SAS® Platform

Administration: Fast Track

Course Notes
SAS® Platform Administration: Fast Track Course Notes was developed by Sheila Riley and
Christine Vitron. Additional contributions were made by Darrell Barton, Marty Flis, John Hall, Dave
Naden, Gerry Nelson, and Raymond Thomas. Instructional design, editing, and production support
was provided by the Learning Design and Development team.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or
trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration.
Other brand and product names are trademarks of their respective companies.

SAS® Platform Administration: Fast Track Course Notes

Copyright © 2020 SAS Institute Inc. Cary, NC, USA. All rights reserved. Printed in the United States
of America. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, or otherwise,
without the prior written permission of the publisher, SAS Institute Inc.

Book code E71655, course code LWSPAUM6/SPAUM6, prepared date 24Mar2020.

LWSPAUM6_001

ISBN 978-1-64295-994-9
 For Your Infor mation iii

Table of Contents

Lesson 1 Exploring the SAS ® Platform ...............................................................1-1

1.1 Introduction to the SAS Platform ........................................................................1-3

Demonstration: Accessing the Classroom Environment ................................ 1-18

Demonstration: Exploring SAS Resources for Administrators on the Web ....... 1-26

Practice ................................................................................................... 1-31

1.2 Administration Tasks ....................................................................................... 1-36

Demonstration: Reviewing SAS Deployment Wizard Response Files and

Stand-Alone Installs ........................................................... 1-56

Demonstration: Accessing SAS Management Console and SAS

Environment Manager ........................................................ 1-58

Practice ................................................................................................... 1-66

1.3 Backing Up the SAS Environment .................................................................... 1-70

Demonstration: Listing the Backup Schedule and Using the Backup

Manager............................................................................ 1-84

Practice ................................................................................................... 1-91

1.4 Solutions ....................................................................................................... 1-96

Solutions to Practices................................................................................ 1-96

Solutions to Activities and Questions ........................................................ 1-131

Lesson 2 Reviewing SAS ® Platform Architecture Components ...........................2-1

2.1 Exploring the Platform Architecture ....................................................................2-3

Practice ................................................................................................... 2-15

2.2 Exploring the SAS Middle-Tier Architecture ....................................................... 2-19

Practice ................................................................................................... 2-30

2.3 Operating SAS Servers and Spawners ............................................................. 2-35

Demonstration: Using SAS Environment Manager to Operate Servers and

Spawners .......................................................................... 2-42

Practice ................................................................................................... 2-44

iv For Your Information

2.4 Exploring SAS Environment Manager............................................................... 2-47

Demonstration: Exploring SAS Environment Manager .................................. 2-55

Practice ................................................................................................... 2-66

2.5 Exploring SAS Environment Manager Service Architecture ................................ 2-71

Practice ................................................................................................... 2-84

2.6 Solutions ....................................................................................................... 2-89

Solutions to Practices................................................................................ 2-89

Solutions to Activities and Questions ........................................................ 2-131

Lesson 3 Understanding SAS ® Metadata and the Metadata Server .....................3-1

3.1 Exploring the SAS Metadata Server and Metadata Repositories ...........................3-3

Practice ................................................................................................... 3-12

3.2 Exploring Initial Authentication to the Metadata Server ....................................... 3-16

Practice ................................................................................................... 3-22

3.3 Exploring SAS Metadata Objects ..................................................................... 3-28

Demonstration: Exploring SAS Metadata in SAS Environment Manager ......... 3-39

Practice ................................................................................................... 3-44

3.4 Implementing a SAS Metadata Server Cluster .................................................. 3-47

3.5 Backing Up the SAS Metadata Server .............................................................. 3-59

Practice ................................................................................................... 3-70

3.6 Solutions ....................................................................................................... 3-72

Solutions to Practices................................................................................ 3-72

Solutions to Activities and Questions ........................................................ 3-104

Lesson 4 Administering Users, Groups, and Roles .............................................4-1

4.1 Administering Users and Groups .......................................................................4-3

Practice .....................................................................................................4-9

4.2 Using Import Macros....................................................................................... 4-12

Practice ................................................................................................... 4-21

 For Your Infor mation v

4.3 Exploring Internal Accounts and Internal Authentication Mechanisms .................. 4-25

Practice ................................................................................................... 4-32

4.4 Administering Roles and Administrative Identities .............................................. 4-34

Practice ................................................................................................... 4-39

4.5 Solutions ....................................................................................................... 4-44

Solutions to Practices................................................................................ 4-44

Solutions to Activities and Questions .......................................................... 4-85

Lesson 5 Managing SAS ® Compute Servers and Spawners ................................5-1

5.1 Understanding SAS Compute Servers ................................................................5-3

Demonstration: Monitoring SAS Servers and Sessions from

SAS Management Console ................................................. 5-20

Practice ................................................................................................... 5-23

5.2 Exploring Credential Management ................................................................... 5-30

Demonstration: Configuring Access to a Database in SAS Management
Console (Optional) ............................................................. 5-36

Practice ................................................................................................... 5-46

5.3 Administering Server Logging .......................................................................... 5-47

Demonstration: Viewing Metadata Server Logging in SAS Management

Console............................................................................. 5-58

Practice ................................................................................................... 5-63

5.4 Solutions ....................................................................................................... 5-69

Solutions to Practices................................................................................ 5-69

Solutions to Activities and Questions .......................................................... 5-99

Lesson 6 Securing Metadata ..............................................................................6-1

6.1 Reviewing Metadata Security ............................................................................6-3

Demonstration: Exploring the Repository ACT.............................................. 6-12

Practice ................................................................................................... 6-18

6.2 Exploring Metadata Permissions and ACTs ....................................................... 6-25

Demonstration: Identifying Applicable Permissions ....................................... 6-34

vi For Your Information

Practice ................................................................................................... 6-37

6.3 Customizing SAS Folders ............................................................................... 6-45

Practice ................................................................................................... 6-53

6.4 Solutions ....................................................................................................... 6-72

Solutions to Practices................................................................................ 6-72

Solutions to Activities and Questions ........................................................ 6-155

Lesson 7 Establishing Connectivity to Data Sources ..........................................7-1

7.1 Registering Libraries and Tables in Metadata ......................................................7-3

Demonstration: Registering SAS Library and Table Metadata in SAS

Environment Manager ........................................................ 7-14

Demonstration: Registering SAS Library and Table Metadata in

SAS Management Console (Optional).................................. 7-21

Practice ................................................................................................... 7-24

7.2 Setting Up Data Access .................................................................................. 7-28

Practice ................................................................................................... 7-39

7.3 Solutions ....................................................................................................... 7-46

Solutions to Practices................................................................................ 7-46

Solutions to Activities and Questions .......................................................... 7-87

Lesson 8 Monitoring Your SAS ® Environment ....................................................8-1

8.1 Monitoring a SAS Environment with SAS Environment Manager ...........................8-3

Demonstration: Exploring Alerts in SAS Environment Manager...................... 8-13

Practice ................................................................................................... 8-20

8.2 Additional Topics about SAS Server Maintenance ............................................. 8-35

Practice ................................................................................................... 8-41

8.3 Solutions ....................................................................................................... 8-46

Solutions to Practices................................................................................ 8-46

Solutions to Activities and Questions .......................................................... 8-82
 For Your Infor mation vii

To learn more…
For information about other courses in the curriculum, contact the
SAS Education Division at 1-800-333-7660, or send e-mail to
[email protected]. You can also find this information on the web at
http://support.sas.com/training/ as well as in the Training Course
Catalog.

For a list of SAS books (including e-books) that relate to the topics
covered in this course notes, visit https://www.sas.com/sas/books.html or
call 1-800-727-0025. US customers receive free shipping to US
addresses.
viii For Your Information
Lesson 1 Exploring the SAS®
Platform

1.1 Introduction to the SAS Platform ................................................................................. 1-3

Demonstration: Accessing the Classroom Environment .............................................. 1-18

Demonstration: Exploring SAS Resources for Administrators on the Web...................... 1-26

Practice............................................................................................................... 1-31

1.2 Administration Tasks ................................................................................................. 1-36

Demonstration: Reviewing SAS Deployment Wizard Response Files and Stand-
Alone Installs ................................................................................. 1-56
Demonstration: Accessing SAS Management Console and SAS Environment
Manager ....................................................................................... 1-58

Practice............................................................................................................... 1-66

1.3 Backing Up the SAS Environment.............................................................................. 1-70

Demonstration: Listing the Backup Schedule and Using the Backup Manager................ 1-84
Practice............................................................................................................... 1-91

1.4 Solutions ................................................................................................................... 1-96

Solutions to Practices ............................................................................................ 1-96

Solutions to Activities and Questions...................................................................... 1-131

1-2 Lesson 1 Exploring the SAS® Platform

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-3

1.1 Introduction to the SAS Platform

The SAS Platform

Analytics Visualization

Data Management
3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Platf orm is enterprise sof tware that includes SAS product offerings in high-perf ormance
analytics, data management, and visualization. These components provide support for f oundational
capabilities such as distributed processing, security, administ ration, program development and
execution, resource management, user interf aces, and integration with operating systems and third -
party sof tware.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-4 Lesson 1 Exploring the SAS® Platform

The SAS Platform

Big Data Timely Intelligence

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Platf orm architecture is designed to ef ficiently access large amounts of data, while
simultaneously providing timely intelligence to a large number of users. The users’ skill sets can
range f rom a power user perf orming analysis and creating reports to consumers using those reports.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-5

The SAS Platform

SAS 9.4 SAS Viya

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Platform consists of the f ollowing:

• SAS Business Analytics Framework is enterprise sof tware that encompasses a comprehensive set
of business solutions, technologies, and services. It consists of applications across multiple
machines that help you accomplish the various tasks f or accessing and creating inf ormation, as
well as perf orming analysis and reporting.
• SAS Viya is an integrated part of the SAS Platf orm. It offers a rich set of data mining and machine-
learning capabilities that run on a robust, in-memory, distributed-computing infrastructure. It
provides elastic, scalable, and fault-tolerant processes to address your complex analytical
challenges. It is an environment that is unif ied, open, powerf ul, and adaptive.

SAS 9.4M5 introduces powerf ul options for integrating with SAS Viya and leveraging the power and
innovation of the new CAS technology while still using f amiliar tools and interf aces. SAS 9.4M5
supports sessions between SAS and SAS Viya 3.2 Cloud Analytic Services (CAS). From a SAS
session with the CAS server, you can load data to the CAS server and save CAS tables, and submit
DATA step code, SAS Viya analytic procedures, CAS server utility procedures, and Base SAS
procedures.

SAS 9.4M6 is part of the SAS Platf orm, and it can be used stand-alone or in conjunction with SAS
Viya.

For more inf ormation about SAS 9.4M6 integration with SAS Viya:
https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.3&docsetId=whatsnew&docs
etTarget=titlepage.htm&locale=en

For more inf ormation about SAS Viya: https://support.sas.com//en/software/sas-viya.html

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-6 Lesson 1 Exploring the SAS® Platform

SAS 9.4 Deployment Types

Single
Tier

N-tier
SAS SAS
Foundation Platform

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

SAS Foundation is the traditional SAS installation available bef ore the advent of the SAS Platf orm.
The SAS Foundation sof tware is installed locally, and the programming interf aces run their jobs on
the local copy of SAS.

The SAS Platf orm introduces a distributed environment with inf rastructure components that work
together to provide an interactive computing environment f or users with diverse skills and needs. It
typically consists of a multiple-tier environment.
• Client Tier
• Middle Tier
• Server Tier: SAS Metadata Server
• Server Tier: SAS Compute Servers

Clustering of the tiers can also be perf ormed to provide a highly available environment with load -
balancing capabilities.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-7

For smaller organizations, the SAS Platf orm can also be deployed on a single host.

SAS Foundation and Development Tools

SAS Studio is a web browser
The SAS
accessible development application.
windowing
environment is
used to develop
and run SAS
programs.

SAS Enterprise Guide is a

task-based, point-and-click
SAS program development
interface.
7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

The SAS Foundation deployment includes the SAS windowing environment, which enables
programmers to directly write and submit their code. SAS Foundation can also include SAS
Enterprise Guide, which enables you to write SAS programs using a point-and-click interf ace. In
addition to the programming interf ace similar to that f ound in the windowing environment, Enterprise
Guide includes various tasks that provide a guided, point -and-click interf ace to programming. The
tasks provide templates that enable programmers to select task options and the data to perf orm the
task on.

The next option to develop your SAS programs is SAS Studio. SAS Studio is a web interf ace similar
to Enterprise Guide. Programmers can write and submit programs in SAS Studio, or they can use
the task-based point-and-click programming interf ace like SAS Enterprise Guide to create and
submit their programs. SAS Studio has two versions available. A single-user version can be installed
on a Windows system with the SAS Foundation sof tware. SAS Studio is more commonly found in a
SAS Platf orm deployment as part of the middle tier.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-8 Lesson 1 Exploring the SAS® Platform

1.01 Question
The SAS Platform can exist on a single machine.
 True
 False

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Platform

Analytics/
High-Performance
Analytics

10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-9

SAS High-Performance Analytics

The SAS High-Performance Analytics infrastructure consists of software that
performs analytic tasks in a high-performance environment, which is characterized
by massively parallel processing (MPP). The infrastructure is used by SAS products
and solutions that typically analyze big data that resides in a distributed data storage
appliance or Hadoop cluster. Controller

SAS ANALYTICS
Client

11 Apache Hadoop on Commodity Hardware

C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS In-Memory Analytics Server divides analytic processes into manageable pieces and
distributes them in parallel across a dedicated set of blade servers, either Hadoop or commercial
databases such as Greenplum and Teradata.

SAS procedures, DS2 thread programs, f ormatted SQL queries, and scoring models are run inside
the database.

Here are the SAS In-Memory Analytics product solutions:

• SAS High-Perf ormance Analytics products
• SAS Visual Analytics: web-based solution f or exploring large data volumes
• SAS In-Memory Statistics: delivers statistical modeling and machine learning capabilities in a
programming environment
• SAS Code Accelerator f or Hadoop (DS2)

Hadoop is an open source sof tware f ramework that provides distributed storage and processing of
large amounts of data. The data is divided into blocks and stored across multiple connected nodes
(computers) that work together.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-10 Lesson 1 Exploring the SAS® Platform

Advanced Analytics
SAS offers a rich and expansive portfolio of analytic products. The portfolio
includes products for predictive and descriptive modeling, data mining, text
analytics, forecasting, optimization, simulation, data visualization, model
management, and experimental design.
• SAS Enterprise Miner
• SAS Forecast Server
• SAS Model Manager
• JMP

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Enterprise Miner enables analysts to create and manage data mining process f lows. These
f lows include steps to examine, transf orm, and process data to create models that predict complex
behaviors of economic interest. The SAS Intelligence Platf orm enables SAS Enterprise Miner users
to centrally store and share the metadata f or models and projects. In addition, SAS Data Integration
Studio provides the ability to schedule data mining jobs.

SAS Forecast Server enables organizations to plan more ef f ectively for the f uture by generating
large quantities of high-quality f orecasts quickly and automatically. This solution includes the SAS
High-Perf ormance Forecasting engine, which selects the time series models, business drivers, and
events that best explain your historical data, optimizes all model parameters, and generates high-
quality f orecasts. SAS Forecast Studio provides a graphical interf ace to these high-perf ormance
f orecasting procedures.

SAS Model Manager supports the deployment of analytical models into your operational
environments. It enables registration, modification, tracking, scoring, and reporting on analytical
models that have been developed f or BI and operational applications.

JMP is interactive, exploratory data analysis and modeling software f or the desktop. JMP makes
data analysis (and the resulting discoveries) visual and helps communicate those discoveries to
others. JMP presents results both graphically and numerically. By linking graphs to each other and to
the data, JMP makes it easier to see the trends, outliers, and other patterns that are hidden in your
data.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-11

Data Management
The data management components enable you to consolidate and manage
enterprise data from a variety of source systems, applications, and
technologies.
Here are the primary applications and software products:
• SAS Data Integration Studio
• SAS Data Loader for Hadoop
• SAS Enterprise Data Management Server Platform
• SAS Data Quality Server

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The sof tware tools in the data management category enable you to consolidate and manage
enterprise data f rom a variety of source systems, applications, and technologies. SAS provides
access engines and interf aces to a wide variety of data sources. Data developers create and
manage metadata objects that def ine sources, targets, and the sequence of steps f or the extraction,
transf ormation, and loading of data.

SAS Data Integration Studio provides a powerf ul visual design tool for building, implementing, and
managing data integration processes regardless of data sources, applications, or platforms. An
easy-to-manage, multiple-user environment enables collaboration on large enterprise projects with
repeatable processes that are easily shared. The sof tware enables you to create jobs and process
f lows that extract, transf orm, and load data for use in data warehouses and data marts. You can also
create processes that cleanse, migrate, synchronize, replicate, and promote data f or applications
and business services.

SAS Data Loader f or Hadoop is a software offering that makes it easier to move, cleanse, and
analyze data in Hadoop. It enables business users and data scientists to do self -service data
preparation on a Hadoop cluster. Hadoop is highly efficient at storing and processing large amounts
of data. SAS Data Loader f or Hadoop provides a set of wizards, called directives, that help business
users and data scientists perf orm tasks.

SAS Enterprise Data Management Server Platf orm software enables you to discover, design,
deploy, and maintain data across your enterprise in a centralized way. Data quality, data integration,
and master data management are all provided under a unif ied user interf ac e called SAS Data
Management Studio. Data Management Studio provides a web interf ace f or managing a list of
business data terms, f or managing ref erence data, or f or viewing exceptions to monitored business
rules.
These DataFlux products work with SAS Data Integration Studio and are part of the SAS Data
Management Standard and SAS Data Management Advanced of ferings.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-12 Lesson 1 Exploring the SAS® Platform

SAS Data Quality Server works with SAS Data Integration Studio and the SAS Enterprise Data
Management Server Platf orm to analyze, cleanse, transf orm, and standardize your data. The
language elements that make up the SAS Data Quality Server sof tware f orm the basis of the data
quality transf ormations in SAS Data Integration Studio.

SAS Data Quality Solution includes the f o llowing features:

• business rule validation – ensures that data meets organizational standards f or data quality
and processes.
• data prof iling – examines the structure, completeness, and suitability of your inf ormation assets.
• data quality – improves the quality of your enterprise inf ormation.
• entity resolution – matches data and identif ies potential relationships across sources.
• master data management f oundation – creates a hub of master data based on a subset of your
existing data through a phased MDM approach.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-13

SAS Business Intelligence

The business intelligence components enable users with various needs and
skill levels to create, produce, and share their reports and analyses.
The software tools in the business intelligence category address two main
functional areas: information design and self-service reporting and analysis.

SAS Enterprise
BI Server
SAS Business SAS Office
Intelligence Analytics
SAS Visual
Analytics

14
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Platf orm applications were created to organize the f unctions of various job roles into the
dif ferent applications. Instead of having one large client application that does everything f or all
people across the organization, there are several applications to accomplish these tasks.

Some of the applications are installed on each user’s machine. Others are accessed using a web
browser.

SAS Add-In for The SAS Add-In f or Microsoft Office enables business users to
Microsoft Office transparently leverage the power of SAS analytics, reporting, and data
access directly f rom Microsoft Office via integrated menus and toolbars.

SAS BI SAS BI Dashboard is a point-and-click dashboard development

Dashboard application that enables the creation of dashboards from a variety of
data sources to surf ace inf ormation visually.

SAS Data SAS Data Integration Studio enables a data warehouse developer to
Integration create and manage metadata objects that def ine sources, targets, and
Studio the sequence of steps f or the extraction, transf ormation, and loading of
data.

SAS Enterprise SAS Enterprise Guide provides a guided mechanism to exploit the
Guide power of SAS and publish dynamic results throughout the organization.
SAS Enterprise Guide can also be used f or traditional SAS
programming.

SAS Information The SAS Inf ormation Delivery Portal is a web application that can
Delivery Portal surf ace the dif ferent types of business analytic content such as
inf ormation maps, stored processes, and reports.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-14 Lesson 1 Exploring the SAS® Platform

SAS Information SAS Inf ormation Map Studio is used to build information maps, which
Map Studio shield business users f rom the complexities of the underlying data by
organizing and ref erencing data in business terms.

SAS Management SAS Management Console provides a single interf ace f or

Console administrators to manage the metadata and servers on the SAS
Platf orm. Specific administrative tasks are supported by plug -ins to the
SAS Management Console.

SAS OLAP Cube SAS OLAP Cube Studio is used to create OLAP cubes, which are
Studio multidimensional structures of summarized data. The Cube Designer
provides a point-and-click interf ace for cube creation.

SAS Web Report SAS Web Report Studio provides intuitive and ef ficient access to query
Studio and reporting capabilities on the web.

SAS Visual SAS Visual Analytics Apps enables users to use mobile devices (iPad
Analytics Apps and Android) to view certain relational reports that have been created
with SAS Web Report Studio.

Note: The applications listed above are not all of the applications available with the SAS Platf orm.

SAS Visual Analytics

SAS Visual Analytics is a web-based product that leverages SAS High-Performance
Analytics technologies to enable organizations to explore data of any size
It is built on the platform for SAS Business Analytics and is designed to work with the
SAS LASR Analytic Server.

Clients Server Components

Web Browser SAS Visual Analytics

Web Applications Platform Servers
• Home Page • SAS Metadata Server
• Explorer • SAS Workspace Server
• Designer • and so on
Mobile Device • Viewer
• Data Builder
• Graph Builder SAS LASR Analytic Server
• Administrator

15
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Visual Analytics inf rastructure includes some of the same sof tware components that are
included on the platf orm. However, SAS Visual Analytics is installed in a dedicated environment that
includes specialized hardware and its own instances of SAS software and servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-15

SAS Solutions
SAS Business Solutions leverage traditional strengths of SAS in data
management and data analysis into cross-functional, as well as vertically
specific, analytic application areas.
• Manage credit risk in financial services
• Develop, execute, and manage drug trials to market in life sciences
• Identify cross-sell opportunities in retail
• Forecast demand to predict outcomes in manufacturing
• Prevent fraud in insurance
• Monitor transactions for money laundering and terrorist financing
activities in banking

16
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Platform Job Roles

There are various job roles for users of the platform.

Platform for SAS

Business
Analytics

17
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-16 Lesson 1 Exploring the SAS® Platform

SAS Platform Applications

The platform
applications provide
intuitive point-and-
click interfaces
to surface the
power of business
analytics.
SAS Platform Applications
Data Management Analytics Reporting
SAS Enterprise Miner SAS Information Delivery
SAS Data Integration Studio
Portal
DataFlux Data SAS Forecast Server SAS BI Dashboard
Management Studio
SAS OLAP Cube Studio SAS Model Manager SAS Web Report Studio

SAS Add-In for Microsoft

SAS Information Map Studio JMP
Office

SAS Studio

SAS Enterprise Guide

18
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1.02 Multiple Choice Question

Which SAS Business Intelligence application listed below is solely for SAS
administrators?
a. SAS Enterprise Guide
b. SAS Web Report Studio
c. SAS Management Console
d. SAS Information Delivery Portal

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-17

Classroom Environment
Here are the components of the classroom environment:
• a single-machine SAS deployment on Windows
• a three-machine SAS deployment on Linux

sasclient

sasapp sasmid

Linux Servers
sasserver

Windows 2008 Server

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For the Linux platf orm: From your client machine, use mRemoteNG or WINSCP to access your
sasapp and sasmid machines. You are automatically logged on to mRemoteNG and WINSCP with
the SAS installer credentials.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-18 Lesson 1 Exploring the SAS® Platform

Accessing the Classroom Environment

This demonstration illustrates how to access the classroom environment, view licensed sof tware
components, and verif y that the SAS servers are started.

1. Access your Windows client machine.

Live Web Course Classroom Course

Use the URL in step 6 of the email that Use a remote desktop connection with the
you received f rom Live Web Administration. IP address that is given to you by your
instructor.

Log on with these credentials:

User: Student
Password: Metadata0
2. Explore the location of your SAS deployment.

Open Internet Explorer f rom the systems tray.

3. On the Favorites toolbar, there is a f older to access SAS web applications for Windows SAS
deployment and one f or Linux SAS deployment.

4. Open the SAS Studio web application from your Windows or Linux environment.

The SAS Logon Manager appears initially. The purpose of the SAS Logon Manager is to
authenticate and direct a successf ul sign-in to the appropriate web application. It enables the
user to access SAS web applications without a credential challenge.

Note: Accessing the Sign In to SAS page is a good indicator that your middle-tier servers
are up.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-19

5. Sign in as Eric and use the password Student1.

You see in the bottom right that you are logged on as Eric. Eric has successf ully authenticated to
the SAS Metadata Server, as well as the SAS processing server. (SAS Servers are discussed
later.)

