t S
SAS Environment Manager connects a SAS environment with the underlying data services and operating
s
i
system information. Having this information connected and correlated provides a single, consistent view
i g h
of the operating environment.
d
y r r e
SAS Environment Manager also provides proactive monitoring capabilities. Through a series of events
and alerts, you can notify designated personnel when a threshold is exceeded and run designated resource
o p f o r
control operations when an alert is triggered.
The SAS Environment Manager Service Architecture provides functions and capabilities that enable SAS
C t
Environment Manager to fit into a service-oriented architecture (SOA). The package implements best
o
practices for resource monitoring, and automates the application’s auditing and user monitoring
N
capabilities.
SAS Operational Monitoring Continuum

Real Time Operational Operational Capacity Planning/
(Detailed) (Summary) Forensics
Focus: Usage & Process SAS Environment Manager

Monitoring Service Architecture Framework
Consumption
(not persisted)
SAS IT Resource Management
(Performance Database)
Focus: OS Metrics
and Events SAS Environment Manager
Goals/Tasks/Uses • Dynamic
visualization of
• Monitor health of
the environment
• Provide “context”
for operational
• Understanding usage
patterns of SAS
content and data
• Audit security
c .
In
real-time activity • Alerting activities
• Review logs • Configuration changes
change control • Capacity planning
• Hardware maintenance
e
Time Scale < 1 minute 1 minute to 3 days 3 days to 10 days > 10 days
t u t
s t i n .
22
22
I n t i o
S
A tri b u
Each SAS system administrator or IT operations specialist is faced with the challenging task of
monitoring, managing and forecasting the needs of software, hardware and systems. So much so that even
the language of discussing a problem, event, or analysis can become rather complex. This diagram depicts
t S
the monitoring “continuum” over time: dynamic monitoring, which is typically not persisted; recent
s
monitoring, to include less than 3 days review of system usage via SAS Environment Manager; and
i g h d i
longer term “forensics” type of usage and capacity planning offered by the SAS Environment Manager
Service Architecture and the SAS IT Resource Management solution.
r r e
 “Monitoring 101: New Features in SAS 9.4 for Monitoring Your SAS Intelligence Platform”
y
o f o r
SAS Global Forum paper (http://support.sas.com/resources/papers/proceedings13/463-2013.pdf)
p
C o t
N
Monitoring Resources: The Analyze Pages

The Analyze pages contain the following:
 Alert Center
 Event Center
 Operations Center
 Environment Snapshot
 Report Center
c .
e In
t u t
t i .
These pages enable you to quickly view and work with
s
alerts, events, system status, and performance and
n
n
usage reporting throughout your system.
23
23
I t i o
S u
The Report Center is included only if you have enabled SAS Environment Manager Service Architecture
A tri b
t S
Events
s
i g h d i
An event is generated when there is a change in a
y r r e
resource’s state or a change in a resource’s threshold
value for one of these items:
o p f o r
 messages written to a log file associated with a
monitored resource
C o t  changes made to monitored configuration files or

directories
N  control actions: server start/stop/restart
 alerts
 event importer
Analyze Event Center
24
24
SAS Environment Manager provides the capability to monitor metrics, scan log files, manage
configuration changes, and monitor availability. When there is a change in a resource’s threshold value
for one of these items, an event is recorded in SAS Environment Manager’s event message system.
Events are also automatically created for certain types of entries in SAS server logs, and you can specify
other criteria that will create events based on SAS server logs.
Alerts
Alerts are a predefined or user-defined type of event that
indicates a critical condition in a selected resource.
c .
e In
t u t
s t i n .
25
25
I n t i o Analyze Alerts
S
A tri b u
When an alert occurs, it must be acknowledged, and alerts are listed until they are marked as being fixed.
You can define escalation schemes to identify the actions that happen if an alert is not fixed within a
specified time.
t S s
i
If you initialize SAS Environment Manager Extended Monitoring, a set of alerts is automatically created.
i g h d
y r r e
Environment Snapshot
o p o r
Environment Snapshot contains a comprehensive listing
f
of the system information in the SAS Environment
C o t
Manager database.
Analyze Environment Snapshot
26
26
Environment Snapshot was originally designed to provide SAS Technical Support with a method for
quickly diagnosing system issues, but it also provides you with valuable information about your system. It
collects and displays the most current performance measures and configuration parameters from the SAS
Environment Manager database, and also executes and gathers real-time usage information.
Operations Center
The Operations Center lists resources that are down or
have active alerts.
c .
e In
t u t
s t i n .
n
Analyze Operations Center
27
27
I t i o
S
A tri b u
You can use filters to find resources and problem types of interest. This concise view displays the current
number of unavailable resources and active alerts, and a one line problem summary for each resource.
t S s
i g h d i
SAS Environment Manager Service Architecture
y r r e
The SAS Environment Manager Extended Monitoring
package implements best practices for SAS Environment
o p f o r
Manager. The framework consists of two components:
 predefined alerts, groups, logging, and metric
C t
configurations
N o  Data mart infrastructure, which provides empty data

tables, stored processes, and reports that are populated
by data that is provided by APM or ACM ETL processes
Extended Monitoring Data Mart
VA auto-load Feed
Audit, Performance
Best Practices
Report Center
Measurement Data(APM)
• Predefined alerts
• Automate resource configuration
• Additional resource groups Agent-Collected
• Metric collection adjustments Metrics (ACM)
• Additional resources
• Event importing and exporting
Kits Data
28
 Extended monitoring components are not active until you initialize the service architecture.
Viewing Analyze Pages and Creating an Alert in

This demonstration illustrates using SAS Environment Manager’s Analyze Pages and creating an alert for
SAS Work Disk space.
1. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment Manager
on the Favorites bar.
c .
 To access SAS Environment Manager, use your web browser to go to
e In
t
http://<localhost>:7080, where localhost is the machine on which the SAS Environment
u
Manager server is installed.
t i t .
2. Sign in as Ahmed using the password Student1.
I s
Report Center, and Event Center.
i o n
3. The Analyze tab contains these selections: Environment Snapshot, Operations Center, Alert Center,
n
S u t
S A tri b
h t i s
r i g e d
4. Select Analyze  Alert Center.
r
p y r
The Alert Center page provides a deployment-wide view of alerts and alert definitions.
o
C o 
t f An alert is a type of event that acknowledges a critical condition in a selected resource. You
can configure SAS Environment Manager to also log events for log messages and resource
N o configuration changes.
You can use the filter controls to filter by criteria such as status, type, and priority. Clicking an entry
in the Alert Definition column in the table displays detailed information about the alert.
You can select the check box next to an alert and click Fixed to identify the problem as having been
corrected. A pop-up window enables you to enter a note regarding the resolution of the alert.
5. Click an entry in the Alert Definition column in the table. Detailed information about
the alert is displayed and you can also mark the alert as fixed, as well as enter information about the
resolution of the alert.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
r e
6. Select Analyze  Alert Center to go back to the Alert Center page.
y r
o p r
7. Click the Definition tab. The Definition tab in the Alert Center contains a table that lists all
o
of the defined alerts. Clicking an alert takes you to the definition page for the alert, where you can
f
view more detailed information or edit the alert. These alerts were created when Extended Monitoring
C t
was enabled.
o
N
8. Select Analyze  Event Center.
The Event Center page provides a deployment-wide view of all events that have been logged for
resources. Alerts are automatically logged as events. You can configure SAS Environment Manager
to also log events for log messages, resource configuration changes, and resource metric triggers.
 An event is any sort of activity in a resource that you are monitoring.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
9. Select Analyze  Operations Center.
t S
The Operations Center lists resources that are down or have active alerts. You can use filters to find
s
i
resources and problem types of interest.
i g h d
y r r e
o p f o r
C o t
N
10. Now that you have explored the Analyze tab, set up an alert to be triggered whenever the SAS Work
Disk space reaches 40% of its capacity. The alert should be issued once every two hours until the
condition is cleared. When the alert is triggered, users with the Super User Role should be notified.
11. Select Resources  Services. Using the Keyword Search facility, search for the string home
directory and click .
12. There are three icons on the left of the entry for the resource , which will bring you to the
Monitor page, Inventory page, or Alerts page for this resource.
13. Select sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory service.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
Notice the name of the default SAS work directory.
14. Build a new alert. From the sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory
t S
screen, select Alert. (Notice that the SAS Work Directory location is specified and is a different path
for Windows and Linux servers.)
s
i g h d i
y r r e
o p f o r
C o t
N
15. Select Configure to display the Alert Configuration page.
There are already two alerts defined. These were installed and configured as a part of the SAS
Environment Manager Extended Monitoring package.
16. Click New to display the New Alert Configuration page.
c .
e In
t u t
t i
17. Name the alert, select the priority, and specify that the alert should be active.
.
 In the Name field, enter SASWork Disk Use % > 40
s n
 In the Description field, enter Alert SASWork Disk use % > 40 %
I n t i o
 Accept the default Priority of Medium.
S u
 Verify that the Active button is set to Yes.
A tri b
t S s
i g h d i
18. In the If Condition area, select the Metric option, then select Use Percent in the Metric field.
y r r e
To specify 40% capacity, enter .4 in the absolute value field. To specify that the alert is triggered
o p menu.
f o r
whenever the used capacity exceeds 90%, specify and select > (Greater than) from the comparison
C o t
N
19. In the Enable Action(s) field, specify 1 for the number of times the alert is issued, 2 for the time
period, and select hours for the time period units. These values specify that the alert is issued one
time every two hours while the alert conditions are met.
20. Click OK to define the alert and display the Configuration page for the new alert.
21. Create the notification. Select Notify Roles, and then select Add to List.
22. Select the check box beside Super User role in the Roles list and use the arrow control to move the
role to the Add Role Notification list.
c .
e In
t u t
t i
23. Click OK to close the Role Selection page.
s n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
24. Click Return to Alert Definitions to complete the process of defining the alert.
Exercises
4. Setting Up a Monitor for the SASWork Disk Space Usage

The SAS Work directory stores temporary files that are created during SAS processing of code. This
directory is automatically cleaned up by default. However, the SAS Work directory might not be
cleaned up properly due to unexpected errors in processing or termination of SAS sessions. It might
be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
c .
a. Sign in to SAS Environment Manager as Ahmed using the password Student1.
e In
t u t
b. Locate the resource for the SAS Work directory by selecting Resource  Services.
s t i
c. Enter work directory in the Search field and click the arrow to the far right of the row
n .
d. Click sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory. Where is the
.
I n
SAS Work directory located?
t i o
S
You can confirm the location by opening a SAS session through SAS Studio or SAS Enterprise
A tri b u
Guide and submitting the following code:
proc options option = work;
run;
t S s
i g h d i
y r r e
For Windows Server
o p f o r
C o t
N
For Linux Server
 The Use Percent is one of the metrics available for this resource.
The Metric Viewer portlet does not provide a resource type of SAS Work directory; it has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory,
which will give the metrics that we want and then point this new platform service to the OS
directory where SAS Work is located.
e. Select Resources  Platforms. Click sasserver.demo.sas.com.

f. From the Tools Menu, select New Platform Service.
g. Enter the following information:
Name: SAS Work directory
Description: Storage area for SAS intermediate and temporary files
Service Type: Select FileServer Directory
h. Click OK.
c .
i. Click Configuration Properties to configure the resource.
e In
For Windows Server
t u t
j. Enter the Path to Directory and click OK.
s t i n .
Enter: C:\Windows\Temp\SAS Temporary Files
I n t i o
S
For Linux Server
A tri
Enter: /tmp
b u
t S
k. Create a new Metric Viewer portlet on the Dashboard page. Click the Dashboard tab.
s
h d i
l. On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add Content
i g e
to this column field and click the button.
y r r r
m. Click the Configure button to display the Dashboard Settings page for the portlet.
o p f o
C o t
n. On the Dashboard Settings page, specify the following information:
N Description: SAS Work disk space

Resource Type: Select FileServer Directory
Metric: Select Disk Usage
o. Click Add to List.
p. Select the SAS Work resource that you just defined and click the arrow pointing to the right to
move the resource to the right side. Click OK.
q. Click OK.
In most cases, the Metric Viewer portlet will provide the resource types that you want and
therefore you can get the metrics that you want to view directly. In this case, we had to use an OS
level resource type to view those metrics.
5. Creating an Environment Snapshot

The Environment Snapshot contains a comprehensive listing of the system information in the SAS
Environment Manager database. It collects and displays the most current performance measures
and configuration parameters and also executes and gathers real-time usage information.
a. Select Analyze  Environment Snapshot.
b. In the Summary table, select Select a System and select sasserver.demo.sas.com.
.
c. There are a series of tabs at the top of the Environment Snapshot window. Select the SAS tab.
This display shows information about the SAS servers that is stored in the SAS Environment
Manager database.
In c
d. Select the Mid Tier Servers tab.
u t e
This tab shows configuration values for the middle tier servers. Note that this is a display-only
i t
screen, no changes can be made to the configuration from this screen.
t .
I s o n
e. Create a snapshot of your sasserver machine. On the left side of the Environment Snapshot screen,
n
under the Create a Snapshot window, select Include Events and Include Alerts. Select Snapshot
i
Environment.
S u t
Because the plug-in queries the SAS Environment Manager database, taking a snapshot might
A tri b
take several minutes. This depends on the size of the installation and the number of machines
S
being monitored by your environment.
h t i s
f. After you create a snapshot file, the location of the file is displayed in the plug-in.
i g d
g. Select the Snapshots tab on the Environment Snapshot tab menu to view the snapshot.
r r e
p yh. Select the snapshot file in the Snapshot Summary screen.
o r
6. Defining an Alert for a SAS Server Log File
C o t f
Log file entries are one type of event that can be configured and customized using SAS Environment
N o
Manager’s log file tracking. For each SAS server, a special file called
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard. They can
be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Since each SAS server has its
own properties file, logging events can be created for specific server types.
In this exercise, you will set up an alert to be triggered whenever a warning message for the I/O
Subsystem appears in the log of the SAS Metadata Server.
a. On the server machine, navigate to the metadata server’s sev_logtracker_plugin.properties file.

For Windows Server
Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.
For Linux Server

b. Make a backup copy of sev_logtracker_plugin.properties.
c. Open sev_logtracker_plugin.properties.
c .
e In
t u t
s t i n .
The entries in this file use the format:
I n t i o
level. [level_of_message] . [sequential_number] = [regular_expression]
S u
All sev_logtracker_plugin.properties files contain the following two entries by default:
A tri b
S
#All fatal
t
level.fatal.1=.*
h
#All errors
g d i s
y r i level.error.1=.*
r e
These entries specify that an event is created whenever a message appears in the SAS log with a
o p f o r
level of Fatal or Error. The message can contain any text. (The period represents any character
and the asterisk says zero or more of the preceding character, which is a period, so any and all
t
characters.)
C o level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
N whenever a message with a level of Warn appears that also contains the words: Access to this
account and is locked out. Any or no characters can be before, in between, or after these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties’ file the next warn message to be captured would be:
level.warn.3=.*message text here.*
d. Add the entry level.warn.3=.*I/O Subsystem.* to the file.
c .
e In
t
e. Save and close the file.
t i t u
f. In SAS Environment Manager, locate the server SASMeta – SAS Metadata Server on the
.
Resource page and click it to bring up the Resource Detail page for the server.
I n s i o n
g. On the Detail page, select Alert  Configure to display the Alert Configuration page.
S u t
h. Click New to display the New Alert Configuration page.
i. Name the alert, select the priority, and specify that the alert should be active.
Name:
S A tri
Alert Properties:
b
I/O Subsystem
h t
Priority:
i s Medium
r i g
Description:
r e d I/O subsystem warnings in the server log

Condition Set: Select the Event/Logs Level radio button and then select Warn in the
p y o r Event/Logs Level field.
C o t f In the substring to match field, enter I/O Subsystem.

These values specify that an alert is issued whenever an event is found for a Warn message from
N o the log containing the string I/O Subsystem.

In the Enable Actions(s) area, select the Each time conditions are met radio button. An alert is
triggered each time an I/O Subsystem warning appears in the log.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
j. Click OK.
C o t
7. Searching on the Web for SAS Usage Note on I/O Subsystem
Na. Open a new tab in Internet Explorer and click the Home button
b. In the Search field, enter I/O Subsystem.

in the upper right.
c. Select the Usage Note 53874.

d. There are many papers from SAS that can help you with various troubleshooting techniques.
 For a complete list of papers useful for troubleshooting system performance problems,
see Usage Note 42197.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
6.3 Exploring SAS Environment Manager Service Architecture 6-37
6.3 Exploring SAS Environment Manager

Service Architecture
Objectives
 Explore the SAS Environment Manager Service
c .
In
Architecture.
 Display examples of generated reports.
u t e
t i t .
I n s i o n
S u t
S A tri b
33
h t i s
r i g r e d
p y SAS Environment Manager Service Architecture
o r
C o t f
The SAS Environment Manager Extended Monitoring
package implements best practices for SAS Environment
o
Manager. The framework consists of two components:
 predefined alerts, groups, logging, and metric
N configurations
 Data mart infrastructure, which provides empty data
tables, stored processes, and reports that are populated
by data that is provided by APM or ACM ETL processes
Extended Monitoring Data Mart
VA auto-load Feed
Audit, Performance
Best Practices
Report Center
Measurement Data(APM)
• Predefined alerts
• Automate resource configuration
• Additional resource groups Agent-Collected
• Metric collection adjustments Metrics (ACM)
• Additional resources
• Event importing and exporting
Kits Data
34
You must enable Extended Monitoring to use the SAS Environment Manager Data Mart. Instructions to
do this are found:
 under the SAS Environment Manager configuration directory:
<configdir>/Lev1/Web/SASEnvironmentManager/emi-framework/
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf
 “Initializing and Enabling the Service Architecture” in SAS® Environment Manager 2.5: User’s Guide.
 Enabling the APM ETL process causes a separate log to be created for each spawned SAS
Workspace Server. You must plan for the large number of log files that this process could create.
c .
A best practice is to create a daily archive file of the day’s log files, and then to copy the file to
archive storage.
e In
u t
SAS Environment Manager Data Mart
t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C
35
o t
SAS Environment Service Architecture consists of the following components:
N
SAS Environment Manager Data Mart: The data mart is the key component of the Service Architecture
and is created if you enable either one or both of the ETL processes in the service architecture. The data
mart consists of a set of tables that hold the data collected by the ETL processes. The collected data is
stored in a standard format, which makes it easy to run reports and perform analysis. The stored processes
in the Report Center use the data in the data mart to produce predefined reports. Data is retained in the
data mart for 60 days.
Audit, Performance, and Measurement (APM) ETL: When this component is initialized, it collects
information from various log files (including those generated by SAS servers and web application
servers), standardizes it, and stores it in the data mart. A log discovery process runs approximately every
15 minutes to locate all of the logs that need to be included in the APM ETL. After the data is stored in
the data mart, you can use it to produce reports in the Report Center or to perform custom reporting and
analysis.
Agent-Collected Metrics (ACM) ETL: When this component is initialized, it uses information that was
collected by the SAS Environment Manager agent from the computing resources and components in your
deployment. The data is processed and loaded into the data mart. After the data is stored in the data mart,
you can use it to produce reports in the Report Center or to perform custom reporting and analysis.
Report Center: The Report Center provides a convenient access point for the reports that are provided as
part of the Service Architecture. Once one or more of the ETL components have been initialized and
enabled, data is available in the data mart. This data is then used to feed the predefined reports in the
Report Center. The Report Center is not available until either one or both of the ETL processes is enabled.
Solution kit framework: The solution kit framework can extend the capabilities of SAS Environment
c .
In
Manager to support specific solutions or applications. The framework includes support for collecting and
storing operation information about the solution in the data mart and for using the associated reporting
capabilities.
u t e
t
SAS Visual Analytics data feed: Data from the data mart can be easily loaded into SAS Visual Analytics.
s t i
If the data feed option is enabled in SAS Environment Manager, selected data tables from the data mart
.
are copied to a specified drop zone directory. SAS Visual Analytics can then automatically load the tables
from the drop zone into the application.
n
I n t i o
Federated data mart: If you are using a data mart on multiple deployments in your organization, you
S
A tri b u
can create a federated data mart to consolidate analysis and monitoring for all of the deployments. The
federated data mart collects into one location the ACM data from the data marts of each deployment. Each
deployment still retains its own data mart, but the federated data mart enables you to easily compare the
t S
metric data across your organization.
s
i g h d
Report Center
i
y r r e
o p o r
The Report Center is a collection of stored processes that
produce reports from data in SAS Environment Manager
f
Data Mart. The reports provide a view of the performance
C o t
and status of your SAS environment and its resources.
36
36
The Report Center has three main folders:

Products: contains most of the stored processes to generate reports based on APM or ACM ETL
processes.
System: contains stored processes for ad hoc reports.
User folders: contains any custom reports that you have created and saved in your user folder.
 The stored processes are based on standard procedures from Base SAS and ODS.
When you select a nightly report, the report is generated using the data currently in the SAS Environment
Manager Data Mart and the report is then cached. If you select the same report again, the cached report is
displayed, rather than a new report being generated. All of the reports in the Report Center expire at
midnight and the ETL processes that load data in the SAS Environment Manager Data Mart also run at
midnight. Reports that you run after midnight use the most current data (from the previous day).
You can find a complete listing of Report Center bundled reports here:
c .
In
http://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/Report_Center_Report_Listings.pdf
Data Mart Reports
u t e
These stored processes generate reports that display information about the content of the SAS
t i t
Environment Manager Data Mart tables, the resources that support the data mart, and the alerts that are
.
defined in the data mart. Some example reports include:
 All Alert Definitions
I n s
 ACM Data Mart Server Resources
i o n
S
 Data Mart Proc Contents Full Listing
u t
A tri b
The reports are located at Stored Processes  Products  SAS Environment Manager 
S
Dynamic Reports  Datamart.
h t i
Metadata Inventory Reports
s
r i g r e d
These stored processes generate reports that display information about the metadata that is stored on the
SAS Metadata Server. Some example reports include:
p y
 Groups Roles and Users
o r
 Metadata Content
C o f
 Server Properties
t
N o
Dynamic Reports  Metadata Inventory.
ACM Reports
These stored processes generate reports that display and chart detailed metrics for the computing
resources in your environment. They are generated by data from ACM ETL processes. Some example
reports include:
 File Mounts Summary Report
 Metadata Server Total Clients per Minute
 Platform Workload 1 Min Average
Nightly Reports  ACM Reports.
ARM Reports
These stored processes generate reports that display and chart detailed metrics and information for SAS
jobs and processes. They are generated by data from APM ETL processes. Some example reports include:
 Resource – Procedure Usage
 User – Server Activity by User
 Workspace Server – Top Users by Memory Consumption
Nightly Reports  ARM Performance Reports.
c .
 In ARM reports, time metrics are charted in seconds and memory capacity metrics are charted in
kilobytes.
e In
Metadata Audit Reports
t u t
t i .
These stored processes generate reports that display events recorded in SAS logs. They are generated by
s
data from APM ETL processes. Some example reports include:
n
 Access Activity Events
I
 Metadata Client Activity n t i o
 Group Changes
S
A tri b u
t S
Nightly Reports  Audit Reports (Log Forensics).
s
i g h d i
SAS Environment Manager Service Architecture ETL Process Reports
r e
These stored processes generate reports that display information and metrics about the APM ETL
r
processes. Some example reports include:
y
o f o r
 ETL Logfile Analysis
p
 Logfile Analysis Overview Report
C t
 Proc Usage Summary
o
N
Nightly Reports  Service Architecture ETL Reports.
Event Reports
These stored processes generate reports that display information and metrics about the events that are
generated and recorded in the data mart. They are generated by data from ACM ETL processes. Some
example reports include:
 Event Summary Chart
 Event Summary Counts
 Log Event Details
Nightly Reports  Event and Alerts.
Solution Kit Reports

