RDBMS Setup and Authentication in SAS 9
Paresh Patel, Shlomish Consulting Inc, IL
Richard Kerwin R.K. Consulting Inc, IL
ABSTRACT
SAS 9 uses a single sign-on model that gives users access to a variety of computing resources, including RDBMSs such as Oracle, Teradata, and Sybase, without repeated prompting for user IDs and passwords. After the initial authentication to the Metadata Server, additional authentication can occur when a client requests data from an external RDBMS. It is common practice in SAS 9 to use a shared group login for such requests, but that practice undermines the database security set up by DBAs, can violate Sarbanes-Oxley requirements, and makes it impossible to trace individual activity back to a user. It is always preferable to access the RDBMS through an interactive login rather than shared credentials, and if your RDBMS contains data of a sensitive nature, it is required.
INTRODUCTION
SAS Integration Technologies allows users of SAS 9 to use a standard client such as Enterprise Guide to interface with the SAS environment and to authenticate and validate users. This paper discusses how you can give Enterprise Guide 4 users access to predefined SAS and RDBMS libraries without storing database passwords in the metadata. It explains how to manage database access and security without undermining the rules set up by the DBAs, and how to defer database connections until a request is submitted for a specific database resource, so that system resources are not strained by unnecessary DBMS connection threads. It covers setting up additional authentication domains for individual databases, forcing interactive prompts for database credentials, and deferring connections until database resources are requested, for two widely used RDBMSs, Oracle and Teradata.
SAS 9 BUSINESS INTELLIGENCE
Each component of the SAS Intelligence Architecture leverages common metadata shared through a common repository. The main components of interest when accessing any data source are:
METADATA SERVER
A SAS Metadata Server is a multithreaded, multi-user SAS software server that:
• enables multiple clients to use the same SAS process at the same time
• listens on a particular port for communications from client applications and other processes
Every SAS client application and every Web application attempts to communicate with the metadata server when it is invoked, so it is important that this server not experience excessive downtime.
AUTHENTICATION
Authentication is the process of proving who you are to another entity. Most of the time, identification
and authentication are paired.
User ID and password: When you log on most systems, you are asked for your user ID and password.
This pair identifies you to the system and proves who you are to the system.
AUTHORIZATION
Authorization is the concept of determining what you are allowed to do and what you are allowed to see.
After your identity has been verified, the focus is on what you can do and what you cannot do. These are
often thought of as permissions.
Authentication Domain
An authentication domain is a metadata object that links logins to the servers for which the logins are valid:
• Each authentication domain should be associated with one or more servers and with the logins that provide access to those servers.
• All of the computing resources within an authentication domain use the same authentication provider.
Authentication Provider
An authentication provider is a technology that servers or applications use to verify that users are who they say they are. Authentication providers include:
• Operating systems
• LDAP (Lightweight Directory Access Protocol)
• Microsoft Active Directory
• Third-party database system authentication mechanisms
Figure 1
DATA TIER
The data tier contains the enterprise data sources:
• RDBMS – Relational Database Management System
• ERP – Enterprise Resource Planning
RDBMS TABLES
These are collections of related tables managed by a relational database server and accessed by SAS through the interfaces provided by SAS/ACCESS software. Tables are arranged in a rectangular structure of rows and columns. There are several SAS/ACCESS products. For example, SAS/ACCESS to Oracle provides a data engine that enables a SAS server to submit SQL to an Oracle server. Using the Pass-Through feature, vendor-specific SQL can be sent to the database, which lets existing queries be incorporated into your SAS environment with little change.
FIGURE 2
ORACLE EXAMPLE
If your SAS Foundation installation includes SAS/ACCESS to Oracle, you can access Oracle tables and views. To
make this work, you must have an Oracle client installed and configured on the machine running SAS Foundation.
You must have SAS/ACCESS to Oracle installed, as well. SAS will request a connection to Oracle. The Oracle client
will facilitate the connection to the database. Once connected, SQL statements and data are passed from SAS to
Oracle. Using the SQL Pass-Through Facility, it is possible to pass SQL specific to Oracle to the database server for
execution. Oracle security is honored, so you will need to have your DBA grant privileges on any database objects
you need to access.
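The following is an added example, not code from the original paper, showing the two ways just described of reaching Oracle through SAS/ACCESS to Oracle: a LIBNAME (implicit pass-through) and an explicit SQL Pass-Through query that sends Oracle-specific SQL. The Oracle net service name ORAPROD, the schema HR and its EMPLOYEES table, and the authentication domain ORAAUTH are assumptions. The AUTHDOMAIN= option on LIBNAME and CONNECT, which makes the engine look up the connecting user's own Oracle login in metadata instead of taking user=/password= on the statement, is documented for SAS/ACCESS 9.2 and later; that it is available in the release in use is also an assumption.

```sas
/* Added example (not from the original paper). Assumed names: Oracle net      */
/* service ORAPROD, schema HR, table HR.EMPLOYEES, authentication domain       */
/* ORAAUTH. AUTHDOMAIN= is a SAS/ACCESS 9.2+ option (assumption).              */

/* 1. LIBNAME, implicit pass-through. No user=/password= is coded: the engine  */
/*    resolves the connecting user's own Oracle login from the ORAAUTH domain, */
/*    so the Oracle session is opened under that user's identity.              */
libname orahr oracle path=ORAPROD schema=HR authdomain="ORAAUTH";

/* Oracle enforces its own privileges per object. Without a SELECT grant on    */
/* HR.EMPLOYEES this step fails with ORA-00942 (table or view does not exist), */
/* which is the DBA's grant being honored, not a SAS configuration problem.    */
proc sql;
   select count(*) as n_emp from orahr.employees;
quit;

/* 2. Explicit SQL Pass-Through. The inner query is sent to Oracle unchanged,  */
/*    so Oracle-only syntax (TO_CHAR, ADD_MONTHS, ROWNUM) is allowed, and it   */
/*    still runs under the user's Oracle identity for auditing.               */
proc sql;
   connect to oracle (path=ORAPROD authdomain="ORAAUTH");
   create table work.recent_hires as
   select * from connection to oracle (
      select employee_id,
             to_char(hire_date, 'YYYY-MM-DD') as hire_date
      from   hr.employees
      where  hire_date > add_months(sysdate, -12)
      and    rownum <= 100
   );
   disconnect from oracle;
quit;

libname orahr clear;
```

The point for security is the absence of credentials in the code: whatever Oracle grants the DBA has given the individual user are what the query runs with, and the Oracle audit trail names that user.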
RDBMS Connection Challenges
It is usually suggested that the database password be stored in the metadata repository so that single sign-on works. The drawback is that every time a user's database password changes it must also be changed in the metadata repository, which quickly becomes a maintenance nightmare. This method does allow individual tracking of database activity, but at the cost of constant maintenance.
The second suggestion is to create a single group login, so that only one password ever needs changing. The problem with this approach is that there can be no auditing on the database side, because every user reaches the database as the same group ID. DBAs get frustrated because they cannot trace inefficient queries to an individual user, and security cannot be applied per user on the database; it can only be applied at the group level.
With any stored-password approach, assigning the libraries opens connection threads to the database, putting unneeded stress on it and slowing response times. Some engines offer options such as DEFER=YES to postpone the connection, but they do not work for every database. For Teradata, the DEFER=YES shared-connection option does not work, and with stored passwords each client opens its connections immediately. If there are 10 pre-defined libraries (10 different schemas), each user of a client such as Enterprise Guide opens 10 connections to Teradata per client window; with 50 users that is 500 open connections, which makes the initial startup and library refresh of Enterprise Guide very slow. Some RDBMSs also limit the number of connections that can be made.
Enterprise Guide and RDBMS Connections
In a SAS 9 environment Enterprise Guide 4.x uses the metadata repository, so it must first authenticate to the metadata server.
Initial authentication steps:
• The user's credentials are authenticated.
• The metadata server determines the user's metadata identity.
Enterprise Guide also needs additional authentication when it accesses data in a database such as Teradata or Oracle. The ways that applications can obtain credentials for other servers include the following:
• Reuse credentials that are cached from an interactive logon
• Retrieve credentials from the metadata repository
• Interactively prompt for credentials
We use the third approach, the interactive prompt for credentials, as shown in figure 3.
Figure 3
The database library is pre-defined using SAS Management Console, and the user identity is stored in the metadata. The DefaultAuth authentication domain is used for the metadata server, while for the database we create a new authentication domain. The user ID for this new domain is also entered in the metadata, but the password is not stored. As a result the library is marked pre-assigned in the metadata but is not assigned when Enterprise Guide opens; it shows a red X. When you right-click it and select Assign, a window appears prompting for database credentials, as shown in figure 3.
SAS ACCESS Library in Management Console
The following steps set up a pre-defined library:
1. Define the DBMS user in the metadata repository.
2. Define the DBMS server.
3. Define the database schema. Each schema in the database needs to be defined here.
4. Define the database library.
1. RDBMS User Login and Creating a New Authentication Domain (e.g. TERAAUTH, ORAAUTH, SYBAUTH)
• Open the properties of an existing user in User Manager whom you want to allow access to the DBMS server.
• On the Logins tab select 'New' and add the DBMS user ID, leaving the password field empty.
• For the Authentication Domain select your DBMS authentication domain (e.g. 'Oracle Auth'). If the appropriate authentication domain is not listed, select 'New' and add it.
• Add the appropriate DBMS login for each individual user on the Logins tab of that user's properties. Every user's DBMS login can use the same authentication domain. No DBMS password may be stored.
2. RDBMS Server
• From Server Manager select 'Actions -> New Server' to add the DBMS server.
• Select the correct DBMS, e.g. Teradata, Oracle, etc. (as shown in figure 4).
• Name the server.
• Select 'Next' to accept the defaults (as shown in figure 5).
• Enter DBMS-specific server information such as the Oracle path, Teradata server, etc. (as shown in figure 6).
• Select the authentication domain that was created in step 1 above (as shown in figure 7).
Figure 4
Figure 5
Figure 6
Figure 7
3. Database Schema
• From Data Library Manager -> Database Schemas select 'Actions -> New Database Schema'.
• Enter the schema name and select the server name that was created in step 2 above (as shown in figure 9).
Figure 8
Figure 9
4. Pre-defined Database Library
• From Data Library Manager -> SAS Libraries select 'Actions -> New Library' to add a new DBMS library for use in the SAS client Enterprise Guide.
• Select the appropriate DBMS (as shown in figure 10).
• Name the library (as shown in figure 11).
• Give it a libref.
• On the Advanced Options tab select 'Library is Pre-assigned'.
• Select the database server you added in step 2 above (as shown in figure 12).
• Add the schema.
• Select your workspace server.
Because no password has been stored, the library is pre-assigned in SAS Management Console but will not be assigned automatically when Enterprise Guide opens.
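The following is an added example, not code from the original paper, written to serve both the "RDBMS Connection Challenges" section and the four-step library setup above. It shows, as LIBNAME statements, what a metadata-defined Teradata library amounts to, with the shared group login the paper warns against beside the per-user form that carries no credential. The Teradata server name TDPROD, the schemas SALES and FIN, the ORDERS table, the group login SASGRP and its password, and the authentication domain TERAAUTH are all constructed for the example. AUTHDOMAIN= on LIBNAME and CONNECT is documented for SAS/ACCESS 9.2 and later; its availability in the release in use is an assumption. The DBA-side query uses Teradata's DBC.SessionInfo view and its UserName column, which are documented Teradata names but are assumed here rather than taken from the paper.

```sas
/* Added example (not from the original paper). Constructed names: Teradata    */
/* server TDPROD, schemas SALES and FIN, table SALES.ORDERS, group login        */
/* SASGRP, authentication domain TERAAUTH. AUTHDOMAIN= is SAS/ACCESS 9.2+      */
/* (assumption).                                                                */

/* WEAK: one group ID with its password coded on the statement (or stored in   */
/* metadata for everyone). Every user reaches Teradata as SASGRP, so the DBA   */
/* cannot audit or grant per person, and the session opens as soon as the      */
/* library is assigned, whether or not any table is used.                      */
libname sales_g teradata server=TDPROD schema=SALES
        user=SASGRP password="GroupSecret1";     /* shared credential: avoid  */

/* CORRECTED: no credential on the statement. The user's own Teradata login    */
/* (ID only, no stored password) lives in the TERAAUTH domain, so the session  */
/* is opened under that user's identity and per-user grants and auditing apply.*/
/* DEFER=YES asks the engine to wait for the first table reference before      */
/* connecting; the paper reports this did not help in its Teradata setup,      */
/* which is why it leaves the library unassigned until the user assigns it.    */
libname sales_i teradata server=TDPROD schema=SALES
        authdomain="TERAAUTH" defer=yes;
libname fin_i   teradata server=TDPROD schema=FIN
        authdomain="TERAAUTH" defer=yes;

/* Only sales_i connects here; fin_i stays unconnected because nothing        */
/* referenced it. Ten libraries therefore no longer mean ten sessions per user. */
proc sql;
   select count(*) as n_orders from sales_i.orders;
quit;

/* DBA-side check through Teradata pass-through: with the group login every    */
/* row reports SASGRP, with individual logins each row names a real user, and  */
/* the session count per user shows the connection load the paper describes.  */
proc sql;
   connect to teradata (server=TDPROD authdomain="TERAAUTH");
   select * from connection to teradata (
      select UserName, count(*) as sessions
      from   DBC.SessionInfo
      group by UserName
   );
   disconnect from teradata;
quit;

libname sales_g clear;
libname sales_i clear;
libname fin_i   clear;
```

The metadata library built in steps 1 to 4 is the corrected form: the server definition supplies server= and the schema definition supplies schema=, the authentication domain stands in for authdomain=, and because no password is stored against the user's TERAAUTH login, Enterprise Guide has to prompt for it when the library is assigned.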
Figure 10
Figure 11
Figure 12
Enterprise Guide Client
While defining the Teradata library we did not associate any logins; in the figure above the Default Login is NONE. The library therefore appears unassigned in Enterprise Guide, marked with a red X (as shown in figure 13). Right-click it and select Assign, and Enterprise Guide prompts for login credentials for the Teradata library (as shown in figure 14).
Figure 13
Figure 14
CONCLUSION
This paper describes a method for establishing connectivity to a Teradata installation from SAS 9 that uses a three-tiered security architecture: 1) at the individual level, through a prompted personal login; 2) at the SAS system level, via metadata security, which defines and controls access to objects through an individual's identity and the inclusion or exclusion of that identity in various groups; and 3) at the DBMS level, where a DBA can define roles associated with schemas that are set up to directly support the various permutations of SAS usage within an organization. These schemas, when set up as individual SAS libraries, provide a Sarbanes-Oxley compliant security model with the added benefit of reducing the number of connections into the database. Defining connectivity to Oracle and Sybase installations is very similar. However, both Oracle and Sybase require additional extended attributes such as LoginMode to be set up in the metadata, and connectivity to Sybase IQ needs to be defined through the SAS/ACCESS engine for ODBC and a Sybase IQ ODBC driver.
ACKNOWLEDGMENTS
Special thanks to Brian Kowalczyk of Kowal Computer Solutions, Inc. ([email protected]) for assisting with
details of the paper.
CONTACT INFORMATION
Your comments and questions are valued and encouraged. Contact the author at:
Paresh Patel
Shlomish Consulting Inc
[email protected]
Richard K .Kerwin
R.K. Consulting, Inc
[email protected]
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS
Institute Inc. in the USA and other countries. ® indicates USA registration.
Other brand and product names are trademarks of their respective companies.