SAS Studio is used by your SAS users who want to access data f iles, libraries, and existing
programs and write new programs. You can also use the predef ined tasks in SAS Studio to
generate SAS code. When you run a program or task, SAS Studio connects to a SAS server to
process the SAS code.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-20 Lesson 1 Exploring the SAS® Platform

6. Enter the f ollowing code in the Program Editor:

proc setinit;
run;
This procedure writes site inf ormation to the log, such as site number, expiration of license, and
the SAS products that are licensed.

7. Click Run (the running person icon) located above the code to submit the program.

Af ter the code is processed, the results are returned to SAS Studio in your browser.

The Log window appears. It contains a note that includes a list of the SAS software products that
are licensed in this environment. Review the inf ormation.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-21

8. Because you were successf ul in signing in to SAS Studio and having code processed, you know
that the necessary servers are up in this environment. You can also verif y this using the steps
that f ollow.

For the Windows environment

The SAS deployment is located on this machine. By def ault, SAS servers and services are
installed as Windows services and are set to start automatically when you restart the machine
(or machines in a multi-tier Windows deployment).

a. Click the Services button in the system tray, . With Services selected, scroll down to
the SAS services.

Verif y that the status f or most of the SAS services is Started. It is acceptable to have these
services not started.

Note: In a typical deployment, the Windows services would have a start -up type of
Automatic. The classroom image uses a batch script to start services.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-22 Lesson 1 Exploring the SAS® Platform

b. Open Windows Explorer on the system tray and navigate to D:\thirdparty\scripts. These
scripts were created specif ically for our environment to manage the SAS servers.

Note: You can double-click the .bat f ile. However, if you want to view the steps taken in a
console as it is occurring, run the script in a CMD window under Start  Command
Prompt.

For the Linux environment

The SAS Platf orm has been deployed on two Linux machines.

The server tier: sasapp.demo.sas.com (or sasapp)

The middle tier: sasmid.demo.sas.com (or sasmid)

a. Use mRemoteNG as a terminal session to the Linux servers. A connection to

sasapp.demo.sas.com and sasmid.demo.sas.com is set up in mRemoteNG.

Double-click the mRemoteNG button on the desktop and then double-click the
sasserver.demo.sas.com session. Connections are already set up to both machines using
the install account of sas.

b. Double-click the sasapp.demo.sas.com session.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-23

c. By def ault, a sas.servers script is generated on every machine on which SAS is d eployed.
Navigate to /opt/sas/config/Lev1 to view the script.

d. Verif y the status of the SAS servers by entering the f ollowing command:

./sas.servers status. (The valid commands are stop, start, restart, and status.)

e. This has our SAS servers, but the middle-tier servers are on the sasmid.demo.sas.com
machine. Double-click the sasmid.demo.sas.com session.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-24 Lesson 1 Exploring the SAS® Platform

f. Navigate to /opt/sas/config/Lev1 to view the script.

g. Verif y the status of the SAS servers by entering the f ollowing command:

./sas.servers status. (The valid commands are stop, start, restart, and status.)

Connecting to Your Environment

1. Open SAS Enterprise Guide f rom the Start menu.

2. You are connected to sasapp.demo.sas.com. This is displayed in the top right of the interf ace.
By placing the mouse pointer on the connection link, you can see that you are connected to the
Linux platf orm as Jacques. Click this connection.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-25

3. For those using the Windows platf orm, highlight the sasserver.demo.sas.com prof ile and click
Set Active. Click Close. (Credentials are saved with each prof ile, so you are not credential
challenged when opening SAS Enterprise Guide. You see how to change this later.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-26 Lesson 1 Exploring the SAS® Platform

Exploring SAS Resources for Administrators on the Web

This demonstration explores the SAS Administrators web page.

1. Open an internet browser and enter support.sas.com. Scroll down to f ind the SAS Support
quick links to Documentation, Technical Support, Training, and Communities. Click
Communities.

2. In the Find a Community drop-down list, click Administration. Also notice there are links to
Administration subsections if you expand the + next to Administrations.

3. On the Communities Administration page, there is a link to Join Now. Be sure to register! In
addition to the subsections accessible f rom the Communities page, there are sections here f or
the f ollowing:
• Latest Activity
• Links to the subsections that we saw on the previous page
• Latest Topics
• New Solutions

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-27

4. Return to the SAS Customer Support home page. There are two ways to get to the SAS
Administrators Support page. At the top, there is a Select Your Desktop drop-down list in which
SAS Administrator is selected, or you can scroll to the bottom of the SAS Customer Support
home page and click View SAS administrator resources.

(The direct URL is https://support.sas.com/en/sas-administrators.html.)

5. This is a great resource f or SAS administrators. Click Downloads & Hot Fixes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-28 Lesson 1 Exploring the SAS® Platform

6. Click Hot Fixes in the lef t pane.

Here are some of the links that you will f ind there:
• SAS Communities Hot Fix Site
• SASHFADD Usage Guide
• SAS Deployment Wizard and SAS Deployment Manager User’s Guide
• Hot Fix FAQ

7. Go back to the SAS Administrators page and click SAS 9.4 Administration in the Read the
latest documentation section.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-29

8. Make sure that the 9.4 tab is selected. All the SAS administration documentation can be
accessed f rom this page.

A good starting point for administrators is the System Administration manual. For more details
and specif ic details about your environment, there are additional manuals f or Security
Administration, Data Administration, and others.

9. Go back to the SAS Administrators page. There you will f ind a rotating set of technical papers
written by SAS experts, as well as a link that enables you to view additional technical papers .

10. Click the Read more technical papers link. This page is a collection of papers that changes
f requently. To the right, there are links to additional papers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-30 Lesson 1 Exploring the SAS® Platform

11. Go back to the SAS Administrators page. When you scroll down, you can see additional
resources. There are multiple online communities f ocused on SAS deployment and
administration.
• SAS Administrators Blog
• SAS Administrators Community
• Recommended Reading

12. Scroll down more to see inf ormation about becoming SAS Platform certified.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-31

Practice

1. Locating and Opening the Instructions.html Document

This practice illustrates how to f ind SAS web application URLs f or your SAS environment, which
are documented in Instructions.html.

Instructions.html is the ref erence document f or your SAS deployment, and it contains any
manual conf iguration steps that must be perf ormed. It provides an overview of your deployment,
including the web application URLs. It is located under the SAS conf iguration directory in the
Levn/Documents subdirectory (f or example, D:\SAS\Config\Lev1\Documents).

Note: An Instructions.html document is created on each machine that executes the

SAS Deployment Wizard.

a. Access your Windows client machine.

Live Web Course Classroom Course

Use the URL in step 6 of your email that Use a remote desktop connection with the
you received f rom Live Web Administration. IP address that is given to you by your
instructor.

Log on with these credentials:

User: Student
Password: Metadata0
b. Connect to the server machine and check the status of SAS servers.

For Linux Server

1. Use mRemoteNG as a terminal session to the Linux server. A connection to

sasapp.demo.sas.com and sasmid.demo.sas.com is set up in mRemoteNG.

Double-click the mRemoteNG button on the desktop and then double-click the
sasapp.demo.sas.com session.

For Linux
Server

2. Navigate to the conf iguration directory, cd /opt/sas/config/Lev1. Use the sas.servers

script to verif y the status of the SAS servers: ./sas.servers status

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-32 Lesson 1 Exploring the SAS® Platform

3. Check the status of your middle-tier servers by double-clicking the

sasmid.demo.sas.com session.

4. Navigate to the conf iguration directory, cd /opt/sas/config/Lev1. Use the sas.servers

script to verif y the status of the SAS servers: ./sas.servers status

If any of the servers are not started, you need to start them. However, the o rder of server
start-up does matter. Please contact your instructor f or details.

For Windows Server

1. Click the Services button on the system tray or f rom the Start menu. With Services
selected, scroll down to the SAS services. Verif y that the status f or most of the SAS
services is Started. It is acceptable to have these services not started.

Note: In a typical deployment, the Windows services would have a start -up type of
Automatic. The classroom image uses a batch f ile to start services.

2. If the SAS services are started, go to part c below.

3. If they are not started, open a CMD window under Start  Command Prompt.

4. Enter the d: command.

5. Enter cd thirdparty\scripts.

You can enter the command dir to view the contents of the directory. You will see two
scripts here: startSAS.bat, stopSAS.bat

6. (Optional – Contact instructor bef ore running.) Enter stopSAS. You should begin to see
various SAS servers stopping in sequence.

Enter Y when prompted to stop any SAS services that require conf irmation.

A message is displayed when the script is done and the SAS servers have stopped.

7. If you ran optional step 6 above, start the servers with the startSAS script. The command
prompt displays the services as they are starting.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-33

Enter Y when prompted.

8 Notif ications appear regarding the starting of SAS services. Click OK to dismiss these
notif ication windows. Notice how some components take longer to start than others.

9. A message is displayed when the script is done. (You can start the Task Manager to
watch the CPU activity.)

Note: The SAS Web Application Server might take as long as 30 minutes to start.

c. Locate and open the Instructions.html document. In a def ault deployment, it is located
under the conf iguration directory in the Levn/Documents subdirectory.

For Linux Server

1. Use WinSCP, which is located on the client desktop. Because you are looking for web
application URLs, open the connection to the middle-tier server:

Navigate to /opt/sas/config/Lev1/Documents.

Note: You should start in /opt/sas.

2. Right-click Instructions.html and select Open. (Double-clicking the f ile opens it in the
WinSCP editor, not Internet Explorer.)

3. (Optional) You can use MRemoteNg. Use the firefox

/opt/sas/config/Lev1/Documents/Instructions.html command to open the
document. (Make sure that you are on the sasmid.demo.sas.com machine.)

For Windows Server

1. Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.

2. Double-click Instructions.html to open the document in Internet Explorer.

d. Click SAS Web Applications in the Overview list at the top of the page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-34 Lesson 1 Exploring the SAS® Platform

e. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
URL f or the SAS Studio web application.

For Linux Server

For Windows Server

Note: The page request is going through the SAS Web Server. The port f or the SAS Web
Server dif f ers in Windows and Linux environments.

f. The SAS Logon Manager appears initially. It is a web application that handles all
authentication requests f or SAS web applications. Users see the same logon page when
they access any SAS web application. It is a global sign-in session. It enables the user to
access all SAS web applications without a credential change.

Sign in as Eric and use the password Student1.

g. Enter the f ollowing code in the Program Editor:

proc setinit;
run;
Note: This procedure writes site inf ormation to the log, such as site number, expiration of
license, and the SAS products that are licensed.

h. Click Run (the running person icon) located above the code to submit the program.

i. The Log window appears. It contains a note that includes a list of the SAS software products
that are licensed in this environment. Review the inf ormation.

On what operating system are these products licensed?

What products listed pertain to data access?

j. Close out of Internet Explorer.

2. Using the SAS Installation Reporter Program

You run the program identif ied below to generate a report that shows which SAS components
(f or example, sof tware, client applications, and hot f ixes) are installed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.1 Introduction to the SAS Platform 1-35

a. Use SAS Studio to run the sasinstallreporter4u.sas program located in the f ollowing
directory:
For Windows Server – D:\Workshop\spaftWIN

For Linux Server – /opt/sas/Workshop/spaft

Note: There is a spaftWIN f older and a spaftLNX f older on this machine. For this program,
sasinstallreporter4u.sas, it does not matter where you retrieve the program
because it will be processed on whichever platf orm you are connected to through the
connection prof ile.
b. Review the output on the Results tab.

The report includes the f ollowing information:

• licensed SAS sof tware (f or example, Base SAS and SAS/STAT)
• installed SAS sof tware
• installed SAS clients or applications (f or example, SAS Enterprise Guide and the SAS
System Viewer)
• installed SAS hot f ixes (along with cursory status)
• other versions of SAS software (only in Windo ws environments and when the XCMD
system option is enabled)
• inf ormation about your deployment, including orders and configured servers
• installed and running SAS Windows services (when the XCMD system option is enabled)

Note: To download the program in your environment, see Usage Note 20390, “The SAS
Installation Reporter program creates a report showing which applications, clients,
and hotf ixes are installed”: http://support.sas.com/techsup/notes/v8/20/390.html

Note: There are two SAS procedures that give you similar inf ormation:
• The SETINIT procedure tells you what is licensed and the expiration dates , and
it works in all versions of SAS.
• The PRODUCT_STATUS procedure tells you what is installed. Some products
might be licensed but not installed. For example, if you are not actively using
the product, you might not want to use disk space.

3. (Optional) Considering Users and Applications in Your Environment

What types of users do you have at your site and which SAS applications are used by these
users?

Platform Job Role Applications

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-36 Lesson 1 Exploring the SAS® Platform

1.2 Administration Tasks

Administration Tasks
Deployment
Administration
Tasks

Maintenance Administrator Metadata

Administration Administration
Tasks Tasks Tasks

Ongoing
Administration
Tasks

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Administrators are asked to perf orm a wide variety of tasks that can be grouped in the f ollowing
ways:
• Deployment Administration tasks
• Metadata Administration tasks
• Ongoing Administration tasks
• Maintenance Administration tasks

Some of these tasks occur once. Others occur on a daily, weekly, or monthly basis. For detailed
inf ormation about administration tasks, view the Checklist of SAS Platform Administration Tasks:
http://support.sas.com/resources/papers/Platform-Administration-Tasks.pdf

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-37

Deployment Administration Tasks

Client
Application
Provisioning

Backup and Deployment

Tasks
Authentication
Restore

Encryption

28
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Client application provisioning includes the f ollowing:

• ensuring that pre-install requirements are met
• adding third-party components.
• updating clients f or hot fixes and maintenance releases
• adding SAS desktop applications to users

There is no single mechanism that is applicable to all authentication events throughout a typical
deployment. Each deployment uses some combination of the f ollowing:
• authentication processes
• trust relationships
• single sign-on technologies

Encryption protects inf ormation about disk and in transit. On the SAS Platf orm:
• Passwords in conf iguration files and the metadata are encrypted or encoded. Most other metadata
is not encrypted.
• Passwords in transit to and f rom SAS servers are encrypted or encoded.
• You can choose to encrypt all such traf fic, instead of encrypting only credentials.
• When you obtain and implement certif icates f or SAS Web Server and other middle-tier
components, you can use auto-generated certif icates f rom SAS Deployment Wizard or provide
your own.

For more inf ormation about encryption, see Encryption in SAS 9.4:
http://documentation.sas.com/?docsetId=secref&docsetTarget=secref whatsnew94.htm&docsetVersi
on=9.4&locale=en

Encoding versus encryption:

http://documentation.sas.com/?docsetId=secref&docsetTarget=n0lkz988trezwln1kwk6z7sltti 1.htm&d
ocsetVersion=9.4&locale=en#n0rhf 48ontv9nzn10ncxiwpshei8

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-38 Lesson 1 Exploring the SAS® Platform

Backups of your SAS Platf orm are scheduled by def ault at deployment, but they can be modified
and run anytime af ter with the f ollowing:
• SAS Management Console
• SAS Environment Manager
• scripting tools

Know Your Deployment

SAS Software Depot
SAS Software
SAS Deployment Deployment Location
Wizard
<root>

config SASHOME
Response file

Plan file
Instructions.html

29
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

You must have a SAS Sof tware Depot to install SAS. A SAS Software Depot is automatically created
by the SAS Download Manager during order download and verif ication.

A single depot maintains disk copies of installation media f or all your orders, o ptimizing space by
storing a single copy of any product that appears in multiple orders. A centralized network accessible
depot enables you to run the SAS Deployment Wizard on each machine, which eliminates the need
f or additional disk space on each machine. The SAS Deployment Wizard is located at the root of the
SAS Sof tware Depot alongside f olders that contain license f iles, third -party support files, various
deployment utilities, and the packages f rom which products are installed and conf igured. With all the
inf ormation contained in the SAS Sof tware Depot, be sure to include it in your disk backups. It is not
included in the backups provided as part of the SAS Platform.

SAS 9.4 Intelligence Platform: Installation and Configuration Guide:

http://support.sas.com/documentation/cdl/en/biig/63852/HTML/def ault/titlepage.htm

SAS Deployment Wizard and SAS Deployment Manager 9.4: User’s Guide

http://support.sas.com/documentation/installcenter/en/ikdeploywizug/66034/PDF/default/user.pdf

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-39

Metadata Administration Tasks

User • SAS Management Console

Management • SAS Environment Manager

Metadata
Server Backups Data Access
Metadata Management
Tasks

Moving Authorization
Metadata on Folder
Content Structure

30
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Metadata Administration tasks:

• setting up users to access the SAS Platf orm
• registering data f or the users to access and analyze
• setting up a f older structure f or organizing SAS content and securing the content so that only
authorized users can access it
• moving or copying content in the metadata
• ensuring that metadata is being backed up

Examples of SAS content stored in SAS metadata f olders:

• libraries
• tables
• stored processes
• reports
• inf ormation maps
• jobs

SAS Management Console and SAS Environment Manager Administration are tools to manage SAS
resources and resource def initions such as these:
• f olders and objects
• metadata security
• users and groups
• libraries
• servers
• SAS content backups

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-40 Lesson 1 Exploring the SAS® Platform

Comparison of SAS Management Console and the Current Version of SAS Environment
Manager

Administration Task Available in Available in

Environment Management
Manager Console

Start, stop, and restart the SAS Web Application Server. Start,
stop, and reload web applications.
✓
View metrics on the availability, perf ormance, utilization,
resource consumption, and throughput of server machines on
✓
the middle tier and the SAS server tier. Set up alerts based on
these metrics.

Use reporting tools to obtain a comprehensive view of the

perf ormance and status of your SAS environment and its
✓
resources.

Start servers on the SAS server tier. ✓

Pause, resume, quiesce, and stop servers on the SAS server
tier. View the status of server processes on the SAS server tier.
✓ ✓
View events of a specif ied level from server log f iles. ✓ ✓
View server logs and dynamically change logging levels. ✓
Validate servers on the SAS server tier and run the Deployment
Tester.
✓
Schedule, conf igure, monitor, and perf orm integrated backups
of your SAS content across multiple tiers and machines.
✓
Back up and restore the metadata server, and create and
administer metadata repositories.
✓
Monitor the operation of grids, and administer grid hosts,
queues, and jobs.
✓ ✓
Schedule f lows to run on a scheduling server.
✓
Browse the contents of SAS f olders, view and update
properties of folders and objects, and rename and delete
✓ ✓
objects.

Create, rename, and delete SAS f olders.

✓ ✓
Create and modif y metadata def initions f or users, groups, and
roles. Manage memberships, logins, and internal accounts.
✓ ✓

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-41

Administration Task Available in Available in

Environment Management
Manager Console

Def ine metadata access rules, and create and update access
control templates (ACTs).
✓ ✓
Browse any type of library or server that has been def ined in
SAS metadata. ✓ ✓
Create and modif y metadata def initions f or Base SAS libraries,
SAS LASR Analytic Server libraries, and SAS LASR Analytic
Servers.

Create and modif y metadata def initions f or other types of

SAS libraries and servers. ✓
Create and modif y metadata def initions f or database schemas,
map services, servers, stored processes, publication channels, ✓
and subscribers.

Display lineage inf ormation.

✓
Promote (export and import), copy, and paste metadata.
✓
View and modif y configuration attributes f or SAS applications,
and view and modif y deployment configurations for ✓
inf rastructure and extension services that are used by these
applications.

Another tool, SAS Web Administration Console, is a web-based interf ace that enables you to do the
f ollowing:
• monitor which users are logged on to SAS web applications
• view audit reports of logon and logoff activity
• manage notif ication templates and letterheads
• manage web-layer authorization (including privileges, roles, and permissions)
• access the SAS Content Server Administration Console
• view the current conf iguration of the web applications
• dynamically adjust logging levels f or some web applications

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-42 Lesson 1 Exploring the SAS® Platform

Metadata Security
Setting security in the metadata occurs in conjunction with
User
several administrator tasks: Management

• adding users and managing access

• establishing connectivity to data sources
Data Access
Management
• setting up your metadata folder structure

Authorization
It is important to plan security for your environment on Folder
Structure
before implementing it.

31
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Registering users in the SAS Platf orm enables administrators to define authorization rules to control
access to the content and to track user activity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-43

Writing and Maintaining a Security Model

A security model refers to security-related procedures that apply to the
installation, configuration, and management of the SAS Platform. The model
conforms to whatever standards and practices are followed by your
organization.
SAS administrators should write and maintain a security policy to include
the following items:
• authorization (access rights and permissions) in SAS
• any data or databases accessed via SAS
• OS-managed assets

32
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Here are the major components of a security model:

• users and groups def initions and authentication
• specif ication of what users and groups have access to which resources (authorization)
• organization of SAS assets on the f ile systems and in SAS metadata
• encryption procedures
• backup/recovery of SAS assets

You should be aware of the f ollowing components that have been put in place during the inst allation
and deployment process:
• SAS Metadata Server
• SAS Application Server components
• other SAS servers
• ports that are used by each server to listen f or incoming requests
• conf iguration directories that store configuration f iles, logs, scripts, and special -purpose SAS data
sets on each SAS server machine and each middle-tier machine
• initial SAS users, groups, and roles that have been def ined, both on your host OS and the SAS
Metadata Repository

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-44 Lesson 1 Exploring the SAS® Platform

1.03 Activity
Who should have SAS Management Console installed on their desktops?

Who should have access to SAS Environment Manager?

33
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-45

Maintenance Administration Tasks

Maintain
Hardware
Capacity
Manage Apply
Configurations Maintenance

Maintenance
Administration Apply Hot
Update Fixes
Passwords

Update Update
Host Names
Licenses

35
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Maintenance administration tasks are f actors that inf luence when to update your SAS deployment.
• corporate policies
• user community tolerance f or change
• volume of users
• availability of fixes for identified issues
• desire f or new capabilities
• downtime
• ease and speed of updates

Some tasks are perf ormed at the time of a major upgrade of the sof tware, such as a maintenance
release, adding new products, renewing licenses, and applying hot f ixes. Many times, these
maintenance tasks are perf ormed at the time of a scheduled system downtime. Other tasks can be
done anytime.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-46 Lesson 1 Exploring the SAS® Platform

Maintaining the Software: Applying Maintenance

Update-in-place
<root>

config SASHOME
SAS Deployment
Wizard

The SAS Deployment Wizard automatically

enters Update mode if the software in the
SAS Depot is more recent than the software
in the SASHOME directory.

36
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Maintenance releases can be sets of hot f ixes, enhanced capabilities, and , in some cases, new
product releases.

There are two types of maintenance releases:

• A SAS maintenance release is a maintenance release f or SAS Foundation. This type of
maintenance release includes sof tware changes f or multiple SAS products, such as Base SAS
and SAS/GRAPH.
• A product-specific maintenance release is a maintenance release f or a specif ic product, such as
the f irst maintenance release f or SAS Forecast Server. This type of maintenance release includes
sof tware changes f or a single SAS product.

Customers must request maintenance packs. They can be added to an existing software depot or a
newly created depot.

Maintenance packs have these f eatures:

• can be scheduled as needed
• can introduce new supported platforms or third -party products
• can add a maintenance number to product version numbers f or products receiving maintenance

SAS 9.4 Guide to Software Updates:

http://support.sas.com/documentation/cdl/en/whatsdiff/66129/HTML/def ault/titlepage.htm

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-47

Maintaining the Software: Applying Hot Fixes

Generate
Deployment
SAS Hot Fix
Registry Report
Analysis,
Download, and
Deployment Tool
(SASHFADD) SAS Deployment
DeploymentRegistry.txt Manager

Analyze and download

Install
37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Hot f ixes are used to solve critical and f requently recurring problems. They are tested and supported
by SAS. Hot f ixes are packaged or grouped in three ways:
• individual hot f ixes
• container hot f ixes
• hot f ix bundles

SAS of f ers several tools to help you manage hot f ixes ,

Deployment Registry Analysis

Bef ore updating your SAS products or applying hot f ixes, you need the product release numbers f or
all SAS products at your site. To determine these product release numbers f or each machine in your
SAS deployment, generate a deployment registry report and save it f or f uture ref erence. The script is
f ound in the SASHOME/deploymntreg directory.

SAS Hot Fix Analysis, Download, and Deployment

SASHFADD is designed to streamline the hot f ix identif ication, download, and install process. The
tool requires that you run the ViewRegistry Report f irst and then the f ollowing events occur:
• A SAS Deployment Registry is analyzed.
• A customized report listing available hot f ixes is created.
• Scripts f or automatically downloading hot fixes are generated.