These stored processes generate reports that display information that was stored in the data mart by the
solution kit. Each kit contains its own set of stored processes and custom reports.
Nightly Reports  Kits  solution kit name.
Log File Job Reports
c
These stored processes generate reports that display information about the jobs and processes used to
.
In
analyze the SAS logs. They are generated by data from APM ETL processes. Some example reports
include:
 Logfile Analysis Overview
t
 Logfile Summary by Logfile and Jobname
u e
 Proc Usage Summary
t i t .
Nightly Reports  SASJobs.
I n s
i o n
Sample Reports
S u t
S A tri b
These stored processes generate reports that contain samples of different types of report styles. They are
generated by data from APM ETL processes. Some example reports include:
 Pie Chart CPU Usage Profile by Platform
h t i s
 Daily Resource Usage Summary
r i g r e d
 Top 5 Ranked on CPU Usage
y
r
Nightly Reports  Sample Gallery.
p o
C o t f
Report Center
N o Metadata Server:
 Metadata Server Client Activity
 Authentication errors
 Audit Report on Access Control Changes
 Access Activity by user ID
37
37
Report Center
Metadata Inventory:
 Duplications
 Groups, Roles, and Users
 Paths
.
 Portal Activity
In c
u t e
t i t .
38
I n s i o n
t
38
S
A tri
Report Center b u
t S
Server Activity:
s
i g h d i
 Workspace Server Top 10 Memory Users
y r r e
 Server Usage By User
 Data Usage
o p f o r
 Directory Usage
 Procedure Usage
C o t
N
39
39
Report Center
Data Mart Reports:
 Weekly events from SAS Environment Manager
 All Alert Definitions
 Data Mart PROC Contents Full Listing
.
ACM Reports:
 Daily Resource Usage Summary
 Top 5 Ranked on CPU Usage
In c
u t e
t i t .
40
I n s i o n
t
40
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Changing Report Parameters in SAS Management Console
This demonstration illustrates how to change report parameters and ETL configuration settings in
1. Log on to SAS Management Console as Ahmed using the password Student1 if not already logged
on.
c .
In
2. Under Plug-ins tab, expand Application Management  Configuration Manager.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
3. Right-click EnvMgr Enablement Kit 2.2 and select Properties.
p y o r
C o t f
N o
4. Click the Settings tab. You can change some of the default configuration settings for the ETL
processes, as well as for the change global settings (such as font, graph style, and legend options) for
the reports in the Report Center.
Do not change ACM Number of Days of Raw Records or Delay Threshold values unless
instructed to by SAS Technical Support.
Be careful when changing report parameters. Specifying incorrect values might cause reports
to fail. Make a note of any value that you change so that you can return to the original value
in case of problems.
c .
e In
t u t
5. Click Cancel.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
8. Locating Logs Created by Enabling and Initializing the APM ETL

If the APM ETL package is enabled and initialized, a potentially large volume of log files are created.
The ETL process extracts data from SAS logs and loads that data into the data mart so that the
applicable stored process reports have data to work with. Data is extracted from the SAS logs only
when the logs roll over (usually after midnight).
c .
Locate log files that are generated.
e In
1.
For Windows Server
t u t
Navigate to D:\SAS\Config\Lev1\SASApp\WorkspaceServer.
2.
s t i .
Open PerfLogs directory. Logging of this server causes a separate log file to be created in this
n
n
directory for each spawned SAS Workspace Server. This means that there is a log file for each
I i o
session of SAS Enterprise Guide or SAS Data Integration Studio users.
t

S u
With the enablement and initialization of the APM ETL package, the SAS Application
A tri b
server environment is modified to enable ARM (Application Response Measurement),
t S as well as the activation of SAS logging facility loggers and log appenders, to support
the ARM-enabled SASApp deployment. This is discussed in the next chapter.
s
3.
i g h d i
Be aware of the potential for the large number of log files that can be created in this
y r r e directory. You can create a daily archive of the logs in a .zip or .tar file and then copy
r
the daily archive to another storage location. This process enables you to manage the
o p f o
large number of log files while maintaining IT best practices for retaining usage logs.
N 1. Navigate to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
For Linux Server
2. Open the PerfLogs directory. Logging of this server causes a separate log file to be created in
this directory for each spawned SAS Workspace Server. This means that there is a log file for
each session of SAS Enterprise Guide or SAS Data Integration Studio users.
 With the enablement and initialization of the APM ETL package, the SAS Application
server environment is modified to enable ARM (Application Response Measurement),
as well as the activation of SAS logging facility loggers and log appenders, to support
the ARM-enabled SASApp deployment. This is discussed in the next chapter.
3.
Be aware of the potential for the large number of log files that can be created in this
directory. You can create a daily archive of the logs in a .zip or .tar file and then copy
the daily archive to another storage location. This process enables you to manage the
large number of log files while maintaining IT best practices for retaining usage logs.
9. Running Stored Processes from the Report Center

Select Analyze  Report Center. The Report Center is displayed in a separate window or tab in
your browser. The Report Center uses the SAS Stored Process Web application, so the window is
titled Stored Processes.
To create a report, click on the stored process entry. The viewing pane of the Report Center
c .
window displays prompts for the information in the report. You can select the categories of inputs
on the left side of the display area to fully customize the report. Click Run to produce the report.
1) Select Products  SAS Environment Manager  Dynamic Reports  Metadata
Inventory.
e In
u t
Answer the following questions. You will find the answers from the referenced report.
t
Identity Report
s t i n .
Which users are SAS administrators?
I n t i o
Which users are Unrestricted Administrators?
S u
Which users can use SAS Studio? SASUSERS group?
A tri b
t S
Duplications
s
Are there any duplicate tables registered in metadata?
i g h d i
ID Artifact Mappings by Type
y r r e
How many cubes are in the environment?
o p f o r
2) Select Products  SAS Environment Manager  Nightly Reports  ARM Performance
Reports.
C o t Answer the following questions. You will find the answers from the referenced report.
N Resource Data Usage

How many tables has Jacques accessed?
User – Server Activity by User
How many SAS servers have been used and within what period of time?
3) Select Products  SAS Environment Manager  Nightly Reports  Audit Reports (Log
Forensic).
Authentication Errors
Are there any authentication errors by users?
Metadata Client Activity
Are any users currently connected to the metadata server?
4) To see a full listing of available reports, select Products  SAS Environment Manager 
Dynamic Reports  Datamart  Report Center Report Listings.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
6.4 Solutions
1. Operating the SAS Servers
a. Check the status of the SAS Servers.
For Windows Server

c .
1.
In
On a Windows machine, it is fastest to use the Windows Services application to check
e
status, stop, and start SAS servers. Click the Services icon in the system tray. With
services is Started.
t u t
Services selected, scroll down to the SAS services. Verify that the status for all the SAS
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.
 In a typical deployment, the Windows services would have a start-up type of

6.4 Solutions 6-51
3. Click the Dependencies tab.
c .
e In
t u t
s t i n .
I n t i o
 S
A tri b u
The dependencies do not include any middle-tier servers. It is not recommended
t S s
that you include them in the dependencies. However, it is possible. See
Installation Note 52100: http://support.sas.com/kb/52/100.html
i g h d i
y r r e
For Linux Server
o p
1.
f o rOn UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS Servers. They are called sas.servers.pre, sas.servers, and sas.servers.mid.
C o t Some servers are started directly by the sas.servers script. Other servers are started by the
sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers. The table on
N page 6-8 of your Course Notes shows the script names, the components that are included
in each script, and the order in which the components are started. For Linux Server
SAS servers: ./sas.servers status. (The valid commands are stop, start, restart, and
status.)
c .
e In
t u t
s t i n .
I n i o
b. Review the start-up order of the SAS servers.
t
S
For Windows Server
A tri b u
Navigate to D:\thirdparty\scripts. Right-click StartSAS.bat and select Edit. Review the
t S
start-up order of the servers.
s
i g h d i
y r r e
o p f o r
C o t
N
How much time is built in for the web server to wait for the cache locator to start up? What
is being read before it starts up?
You might use a script similar to this one in your environment. However, be aware
that this script deletes log files, which you would not want for a SAS Environment
outside of the classroom.
6.4 Solutions 6-53
For Linux Server

Use gedit, vi, or WinSCP to open the sas.servers script. Review the start-up order of the
SAS servers.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
r
2. (Optional) Stopping and Starting Servers in the Correct Order
o p f oIt is important to start servers in the correct order. When shutting down, use the reverse order
C o t that is used when starting up.
N
For Windows Server
1.  You would use the Windows Services application to shut down and then restart all
of the servers in the correct order in a typical deployment.
The classroom image uses a batch file to start and stop Windows Services.
In order to make sure that servers in our environment are started up in the correct order,
first use the stopSAS script. The scripts are located here: D:\thirdparty\scripts.You can
monitor the stopping and then starting of the servers via the command window.
This displays the services being stopped. A message is displayed when the script is done.
c .
e In
t u t
2.
s t i n .
Start the servers with the startSAS script.
I n
the CPU activity.)
t i o
The services are displayed as they are starting. (You can start the Task Manager to watch
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
6.4 Solutions 6-55
For Linux Server

1. On the Linux server, use the sas.servers script.
Issue the following command to restart the servers because you did restart the SAS Web
Server in the previous exercise: ./sas.servers restart
(You could also issue a command of stop, wait for the servers to go down, and then issues a
start command.)

c .
The SAS Web Application Server takes from 20 to 30 minutes to start, depending on how
progress and verify that everything started successfully.
e In
many SAS applications are deployed. You can examine the log files to monitor its
t u t
3. Validating the Servers in SAS Management Console
password.
s i
a. On the client machine, log on to SAS Management Console as Ahmed using the Student1
t n .
I n t i o
b. Expand Server Manager  SASApp  SASApp - Logical Workspace Server 
SASApp - Workspace Server. Right-click sasserver.demo.sas.com and select Validate.
S u
Was the validation successful? If not, verify that the object spawner is running.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
Nc. View the details of the validation. What autoexec file was executed at server initialization?
 An autoexec file contains SAS statements that are executed immediately after
SAS initializes the server.
c .
e In
t u t
t i .
4. Setting Up a Monitor for the SASWork Disk Space Usage
s n
I n t i o
The SAS Work directory stores temporary files that are created during SAS processing of code. This
directory is automatically cleaned up by default. However, the SAS Work directory might not be
S
A tri b u
cleaned up properly due to unexpected errors in processing or termination of SAS sessions. It might
be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
t S
s
i g d i
b. Locate the resource for the SAS Work directory by selecting Resource  Services.
h
y r r e
c. Enter work directory in the Search field and click the arrow to the far right of the row .
o p f o r
C o t
Nd. Click sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory. Where is the
SAS Work directory located?
For Windows:
For Linux:
6.4 Solutions 6-57
You can confirm the location by opening a SAS session through SAS Studio or SAS Enterprise
Guide and submitting the following code:
proc options option = work;
run;
For Windows Server
Enter: /tmp
c .
e In
t u t
s
For Linux Servert i n .
I
Enter: /tmp n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
 The Use Percent is one of the metrics available for this resource.
The Metric Viewer portlet does not provide a resource type of SAS Work directory; it has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory,
which will give the metrics that we want and then point this new platform service to the OS
directory where SAS Work is located.
e. Select Resources  Platforms. Click sasserver.demo.sas.com.
f. From the Tools Menu, select New Platform Service.

c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
g. Enter the following information:
y r
Name:
r e
Description:
SAS Work directory
Storage area for SAS intermediate and temporary files
o p o r
Service Type:
f
Select FileServer Directory
C o t
N
h. Click OK.
6.4 Solutions 6-59
i. Click Configuration Properties to configure the resource.
c .
j. Enter the Path to Directory and click OK.
e In
For Windows Server
t u t
Enter: C:\Windows\Temp\SAS Temporary Files
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
For Linux Server
y r r e
Enter: /tmp
o p f o r
C o t
N
k. Create a new Metric Viewer portlet on the Dashboard page. Click the Dashboard tab.
l. On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add Content
to this column field and click the button.
m. Click the Configure button to display the Dashboard Settings page for the portlet.
c .
e
n. On the Dashboard Settings page, specify the following information: In
Description:
u t
SAS Work disk space
t
Metric:
s t i
Resource Type: Select FileServer Directory
.
Select Disk Usage
n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
o. Click Add to List.
t
p. Select the SAS Work resource that you just defined and click the arrow pointing to the right to
C o
move the resource to the right side. Click OK.
N
q. Click OK.
6.4 Solutions 6-61
In most cases, the Metric Viewer portlet will provide the resource types that you want and
therefore you can get the metrics that you want to view directly. In this case, we had to use an OS
level resource type to view those metrics.
5. Creating an Environment Snapshot
The Environment Snapshot contains a comprehensive listing of the system information in the SAS
Environment Manager database. It collects and displays the most current performance measures
and configuration parameters and also executes and gathers real-time usage information.
a. Select Analyze  Environment Snapshot.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
b. In the Summary Table, select Select a System and select sasserver.demo.sas.com.
t S s
i g h d i
y r r e
o p f o r
C o t
N
c. There are a series of tabs at the top of the Environment Snapshot window. Select the SAS tab.
This display shows information about the SAS servers that is stored in the SAS Environment
Manager database.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
d. Select the Mid Tier Servers tab.
f
C o t
N
This tab shows configuration values for the middle tier servers. Notice that this is a display-only
screen; no changes can be made to the configuration from this screen.
6.4 Solutions 6-63
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
e. Create a snapshot of your sasserver machine. On the left side of the Environment Snapshot
screen, under the Create a Snapshot window, select Include Events and Include Alerts. Select
s
i g h d i
Snapshot Environment.
y r r e
o p f o r
C o t
N
Because the plug-in queries the SAS Environment Manager database, taking a snapshot might
take several minutes. This depends on the size of the installation and the number of machines
being monitored by your environment.
f. After you create a snapshot file, the location of the file is displayed in the plug-in.
c .
e In
t u t
g. Select the Snapshots tab on the Environment Snapshot tab menu to view the snapshot.
s t i n .
I n i o
h. Select the snapshot file in the Snapshot Summary screen.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
6.4 Solutions 6-65
6. Defining an Alert for a SAS Server Log File

Log file entries are one type of event that can be configured and customized using SAS Environment
Manager’s log file tracking. For each SAS server, a special file called
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard. They can
be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Since each SAS server has its
own properties file, logging events can be created for specific server types.
In this exercise, you will set up an alert to be triggered whenever a warning message for the I/O
c .
In
Subsystem appears in the log of the SAS Metadata Server.
a. On the server machine, navigate to the metadata server’s sev_logtracker_plugin.properties file.
For Windows Server
u t e
t i t .
Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.
I n s
For Linux Server
i o n
S u t
A tri b
b. Make a backup copy of sev_logtracker_plugin.properties.
S
h t i s
r i g e d
c. Open sev_logtracker_plugin.properties.
r
p y o r
C o t f
N o
The entries in this file use the format:
level. [level_of_message] . [sequential_number] = [regular_expression]
All sev_logtracker_plugin.properties files contain the following two entries by default:
#All fatal
level.fatal.1=.*
#All errors
level.error.1=.*
These entries specify that an event is created whenever a message appears in the SAS log with a
level of Fatal or Warn. The message can contain any text. (The period represents any character
and the asterisk says zero or more of the preceding character, which is a period, so any and all
characters.)
level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
whenever a message with a level of Warn appears that also contains the words: Access to this
account and is locked out. Any or no characters can be before, in between, and after these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties’ file, the next warn message to be captured would be
c .
In
level.warn.3=.*message text here.*
u t e
d. Add the entry level.warn.3=.*I/O Subsystem.* to the file.
t i t .
I n s i o n
S u t
S A tri b
h t i s
i g d
e. Save and close the file.
r r e
p yf. In SAS Environment Manager, locate the server SASMeta - SAS Metadata Server on the
r
Resource page and click it to bring up the Resource Detail page for the server.
o
C o t f
N o
6.4 Solutions 6-67
g. On the Detail page, select Alert  Configure to display the Alert Configuration page.
c .
e In
t u t
s i
h. Click New to display the New Alert Configuration page.
t n .
I n t i o
S
A tri b u
i.
t S
Name the alert, select the priority, and specify that the alert should be active.
s
i g h
Name: i
Alert Properties:
d I/O Subsystem
y r r
Priority:
e Medium
o p f o r
Description: I/O subsystem warnings in the server log
Condition Set: Select the Event/Logs Level radio button and then select Warn in the
C o t Event/Logs Level field.
N
In the match substring field, enter I/O Subsystem.
These values specify that an alert is issued whenever an event is found for a Warn message from
the log containing the string I/O Subsystem.
In the Enable Actions(s) area, select the Each time conditions are met radio button. An alert is
triggered each time an I/O Subsystem warning appears in the log.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
j.
i h
Click OK.
g d i
r r e
7. Searching on the Web for SAS Usage Note on I/O Subsystem
y
o p f o r
a. Open a new tab in Internet Explorer and click the Home button
b. In the Search field, enter I/O Subsystem.

in the upper right.
C o t
c. Select the Usage Note 53874.
Nd. There are many papers from SAS that can help you with various troubleshooting
techniques.
 For a complete list of papers useful for troubleshooting system performance
problems, see Usage Note 42197.
6.4 Solutions 6-69
c .
e In
t u t
s t i n .
I n t i o
8. Locating Logs Created by Enabling and Initializing the APM ETL
S
A tri b u
If the APM ETL package is enabled and initialized, a potentially large volume of log files are created.
The ETL process extracts data from SAS logs and loads that data into the data mart so that the
t S
applicable stored process reports have data to work with. Data is extracted from the SAS logs only
when the logs roll over (usually after midnight).
s
i g h d i
a. Locate log files that are generated.
y r r e
For Windows Server
o p
1.
f o rNavigate to D:\SAS\Config\Lev1\SASApp\WorkspaceServer.
C o t
N
2. Open the PerfLogs directory. Logging of this server causes a separate log file to be created
in this directory for each spawned SAS Workspace Server. This means that there is a log
file for each session of SAS Enterprise Guide or SAS Data Integration Studio users.
c .
e In
t u t
s t i n .
I n t i o

S
A tri u
With the enablement and initialization of the APM ETL package, the SAS
b
Application server environment is modified to enable ARM (Application Response
t S s
Measurement), as well as the activation of SAS logging facility loggers and log
appenders, to support the ARM-enabled SASApp deployment. This is discussed in
h i
the next chapter.
r i g3.
r e d Be aware of the potential for the large number of log files that can be created in
p y o r
this directory. You can create a daily archive of the logs in a .zip or .tar file and
then copy the daily archive to another storage location. This process enables you to
C o t f manage the large number of log files while maintaining IT best practices for
retaining usage logs.
N o 1.
For Linux Server
Navigate to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
r
Linux Server
2. Open the PerfLogs directory. Logging of this server causes a separate log file to be created
in this directory for each spawned SAS Workspace Server. This means that there is a log
file for each session of SAS Enterprise Guide or SAS Data Integration Studio users.
6.4 Solutions 6-71
 With the enablement and initialization of the APM ETL package, the SAS
Application server environment is modified to enable ARM (Application Response
Measurement), as well as the activation of SAS logging facility loggers and log
appenders, to support the ARM-enabled SASApp deployment. This is discussed in
the next chapter.
3.
Be aware of the potential for the large number of log files that can be created in
c .
this directory. You can create a daily archive of the logs in a .zip or .tar file and
then copy the daily archive to another storage location. This process enables you to
In
manage the large number of log files while maintaining IT best practices for
retaining usage logs.
t e
9. Running Stored Processes from the Report Center
u
i t
t .
I s i o n
Select Analyze  Report Center. The Report Center is displayed in a separate window or tab in
n
your browser. The Report Center uses the SAS Stored Process Web application, so the window is
t
titled Stored Processes.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
To create a report, click on the stored process entry. The viewing pane of the Report Center
C o t
window displays prompts for the information in the report. You can select the categories of inputs
on the left side of the display area to fully customize the report. Click Run to produce the report.
N 1) Select Products  SAS Environment Manager  Dynamic Reports  Metadata

Inventory.
Identity Report
Which users are SAS administrators?
Which users are Unrestricted Administrators?
Which users can use SAS Studio? SASUSERS group?
Duplications
c .
Are there any duplicate tables registered in metadata?
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
ID Artifact Mappings by Type
s
i g h d i
How many cubes are in the environment?
y r
3
r e
2) Select Products  SAS Environment Manager  Nightly Reports  ARM Performance
o p f o r
Reports.
t
C o Resource Data Usage
N How many tables has Jacques accessed?