The Hot Fix Report can be f ound in the ANALYSIS_ directory. The report lists the hot f ixes that are
available f or your installed SAS products based on the DeploymentRegistry.txt f ile.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-48 Lesson 1 Exploring the SAS® Platform

The Hot Fix Report can contain up to three sections:

1. Hot fixes that may be downloaded and installed individually or by using the generated
scripts – This section always appears in the Hot Fix Report and lists hot f ixes that can be
downloaded and installed individually, or by using the generated download scripts, SAS
Deployment Manager f or SAS 9.3 or 9.4, or install_scripts f or SAS 9.2. Successful installation of
these hot f ixes is recorded in the deployment registry. If your system is up -to-date with these hot
f ixes, then an appropriate message appears.
2. Hot fixes that are available only by clicking the Download link and following installation
instructions – This section might appear in the Hot Fix Report, and it lists hot f ixes that must be
downloaded and installed individually by closely f ollowing the instructions in the documentation.
Successf ul installation of these hot f ixes might be recorded in the SAS Deployment Registry,
depending on the unique properties of the hot f ix. It is possible that you will continue to see these
hot f ixes in the report even if they have been successf ully installed. If you have already applied
these hot f ixes by following the installation instructions, then you can saf ely ignore their
reappearance in the report.
3. Hot fixes containing updates only to non-English software components – This section
might appear in the Hot Fix Report, and it lists hot f ixes that can be applied only to systems
where the languages listed with the hot f ix are installed f or the specif ic SAS product. These hot
f ixes do not appear in the SASHFADD FTP scripts. They must be downloaded by clicking the
Download link. Successful installation of these hot f ixes is recorded in the SAS Deployment
Registry. If you are ineligible to install these hot f ixes because you have not installed the SAS
product f or the languages listed, then you can saf ely ignore the appearance of these hot f ixes in
the report. If you do not want to see these hot f ixes in the report, uncomment the line "-
ENGLISH_ONLY" in SASHFADD.cfg.

SAS Deployment Manager

The SAS Deployment Manager applies the hot f ixes af ter they have been downloaded.

Use this link to stay inf ormed about the latest hot f ixes to SAS software:

https://communities.sas.com/t5/SAS-Hot-Fix-Announcements/bg-p/hf

SAS provides hot f ixes to previously shipped software. A hot f ix is created to resolve a number of
problems, ranging f rom an isolated code fix for a critical bug f ound in a specific customer application
to a f requently recurring problem that af f ects all users of the SAS Software.

Each hot f ix f rom SAS is tested and f ully supported. It can then be downloaded and installed. It is
also incorporated into the next maintenance release or f ull release of the s of tware component or
product.

Hot f ixes are packaged or grouped in three dif f erent ways:

• Individual hot f ixes – created to f ix one product or software component.
• Container hot f ixes – created to provide fixes for one or more sof tware components that mus t be
hot f ixed together to provide a complete resolution to the problem being addressed. In order to
f ully install the container hot f ix, the container needs to be applied to each machine in the
deployment that contains one or more of the products being fixed by the container.
• Hot f ix bundles – an accumulation of one or more individual hot f ixes. These bundles tend to be
produced (and named) f or products such as SAS Marketing Optimization and can contain a
number of f ixes for different components within the product. Bundling these f ixes makes it simpler
f or you to obtain and install them.

For more inf ormation about hot fixes, see http://ftp.sas.com/techsup/download/hotfix/hotfix.html.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-49

The installation of SAS products is logged in the SAS Deployment Registry. ViewRegistry is a
reporting utility that processes the deployment registry to generate a report that identif ies currently
installed sof tware and hot f ixes in the current SASHOME location. Two reports,
DeploymentRegistry.html and DeploymentRegistry.txt, are generated. The .txt f ile is used as
input to the SAS Hot Fix Analysis Download and Deployment tool.

The ViewRegistry Report is generated by executing the JAR f ile sas.tools.viewregistry.jar. This
JAR f ile is in the SASHOME/deploymntreg directory and must be executed f rom this directory.

For more inf ormation about using the ViewRegistry Report, see Usage Note 35968, “Using the
ViewRegistry Report and other methods to determine the SAS 9.2 and later sof tware releases and
hot f ixes that are installed”: http://support.sas.com/kb/35/968.html.

The SAS Hot Fix Analysis, Download, and Deployment Tool (SASHFADD)
• analyzes a SAS Deployment Registry (DeploymentRegistry.txt)
• creates a Hot Fix Report with inf ormation and links to hot f ixes, which are eligible to be installed on
the SAS deployment
• generates scripts that automate the download of the eligible hot f ixes.
The SASHFADD tool can be downloaded from http://ftp.sas.com/techsup/download
/hotf ix/HF2/SASHFADD.html.
The usage guide can be f ound here:
http://ftp.sas.com/techsup/download/hotfix/HF2/SASHFADD_usage.pdf

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-50 Lesson 1 Exploring the SAS® Platform

SAS Deployment Manager Tasks

Update
Passwords

Remove or
Update Existing
Configurations

Apply Hot
Fixes

Update
Licenses

Update Host
Names

39
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Deployment Manager is a graphical user interf ace that enables you to do the f ollowing:
• update passwords f or the service accounts that were conf igured when you ran the SAS
Deployment Wizard
• rebuild and redeploy web applications that have previously been configured but whose
conf iguration has changed
• remove one or more components of a SAS Intelligence Platf orm conf iguration from your
environment
• update setinit (license) inf ormation in metadata f or some SAS solutions that depend on a SAS
middle tier
• manage the def ault associations between f ile types and SAS software
• change the host names (including the network domains to which they belong) of serv er machines
in your deployment
• apply downloaded hot fixes to your SAS software
• update existing conf iguration for SAS products that have been updated or upgraded
• change the passphrase that is used to encrypt stored passwords
• conf igure the language and region f or SAS Foundation and certain SAS applications
• conf igure autoload directory for SAS Visual Analytics
• uninstall SAS sof tware
• conf igure and manage the SAS Deployment Agent service
• conf igure certain SAS/ACCESS products to include Hadoop configurations
• manage Trusted CA Bundle

For details, see “Overview of SAS Deployment Manager” in SAS 9.4 Intelligence Platform: System
Administration Guide, Third Edition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-51

SAS sof tware is licensed on a periodic basis. In order to run your licensed sof tware, you must apply
the SAS installation data f ile (SID f ile) to renew your sof tware. The SAS Deployment Manager
includes a task to update the license f ile in the metadata.

http://documentation.sas.com/?docsetId=bisag&docsetTarget=n1dkjbmslqhtw2n1rf te1g05py2h.htm&
docsetVersion=9.4&locale=en

When your SAS license expires, you need to do the f ollowing:

• Obtain an SID f ile f rom SAS.
• Apply the SID f ile in all of the appropriate places in your deployment.

Note: In addition, some SAS solutions require the license to be updated in the metadata. For a
complete list, see http://support.sas.com/kb/49/750.html.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-52 Lesson 1 Exploring the SAS® Platform

1.04 Multiple Answer Question

Which of the following tasks are performed using SAS Deployment
Manager? (Select all that apply.)
a. updating license information
b. deploying SAS software
c. updating host names
d. updating passwords for user accounts
e. starting SAS Deployment Agent

40
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1.05 Question
The deploymntreg directory is located under your SAS Software Depot.
 True
 False

42
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-53

Ongoing Administration Tasks

Monitor the
activity of
Schedule batch servers
Maintain I/O
tasks throughput
capacity

Perform Ongoing
backups and Start, stop,
Tasks pause, resume,
recovery
and refresh the
servers

Use server logs

Set up alerts and configure
logging options

44
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Ongoing administration tasks are perf ormed on a continuing ongoing basis to keep the SAS
Intelligence Platf orm operational.

There are also some optional tasks that might be necessary f or you to modify your initial
conf iguration to meet specific requirements in your environment. Optional administration and
conf iguration tasks include the f ollowing:
• optimizing perf ormance of the metadata server
• modif ying the conf iguration of your processing servers
• optimizing web application performance
• adjusting server logging
• enabling job and report scheduling
• increasing Java heap memory allocation f or desktop applications
• setting up change management f or SAS Data Integration Studio jobs
• collecting ARM log inf ormation f or SAS Data Integration Studio batch use

For additional inf ormation, see “Optional Setup Tasks” in SAS 9.4 Intelligence Platform: System
Administration Guide, Fourth Edition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-54 Lesson 1 Exploring the SAS® Platform

Backup and Restore Tools

Formal, regularly scheduled backups are scheduled at deployment of your
SAS Platform with these tools:
• Metadata Server Backup Facility in SAS Management Console
• SAS Backup Manager in SAS Environment Manager or Deployment Backup
and Recovery Tool commands Perform
backups and
recovery

45
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Best Practice: Backing Up the SAS Platform

Here are some recommended best practices for ensuring the integrity of the
content that is created and managed by the SAS Platform:
• Always use the metadata server backup facility to back up the repository
manager and metadata repositories.
• Perform regularly scheduled full backups.
• Perform backups before and after major changes.
• Specify a reliable backup destination that is included in daily system
backups.
Perform
Have a disaster recovery plan in place (which includes the SAS recovery backups and
tools) as part of a larger scheme of recovering all of your SAS software. recovery

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In addition to performing regular f ull backups, in some situations, it might be appropriate to back up
specif ic objects or f olders in the metadata f olders (SAS Folders) tree. In these situations, you can
use the promotion tools, which include the Export SAS Package Wizard, the Import SAS Package
Wizard, and the Batch Export and Import tools.

Note: You should synchronize the backups with the backup of other physical files.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-55

1.06 Multiple Choice Question

How often do you need to check the status of your SAS servers?
a. never
b. at installation time and as needed thereafter
c. as needed
d. daily

47
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-56 Lesson 1 Exploring the SAS® Platform

Reviewing SAS Deployment Wizard Response Files and Stand-

Alone Installs

In this demonstration, the response f iles generated during the installation using the SAS Deployment
Wizard are located, and an installation of SAS Enterprise Guide is perf ormed.

1. Open Windows Explorer on the Windows machine and navigate to D:\thirdparty.

The f olders sasapp, sasmid, and winserver contain the response f iles that were generated f or
each of the SAS Platf orm deployments with the SAS Deployment Wizard. The Linux deployment
is a two-machine deployment. Thus, there is a separate response f ile f or each machine. The
Instructions.html and DeploymentSummary.html f iles were also copied to this location.

The SAS Deployment Wizard provides a record and playback f eature that enables you to
automate a SAS installation across multiple machines and have a copy of all of Deployment
Wizard values. This is done by running the SAS Deployment Wizard once in Record mode to
create the response f ile. SAS is not installed or conf igured . The only output is a response f ile.
Subsequently, the SAS Deployment Wizard response f ile is played back in one of three modes,
depending on the level of prompting that you want.

2. Open the sasapp f older. Right-click the SPAFTM6_app_install-cfg.txt f ile and select
Edit with Notepad++.

3. Each snippet pertains to a wizard window question, valid responses, and then the response that
was chosen f or this environment.

Notice that this is a customized install with the depot written out to the f ollowing path:

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-57

4. Authentication is specif ied in various locations:

5. Notice that passwords are encoded with sas002, SASProprietary encryption.

6. SAS Enterprise Guide and SAS Add-In f or Microsoft Office can be delivered in a smaller f ormat
that does not require using the SAS Deployment Wizard. (The standard f ormat is to be installed
by the SAS Deployment Wizard.) This second f ormat makes it much easier to install over a
distributed deployment, especially using provisioning tools such as SCCM f rom Microsoft. These
products are available only on Windows.
Navigate to where the SAS Sof tware Depot is on the sasserver machine and in the subdirectory
standalone_installs:

D:\depot\standalone_installs\SAS_Enterprise_Guide_Independent_Installer

From here, you can install the SAS tools found in this directory. An administrator can also put
these f iles in a shared location to enable users to install the sof tware themselves.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-58 Lesson 1 Exploring the SAS® Platform

Accessing SAS Management Console and SAS Environment

Manager

This demonstration introduces SAS Management Console and SAS Environment Manager.

1. On the Windows machine, start SAS Management Console by selecting Start  SAS
Management Console. When the Connection Prof ile window appears, choose the existing
Linux Server or Windows Server SAS Admin connection. Click OK to connect.

2. Log on as Ahmed using the password Student1.

Note: Ahmed is the SAS administrator in our classroom environment.

Because you are logged on as Ahmed, you can see all three tabs: Plug-ins, Folders, and
Search.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-59

A plug-in is an application module that is designed to create and maintain metadata f or a specif ic
type of resource.

Only certain users can view and use plug -ins. A user’s access depends on which roles the user
is assigned to and which capabilities are assigned to those roles. We cover roles in Lesson 4.

Here are some of the plug-ins:

• Authorization Manager: used to def ine and maintain access rules to control how users and
groups can access metadata def initions
• Data Library Manager: used to create and maintain def initions for SAS libraries and database
schemas
• Metadata Manager: used to perf orm administration tasks related to the SAS Metadata Server
• Server Manager: used to create and maintain server def initions
• User Manager: used to create and maintain def initions for users, groups, and roles

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-60 Lesson 1 Exploring the SAS® Platform

The Folders tab displays the SAS Folders hierarchy. Metadata is organized and viewed through
the f olders.

The Search tab in SAS Management Console enables users to search f or metadata objects
based on object names, locations, descriptions, object types, creation or modification dates,
keywords, and responsibilities. After perf orming a search, click the Save button on the Search
tab to specif y a f older and location in which to store the search criteria. Opening a search f older
causes the search to be rerun and updated search results to appear.

You can keep SAS Management Console minimized on your desktop because you use the
application throughout class.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-61

3. Open Internet Explorer or Google Chrome f rom the Windows machine using the taskbar. Select
SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

Note: To access SAS Environment Manager, go to http://<localhost>:7080, where localhost

is the machine on which the SAS Environment Manager server is installed.

4. Sign in as sasadm@saspw using the password Student1.

5. Your initial view is the dashboard. Click Resources  Browse, or click Resources and that
takes you to the Resources page. Your SAS resources can be viewed and monitored f rom there.
These resources are categorized by Platf orms, Servers, and Services. There are other
groupings that can be used f or ease of access to resources.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-62 Lesson 1 Exploring the SAS® Platform

6. By clicking an entry, such as sasapp.demo.sas.com Object Spawner - sasapp under Server,

you are taken to the monitoring page of that resource.

Metrics are displayed that are relevant to this resource. You can navigate to Inventory to see
conf iguration details. Navigate to Alerts to see alerts f or this resource, modif y existing alerts, or
create new alerts. Navigate to Control to perf orm or schedule a control action, such as starting,
stopping, or restarting the object spawner.

These actions are discussed in subsequent lessons.

7. Click the Administration tab.

The Administration page is where you can manage SAS metadata. The application provides
these f unctions using pages. Each page manages a specif ic type of SAS metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-63

Initially, the application displays the Folders page. This view enables you to view and manage
SAS f olders and the metadata objects that they contain.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-64 Lesson 1 Exploring the SAS® Platform

8. To switch to a dif ferent page, click the related icon on the vertical navigation bar. Click the
expand button to view text labels to the vertical navigation bar.

9. Click Servers.

10. Expand SASApp  SASApp - Logical Workspace Server  SASApp - Workspace Server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-65

11. Highlight SASApp - Workspace Server to see the metadata properties.

You can keep SAS Environment Manager and SAS Environment Manager Administration
minimized throughout class, although you will need to log back in each day because the time-out
interval of cached credentials f or SAS web applications is 12 hours, by default.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-66 Lesson 1 Exploring the SAS® Platform

Practice

4. Exploring Metadata in SAS Management Console

a. On the Windows machine, log on to SAS Management Console. Use the SASAdmin
connection prof ile that is appropriate: SASAdmin - Linux Server or SASAdmin Windows
Server. Provide the user ID Ahmed and the password Student1.

b. On the Plug-ins tab, expand Data Library Manager  Libraries.

c. Right-click Sales Analysis Library and select Properties to see the metadata def inition.
The answers to the questions can be f ound on the Properties tabs.
• Where is the location of this library definition in the metadata f older structure?
• Where is the physical location that this library is ref erencing?
• Are there any tables registered in metadata in this library? You will not f ind this under the
metadata def inition of the library. Expand the Data Library Manager plug-in  Libraries
and highlight the library. You can see which tables are registered to the library in the right
pane.

d. Navigate to the metadata f older location of Sales Analysis Library and the
SALES_ANALYSIS table.

Note: The table is stored in the same metadata f older as the library to which it is registered.
Registering libraries and its registered tables to the same metadata f older is a good
practice due to the metadata access controls. This is discussed in a later lesson.

5. Comparing the Server Hierarchy in SAS Management Console and SAS Environment
Manager
Compare the server hierarchy in the Server Manager plug -in in SAS Management Console
to the Server module in SAS Environment Manager Administration.

a. In SAS Management Console, on the Plug -ins tab, expand Server Manager.
b. Open Internet Explorer or Google Chrome f rom your Windows machine using the taskbar.
Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.
Sign in as sasadm@saspw using the password Student1.

1) Click the Administration tab.

Note: To open Administration in a separate tab, hold down the Ctrl key while clicking
Administration.

2) Select Servers f rom the vertical navigation bar.

c. Do the server hierarchies in SAS Management Console and SAS Environment Manager
Administration differ?
Expand SASMeta and SASApp in either interf ace.
• How many servers are def ined under SASMeta?
• How many servers are def ined under SASApp?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-67

d. In SAS Management Console, right-click Object Spawner - (sasapp or sasserver) and

select Properties.

e. Click the Servers tab.

f. In SAS Environment Manager Administration, highlighting Object Spawner - (sasapp or
sasserver) displays the server’s properties in the right pane.

From the tabbed menu, select Servers.

Which server or servers are the object spawner responsible f or?

g. You are viewing SAS server metadata in SAS Management Console and SAS Environment
Manager.

You can also monitor your SAS compute servers and middle-tier servers in SAS
Environment Manager. In SAS Management Console, you can monitor usage on your SAS
compute servers only. (This is covered in later lessons.)

6. Accessing Deployment Manager

Access SAS Deployment Manager and explore the listed tasks. Also, view the internal service
accounts that would be updated with this application.

This practice instructs how to update passwords, but do not update any passwords at
this time.

a. On the server machine, navigate to SAS Deployment Manager.

For Linux Server

On sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHome/SASDeploymentManager/9.4 and run sasdm.sh:

./sasdm.sh

For Windows Server

Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4

and run sasdm.exe.

b. Click OK when prompted f or language.

c. Scroll through the list of tasks that are perf ormed in SAS Deployment Manager.
d. With Update Passwords selected, click Next.
e. Click Next to move through the selection of the configuration directory and level.
f. Enter Student1 as the password f or sasadm@saspw. Click Next.
g. On Windows, enter Student1 as the password f or ShareServices. Click Next.
h. Review the list of internal service accounts that were created at SAS deployment. Click
Cancel because no passwords need to be updated.
i. Click Yes when prompted to verif y that you want to cancel.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-68 Lesson 1 Exploring the SAS® Platform

Note: Passwords f or any service accounts that you introduce in SAS Management Console are
not managed by this tool. For example, if you designate a new logon as the launch
credential f or a server, that launch credential is not automatically added to the list of
accounts that the SAS Deployment Manager can update.

7. Generating the Deployment Registry Report

The installation of SAS products is logged in the SAS Deployment Registry. The Deployment
Registry report processes the deployment registry and identifies all SAS 9.2 and later sof tware
that is installed in the current SASHOME location. Installed hot f ixes are also logged in the SAS
Deployment Registry and reported in DeploymentRegistry.html.

Note: For details about running the ViewRegistry report, see Usage Note 35968:
http://support.sas.com/kb/35/968.html.

The ViewRegistry utility that is used to generate the report is installed in

SASHOME/deploymntreg.

For Linux Server

1. On sasapp.demo.sas.com machine, navigate to /opt/sas/SASHome/deploymntreg.

2. Run the command java -jar sas.tools.viewregistry.jar.

3. Open DeploymentRegistry.html in the same directory.

You can use the WinSCP application that has a shortcut on your desktop or use Firef ox on
your Linux server. When opening in WINSCP, be sure to right-click the f ile and select
Open.

4. You can also generate the DeploymentRegistry f iles f or the middle-tier deployment as
well. Repeat steps 1–3 on the sasmid.demo.sas.com machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.2 Administration Tasks 1-69

For Windows Server

1. Open a command prompt, change to the D: drive, and navigate to D:\Program
Files\SASHome\deploymntreg.

2. Run this command:

"D:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\
java.exe" -jar sas.tools.viewregistry.jar

3. Using Windows Explorer, navigate to D:\Program Files\SASHome\deploymntreg and

open DeploymentRegistry.html in a web browser.

Inspect the products and versions of SAS software installed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-70 Lesson 1 Exploring the SAS® Platform

1.3 Backing Up the SAS Environment

Backup and Restore Tools

Formal, regularly scheduled backups are scheduled at deployment of your
SAS Platform with these tools:
• Metadata Server Backup Facility in SAS Management Console
• SAS Backup Manager in SAS Environment Manager or Deployment Backup
and Recovery Tool

54
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Deployment Backup and Recovery tool is the underlying sof tware used f or SAS Backup
Manager in SAS Environment Manager.

The SAS Deployment Agent must be running on each middle-tier and server-tier host
machine. The Deployment Backup and Recovery tool connects with the agent and automatically
discovers the tiers in your deployment and their installed components. New components in your
deployment are detected automatically and added to the backup. For example, the tool detects new
instances of the SAS Web Inf rastructure Data Server and new databases that are managed by the
server.

An alert email is generated if a backup or recovery is unsuccessf ul. By default, the email is sent to
the system administrator email address that was specif ied in the SAS Deployment Wizard. You can
use either SAS Backup Manager or the sas-update-backup-config command to specify different
email addresses.

By def ault, backups on Windows systems are perf ormed by the Local system account for the SAS
Deployment Agent. On UNIX, backups are perf ormed by the SAS Installer user f or each server and
middle-tier machine. A special user account to perf orm backups must be defined in the f ollowing
situations:
• if you have specif ied a central vault location and your environment includes one or more Windows
hosts
• if a clustered metadata server has been conf igured and your environment includes one or more
Windows hosts

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-71

SAS Backup Manager

SAS Backup Manager is a user interface, accessed in SAS Environment
Manager, that enables you to schedule, configure, monitor, and perform
integrated backups of your SAS content across multiple tiers and machines.

55
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Backup Manager f ound in Environment Manager is an interf ace that enables you to
conf igure your backups, perf orm ad hoc backups, perf orm recoveries, and examine the details of a
backup af ter it has been perf ormed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-72 Lesson 1 Exploring the SAS® Platform

Deployment Backup and Recovery Tool

The Deployment Backup and Recovery tool consists of a variety of batch
commands that you can use to do the following:
• execute an ad hoc (unscheduled)
backup
• customize your backups
• display information such as the
current schedule, the current
configuration, and detailed
backup history
• perform a full or partial recovery
from one of the backups

56
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Deployment Backup and Recovery tool is a collection of commands that provides an integrated
method f or backing up and recovering your SAS content across multiple tiers and machines. The
tool is installed on the middle tier as part of the SAS Web Inf rastructure Platf orm. It connects with the
SAS Deployment Agent on each middle-tier and server-tier host machine. The SAS Backup
Manager in Environment Manager uses many of these commands to perf orm and manage backups.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-73

Batch Tool Commands

sas-backup Execute an ad hoc (unscheduled) deployment backup.

sas-status-backup Display status inf ormation f or a particular backup or recovery operation.

sas-list-backups Display details about backups and recoveries that are recorded in backup
history, including backups that were purged due to the retention policy.

sas-display- Display details about a particular backup recorded in backup history.

backup

sas-set-backup- Specif y days and times that are to be added to the deployment backup
schedule schedule.

sas-set-backup- Display detailed inf ormation about the contents of a specific backup that was
source-content taken f rom a particular source on a particular host machine.

sas-list-backup- Display the deployment backup schedule that is currently in ef f ect.

schedule

sas-remove- Remove specif ied days and times f rom your deployment backup schedule.
backup-schedule

sas-display- List the conf iguration properties that are currently in ef f ect for your
backup-config deployment backups.

sas-update- Update the backup conf iguration properties that are in ef f ect for your
backup-config deployment.

sas-update- Specif y custom directories that are to be backed up (in addition to the
backup-config directories included by default). Each directory must be located under
SAS-configuration-directory/Levn on a host machine where the Deployment
Backup and Recovery tool is installed.

sas-recover-offline Perf orm a f ull or partial recovery when some of the resources in the
deployment are unavailable or have been taken of f line to prevent user
activity.

sas-display- Display details about a particular recovery that was perf ormed.
recovery

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-74 Lesson 1 Exploring the SAS® Platform

When submitting a deployment backup or recovery command, you must provid e the f ollowing
connection options to log on to the SAS Web Application Server:

-host host-name Identif ies the host machine f or the SAS Web Server. If your deployment
does not include SAS Web Server, specif y the host machine f or the SAS
Web Application Server.

The option is required if the -prof ile option is not set.

-port port Specif ies the port on which the SAS Web Server runs. If your deployment
does not include SAS Web Server, specif y the port on which the SAS Web
Application Server runs.

The option is required if the -prof ile option is not set.

-user user-ID Specif ies the user ID of an unrestricted user.

This option is required if the -prof ile option is not set.

-password Specif ies the password of the specified user.

password
This option is required if the -prof ile option is not set.

-protocol Specif ies the communication protocol that is used by the specif ied host
HTTP|HTTPS machine and port. If the option is not specified, the def ault protocol (HTTP)
is assumed.

You can specif y this option either on the command line or in the f ile that is
specif ied in the -prof ile option.

-profile filename Specif ies the name of a f ile that contains the host, port, user ID, and
password options. It can also contain the -protocol option. A sample profile
f ile named environment.properties is in the SAS-installation-
directory/SASPlatf ormObjectFramework/9.4/tools/admin/conf/sample.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-75

What Is Backed Up?

• The config directories include the contents of the Data directories,

SASEnvironment directories, and server configuration directories for each
server on the SAS server tier. Additional directories can be included using
the command sas-update-backup-config.
• By default, all of the databases are backed up that are managed by the
SAS Web Infrastructure Platform Data Server.
57
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: For metadata server backups, the metadata server backup utility is used.

Note: If symbolic links in the conf iguration directories point to other locations, the ref erenced
locations are not backed up.

Note: Additional directories under SAS-configuration-directory/Levn can be included in the backup,

using the command sas-update-backup-config. If your deployment is not current with SAS
9.4M3, use the command sas-update-backup-config.

Note: If you need to exclude specific tiers, servers, databases, directories, or f iles f rom the backup,
you can do so by using the command sas-update-backup-config. You can also use the
SAS Backup Manager user interf ace to update the basic backup configuration. You cannot
use the user interf ace to def ine f ilters.

The SAS Content Server contains content that is associated with metadata objects , including
content f or the SAS Inf ormation Delivery Portal, report def inition files, other supporting files for
reports including PDF f iles and images, and content f or SAS solutions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-76 Lesson 1 Exploring the SAS® Platform

Backup Schedule
By default, the Deployment Backup and Recovery tool runs automatically
each Sunday at 1:00 a.m.
Backup files are retained for a period of 30 days.

58
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The backup schedules can be modif ied as appropriate for your deployment. However, make sure not
to schedule the Deployment Backup and Recovery tool to run at the same time as the stand -alone
metadata server backups. Also, if you schedule multiple b ackups per day, be sure to leave enough
time f or each backup job to complete before the next scheduled backup start s.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-77

Default Backup Location

All components, except for the metadata server, are backed up to the following path
on each host machine: SAS-configuration-directory/Lev1/Backup/Vault
The directory is created on each machine the first time that a backup is executed.

59
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

By def ault, backup files are stored locally on the same machine where the backed -up component is
located.

For metadata server backups, the tool uses the backup f iles that are created by the metadata server
backup utility. The tool copies these f iles to SAS-configuration-directory/Lev1/Backup/Vault on
the metadata server machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-78 Lesson 1 Exploring the SAS® Platform

Central Vault Locations

In addition, if you specify a central, network-accessible vault location, the
backups from each host machine are copied to that location following each
backup operation.

60
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

A central vault location is

• required in clustered middle-tier environments
• highly recommended f or multiple machine deployments
• highly recommended to avoid the loss of backup files in the event that a host machine f ails.

The SAS Deployment Wizard enables you to specif y a central vault location during the installation
and conf iguration process, if you have a homogeneous operating system environment. Otherwise,
you can use either SAS Backup Manager or the sas-update-backup-config command to specify a
central vault location. A homogeneous environment is one in which all of the host machines that are
included in the backup are in the same operating system f amily. For example, Solaris and HP -UX
machines are both considered to be in the UNIX operating system f amily.

Immediately af ter creating or modif ying the central vault conf iguration, it is strongly
recommended that you perf orm a backup with either SAS Backup Manager or the
sas-backup command. You cannot recover using local backups after a central vault
has been def ined.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-79

Backup and Recovery Tool Architecture

Tier 1: Tier 2: Tier 3:
Local storage Local storage Local storage
Middle Tier Metadata Server Compute Tier

Middle Tier Metadata Server SAS App Server

components components components
Config Local
Config Backup
files Local files Config Local
Backup for BRT files Backup
Content Metadata
Server
for BRT WIP DB for BRT

SAS Deployment SAS Deployment SAS Deployment

Agent Agent Agent
SAS Backup and
Recovery Tool

/CentralBackupVault - Step 1
Shared storage
/MetadataBackupByFacility - Step 2
61
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Step 1:

1. A backup is created on each participating host machine and stored locally in

/SAS-configuration-directory/Lev1/Backup. This includes SAS components
(Conf iguration f iles, WIP database, SAS Content Server repositories, custom directories),
except f or SAS Metadata Server content.

2. Metadata server content backup is created with the SAS Metadata Server Backup Utility and
stored in a location conf igured for this utility. (In the diagram, this is /MetadataBackupByFacility
in a shared storage.) Local Backup History f iles are updated.

Step 2:
1. For non-metadata content, backup f iles are copied from local storage (/SAS-configuration-
directory/Lev1/Backup) to Central Backup Vault.

2. For metadata content, backup f iles are copied f rom /MetadataBackupByFacility to Central
Backup Vault. The Central Backup Vault Backup History f ile is updated.

Backup and Recovery Logs

The log f ile on the middle-tier machine reports errors and warnings about the tool:

SAS-configuration-directory /Lev1/Web/Logs/SASServer1_1/SASDeploymentBackup9.4.log

For backup, recovery, and purge operations, log f iles are created in the directories where local
backups are stored. The def ault location is

SAS-configuration-directory/Lev1/Backup/Logs/<backup-ID>

Inf ormation about server-side activity: SAS-configuration-

directory/Lev1/Backup/backupserver.log

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-80 Lesson 1 Exploring the SAS® Platform

By def ault, SASDeploymentBackup9.4.log reports only errors and warnings. If you want to set
dif f erent logging levels, you can do so by editing SASDeploymentBackup-log4j.xml, which is
located in SAS-configuration-directory/Lev1/Web/Common/LogConfig/.

What Is Not Backed Up?

The Deployment Backup and Recovery Tool has the following limitations:
• Host machines on which the SAS Deployment Agent is not installed are
excluded from backups.
• The tool backs up only SAS content and configuration information. It does
not back up your SAS software.
• If you are using a third-party vendor database (instead of the SAS Web
Infrastructure Platform Data Server) for the SharedServices database, the
Deployment Backup and Recovery Tool cannot back it up.
• The tool does not back up the entire contents of your SAS configuration
directories, only Data directories, the SASEnvironment directories, and the
server configuration directories for each server on the SAS server tier.

62
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

To back up additional subdirectories under SAS-configuration-directory/Levn, add them with the

command sas-update-backup-config.

For commands that require input data, you supply the data using the JavaScript Object Notation
(JSON) f ormat. Sample JSON f iles are provided in SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-81

What Needs to Be Backed Up

Files to Include How Often Tools to Back Up
SAS binaries and • After initial install Any tool that will clone the
associated files • After each hot fix, patch, operating system, all applications,
and maintenance update and home directory of the
account used to install SAS
SAS deployment • After any change to the SAS Deployment Backup and
files files Recovery Tool or SAS Environment
• Daily Manager
SAS application • After any changes to the Any tool
files files that cannot easily be
reproduced
• Daily

63
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-82 Lesson 1 Exploring the SAS® Platform

SAS Support for Disaster Recovery

Disaster recovery for a SAS deployment is usually based on cloning
production systems to back up hardware using system imaging or ghosting
tools (Disk Cloning or Disk Imaging) or other virtual machine (VM) cloning
techniques.
• Backup machines must use the same host names as the production
machines.
• Third-party applications and SAS customer data must be considered as
part of a disaster recovery plan.
• External systems and processes SAS uses or depends on must be
considered.
• SAS data files must be closed before backing them up.

64
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Disaster-recovery planning is important f or any critical business system, including production

systems running the SAS Intelligence Platf orm and SAS solutions.

Because the implementation of the SAS Intelligence Platf orm and SAS solutions is often highly
customized and each customer can have dif f erent requirements f or replicating SAS content, there is
no single tool or process that comprehensively meets all of the SAS disaster-recovery needs.

Note: Disaster recovery is not the same as high availability. Though both concepts are related to
business continuity, high availability is about providing undisrupted continuity of operations
whereas disaster recovery involves some amount of downtime, typically measured in days.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-83

1.07 Multiple Choice Question

How often do you need to back up your environment?
a. never
b. daily
c. as needed
d. weekly

65
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-84 Lesson 1 Exploring the SAS® Platform

Listing the Backup Schedule and Using the Backup Manager

This demonstration uses the batch tools to list the backup schedule, and then a backup is perf ormed
using the Backup Manager in SAS Environment Manager.
1. The SAS Deployment Agent must be running on every machine that has a SAS deployment.
Start the agent using SAS Environment Manager. Open SAS Environment Manager if it is not
already open.
Note: You can also start the SAS Deployment Agent in the operating system, or it can be
started in SAS Deployment Manager.
• For a Windows server, use Window Services.
• For a Linux server, the command is in the SASHOME directory: SASHOME
Directory/SASDeploymentAgent/9.4. The command to start the agent is agent.sh
start. The command to check the status of the agent is agentadmin.sh stat up.

Note: The SAS Deployment Agent must be started on every machine in a multi-machine SAS
deployment.

2. Sign in as sasadm@saspw with the password Student1.

3. Go to Resources  Servers and select the f ollowing:

For Linux Server

sasapp.demo.sas.com SAS Deployment Agent 1.0

sasmid.demo.sas.com SAS Deployment Agent 1.0

For Windows Server

sasserver SAS Deployment Agent 1.0

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-85

4. It is not currently up, as shown by the Availability inf ormation. Select Control.

5. In the Quick Control area, select Start f rom the Control Action drop-down menu and click the
arrow to the right.

6. Navigate to the location where the Deployment Backup tools are installed.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.

For Windows Server

Open a Command Prompt under the Start menu and issue the f ollowing commands:

D:

cd D: \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-86 Lesson 1 Exploring the SAS® Platform

7. Run the sas-list-backup-schedule tool.

For Linux Server

1. ./sas-list-backup-schedule -help

2. ./sas-list-backup-schedule -host sasmid.demo.sas.com -port 7980 -user

sasadm@saspw -password Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-87

For Windows Server

1. In the command window, issue this command: sas-list-backup-schedule.exe -help

2. sas-list-backup-schedule.exe -host sasserver.demo.sas.com -port 80 -user

sasadm@saspw -password Student1

8. Access Backup Manager in SAS Environment Manager.

Note: To run an ad hoc backup, you need to be logged in as sasadm@saspw to back up the
SAS Web Inf rastructure Platf orm Data Server.
9. Click the Administration tab.

10. Click Backup Manager in the vertical navigation bar.

Note: The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available f or backup.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-88 Lesson 1 Exploring the SAS® Platform

11. Select Policy f rom the tabbed navigation bar. The Policy page displays the f ollowing:

a. Conf iguration Details – displays details about the current backup conf iguration.

Note: You can also use the sas-display-backup-config command to display the backup policy.

b. Diagrams (Source View and Machine View) – displays a tree diagram of the currently
def ined backup sources.
• Click the Source View button on the toolbar to display a node f or each backup source.
Under each backup source, a child node is displayed for each host machine f or that
source.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-89

• Click the Machine View button on the toolbar to display a node f or each host machine.
Under each machine, child nodes are displayed f or the backup sources that are on the
machine.

When a diagram is displayed, you can do the f ollowing:

• Zoom in or out by clicking the diagram to select it and then pressing the Ctrl key while
scrolling the mouse wheel.
• If parts of the diagram are not visible, drag the entire diagram right, lef t, upward, or
downward.
• Click a node to collapse its child nodes.
• Click the node again to expand it so that its child nodes reappear.

Backup sources are discovered automatically. The sources are displayed in the Source View
and Machine View diagrams, and they are also listed at the bottom of the Conf iguration
Details pane. To view additional inf ormation about a source, click the Collapsed arrow ( ) to
the lef t of the source name. The f ollowing information is displayed:
• Host – the host name of the machine where the source is located.
• Included – indicates whether the source is currently included or excluded f rom backups.
This setting cannot be changed in the SAS Backup Manager user interf ace. To include or
exclude a backup source, use the command sas-update-backup-config.
• Operating System – the host name of the machine where the source is located.
• Conf igurable Path – the path to the conf iguration directory f or this source. This f ield is not
applicable to all source types.
• SAS Conf ig – the path to the Levn directory that is associated with this backup source.
• Includes and Excludes – lists any f ilters that are associated with this backup source. Filters
are applied using the batch commands via JSON f iles.
The source inf ormation is f or display only. To f ilter physical data or add or remove tiers,
servers, or database instances f rom the backup configuration, use the sas-update-
backup-config command.

12. From the tabbed navigation, select Schedule.

The Schedule page displays a row f or each time of day that backups are scheduled to run.
Check marks in the columns indicate the scheduled days of the week f or each time. By def ault,
the SAS Deployment Wizard schedules backups to be perf ormed automat ically each Sunday at
1:00 a.m.

You can modif y this scheduled backup here by clicking the Add button or Edit button on
the toolbar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-90 Lesson 1 Exploring the SAS® Platform

For example, if you add a row, a new row is added to the schedule with the def ault time (1:00
a.m.) and def ault day (Sunday) selected. In the new row, click the Time f ield. Use the time
selector to specify the additional backup start time and then click OK.

You can verif y the updated backup schedule using the Deployment Backup and Recovery tool
batch command sas-list-backup-schedule.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-91

Practice

8. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents
SAS Backup Manager is an easy-to-use interf ace f or the Deployment Backup and Recovery tool.
You can use SAS Backup Manager f or the f ollowing tasks:
• view backup and recovery history
• run an immediate (ad hoc) backup
• view the backup conf iguration
• modif y the backup configuration (except backup filters and custom directories)
• view inf ormation about backup and recovery sources
• view and modif y the backup schedule

Prior to SAS 9.4M3, these f unctions were available only through batch commands.
SAS Backup Manager can be accessed f rom the SAS Environment Manager Administration
page.
a. Start the SAS Deployment Agent using SAS Environment Manager.

1) Open a web browser. Select SAS Environment Manager f rom the Windows or Linux
f older on the Favorites bar.

2) Sign in as sasadm@saspw with the password Student1.

Note: To run a f ull backup, you must be logged o n to SAS Environment Manager as
sasadm@saspw with the password Student1.

3) Go to Resources  Servers and select the f ollowing:

For Linux Server

sasapp.demo.sas.com SAS Deployment Agent 1.0

sasmid.demo.sas.com SAS Deployment Agent 1.0

(Start both agents using Control Actions, shown on step 4.)

For Windows Server

sasserver SAS Deployment Agent 1.0

4) Select Control.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-92 Lesson 1 Exploring the SAS® Platform

5) In the Quick Control area, select Start f rom the Control Action drop-down menu and
click the arrow to the right.

Note: You can also start the SAS Deployment Agent on the operating system, or it can
be started in SAS Deployment Manager.
• For a Windows server, use Window Services.
• For a Linux server, the command is located in the SASHOME directory:
SASHOME Directory/SASDeploymentAgent/9.4. The command to start the
agent is agent.sh start. The command to check the status of the agent is
agentadmin.sh stat up.

b. Access Backup Manager in SAS Environment Manager.

1) Click the Administration tab in SAS Environment Manager. When the Administration
page appears, maximize the window.

2) Click Backup Manager in the vertical navigation bar.

Note: SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available f or backup.

The drop-down menu shows the f ollowing selections:

• History – view inf ormation about a particular backup or recovery
• Policy – view details of the current backup policy
• Schedule – view and modif y the current backup schedule

c. Run an unscheduled backup.

1) With History selected in the tabbed navigation menu, click the Start Backup button in
the upper right of the SAS Backup Manager window.

2) Provide a meaningf ul name and comment f or the backup. The backup name must be
unique. Both the name and comment are optional and are recorded in backup history
and displayed in the backup’s Operation Details.

3) Click Start Backup.

A notif ication is displayed when the backup completes.

Note: Recoveries cannot be run f rom SAS Backup Manager. Instead, use the
sas-recover-offline command.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-93

d. Click the Sources button to display the components that were backed up.
The sources f or the currently selected backup or recovery are listed in the right pane, below
the operation details. Items appear only as they complete. For example, you might see only
the metadata server at f irst af ter running the backup. (If you are viewing details f or a
recovery, only the sources that were recovered are listed.)
The status icon next to each source indicates the status of its backup or recovery.

By def ault, the backup sources include the f ollowing:

• metadata server
• content server
• conf ig directories
• database
Note: Custom might also be listed. This means that additional directories under
SAS-configuration-directory/Levn, as specif ied by the administrator, were
backed up or recovered.

To view details about a particular backup or recovery source, click the Collapsed arrow to
the lef t of the source name. The f ollowing details are displayed:
• the host name of the machine where the source is located
• the status of the source’s backup or recovery
• the directory location of the source’s local backup f iles on the host machine
• the total size of the backup f iles for this source
• the directory location of the source’s configuration f iles
• the operating system of the source’s host machine

e. Select View Diagram f rom the Sources pane.

The diagram includes the f ollowing:

• The root node specif ies the ID of the backup or recovery, which is based on the date and
time that the backup or recovery started (f or example, 2015-02-01T03_13_01). For
backups, the ID is also the name of corresponding backup directory.
• Under the root node, a child node is displayed for each backup source that was included
in the backup or recovery. You can click a node to collapse its child nodes.
• Under each source node, a child node is displayed for each host machine f or that source.
f. Hold the mouse pointer on a node to see the size of the f iles that were backed up or
recovered.

g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
Inf rastructure Platf orm Data Server 9.4 appears under the Database tree.

h. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part
of the node appear.

The green check mark in the bottom right of the node indicates its backup status.
Specif ically, it indicates that the backup or recovery was completed without errors or
warnings.

i. Place your mouse pointer over each of the databases in the Web Inf rastructure Platf orm Data
Server 9.4 node. Notice that many of the databases are relatively small.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-94 Lesson 1 Exploring the SAS® Platform

j. Select Close to close the Backup Details window.

k. Find the location of the backup. Select History f rom the navigation menu.

l. Click the Collapsed arrow to the lef t of the content server. The directory location of the
source’s local backup f iles on the host machine is under Backup Location.

m. Find this location on the server’s local f ile system. There is a directory f or each of the
sources listed in Backup Manager.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Backup/Vault.

On the sasmid.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Backup/Vault.

For Windows Server

Navigate to D:\SAS\Config\Lev1\Backup\Vault.

n. Click the Collapsed arrow to the lef t of the metadata server and examine the backup
location.

Why is this location different f rom the others?

9. Displaying the Backup Configuration Using Batch Tools

a. Navigate to the location where the Deployment Backup tools are installed.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.

For Windows Server

Open a command prompt from the Start menu, and issue the f ollowing command:

D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin

b. Run the sas-display-backup-config tool.

For Linux Server

Issue the f ollowing command:

./sas-display-backup-config -host sasmid.demo.sas.com -port 7980 -user

sasadm@saspw -password Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.3 Backing Up the SAS Environment 1-95

For Windows Server

In the command window, issue the f ollowing command:

sas-display-backup-config.exe -host sasserver.demo.sas.com -port 80 -user

sasadm@saspw -password Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-96 Lesson 1 Exploring the SAS® Platform

1.4 Solutions
Solutions to Practices
1. Locating and Opening the Instructions.html Document

This practice illustrates how to f ind SAS web application URLs f or our SAS environment, which
are documented in Instructions.html.

Instructions.html is the ref erence document f or your SAS deployment, and it contains any
manual conf iguration steps that must be perf ormed. It provides an overview of your deployment,
including the web application URLs. It is located under the SAS conf iguration directory in the
Levn/Documents subdirectory (f or example: D:\SAS\Config\Lev1\Documents).

Note: An Instructions.html document is created on each machine that executes the

SAS Deployment Wizard.

a. Access your Windows client machine.

Live Web Course Classroom Course

Use the URL in step 6 of your email that Use a remote desktop connection with the
you received f rom Live Web Administration. IP address that is given to you by your
instructor.

Log on with these credentials:

User: Student
Password: Metadata0
b. Connect to the server machine and check the status of SAS servers.

For Linux Server

1. Use mRemoteNG as a terminal session to the Linux server. A connection to

sasapp.demo.sas.com and sasmid.demo.sas.com is set up in mRemoteNG.

Double-click the mRemoteNG button on the desktop and then double-click the
sasapp.demo.sas.com session.

For Linux
Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-97

2. Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verif y the status of the
SAS servers: ./sas.servers status

3. Check the status of your middle-tier servers by double-clicking the

sasmid.demo.sas.com session.

4. Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verif y the status of the
SAS servers: ./sas.servers status

If any of the servers are not started, you need to start them. However, the order of
server start-up does matter. Please contact your instructor f or details.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-98 Lesson 1 Exploring the SAS® Platform

For Windows Server

1. Click the Services button on the system tray or under the Start menu. With Services
selected, scroll down to the SAS services. Verif y that the status f or all the SAS services
is Started.

Note: In a typical deployment, the Windows services would have a start -up type of
Automatic. The classroom image uses a batch f ile to start services.

2. If the SAS services are started, go to part c below.

3. If they are not started, open a CMD window under Start  Command Prompt.

4. Enter the d: command.

5. Enter cd thirdparty\scripts.

You can enter the command dir to view the contents of the directory. You will see two
scripts here: startSAS.bat, stopSAS.bat

6. Enter stopSAS. You should begin to see various SAS servers stopping in sequence.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-99

Enter Y when prompted to stop any SAS services that require conf irmation.

A message is displayed when the script is done and the SAS servers have stopped.

7. Start the servers with the startSAS script. The command prompt displays the services
as they are starting.

Enter Y when prompted.

8. Notif ications appear regarding the starting of SAS services. Click OK to dismiss these
notif ication windows. Notice how some components take longer to start than others.

9. A message is displayed when the script is done. (You can start the Task Manager to
watch the CPU activity.)

Note: The SAS Web Application Server might take as many as 30 minutes to start.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-100 Lesson 1 Exploring the SAS® Platform

c. Locate and open the Instructions.html document. In a def ault deployment, it is located
under the conf iguration directory in the Levn/Documents subdirectory.

For Linux Server

1. Use WinSCP, which is located on the client desktop. Because you are looking for web
application URLs, open the connection to the middle-tier server:

Navigate to /opt/sas/config/Lev1/Documents.

2. Right-click Instructions.html and select Open. (Double-clicking the f ile renders it in the
WinSCP editor, not Internet Explorer.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-101

3. (Optional) You can use MRemoteNg. Use the firefox

/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.
(Make sure that you are on the sasmid.demo.sas.com machine.)

For Windows Server

1. Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.

2. Double-click Instructions.html to open the document in Internet Explorer.

d. Click SAS Web Applications in the Overview list at the top of the page.

e. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
URL f or the SAS Studio web application.

For Linux Server

For Windows Server

Note: The page request is going through the SAS Web Server. The port f or the SAS Web
Server dif f ers on Windows and Linux environments.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-102 Lesson 1 Exploring the SAS® Platform

f. The SAS Logon Manager appears initially. It is a web application that handles all
authentication requests f or SAS web applications. Users see the same logon page when
they access any SAS web application. It is a global single sign-in session. It enables the user
to access all SAS web applications without a credential change.
Sign in as Eric and use the password Student1.

g. Enter the f ollowing code in the Program Editor:

proc setinit;
run;
Note: This procedure writes site inf ormation to the log, such as site number, expiration of
license, and the SAS products that are licensed.

h. Click Run (the running person icon) located above the code to submit the program.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-103

i. The Log window appears. It contains a note that includes a list of the SAS software products
that are licensed in this environment. Review the inf ormation.

On what operating system are these products licensed?

What products listed pertain to data access? SAS/ACCESS Interface products, such
as the following:

j. Close out of Internet Explorer.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-104 Lesson 1 Exploring the SAS® Platform

2. Using the SAS Installation Reporter Program

You run the program identif ied below to generate a report that shows which SAS components
(f or example, sof tware, client applications, and hot f ixes) are installed.

a. Use SAS Enterprise Guide or SAS Studio to run the sasinstallreporter4u.sas program
located in the f ollowing directory on your client machine:
D:\Workshop\spaftWIN

Note: There is a spaftWIN and a spaftLNX f older on this machine. For this program,
sasinstallreporter4u.sas, it does not matter where you retrieve the program
because it will be processed on whichever platf orm you are connected to through the
connection prof ile.
b. Review the output on the Results tab.