Answers will vary
6.4 Solutions 6-73
User – Server Activity by User

How many SAS servers have been used and within what period of time?
Answers will vary
c .
e In
t u t
3) Select Products  SAS Environment Manager  Nightly Reports  Audit Reports (Log
Forensic).
s t i n .
I n
Authentication Errors
t i o
S u
Are there any authentication errors by users?
A tri b
t S
Answers will vary
s
i g h d i
y r r e
o p f o r
C o t
N
Metadata Client Activity
Are any users currently connected to the metadata server?
Answers will vary
c .
In
4) To see a full listing of available reports select Products  SAS Environment Manager 
Dynamic Reports  Datamart  Report Center Report Listings.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Chapter 7 Managing SAS®
Compute Servers and Spawners
7.1 Understanding SAS Compute Servers ........................................................................7-3
Demonstration: Monitoring SAS Servers and Sessions from SAS Management
c .
e In
Console ...................................................................................................... 7-19
Exercises .............................................................................................................................. 7-21
7.2
t u t
Administering Server Logging ...................................................................................7-26
t i .
Demonstration: Viewing Metadata Server Logging in SAS Management Console ............. 7-36
s n
n
Exercises .............................................................................................................................. 7-40
I t i o
7.3
S u
Solutions .....................................................................................................................7-44
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
7-2 Chapter 7 Managing SAS® Compute Servers and Spawners
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
7.1 Understanding SAS Compute Servers 7-3
7.1 Understanding SAS Compute Servers
Objectives
 Explore the functionality of a workspace server.
 Explore the functionality of a pooled workspace
server.
c .
In
 Explore the functionality of a stored process server.
 Identify the role of the object spawner.
u t e
t i t .
I n s i o n
S u t
3
S A tri b
h t i s
r
SAS Servers
i g r e d Whether users enter their own code,
p y o r execute a stored process, or enable

SAS applications to generate code
C o t f for them, the code is executed on

a SAS server. Each server type has
N o different capabilities.
4
4

Most code generated by SAS applications is executed
on a workspace server.
A workspace server is a SAS session that executes
SAS code to do the following:
 access data libraries
 perform tasks using the SAS language
c .
In
 retrieve results
u t e
t i t .
5
I n s i o n
t
5
S
A tri
SAS Workspace Server b u
t S s
By default, the following events occur:
i g h d i
 The object spawner launches a workspace server
under the user’s credentials.
y r r e
 The user’s credentials are authenticated by the host
r
operating system.
o p f o
 The workspace server is shut down when the client
application is shut down.
C o t
 You can convert a standard workspace server to use
SAS Token Authentication.
N  In some cases, you can convert a standard workspace

server to use Integrated Windows Authentication.
6
6
SAS token authentication is when the metadata server generates and validates a single-use identity token
for each authentication event.
Connecting to a SAS Workspace Server
c .
e In
t u t
s t i n .
14
14
I n t i o ...
S
A tri
b u
1. Using the established connection to the metadata server, SAS Enterprise Guide requests access
t S
2. The metadata server searches the metadata for the workspace server in question.
s
3. The metadata server retrieves the name of the machine hosting the workspace server, the port
i g h d i
on which the object spawner listens for request for this server, and the authentication domain
associated with the workspace server.
r r e
4. The connection information is returned to SAS Enterprise Guide.
y
o p f o r
5. SAS Enterprise Guide uses the connection information to make the request for a workspace server.
If the authentication domain for the server matches that of the initial inbound login, SAS Enterprise
C o t
Guide passes along the credentials as well.
 If the server is assigned a different authentication domain, SAS Enterprise Guide searches
N its in-memory list of credentials for Jacques for credentials with the appropriate authentication
domain. If none is found, SAS Enterprise Guide queries the metadata server for credentials for
Jacques for that particular authentication domain (outbound login). If none is found, Jacques
is prompted for credentials.
6. The object spawner sends Jacques’ credentials to its authentication provider. The default
authentication provider is the host.
7. The authentication provider verifies that the credentials are valid.
c .
e In
t u t
s t i n .
18
18
I n t i o ...
S
A tri b u
8. The object spawner launches the workspace server. It uses the launch command that was retrieved
from the metadata at start-up. The workspace server runs under the credentials provided
by SAS Enterprise Guide and authenticated by the host.
t S
9. The object spawner provides SAS Enterprise Guide with a TCP connection to the workspace server
s
session.
i g h d i
10. SAS Enterprise Guide communicates directly with the workspace server.
y r r e
o p f o r
C o t
N
19
19 ...
11. SAS Enterprise Guide submits one or more requests for processing. Results are returned
to SAS Enterprise Guide as appropriate.
c .
e In
t u t
s t i n .
20
20
I n t i o
 S
A tri b u
12. After Jacques closes SAS Enterprise Guide, the workspace server session ends.
The connection could close earlier if there is a TCP time-out.
t S s
i g h d i
Workspace Server Pooling
y r r e
In pooling, a set of workspace server processes are
r
 made available to process certain types of requests
o p f o
 reused for subsequent requests
 owned by a shared identity.
C o t
N
21
21
Workspace Server Pooling

The primary purpose of workspace server pooling
is to enhance performance by avoiding the time
associated with launching workspace servers on demand.
c .
In
In general, pooling is used when a relational information
map is queried, processed, opened, or used indirectly
through a report.
u t e
t i t .
22
I n s i o n
t
22
S
A tri b u
What Is a SAS Stored Process?
t S s
A SAS Stored Process has the following characteristics:
i g h d i
 is a SAS program that is hosted on a server
or in metadata and registered in metadata
y r r e
 can be executed by many of the platform
r
for SAS Business Analytics applications
o p f o
 consists of a SAS program along with a metadata
definition that describes how the stored process
C o t should execute
N
23
23
The stored process metadata properties determine which type of server the stored process is executed
on, where the source code is stored, and the type of output that is produced.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
Executing a Stored Process
C o t
Stored processes are typically executed on a stored
N process server but can also be executed on

a workspace server.
24
24

SAS Stored Process Servers interact with SAS
by executing stored processes.
Each stored process server
 handles multiple users
.
 is reused for subsequent requests
 is owned by a shared identity
 includes load-balancing settings that the object

spawner uses to distribute requests between
In c
the server processes.
u t e
t i t .
25
I n s i o n
t
25
S
A tri b u
Connecting to a SAS Stored Process Server
t S s
i g h d i
y r r e
o p f o r
C o t
N
35
35 ...
1. Using the established connection, SAS Enterprise Guide requests access to a stored process server.
2. The metadata server searches the metadata for the stored process server in question.
3. The metadata server retrieves the machine name hosting the stored process server, the port on which
the object spawner listens for request for this server, and a token.
 A SAS identity token is a single-use, proprietary software representation of an identity.
5. SAS Enterprise Guide uses the connection information and the token provided by the metadata server
to make the request for a stored process server.
6. The object spawner sends the token to the metadata server for verification.
7. The metadata server verifies that the token is valid.
8. If there is no stored process server currently available and more can be spawned, the object spawner
sends the shared credentials, typically sassrv, to the host for authentication.
 During its own start-up, the object spawner not only retrieves the launch command for the
stored process server from the metadata, but also the shared credentials, user ID, and password.
9. The authentication provider authenticates the credentials.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
40
o p
40
f o r ...
10. The object spawner launches the stored process server. It uses the launch command that it retrieved
C o t
from the metadata at start-up. The stored process server runs under shared credentials.
11. The object spawner provides SAS Enterprise Guide with a TCP connection to the stored process
N
server. During the execution of the stored process, metadata server requests are done as an individual
user, and operating system requests are done as the shared account.
12. SAS Enterprise Guide communicates directly with the stored process server. SAS Enterprise Guide
submits a request to execute a stored process.
13. The results from the stored process are returned to SAS Enterprise Guide as appropriate.
c .
e In
t u t
s t i n .
41
41
I n t i o ...
S
A tri b u
After the execution of the stored process is complete, the stored process server is available for reuse
by other requests from the same or a different user.
t S s
i g h d i
y r r e
o p f o r
C o t
N
49
49 ...
14. Using the established connection, SAS Enterprise Guide requests access to a stored process server.
15. The metadata server searches the metadata for the stored process server in question.
16. The metadata server retrieves the machine name hosting the stored process server, the port on which
the object spawner listens for request for this server, and a token.
 A SAS identity token is a single-use, proprietary software representation of an identity.
18. SAS Enterprise Guide makes the request for a stored process server. It uses the connection
information and the token provided by the metadata server.
19. The object spawner sends the token to the metadata server for verification.
20. The metadata server verifies that the token is valid.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
53
53
i g h d i ...
21. If there is an available stored process server, the object spawner provides SAS Enterprise Guide with
r e
a TCP connection to the stored process server.
y r
o p o r
22. SAS Enterprise Guide communicates directly with the stored process server to submit a request
to execute a stored process.
f
23. The results from the stored process are returned to SAS Enterprise Guide as appropriate.
C 
o tThe stored process server can be reused by the same user or by a different user.
c .
e In
t u t
s t i n .
54
54
I n t i o
by other requests. S
A tri b u
After the execution of the stored process is complete, the stored process server is available for reuse
t S s
Stored Process Server
i g h d i
e
By default, the stored process server is configured with
y r r
 one connection
r
p
 three multibridge connections.
o t f o This is the port on which an object spawner
C
listens for stored process server requests.
N o
Each multibridge connection maps to a stored
process server process and uses the specified
port to communicate with applications.
55
55
SAS Token Authentication (Review)
c .
e In
t u t
s t i n .
56
56
I n t i o
S
A tri b u
SAS Token Authentication is when the metadata server generates and validates a single-use identity token
for each authentication event. This enables participating SAS servers to accept users who are already
S
h t
1. The user initiates a request that requires access to a target server (for example, a request in SAS
i s
Enterprise Guide to open a cube associated with the OLAP server). Using the existing connection
r g r e d
to the metadata server, the client requests an identity token for the target server.
i
2. The metadata server generates the token and returns it to the client.
y r
3. The client sends the token to the target server.
p o
C o t f
4. The target server sends the token back to the metadata server for validation.
5. The metadata server validates the token and returns an acceptance message and a representation
6. o
of the user to the target server.
N The target server accepts the connection.

The benefits of SAS token authentication are listed here:
 Individual, external accounts for credential-based authentication are not required.
 SAS copies of individual, external passwords do not need to be stored in the metadata.
 Reusable credentials are not transmitted across the network.
 Metadata layer evaluations are based on the requesting user’s identity.
The limitations of using SAS token authentication are as follows:
 Host access is based on a shared login, if implemented for use on a standard workspace server.
 It is available only for metadata-aware connections to the target server.
 This authentication is not available for access to third-party database servers.
Because SAS token authentication essentially uses a shared login (typically, sassrv), host access
to resources is based on access rights associated with that account.
Converting a standard workspace server to use SAS token authentication requires some changes
to the server’s metadata.
In the Properties window for the logical workspace server, select SAS token authentication
on the Options tab.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
g h d i
In the Properties window for the physical workspace server, select Launch credentials on the
i
r
Options tab.
y r e
o p f o r
C o t
N
SAS Object Spawners

Workspace servers and stored process servers are
initialized by the SAS Object Spawner.
An object spawner does the following:
 runs on each machine where you want to run
a workspace server or stored process server
 listens for requests and launches servers, as
c .
In
necessary
u t e
t i t .
57
I n s i o n
t
57
S
A tri
SAS Object Spawners b u
t S s
When the object spawner starts, it uses the information
i g h d i
in its metadata configuration file to access the metadata
server. The file is named metadataConfig.xml, by default.
y r r e
o p f o r
C o t
N
58
58
If changes are made to the server or spawner configurations, the spawner can be refreshed in order
to pick up and apply these new changes. The refresh reinitializes the spawner and forces it to reread its
configuration in the metadata. As part of this refresh, the spawner quiesces any servers that it has started.
The servers shut down when their clients have completed their work.
To refresh an object spawner, follow these steps:
1. Expand the Server Manager node  Object Spawner then right-click the Object Spawner machine
name node.
2. From the pop-up menu, select Connect.
3. Right-click the Object Spawner node again. From the pop-up menu, select Refresh Spawner.
4. In the confirmation dialog box, click Yes.

 When an object spawner manages more than one SAS Application Server context, you can
refresh a specific application server by selecting Refresh Application Server.
SAS Object Spawners
.
During start-up, the object spawner retrieves, from the
c
metadata, information about how to launch the servers.
e In
t u t
s t i n .
I n t i o
S
A tri b u
59
59
t S s
i g h d i
y r r e
o p f o r
C o t
N
Monitoring SAS Servers and Sessions from

This demonstration illustrates how to monitor SAS servers and sessions from SAS Management Console.
1. In SAS Management Console, right-click the Server Manager plug-in and select Options.
Select Active, Inactive and Ended and click OK.
c .
e In
t u t
s t i n .
I n t i o
2. Expand the Server Manager plug-in and then select SASApp  SASApp - Logical Workspace
S
A tri b u
Server  SASApp - Workspace Server  sasserver.demo.sas.com. Right-click
sasserver.demo.sas.com and select Connect.
t S s
i g h d i
y r r e
o p f o r
C o t
N
3. Connect also to the stored process server. Expand SASApp - Logical Stored Process Server 
SASApp - Stored Process Server. Right-click sasserver.demo.sas.com and select Connect.
Notice that the tabs become active when you are connected.
4. On the Folders tab, navigate to Orion Star  Marketing Department  Stored Processes.
Right-click Analysis of Product Orders by Gender.
5. On the Execution tab, select Stored process server only. Click OK.
c .
e In
t u t
6. Start a SAS Enterprise Guide session, select Start  All Programs  SAS 
SAS Enterprise Guide 7.1. Close the Welcome window.
t i .
7. In the Server list, expand Servers  SASApp.
s n
I n
8. Locate the process running under Jacques’ credentials. What is the process ID?
t i o
9. In SAS Enterprise Guide, select File  Open  Stored Process. Navigate to Orion Star 
Click Open.
S
A tri b u
Marketing Department  Stored Processes. Select Analysis of Product Order by Gender.
t S
10. With the stored process highlighted in the Process Flow window, select Run  Run Analysis
of Product Order by Gender.
s
i g h d i
Switch back to SAS Management Console. What is the process ID? The process ID varies.
y r e
Who is the process owner? sassrv
r
11. Expand sasserver.demo.sas.com and select the process ID. Click the Sessions tab.
o p o r
Are any sessions listed? If not, why not? The session is listed while the stored process executes,
f
but that might be too fast to see.
C t
12. Return to SAS Enterprise Guide and rerun the stored process. While the stored process executes,
o
return to SAS Management Console and select the stored process server PID.
NWas a new process started? No, the process was reused.
Exercises
1. Exploring the Object Spawner

a. On the server machine, open the metadataConfig.xml file that the object spawner reads at
start-up.
For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.
c .
Open metadataConfig.xml with Notepad.
e In
For Linux Server
t u t
t i .
Use mRemoteNG or WINSCP to navigate to /opt/sas/config/Lev1/ObjectSpawner.
s n
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.
I n t i o
What account does the object spawner use to connect to the metadata server?
S
A tri b u
b. Use SAS Environment Manager or SAS Management Console on the client machine to look at
the metadata properties of the Object Spawner. Use credentials of Ahmed with the password
t S
Student1.
s
i g h d i
y r r e
1) Go to Administration page  Side Menu  Servers.
2) Right-click Object Spawner - sasserver and select Open to view metadata properties.
o p o r
3) From the drop-down menu, select Servers.
f
C o t What servers is the object spawner responsible for starting?
N Expand Server Manager. Right-click Object Spawner - SASSERVER and select Properties.
Click the Servers tab.
What servers is the object spawner responsible for starting?
c. Use SAS Environment Manager to view metrics for the Object Spawner.
1) On the Resources tab, select sasserver.demo.sas.com Object Spawner - sasserver.
2) Find the following metrics:
Current Clients: shows how many clients are connected to the Object Spawner at the
moment.
Current Servers: shows how many servers of any type this Object Spawner has currently
launched.
Total Servers: shows how many servers of any type have been started by this Object
Spawner since it was launched.
3) You can use the up arrow ( ) to sequentially position the metrics next to each other on the
Monitor page. Click Apply button located at the top right of the Indicator Charts.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r e
d. Create a Server’s Launched by Object Spawner availability summary portlet.
r 1) On the left side of the Dashboard page, select Availability Summary in the Add content to
o p f o r
this column field and click the plus icon.
2) Click the Configure icon to display the Dashboard Settings page for the portlet.
C o t
3) Click Add to List in the selected Resources area.
4) In the View field, select Services and in the Filter By Name field, enter spawner and
N click .
5) Select all workspace servers, pooled workspace servers, and stored process servers. (You
should have selected six of the seven available.) Click to move them to the Add
Resources pane. Click OK.
6) Specify the name Spawned Servers in the Description field. Click OK.
7) Move the Spawned Servers availability summary portlet just below the OS and SAS Server
Tier availability summary portlet. Click the heading and drag it to the location.
c .
e In
t u t
s t i n .
Process Server I n t i o
2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
S
A tri b u
Use SAS Environment Manager or SAS Management Console to look at metadata properties of the
servers.
t S s
i g d i
h
a. On Administration page  Side Menu  Servers. Expand SASApp  SASApp - Logical
y r r e
Workspace Server. Right-click SASApp - Workspace Server and select Open.
o p f o r
What command is used by the object spawner to start the workspace server?
What port does the object spawner listen on for requests for the workspace server?
C o t
 The information can be found on the properties pages. Use the drop-down menu next to
Basic Properties.
Nb. On Administration page  Side Menu  Servers. Expand SASApp  SASApp - Logical
StoredProcess Server. Right-click SASApp - Stored Process Server and select Open.
What command is used by the object spawner to start the stored process server?
What shared ID does the object spawner use to launch the stored process server?
What port does the object spawner listen on for requests for the stored process server?
 The information can be found on the properties pages. Use the drop-down menu next to
Basic Properties.
a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.
What port does the object spawner listen on for requests for the workspace server?
b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
What port does the object spawner listen on for requests for the stored process server?
3. Locating the Shared ID Credentials
c .
a. Select Side Menu  Users.
e In
u t
b. In the Search field, type SAS General Servers.
t
s i
c. Right-click SAS General Servers and select Open.
t n .
What is the description of this group?
I n i
Who is the member of this group?
t o
 S
What account is attached to this group?
A tri b u
Members of a group can access credentials stored on a group. Because the object spawner
t S connects to the metadata server with the sastrust@saspw account, the object spawner
is a member of the SAS General Server group.
s
g h d i
i
y r r e
a. Expand User Manager.
o p f o r
b. Right-click SAS General Servers and select Properties.
What is the description of this group?
C o t
Who is the member of this group?
N  Members of a group can access credentials stored on a group. Because the object spawner
connects to the metadata server with the sastrust@saspw account, the object spawner
4. Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
The Saved Chart portlet displays a rotation of all of the resource metric charts that you have saved.
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard. When
you create the portlet, all of your saved charts automatically appear.
a. Make sure you are logged on to SAS Environment Manager as Ahmed and using the password
Student1.
b. Create a Free Memory chart.
1) Select Resources  Browse.
2) On the Resources page, select Platforms.
3) Click sasserver.demo.sas.com.
4) Scroll down to the Free Memory chart.
5) Click Free Memory.
6) On the Metric Chart page, select Save Chart to Dashboards.
7) Select Ahmed and click Add.
8) Go to Dashboards to see the chart saved. It is displayed on the left side.
c. Create a Number of Spawned Servers chart.
c .
In
1) Select Resources  Browse  Servers.
2) In the All Server Types field, select SAS Object Spawner 9.4.
t e
3) Click the arrow at the right of the filter fields.
u
t i t
4) Click sasserver.demo.sas.com Object Spawner - sasserver.
.
5) Scroll down to the Current Servers chart.
n s
6) Click Current Servers.
I i o n
S u t
S A tri b
9) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved Charts
portlet.

h t i s
You can toggle between the two saved charts or remove them from the pane on the left of
r i g r e d
the Saved Charts portlet.
d. Create a Metadata Server Clients Per Minute chart.
p y r
o
C o t f
2) In the All Groups field, select SAS Metadata Servers.
3) Click the arrow at the right of the filter fields.
N o 4) Click sasserver.demo.sas.com SASMeta - Metadata Server.

5) On the left side of the Resource Detail page, select All Metrics from the drop-down menu.
6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon ( ).
7) From the tooltip, select View Full Chart. The Metric Chart page appears.
portlet.
7.2 Administering Server Logging
Objectives
 Explore the SAS logging facility.


View logging in SAS Management Console.
Create audit logging on SAS data sets.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
64
64
h t i s
r i g r e d
SAS Server and Spawner Logging
The SAS servers and spawners generate messages
p y o r
as events occur. These messages can be of different
severity levels from informational to severe. They can
C o t f
be directed to a number of different locations, including
the following:
N o  log files
 operating system logs
65
65
The SAS Logging Facility is a flexible, configurable framework that you can use to collect, categorize,
and filter events and write them to a variety of output devices. The facility logs information in support
of the following:
 problem diagnosis and resolution
 performance and capacity management
 auditing and regulatory compliance.
7.2 Administering Server Logging 7-27
Configuring Server Logging

Logging for each server is enabled by a system option
and configured in an XML file.
 The LOGCONFIGLOC= system option is specified
in the server’s sasv9.cfg file and points to the logging
configuration file.
 The logging configuration file is an XML file that
configures what messages are captured and where
c .
they are sent.
e In
t u t
s t i n .
66
66
I n t i o
S
A tri b u
Initial logging settings for each SAS server are detailed in SAS® 9.4 Intelligence Platform: System
Administration Guide under System Monitoring and Logging  Administering Logging for
SAS Servers  Initial Logging Configuration for SAS Servers.
t S s
i g h d i
Loggers and Appenders
y r r e
Loggers and appenders define what messages are
o p f o r
captured and where they are sent.
Loggers Use a hierarchical system to categorize
C t
log events. They can be configured
o
to go to multiple appenders.
N Appenders Represent a specific output destination

for messages, including fixed files, rolling
files, operating system facilities, and
client applications.
67
67
Loggers
SAS server logger names begin with one of the following
categories, which process the following types of events:
Admin Relevant to systems administrators
and computer operators
App
Audit
Related to specific applications
Related to user authentication and security
c .
IOM
administration
e
For servers that use Integrated Object Model In
t u t
(IOM) workspace server interface
Perf
s i
Related to system performance
t .
Settings of the Root logger are inherited by all other
loggers by default.
n
68
68
I n t i o
S
A tri b u
The App loggers process logs events related to specific applications such as metadata servers, OLAP
servers, stored process servers, and workspace servers.
t S
The IOM interface provides access to SAS Foundation features such as the SAS language, SAS libraries,
the server file system, results content, and formatting services. IOM servers include metadata servers,
s
i g h d i
OLAP servers, stored process servers, and workspace servers.
Below is a list of some sample loggers that are useful for monitoring the metadata server and metadata.
r r e
App.Meta is the parent logger for metadata server events. Logging levels that are defined for this logger
y
o f o r
are inherited by its child loggers unless they are explicitly overridden. They include:
p
 App.Meta.CM, which logs change management events, including check-in and check-out.
C o t
 App.Meta.IO, which logs low-level input and output activity.
 App.Meta.Mgmt, which logs metadata server management activity such as server operation actions,
N
creating and deleting repositories, modifying repository access modes, and repository backup and
migration.
Audit.Meta.Security is the parent logger for metadata server security events. No events are written
directly to this logger. Logging levels that are defined for this logger are inherited by its child loggers
unless the levels are explicitly overridden. Examples are: Audit.Meta.Security.AccCtrlAdm,
Audit.Meta.security.GrpAdm, Audit.Meta.Security.UserAdm.
Perf.Meta.Expensive logs requests that take longer than a specified time threshold so that application
developers and administrators can identify high-cost metadata requests. The performance threshold is 30
seconds. (This is new in SAS 9.4.)
Admin.Operations processes log events that are related to server operations, such as starting, pausing,
and stopping an instance of a workspace server.
Audit.Authentication processes log events for server authentication requests.
Diagnostic Levels
Log events have an associated diagnostic level.
TRACE Fine-grained informational events intended for
SAS Technical Support
DEBUG Fine-grained informational events useful
.
in debugging an application and intended for
SAS Technical Support
INFO Informational events that highlight the process
of an application
In c
WARN
to the application
u t e
Warning events or minor problems that are external
ERROR
i t
Error events that might still enable the application
t
to continue running
.
69
FATAL
I s o
the application to end
i n
Very severe events that most likely cause
n t
69
S
A tri
WARN, ERROR, FATAL.
b u
The logging levels are listed from the lowest (most detailed) to the highest: TRACE, DEBUG, INFO,
t S
Appenders
s
i g h d i
e
SAS has several appender classes for processing
y r r
messages.
r
p
IOMServerAppender An IOM server appender to log
o t f o messages from any IOM server
C o
FileAppender
RollingFileAppender
File appenders for writing log
messages to a file on disk
N UNIXFacilityAppender Appenders to write to Windows, UNIX,

WindowsEventAppender and z/OS operating system logs
ZOSFAcilityAppender
ConsoleAppender Appenders to log messages to an
ZOSWtoAppender operating system
 Log files are not deleted from log directories by default.
70
70
Appender specifications can include additional parameters to specify the following:

 filename (fileNamePattern)
 file header information (HeaderPattern)
 layout of messages in file (ConversionPattern)
These parameters typically use conversion characters referenced with a preceding percent sign, including
the following:
Conversion Description
Character
d Date of logging event

The date conversion specifier, %d, can be followed by a set of braces that contains a date
t
and time pattern string such as %d{HH:mm:ss, SSS} or %d{DATE}.
Identifier for the thread that generated logging event

c .
m Application-supplied message lines associated with the logging event
e In
c
t
Used to output the logger name of the logging event
t u
p
S
s i
Used to output the level of the logging event
t n .
Used to output various pieces of system information and must be followed by the key for
I n o
the system information desired, placed between braces such as %S{os_name}
t i
Valid system information keys include the following:
S host_name
A tri
 os_name
b u
t S  os_version
s
i g h d i
 user_name: identity that owns the process and not client identity associated with
current thread
y r r e  startup_cmd
o p u
f o r Client identity associated with current thread
C o t IOMServerAppender and
N SAS Management Console
The IOM Server Appender writes log messages from
IOM servers to a volatile run-time cache. The contents
of the cache are available for display in SAS Management
Console.
Use the Server Manager options to specify a message
level or threshold filter level.
71
71
The option settings filter the events that are already generated, based on the server’s logging settings.
Message Level Specifies a specific level of messages to be displayed in

Threshold Level Specifies the lowest level of messages to be displayed in

How Did the Message Make It to the Log? c .