The report includes the f ollowing information:

• licensed SAS sof tware (f or example, Base SAS, SAS/STAT, and so on)
• installed SAS sof tware
• installed SAS clients or applications (f or example, SAS Enterprise Guide, the SAS System
Viewer, and so on)
• installed SAS hot f ixes (along with cursory status)
• other versions of SAS software (only in Windows environments and when the XCMD
system option is enabled)
• inf ormation about your deployment, including orders and configured servers
• installed and running SAS Windows services (when the XCMD system option is enabled)

Note: To download the program in your environment, see Usage Note 20390, “The SAS
Installation Reporter program creates a report showing which applications, clients,
and hotf ixes are installed”: http://support.sas.com/techsup/notes/v8/20/390.html

Note: There are two SAS procedures that give you similar inf ormation:
• The SETINIT procedure tells you what is licensed and the expiration dates, and
it works in all versions of SAS.
• The PRODUCT_STATUS procedure tells you what is installed. Some product s
might be licensed but not installed. For example, if you are not actively using
the product, you might not want to use disk space.

3. Considering Users and Applications in Your Environment (Optional)

What types of users do you have at your site and which SAS applications are used by these
users?

Platform Job Role Applications

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-105

4. Exploring Metadata in SAS Management Console

a. On the Windows machine, log on to SAS Management Console. Use the SASAdmin
connection prof ile that is appropriate: SASAdmin - Linux Server or SASAdmin Windows
Server. Provide the user ID Ahmed and the password Student1.

b. On the Plug-ins tab, expand Data Library Manager  Libraries.

c. Right-click Sales Analysis Library and select Properties to see the metadata def inition.
The answers to the questions can be f ound on the Properties tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-106 Lesson 1 Exploring the SAS® Platform

• Where is the location of this library definition in the metadata f older structure?

/Orion Star/Marketing Department/Data

• Where is the physical location that this library is ref erencing?

For Linux Server

/opt/sas/Workshop/OrionStar

For Windows Server

D:\Workshop\OrionStar

Server
• Are there any tables registered in metadata in this library?

Yes, SALES_ANALYSIS

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-107

d. Navigate to the metadata f older location of the Sales Analysis Library and the
SALES_ANALYSIS table.

Note: The table is stored in the same metadata f older as the library to which it is registered.
Registering libraries and its registered tables to the same metadata f older is a good
practice due to the metadata access controls. This is discussed in a later lesson.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-108 Lesson 1 Exploring the SAS® Platform

5. Comparing the Server Hierarchy in SAS Management Console and SAS Environment
Manager
Compare the server hierarchy in the Server Manager plug -in in SAS Management Console to the
Server module in SAS Environment Manager Administration.

a. In SAS Management Console, on the Plug -ins tab, expand Server Manager.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-109

b. Open Internet Explorer or Google Chrome f rom your Windows machine using the taskbar.
Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.
Sign in as sasadm@saspw using the password Student1.

1) Click the Administration tab.

2) Click Servers on the vertical navigation bar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-110 Lesson 1 Exploring the SAS® Platform

c. Do the server hierarchies in SAS Management Console and SAS Environment Manager
Administration differ?

No. It is a different tool displaying the same metadata. (If your lists are different, make
sure that you are signed in to the same Connection Profile, Linux or Windows. Each
platform has different lists of servers.)

Expand SASMeta and SASApp in either interf ace.

• How many servers are def ined under SASMeta?
Linux: There is one under SASMeta.
Windows: There is one under SASMeta
• How many servers are def ined under SASApp?
Linux: There are seven under SASApp. (The Logical Connect Server is running on
Linux.)
Windows: There are six under SASApp.
d. In SAS Management Console, right-click Object Spawner - (sasapp or sasserver) and
select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-111

e. Click the Servers tab.

f. In SAS Environment Manager Administration, highlighting Object Spawner - (sasapp or

sasserver) displays the server’s properties in the right pane.

From the tabbed menu, select Servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-112 Lesson 1 Exploring the SAS® Platform

Which server or servers are the object spawner responsible f or?

g. You are viewing SAS server metadata in SAS Management Console and SAS Environment
Manager.

You can also monitor your SAS compute servers and middle-tier servers in SAS
Environment Manager. In SAS Management Console, you can monitor usage on your SAS
compute servers only. (This is covered in later lessons.)

6. Accessing Deployment Manager

Access SAS Deployment Manager and explore the listed tasks. Also, v iew the internal service
accounts that would be updated with this application.

This practice instructs how to update passwords, but do not update any passwords at
this time.

a. On the server machine, navigate to SAS Deployment Manager.

For Linux Server

On sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHome/SASDeploymentManager/9.4 and run sasdm.sh:

./sasdm.sh

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-113

For Windows Server

Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4

and run sasdm.exe.

b. Click OK when prompted f or language.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-114 Lesson 1 Exploring the SAS® Platform

c. Scroll through the list of tasks that are perf ormed in SAS Deployment Manager.
d. With Update Passwords selected, click Next.

e. Click Next to move through the selection of configuration directory and level.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-115

f. Enter Student1 as the password f or sasadm@saspw. Click Next.

g. On Windows, enter Student1 as the password f or ShareServices. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-116 Lesson 1 Exploring the SAS® Platform

h. Review the list of internal service accounts that were created at SAS deployment. Click
Cancel because no passwords need to be updated.

i. Click Yes when prompted to verif y that you want to cancel.

Note: Passwords f or any service accounts that you introduce in SAS Management Console
are not managed by this tool. For example, if you designate a new logon as the
launch credential f or a server, that launch credential is not automatically added to the
list of accounts that the SAS Deployment Manager can update.

7. Generating the Deployment Registry Report

The installation of SAS products is logged in the SAS Deployment Registry. The Deployment
Registry report processes the deployment registry and identifies all SAS 9.2 and later sof tware
that is installed in the current SASHOME location. Installed hot f ixes are also logged in the SAS
Deployment Registry and reported in DeploymentRegistry.html.

Note: For details about running the ViewRegistry report, see Usage Note 35968:
http://support.sas.com/kb/35/968.html.

The ViewRegistry utility that is used to generate the report is installed in

SASHOME/deploymntreg.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-117

For Linux Server

1. On sasapp.demo.sas.com machine, navigate to /opt/sas/SASHOME/deploymntreg.

2. Run the command java -jar sas.tools.viewregistry.jar.

3. Open DeploymentRegistry.html in the same directory.

You can use the WinSCP application that has a shortcut on your desktop or use Firef ox on
your Linux server. When opening in WINSCP, be sure to right-click the f ile and select
Open.

4. You can also generate the DeploymentRegistry f iles f or the middle-tier deployment as
well. Repeat steps 1–3 on the sasmid.demo.sas.com machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-118 Lesson 1 Exploring the SAS® Platform

For Windows Server

1. Open a command prompt and navigate to D:\Program Files\SASHome\deploymntreg.

2. Run this command:

"D:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\
bin\java.exe" -jar sas.tools.viewregistry.jar

3. Using Windows Explorer, navigate to D:\Program Files\SASHome\deploymntreg and

open DeploymentRegistry.html in a web browser.

Inspect the products and versions of SAS software installed.

8. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents

SAS Backup Manager is an easy-to-use interf ace f or the Deployment Backup and Recovery tool.
You can use SAS Backup Manager f or the f ollowing tasks:
• view backup and recovery history
• run an immediate (ad hoc) backup
• view the backup conf iguration
• modif y the backup configuration (except backup filters and custom directories)
• view inf ormation about backup and recovery sources
• view and modif y the backup schedule

Prior to SAS 9.4M3, these f unctions were available only through batch commands.

SAS Backup Manager can be accessed f rom the SAS Environment Manager Administration
page.
a. Start the SAS Deployment Agent using SAS Environment Manager.

1) Open a web browser. Select SAS Environment Manager f rom the Windows or Linux
f older on the Favorites bar.

2) Sign in as sasadm@saspw with the password Student1.

Note: To run a f ull backup, you must be logged on to SAS Environment Manager as
sasadm@saspw with the password Student1.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-119

3) Go to Resources  Servers and select the f ollowing:

For Linux Server

sasapp.demo.sas.com SAS Deployment Agent 1.0

sasmid.demo.sas.com SAS Deployment Agent 1.0

(Start both agents using Control Actions, shown on step 4.)

For Windows Server

SASSERVER SAS Deployment Agent 1.0

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-120 Lesson 1 Exploring the SAS® Platform

4) Select Control.

5) In the Quick Control area, select Start f rom the Control Action drop-down menu and
click the arrow to the right.

Note: You can also start the SAS Deployment Agent in the operating system, or it can
be started in SAS Deployment Manager.
• For a Windows server, use Window Services.
• For a Linux server, the command is located in the SASHOME directory:
SASHOME Directory/SASDeploymentAgent/9.4. The command to start the
agent is agent.sh start. The command to check the status of the agent is
agentadmin.sh stat up.

b. Access Backup Manager in SAS Environment Manager.

1) Click the Administration tab in SAS Environment Manager. When the Administration
page appears, maximize the window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-121

2) Click Backup Manager in the vertical navigation bar.

Note: The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available f or backup.
The drop-down menu shows the f ollowing selections:
• History – view inf ormation about a particular backup or recovery
• Policy – view details of the current backup policy
• Schedule – view and modif y the current backup schedule
c. Run an unscheduled backup.
1) With History selected in the tabbed navigation menu, click the Start Backup button in
the upper right of the SAS Backup Manager window.

2) Provide a meaningf ul name and comment f or the backup. The backup name must be
unique. Both the name and comment are optional and are recorded in backup history
and are displayed in the backup’s Operation Details.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-122 Lesson 1 Exploring the SAS® Platform

3) Click Start Backup.

A notif ication is displayed when the backup completes.

Note: Recoveries cannot be run f rom SAS Backup Manager. Instead, use the
sas-recover-offline command.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-123

4) Highlight the backup, and click the Properties button on the right to display the details.

d. Click the Sources button to display the components that were backed up.

The sources f or the currently selected backup or recovery are listed in the right pane, below
the operation details. If you are viewing details f or a recovery, only the sources that were
recovered are listed.

The status icon next to each source indicates the status of its backup or recovery.

By def ault, the backup sources include the f ollowing:

• metadata server
• content server
• conf ig directories
• database

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-124 Lesson 1 Exploring the SAS® Platform

Note: Custom might also be listed. This means that additional directories under
SAS-configuration-directory/Levn, as specif ied by the administrator, were
backed up or recovered.

To view details about a particular backup or recovery source, click the Collapsed arrow to
the lef t of the source name. The f ollowing details are displayed:
• the host name of the machine where the source is located
• the status of the source’s backup or recovery
• the directory location of the source’s local backup f iles on the host machine
• the total size of the backup f iles for this source
• the directory location of the source’s configuration f iles
• the operating system of the source’s host machine

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-125

e. Select View Diagram f rom the Sources pane.

The diagram includes the f ollowing:

• The root node specif ies the ID of the backup or recovery, which is based on the date and
time that the backup or recovery started (f or example, 2015-02-01T03_13_01). For
backups, the ID is also the name of corresponding backup directory.
• Under the root node, a child node is displayed for each backup source that was included in
the backup or recovery. You can click a node to collapse its child nodes.
• Under each source node, a child node is displayed for each host machine f or that source.

f. Hold the mouse pointer on a node to see the size of the f iles that were backed up or
recovered.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-126 Lesson 1 Exploring the SAS® Platform

g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
Inf rastructure Platf orm Data Server 9.4 appears under the Database tree.

h. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part
of the node appear.

The green check mark in the bottom right of the node indicates its backup status.
Specif ically, it indicates that the backup or recovery was completed without errors or
warnings.

i. Place your mouse pointer over each of the databases in the Web Inf rastructure Platf orm
Data Server 9.4 node. Notice that many of the databases are relatively small.

j. Select Close to close the Backup Details window.

k. Find the location of the backup. Select History f rom the navigation menu.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-127

l. Click the Collapsed arrow to the lef t of the content server. The directory location of the
source’s local backup f iles on the host machine is under Backup Location.

m. Find this location on the server’s local f ile system. There is a directory f or each of the
sources listed in the Backup Manager.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Backup/Vault.

On the sasmid.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Backup/Vault.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-128 Lesson 1 Exploring the SAS® Platform

For Windows Server

Navigate to D:\SAS\Config\Lev1\Backup\Vault.

n. Click the Collapsed arrow to the lef t of the metadata server and examine the backup
location.

Why is this location different f rom the others? This is where the metadata server backups
are stored by default.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-129

9. Displaying the Backup Configuration Using Batch Tools

a. Navigate to the location where the Deployment Backup tools are installed.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHOME/SASPlatformObjectFramework/9.4/tools/admin.

For Windows Server

Open a command prompt from the Start menu, and issue the f ollowing command:
D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin

b. Run the sas-display-backup-config tool.

For Linux Server

Issue the f ollowing command:

./sas-display-backup-config -host sasmid.demo.sas.com -port 7980 -user

sasadm@saspw -password Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-130 Lesson 1 Exploring the SAS® Platform

For Windows Server

In the command window, issue the f ollowing command:

sas-display-backup-config.exe -host sasserver.demo.sas.com -port 80 -user

sasadm@saspw -password Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-131

Solutions to Activities and Questions

1.01 Question – Correct Answer

The SAS Platform can exist on a single machine.
 True
 False

9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1.02 Multiple Choice Question – Correct Answer

Which SAS Business Intelligence application listed below is solely for SAS
administrators?
a. SAS Enterprise Guide
b. SAS Web Report Studio
c. SAS Management Console
d. SAS Information Delivery Portal

SAS Environment Manager is another web-based administrative

application. We discuss and use these applications throughout the course.

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-132 Lesson 1 Exploring the SAS® Platform

1.03 Activity – Correct Answer

Who should have SAS Management Console installed on their desktops?

Who should have access to SAS Environment Manager?

SAS administrators, not end users

34
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1.04 Multiple Answer Question – Correct Answer

Which of the following tasks are performed using SAS Deployment
Manager? (Select all that apply.)
a. updating license information
b. deploying SAS software
c. updating host names
d. updating passwords for user accounts
e. starting SAS Deployment Agent

41
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 1.4 Solutions 1-133

1.05 Question – Correct Answer

The deploymntreg directory is located under your SAS Software Depot.
 True
 False

The ViewRegistry report is generated by executing the JAR file

sas.tools.viewregistry.jar. This JAR file is located in the
SASHOME/deploymntreg directory and must be executed from
this directory.

43
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1.06 Multiple Choice Question – Correct Answer

How often do you need to check the status of your SAS servers?
a. never
b. at installation time and as needed thereafter
c. as needed
d. daily

48
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1-134 Lesson 1 Exploring the SAS® Platform

1.07 Multiple Choice Question – Correct Answer

How often do you need to back up your environment?
a. never
b. daily
c. as needed
d. weekly

66
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 2 Reviewing SAS®
Platform Architecture Components
2.1 Exploring the Platform Architecture ............................................................................. 2-3
Practice............................................................................................................... 2-15

2.2 Exploring the SAS Middle-Tier Architecture ............................................................... 2-19

Practice............................................................................................................... 2-30

2.3 Operating SAS Servers and Spawners ....................................................................... 2-35

Demonstration: Using SAS Environment Manager to Operate Servers and Spawners ..... 2-42
Practice............................................................................................................... 2-44

2.4 Exploring SAS Environment Manager ........................................................................ 2-47

Demonstration: Exploring SAS Environment Manager................................................ 2-55
Practice............................................................................................................... 2-66

2.5 Exploring SAS Environment Manager Service Architecture ....................................... 2-71

Practice............................................................................................................... 2-84

2.6 Solutions ................................................................................................................... 2-89

Solutions to Practices ............................................................................................ 2-89
Solutions to Activities and Questions...................................................................... 2-131
2-2 Lesson 2 Reviewing SAS® Platform Architecture Components

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-3

2.1 Exploring the Platform Architecture

SAS Platform Architecture

The platform for SAS Business Analytics consists of
a multiple-tier environment that is typically
represented by the following: Clients

• clients
SAS Servers
• middle tier
• SAS servers
Metadata
• data sources Server

The tiers do not necessarily Middle Data

represent separate computers Tier Sources
or groups of computers.

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The platform for SAS Business Analytics consists of a multiple-tier environment that is typically
represented by the following:
Client Tier: SAS client software is installed on users’ desktops. SAS client applications cannot
execute SAS code on their own. They must request code submission and other services from a
SAS server. A web browser is all that is necessary for SAS web applications.
Middle Tier: The middle tier is where the web applications reside and execute. The middle tier also
contains the infrastructure that supports the execution of the web browser applications, including a
Java servlet container (or web application server), the Java Runtime Environment, the JMS Broker,
the Cache Locator, the SAS Web Infrastructure Platform, the Content Server.
Server Tier: SAS Servers: The server tier consists of one or more machines where the SAS
servers are installed and accessed by the SAS Platform applications. Several types of SAS servers
are available to handle different workload types and processing intensities, including the metadata
server, the workspace servers, the stored process servers, and the object spawner.
Server Tier: SAS Metadata Server: The SAS Platform uses the metadata server and metadata
repositories to manage information about the entire environment, including serv er definitions, data
definitions, users and groups, security settings, and business intelligence content.
Data Tier: Data sources store your enterprise data. All of your existing data assets can be used,
whether your data is stored in third-party database management systems, SAS tables, or enterprise
resource planning (ERP) system tables.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-4 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Platform Architecture

Data Sources
SAS Data Sets
SAS OLAP Cubes
Third-Party Data Stores
Enterprise Resource
Planning (ERP) Systems
SAS Web Infrastructure
Platform Data Server
Metadata Server Client Tier
Middle Tier
SAS Servers SAS Web Application Server
Web Appl i cations: SAS Management Console
SAS Workspace Server SAS Enterprise Guide
SAS Studi o
SAS Pooled Workspace SAS Web Report Studi o SAS Add-In for Microsoft
Server SAS Informa tion Delivery Office
SAS Stored Process Porta l SAS Enterprise Miner
Server SAS Web Report Studi o SAS Data Integration Studio
SAS Grid Servers SAS Vi s ual Analytics SAS Information Map Studio
SAS OLAP Server Other SAS Web Appl i cations
SAS OLAP Cube Studio
SAS LASR Analytic a nd Sol utions
SAS Solution Applications
Server
SAS Web Infra structure
Web Browser
Pl a tform
(Logon Ma na ger)
SAS Environment
Manager Agent SAS Environment SAS Web Server Mobile Devices (to view
Manager Agent (http server) some types of reports)
SAS Environment
JMS Broker
Manager Server

Cache Locator
4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The f our tiers listed above represent categories of software that perf orm similar types of computing
tasks and require similar types of resources. The tiers do not neces sarily represent separate
computers or groups of computers.
For a large company, the tiers can be installed across a multitude of machines with dif f erent
operating systems. For prototyping, demonstrations, or very small enterprises, all of the tiers can b e
installed on a single machine.

Clients
Desktop clients run on Windows desktops. Client Tier
Some of these clients are native Windows
applications and others are Java applications.
SAS Management Console
Some clients require only a web browser SAS Enterprise Guide
SAS Add-In for Microsoft
to be installed on each client machine. Office
SAS Enterprise Miner
SAS Web Applications:
SAS Data Integration Studio
SAS Logon Manager SAS Information Map Studio
SAS Environment Manager SAS OLAP Cube Studio
SAS Studio SAS Solution Applications
SAS Information Delivery Portal
SAS Web Report Studio Web Browser
SAS Visual Analytics
Mobile Devices (to view
some types of reports)

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-5

The client tier provides users with desktop access to intelligence data and f unctionality through easy -
to-use interf aces. For most inf ormation consumers, reporting and analysis tasks can be perf ormed
with only a web browser. For more advanced design and analysis tasks, SAS client software is
installed on users’ desktops.

SAS Servers: Metadata Server

The SAS Metadata Server is the
most critical software component SAS Servers
in the SAS Intelligence Platform. Metadata Server
Client Tier
SAS applications connect to the
SAS Metadata Server and other SAS Management Console

SAS servers that are part of the SAS Enterprise Guide

SAS Add-In for Microsoft
Office
platform depend on the SAS SAS Enterprise Miner
SAS Data Integration Studio

Metadata Server. SAS Information Map Studio

SAS OLAP Cube Studio
SAS Solution Applications

Web Browser
SAS Web Applications:
SAS Logon Manager
SAS Environment Manager
Note: The term server refers to SAS Studio
SAS Information Delivery Portal
SAS Web Report Studio
a process or processes. SAS Visual Analytics

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-6 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Servers
SAS servers execute SAS SAS Servers
analytical and reporting Metadata Server
processes for distributed
Client Tier
clients. These servers are
Object Spawner
typically accessed either by SAS Workspace Server SAS Management Console

desktop clients or by web SAS Pooled Workspace SAS Enterprise Guide

SAS Add-In for Microsoft
Server Office
applications that run in the SAS Enterprise Miner
SAS Stored Process SAS Data Integration Studio

middle tier. Server

SAS Information Map Studio
SAS OLAP Cube Studio
SAS Solution Applications
SAS Grid Servers
SAS OLAP Server Web Browser
SAS LASR Analytic SAS Web Applications:
SAS Logon Manager
Server SAS Environment Manager
SAS Studio
SAS Information Delivery Portal
SAS Web Report Studio
SAS Visual Analytics

7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

On the platf orm, the term server ref ers to a process or processes that wait f or and f ulfill requests
f rom client programs f or data or services. The term server does not necessarily ref er to a specif ic
computer, because a single computer can host one or more servers of various types.
The SAS servers use the SAS Integrated Object Model (IOM). The IOM is a set of distributed object
interf aces that make SAS sof tware f eatures available to client applications when SAS is executed on
a server. Each server uses a dif ferent set of IOM interf aces and has a dif ferent purpose.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-7

Data Sources
The platform includes several
SAS Servers
Data Sources options for data storage,
Metadata Server
including SAS data sets, SAS
Object Spawner
SAS Workspace Server OLAP cubes, and the SAS Web
SAS Data Sets SAS Pooled Workspace
Server Infrastructure Platform Data
SAS OLAP Cubes SAS Stored Process

Third-Party Data Stores

Server
SAS Grid Servers Server.
SAS OLAP Server
Enterprise Resource SAS LASR Analytic In addition, SAS provides
Planning (ERP) Systems Server
products that enable you to
SAS Web Infrastructure
access data in your existing
Client Tier
Platform Data Server third-party data stores and
SAS Client Applications
ERP systems.
SAS Web Applications

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS data sets are analogous to relational database tables.

SAS OLAP cubes are multidimensional structures of summarized data.
The SAS Web Infrastructure Platform Data Server is the def ault location f or middle-tier data such as
alerts and comments. It can store the data f or the SAS Content Server. The server is provided as an
alternative to using a third-party relational database.
The SAS/ACCESS interf aces provide direct acces s to a variety of data stores.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-8 Lesson 2 Reviewing SAS® Platform Architecture Components

Middle Tier
Middle Tier The middle tier includes
SAS Web Server Cache Locator the following:
Client Tier
(http server)
JMS Broker • SAS Web Server and
SAS Client Applications SAS Web Application Server SAS Web Application
Web Browser
Web Appl i cations:
SAS Studi o
Server
SAS Web Report Studi o
SAS Servers SAS Informa tion Delivery • a Java Runtime
Porta l
Metadata Server SAS Web Report Studi o Environment (JRE)
SAS Vi s ual Analyti cs

SAS Servers
Other SAS web a pplica tions
a nd s olutions
• SAS web applications
Data Sources SAS Web Infra structure • SAS Web Infrastructure
Pl a tform
SAS Web Infra structure
Pl a tform Da ta Server (Logon Ma na ger) Platform
SAS Environment SAS Environment SAS Environment
Manager Agent
• SAS Environment Manager
Manager Agent Manager Server
Server and Agent
9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The middle tier enables users to access intelligence data and f unctionality via a web browser. This
tier provides web-based interf aces for report creation and inf ormation distribution while passing
analysis and processing requests to the SAS servers.
Beginning with the release of SAS 9.4, SAS includes an embedded middle-tier server called SAS
Web Application Server. SAS no longer requires nor supports external third -party application
servers. SAS also now includes several new middle-tier capabilities, including enhanced monitoring
and management, web-based administration, load balancing, and improved availability.
The SAS Web Infrastructure Platform includes the SAS Content Server and other inf rastructure
applications and services.
A JMS broker provides distributed communication with Java Messaging Services. Some SAS web
applications use queues and topics f or business logic.
A cache locator is used by SAS web applications to locate and connect to a distributed cache. The
SAS web applications use the cache to maintain awareness of user sessions and to share
application data.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-9

SAS Environment Manager Server is responsible for communicating with the agents. It collects
information about items such as discovered resources, metrics, and availability, and issues control
actions received from the SAS Environment Manager application. Collected data is stored in the
SAS Environment Manager database.
SAS Environment Manager Agent is a software process that runs on each platform (middle-tier and
server-tier machine) in a SAS deployment. The agent is responsible for tasks such as discovering
software components on its platform, gathering metric and availability data for the platform and
components, and performing resource control actions. The agents communicate with the
management server. Plug-ins are used to provide the agents with the information needed to discover
SAS resources installed on a platform.