1. Event type is Audit, so send to Audit Logger. Audit
e In
t u t
Logger decides: level INFO >= threshold INFO
s t i n .
I n t i o
2. Event is passed to referenced Appender:
AuditTimeBasedRollingFile. Appender decides:
S u
level INFO >= THRESHOLD INFO
A tri b
t S s
i g h d i
72
y r
72
r e
3. Message is output to the log file.
p r
In addition to filtering log events based on thresholds that are assigned to loggers or appender definitions,
o
the logging facility enables you to use filter classes to filter log events based on one of the following: a
o f
character string in the message, a single threshold, a range of thresholds, and a combination of strings and
C t
thresholds.
o
Common Terminology
N
Log event:
Filter:
an occurrence that is reported by a program for possible inclusion in a log.
a set of character strings or thresholds, or a combination of strings and thresholds
that you specify. Log events are compared to the filter to determine whether they
should be processed.
Message category: a classification for messages that are produced by a SAS subsystem. Message
categories for the logging facility are administrative messages, application-specific
messages, audit messages, IOM messages, and performance messages.
Threshold: the lowest event level that is processed. Log events whose levels are below the
threshold
are ignored.
Logging Process
Stop Processing Stop Processing
Event Event
Log Event
Log Event
Log Event
< Threshold For
.
< Threshold
Appender or
For Logger
c
Filter
Route to
e
Log Event Log Event
In
t
Logger Based Logger >=Threshold Appender >=Threshold For
On Name For Logger Appender
t i t u .
73
I n s i o n Output Destination
t
73
S
A tri b u
1. A SAS process (for example, a SAS server process) issues a log event. Each event includes
the following attributes: name that indicates the message category, diagnostic level, and message .
t S
2. The log event is routed to a logger based on the event’s name.
3. The log event’s diagnostic level is compared to the threshold that is specified for the logger
s
g h d i
in the logging configuration. If the event’s level is at or above the specified threshold, then processing
continues. If the level is below the threshold, then the event is ignored.
i
y r r e
If no threshold is specified for the event’s logger, then the event inherits the threshold setting of the
nearest ancestor logger. For example, if an Audit.Meta.Security event is being processed, then
o p f o r
inheritance occurs as follows:
a. The event’s level is compared to the threshold for the Audit.Meta.Security logger.
C o t
b. If no threshold is specified for Audit.Meta.Security, then the threshold for Audit.Meta is applied.
c. If no threshold is specified for Audit.Meta, then the threshold for Audit is applied.
N d. If no threshold is specified for Audit, then the threshold for Root is applied.
If no threshold is assigned to the logger or its ancestors, then the event is ignored.
4. The log event is processed by the appenders that are assigned to the logger. Each appender
processes the log event. If the appender configuration includes a
a. threshold, the event’s level is compared to the threshold
b. filter, the event is compared to the filtering criteria.
5. If the log event passes the filter and threshold for the appender, it is written to the output
destination.
 Multiple appenders can be associated with a single logger. An event that passes the logger might
be written to one appender, but not to another. For example, a warning might be written
to a log file, but not to the terminal window.
Modifying Server Logging Configurations

The best practice is to use the initial logging configuration
files created by the SAS Deployment Wizard.
If necessary, you can use the following methods for
modifying server logging configurations:
 adjust logging levels dynamically using the Server
Manager plug-in
c .
In
 use alternative logging configuration files provided
for troubleshooting
u t e
 modify the server’s logconfig.xml file
t i t .
74
I n s i o n
t
74
S
A tri b u
Adjusting Logging Levels Dynamically
t S s
The dynamic changes affect all logging produced
i g h d i
by the server in question, but do not modify
the logconfig.xml file. The changes persist until
y r e
changed dynamically or the server is restarted.
r
o p f o r
C o t
N
75
75
By default, the Audit.Meta logger inherits the Information logging level from its parent, Audit. You can
assign a different level for this logger.
When the server is restarted, it rereads the logconfig.xml file.
Alternative Logging Configuration Files

To assist in troubleshooting, alternative logging
configuration files are provided for some servers,
including metadata servers, OLAP servers, pooled
workspace servers, stored process servers,
and workspace servers.
 The files are named logconfig.trace.xml.
 Messages are written to the server’s rolling log file.
c .
e
Performance issues can result from using these files. In
u t
Do not modify the logconfig.trace.xml logging
t
configuration files unless you are requested
t i .
to do so by SAS Technical Support.
s n
76
76
I n t i o

S u
Alternate logging configuration files named logconfig.apm.xml are provided and used if the SAS
A tri b
Environment Manager Service Architecture is enabled.
t S
Using Alternative Logging Configuration Files
s
g d i
To use an alternative logging configuration file, follow these steps:
h
1. Stop the server if it is running.
i
y r r e
2. Rename the server’s logconfig.xml file as logconfig_orig.xml.
3. Rename the server’s logconfig.trace.xml file
o p f o r
as logconfig.xml.
4. Restart the server if necessary.
C t
5. When troubleshooting is complete, stop the server if it is running. Rename logconfig.xml as
o
logconfig.trace.xml and logconfig_orig.xml as logconfig.xml. Restart the server if necessary.
N Make backup copies of any files that are modified.
Modifying logconfig.xml Files

The following are some examples of changes that you
might want to make to a server’s log configuration file:
 Configure the RollingFileAppender to use a different
log filename or to store the files in a different location.
 Configure a different message layout for an appender.
c .
In
If you choose to modify the server’s logconfig.xml
file, make a backup copy first.
u t e
t i t .
77
I n s i o n
t
77
S
A tri
and Programming Reference.
b u
For more information about the SAS logging facility, refer to SAS® 9.4 Logging: Configuration
t S s
i g h d i
y r r e
o p f o r
C o t
N
Viewing Metadata Server Logging in SAS Management

Console
This demonstration illustrates how to view logging for the metadata server under the Server Manager
plug-in.
1. In SAS Management Console, expand Server Manager plug-in  SAS Meta  SASMeta - Logical
Metadata Server. Right-click SASMeta - Metadata Server and select Connect.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
2. The tabs on the right are no longer grayed out. Click the Clients tab. The Clients tab lists the user,
host, and entry time for each client connected to the metadata server.
t S s
i g h d i
y r r e
o p f o r
C o t
N
3. Click the Options tab. The Options tab lists the name, description, value, and category for the server
and spawner options, counters, and properties.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
4. Click the Loggers tab. The Loggers tab lists the logging services that are in use for the server, as well
as the logging level that is captured, or inherited. This is configured for the IOM Server Appender in
the logconfig.apm.xml for the metadata server.

t S s
The logconfig.apm.xml is in use because Extended Monitoring has been enabled in this
i g h d i
environment.
y r r e
o p f o r
C o t
N
5. For example, Perf shows a level of <inherited>. It is inheriting the level from <Root> of Error. Right-
click Perf and select Properties.
6. You can assign a different diagnostic level here. The dynamic changes affect all logging produced by
The changes persist until changed dynamically or the server is restarted.

c .
the server in question, but do not modify the logging configuration file that is read at server start-up.
e In
t u t
s t i n .
I n t i o
S
A tri b u
t
7. Click Cancel.
S s
i g h d i
8. Click the Log tab. The Log tab displays the log for the server when configured to do so.
y r r e
o p f o r
9. Right-click the Server Manager plug-in and select Options.
C o t
N
10. Select the Logging tab.
11. Select Information for Threshold Level. Click OK.
c .
e
12. Right-click SASMeta and select Refresh. In
t u t
s t i n .
I n t i o
S u
13. Highlight again the SASMeta - Metadata Server and select the Log tab.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
5. Enabling Trace Logging for Object Spawner

a. Open Internet Explorer on the client machine. Go to the SAS Home page if not already there by
clicking the Home button in the upper right toolbar.
b. Type enable object spawner trace logging in the Search field and click Search.
c. Click Enable More Detailed Logging for SAS Object Spawner Troubleshooting, dated
c .
2015-07-16.

e In
You might need to click Date so that the most recent search results are at the top.
u t
d. (Optional) You can choose to temporarily increase the logging level dynamically in SAS
t
s i
Management Console (the second bullet).
t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
6. Auditing Data Access
NA common request to SAS Administrators is to be able to log and report on which users are accessing
SAS tables. The relevant information needs to be captured, which is the user, the table and the date
and time that the table was accessed. The SAS Logging Facility includes a logger for auditing access
to SAS libraries, which supports the ability to ‘log’ who has accessed data in a SAS library, including
SAS tables and database tables accessed via a SAS LIBNAME. The AUDIT.DATA logger will
record who has opened, deleted, or renamed a table.
In this exercise you define a logger, Audit.Data.Dataset and a RollingFileAppender named
TimeBasedRollingFileAudit for the Stored Process Server. You could use the existing
RollingFileAppender, but instead you will write to a new directory location that will hold only data
access entries in its log files.
a. Open sasv9_usermods.cfg for the Stored Process Server to find which logconfig.xml file is being
read at server start-up.
 In this environment, the SAS Environment Manager service architecture framework is
configured so that the logging configuration points to logconfig.apm.xml.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open
sasv9_usermods.cfg and find the value for the locconfigloc system option.
For Linux Server

. Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer. Open
c .
b. Rename logconfig.apm.xml to logconfig.apm.orig.xml.
e
c. For this exercise, there is a logconfig.apm.xml file located on the server that already has the new In
logger and appender.
t u t
Locate the file and copy it over to the Stored Process Server directory.
t i
For Windows Server
s n .
I n o
Navigate to D:\Workshop\spaft. Copy logconfig.apm.xml to
t i
D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
S
A tri b
For Linux Server u
t SNavigate to /opt/sas/Workshop/spaft. Copy the logconfig.apm.xml to
s
i g h d i
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
y r e
d. The Audit.Data.Dataset logger and the TimeBased RollingFileAudit appender was already
r added. Open the logconfig.apm.xml to view.
o p f o r
C o t
N The new logger will route Audit.Data.Dataset messages with a diagnostic level of TRACEand
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
TimeBasedRollingFileAudit.
The appender definition determines where the logger messages are written and what format is
used to output the messages. Note the following:
 The appender name matches the name specified in the appender tag of the logger definition
(TimeBasedRollingFileAudit).
 The ConversionPattern parameter values specifies the log message. This is the same as what is
written to an existing log file with the addition of LOGGER=%c. So the entry in the log file
will include the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The %c is a
conversion character that writes out the logger name.)
the name of the log file will be.

c .
 The FileNamePattern parameter value specifies where the log file will be written out and what
For Windows Server
e In
name=“FileNamePattern”
t u t
value=“D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs
s t
For Linux Server
i n .
I n t
name= “FileNamePattern”
i o
S
A tri b
e. Close logconfig.apm.xml. u
value=“/opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs
t S
f. The AuditLogs directory needs to be created.
s
i g h d i
For Windows Server
y r e
Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
r
o p f o rCreate AuditLogs directory. Verify that SAS Users and the sassrv account can write to
this location.
N Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to
this location.
g. Refresh the Object Spawner in SAS Management Console and validate that the Stored Process
Server is still operational.
1) Expand Server Manager plug-in  Object Spawner - sasserver. Right-click
2) Right-click sasserver.demo.sas.com and select Refresh Spawner.
3) Click OK to continue.
4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored
Process Server. Right-click sasserver.demo.sas.com and select Validate.
5) Click OK.
h. Run a stored process and check the audit log.
1) Open Internet Explorer on the client machine and select SASWebReportStudio on the
Favorites bar. Log on as Ahmed using the password Student1.
2) Select Open on the Getting Started Page.
3) Navigate to Orion Star  Marketing Department  Stored Processes.
4) Highlight Analysis of Product Orders by Gender and click Open.
5) Check the log.
For Windows Server
c .
In
Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and open the
log file.
u t e
For Linux Server
t i t .
Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and open the
log file.
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
7.3 Solutions
1. Exploring the Object Spawner
a. On the server, open the metadataConfig.xml file that the object spawner reads at start-up.
For Windows Server
c .
In
Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.
Open metadataConfig.xml with Notepad.
u t e
For Linux Server
t i t .
Use mRemoteNG or WINSCP to navigate to /opt/sas/config/Lev1/ObjectSpawner.
I n s i o n
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.
S u t
What account does the object spawner use to connect to the metadata server? sastrust@saspw
b. Use SAS Environment Manager or SAS Management Console on the client machine to look at
A tri b
the metadata properties of the Object Spawner. Use credentials of Ahmed using the password
S
Student1.
h t i s
r i g r e d
1) Go to Administration page  Side Menu  Servers.
p y o r
C o t f
N o
2) Right-click Object Spawner - sasserver and select Open to view metadata properties.
From the drop-down menu select Servers.
7.3 Solutions 7-45
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Expand Server Manager. Right-click Object Spawner - SASSERVER and select Properties.
Click the Servers tab.
c. Use SAS Environment Manager to view the metrics for the Object Spawner.
On the Resources tab, select sasserver.demo.sas.com Object Spawner - sasserver.
Find the following metrics:
Current Clients shows how many clients are connected to the Object Spawner at the moment.
Current Servers shows how many servers of any type this Object Spawner has currently
launched.
Total Servers shows how many servers of any type have been started by this Object Spawner
since it was launched.
c .
You can use the up arrow (
In
) to sequentially position the metrics next to each other on the
Monitor page. Click Apply button located at the top right of the Indicator Charts.
e
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
Nd. Create a Server’s Launched by Object Spawner availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add content to
this column field and click the plus icon.
2) Click the Configure icon to display the Dashboard Settings page for the portlet.
3) Click Add to List in the selected Resources area.
7.3 Solutions 7-47
4) In the View field, select Services and in the Filter By Name field, enter spawner and
click .
5) Select all workspace servers, pooled workspace servers, and stored process servers.
(You should have selected six of the seven available.) Click to move them to the
Add Resources pane. Click OK.
c .
e In
t u t
s t i n .
I n t i o
6) Specify the name Spawned Servers in the Description field. Click OK.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
7) Move the Spawned Servers availability summary portlet just below the OS and SAS Server
Tier availability summary portlet. Click the heading and drag it to the location.
c .
e In
t u t
s t i n .
I n t i o
Process Server
S
A tri b u
2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
servers.
t S
Use SAS Environment Manager or SAS Management Console to look at metadata properties of the
s
g h d i
i
y r r e
a. On Administration page  Side Menu  Servers. Expand SASApp  SASApp - Logical
o p f o r
Workspace Server. Right-click SASApp - Workspace Server and select Open.
C o t
N
7.3 Solutions 7-49
1) From the drop-down menu, select Options.
c .
e In
t u t
s t i
On the Windows Server
n .
I n i o
"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"
t
S
A tri b u
On the Linux Server
t S /opt/sas/ config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh
s
i g h d i
What port does the object spawner listen on for requests for the workspace server? 8591
y r r e
2) From the drop-down menu select Connections.
o p f o r
C o t
N
b. On Administration page  Side Menu  Servers. Expand SASApp  SASApp - Logical

StoredProcess Server. Right-click SASApp - Stored Process Server and select Open.
c .
e In
t u t
t i .
1) From the drop-down menu, select Options.
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N On the Windows Server
"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"
On the Linux Server

/opt/sas/ config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh
7.3 Solutions 7-51
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
sasserver\sassrv
t S s
On the Linux Server
i g h d i
sassrv
y r r e
What port does the object spawner listen on for requests for the stored process server? 8601
o p f o r
2) From the drop-down menu, select Connections.
C o t
N
a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.

"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"
On the Linux Server

/opt/sas/ config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh
What port does the object spawner listen on for requests for the workspace server? 8591
c .
e In
t u t
t i
b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
s n
I n
t i o
S u
"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"
A tri b
t S s
On the Linux Server
i g h d i
/opt/sas/ config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh
y r r e
o p f o rOn the Windows Server

sasserver\sassrv
C o t
N On the Linux Server
sassrv
What port does the object spawner listen on for requests for the stored process server? 8601
3. Locating the Shared ID Credentials
a. Select Side Menu  Users.
7.3 Solutions 7-53
b. In the Search field, type SAS General Servers.
c. Right-click SAS General Servers and select Open.
c .
e In
t u t
s t i n .
I n o
What is the description of this group? Allows members to be used for launching stored process
t i
servers and pooled workspace servers
S
A tri b u
Who is the member of this group? SAS Trusted User
t S s
i g h d i
sasserver\sassrv
y r r e
o p f o rOn the Linux Server
sassrv
C o t
 Members of a group can access credentials stored on a group. Because the object spawner
N is a member of the SAS General Server group.
a. Expand User Manager.

b. Right-click SAS General Servers and select Properties.
What is the description of this group? Allows members to be used for launching stored process
servers and pooled workspace servers
Who is the member of this group? SAS Trusted User

sasserver\sassrv
On the Linux Server

sassrv
 Members of a group can access credentials stored on a group. Because the object spawner
4. Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
c .
The Saved Chart portlet displays a rotation of all of the resource metric charts that you have saved.
In
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard. When
u t e
you create the portlet, all of your saved charts automatically appear.
a. Make sure you are logged on to SAS Environment Manager as Ahmed using the password
Student1.
t i
b. Create a Free Memory chart.t .
n s
1) Select Resources  Browse.
I i o n
S u t
2) On the Resources page, select Platforms.
3) Click sasserver.demo.sas.com.
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o 4) Scroll down to the Free Memory chart.
5) Click Free Memory.
7.3 Solutions 7-55
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
8) Go to Dashboards to see the chart saved. It is displayed on the left side.
c .
e In
t u t
t i .
c. Create a Number of Spawned Servers chart.
s n
I n t i o
2) In the All Server Types field, select SAS Object Spawner 9.4.
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N 3) Click the arrow at the right of the filter fields.
4) Click sasserver.demo.sas.com Object Spawner - sasserver.
7.3 Solutions 7-57
5) Scroll down to the Current Servers chart.
c .
In
6) Click Current Servers.
u t e
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
portlet.
c .
e In
t u t

s t i n .
You can toggle between the two saved charts or remove them from the pane on the
I n i o
left of the Saved Charts portlet.
t
S
A tri b u
d. Create a Metadata Server Clients Per Minute chart.
t S
2) In the All Groups field, select SAS Metadata Servers.
s
i g h d i
y r r e
o p f o r
C o t
N 3) Click the arrow at the right of the filter fields.
4) Click sasserver.demo.sas.com SASMeta - Metadata Server.
7.3 Solutions 7-59
5) On the left side of the Resource Detail page, select All Metrics from the drop-down menu.
c .
e In
u t
6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon ( ).
t
s t i n .
I n t i o
S
A tri b u
t S
7) From the tooltip, select View Full Chart. The Metric Chart page appears.
s
i g h d i
y r r e
o p f o r
C o t
c .
In
e
portlet.
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
5. Enabling Trace Logging for Object Spawner
C o t
clicking the Home button in the upper right toolbar.
Nb. Type enable object spawner trace logging in the Search field and click Search.
c. Click Enable More Detailed Logging for SAS Object Spawner Troubleshooting, dated
2015-07-16.
7.3 Solutions 7-61
 You might need to click Date so that the most recent search results are at the top.
d. (Optional) You can choose to temporarily increase the logging level dynamically in
SAS Management Console (the second bullet).
c .
e In
t u t
s t i n .
6. Auditing Data Access I n t i o
S
A tri b u
A common request to SAS Administrators is to be able to log and report on which users are accessing
SAS tables. The relevant information needs to be captured, which is the user, the table and the date
t S
and time that the table was accessed. The SAS Logging Facility includes a logger for auditing access
s
to SAS libraries that supports the ability to ‘log’ who has accessed data in a sas library, including SAS
g h d i
tables and database tables accessed via a SAS LIBNAME. The AUDIT.DATA logger will record who
has opened, deleted, or renamed a table.
i
y r r e
In this exercise you will define a logger, Audit.Data.Dataset and a RollingFileAppender named
o p o r
TimeBasedRollingFileAudit for the Stored Process Server. You could use the existing
RollingFileAppender, but instead you will write to a new directory location that will hold only data
f
access entries in its log files.
C t
a. Open sasv9_usermods.cfg for the Stored Process Server to find which logconfig.xml file is being
o read at server start-up.
N  In this environment, the SAS Environment Manager service architecture framework is

configured so that the logging configuration points to logconfig.apm.xml.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open
c .
e In
t u t
s t i n .
I n t i o
S
A tri b
For Linux Server
u
.
t SNavigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer. Open
s
i g h d i
y r r e
o p f o r
C o t
b. Rename logconfig.apm.xml to logconfig.apm.orig.xml.
c. For this exercise, there is a logconfig.apm.xml file located on the server that already has the new
logger and appender.
Locate the file and copy it over to the Stored Process Server directory.
7.3 Solutions 7-63
For Windows Server

Navigate to D:\Workshop\spaft.
c .
e In
t u t
Copy the logconfig.apm.xml to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
For Linux Server
Navigate to /opt/sas/Workshop/spaft. Copy the logconfig.apm.xml to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
d. The Audit.Data.Dataset logger and the TimeBased RollingFileAudit appender was already
added. Open the logconfig.apm.xml to view.
The new logger will route Audit.Data.Dataset messages with a diagnostic level of TRACEand
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
c .
TimeBasedRollingFileAudit.
e In
t u t
s t i n .
I n t i o
S
A tri b u
The appender definition determines where the logger messages are written and what format is
used to output the messages. Note the following:
t S
 The appender name matches the name specified in the appender tag of the logger definition
s
(TimeBasedRollingFileAudit).
i g h d i
 The ConversionPattern parameter values specifies the log message. This is the same as what is
y r r e
written to an existing log file with the addition of LOGGER=%c. So the entry in the log file
will include the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The %c is a
o p o r
conversion character that writes out the logger name.)
 The FileNamePattern parameter value specifies where the log file will be written out and what
f
the name of the log file will be.
C o t For Windows Server
N name=”FileNamePattern”
value=”D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs
For Linux Server

name=”FileNamePattern”
value=”/opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs
e. Close logconfig.apm.xml.
f. The AuditLogs directory needs to be created.
7.3 Solutions 7-65
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to this
location.
c .
e In
For Linux Server
t u t
t i .
Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer.
s n
I
location.
n
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to this
t i o
S
A tri b u
t S s
g. Refresh the Object Spawner in SAS Management Console and validate that the Stored Process
i g h d i
Server is still operational.
y r r e
1) Expand Server Manager plug-in  Object Spawner - sasserver. Right-click
o p f o r
C o t
N
2) Right-click sasserver.demo.sas.com and select Refresh Spawner.
c .
e In
3) Click OK to continue.
t u t
s t i n .
I n t i o
S
A tri b u
4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored
Process Server. Right-click sasserver.demo.sas.com and select Validate.
t S s
i g h d i
y r r e
o p f o r
C o t
N 5) Click OK.
7.3 Solutions 7-67
h. Run a stored process and check the audit log.

1) Open Internet Explorer on the client machine and select SASWebReportStudio on the
Favorites bar. Log on as Ahmed using the password Student1.
2) Select Open on the Getting Started Page.
c .
e In
t u t
s t i n .
3) Navigate to Orion Star  Marketing Department  Stored Processes.
I n t i o
S
A tri b u
t S s
i g d i
4) Highlight Analysis of Product Orders by Gender and click Open.
h
y r r e
o p f o r
C o t
N
5) Check the log.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and open the
log file.
c .
e In
t u t
For Linux Server
s t i n .
Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and open
I n
the log file.
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 8 Exploring SAS® Middle
Tier
8.1 Reviewing SAS Middle-Tier Architecture ....................................................................8-3
c .
Exercises .............................................................................................................................. 8-16
8.2
e
Monitoring SAS Middle Tier Servers .........................................................................8-23 In
u t
Exercises .............................................................................................................................. 8-30
t
8.3
t i .
High Availability, Authentication, and Secure Communication ...............................8-34
s n
8.4
I n i o
Solutions .....................................................................................................................8-45
t
S u
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
8-2 Chapter 8 Exploring SAS® Middle Tier
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
8.1 Reviewing SAS Middle-Tier Architecture 8-3
8.1 Reviewing SAS Middle-Tier

Architecture
Objectives
 Explore middle-tier architecture.
c .
In
 Explore SAS middle-tier architecture.
 Identify the SAS middle-tier components.

u t
Identify the Content Server.
e
Identify the Web Infrastructure Platform Data Server.

t i t
Explore SAS Web Application Server clustering.
.
s
Explore high availability of middle-tier components.
n

I n t i o
S
A tri b u
t S s
3
i g h d i
y r r e
What Is a Middle-Tier Architecture?
o p o r
Middle-tier architecture refers to a three-tier model where
f
the browser is the client tier, the database is the back-end
C o t
tier, and the servers in the middle tier retrieve and
process data from the servers in the data tier for
N presentation to clients. The middle-tier server performs

the business logic. Middle Tier
Back-End DB
Server/SAS Servers
HTTP Server
WIP Data Server

Client PC Web Application
Server
Web Applications
Web Infrastructure
Web Server Platform
JMS Broker
Cache Locator
Web Browser Environment Manager
Clients access the servers in the web tier directly or through a firewall. They access the servers in the data
tier only through the servers in the web tier.
Definition comes from http://www.onjava.com/2003/10/01/middletier.html.
SAS 9.4 Middle Tier Architecture

In this scenario, all of the SAS middle-tier components are
installed on a single system. Middle Tier
Clients
SAS Environment
SAS Web Server Manager Agent
(http server)
.
Web Browser

SAS Web Infrastructure Platform
SAS Content Server
SAS Web Applications
Cache Locator
JMS Broker
In c
u t e SAS Servers
t
i
SAS Pooled Workspace Server
t .
SAS OLAP Server
SAS Metadata Server
s
SAS Web Infrastructure
n
Platform Data Server Cache Locator
I n t i o
S
A tri b u
The SAS Intelligence Platform architecture provides the flexibility to distribute these components
according to your organization’s requirements. For small implementations, the middle-tier software,
S
SAS Metadata Server, and other SAS servers (such as the SAS Workspace Server and SAS Stored
Process Server) can all run on the same machine. In contrast, a large enterprise might have multiple
t i s
servers and a metadata repository that are distributed across multiple platforms. The middle tier in such
h
an enterprise might distribute the web applications to many web application server instances on multiple
r i
machines.
g r e d
SAS 9.4 middle-tier software includes the following:
p y o r  It provides the execution environment for the SAS web applications.
o f
SAS Web
Application Server  SAS Deployment Wizard can automatically configure the web
C o t application server, or you can configure it manually.
 It is an HTTP server that is configured as a single connection point for

N
SAS Web Server
SAS web applications.
 It is automatically configured to perform load-balancing when the SAS
middle tier is clustered, as well as updated to route web sessions to SAS
Web Application Server instances
 automatically configured to cache static web content such as JavaScript
files, cascading style sheets,
and graphic files
 can be configured for HTTPS automatically
Cache Locator  It is used by applications on server-tier and middle-tier machines to

locate other members and form a data cache.
 The SAS Web Application Server uses a single locator instance. In a
clustered environment, each instance uses the one locator to learn about
the other server instances when forming the cache.
 A locator is also installed on the first server-tier machine that includes an
instance of SAS Web Infrastructure Platform Scheduling Services.
JMS Broker  SAS middle-tier software uses the broker for Java Messaging Services
(JMS). The JMS Broker provides distributed communication and acts as
c .
a message broker.
e
 An instance is configured as a server on the machine that is used for the In
t u t
SAS middle tier.
 Some SAS web applications use JMS connection factories, queues, and
s t i .
topics for implementing business logic, and use JMS for this
n
communication between middle tier applications and services.
I n t i o
The SAS middle-tier environment includes a Java Runtime Environment with SAS 9.4 software. You do
not need to install a separate Java environment for the middle-tier environment.
S
A tri b u
t S
Middle Tier Components
s
i g h d i
y r r e
o p f o r
C o t
N
6
Services and Applications in the SAS Web Infrastructure Platform
Application or Service Features
SAS Authorization This service is used by some SAS web applications that manage
Service authorization through web services.
SAS BI Web Services Can be used to enable your custom applications to invoke and obtain
for Java metadata about SAS Stored Processes. Web services enable distributed
applications that are written in different programming languages and that
run on different operating systems to communicate using standard web-
c .
In
based protocols. Simple Object Access Protocol (SOAP) is a common
protocol. SAS includes support for JSON and REST as well.
t e
The SAS BI Web Services for Java interface is based on the XML For
u
Analysis (XMLA) Version 1.1 specification.
SAS Content Server

t i t .
Stores digital content (such as documents, reports, and images) that can be
SAS Deployment
I n s i o n
created and used by the SAS web applications.
Enables deployment-wide backup and recovery services.

Backup and Recovery
Tool
S u t
S A tri
SAS Identity Services b Provides SAS web applications with access to user identity information.
t
SAS Logon Manager
h i s Provides a common user authentication mechanism for SAS web
d
applications. It displays a dialog box for user ID and password entry,
r i g r e
authenticates the user, and launches the requested application. SAS Logon
Manager supports a single sign-on authentication model. When this model
p y o r
is enabled, it provides access to a variety of computing resources (including
servers and web pages) during the application session without repeatedly
C o t f prompting the user for credentials.

You can configure SAS Logon Manager to display custom messages and to
N o
SAS Preferences
Manager
specify whether a logon dialog box is displayed when users log off.
Provides a common mechanism for managing preferences for SAS web

applications. The application enables administrators to set default
preferences for locale, theme, alert notification, time, date, and currency. In
the SAS Information Delivery Portal, users can view the default settings
and update their individual preferences.
SAS Principal Services Enables access to core platform web services for SAS applications.
SAS Shared Web Assets Contains graph applet JAR files that are shared across SAS web
applications. They display graphs in stored processes and in the SAS Stored
Process Web Application.
SAS Stored Process Provides a mechanism for web clients to run SAS Stored Processes and
Web Application return the results to a web browser. The SAS Stored Process Web
Application is similar to the SAS/IntrNet Application Broker, and has
similar syntax and debug options. Web applications can be implemented
using the SAS Stored Process Web Application, the Stored Process Service
API, or a combination of both. Here is how the SAS Stored Process Web
Application processes a request: A user enters information in an HTML
form using a web browser and then submits it. The information is sent to a
c .
In
web server, which invokes the first component, the SAS Stored Process
Web Application.
t e
The Stored Process Web Application accepts data from the web server, and
u
contacts the SAS Metadata Server for retrieval of stored process
t i t
information.
.
The stored process data is then sent by the Stored Process Web Application
I n s i o n
to a stored process server via the object spawner.
The stored process server invokes a SAS program that processes the
S t
information.
u
S A tri b The results of the SAS program are sent back through the web application
and web server to the web browser.
h t
SAS Notification
Template Editor
i s Enables administrators to create and edit messages that are sent as
notifications to end users of SAS applications.
r
SAS Web
i g r e d Provides features for monitoring and administering middle-tier components.
y
Administration Console This browser-based interface enables administrators to perform the
o p f o r following tasks: Monitor users who are logged on to SAS web applications,
and send email to them.
C o t View user-level audit information such as the number of users, successful

logons, unsuccessful logons, and find the time of a user’s last logon.
N Manage permissions for folders and documents that are managed by SAS
Content Services.
Manage templates and letterheads that are used as part of messages that are
sent as notifications to end users of SAS applications.
View configuration information for each middle-tier component.
SAS Web Infrastructure Enables administrators to set web-layer permissions on folders and
Platform Permission documents for SAS applications that use SAS Content Services for access
Manager to digital content. You can access the permissions manager with the SAS
Web Administration Console.
SAS Web Infrastructure Provides a common infrastructure for SAS web applications. The
Platform Services infrastructure supports activities such as auditing, authentication,
configuration, status and monitoring, email, theme management, and data
sharing across SAS web applications.
SAS Workflow Provides the web services that implement workflow management. The SAS
Workflow services are used by SAS applications and solutions for tightly
integrated workflow management.
SAS Content Server

The SAS Content Server stores digital content (such as
c .
documents, reports, and images) that is created and used
e
by SAS web applications, such as SAS Web Report In
u t
Studio and SAS Information Delivery Portal.
 It is part of the SAS Web Infrastructure Platform.
t
t i .
 Client applications use Web Distributed Authoring
s
and Versioning (WebDAV) protocols for access,
n
n
versioning, collaboration, security, and searching.
I t i o
 Content mapping is in place to ensure that report
S
content is stored using the same folder names and
A tri b u
permissions that the SAS Metadata Server uses
to store corresponding report metadata.
t S s
7
i g h d i
y r r e
The SAS Web Infrastructure Platform always installs and configures the SAS Content Server. By default,
the SAS Content Server uses file system storage located in the SAS configuration directory
o p f o r
Levn/AppData/SASContentServer/Repository.
The SAS Content Server is managed using the SAS Content Server Administration Console,
C t
https://server:port/SASContentServer/dircontents.jsp. You must be an unrestricted user to administer
o
content in the SAS Content Server.
SAS Web Infrastructure Platform Data Server

The SAS Web Infrastructure Platform data server is used
as transactional storage by SAS middle-tier software and
some SAS solutions.
 It is based on PostgreSQL 9.1.9 and configured
specifically to support SAS software.
 The server is configured to manage the following
databases:
c .
– Administration
– EVManager
e
• SAS Environment
Server Tier
In
t
Manager SAS WIP Data Server
• Content Server
– Shared Services
u
• SAS Visual Analytics
t
Transport Service
– transportsvcs_db
t i .
 The databases that are managed by the server are
s n
backed up and restored with the Backup and
8
I n
Recovery Deployment Tool.
t i o
S
A tri b u
The Administration database contains configuration information for the modules that SAS develops to
extend the features of SAS Environment Manager.
t S
The EVManager database is used by SAS Environment Manager. The database contains configuration
and metric information for the machines and servers that SAS Environment Manager manages in your
s
deployment.
i g h d i
The SharedServices database is used by the SAS web applications and middle-tier software. For example,
r r e
comments that are added through various web applications are stored in this database. Digital content that
y r
is stored with SAS Content Server is also stored in this database.

o p o
You can choose to use a third-party vendor database server for this database when you install and
f
configure software with the SAS Deployment Wizard. This database is identified as the SAS Web
C o t
Infrastructure Platform Database on the pages in the wizard.
N
This transportsvcs_db database is used by SAS Visual Analytics Transport Service. The database stores
mobile logon history information, as well as the device’s blacklist and whitelist data that is maintained
through SAS Visual Analytics Administrator. It is also used to support caching within the Transport
Service application.
If your deployment includes SAS solutions software that supports SAS Web Infrastructure Platform Data
Server, then more databases might be configured on the server.
Distributing Server Functions

 The SAS Web Application Server supports both
vertical and horizontal clustering.
 Workload distribution is managed by the SAS Web
Server. The SAS Web Server is configured as a
load-balancing HTTP proxy.
 The server instances in a cluster can coexist on the
same machine (vertical clustering), or the server
c .
instances can run on a group of middle-tier server
machines (horizontal clustering).
e In

and horizontal clusters.
t u t
Web applications can be deployed on both vertical
s t i n .
9
I n t i o
S
A tri b u
Session Affinity: For SAS web applications to be deployed into a clustered environment, the SAS Web
Server implements session affinity. Session affinity is an association between a web application server
and a client that requests an HTTP session with that server. This association is known in the industry
t S
by several terms, including session affinity, server affinity, and sticky sessions. With session affinity, after
s
a client is assigned to a session with a web application server, the client remains with that server for the
i g h d i
duration of the session. By default, session affinity is enabled.
r e
The Load Balancer Manager can be used to direct all requests to a single instance of the application,
r
thus “draining” the sessions associated with applications in the other cluster instance. When an instance is
y
o
 p f o r
drained, it can be stopped for maintenance without disrupting the service of clustered applications.
http://webservermachine.mycompany.com/balancer-manager
C o t
N
Vertical Clustering
of SAS Web Application Servers
Clients Middle Tier
SAS Web Server

Web Browser
(http server) SASServer1_1
SASServer1_2
c .
e
SAS Servers
SASServer1_3
In
t u t
SAS Metadata Server
SAS Web Application Servers
s t i
SAS Workspace Server…

Platform Data Server
n .
10
I n t i o
S
A tri b u
Vertical clustering can be configured automatically by the SAS Deployment Wizard. The custom
prompting level will be used in the SAS Deployment Wizard.
t S
If you configured multiple instances of a managed server, such as SASServer1_1 and SASServer1_2, then
the web applications that support clustering are deployed identically to each instance. Each of these
s
i g
Advantages: h d i
instances is a vertical cluster member.
r r e
 If the Java process that underlies one of the instances in the web application server cluster encounters
y
o p o r
problems that stop the functioning of the web applications, the applications in the other cluster instance
will still be able to respond. In this case, it would be possible to stop and restart the web application
f
server that is experiencing problems. Requests would still be serviced by the applications in the other
C t
cluster instance. Users who had sessions on the stopped server would lose session data, but an attempt
o
to reconnect to a clustered application would be successful.
N
 In some cases, the operating system can balance CPU load more effectively if separate Java processes
are used.
Disadvantages:
 If the single machine on which the vertical cluster is deployed experiences an outage, then
all the instances in the cluster will be affected. Therefore, the failure of a single machine would cause
the application to become unavailable.
 Some applications, such as SAS BI Dashboard Event Generator, and some SAS solutions
applications cannot be clustered. Those are examples of when the server instances and
applications are not identically configured.
Horizontal Clustering
of SAS Web Application Servers
Clients Middle Tier

SAS Web Application Servers
SAS Web Server
.
(http server)
Web Browser
c
SASServer1_1
e
SASServer1_2
In
t
SAS Servers
SAS Metadata Server
t
SAS Workspace Server…
i t u .
SASServer1_3
s n
11
I n t i o
S
A tri b u
In this topology, some deployments can implement a failover scheme, in which a server failure does not
interrupt a user’s session. The proxy server detects the failure and redirects the requests to a different
application server. That server can then retrieve the users’ session information and continue.
Advantages:
t S s
i g h d i
 The SAS web applications and the web application server cluster are protected by firewalls.
 The web application server and SAS web applications can be configured to perform web authentication
r r e
for single sign-on to the applications and other web resources in the network.
y
p o r
 Response time is improved because static content is cached by SAS Web Server.
 The greater computing capacity of the web application server cluster also improves performance.
o f
 After the cluster is established, additional server instances can be added to support larger numbers of
C o t
concurrent users.
 Clustering provides fault isolation that is not possible with a single web application server. If a machine
N
in the cluster fails, then only the users with active sessions on that machine are affected.
 You can plan downtime for maintenance by taking some servers offline. New requests are then directed
to the applications deployed on the remaining servers while maintenance is performed.
 Configuration and deployment of the cluster and the applications can still be automated with
the SAS Deployment Wizard.
Disadvantages:
 SAS Web Server remains a single point of failure. Software and hardware high-availability options
exist to mitigate this disadvantage.
 Some operations, such as redeploying web applications, can require more effort when more machines
are used.
Cluster Configurations
There are two general deployment topologies.
SASServer1_1
 Single server: SASServer1_2
SASServer1_3
– homogeneous cluster
– clustered nodes containing the same applications
that can be clustered
c .
In
SASServers2_1
 Multiple server: SASServer3_1
– heterogeneous cluster
e
SASServer3_2
u t
– specific applications that are
deployed to different server instances
t
s i
– can allocate additional resources to the
t .
applications and application groups that
n
n
are more heavily used
12
I t i o
S
A tri b u
Similar to clustering, the applications can be distributed to different managed servers. Distributing
the applications is similar to clustering in that additional web application server instances are used. It is
different in that the managed server profiles are different. That is, single instances of the applications are
t S
distributed to web application servers rather than redundant instances.
s
g h d i
Distributing the applications enables more memory availability for the applications that are deployed
on each managed server and also increases the number of users that can be supported.
i
r r e
Some SAS solutions are configured automatically with multiple servers by the SAS Deployment Wizard.
y
However, you can choose to configure multiple managed servers by running the wizard with the custom
o p f o r
prompting level and selecting this feature.
Whether the single or multiple server topology is selected, both vertical and horizontal clusters are still
C t
possible, as is a combination of both clustering techniques. The only difference is how the applications
o
are distributed to the server instances.
High Availability
Several middle-tier components can be configured for
high availability, with each having different requirements
and considerations.
SAS Web Server
SAS Web Server
SAS Web Server
c .
e
SAS Web Application Server SAS Web Application Server
In
t
SASServer1_1 SASServer1_1 SASServer1_1
u
Cache Locator JMS Broker Cache Locator JMS Broker Cache Locator JMS Broker
SAS Grid Manager
t i t .
s n
SAS Compute SAS Metadata SAS Content
SAS Metadata
Server SAS Content
Server SAS WIP Data
SAS Compute
Server SAS Metadata SAS Content Server
n
SAS Compute
Server Server Server
o
Server Server
I
Server

13
S u t i
Some components, such as SAS Web Application Server, can be configured in a cluster
A tri b
automatically. Other components, like JMS Broker, require manual configuration to enable high
S
availability.
h t
 SAS Metadata Server
i s
The following SAS Analytics Platform components can be deployed and configured for high availability:
r i g
 SAS Web Server
r e d
 SAS Web Application Server
p y r
 SAS Web Infrastructure Platform Data Server
o
C o t f
 SAS JMS Broker
 SAS Cache Locator
N o
 SAS Object Spawner
 SAS OLAP Server
 SAS Environment Manager Server
 SAS Environment Manager Agent
 SAS Deployment Agent
For more information, refer to the following:
 “High-Availability Features in the Middle Tier” in SAS® Intelligence Platform: Middle-Tier
 “Best Practices for Implementing High Availability for SAS 9.4,” SAS Global Forum Paper 305-2104.
http://support.sas.com/resources/papers/proceedings14/SAS305-2014.pdf
 “Managing SAS Web Infrastructure Platform data Server High-Availability Clusters,” SAS Global
Forum Paper SAS1776-2015. http://support.sas.com/resources/papers/proceedings15/SAS1776-
2015.pdf
Classroom Environment
In the classroom environment, four SAS Web Application
Server instances exist, but they are not clustered. Web
applications are deployed on only one instance.
Middle Tier
Clients SAS Web Application Servers
c .
In
SAS Web Server SASServer1_1
(http server)
Web Browser
e
SASServer2_1
SAS Servers
t u t SASServer12_1
i SASServer13_1
SAS Metadata Server
s t
SAS Compute Servers
n .
n o
14
S I t i
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
1. Finding Web Applications Deployed on SAS Web Application Server Instances
There are a few places that you can look to find out on which SAS Web Application Server instance
your web applications are deployed:
 It is documented in Instructions.html. This is the reference document for your SAS deployment. It
contains any manual configuration steps that must be performed. It provides an overview of your
deployment, including the web application URLs.
 SAS Environment Manager
c .
 Configuration directory for the SAS middle tier
e
a. Open Instuctions.html. It is located under the SAS configuration directory in the In
Levn/Documents subdirectory.
t u t
1.
s t i
For Windows Server
n .
Access Windows Explorer, and navigate to
I n t i o
D:\SAS\Config\Lev1\Documents\Instructions.html.
(Make sure you are on the Windows server and not the Windows client.)
2.
S u
Double-click Instructions.html to open the document in Internet Explorer.
A tri b
t S
s
You are opening Internet Explorer on the server machine.
i g h
3.
d i
Select Web Application Server in the Overview list. Review the configuration details.
What web application is not clusterable?
y r r e
What web app server instance is it deployed on?
o p f o rWhat web app server instance is SASStudio deployed on?
N 1.
2.
You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Click Login to open the application. (No changes are needed.)
In WinSCP: Navigate to /opt/sas/config/Lev1/Documents.

(As an alternative, you can use MRemoteNG: Use the firefox
/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.)
3. Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
4. Select Web Application Server in the Overview list. Review the configuration details.
What web application is not clusterable?
What web app server instance is it deployed on?
What web app server instance is SASStudio deployed on?
b. Open SAS Environment Manager.