SAS Platform Architecture (Review)

Data Sources
SAS Data Sets
SAS OLAP Cubes
Third-Party Data Stores
Enterprise Resource
Planning (ERP) Systems
SAS Web Infrastructure
Platform Data Server
Metadata Server Client Tier
Middle Tier
SAS Servers SAS Web Application Server
SAS Management Console
Object Spawner Web Appl i cations:
SAS Enterprise Guide
SAS Workspace Server SAS Studi o
SAS Web Report Studi o SAS Add-In for Microsoft
SAS Pooled Workspace
SAS Informa tion Delivery Office
Server
Porta l SAS Enterprise Miner
SAS Stored Process
SAS Web Report Studi o SAS Data Integration Studio
Server
SAS Vi s ual Analyti cs SAS Information Map Studio
SAS Grid Servers Other SAS web a pplica tions SAS OLAP Cube Studio
SAS OLAP Server a nd s olutions SAS Solution Applications
SAS LASR Analytic
Server SAS Web Infra structure
Pl a tform Web Browser
(Logon Ma na ger)
SAS Environment
Manager Agent SAS Environment SAS Web Server Mobile Devices (to view
Manager Agent (http server) some types of reports)
SAS Environment
JMS Broker
Manager Server

Cache Locator
10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-10 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Installation and Configuration

SAS installation and configuration files are stored in separate locations.

SASHOME Directory The location on a file system where an instance

of SAS software is installed
SAS Configuration The location on a file system where configuration
Directory information for a SAS deployment is stored

11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The location of the SASHOME directory is established at the initial installation of SAS software by
the SAS Deployment Wizard. That location becomes the default installation location for any other
SAS software that is installed on the same computer.

Securing a SAS Configuration

The SAS configuration directory on each server machine must be protected
by operating system controls. These controls prevent inappropriate access
to the following:
• metadata repository data sets
• server scripts
• server logs
• configuration files

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-11

Securing a SAS Configuration: Windows

On Windows, all of the configuration
directories, files, and scripts are owned by
the user who performed the installation.
It is recommended that you set additional
operating system permissions.

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

These recommendations assume that your SAS servers and spawners run as services under the
Local System account. If servers and spawners run under a different account, then grant that
account the permissions that are recommended for SYSTEM.

Directories Recommended Permissions for Windows

• SAS-configuration-directory • SYSTEM and Administrators: Full Control
• SAS-configuration-directory\Lev1 • All other users: List Folder Contents, Read
• Lev1 subdirectories: Documents,
ReportBatch, SASApp, SASMeta, Utilities,
Web
Lev1 subdirectories: • SYSTEM and Administrators: Full Control
• ConnectSpawner • Remove all other users and groups
• Logs
• ObjectSpawner
• SASApp\OLAPServer
• SASMeta\MetadataServer
• FrameworkServer
• ShareServer
SASApp subdirectories: • SYSTEM, Administrators, and SAS
PooledWorkspaceServer, StoredProcessServer Spawned Servers (sassrv): Full Control
• Remove all other users and groups

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-12 Lesson 2 Reviewing SAS® Platform Architecture Components

Directories Recommended Permissions for Windows

SASApp subdirectories: • SYSTEM and Administrators: Full Control
• ConnectServer\Logs
• Data\wrsdist
• Data\wrstemp
• PooledWorkspaceServer\Logs
• PooledWorkspaceServer\sasuser
• StoredProcessServer\Logs
• StoredProcessServer\sasuser
• WorkspaceServer\Logs
SASMeta\WorkspaceServer\Logs
• SYSTEM and Administrators: Read and
sasv9_meta.cfg file
Write
• Remove all other users and groups

If you selected the customer installation option to place all of your log files in a single directory, then
you need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination.
If you enable logging for a standard workspace server, then you need to grant all users of the
workspace server Full Control of the log directory.

Securing a SAS Configuration: UNIX and z/OS

On UNIX and z/OS systems, the SAS Deployment Wizard automatically
applies the permissions that give appropriate access to the configuration
directory of the following:
• SAS Installer account (typically sas)
• sas group (which includes sas and sassrv)
In addition to the default security, you might want to give administrators
access to the configuration directory so that they can modify files and run
backups.

14
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-13

On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate
permissions. The def ault permissions are shown below.

Directories Default Permissions for UNIX and z/OS

• SAS-configuration-directory • SAS Installer: Read, Write, and Execute
• SAS-configuration-directory\Lev1 • All other users: Read and Execute
• Lev1 subdirectories: Documents,
ReportBatch, SASApp, SASMeta, Utilities,
Web
Lev1 subdirectories: • SAS Installer: Read, Write, and Execute
• ConnectSpawner • All other users: no access
• Logs
• ObjectSpawner
• SASApp/OLAPServer
• SASMeta/MetadataServer
• FrameworkServer
• ShareServer
SASApp subdirectories: • SAS Installer: Read, Write, and Execute
PooledWorkspaceServer, StoredProcessServer • sas group: Read and Execute
SASApp subdirectories • SAS Installer: Read, Write, and Execute
• ConnectServer/Logs • sas group: Read, Write, and Execute
• Data/wrsdist
• Data/wrstemp
• PooledWorkspaceServer/Logs
• PooledWorkspaceServer/sasuser
• StoredProcessServer/Logs
• StoredProcessServer/sasuser
• WorkspaceServer/Logs
SASMeta/WorkspaceServer/Logs
• sasv9_meta.cfg file • SAS Installer: Read and Write
• All other users: no access

If you selected the customer installation option to place all of your log files in a single directory, then
you need to grant the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission to
the central log destination.
If you enable logging for a standard workspace server, then you need to grant all users of the
workspace server Read, Write, and Execute permission to the log directory.
Make sure that the SAS Spawned Server (sassrv) account is a member of the sas group, which has
the necessary permissions to server configuration files and log directories.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-14 Lesson 2 Reviewing SAS® Platform Architecture Components

Environment Snapshot
The Environment Snapshot captures and reports information about the
state of all the machines in your SAS deployment at a single point in time.
This can assist in debugging issues in a SAS deployment.

15
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Environment Snapshot:
• Collects and displays the most current performance measures and configuration parameters from
the SAS Environment Manager database
• Executes live queries and gathers real-time usage information
• Can save all of the data to a text file
Tabs contain inf ormation about the f ollowing:
• Hardware (CPU speed, free memory, RAM, CPU specifications)
• System (OS details
• Network (IP address, DNS information, network interfaces, and transmission speeds)
• Mounts (File and NFS mount points, response metrics)
• Servers (counts of active servers on the machine)
• Services (counts of active services on the machine)
• Logs (locations of important log repositories)
• Control Actions (history and schedule of start/stop/restart actions)
• SAS (SAS servers, versions, install paths, ports, and so on)
• Live System Queries (output from df, who, top commands).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-15

Practice

1. Locating the Installation and Configuration Directories of the SAS Deployment

a. On the server machine, locate the installation directory.

For Linux Servers

1 On the sasapp.demo.sas.com machine, navigate to /opt/sas/SASHome. Are any

desktop applications installed on the server machine?

2. On the sasmid.demo.sas.com machine, navigate to /opt/sas/SASHome. Are any

desktop applications installed on the server machine?

For Windows Server

Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any desktop
applications installed on the server machine?

b. Locate the configuration directory.

For Linux Servers

1. On the sasapp.demo.sas.com machine, navigate to /opt/sas/config/Lev1. What

directory is the metadata server configured in?

2. On the sasmid.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Web/WebAppServer. How many web application servers are
deployed?

For Windows Server

Access Windows Explorer and navigate to D:\SAS\Config\Lev1. What directory is the

metadata server configured in? Continue to the
D:\SAS\Config\Lev1\Web\WebAppServer directory. How many web application servers
are deployed?

Note: The Levn subdirectory contains configuration information and other files for a
particular installation instance. Lev1 is generally used for production environments.
Additional levels such as Lev2 and Lev3 can be used for environments that you
install for purposes such as development and testing. During installation, the SAS
Deployment Wizard enables you to select the level number.
2. Examining details_diagram.html
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS
system. Similar to an architect’s floor plan, the plan describes the intended final SAS software
environment. The plan is used in the SAS software deployment process to “tell” the SAS
Deployment Wizard which software components to install and configure on each machine. A
diagram of your customized deployment plan, called details_diagram.html (optimized for
Firefox) or details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your
custom plan file.
Note: See Installation Note 44320, “Using deployment plans during a SAS installation.”

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-16 Lesson 2 Reviewing SAS® Platform Architecture Components

a. On the server machine, locate and open the details_diagram.html file.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to /opt/sas/depot/plan_files.

Use WinSCP, right-click details_diagram.html, and select open. (Double-clicking
opens the file for edit.) You can open the file using Firefox on the Linux machine.

For Windows Server

Access Windows Explorer, and navigate to D:\depot\plan_files.

b. Where is SAS Management Console installed? Configured?

Where is SAS Foundation software installed? Configured?
Where is SAS Enterprise Guide installed? Configured?
3. Creating an Environment Snapshot
The Environment Snapshot contains a comprehensive listing of the system information in the
SAS Environment Manager database. It collects and displays the most current performance
measures and configuration parameters, as well as executes and gathers real-time usage
information.
a. Log on to SAS Environment Manager as sasadm@saspw using the password Student1.
b. Select Analyze  Environment Snapshot.
c. Under Summary Table on the left, select your system:

For Linux Server

sasapp.demo.sas.com

For Windows Server

sasserver.demo.sas.com

d. Click the SAS tab and notice the metadata server configuration attributes. What port does
the metadata server use?
e. Click the Logs tab. A comprehensive list of server log locations is displayed. Notice that
many of the middle-tier servers do not have log tracking enabled or there is no log location
set, whereas the SAS servers do.
For Linux Server: Because your SAS middle tier is on a different machine, change your
summary table to sasmid.demo.sas.com and then click the Logs tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.1 Exploring the Platfor m Architecture 2-17

f. You can change this by going to a resource inventory property and enable log tracking.
Go to Resources  Browse  Servers and select the following:

For Linux Server

sasmid.demo.sas.com SASWebApplicationServer SASServer1_1

For Windows Server

SASSERVER SASWebApplicationServer SASServer1_1

Note: You might need to go to the next page to find the resource.

Alternatively, you can filter for sasweb.

g. Click the Inventory tab and scroll down to Configuration Properties and click Edit.
h. Select server.log_track.enable and click OK.
Many of the server-level resources enable the administrator to set up log tracking. This is a
method of monitoring log files for specific messages, such as severe errors or other critical
information. By doing this, you do not need to open the log files directly. You can access only
the portion that you need from the user interface. These log file entries are one type of event
that can be configured and customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up
by the SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on
log tracking and specify the log messages that you want to capture.
Note: Setting up log tracking is covered in a later lesson.
i. Return to Environment Snapshot on the Analyze tab and select your system:

For Linux Server

sasmid.demo.sas.com

For Windows Server

sasserver.demo.sas.com

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-18 Lesson 2 Reviewing SAS® Platform Architecture Components

j. Click the Logs tab to see that one of the SASWebApplicationServer 9.45 servers now has
a logging file location.
k. Click Snapshot Environment under Create a Snapshot.
l. When the processing is complete, click the Snapshots tab. A text file is created. Take note of
the snapshot physical location displayed on the screen. The path is on the middle-tier
machine where SAS Environment Manager Server is located and is relative to the SAS
configuration directory.
m. Navigate to the file location and view the file contents:

For Linux Server

Because you took the snapshot of your SAS middle-tier environment, go to

sasmid.demo.sas.com machine and navigate to
/opt/sas/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE and

For Windows Server

D:\SAS\Config\ Lev1\Web\SASEnvironmentManager\server-5.8.0-EE and

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-19

2.2 Exploring the SAS Middle-Tier

Architecture

What Is a Middle-Tier Architecture?

Middle-tier architecture refers to a three-tier model where the browser is the client
tier, the database is the back-end tier, and the servers in the middle tier retrieve
and process data from the servers in the data tier for presentation to clients. The
middle-tier server performs the business logic.
Back-End DB
Middle Tier Server/
SAS Servers

HTTP Server

Client PC
Web Application
Server
Web Applications
Web Server Web Infrastructure
Platform WIP Data Server
JMS Broker
Web Browser Cache Locator
Environment Manager

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Clients access the servers in the web tier directly or through a firewall. They access the servers in
the data tier only through the servers in the web tier.
The definition comes from http://www.onjava.com/2003/10/01/middletier.html.
For SAS web applications to be deployed into a clustered environment, the SA S Web Server
implements session affinity. Session affinity is an association between a web application server and
a client that requests an HTTP session with that server. This association is known in the industry by
several terms in addition to session affinity, including server affinity and sticky sessions. With session
affinity, after a client is assigned to a session with a web application server, the client remains with
that server for the duration of the session. By default, session affinity is enabled.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-20 Lesson 2 Reviewing SAS® Platform Architecture Components

Middle Tier
SAS Web Server
Middle Tier
Web
Browser (http server)

In this scenario, all of SAS Web Application Server SAS Environment

Manager Agent
the SAS middle-tier Web Appl i cations:
SAS Studi o SAS Web Report Studi o
SAS Environment
components are installed SAS Informa tion Delivery Porta l Manager Server
SAS Vi s ual Analyti cs
on a single system. Other SAS web a pplica tions Cache Locator
SAS Web Infra structure Pl a tform
JMS Broker

SAS Servers
Metadata Server
SAS Workspace Server
SAS Web Infra structure SAS Stored Process Server
Pl a tform Da ta Server SAS Pooled Workspace Cache Locator
Server
SAS EV Agent

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Intelligence Platf orm architecture provides the f lexibility to distribute these components
according to your organization’s requirements. For small implementations, the middle-tier sof tware,
SAS Metadata Server, and other SAS servers (such as the SAS Workspace Server and SAS Stored
Process Server) can all run on the same machine. In contrast, a large enterprise might have multiple
servers and a metadata repository that are distributed across multiple platforms. The middle tier in
such an enterprise might distribute the web applications to many web application server instances
on multiple machines.
SAS 9.4 middle-tier software includes the following:

SAS Web • It provides the execution environment for the SAS web applications.
Application • The SAS Deployment Wizard can automatically configure the web
Server application server, or you can configure it manually.

• It is an HTTP server that is configured as a single connection point for SAS

SAS Web Server
web applications.
• It is automatically configured to perform load-balancing when the SAS
middle tier is clustered, as well as updated to route web sessions to SAS
Web Application Server instances
• It is automatically configured to cache static web content such as
JavaScript files, cascading style sheets, and graphic files.
• It can be configured for HTTPS automatically.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-21

• It is used by applications on server-tier and middle-tier machines to locate

Cache Locator
other members and form a data cache.
• The SAS Web Application Server uses a single locator instance. In a
clustered environment, each instance uses the one locator to learn about
the other server instances when f orming the cache.
• A locator is also installed on the first server-tier machine that includes an
instance of SAS Web Infrastructure Platform Scheduling Services.

• SAS middle-tier software uses the broker for Java Messaging Services
JMS Broker
(JMS). The JMS Broker provides distributed communication and acts as a
message broker.
• An instance is conf igured as a server on the machine that is used f or the
SAS middle tier.
• Some SAS web applications use JMS connection f actories, queues, and
topics f or implementing business logic, and use JMS f or this
communication between middle tier applications and services.

The SAS middle-tier environment includes a Java Runtime Environment with SAS 9.4 software. You
do not need to install a separate Java environment for the middle-tier environment.

Middle-Tier Components

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-22 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Content Server

The SAS Content Server stores digital content (such as documents, reports,
and images) that is created and used by SAS web applications, such as
SAS Web Report Studio and SAS Information Delivery Portal.
• It is part of the SAS Web Infrastructure Platform.
• Client applications use Web Distributed Authoring and Versioning
(WebDAV) protocols for access, versioning, collaboration, security, and
searching.
• Content mapping is in place to ensure that report content is stored using
the same folder names and permissions that the SAS Metadata Server
uses to store corresponding report metadata.

22
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Web Inf rastructure Platf orm always installs and conf igures the SAS Content Server. By
def ault, the SAS Content Server uses f ile system storage located in the SAS conf iguration directory,
Levn/AppData/SASContentServer/Repository.
The SAS Content Server is managed using the SAS Content Server Administration Console,
https://server:port/SASContentServer/dircontents.jsp. You must be an unrestricted user to administer
content in the SAS Content Server.

SAS Web Infrastructure Platform Data Server

The SAS Web Infrastructure Platform Data Server is used as transactional
storage by SAS middle-tier software and some SAS solutions.
• It is based on PostgreSQL 9.1.9 and configured specifically to support
SAS software.
• The server is configured to manage the following databases:
• Administration
SAS Web Application Server Server Tier
• EVManager
• SAS Environment Manager
SAS Web Infra structure
• Shared Services •
•
Content Server
SAS Visual Analytics Pl a tform Da ta Server
Transport Services
• transportsvcs_db
• The databases that are managed by the server are backed up and restored
with the Backup and Recovery Deployment Tool.
23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-23

The Administration database contains conf iguration inf ormation for the modules that SAS develops
to extend the f eatures of SAS Environment Manager.
The EVManager database is used by SAS Environment Manager. The database contains
conf iguration and metric inf ormation f or the machines and servers that SAS Environment Manager
manages in your deployment.
The SharedServices database is used by the SAS web applications and middle-tier software. For
example, comments that are added through various web applications are stored in this database.
Digital content that is stored with SAS Content Server is also stored in this database.
Note: You can choose to use a third-party vendor database server for this database when you
install and configure software with the SAS Deployment Wizard. This database is identified
as the SAS Web Infrastructure Platform Database on the pages in the wizard.
This transportsvcs_db database is used by SAS Visual Analytics Transport Service. The database
stores mobile logon history inf ormation, as well as the device’s blacklist and whitelist data that is
maintained through SAS Visual Analytics Administrator. It is also used to support caching within the
Transport Service application.
If your deployment includes SAS solutions software that supports SAS Web Inf rastructure Platf orm
Data Server, then more databases might be conf igured on the server.

SAS Middle-Tier Software Components

The configuration directory for your SAS middle tier (JMS Broker)
is SAS-configuration-directory\Levn\Web.
Each component has the following: \logconfig
(Cache Locator)
• scripts for start, stop, and status
• scripts to install and uninstall
• Windows services
• configuration files (which include logging control)
• log files (\logs directory)

24
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-24 Lesson 2 Reviewing SAS® Platform Architecture Components

Log Locations for Applications and Servers

Application or Log Location

Server

Cache Locator SAS-configuration-

directory\Levn\Web\gemfire\instances\ins_port-
number\gemfire.log file

JMS Broker SAS-configuration-

directory\Levn\Web\activemq\data\activemq.log file

SAS SAS-configuration-
Environment directory\Levn\Web\SASEnvironmentManager\agent-version-
Manager Agent
EE\log directory

SAS SAS-configuration-
Environment directory\Levn\Web\SASEnvironmentManager\server-version-
Manager Server
EE\logs directory

SAS Web SAS-configuration-

Application directory\Levn\Web\WebAppServer\SASServern_m\logs directory
Server

SAS web SAS-configuration-directory\Levn\Web\Logs\SASServern_m

applications directory

SAS Web SAS-configuration-

Infrastructure directory\Levn\WebInfrastructurePlatformDataServer\Logs
Platform Data
Server directory
Note: In a multi-machine deployment, the default log location is on the
server tier.

SAS Web Server SAS-configuration-directory\Levn\Web\WebServer\logs directory

For more information about SAS server logging, see “Administering Logging for SAS Servers” in
SAS Intelligence Platform: System Administration Guide.
For more information about specific web application logs, see SAS Intelligence Platform: Web
Application Administration Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-25

Distributing Server Functions

• Web application requests are distributed by the SAS Web Server. The SAS
Web Server is configured as a load-balancing HTTP (reverse) proxy.
SAS Studio
SAS Web Server SAS Visual Analytics
(http server)
Web Browser SAS Web Report Studio

SAS Web Application

Server

• The SAS Web Application Servers “host” the SAS web applications.
• Web application server instances can coexist on the same machine
(vertical clustering), or the server instances can run on a group of middle-
tier server machines (horizontal clustering).

25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Web Server acts as a reverse proxy server. A user requests access to a web application
such as SAS Studio and communicates with the web server. The web server knows where the web
applications are located and forwards the request to the web application endpoint requested. It does
not perform any actions on the requests, but it does act like the actual end point to the user.
No matter how you cluster the applications, you can achieve a level of high availability and load
balancing of users requests by clustering you web application servers.

Vertical Clustering
of SAS Web Application Servers
Clients Middle Tier

SAS Web Server

Web Browser
(http server) SASServer1_1

SASServer1_2

SASServer1_3

SAS Servers SAS Web Application Servers

SAS Metadata Server

SAS Workspace Server…

SAS Web Infrastructure

Platform Data Server

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-26 Lesson 2 Reviewing SAS® Platform Architecture Components

Vertical clustering can be configured automatically by the SAS Deployment Wizard. The custom
prompting level is used in the SAS Deployment Wizard.
If you configured multiple instances of a managed server, such as SASServer1_1 and
SASServer1_2, then the web applications that support clustering are deployed identically to each
instance. Each of these instances is a vertical cluster member.
Advantages:
• If the Java process that underlies one of the instances in the web application server cluster
encounters problems that stop the functioning of the web applications, the applications in the other
cluster instance are still able to respond. In this case, it would be possible to stop and restart the
web application server that is experiencing problems. Requests would still be serviced by the
applications in the other cluster instance. Users who had sessions on the stopped server would
lose session data, but an attempt to reconnect to a clustered application would be successful.
• In some cases, the operating system can balance CPU load more effectively if separate Java
processes are used.
Disadvantages:
• If the single machine on which the vertical cluster is deployed experiences an outage, then all the
instances in the cluster are affected. Therefore, the failure of a single machine would cause the
application to become unavailable.
Note: Some applications, such as SAS BI Dashboard Event Generator, and some SAS solutions
applications cannot be clustered. Those are examples of when the server instances and
applications are not identically configured.

Horizontal Clustering
of SAS Web Application Servers
Clients Middle Tier
SAS Web Application Servers

SAS Web Server

Web Browser
(http server) SASServer1_1

SASServer1_2
SAS Servers

SAS Metadata Server

SAS Workspace Server… SASServer1_3

SAS Web Infrastructure
Platform Data Server

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In this topology, some deployments can implement a failover scheme, in which a server failure does
not interrupt a user’s session. The proxy server detects the failure and redirects the requests to a
different application server. That server can then retrieve the users’ session information and
continue.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-27

Advantages:
• The SAS web applications and the web application server cluster are protected by firewalls.
• The web application server and SAS web applications can be configured to perform web
authentication for single sign-on to the applications and other web resources in the network.
• Response time is improved because static content is cached by SAS Web Server.
• The greater computing capacity of the web application server cluster also improves performance.
• After the cluster is established, additional server instances can be added to support larger
numbers of concurrent users.
• Clustering provides fault isolation that is not possible with a single web application server. If a
machine in the cluster fails, then only the users with active sessions on that machine are affected.
• You can plan downtime for maintenance by taking some servers offline. New requests are then
directed to the applications deployed on the remaining servers while maintenance is performed.
• Configuration and deployment of the cluster and the applications can still be automated with the
SAS Deployment Wizard.
Disadvantages:
• SAS Web Server remains a single point of failure. Software and hardware high-availability options
exist to mitigate this disadvantage.
• Some operations, such as redeploying web applications, can require more effort when more
machines are used.

Cluster Configurations
There are two general deployment topologies.
SASServer1_1
• Single server: SASServer1_2
• homogeneous cluster SASServer1_3

• clustered nodes containing the same applications that can be clustered

• Multiple server:
• heterogeneous cluster SASServers2_1
SASServer3_1
• specific applications that are deployed to SASServer3_2
different server instances
• can allocate additional resources to the applications and application groups that
are more heavily used

28
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Similar to clustering, the applications can be distributed to different managed servers. Distributing
the applications is similar to clustering in that additional web application server instances are used. It
is different in that the managed server profiles are different. That is, single instances of the
applications are distributed to web application servers rather than redundant instances.
Distributing the applications enables more memory availability for the applications that are deployed
on each managed server and also increases the number of users that can be supported.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-28 Lesson 2 Reviewing SAS® Platform Architecture Components

Some SAS solutions are configured automatically with multiple servers by the SAS Deployment
Wizard. However, you can choose to configure multiple managed servers by running the wizard with
the custom prompting level and selecting this feature.
Whether the single or multiple server topology is selected, both vertical and horizontal clusters are
still possible, as is a combination of both clustering techniques. The only dif ference is how the
applications are distributed to the server instances.

High Availability
Several middle-tier components can be configured for high availability, and each has
different requirements and considerations.

SAS Web Server

SAS Web Server

SAS Web Server

SAS Web Application Server SAS Web Application Server SAS Web Application Server
SASServer1_1 SASServer1_1 SASServer1_1

Cache Locator JMS Broker Cache Locator JMS Broker Cache Locator JMS Broker

SAS Grid Manager

SAS Compute SAS Metadata SAS Content
SAS Compute SAS Metadata
Server SAS Content
Server SAS WIP Data
Server
SAS Compute
Server SAS Metadata
Server SAS Content
Server Server
Server Server Server
29
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Some components, such as SAS Web Application Server, can be configured in a cluster
automatically. Other components, like JMS Broker, require manual configuration to enable
high availability.
The following SAS Platform components can be deployed and configured for high availabili ty:
• SAS Metadata Server
• SAS Web Server
• SAS Web Application Server
• SAS Web Infrastructure Platform Data Server
• SAS JMS Broker
• SAS Cache Locator
• SAS Object Spawner
• SAS OLAP Server
• SAS Environment Manager Server
• SAS Environment Manager Agent
• SAS Deployment Agent

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-29

For more information, refer to the following:

• “High-Availability Features in the Middle Tier” in SAS Intelligence Platform: Middle-Tier
Administration Guide.
• “Best Practices for Implementing High Availability for SAS 9.4.” SAS Global Forum Paper 305-
2104. http://support.sas.com/resources/papers/proceedings14/SAS305-2014.pdf
• “Managing SAS Web Infrastructure Platform Data Server High-Availability Clusters.” SAS Global
Forum Paper SAS1776-2015. http://support.sas.com/resources/papers/proceedings15/SAS1776-
2015.pdf

Classroom Environment
In the classroom environment, four SAS Web Application Server instances
exist, but they are not clustered. Web applications are deployed on only
one instance.
Middle Tier
Clients SAS Web Application Servers

SAS Web Server SASServer1_1

Web Browser (http server)
SASServer2_1
SAS Servers
SASServer12_1
SAS Metadata Server

SAS Compute Servers

SAS Web Infrastructure

Platform Data Server

30
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-30 Lesson 2 Reviewing SAS® Platform Architecture Components

Practice

4. Finding Web Applications Deployed on SAS Web Application Server Instances

There are a few places where you can look to find out on which SAS Web Application Server
instance your web applications are deployed.
• It is documented in Instructions.html. This is the reference document for your SAS
deployment. It contains any manual configuration steps that must be performed. It provides an
overview of your deployment, including the web application URLs.
• SAS Environment Manager.
• Configuration directory for the SAS middle tier.
a. Open Instuctions.html. It is located under the SAS configuration directory in the
Levn/Documents subdirectory.

For Linux Server

1. You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Log on to sasmid.demo.sas.com. (You are logging on as the
install account; no changes are needed.)

2. In WinSCP, navigate to /opt/sas/config/Lev1/Documents.

(As an alternative, you can use MRemoteNG and connect to sasmid.demo.sas.com.
Use the firefox /opt/sas/config/Lev1/Documents/Instructions.html command to
open the document.)

3. Right-click Instructions.html and select Open. (Double-clicking the file renders it in

the WinSCP editor, not Internet Explorer.)

4. Select Web Application Server in the Overview list. Review the configuration details.
What web application is not clusterable?
What web application server instance is it deployed on?
What web application server instance is SAS Studio deployed on?

For Windows Server

1. Access Windows Explorer, and navigate to
D:\SAS\Config\Lev1\Documents\Instructions.html.

2. Double-click Instructions.html to open the document in Internet Explorer.

3. Select Web Application Server in the Overview list. Review the configuration details.
What web application is not clusterable?
What web application server instance is it deployed on?
What web application server instance is SAS Studio deployed on?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-31

b. Open SAS Environment Manager.

1) Connect as sasadm@saspw with a password of Student1.
2) Go to Resources  Browse  Servers.
3) Select a web application server, such as the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: sasserver.demo.sas.com SASWebApplicationServer
SASServer2_1
4) Select Views  Application Management.
The deployed SAS web applications are listed. You can stop and start a web application
from this location as well.

c. Find the WAR files that are deployed on each web application server instance. They are
located in the sas_webapps directory under the SAS Web Application Server configuration
directory.

For Linux Server

On the sasmid.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
Note: You can use WinSCP or MRemoteNG.

For Windows Server

Navigate to
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.

5. Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL RDBMS
In this practice, you modify the necessary information so that the SAS Web Infrastructure
Platform Data Server resource can be monitored. (This is the PostgreSQL database server with
listening port 9432.)
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1, if
not already signed in.
b. Go to Resources  Browse  Servers.
c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the
right.)
d. The status of the PostgreSQL server is undetermined. Click the resource:
For Linux Server: sasapp.demo.sas.com PostgreSQL 9.x localhost:9432
For Windows Server: sasserver.demo.sas.com PostgreSQL 9.x localhost:9432
e. You see that the server is not well configured. Click Configuration Properties.
f. Enter the required parameter values:
PostgreSQL.user: dbmsowner
PostgreSQL.pass: Student1
PostgreSQL.program or Windows Service:

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-32 Lesson 2 Reviewing SAS® Platform Architecture Components

For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh

For Windows Server

Use the Windows Service name: SAS [Config-Lev1] Web Infrastructure Platform
Data Server
Note: To avoid typographical errors, go to the Windows services application and copy
and paste the service name to the service name field.

g. Make sure that the Auto-Discover DataBases, Indexes, and other services? check box is
selected. Then click OK.
h. Click Monitor. After a few minutes (or the required time for the agent to query the system),
you see the server availability, some server metrics, and two new services.
6. Setting Up Log Tracking for a Resource in SAS Environment Manager
Many of the server-level resources enable the administrator to set up log tracking. This is a
method of monitoring specific log files, usually for specific messages, such as severe errors or
other critical information. By doing this, you are not required to open the log files directly. You can
access only the portion that you need from the user interface. The log file entries are one type of
event that can be configured and customized in SAS Environment Manager.
For SAS servers, a special file, sev_logtracker_plugin.properties, is automatically set up by
the SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on log
tracking and specify the log messages that you want to capture.
In this practice, you enable log tracking for a SAS Web Application Server. The SAS Web
Application Server (SASServer1 instance) log file is scanned for start-up completion. If you must
restart that server, you know when it is fully started up, and that all the web applications are
loaded and ready for users. Although this server might appear as Available or Started right
away, it is not actually ready to receive requests for 20 to 30 minutes after that, given the
necessary full deployment of all the SAS web applications.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1, if
you are not already logged on.
b. Click Resources  Browse.
c. Select the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: SASSERVER SASWebApplicationServer SASServer2_1
d. Click Views  Application Management. There are fewer web applications deployed on
this instance, so choose this SAS Web Application Server to use for log tracking.
e. Click the Inventory tab.
f. Scroll to the bottom to the Configuration Properties section and click Edit.
g. Set the following properties:
1) Click the Enable Log Tracking check box.
2) Select INFO from the Track Event Log Level drop-down menu.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.2 Exploring the SAS Middle- Tier Architecture 2-33

3) Under Log Pattern Match, enter the following code:

Server startup in \d{5,} ms
4) For the log files, enter logs/server.log.
h. Click OK at the bottom center of the window. You should see the following message:

i. Restart the server. Select Resources  Browse and then select the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: sasserver.demo.sas.com SASWebApplicationServer
SASServer2_1
j. Click the Control tab.
k. Select Control Action: Restart. Click the arrow to the right.
l. When the command state indicates Completed, click the Monitor tab. The Restart event was
recorded and appears in the Events/Logs Tracking timeline at the bottom of the window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-34 Lesson 2 Reviewing SAS® Platform Architecture Components

If you click the event bubble, a message appears. The server is not yet available because all
the applications were not deployed and started yet.
m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking
timeline.
While waiting, you can change the time range of metrics displayed by selecting 30 and
Minutes from the drop-down lists next to Last. Click OK.

That second event provides the actual message text from the log file that you specified in
your search, Server startup in XXXXXX ms, as shown above.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-35

2.3 Operating SAS Servers and Spawners

Methods for Operating Servers and Spawners

Servers and spawners and can be started and stopped several ways.
• Windows Services Manager
• Scripts:
• Individual Server Scripts
• UNIX and z/OS sas.servers script
• SAS Tools:
• SAS Management Console (stop only)
• SAS Environment Manager

33
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Available Methods for Operating Servers

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-36 Lesson 2 Reviewing SAS® Platform Architecture Components

Start-Up Parameters
Start-up parameters for SAS servers are stored in sasv9 configuration files.
These SAS system options take effect each time that you invoke SAS.

If you want to specify different values for system options, or if

you want to specify additional options, then enter your updates
and additions in sasv9_usermods.cfg, which is located in the same
directory as sasv9.cfg. You must restart the server in order for
the changes to take effect.

34
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Running Servers as Windows Services

On Windows, the SAS servers and services are installed as Windows services
that have these features:
• start automatically when you restart the machines
• are named SAS [deployment-name-and-level] <server-context -> server-name
• can be managed from a command line using SAS provided batch scripts:
net start|stop|pause|continue “service-name”
• have built-in dependencies to ensure that they start up in the correct
order on each machine

35
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: In a typical deployment, the Windows services would have a start-up type of Automatic.
The classroom image uses a batch f ile to start services and has a start-up type of Manual.
Note: Service dependencies are not set up by the SAS Deployment Wizard for the SAS Web
Application Server. See Installation Note 52100: http://support.sas.com/kb/52/100.html.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-37

Using the sas.servers Script on UNIX or z/OS

The SAS Deployment Wizard creates a sas.servers script during installation.
The script enables you to use a single command to do any of the following:
• start, stop, or restart all of the SAS servers and spawners on the machine
in the correct order
• display the status of all the SAS servers and spawners on the machine
Note: The script does not include the SAS Deployment Agent. To start and
stop the SAS Deployment Agent, use the following:
- SAS Deployment Manager
- SAS Environment Manager
- the command, located in the SASHome directory

36
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Using the sas.servers Script on UNIX or z/OS

The script is located in the top level of the configuration directory (for
example, SAS-configuration-directory/Lev1).
To use the sas.servers script, perform the following steps:
1. Log on as the SAS Installer user.
2. Go to the configuration directory where the sas.servers script is stored.
3. Issue the following command:
./sas.servers start|stop|restart|status

You can also install the sas.servers script as a boot script.

37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Some servers are started directly by the sas.servers script. Other servers are started by the
sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers. The table below
shows the script names, the components that are included in each script, and the order in which the
components are started.
Beginning with SAS 9.4M1, the sas.servers.mid script starts the SAS Web Server before the SAS
Web Application Server. This start-up order helps ensure optimum performance when web
applications are initialized.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-38 Lesson 2 Reviewing SAS® Platform Architecture Components

Script Tier Start-up Order

sas.servers.pre (called server tier SAS Web Inf rastructure Platf orm Data Server
by sas servers)

sas.servers server tier SAS Metadata Server, SAS OLAP Server, SAS Object
Spawner, SAS/SHARE server, SAS/CONNECT spawner,
and SAS Distributed In-Process Scheduler Job Runner
sas.servers.mid (called middle tier JMS Broker, Cache Locator, SAS Web Server, SAS Web
by sas.servers) Application Server, and SAS Environment Manager
server
sas.servers.mid (called server and SAS Environment Manager Agent
by sas.servers) middle tier

If needed, you can use the sas.servers.pre or sas.servers.mid script to start a subset of servers.
However, make sure that you follow the start-up order that is shown in the preceding table.
Other servers might also be included in the scripts, depending on which SAS applications you
configured.

You should not directly update the sas.servers script. If the script needs to be updated
(f or example, to add new servers or remove servers), then regenerate the script by using
generate_boot_scripts.sh. For details, see “Regenerating a sas.servers Script” in SAS 9.4
Intelligence Platform: System Administration Guide.

Required Servers: Stacking Toy Analogy

For clients to access the SAS environment, the following components must
be running on network-accessible machines.
Stop Order

Middle Tier
Servers

Compute Tier
Servers

Metadata Server
(cluster)
Start
38
Order C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Because of dependencies, it is important to start the servers in the correct order. Processes on the
server tier need to be started bef ore the middle tier. The recommended order is described on the
f ollowing slides.
Note: All of the servers except the SAS Web Inf rastructure Platf orm Data Server depend on the
metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-39

Note: In clustered conf igurations, make sure that all the metadata server nodes are running bef ore
you start dependent components.

Required Servers: Stacking Toy Analogy

Stop Order

Compute

Metadata Server

Middle Tier
Servers

39
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Recommended Start-Up Order

SAS Deployment Agent
SAS Environment Manager Agent
JMS Broker
Middle Tier Cache Locator
Servers: SAS Web Server
SAS Web Application Server
SAS Environment Manager Server

SAS OLAP Server

SAS Object Spawner
Compute Tier SAS/SHARE Server
Servers: SAS Deployment Tester Server
SAS Distributed In-Process
Schedule Job Runner
SAS Web Infrastructure Platform Data Server
Metadata Server (cluster)
40
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

By def ault, the SAS Web Inf rastructure Platf orm Data Server is backed by PostgreSQL and is
provided as an alternative to using a third -party DBMS. The server cannot be used as a general
purpose data store.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-40 Lesson 2 Reviewing SAS® Platform Architecture Components

The SAS Object Spawner is a process that runs on workspace server, pooled workspace server,
and stored process server host machines. It listens f or requests f or these servers, authenticates
clients, and launches server processes as needed. The object spawner connects to the metadata
server to obtain inf ormation about the servers that it manages.
The SAS/SHARE server provides concurrent Read and Write access to tables.
SAS/CONNECT servers provide computing resources on remote machines where SAS Integration
Technologies is not installed.
OLAP cubes are logical sets of data that are organized and structured in a hierarc hical
multidimensional arrangement. Cubes are queried by using the multidimensional expression (MDX)
language by the OLAP Server.
The SAS Deployment Tester Server is a diagnostic tool used for assessing a SAS deployment. After
an installation or upgrade, you can use the Deployment Tester to ensure that your SAS software and
critical components have been installed and configured correctly. The Deployment Tester Server is
installed on each server tier machine in the SAS deployment.
The Job Execution Service provides a common, standardized way for web applications to create,
submit, store, retrieve, and queue jobs for SAS servers. The SAS Distributed In-Process Scheduler
Job Runner can be used for running these scheduled jobs.
SAS middle-tier servers include the SAS Web Application Server, SAS Web Server, SAS
Environment Manager Server, and the supporting JMS Broker and Cache Locator components.
Note: The SAS Web Application Server depends on the Cache Locator.
Note: The SAS Environment Manager Server depends on the SAS Web Infrastructure Platform
Data Server and the SAS Web Application Server, but it can start without these components.
However, the SAS Environment Manager application requires these components in order to
provide full functionality.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-41

Multi-tiered SAS Services

The sas.servers script does not take into account the correct start-up order
of SAS servers across multiple machines. Technical Support does supply a
utility that manages multi-tiered SAS services for UNIX and Linux
deployments.
1 2 3

Metadata Server SAS Servers Middle Tier

SAS Web Infrastructure Platform
SAS Environment Data Server SAS Web Application Server
Manager Agent SAS Object Spawner
SAS OLAP Server SAS Environment SAS Web Server
SAS/CONNECT Spawner Manager Agent (http server)
SAS/SHARE Server
SAS Environment
JMS Broker
SAS Environment Manager Server
Manager Agent
Cache Locator

41
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

See Usage Note 58231, “Utility that manages multi-tiered SAS services f or UNIX and Linux
deployments” f or more inf ormation: http://support.sas.com/kb/58/231.html
Also, see the SAS Global Forum paper “An Oasis of Serenity in a Sea of Chaos: Automating the
Management of Your UNIX/LINUX Multi-tiered SAS Services”:
http://support.sas.com/resources/papers/proceedings17/SAS0339-2017.pdf

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-42 Lesson 2 Reviewing SAS® Platform Architecture Components

Using SAS Environment Manager to Operate Servers and

Spawners
This demonstration uses SAS Environment Manager to operate SAS servers and spawners.
1. On the Windows machine, choose either Internet Explorer or Chrome and select SAS
Environment Manager from the Linux or Windows folder on the Favorites bar.
2. Log on as sasadm@saspw using the Student1 password.
3. Click the Resources tab.
4. Click Servers.

5. In the list of servers, click SAS Object Spawner 9.4. You might need to go to the next page for
the object spawner, or you can increase the Items Per Page value.

Alternatively, the Search feature can quickly locate resources.

6. Click Control.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-43

7. You can issue and schedule control actions from this location. An example of this is if you need
to recycle a SAS Web Application Server at a low usage time.
Under Quick Control, change Control Action to Stop and click .

After the control action is complete, a message is presented.

8. Check the status of that server from the main monitoring page. Select Resources  Browse 
Servers and verify that the Stop control action worked properly. The status of the object spawner
changes to not available. However, the change in status does not show up immediately.

Or you can see a bubble at the bottom of the monitoring page of the object spawner, which
signifies an event just occurred. Clicking the bubble shows the event.

9. Start the object spawner. (You can either use the Quick Control action in SAS Environment
Manager or perform the appropriate action on the server machine.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-44 Lesson 2 Reviewing SAS® Platform Architecture Components

Practice

7. Operating the SAS Servers

a. Check the status of the SAS servers.

For Linux Server

1. On UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS servers. They are called sas.servers.pre, sas.servers, and
sas.servers.mid.
Some servers are started directly by the sas.servers script. Other servers are started
by the sas.servers.pre and sas.servers.mid scripts, which are called by
sas.servers. The table on page 2-37 of the course notes shows the script names, the
components that are included in each script, and the order in which the components
are started. For Linux Server

2. On the sasapp.demo.sas.com machine, navigate to /opt/sas/config/Lev1. Use the

sas.servers script to verify the status of the SAS servers: ./sas.servers status. (The
valid commands are stop, start, restart, and status.)

3 On the sasmid.demo.sas.com machine, navigate to /opt/sas/config/Lev1. Use the

sas.servers script to verify the status of the SAS servers: ./sas.servers status. (The
valid commands are stop, start, restart, and status.)

4. Because we have a multi-machine deployment, a single script was created that will
first run the sas.servers script on the sasapp.demo.sas.com machine and then start
the sas.servers script on the sasmid.demo.sas.com machine.
On the sasapp.demo.sas.com machine, navigate to /usr/local/bin. Use a text editor,
such as gedit, to view the startAll script: gedit startAll
(You can also use WinSCP.)
Who must run this script?
If you need to restart the SAS servers, you can use this script to ensure that the
servers are stopped and started in the correct order. Because you need to run these
scripts as root, there is a connection set up in mRemoteNG for root.
Do not restart servers at this time.

You might use a script similar to this one in your environment. However, be
aware that this script deletes log files, which you would not want for a SAS
environment outside of the classroom.
See Usage Note 58231, “Utility that manages multi-tiered SAS services f or UNIX and
Linux deployments,” f or more inf ormation: http://support.sas.com/kb/58/231.html

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.3 Operating SAS Servers and Spawners 2-45

For Windows Server

1. On your Windows Server machine, it is fastest to use the Windows Services

application to check status and to stop and start SAS servers. Click the Services icon
in the system tray. With Services selected, scroll down to the SAS services. Verify
that the status for all the SAS services is Started.

2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.
Note: In a typical deployment, the Windows services would have a start -up type of
Automatic. The classroom image uses a batch file to start services.

3. Click the Dependencies tab.

Note: The dependencies do not include any middle tier servers. It is not
recommended that you include them in the dependencies. However, it is
possible. See Installation Note 52100: http://support.sas.com/kb/52/100.html

b. Review the start-up order of the SAS servers.

For Linux Servers

Use gedit, vi, or WinSCP to open the sas.servers script located in the
/opt/sas/config/Lev1 directory on the sasapp.demo.sas.com machine and the
sasmid.demo.sas.com machine. Review the start-up order of the SAS servers.

For Windows Server

Navigate to D:\thirdparty\scripts. Right-click StartSAS.bat and select Edit. Review the

start-up order of the servers.
How much time is built in for the web server to wait for the cache locator to start up? What
is being read before it starts up?

You might use a script similar to this one in your environment. However, be aware
that this script deletes log files, which you would not want for a SAS Environment
outside of the classroom.

8. Validating the Servers in SAS Management Console

a. On the client machine, log on to SAS Management Console as Ahmed using the Student1
password.
b. Expand Server Manager  SASApp  SASApp - Logical Workspace Server 
SASApp - Workspace Server. Right-click the following:
For Linux Server: sasapp.demo.sas.com
For Windows Server: sasserver.demo.sas.com
Select Validate.
Was the validation successful? If not, verify that the object spawner is running.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-46 Lesson 2 Reviewing SAS® Platform Architecture Components

c. View the details of the validation. What autoexec file was executed at server initialization?
Note: An autoexec file contains SAS statements that are executed immediately after
SAS initializes the server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-47

2.4 Exploring SAS Environment Manager

SAS Environment Manager

SAS Environment Manager provides a framework for SAS administrators to
monitor the performance, health, and operation of their SAS deployments.
• A comprehensive view of all
resources related to SAS is displayed.
• It provides drill-down into different
levels of detail about resources.
• It provides a flexible alerting function
to warn administrators of problems.

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Environment Manager surf aces the f ollowing key monitoring and management capabilities f rom
Hyperic:
• Resource discovery automatically discovers resources and software, and enables the detailed and
customized monitoring of them.
• Personal dashboards can display summaries and high-level monitoring, based on user IDS or on
role memberships.
• Metric collection collects a standard set of metrics that reflect availability, performance, utilization,
and throughput.
• Event tracking monitors log and configuration files and records events of interest for most server
types.
• Resource control: You can use SAS Environment Manager for remote control and administration
of your software resources (for example, starting, stopping, or pausing a server).
• Alerting and escalation: You can set alerts on metrics and configure actions to perform when an
alert fires. For example, when an alert fires, the system can issue email notifications, set SNMP
traps, perform a control action, or issue a communication to another management system.
• Visualizations are in the form of graphic displays for server monitoring, memory/disk, and/or
processor usage.
• Live data: Hyperic provides Live Exec views for all platform types. You can run a variety of real-
time system commands to obtain the live system status.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-48 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Environment Manager Architecture

Platform 1 (machine 1)
SAS Environment
Service A
Manager Server
SAS Environment
Service B
Manager Agent Management Server
Middle Tier
Servers
resources, metrics,
events, alerts,
control actions
Platform 2 (machine 2)
SAS Environment
Service C Manager web
SAS Environment application SAS Environment
Service D Manager
Manager Agent
SAS Servers Database
Object
Spawner

Platform 3 (machine 3) Upgradeable through plug-ins: each

plug-in is associated with a specific resource.
SAS Environment
SAS Metadata Server
Manager Agent

47
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Components of SAS Environment Manager:

The SAS Environment Management Server communicates with the agents to collect inf ormation
about discovered resources, metrics, and availability. It issues control actions received from the
SAS Environment Manager application.
The SAS Environment Manager Agent is a sof tware process that runs on each machine in the
conf iguration (middle-tier and server-tier machines in a SAS deployment). It scans the machine, the
process table, and the f ile system f or processes that it is f amiliar with, and gathers that inf ormation.
Periodically, the agents send their inf ormation to the server, where it is summarized and added to
the database as part of the inventory. Plug-ins are used to provide the agents with the inf ormation
needed to discover SAS resources installed on a platf orm.
SAS Environment Manager Database is a repository f or all of the resource inf ormation that is known
to SAS Environment Manager. It uses the SAS Web Inf rastructure Platf orm Data Server, which is
based on PostgreSQL. Af ter resources are discovered and added to your inventory, the database
stores data that is collected f rom the agents abo ut the resources.
SAS Environment Manager Application is the web-based interf ace to the SAS Environment Manager
system. Administrators can use the web -based interf ace to view this data, and thereby obtain a host
of inf ormation about the various resources that are running in the system. The interf ace also enables
administrators to set up alerts when specif ied events occur, and generate reports that summarize
the state of the platf orm. SAS Environment Manager also enables administrators to control the
servers, via the agents, and perf orm such actions as starting and stopping servers and modifying the
conf igurations of various servers. The application also includes a f ramework to add f unctions specific
to SAS, such as server, library, and user administration.
Plug-ins enable agents to discover and monitor resources in a SAS environment. Each plug -in is
associated with a specif ic resource, and provides the agents with the instructions needed to
recognize the resource during auto-discovery and to monitor and collect metrics for the resource.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-49

The basic architecture of SAS Environment Manager consists of an agent process running on each
platf orm in a SAS deployment that communicates to a central management server. Agents monitor
detected resources and periodically report resource metrics back to the server. The server provides
an interf ace f or interacting with those agents, managing the data collected by the agents, distributing
plug-ins, creating alerts and escalation procedures based on collected metrics, and grap hing the
metrics provided through the installed plug -ins.