1) Open Internet Explorer on the client machine, located on the system tray.
2) Select SAS Environment Manager on the Favorites bar.
3) Connect as Ahmed, with a password of Student1.
4) Go to Resources  Browse  Servers.
5) Select a web application server, such as sasserver.demo.sas.com tc Runtime
SASServer2_1.
6) Select Views  Application Management.
c .
7) The deployed SAS web applications are listed. You can stop and start a web application from
this location as well.
e In
u t
c. Find the WAR files that are deployed on each web application server instance. They are located
t
s i
in the sas_webapps directory under the SAS Web Application Server configuration directory.
t
For Windows Server
n .
I n
Navigate to
t i o
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.
S
A tri b u
t SFor Linux Server
s
i g h i
Navigate to
/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
d
y r 
r e You can use WinSCP or MRemoteNG.
o f o r
2. Setting Up a Basic Alert for SAS Web Server in SAS Environment Manager
p In this exercise, you create an alert indicating when the SAS Web Server is down and when it is back
C t
up (a recovery alert). An escalation scheme will also be created, which is a series of steps to be
o
executed when the alert fires.
Na. Sign in to SAS Environment Manager as Ahmed using the password Student1,
if not already signed in. (Open Internet Explorer on the client machine and select
SAS Environment Manager on the Favorites bar.)
b. Create an Escalation Scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.
3) Fill in the form with the following information:
Name: WebServerScheme
Description: Web Server Status
If the alert is acknowledged: Allow user pause escalation for 5 minutes
If the alert state changed: Notify previously notified users
If the alert is not fixed when escalation ends: Repeat escalation actions
c .
e In
t u t
4) Click Next Step.
s t i
5) Click the Create Action button.
n .
I n o
6) Complete the following fields:
t i
Create an Action for this escalation: SMS
S
A tri b u
Select method to notify: Notify Roles
tS
In the pop-up box, select Super User Role  OK. Then select continue.
s
i g h d iAhmed is a member of the Super User Role. You might want all members of the role
to be notified when something as crucial as a server goes down.
y r e
Then: continue
r
o p f o r
7) Click Save.
c. Create the first alert that indicates that the web server is down.
C o t
1) Select Resources. Making sure that Servers list is selected, click sasserver.demo.sas.com
Pivotal Web Server 5.4 WebServer.
N 2) Select Alert  Configure.

3) On the Alert Definitions page, click New.
4) Enter the following information in the fields:
Name: NoWebServer
Description: SAS Web Server Down
Priority: High
Active: Yes
If Condition: Metric Availability is < 100% of Baseline Value
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed
c .
e In
t u t
s t i n .
I n t i o
5) Click OK to save the alert definition.
S
A tri b u
d. You are now presented with an additional window that enables you to associate this alert with
an escalation scheme. Use the drop-down list to select the WebServerScheme scheme that was
t S
just created.
s
e. After the escalation scheme is selected, click Return to Alert Definitions to create the recovery
i g h
alert.
d i
y r r e
f. Create the second alert, the recovery alert, which indicates the server is back up.
1) Click New. A new alert definition window appears.
o p o r
2) Enter the following information:
f
C o t Name: YesWebServer
Description: SAS Web Server is back up!
N Priority: High
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
Recovery Alert for: NoWebServer
Enable Action: Each time conditions are met
Enable Action Filters: (blank)
c .
e In
t u t
s t i n .
I n t i o
3) Click OK to save the new recovery alert.
S
A tri b u
g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed, including
the two that you just defined.
t S
h. Test the new alerts. Go to Resource  Browse. Click sasserver.demo.sas.com Pivotal Web
s
Server 5.4 Web Server.
g h
i. Click Control.
i d i
y r r e
j. Select Stop from the drop-down list and click next to the Control Action field.
o p 
f o r It can take up to five minutes before the system detects that the SAS Web Server is down,
because the default collection interval for it is five minutes.
C t
k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not Available on
o the Availability timeline.
N Various locations where alerts appear include the following:

 Dashboard  Recent Alerts or Problem Resources portlets
 on the header of the Environment Manager
 Analyze tab  Alert Center
 event bar for that resource (added automatically when an event is generated)
 if you set the alert (notify) to send an email
l. You can look at the other locations as well:
Recent Alerts Portlet on Dashboard Tab
SAS Environment Manager Header and Alert Center
c .
e In
t u t
s i
Event Bar for the SAS Web Server Resource
t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
 The default metric collection interval for the Pivotal Web Server is five minutes.
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to Pivot Web
Server 5.4 Servers. Select Edit Metric Template to the far right of the entry.)
Therefore, you might wait as long as five minutes before the alert fires and you see
results on your interface.
m. Acknowledge the alert. This enables others on the system to be aware that an administrator is
aware of the problem. You can acknowledge an alert in two places:
 the dashboard Recent Alerts portlet
 Analyze  Alert Center  Alerts tab
1) On the dashboard, check the box next to the NoWebServer and click ACKNOWLEDGE.
2) You can add a note for the reason. It will show up as ‘acknowledged’ on the Alerts page. If it
is not fixed within five minutes (as specified when the alert was created), then it will request
acknowledgment again.
n. Restart the SAS Web Server, by issuing the control action. Go to Resources 
sasserver.demo.sas.com Pivotal Web Server 5.4 Webserver  Control. Select Start and the
arrow in the Quick Control area.
o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It appears in
the same places, and indicates that the SAS Web Server is running again.
3. (Optional) Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL
c .
In
RDBMS
There are three PostgreSQL database servers listed under Resources  Servers. None of these
t e
servers are currently being monitored because the resources are not fully configured. In this exercise,
u
you will modify the necessary information so that the SAS Web Infrastructure Platform Data
i t
Server resource can be monitored. (This is the PostgreSQL database server with listening port 9432.)
t .
s
a. Sign in to SAS Environment Manager as Ahmed and password Student1, if not already signed
Favorites bar.)
I i o n
in. (Open Internet Explorer on the client machine and select SAS Environment Manager on the
n
S t
b. Go to Resources  Browse  Servers.
u
A tri b
c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
S
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the right.)
h t
d. The status of the PostgreSQL server is undetermined. Click the server link
i s
sasserver.demo.sas.com PostgreSQL 9.x localhost:9432.
i g d
e. You see that the server is not well configured. Click Configuration Properties.
r r e
p yf. Enter the required parameter values:
o r
PostgreSQL.user: dbmsowner
C o t f
PostgreSQL.pass: Student1
PostgreSQL.program or Windows Service:
N o For Windows Server

Use the Windows Service Name: SAS [Config-Lev1] Web Infrastructure Platform Data
Server
 To avoid typographical errors, go to the Windows Services application and copy
and paste the service name to the service name field.
For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh
g. Make sure that the Auto-Discover DataBases, Indexes, and other services? Check box
is selected. Then click OK.
h. Click Monitor. After a few minutes (or the required time for the agent to query the system), you
see the server availability, some server metrics, and two new services.
8.2 Monitoring SAS Middle Tier Servers 8-23
8.2 Monitoring SAS Middle Tier Servers
Objectives
 Describe performance and scalability.
 List the components that can be monitored
and modified for performance tuning.
c .
In
 Identify the location and contents of the SAS middle-
tier directory.
u t e
t i t .
I n s i o n
S u t
18
S A tri b
h t i s
r i g e
and Scalability
r d
SAS 9.4 Middle-Tier Tuning for Performance
p y 
r
transaction response time
o
o f
 number of transactions per second
C o


t throughput
resource utilization
N 


total cost per transaction
availability
increase the capacity for growth and the speed
of the component
 improve the efficiency
 shift or reduce the load on the component
19
For more information, refer to SAS® 9.4 Web Applications: Tuning for Performance and Scalability
documentation.
Monitoring in SAS Environment Manager

Monitoring data can be obtained from SAS Environment
Manager. The data can then be evaluated for tuning
purposes. Potential improvements can be made
to the following:
 SAS Web Application Server
 Java Virtual Machine
c .
In
 operating system
 SAS Web Infrastructure Platform Data Server
u t e
t i t .
20
I n s i o n
S u t
For further monitoring on performance of the SAS middle tier, see the following:
A tri b
 SAS 9.4 Web Applications: Tuning for Performance and Scalability documentation.
S
 “Monitoring 101: New Features in SAS 9.4 for Monitoring Your SAS Intelligence Platform”
t s
SAS Global Forum paper (http://support.sas.com/resources/papers/proceedings13/463-2013.pdf)
h i
r i g e d
 “SAS 9.4 Web Application Performance: Monitoring, Tuning, Scaling, and Troubleshooting”
SAS Global Forum paper (http://support.sas.com/resources/papers/proceedings14/SAS315-2014.pdf)
r
p y
 “Your Top Ten SAS Middle-Tier Questions”
o r
SAS Global Forum paper (http://support.sas.com/resources/papers/proceedings15/SAS1904-2015.pdf)
C o t f
N oTuning SAS Web Application Server
To improve the performance of any web application, make
sure that the server can create sufficient threads to
service incoming requests and limit the frequency with
which servers check for updated JavaServer pages and
servlets.
 The maxThreads option specifies the number of
threads in the executor thread pool that is used
to process incoming requests.
21
These options can be modified in the SAS-configuration-

directory\Levn\Web\WebAppServer\SASServer1_n\conf\server.xml file.
 If you have multiple instances of SAS Web Application Server, make the same changes in each
of the files for all the servers that you want to tune.
 If the number of active threads approaches the maximum value (within 5–10 percent), the value
should be increased.
Tuning SAS Web Application Server

c .
There are JDBC resources configured for the data
e In
u t
sources that the SAS web applications need to access. In
some cases, the workload on the system might benefit
t
i
from a larger pool of connections for a particular
database.
s t n .
 The maxPoolSize option specifies the maximum
I n t i o
number of pooled connections to the database that
is associated with a given data source reference.
S
A tri b u
t S s
i g h d i
22
y r r e
o f o r
The most commonly used data source is the SharedServices data source.
p
When the pool becomes exhausted, the SAS web applications log files (for example,
C example:
o t
SASWIPServices9.4.log and SASPrincipalServices9.4.log) might contain messages like the following
N
Could not get JDBC Connection; nested exception is
com.atomikos.jdbc.AtomikosSQLException: Connection pool exhausted - try
increasing 'maxPoolSize' and/or 'borrowConnectionTimeout' on the
DataSourceBean.
Tuning Java Virtual Machine

The goal is to improve performance in servers, in area
of memory usage and garbage collection cycles, and
maximize the number of clients that the SAS web
applications can support.
JVM Options Description
-Xms Specifies the minimum heap size.

c .
-Xmx
-XX:PermSize
Specifies the maximum heap size.
e
Specifies the initial permanent generation
In
t
storage size. Applies only to the Java Virtual
u
Machine on HP-UX, Linux, Solaris, and
t
Windows platforms.
t i .
-XX:MaxPermSize Specifies the maximum permanent generation
s n
size. Applies only to the Java Virtual Machine
n
on HP-UX, Linux, Solaris, and Windows
23
I
platforms.
t i o
S
A tri b u
Heap memory is one of the most important JVM parameters that might need to be adjusted. Setting it too
high wastes the resource and increases the potential of having a high garbage collection time. Setting
it too low can cause out-of-memory errors and increase the frequency of the garbage collection.
t S
SAS provides a set of JVM option settings in the Instructions.html file that is generated
s
i g h d i
by the SAS Deployment Wizard. Use those settings as a starting point for your tuning.
For Windows deployments, the JVM options are specified in the SAS-configuration-directory
r r e
\Lev1\Web\WebAppServer\SASServer1_1\conf\wrapper.conf file and the
y r
SAS-configuration-directory\Lev1\Web\WebAppServer\SASServer1_1\bin\setenv.bat file.
o p
If you have multiple instances of SAS Web Application Server, make the same changes in each of the
files.
f o
C t
For UNIX deployments, JVM options are specified in the SAS-configuration-directory
o
/Lev1/Web/WebAppServer/SASServer1_1/bin/setenv.sh file. If you have multiple server instances,
N
make the changes in each setenv.sh file.
The following table summarizes the general guidelines for tuning JVM options. These values are
recommended initial settings for the tunable arguments. However, individual usage patterns vary and
might benefit from additional tuning.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S
For more information see: “JVM Tuning Options” in SAS® 9.4 Web Applications: Tuning for
Performance and Scalability documentation.
s
i g h d i
y r r e
Tuning the Operating System
o p r
The following operating system resources should be
o
monitored, and the capacity increased if necessary. This
f
is accomplished by upgrading or adding hardware, or
C o t
even adding additional systems and configuring additional
middle-tier nodes (clustering) when needed:
N  CPU resource utilization

 memory resource utilization
 I/O resource utilization
 network interface resource utilization
24
For more information about operating system tuning for performance, see the following:
 “The Latest Tuning Guidelines for Your Hardware Infrastructure” SAS Global Forum paper
(http://support.sas.com/resources/papers/proceedings14/SAS107-2014.pdf)
 Usage Note 42197: A list of papers useful for troubleshooting system performance problems
(http://support.sas.com/kb/42/197.html)
Tuning SAS Web Infrastructure Platform

Data Server
SAS Web Infrastructure Platform Data Server provides a
transactional store that is used by SAS middle-tier
software. SAS configures a single server instance, and
SAS Web Application Server instances are configured
with JDBC data sources that access the server. Tuning
depends on the following:
c .
 database size and operating system supporting it
e
 initial configuration recommendations
In
 monitoring performance
t u t
 moving the Write-Ahead Log (WAL)
t i .
 configuring standby database performance
s n
25
I n t i o
S
A tri b u
For more information see: “Tuning the Web Infrastructure Platform Data Server” in SAS® 9.4 Web
Applications: Tuning for Performance and Scalability documentation.
t S
For detailed information about tuning PostgreSQL, see the following documentation:
s
Performance Optimization: https://wiki.postgresql.org/wiki/Performance_Optimization
i g h d i
Tuning Your PostgreSQL Server: https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server
r e
Managing Kernel Resources: http://www.postgresql.org/docs/9.1/static/kernel-resources.html
y r
o p f o r
SAS Middle-Tier Software Components
C o t
The configuration directory for your SAS middle tier
is SAS-configuration-directory\Levn\Web.
N Each component has the following:

 scripts for start, stop, and status
(JMS Broker)
 scripts to install and uninstall \logconfig
(Cache Locator)
 Windows services
 configuration files (which
include logging control)
 log files (\logs directory)
26
Log Locations for Applications and Servers
Application or Log Location

Server
Cache Locator SAS-configuration-
.
directory\Levn\Web\gemfire\instances\ins_port-
JMS Broker
number\gemfire.log file
SAS-configuration-
In c
t e
directory\Levn\Web\activemq\data\activemq.log file
u
SAS Environment
Manager Agent i t
SAS-configuration-
t .
s
directory\Levn\Web\SASEnvironmentManager\agent-version-
I n i o n
EE\log directory
SAS Environment
S u t
SAS-configuration-
Manager Server
S A tri b
directory\Levn\Web\SASEnvironmentManager\server-version-
EE\logs directory
SAS Web
h t i s SAS-configuration-
r
Server
i g
Application
r e d directory\Levn\Web\WebAppServer\SASServern_m\logs directory
p y
SAS web
o r SAS-configuration-directory\Levn\Web\Logs\SASServern_m
C o t f
applications directory
N o
SAS Web
Infrastructure
Platform Data
SAS-configuration-
directory\Levn\WebInfrastructurePlatformDataServer\Logs
directory
Server
 In a multi-machine deployment, the default log location is on the server
tier.
SAS Web Server SAS-configuration-directory\Levn\Web\WebServer\logs directory
For more information about SAS server logging, see “Administering Logging for SAS Servers” in
SAS® Intelligence Platform: System Administration Guide.
For additional information about specific web application logs, see SAS® Intelligence Platform: Web
Application Administration Guide.
Exercises
4. Exploring the server.xml File
The maxThreads and maxPoolSize options are set in the server.xml file.
a. Locate and open the server.xml file.
For Windows Server

Navigate to D:\SAS\Config\Lev1\Web\WebAppServer\SASServer1_1\conf.
c .
For Linux Server
e In
t u t
Navigate to /opt/sas/config/Lev1/Web/WebAppServer/SASServer1_1/conf.

s t i
b. What are the values for maxThreads and maxPoolSize?
n .
If you have multiple instances of SAS Web Application Server, make the same changes
I n t i o
in each of the files for all the servers that you want to tune.
c. Close the file without making any changes.
S u
5. Administering Logging for SAS Web Infrastructure Platform Data Server
A tri b
S
t
clicking the Home button
s
i g h d i
b. Type PgAdmin III tool in the Search field and click Search.
y r e
c. Click the first entry, SAS Web Infrastructure Platform Data Server, dated 2016-01-19.
r
o p o r
d. Click Administering Logging for the Server. Review logging steps.
The pgAdmin III Tool follows. It is a PostgreSQL database design and management system tool
f
that can be downloaded and enables you to administer the SAS Web Infrastructure Platform Data
C o t
Server.
6. Defining an Alert for Available Memory

Create an alert to be triggered whenever the free heap memory on a SAS Web Application Server
is less than 20% of the max heap size, or if the free heap memory is greater than 50% of the max heap
size. The alert should be issued once every 15 minutes until the condition is cleared.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1,
if you are not already logged on.
b. Click Resources  Browse.
c. Click sasserver.demo.sas.com tc Runtime SASServer1_1.
c .
In
d. On the Detail page, select Alert  Configure to display the Alert Configuration page.
e. Notice there is an alert already defined regarding Heap Free Memory. Click New.
t e
f. Fill in the fields with the following information:
u
Name: Free Heap Memory
Priority: !!! - High
t i t .
I s i o n
If condition: Metric: Heap Memory Free < (Less than) 20 % of
n Linux: 2.2 GB (Max Value)
S u
g. Click Add Another Condition. t
Windows: 2.3 GB (Max Value)
A tri b
h. Fill in the following information:
S
h t
If condition: Metric: Heap Memory Free > (Greater than) 50 % of
i s Linux: 2.2 GB (Max Value)
r i g r e d Windows: 2.3 GB (Max Value)

i. Enable Actions(s): Each time conditions are met
p y o r
C o t f
N o
j. Click OK.
7. Setting Up Log Tracking for a Resource in SAS Environment Manager

Many of the server-level resources enable the administrator to set up log tracking. This is a method of
monitoring specific log files, usually for specific messages, such as severe errors or other critical
information. By doing this, you are not required to open the log files directly. You can access only the
portion that you need from the user interface. The log file entries are one type of event that can be
configured and customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on log tracking and
specify the log messages that you want to capture.
c .
In
In this exercise, you will enable log tracking for a SAS Web Application Server. The tc Server
(SASServer1 instance) log file will be scanned for start-up completion. If you must restart that
t e
server, you know when it fully started up, and that all the web applications are loaded and ready for
users. Although this server might appear as Available or Started right away, it is not actually ready to
u
applications.
t t
receive requests for 20–30 minutes after that, given the necessary full deployment of all the SAS web
i .
I
already logged on. s i o n
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if you are not
n
S u t
S A tri b
d. Click Views  Application Management. There are fewer web applications deployed on this
h t
instance, so choose this tc Server to use for log tracking.
i s
e. Click the Inventory tab.
r i g r e d
f. Scroll to the bottom to the Configuration Properties section, and click Edit.
p yg. Set the following three properties:
o r
1) Click the Enable Log Tracking check box.
C o f
2) Select INFO from the Track Event Log Level drop-down menu.
t
N o 3) Under Log Pattern Match, enter the following code:
Server startup in \d{5,} ms
4) For the log files, enter logs/server.log.
h. Click OK at the bottom center of the window. You should see the following message:
i. Restart the server. Select Resources  Browse  sasserver.demo.sas.com tc Runtime

SASServer2_1.
j. Click the Control tab.
k. Select Control Action: Restart. Click the arrow to the right.
l. When the command state indicates Completed, click the Monitor tab. The Restart event was
recorded and appears in the Events/Logs Tracking timeline at the bottom of the window:
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
If you click the event bubble, a message appears. The server is not yet available because all the
t S
applications were not deployed and started yet.
s
m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking timeline.
i g h d i
While waiting, you can change the time range of metrics displayed by selecting 30 and Minutes
y r e
from the drop-down lists next to Last. Click OK.
r
o p f o r
C o t
N
That second event provides the actual message text from the log file that you specified in your
search, Server startup in XXXXXX ms, as shown above.
8.3 High Availability, Authentication, and

Secure Communication
Objectives
 Identify topologies for the SAS middle tier.
c .
In
 Identify authentication mechanisms.
 Identify middle-tier authorization layers.

Sockets Layer (SSL).
u t e
Describe Transport Layer Security (TLS) and Secure
t i t .
I n s i o n
S u t
S A tri b
30
h t i s
r i g r e d
Topology Dimensions for the SAS Middle Tier
p y o r
Design a middle-tier configuration that meets the needs of
C o t f
your organization with regard to performance, security,
and maintenance.
N o  distributing server functions: proxy servers, clusters,

backup servers
 authenticating users
 securing communication: which points in the topology
to secure
31
Refer to “Best Practices for Configuring Your Middle Tier” in SAS® Intelligence Platform: Middle-Tier
8.3 High Availability, Authentication, and Secure Communication 8-35
Authenticating Users
Authentication is the process of validating the identity of
someone or something, to verify that they are in fact who
they claim to be.
 SAS authentication – credentials provided by user
 Integrated Windows Authentication (IWA)
 web authentication
c .
In
 third-party tool
u t e Comp
Test
t
Receive Forward
Eval
s t i n .
32
I n t i o
S
A tri
SAS Authentication b u
t S s
h i
SAS Web Server SAS Web
g d
Application
y r i r e
Server
o p f o r
C o tClient
SAS
Metadata
N (browser)
Authentication
Provider
(DBMS,LDAP)
Server
33
By default, SAS web applications use the form-based authentication that is provided by the SAS Logon
Manager application. When credentials are provided to SAS Logon Manager, the credentials are sent to
the SAS Metadata Server for authentication. The metadata server then authenticates the credentials
against its authentication provider. The default provider is the host operating system.
Web Authentication
Application
Server
c .
e
SAS
Metadata In
t
Client
(browser) Server
i
Provider
t t
(DBMS,LDAP)u
Authentication
.
34
I n s i o n
S u t
Web authentication means that the SAS Web Application Server performs the initial authentication of the
A tri b
user credentials before requesting initial connection to the metadata server. The metadata server accepts
(trusts) the requested connection. This process uses a trusted user connection to the metadata server.
S
h t
When users log on to a SAS web application, SAS Web Application Server handles the initial
i s
authentication for container-managed security.
r i g e d
SAS supports CA SiteMinder, IBM Tivoli Access Manager WebSEAL, and Integrated Windows
Authentication (IWA). For information see “Web Authentication” in SAS® 9.4 Intelligence Platform:
r
p y
Middle-Tier Administration Guide.
o r
C o t f
Web Authentication: A Closer Look
N o
35
1. In a web browser, the user makes a request for the target application.
2. The web container prompts the user for credentials.

Note: If the user has already authenticated at the web perimeter, this step is omitted.
3. The user supplies credentials to the web container.
Note: If the user has already authenticated at the web perimeter, this step is omitted.
4. The web container's realm directs the container to authenticate the user against a designated third-party
authentication provider.
5. SAS Logon Manager retrieves the authenticated user ID from the web container. The SAS Logon
Manager stores the user ID for later use.
c .
6. SAS Logon Manager provides a ticket for the target application and redirects the user to that
application.
e In
t u t
7. The target application connects back to SAS Logon Manager (over HTTP) to validate the supplied
ticket. SAS Logon Manager supplies the requesting user’s authenticated user ID as part of the validation
response.
s t i n .
8. The target application uses the Trusted Login Module (from the SASTRUSTED JAAS context) to
I n o
generate a JAAS subject from the authenticated user ID. The generated JAAS subject is given to the
t i
local user service instance (inside the target application), which creates a user context and connects to
S
the metadata server.
A tri b u
9. The metadata server looks up the user's ID in the metadata repository in order to determine the user’s
t S
SAS identity. As usual, this step does not involve password validation and is not affected by
authentication domain assignments. Only the user's ID is being matched (the authentication domain
s
i g h d i
assignment in a login affects only credential reuse).
Note: Some components (such as SAS Comment Manager) do not require a connection to the metadata
r e
server. Such components don’t have a user context or a persistent connection to the metadata server.
y r
o p f o r
Middle-Tier Authorization Layers
C o

t Firewall authorization policies control access to only
certain ports or enable certain protocols.
N 

Web Server authorization can control which clients are
allowed to connect and what URLs they can request.
Web Application Server authorization can control access
to specific resources within the enterprise web
applications.
 Database Server authorization controls what data a user
can access and what they are allowed to do with it.
36
Firewalls
SAS Web
Server
c .
Client
(browser)
e
SAS Web
Application
SAS
Metadata
In
t u t Server Server
i
 A demilitarized zone (DMZ) provides a network barrier
t
between the servers and the clients.
s n .
37
I n t i o
S
A tri b u
A firewall is a program that can exist in many different forms but essentially functions as a barrier
between your local area network (LAN) and the outside world. The SSL/TLS protocol interprets a
computer on which a firewall is running as presenting a man-in-the-middle attack, which prevents the
t S
transaction from happening.
s
g h d i
Many organizations use a series of firewalls to create a demilitarized zone (DMZ) between their servers
and the client applications. A DMZ provides this protection whether the clients reside within the
i
r e
organization's computing infrastructure (intranet) or reside outside the organization on the Internet.
y r
r
The outer firewall that connects to the public network is called the domain firewall. Typically, only the
o p
HTTP (80) and HTTPS (443) network ports are open through this firewall. Servers that reside directly
f o
behind this firewall are exposed to a wide range of clients through these limited ports. As a result, the
C t
servers are not fully secure.
o
An additional firewall, the protocol firewall, is configured between the non-secure machines in the DMZ
N
and the machines in the secure middle-tier network. The protocol firewall has additional network ports
open. However, the range of IP addresses that are allowed to make connections is typically restricted to
the IP addresses of the servers that reside in the DMZ.
The DMZ usually contains HTTP servers, reverse proxies, and load-balancing software and hardware. Do
not deploy SAS Web Application Server or any SAS servers that handle important business logic, data, or
metadata in the DMZ.
If your applications are accessed by clients through the Internet, then you should include a DMZ as part
of your deployment in order to safeguard critical information. For deployments on a corporate intranet,
you might want to implement a DMZ as an additional layer of security.
 Some network topologies already have a web server that is used to proxy connections. In these
deployments, you can reconfigure the SAS middle tier so that it interacts with the existing web
server. In these network topologies, it is simplest to keep SAS Web Server in the deployment so
that it can continue to load-balance connections to a SAS Web Application Server cluster. Refer
to “Configuring the Middle Tier to Use an Existing Customer Reverse Proxy” in SAS® 9.4
Intelligence Platform: Middle Tier Administration Guide, Second Edition.
Secure Sockets Layer (TLS SSL) Options

SAS Web Server
SAS Web
Application
Server
c .
e
SAS
Metadata In
Client
(browser)
t u t Server
s t i n .
38
I n t i o
S
A tri b u
The most common SSL configuration has only the data from the browser to the Web Server encrypted,
with a firewall. This could be one-way SSL (server authentication only) or two-way SSL (server and
S
client authentication).
h t i s
r i g r e d
p y o r
SAS Web Server
SAS Web
Application
C o t f Server
N o SAS
Metadata
Client Server
(browser)
39
The data is encrypted between the proxy server and the application server. This topology typically has a
second firewall as well, which creates a DMZ.

Application
Server
c .
e
CLIENT- SAS
CERT Metadata
Server In
Client
(browser)
t u t
s t i n . User ID
40
I n t i o
S
A tri b u
If the configuration also includes web authentication, as shown here, then CLIENT-CERT authentication
can be added. The SSL certificate coming from the client includes a user ID embedded in it. The user ID
S
can be authenticated against the LDAP server or the database.
h t
Two-way SSL is a prerequisite for CLIENT-CERT authentication, because an identifying certificate must
i s
come from the client (the browser) to provide the user ID.
i g d
This architecture is considered highly secure.
r r e
p y r
Securing Communication
o
C o t f
Encryption is the encoding of information in such a way
N o that only authorized parties can read it.
Transport Layer Security (TLS) and its predecessor,

Secure Sockets Layer (SSL), are cryptographic protocols
that are designed to provide communication security over
the Internet. TLS and SSL are protocols that provide
network data privacy, data integrity, and authentication.
41
 It is a best practice to acquire certificates signed by certificate authorities before you install and
configure SAS software. Refer to these for more information:
 SAS® 9.4 Intelligence Platform: Installation and Configuration Guide

 Encryption in SAS® 9.4, Fourth Edition
 “Advanced Security Configuration Options for SAS 9.4 Web Applications and Mobile
Devices,” Global Forum Paper SAS054-2014
http://support.sas.com/resources/papers/proceedings14/SAS054-2014.pdf
What Is a Digital Certificate?

A digital certificate is used for identification.
c .
 electronic “passport” that identifies a person,
e
computer, or organization securely over the Internet In
 forgery resistant
t u t
 uses Public Key Infrastructure (PKI)
t i .
 can be identified – issued by trusted agency
s n
 contains identifying information:
I n
– name of certificate holder
– serial number
t i o
S
– expiration dates
A tri b u
– certificate holder’s public key
t S
– digital signature of the certificate issuing authority
s
42
42
i g h d i
y r r e
A certificate is a sort of electronic “passport” that allows a person, computer, or organization to exchange
information securely over the Internet using the Public Key Infrastructure, or PKI. A public key
o p f o r
infrastructure supports the distribution and identification of public encryption keys, enabling users and
computers to both securely exchange data over networks and verify the identity of the other party.
C t
Much like a passport, a digital certificate provides identifying information, is forgery resistant and can be
o
verified because it was issued by an official, trusted agency. The certificate contains identifying
N
information such as the name of the certificate holder, a serial number, expiration dates, a copy of the
certificate holder's public key, and the digital signature of the certificate-issuing authority so that a
recipient can verify that the certificate is real.
The idea of a trusted certificate is much like the initial trust relationship established between a child and a
parent – the child initially trusts just a few people (like parents), and then from those relationships begin
to trust other people. The trusted certificate in a browser starts with some pre-defined trust relationships,
and then infer trust information about other sites.
SSL Certificates
SSL needs public/private key pairs.
 Public keys are stored in files commonly called
certificates, and private keys are stored in files
commonly called keys.
 To send a certificate, the sender has to indicate which
public certificate to send and have access to its private
key.
c .
e In
“Key”
t
(private key)
u t “Certificate”
(public key)
s t i n .
43
I n t i o
S
A tri
Securing Communication b u
t S s
i g h d i
y r r e
o p f o r
C o t
N  The server sends its public key to the client.
 The private key is never sent anywhere.
 Data is encrypted by the sender with the public key
and decrypted by the receiver with the private key.
44
Public and private key pairs are used to negotiate algorithms between the TLS client and the TLS enabled
server.
1. The “handshake.”
2. The server sends its public key to the client. To send a certificate, the sender indicates which public
certificate to send and has access to its private key associated with that public certificate. If the
private key uses a password, the sender must know that password to use the private key.
A certificate authority (CA) is an authority in a network that issues and manages security credentials
and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks
with a registration authority to verify information provided by the requestor of a digital certificate.
Digital certificates are used in a network security system to guarantee that the two parties exchanging
information are really who they claim to be. Depending on how a network's security system is
configured, the certificate can include its owner's public key and name, the expiration date of the
certificate, or other information. There are many certificate authorities on the Internet, though
VeriSign is the best-known example.
Authenticating entities is accomplished through three types of certificates:
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
g h d i
Operating systems and browsers maintain lists of trusted CA root certificates, so they can easily
i
y r r e
verify certificates that the CAs have issued and signed. When deployed internally, digital certificates
can be self-signed. In all these cases, the Certificate Authority (CA) is the trusted third party – trusted
o p f o r
by both the subject (owner) of the certificate and the party relying upon the certificate.
3. The client can then send its public key to the server. (Clients are required to send their certificates to
C t
the server only if they are asked to.)
o
4. Server decrypts session key using its private key establishing a secure session. Also, the receiver
N
verifies the certificates in the following ways:
 making sure the certificate has not expired.
 making sure the certificate authority (CA) listed in the certificate is known and is valid. If the CA
in a certificate is signed by another CA certificate, it is known as an intermediate CA. The signer
CA’s certificate must also be verified. This creates a CA certificate chain.
 making sure that the certificate’s “Subject” common name (CN) is for the host that the certificate
was sent from. Wildcards such as “*.mydomain.com” can be used in the certificate.
 making sure the certificate has not been revoked.
SAS and Certificates

SAS entities can be secured with TLS certificates:
 SAS Deployment Agent
 SAS Environment Manager Server and Agent
 SAS Web Server
 SAS Security Framework Certificate
c .
e In
t u t
s t i n .
45
45
I n t i o
S
A tri b u
The SAS Deployment Agent and the SAS Environment Manager Server and Agent can automatically
create self-signed certificates or can use site-signed or third-party signed certificates.
t S
The SAS Web Server is an HTTP server based on Pivotal Web Server. A native application built with
OpenSSL, the SAS Web Server does not use Java Keystores. The SAS Web Server requires the
s
following:
g h d i
 RSA private key, not protected with a passphrase
i
r e
 X.509-signed certificate containing the public key in ASCII (Base-64 encoded) PEM file format
y r

o p f o r
Starting with the third maintenance release for SAS 9.4, SAS is shipped with a new trusted CA
certificate bundle, which makes deploying SAS securely much easier. As SAS installation on all
hosts, use SAS Deployment Manager to automate the process of updating the CA certificate and
C o t the trusted Mozilla CA bundle. After SAS installation, you can use SAS Deployment Manager to
add your own trusted certificates to this list.
N
For more information, see the section Setting Up Certificates for SAS Deployment in SAS 9.4
Intelligence Platform: Installation and Configuration Guide. Additional information can be found in the
section Installing and Configuring TLS and Certificates in Encryption in SAS 9.4, Fifth Edition.
8.4 Solutions 8-45
8.4 Solutions
1. Finding Web Applications Deployed on SAS Web Application Server Instances
There are a few places that you can look to find out on which SAS Web Application Server instance
your web applications are deployed:
c
contains any manual configuration steps that must be performed. It provides an overview of your.
 It is documented in Instructions.html. This is the reference document for your SAS deployment. It
deployment, including the web application URLs.

 SAS Environment Manager
e In
t u t
 Configuration directory for the SAS middle-tier
i
a. Open Instuctions.html. It is located under the SAS configuration directory in the
t
Levn/Documents subdirectory.
s n .
1. n
For Windows Server
I t i o
Access Windows Explorer, and navigate to
S
A tri b u
D:\SAS\Config\Lev1\Documents\Instructions.html
(Make sure you are on the Windows server and not Windows client.)
t S s
i g h d i
y r r e
o p f o r
C o t
N

c .
e In
t u t
s t i n .
I n t i o
3.
S u
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
What web application is not clusterable? SASBIDashboardEventGen4.4
What web app server instance is it deployed on? SASServer1_1
What web app server instance is SASStudio deployed on? SASServer2_1
8.4 Solutions 8-47
For Linux Server

1. You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Click Login to open the application. (No changes are needed.)
c .
e In
t u t
s t i n .
I n t i o
2. S
A tri b u
In WinSCP, navigate to /opt/sas/config/Lev1/Documents.
Linux Server
t S s
i g h d i
y r r e
o p f o r
C o t
N (As an alternative you can use MRemoteNG: Use the firefox
/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.)
3. Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
c .
e In
t u t
s t i n .
4.
I n i o
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
What web application is not clusterable? SASBIDashboardEventGen4.4
What web app server instance is it deployed on? SASServer1_1
What web app server instance is SASStudio deployed on? SASServer2_1
b. Open SAS Environment Manager.

1) Open Internet Explorer on the client machine, located on the system tray.
8.4 Solutions 8-49
2) Select SAS Environment Manager on the Favorites bar.
3) Connect as Ahmed, with a password of Student1.

4) Go to Resources  Browse  Servers.
c .
In
5) Select a web application server, such as sasserver.demo.sas.com tc Runtime
SASServer2_1.
u t e
6) Select Views  Application Management.
t i t .
I n s i o n
S u t
S A tri b
7) The deployed SAS web applications are listed. You can stop and start a web application from
h t i s
this location as well.
r g e d
c. Find the WAR files that are deployed on each web application server instance. They are located
i
in the sas_webapps directory under the SAS Web Application Server configuration directory.
r
p y o rFor Windows Server
C o t f Navigate to
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.
N o For Linux Server

Navigate to
/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
 You can use WinSCP or MRemoteNG.
2. Setting Up a Basic Alert for SAS Web Server in SAS Environment Manager
In this exercise, you will create an alert indicating when the SAS Web Server is down, and when it is
back up, (a recovery alert). An escalation scheme will also be created, which is a series of steps to be
executed when the alert fires.
Favorites bar.)
b. Create an Escalation Scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.
3) Fill in the form with the following information:

c .
Name:
Description:
e
WebServerScheme
Web Server Status In
t u t
If the alert is acknowledged:
If the alert state changed:
Allow user pause escalation for 5 minutes
Notify previously notified users
t i .
If the alert is not fixed when escalation ends:
s n
Repeat escalation actions
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
4) Click Next Step.
N 5) Click the Create Action button.
6) Complete the following fields:

Create an Action for this escalation: SMS
8.4 Solutions 8-51
Select method to notify: Notify Roles
In the pop-up box, select Super User Role  OK. Then select continue.
c .
e In
t u t

s i
Ahmed is a member of the Super User Role. You might want all members of the role
t n .
to be notified when something as crucial as a server goes down.
n o
Then: continue
7) Click Save.
S I t i
A tri b u
c. Create the first alert that indicates that the web server is down.
1) Select Resources. Making sure that Servers list is selected, click sasserver.demo.sas.com
t S
Pivotal Web Server 5.4 WebServer.
s
i g h d i
y r r e
o p f o r
C o t
N 2) Select Alert  Configure.
3) On the Alert Definitions page, click New.
c .
4) Enter the following information in the fields:
e In
Name: NoWebServer
t u t
Description: SAS Web Server Down
Priority: High
s t i n .
Active: Yes
I n t i o
If Condition: Metric Availability is < 100% of Baseline Value
S
A tri b u
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed
t S s
i g h d i
y r r e
o p f o r
C o t
N
5) Click OK to save the alert definition.
8.4 Solutions 8-53
d. You are now presented with an additional window that enables you to associate this alert with
an escalation scheme. Use the drop-down list to select the WebServerScheme scheme that was
just created.
c .
e In
alert.
t u t
e. Once the escalation scheme is selected, click Return to Alert Definitions to create the recovery
t i .
f. Create the second alert, the recovery alert, which indicates the server is back up.
s n
1) Click New. A new alert definition window appears.
I n i o
2) Enter the following information:
t
S
Name: YesWebServer
A tri b u
Description: SAS Web Server is back up!
t S
Priority: High
s
i g h d i
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
y r r e
Recovery Alert for: NoWebServer
o p f o r
Enable Action Each time conditions are met
Enable Action Filters: (blank)
C o t
N
3) Click OK to save the new recovery alert.
g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed, including
the two that you just defined.
c .
e In
t u t
s t i n .
h. Test the new alerts. Go to Resource  Browse. Click sasserver.demo.sas.com Pivotal Web
I n
Server 5.4 Web Server.
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p o r
i. Click Control.
f
C t
j. Select Stop from the drop-down list and click
o
next to the Control Action field.
8.4 Solutions 8-55
 It can take up to five minutes before the system detects that the SAS Web Server is down,
because the default collection interval for it is five minutes.
k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not Available on
the Availability timeline.
Various locations where alerts appear include the following:
 Dashboard  Recent Alerts or Problem Resources portlets
 on the header of the Environment Manager
 Analyze tab  Alert Center
c .
In
 event bar for that resource (added automatically when an event is generated)
 if you set the alert (notify) to send an email
t e
l. You can look at the other locations as well:
u
t i t
Recent Alerts Portlet on Dashboard Tab
.
I n s i o n
S u t
SAS Environment Manager Header and Alert Center
S A tri b
h t i s
r i g r e d
p y o r
C o t f
N o
Event Bar for the SAS Web Server Resource
c .
e In
t u t
s t i n .
I n t i o

S u
The default metric collection interval for the Pivotal Web Server is five minutes.
A tri b
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to Pivot Web
t S Server 5.4 Servers. Select Edit Metric Template to the far right of the entry.)
s
Therefore, you might wait as long as five minutes before the alert fires and you see
i g h d i
results on your interface.
y r e
m. Acknowledge the alert. This enables others on the system to be aware that an administrator is
r aware of the problem. You can acknowledge an alert in two places:
o p f o r
 the dashboard Recent Alerts portlet
 Analyze  Alert Center  Alerts tab
C o t
N
1) On the dashboard, check the box next to the NoWebServer and click ACKNOWLEDGE.
8.4 Solutions 8-57
2) You can add a note for the reason. It will show up as “acknowledged” on the Alerts page. If it
is not fixed within five minutes, (as specified when the alert was created), then it will request
acknowledgement again.
c .
n. Restart the SAS Web Server, by issuing the control action. Go to Resources 
e In
u t
sasserver.demo.sas.com Pivotal Web Server 5.4 Webserver  Control. Select Start and the
arrow in the Quick Control area.
t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It appears in
the same places, and indicates that the SAS Web Server is running again.
p o r
3. (Optional) Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL
o RDBMS
f
C o t
There are three PostgreSQL database servers listed under Resources  Servers. None of these
servers are currently being monitored because the resources are not fully configured. In this exercise,
Nyou will modify the necessary information so that the SAS Web Infrastructure Platform Data
Server resource can be monitored. (This is the PostgreSQL database server with listening port 9432.)
Favorites bar.)
b. Go to Resources  Browse  Servers.
c .
e In
t u t
c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the right.)
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
d. The status of the PostgreSQL server is undetermined. Click the server link
sasserver.demo.sas.com PostgreSQL 9.x localhost:9432.
8.4 Solutions 8-59
e. You see that the server is not well configured. Click Configuration Properties.
c .
f. Enter the required parameter values:
e In
PostgreSQL.user: dbmsowner
PostgreSQL.pass: Student1
t u t
t i .
PostgreSQL.program or Windows Service:
s n
I n
For Windows Server
t i o
Use the Windows Service Name: SAS [Config-Lev1] Web Infrastructure Platform Data

S
Server
A tri b u
t S s
To avoid typographical errors, go to the Windows Services application and copy
and paste the service name to the service name field.
i g h d i
y r r e
o p f o r
C o t
N
For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh
c .
e In
t u t
t i .
g. Make sure that the Auto-Discover DataBases, Indexes, and other services? Check box is
s
selected. Then click OK.
n
I n t i o
h. Click Monitor. After a few minutes (or the required time for the agent to query the system),
you see the server availability, some server metrics, and two new services.
S
A tri b
4. Exploring the server.xml File
u
t S
The maxThreads and maxPoolsize options are set in the server.xml file.
s
a. Locate and open the server.xml file.
i g h d i
For Windows Server
y r r e
Navigate to D:\SAS\Config\Lev1\Web\WebAppServer\SASServer1_1\conf
o p f o r
For Linux Server
C o t Navigate to /opt/sas/config/Lev1/Web/WebAppServer/SASServer1_1/conf
Nb. What are the values for maxThreads and maxPoolSize? maxThreads=300, maxPoolSize=10
 If you have multiple instances of SAS Web Application Server, make the same changes
in each of the files for all the servers that you want to tune.
c. Close the file without making any changes.
8.4 Solutions 8-61
5. Administering Logging for SAS Web Infrastructure Platform Data Server

clicking the Home button in the upper right tool bar.
b. Type PgAdmin III tool in the Search field and click Search.
c. Click the first entry, SAS Web Infrastructure Platform Data Server dated 2016-01-19.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
d. Click Administering Logging for the Server. Review logging steps.
The pgAdmin III Tool follows. It is a PostgreSQL database design and management system tool
t S
that can be downloaded and enables you to administer the SAS Web Infrastructure Platform Data
Server.
s
i g h d i
y r r e
o p f o r
C o t
N
6. Defining an Alert for Available Memory
Create an alert to be triggered whenever the free heap memory on a SAS Web Application Server
is less than 20% of the max heap size, or if the free heap memory is greater than 50% of the max heap
size. The alert should be issued once every 15 minutes until the condition is cleared.
already logged on.
c .
e In
t u t
s i
d. On the Detail page, select Alert  Configure to display the Alert Configuration page.
t n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
e. Click New.
C o t
N
8.4 Solutions 8-63
f. Fill in the form with the following information:

Name: Free Heap Memory
Priority: !!! - High
Condition Set:
c .
In
If condition: Metric: Heap Memory Free < (Less than) 20 % of
Linux: 2.2 GB (Max Value)
t e
u
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y o r
C o t f
g. Click Add Another Condition.
N o
h. Fill in the following information:

If condition: Metric: Heap Memory Free > (Greater than) 50 % of
Linux: 2.2 GB (Max Value)
i. Enable Actions(s): Each time conditions are met
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h
j. Click OK.
d i
y r r e
o p f o r
C o t
N
7. Setting Up Log Tracking for a Resource in the SAS Environment Manager
Many of the server-level resources enable the administrator to set up log tracking. This is a method of
monitoring specific log files, usually for specific messages, such as severe errors or other critical
information. By doing this, you are not required to open the log files directly. You can access only the
portion that you need from the user interface. The log file entries are one type of event that can be
configured and customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
SAS Deployment Wizard. For non-SAS servers, you have to turn on log tracking and specify the log
messages you want to capture.
8.4 Solutions 8-65
In this exercise, you will enable log tracking for a SAS Web Application Server. The tc Server
(SASServer1 instance) log file will be scanned for start-up completion. If you must restart that
server, you know when it fully started up, and that all the web applications are loaded and ready for
users. Although this server might appear as Available or Started right away, it is not actually ready to
receive requests for 20–30 minutes after that, given the necessary full deployment of all the SAS web
applications.
already logged on.
c .
In
d. Click Views  Application Management. There are fewer web applications deployed on this
t e
instance, so choose this tc Server to use for log tracking.
u
t i t .
I n s i o n
S u t
S A tri b
h t i s
r i g r e d
p y r
e. Click the Inventory tab.
o
C o t f
N o
f. Scroll to the bottom to the Configuration Properties section, and click Edit.
c .
e In
t u t
s t i n .
I n t i o
g. Set the following three properties:
S u
1) Click the Enable Log Tracking check box.
A tri b
t S
2) Select INFO from the Track Event Log Level drop-down menu.
3) Under Log Pattern Match, enter the following code:
s
i g h d i
Server startup in \d{5,} ms
e
4) For the log files, enter log/server.log.
y r r r
o p f o
C o t
N
h. Click OK at the bottom center of the window. You should see the following message:
8.4 Solutions 8-67
i. Restart the server. Select Resources  Browse  sasserver.demo.sas.com tc Runtime

SASServer2_1.
j. Click the Control tab.
c .
In
k. Select Control Action: Restart. Click the arrow to the right.
u t e
t i t .
I n s i o n
S u t
S A tri b
l. When the Command State indicates Completed, click the Monitor tab.
h t i s
r i g r e d
p y o r
C o t f
N o The Restart event was recorded and appears in the Events/Logs Tracking timeline at the bottom
of the window, as shown.
If you click the event bubble, a message appears. The server is not yet available because all the
applications were not deployed and started yet.
m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking timeline.
c .
e In
t u t
s t i n .
That second event provides the actual message text from the log file that you specified in your
I n i o
search earlier: “Server startup in XXXXXX ms,” as shown above.
t
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
Chapter 9 Exploring Ongoing
Administration Tasks
9.1 Updating SAS Software ................................................................................................9-3

c .
In
Exercises .............................................................................................................................. 9-10
e
9.2
t
Finding Resources for SAS Administrators.............................................................. 9-11
t u
9.3
t i .
Solutions .....................................................................................................................9-16
s n
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
9-2 Chapter 9 Exploring Ongoing Administration Tasks
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
9.1 Updating SAS Software 9-3
9.1 Updating SAS Software
Objectives
 Explore SAS software updates.


Explore hot fixes.
Explore SAS maintenance packs.
c .
In
 Explain how to update SAS licenses.
u t e
t i t .
I n s i o n
S u t
3
3
S A tri b
h t i s
r i g r e d
SAS Software Updates
y
SAS delivers software updates in several formats.
o p o r
Hot fixes
f
Targeted for specific issues
C o t
Maintenance Sets of hot fixes, enhanced capabilities,
releases and in some cases new product releases
N New software Updates to the larger SAS software

releases grouping
4
4
The planning that goes into maintenance releases and new software releases is beyond this discussion.
Hot Fixes
Hot fixes are used to solve critical and frequently recurring
problems. They are tested and supported by SAS.
Hot fixes are packaged or grouped in three ways:
 Individual hot fixes
 Container hot fixes
 Hot fix bundles
c .
e In
t u t
s t i n .
5
5
I n t i o
S
A tri b u
SAS provides hot fixes to previously shipped software. A hot fix will be created to resolve a number of
problems ranging from an isolated code fix for a critical bug uncovered by a specific customer application
t S
to a frequently recurring problem in a common code base. The hot fix tooling has changed over time to
simplify their identification and installation.
s
i g h d i
Each hot fix from SAS is tested and fully supported and then typically incorporated into the next
maintenance release or full release of the software component or product. Hot fixes are packaged or
r r e
grouped in three different ways:
y
p o r
 Individual hot fixes – created to fix one product or software component.
 Container hot fixes – created to provide fixes for one or more software components that must be hot
o f
fixed together in order to provide a complete resolution to the problem being addressed. In order to
C t
fully install the container hot fix, the container needs to be applied to each machine in the deployment
o
that contains one or more of the products being fixed by the container.
N
 Hot fix bundles – an accumulation of one or more individual hot fixes. These bundles tend to be
produced (and named) for products such as SAS Marketing Optimization and can contain a number of
fixes for different components within the product. Bundling these fixes makes it simpler for you to
obtain and install them.
For more information about hot fixes, refer to

http://ftp.sas.com/techsup/download/hotfix/faq.html.
Managing Hot Fixes

SAS offers several tools to help you manage hot fixes:
 tsnews-l listserv: Receive automatic notification when
hot fixes become available:
http://support.sas.com/techsup/news/tsnews.html
 ViewRegistry reporting utility
 SAS Hot Fix Analysis, Download, and Deployment
c .
In
Tool (SASHFADD)
 SAS Deployment Manager
u t e
t i t .
6
I n s i o n
t
6
S
A tri b u
View Registry Reporting Utility
t S s
The ViewRegistry reporting utility processes the
i g h d i
deployment registry and generates a report that identifies
currently installed software and hot fixes.
y r r e
o p f o r
C o t
N ViewRegistry
7
7
The installation of SAS products is logged in the SAS Deployment Registry. ViewRegistry is a reporting
utility that processes the deployment registry to generate a report. This report identifies all SAS 9.2 and
later software that is installed in the current SASHOME location. Installed hot fixes are also logged in the
SAS Deployment Registry and reported in DeploymentRegistry.html.
Beginning with SAS 9.4 M3, the default output will report only the current release of product
components, which are installed in the current SASHOME. Duplicate product component entries will
appear only for products that support side-by-side deployment, for example, SAS Enterprise Guide and
SAS Add-In for Microsoft Office. The -all option can be used to report on all product components that
have been installed in SASHOME.
The ViewRegistry report is generated by executing the JAR file sas.tools.viewregistry.jar. This JAR file
is located in the SASHOME/deploymntreg directory and must be executed from this directory.
Two output files are produced by the reporting utility, DeploymentRegistry.html and
DeploymentRegistry.txt. The HTML and TXT output files are written in the SASHOME/deploymntreg
directory.
 In order to run the reporting utility, Windows users must have Write permissions for the
deploymntreg directory (the default location is D:\Program Files\SASHome\deploymntreg)
to the SASHOME location.

c .
because the resulting reports are written to this location. UNIX users must have Write permission
For more information about using the ViewRegistry report, see Usage Note 35968: “Using the
e In
t
ViewRegistry Report and other methods to determine the SAS® 9.2 and later software releases and
hot fixes that are installed.”
t i t u .
I s
SAS Hot Fix Analysis, Download, and
n
Deployment Tool (SASHFADD)
i o n
S u t
This tool is designed to streamline the hot fix identification,
A tri b
download, and install process. The tool requires that you
S
run the ViewRegistry report tool first and then the following
t
occurs:

g h d
is analyzed.
i s
A SAS deployment registry
y r i

r e
A customized report listing
available hot fixes is
o p 
f r
created.
o
Scripts for automatically
C o t downloading hot fixes are

generated.
N
8
The SAS Hot Fix Analysis, Download, and Deployment Tool (SASHFADD):
 analyzes a SAS Deployment Registry (DeploymentRegistry.txt)
 creates a Hot Fix Report with information and links to hot fixes, which are eligible to be installed on
the SAS deployment
 generates scripts that will automate the download of the eligible hot fixes
The SASHFADD tool can be downloaded from http://ftp.sas.com/techsup/download
/hotfix/HF2/SASHFADD.html.
The usage guide can be found here: http://ftp.sas.com/techsup/download
/hotfix/HF2/SASHFADD_usage.pdf
Reviewing the Hot Fix Report
c .
e In
t u t
s t i n .
9
9
I n t i o
S u
The Hot Fix Report can contain up to three sections:
A tri b
S
Hot fixes that can be downloaded and installed individually or by using the generated scripts: This
section will always appear in the Hot Fix Report and will list hot fixes that can be downloaded and
t i s
installed individually, or by using the generated download scripts, SAS Deployment Manager for SAS
h
9.3/9.4 or install_scripts for SAS 9.2. Successful installation of these hot fixes will be recorded in the
r
appear.
i g r e d
deployment registry. If your system is up-to-date with these hot fixes, then an appropriate message will
p y r
Hot fixes that are available only by clicking the Download link and following installation
o
C o t f
instructions: This section might appear in the Hot Fix Report, and will list hot fixes that must be
downloaded and installed individually by closely following the instructions in the documentation.
Successful installation of these hot fixes might be recorded in the SAS Deployment Registry, depending
N o
on the unique properties of the hot fix. It is possible that you will continue to see these hot fixes in the
report even if they have been successfully installed. If you have already applied these hot fixes by
following the installation instructions, then you can safely ignore their reappearance in the report.
Hot fixes containing updates only to non-English software components: This section might appear in
the Hot Fix Report and will list hot fixes that can be applied only to systems where the languages listed
with the hot fix are installed for the specific SAS product. These hot fixes will not appear in the
SASHFADD FTP scripts. They must be downloaded by clicking the Download link. Successful
installation of these hot fixes will be recorded in the SAS Deployment Registry. If you are ineligible to
install these hot fixes because you have not installed the SAS product for the languages listed, then you
can safely ignore the appearance of these hot fixes in the report. If you do not wish to see these hot fixes
in the report, uncomment the line “-ENGLISH_ONLY” in SASHFADD.cfg.
SAS Deployment Manager

SAS Deployment Manager includes a wide variety of
administration tasks including to apply hot fixes to your
deployment.
c .
e In
t u t
s t i n .
10
10
I n t i o
S
A tri
SAS Maintenance Packsb u
t S s
Maintenance packs are aggregations of hot fixes
i g h d i
and limited features.
e
Maintenance packs have these features:
y r r r
 can be scheduled as needed
 can introduce new supported platforms or third-party
o p f o
products
 can add a maintenance number to product version
C o t numbers for products receiving maintenance
N
11
11
Maintenance packs are applied using the SAS Deployment Wizard.

Customers must request maintenance packs. They can be added to an existing software depot or a newly
created depot.
Applying a maintenance pack involves the following:
 updating software
 updating configuration
 possibly performing manual steps
SAS License Updates

When your SAS license expires, you need
 obtain a SID (SAS Installation Data) from SAS
 apply the SID file in all of the appropriate places

in your deployment
 Some products, such as DataFlux, have additional
c .
In
separate license files that also need to be updated.
 In addition, some SAS solutions require the license
u t e
to be updated in the metadata.
t i t .
12
I n s i o n
t
12
S u
The SAS Deployment Manager includes a task to update the license file in the metadata.
A tri b
t S s
i g h d i
y r r e
o p f o r
C o t
N
Exercises
1. Exploring SAS Software Updates

a. Review the Usage Note that instructs on using the ViewRegistry Report.
1) Open Internet Explorer and go to the Home page. You can click the Home button
upper right toolbar.
.
in the
c
2) In the Search field, enter Usage Note 35968 and click Search.
e In
u t
3) Select the first entry, 35968 – Using the ViewRegistry Report and other methods to
determine the SAS 9.2 and later software releases and hot fixes that are installed, dated
t
i
2015-07-16.
s t n .
b. Review the hot fix FAQ at http://ftp.sas.com/techsup/download/hotfix/faq.html.
I n t i o
c. Review SAS® Hot Fix Analysis, Download, and Deployment Tool Usage Guide at
http://ftp.sas.com/techsup/download/hotfix/HF2/SASHFADD_usage.pdf.
S
A tri b u
2. Exploring How to Update SAS Licenses
t S
Navigate to support.sas.com/techsup. Use the Search box to search for information about how
s
to update SAS licenses. For example, you can search for SAS 9.4 update license. Review
i g h d i
the information that is relevant to your deployment version and software.
y r r e
o p f o r
C o t
N
9.2 Finding Resources for SAS Administrators 9-11
9.2 Finding Resources for

SAS Administrators
Objectives
 Identify areas of support that SAS offers to support the
c .
In
deployment and administration communities.
 List additional available resources.
u t e
t i t .
I n s i o n
S u t
S A tri b
16
16
h t i s
r i g r e d
p y Where to Go for Help
o r
C o t f
N o
17
17
SAS provides a wide array of tools and resources designed to help you find answers and resolve
problems. From the SAS customer support website at support.sas.com, you can access the extensive SAS
knowledge base, where you can find information about SAS software, SAS product documentation, SAS
technical papers, samples, SAS notes, and much more.
Documentation
c .
e In
t u t
s t i n .
18
18
I n t i o
S
A tri b u
SAS documentation is available in multiple formats, based on your needs. Product documentation is
organized by usage, such as Installation, Configuration, and Migration information, Administration
t S
information, or a Programmer’s Bookshelf. There is also extensive search capabilities, by keywords,
release, or product. Documentation on current releases as well as previous releases is provided.
s
i g h d i
In addition to product documentation, many different forms of technical papers and conference
proceedings are available.
r r e
 SAS Technical Papers – http://support.sas.com/resources/papers/index.html
y
o p f o r
 SAS Technical Papers » Installation and Enterprise Administration –
http://support.sas.com/resources/papers/tnote/tnote_enterprise.html
 SAS Global Forum Conference Proceedings –
C o t
http://support.sas.com/events/sasglobalforum/previous/online.html
 SAS Presents – Technical Papers and Presentations – http://support.sas.com/rnd/papers/index.html
Install Center
c .
e In
t u t
s t i n .
19
19
I n t i o
S
A tri b u
SAS Install Center contains the most up-to-date installation and configuration documentation for SAS
software. The documentation on this site is grouped by SAS release, installation, and configuration type.
t S s
i g h d i
System Requirements
y r r e
o p f o r
C o t
N
20
20
Information about supported operating systems and associated platforms can be found in the System
Requirements section of the Knowledge Base on support.sas.com. The supported operating systems
derived from this page are for a set of products made up of the combination of Base SAS and the
orderable server-side products that are installed at the same time as Base SAS.
Samples and SAS Notes
c .
e In
t u t
s t i n .
21
21
I n t i o
S
A tri b u
Samples & SAS Notes provide useful examples of using SAS software. There are different types of SAS
notes available at the Samples & SAS Notes section of the Knowledge base:
t S
 Usage Notes – these notes provide information, examples, and suggestions for usage of SAS software.
s
 Installation Notes – focused on SAS installations, these notes provide useful information and references
i g h d i
for install related questions.
 Problem Notes – These notes contain useful information about usage problems, and provide
r r e
information about workarounds and available hot fixes.
y
o p f o r
http://support.sas.com/notes/index.html
C o t
Subscriptions
N
22
22
E-Newsletters – http://support.sas.com/community/newsletters/index.html
 SAS Tech Report
 SAS Statistics and Operations Research News
 SAS Learning Report
 SAS Book Report
 SAS Global Certification News
TS-NEWS-L – http://support.sas.com/techsup/news/tsnews.html
SNOTES-L – http://support.sas.com/techsup/news/snotes.html
c .
Security Bulletins – http://support.sas.com/security/alerts.html
e In
t u t
RSS feeds and Blogs – http://support.sas.com/community/rss/
s i
SAS-L – User supported Listserv – listserv.uga.edu/archives/sas-l.html
t n .
I n
Administration Online
t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
23
N23
There are multiple online communities focused on SAS deployment and administration.
 SAS Communities - https://communities.sas.com/
 Administrator Blog Series - http://blogs.sas.com/content/sgf/tag/sas-administrators/
 Administration and Deployment Community - https://communities.sas.com/t5/Administration-and-
Deployment/bd-p/sas_admin
9.3 Solutions
1. Exploring SAS Software Updates
a. Review the Usage Note that instructs on using the ViewRegistry Report.
1) Open Internet Explorer and go to the Home page. You can click the Home button
c .
in the
In
upper right toolbar.
u t e
2) In the Search field, enter Usage Note 35968 and click Search.
t i t .
I s i o n
3) Select the first entry, 35968 – Using the ViewRegistry Report and other methods to
n
determine the SAS 9.2 and later software releases and hot fixes that are installed, dated
t
2015-07-16.
S
A tri b u
t S s
i g h d i
b. Review the hot fix FAQ at http://ftp.sas.com/techsup/download/hotfix/faq.html.
y r e
c. Review the SAS® Hot Fix Analysis, Download, and Deployment Tool Usage Guide
r at http://ftp.sas.com/techsup/download/hotfix/HF2/SASHFADD_usage.pdf.
p o r
2. Exploring How to Update SAS Licenses
o f
C o t
Navigate to support.sas.com/techsup. Use the Search box to search for information about how
to update SAS licenses. For example, you can search for SAS 9.4 update license. Review
the information that is relevant to your deployment version and software.
Chapter 10 Learning More
10.1 SAS Resources ...........................................................................................................10-3
.
10.2 Beyond This Course ...................................................................................................10-6
c
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
10-2 Chapter 10 Learning More
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N
10.1 SAS Resources 10-3
10.1 SAS Resources
Objectives
 Identify areas of support that SAS offers.
 List additional resources.
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
S
3
h t i s
r
Education
i g r e d
SAS Education provides comprehensive training
p y o r
to deliver greater value to your organization.
 more than 200 course offerings
C o t f
 world-class instructors
o
 multiple delivery methods
N
 training centers around the world
4 http://support.sas.com/training
SAS Books
Convenient. Practical. Enlightening.
Valuable insight with solid results.
Available in a variety of formats
to best meet your needs:
 hard-copy books
 e-books
c .
In
 PDF
u t e
t i t .
5
I n s
www.sas.com/store/books
i o n
S u t
A tri b
SAS Global Certification Program
S
h t i s
SAS Education enables you to validate your skills
and knowledge through certification and includes
r g
the following:
i r e d
 globally recognized certifications
p y o r
 preparation materials
 practice exams
C o t f
N o
6 http://support.sas.com/certify
10.1 SAS Resources 10-5
Customer Support
SAS provides a variety of self-help and assisted-help
resources including the following:
 SAS Knowledge Base
 downloads and hot fixes
.
 license assistance
 SAS discussion forums
 SAS Technical Support
In c
u t e
t i t .
7
I n s
http://support.sas.com/techsup/
i o n
S u t
A tri b
User Groups and SAS Support Communities
S
h t i s
SAS supports many local, regional, international,
and special-interest SAS user groups.
r i g d
http://support.sas.com/usergroups
r e
p y o r
C o t f
SAS Support Communities enable you to collaborate
with SAS and other SAS users.
N ohttp://communities.sas.com
Networking
Social media channels, SAS blogs, and user group
organizations enable you to
 interact with other SAS users and SAS staff
 learn new programming tips and tricks
.
 obtain exclusive discounts.
In c
u t e
t i t .
9
I n s i
http://support.sas.com/socialmedia
o n
S
10.2 Beyond This Course u t
S A tri b
h t
Objectives
i s
r i

g r e d
Introduce the different types of SAS training.
p y 
o r
Identify additional learning opportunities
that follow this course.
C o t f
N o
12
10.2 Beyond This Course 10-7
Several “Flavors” of SAS Training

SAS Education provides a variety of training formats
that are designed to satisfy your learning style, including
the following:
 classroom
 Live Web
 e-learning
c .
In
 on-site
training
 mentoring
u t e
t i t .
13
I n s i o n
http://support.sas.com/training/options
S u t
A tri b
Classroom Training and e-Learning
S
h t i
of the SAS System.
s
SAS Education provides training on all aspects
r i g e d
Classroom training can be delivered in SAS training
r
centers, in the Live Web classroom, and at your site.
p y r
http://support.sas.com/training/us/paths
o
C o t f
SAS e-Learning provides award-winning training
when and where you need it.
N ohttp://support.sas.com/elearn
14
SAS Platform Training Paths

SAS Education training paths are used to organize
training by similar functionality based on common
job tasks.
The training paths for
Business
the SAS platform include
.
Intelligence
the following:
 Administration
 Data Management
Data
Management
In c
 Business Intelligence
u t e
t i t .
Administration
15
I n s i o n
t
15
S
A tri b u
Additional Training Categories
t S s
In addition to SAS platform training, courses are available
i g h d i
in the following areas:
 Advanced Analytics
y r r e
 SAS Foundation
o p f o r
 SAS Solutions
Visit http://support.sas.com/training/us/paths to view all of
C o t
the courses that are available to meet your training needs.
N
16
16
10.2 Beyond This Course 10-9
SAS Video Tutorials

SAS Education provides an extensive set of “how-to”
videos, tutorials, and demos to learn tips and tricks for
working with SAS software.
c .
e In
t u t
s t i n .
17
17
I n i o
http://support.sas.com/training/tutorial
t
S
A tri
Next Steps b u
t S s
After you complete this course, you have access
i g h d i
to extended learning resources, including the following:
 an electronic copy of the course notes
y r r e
 links to technical papers
o p o r
 links to SAS Publishing documentation and books
 links to white papers, SAS Global Forum papers,
f and much more
C o t
To grow your SAS skills, remember to activate
N the extended learning page for this course.
18
18
c .
e In
t u t
s t i n .
I n t i o
S
A tri b u
t S s
i g h d i
y r r e
o p f o r
C o t
N

Lwspafm4 001 Chap 02

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Lwspafm4 001 Chap 02

Hochgeladen von

Copyright:

Verfügbare Formate

c .

Prerequisites .............................................................................................................................. viii

Exploring the SAS Metadata Server and Metadata Repositories..................................... 2-3

Exploring SAS Metadata Objects .................................................................................. 2-15

2.3 Implementing a SAS Metadata Server Cluster .............................................................. 2-39

2.4 Backing Up the SAS Metadata Server ........................................................................... 2-49

2.5 Backing Up the SAS Environment ................................................................................ 2-62

2.6 Solutions ........................................................................................................................ 2-81

Chapter 3 Understanding Initial Authentication and Administering

3.1 Exploring Initial Authentication to the Metadata Server ................................................. 3-3

t Demonstration: Exploring the Repository ACT ..................................................... 4-11

4.2N o Exercises.................................................................................................................. 4-19

Exploring Metadata Permissions and ACTs................................................................... 4-24

4.3 Customizing SAS Folders .............................................................................................. 4-44

4.4 Solutions ........................................................................................................................ 4-73

Chapter 5 Establishing Connectivity to Data Sources ...................................... 5-1

5.1 Registering Libraries and Tables in Metadata .................................................................. 5-3

o r SAS Environment Manager........................................................... 6-24

N oExploring SAS Environment Manager Service Architecture......................................... 6-37

6.4 Solutions ........................................................................................................................ 6-50

Chapter 7 Managing SAS® Compute Servers and Spawners ............................ 7-1

7.1 Understanding SAS Compute Servers ............................................................................. 7-3

7.2 Administering Server Logging ...................................................................................... 7-26

Demonstration: Viewing Metadata Server Logging in SAS Management

7.3 Solutions ........................................................................................................................ 7-44

Chapter 8 Exploring SAS® Middle Tier ................................................................ 8-1

t Solutions to Exercises ............................................................................................. 9-16

10.1 SAS Resources ............................................................................................................... 10-3

10.2 Beyond This Course ....................................................................................................... 10-6

i g h d i for a complete list of books and a convenient order form.

o Solutions to Exercises .......................................................................................................... 1-20

N Solutions to Student Activities (Polls/Quizzes) ..................................................................... 1-20

1.1 Exploring the Platform for SAS

Platform for SAS Business

C software with components that exist on multiple machines

SAS High-Performance Analytics

SAS In-Memory Analytics product solutions are:

 SAS Data Quality Server

C SAS Data Quality and SAS Data Management.

SAS Business Intelligence

SAS Data Integration Studio enables a data warehouse developer to create

 Develop, execute, and manage drug trials to market

 data quality steward

N Who are the users in

Accessing Your Server Machine

Accessing the Classroom Environment

 In a typical deployment, the Windows services would have a start-up type of

4. Enter the d: command.

For Linux Server

1. Locating and Opening the Instructions.html Document

Enter the d: command.

9. Click OK to the message prompt.

10. Click OK to the second message prompt.

For Windows Server

2. Double-click Instructions.html to open the document in Internet Explorer.

 You are opening Internet Explorer on the server machine.

For Windows Server

For Linux Server

N What products listed pertain to data access?

e. Click the Software tab.

f. Click View SAS Server Products.

Data Quality Steward

1.2 Exploring the Platform Architecture

N  SAS Web Server and