SAS Environment Manager Architecture

A broad set of operational metrics is collected.
Solutions
Web Application Servers
WIP Services and DB
ActiveMQ Messaging
Apache tc Server Availability
SAS Servers
• Metadata Performance
• Object Spawner
• StoredProcess Server Configuration
Operating Systems changes
• Memory
SAS Environment
• Processor Events Manager Database
• IO
Storage and IO Systems
• LASR Log entries
• Scalable Performance Data Server
• SAS Data Set Virtualization
48
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Metrics are the measurements taken by the SAS Environment Manager agents, on the various
computing resources being monitored. Metrics can be static numbers, f requencies over some time
period, percentages, or averages over some time period. They are periodically sent to the server,
and stored in the database.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-50 Lesson 2 Reviewing SAS® Platform Architecture Components

Resource Inventory Model

The relation between service, server, and platform is a resource hierarchy.
The Resources page lists the inventory of resources.

Platform Platform
Machine, OS, network
switch, or SAS deployment
Server

Server Service

A software product or Service A task-specific software

processes, such as SAS component, such as SAS
Metadata Server or tc logical server, that runs
Server, that runs on a on a server or platform
platform
49
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Examples of types of resources:

Platforms: operating system platforms (such as sasserver.demo.sas.com), SAS deployments
(such as SAS 9.4 Application Server Tier), virtual and network platf orms (such as
Cisco IOS or GemFire Distributed System)
Servers: web application server, web server, Postgres server, SAS Metadata Server, SAS
Object Spawner, SAS Home Directory Service
Services: DNS service, Fileserver mount, Windows service, Work directory
Note: When you run SAS Environment Manager f or the f irst time, the application auto -discovers
and auto-accepts the resources listed in the auto-approved.properties f ile. (This is created
when the SAS Deployment Wizard installs SAS applications and is located in the
<agenthome>/conf directory.) Resource types that are not listed in this f ile must be
accepted f or monitoring af ter they have been discovered.
Additional Groups That Can Be Created

Compatible These groups contain selected instances of a single type of resource (f or

Groups example, SAS Object Spawners or Visual Analytics nodes). Because every
member of a compatible group is unif orm, the metrics collected across the group
can be aggregated f or reporting purposes.

Mixed Groups These are user-created groups that can contain multiple types of resources, such
as other groups, platforms, servers, and services. Availability is the only metric
that is available f or a mixed group.

Application These groups are sets of selected services, usually running on dif ferent servers
on multiple platf orms that together f ulf ill a single business purpose. Creating
application groups enables you to manage your inf rastructure f rom an application
perspective, as opposed to a hardware perspective.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-51

Metrics
Metrics are the measurements taken by the SAS Environment Manager
agents on the various computing resources being monitored.
• The “Availability” metric is required by all plug-ins, and it is the one
measure that is found on all resources.
• A different set of metrics is collected
for each type of resource.
• There is a default subset of
metrics that will be displayed
for each resource type, but
this can be modified.

50
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Using the Dashboard

The dashboard is your first view when you start SAS Environment Manager.
It provides a configurable graphical display of important items to be
watched.
The administrator is able to do the following:
• focus on a few specific resources and their availability
• focus on specific metrics that are most important for a given resource
• compare similar resources on a specific metric
• organize alerts
• create multiple dashboards for different purposes (for example, a “basic
monitoring” dashboard or a “troubleshooting” dashboard)

51
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Each user can access their own personal dashboard as well as a dashboard f or each of the native
roles of which the user is a member. Each dashboard can be customized to meet the needs of the
user or role.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-52 Lesson 2 Reviewing SAS® Platform Architecture Components

Using the Dashboard

The dashboard is divided into two columns. The portlets can be rearranged, deleted,
and added back in. Some portlets can appear only once, whereas other portlets can
appear more than once.
Left Column Only Right Column Only
Availability Summary * Auto-Discover
Saved Charts * Metric Viewer *
Summary Counts Group Alerts Summary *
Recently Added Control Actions
Search Resources Favorite Resources *
Recent Alerts *
Problem Resources *

Note: The portlets with an asterisk (*) are specifically for monitoring.
52
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The portlets that can appear more than once display inf ormation about a selected group of
resources. Each instance of the portlet displays inf ormation about different resources. The portlets
that can appear only once display inf ormation for the entire environment.
Available Portlets

Name Description Location Instances

Auto- Lists new and changed resources and enables you to add Right One
Discovery them to the inventory. Check this portlet af ter you install a
plug-in to accept the newly discovered resources into the
inventory.

Availability Indicates the availability of selected resources, grouped by Left Multiple

Summary resource type. This portlet ref reshes every minute.

Control Lists recently perf ormed actions on managed resources and Right One
Actions upcoming scheduled actions. Also indicates which quick
control actions are most f requently perf ormed.

Favorite Lists selected resources. Right One

Resources

Saved Displays selected charts as a slide show. Left One

Charts

Recent Lists the most recently triggered alerts f or selected Right Multiple
Alerts resources. This portlet ref reshes every minute.

Recently Lists platf orms that have been recently added to inventory. Left One
Added

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-53

Name Description Location Instances

Search Enables you to search f or resources. The search supports Left One
Resources case-insensitive, partial-term queries f or a specif ied
inventory type

Summary Displays a count of managed resources by inventory type. Left One

Counts Only those resources that you are allowed to access are
displayed.

Group Displays traf fic light indicators for resource alerts and group Right One
Alerts alerts f or selected groups. To view a list of alerts that have
Summary f ired f or a group, click that group’s traffic light. To view a
group page, click that group’s name.

Metric Displays selected metrics for selected resources. This Right Multiple
Viewer portlet ref reshes every minute.

Problem Lists all resources that have problem metrics and provides Right One
Resources details, including availability status, number of alerts per
resource, number of times the metric has been out of
bounds, and the most recent time that the out-of -bounds
metric was collected.

Controlling Access to Environment Manager

Users in SAS Environment Manager are mapped to users created in
SAS metadata.
Group Name in SAS Metadata Role in Environment Manager
SAS Environment Manager Super User Super user role
SAS Environment Manager Guest Guest role
SAS Environment Manager App Server SAS App Tier role
Tier Users
SAS Environment Manager Data Mart (not used)
Administrators
SAS Environment Manager Data Mart (not used)
Users
53
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Although native user def initions are internal to SAS Environment Manager, they are mapped to user
def initions created in SAS metadata. Native users are created by f irst creating the user def inition in
metadata and then synchronizing the user inf ormation with SAS Environment Manager. You cannot
create or edit native user def initions in SAS Environment Manager directly.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-54 Lesson 2 Reviewing SAS® Platform Architecture Components

Native roles enable you to grant capabilities and permissions for actions in SAS Environment
Manager to selected users. For example, an administrator role could be granted f ull permissions f or
all resource types and the ability to acknowledge and f ix alerts, whereas a guest role could be
denied the ability to f ix or acknowledge alerts and have only Read permission f or resources.
Assigning a native role to a native user determines the actions that the user can perf orm in SAS
Environment Manager.
Each native role also has its own unique dashboard page. Each user has access to his or her own
personal dashboard page and to the dashboard pages of all native roles of which he or she is a
member.

Authentication to Environment Manager

Environment Manager controls access and permissions within the
application with its own registry of users and its own system of roles and
permissions.
SASServer1_1 SAS Metadata
Server
/SASLogon Group: SAS EV
application 3 Super Users
(sasadm@saspw)

2
5
SAS EV Server
Role: Super
4 User (contains
user sasadm )

URL: http:<machine>:7080 1

54
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Step 1: User accesses the URL to SAS Environment Manager in browser.

Step 2: Request is redirected to the SAS Logon Manager application f or authentication.
Step 3: User is authenticated by the SAS Metadata Server.
Step 4: Request is passed on to SAS Environment Manager Server.
Step 5: User is again authenticated in SAS Environment Manager, and the user’s Role membership
determines what he or she can do in SAS Environment Manager.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-55

Exploring SAS Environment Manager

This demonstration explores SAS Environment Manager.

1. Open Internet Explorer or Google Chrome from the Windows machine using the taskbar. Select
SAS Environment Manager from the Windows or Linux folder on the Favorites bar.

2. Sign in as sasadm@saspw using the password Student1.

The interface is organized around five main areas.

Dashboard Configurable collections of portlets; this is the initial view when starting
SAS Environment Manager

Resources Resource-level monitoring and management

Analyze Deployment-wide views of events and alerts

Administration Metadata definitions for folders and objects, servers, libraries, users, and
metadata security and access controls

Manage Native users, roles, permissions, plug-ins

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-56 Lesson 2 Reviewing SAS® Platform Architecture Components

3. Dashboard: The Dashboard page is the initial view when a user logs on. It contains two
columns of portlets. Each portlet contains the resources and metrics that are most important to
your environment.
• The Dashboard page is customized by deleting, adding, or rearranging the various portlets
that you see.
• Selecting an entry in a portlet takes you to more detailed information about the entry.
• Each user can access his or her own personal dashboard as well as a dashboard for each of
the native roles of which the user is a member. Each dashboard can be customized to meet
the needs of the user or role. To choose a different dashboard, select the one that you want to
use from the Select a Dashboard field.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-57

4. Resources: Click Resources  Browse. The Resources page enables you to monitor,
configure, and manage inventory resources, organized by type (for example, Platforms, Servers,
Services).
• The number of resources extends to two pages. You can change items per page in the
bottom right of the interface, or use the black arrow to move to the second page of resources.
• You can click the resource to open the Details page that includes links to Monitor, Inventory, or
Alerts pages.

5. Click Platforms.
There are three platforms for the SAS deployment on Linux:
• sasapp.demo.sas.com machine
• sasmid.demo.sas.com machine
• SAS Application Server Tier
There are two platforms for the SAS deployment on Windows:
• SASSERVER.demo.sas.com machine
• SAS Application Server Tier

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-58 Lesson 2 Reviewing SAS® Platform Architecture Components

6. Click a machine platform:

For Linux environment: sasapp.demo.sas.com
For Windows environment: SASSERVER.demo.sas.com
The details about this resource, the OS platform, are displayed. (The details for each resource
differ somewhat, depending on what type of resource it is.)
• Across the top, basic machine specifications are given: OS, CPU speed, architecture, IP
address, RAM.

• Notice the five links on the upper left: Monitor, Inventory, Alert, Control, and Views. By
default, you are on the Monitor page. A variety of metric data is displayed, both in numeric and
graphic format, to enable you to examine detailed information about the resource’s operation.
• The fastest way to check the status of a resource is to use the availability bar, which is above
the indicator charts. The availability bar displays a color-coded dot that represents the
availability during a time slice. The length of each time slice depends on the display range that
you select (f or example, if you display the past eight hours of data, each dot corresponds to
approximately eight minutes). The percentage of time that the resource was available is
displayed at the end of the availability bar.
The dots are color-coded using the f ollowing format:
Green = 100% availability
Yellow = Partial availability; between 0% and 100%
Red = 0% availability

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-59

• To the left of the indicator charts, there are links to other resources that are under this resource
in the hierarchy.

• The events bar is displayed below the indicator charts. It is similar to the availability bar, with
dots representing time slices. The bar displays a dot if an event occurs during a time slice. If
no event occurs, the bar remains black.

7. On the bottom left of the page, click the down arrow next to Problem Metrics and select All
Metrics to display a list of all available metrics for this resource. Click the arrow next to a metric
to add the chart to those displayed on the page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-60 Lesson 2 Reviewing SAS® Platform Architecture Components

8. Analyze: The Analyze pages contains the Alert Center, Report Center (only if you have enabled
SAS Environment Manager Service Architecture), Environment Snapshot, Event Center, and
Operations Center. (You might see a Monitoring Center, which is part of the Job Monitor service.
It would contain SAS jobs submitted by the Data Management solution.)
• An event is any type of activity in a resource that you are monitoring.
• An alert is a user-defined type of event that acknowledges a critical condition in a selected
resource. You can configure SAS Environment Manager to also log events for log messages
and resource configuration changes.
Note: The pages on the Analyze tab are discussed in a later lesson.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-61

9. Administration: Click the Administration tab. This view enables you to view and manage SAS
folders and the metadata objects that they contain. Initially, the application displays the Folders
page.
Note: In order to access the Administration page, you must be a member of one of following
roles: Management Console: Content Management or Management Console:
Advanced

10. To switch to a different page, click the related icon on the vertical navigation bar. Click the
expand button to add text labels to the vertical navigation bar.

In the first practice, you add Ahmed to a SAS Environment Manager group in metadata and then
it is synchronized to the corresponding role in SAS Environment Manager.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-62 Lesson 2 Reviewing SAS® Platform Architecture Components

11. Select the Users page.

12. Filter on Group.

13. Enter Super in the search field to get to SAS Environment Manager Super Users.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-63

14. Highlight SAS Environment Manager Super Users to open the metadata properties.

15. From the tabbed menu, select Members.

16. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-64 Lesson 2 Reviewing SAS® Platform Architecture Components

17. Move Ahmed over from the Available identities list to the Direct members list. Click Save.

18. The Administration page is a separate web application, as you can see by the URL.

Return to SAS Environment Manager by clicking on the open window where it is running.
19. Click the Manage tab. The pages under Manage control how the SAS Environment Manager
application works.
• Authentication/Authorization: enables the management of users and roles. (These are not
the same as the users and roles in SAS metadata that control access to SAS metadata
objects, although SAS Environment Manager users are synchronized with users that are
defined in metadata and added to specific groups.)
• Server Settings: change settings for the SAS Environment Manager server; set default
monitoring and alerting definitions for all types of platforms, servers, and services; define
notification or logging actions that are taken for alerts; list currently loaded plug-ins; and
enable deleting or adding plug-ins.
• Plug-ins: contain functions that are added to the base functionality of SAS Environment
Manager to perform a specific action.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-65

• Licenses Usage Status: displays the number of licenses in use on the platform as well as the
total number of licenses that are permitted.
20. Click Synchronize Users.

21. Click OK twice.

Although it is no longer necessary to synchronize users when adding them to this role, it is
important to know how to force the synchronization for when/if permission to access SAS
Environment Manager is revoked and an administrator needs to force the synchronizat ion of
users.
Authentication is discussed in more detail in a later lesson.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-66 Lesson 2 Reviewing SAS® Platform Architecture Components

Practice

9. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
The internal account sasadm@saspw is the default account for signing on to SAS Environment
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the
user needs to be added to a SAS Environment Manager group in metadata and then
synchronized to the corresponding role in SAS Environment Manager.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1 if
you have not done so in the previous practice.
b. Go to the Manage page and select List Users to see a list of the current users in
Environment Manager. Three users are listed.
c. Click List Roles to see the Environment Manager roles. There should be three.
These three roles map to three user groups created in SAS metadata.
d. Add Ahmed to the SAS Environment Manager Super User group in metadata.
1) Go to the Administration page and select Users from the Side menu.
2) Filter on Group.

3) Enter Super in the search field to get to SAS Environment Manager Super Users.
4) Highlight SAS Environment Manager Super Users to open the metadata properties,
and from the tabbed menu, select Members.
5) Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
6) Move Ahmed from the Available identities list to the Direct members list.
7) Click Save.
e. You do not need to synchronize users from the Manage page. Instead, sign out as
sasadm@saspw and sign back in as Ahmed to verify that he now has access to
SAS Environment Manager. Stay signed in as Ahmed for the rest of the practices.

10. Adding an Availability Summary Portlet to Your Dashboard

a. In SAS Environment Manager, click the Dashboard tab if you are not already there. Make
sure that you are logged on as Ahmed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-67

b. Create an OS and SAS Server Tier availability summary portlet.

1) On the left side of the Dashboard page, select Availability Summary in the Add
Content to this column field.
2) Click the Configure button to display the Dashboard Settings page for the portlet.
3) Click Add to List in the Selected Resources area.
4) In the View field, make sure that Platforms is selected. Move all resources to the right.
Click OK.
5) Specify the name OS and SAS Server Tier in the Description field. Click OK.
6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking the
heading and dragging it to the top of the left column.
c. What are the metrics that are collected for the SAS Application Server Tier platform?
Click SAS Application Server Tier from the summary portlet.
The metrics pertain to metadata server clustering. (Metadata server clustering is reviewed in
the next lesson.)
11. Evaluating Resource and Memory Usage on a Host
System resources can approach their limits and cause the system to become slow or unstable. If
you see a problem with system responsiveness from the users’ point of view, there are some
metrics that can be checked to give us clues as to why. It is also possible for system resources
to be nearing their limits, but with no obvious effect on user experience. Regardless, you can
monitor these items through SAS Environment Manager.
a. Review metrics for the server machine.

For Linux Server

Click Linux under your OS and SAS Server Tier summary portlet that you just created.
Click sasapp.demo.sas.com and that takes you to the same view as Resources 
Browse  Platform  sasapp.demo.sas.com.

For Windows Server

Click Win32 under your OS and SAS Server Tier summary portlet that you just created.
That takes you to the same view as Resources  Browse  Platform 
sasapp.demo.sas.com.

b. What is the RAM for this machine? What is the CPU speed?
The RAM field (in the upper right) specifies the total memory for the host.
The CPU Speed field (in the upper left) specifies the number and speed of the processors on
the machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-68 Lesson 2 Reviewing SAS® Platform Architecture Components

c. Click Metric Data to view the table of metrics for the host. They are displayed in categories:
• metrics to evaluate memory usage for the host, such as used memory or percent used
memory
• metrics to evaluate swap space usage
• metrics to determine CPU and I/O usage for a host in a deployment

For each enabled metric for one or more members of a compatible group, the following
information is displayed:
• Alerts – number of times that the metric value triggered an alert
• OOB – number of times that the metric was out of bounds
• LOW – lowest value that was collected
• AVG – average of values that were collected
• PEAK – highest value that was collected
• LAST – the last value that was collected
• Collection Interval – the frequency of metric collection (NONE indicates that data is not
being collected.)
d. Click Indicators to view these metrics in chart form. The charts can be useful for evaluating
changes in memory usage over time, for example.
Note: If the chart for one or more of the metrics is not displayed, select the Problem
Metrics field on the bottom left of the page and change the selection to All Metrics.
Move the metric that you want added in the Indicators display by clicking the black
arrow next to the metric
e. When you click the metric, a chart appears that contains more-detailed information. Scroll to
the bottom of the metric charts and click Zombie Processes. This is one metric at the
Platform level that can indicate too many “runaway” or “stuck” processes. If there are any
numbers above zero consistently, it might be time to reboot the machine when there is
opportunity to do so.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.4 Exploring SAS Environment Manager 2-69

You have options within the chart view such as editing ranges, saving a chart to dashboards,
and defining an alert for this metric.

f. Click Back to Resource.

g. Click the down arrow next to Map to see a visual representation of resources and the next
level of parent and child resources. How many servers are under this machine platform?
Note: The map for a platform displays the servers under the platform, and the map for a
server displays the services under the server. Servers as well as services under the
platform are also listed on the left of the Monitor page.
h. Click Views  Live Exec.
i. Select a query to run from the drop-down menu, such as df and top.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-70 Lesson 2 Reviewing SAS® Platform Architecture Components

2.01 Multiple Choice Question

On the Resources page in SAS Environment Manager, where would you find
the SAS Object Spawner resource?
a. Services
b. Servers
c. Platforms
d. Mixed Groups

58
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

2.02 Multiple Choice Question

Which statement is true regarding the SAS Environment Manager Agent?
a. You can have only one SAS Environment Manager Agent in a SAS
deployment.
b. The SAS Environment Manager Agent summarizes the metric
information and writes it to the PostgreSQL database.
c. The SAS Environment Manager Agent can be monitored under
Platforms in SAS Environment Manager’s Resource page.
d. You will have a SAS Environment Manager Agent running on every
platform where SAS components are configured in your SAS
deployment.

60
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-71

2.5 Exploring SAS Environment Manager

Service Architecture
continued...
SAS Environment Manager Service Architecture
The SAS Environment Manager Extended Monitoring package implements
best practices for resource monitoring, automates and extends the
application’s auditing and user monitoring capabilities, and follows industry
standards to enable servers to use Application Response Measurement
(ARM). The framework consists of two components:
1. Best Practices
Extended Monitoring
Best Practices:
• Predefined alerts
• Automate resource configuration
• Additional resource groups
• Metric collection adjustments
• Additional resources
• Event importing and exporting

63
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Extended monitoring includes these components:

Resource configuration: You must configure resources such as platforms and servers that are
added to your SAS Environment Manager inventory during installation so that they can begin
collecting metric data. Initializing extended monitoring automates the process of configuring these
resources, enabling you to start monitoring resources without having to go through a manual
configuration process.
Tuned alerts: Extended monitoring provides a set of optimized alerts, developed by SAS. These
alerts notify you of operational issues that might be encountered in a SAS environment (such as
storage issues, server status, and hardware issues).
Defined resource groups: Resources that form a logical group (such as all platforms, servers, and
services in the SAS App Tier) are automatically collected into predefined groups that are defined in
extended monitoring. These groups are automatically updated as you add and delete resources, so
they always stay current. A resource group for every reporting table in the data mart is automatically
created and maintained.
Event importing and exporting: You can export events that are generated by SAS Environment
Manager to support third-party monitoring applications. In addition, you can import events from other
SAS applications and from third-party applications into SAS Environment Manager for processing.
HTTP checks of web applications: Enabling extended monitoring defines a set of resources that
monitor the availability and responsiveness of key SAS web applications such as SAS Stored
Process Web Application.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-72 Lesson 2 Reviewing SAS® Platform Architecture Components

Adjustments to monitoring metrics: As part of the process of optimizing resource monitoring, some
adjustments are made in the metrics collected for system resources. Collection is started for some
metrics, and graphing intervals are changed for others in order to make them easier to follow.

continued...
SAS Environment Manager Service Architecture
The framework consists of two components:
1. Best Practices
Extended Monitoring
Best Practices:
• Predefined alerts Data Mart Infrastructure
• Automate resource configuration
• Additional resource groups
• Metric collection adjustments
• Additional resources
• Event importing and exporting

2. Data Mart Infrastructure, which provides empty data tables and stored
processes that produce reports

64
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Environment Manager Service Architecture

SAS Environment Manager service architecture uses extract, transform, and
load (ETL) processes to obtain data, convert it to a standard format, and
load it into the SAS Environment Manager data mart.

Extended Monitoring
Best Practices:
• Predefined alerts Data Mart Infrastructure
• Automate resource configuration
• Additional resource groups
• Metric collection adjustments
• Additional resources
• Event importing and exporting

• Audit, Performance, and Measurement (APM) ETL

• Agent-Collect Metrics (ACM) ETL
65
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-73

Agent Collected Metrics (ACM) ETL

The Agent Collected Metrics data is loaded into the SAS Environment
Manager database. The ACM ETL process then copies data from the
database, standardizes the data, and loads it into the data mart.

SAS Environment
Manager Agents

SAS Environment
Manager Server SAS Environment Manager
11 rolling days
Data Mart
of data
SAS Environment
SAS ACM
Manager Web App ACM ETL Process
WIP Data Server ARTIFACT 60 rolling days
(EVManager database)
Library of data
66
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

ACM data is processed and loaded into the data mart in these steps:
1. Metric data is collected f rom the SAS Environment Manager agents and sent to the SAS
Environment Manager database.
2. At specif ied intervals, the ACM ETL process runs. The process copies data f rom the database,
standardizes the data, and loads the data into the data mart.
3. ACM data in the data mart is available f or analysis and reporting.
The Report Center contains reports that are produced by ACM that display the f ollowing types of
inf ormation:
• response time for SAS HTTP web services
• workload, CPU usage, and memory usage for each platform in your environment
• usage and response information for file mounts
• total number of clients per minute on the SAS Metadata Server machine

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-74 Lesson 2 Reviewing SAS® Platform Architecture Components

Audit, Performance, and Measurement (APM) ETL

The APM ETL process extracts performance metric information from various
SAS server logs, HTTP access logs, SAS job logs, and SAS metadata audit data
and loads that information into the data mart.

SAS Environment Manager

Data Mart
Log
Server
Parser
Log Files APM
Execution
ARTIFACT 60 rolling days
Library of data

APM data is processed and loaded into the data mart in these steps:
• log discovery • log centralization
• log collection • log processing
67
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

APM ETL: Log Discovery

The APM ETL process scans the components in your SAS system for log files
and includes the logs that it finds that are supported by the APM ETL.

SAS server logs SAS job logs HTTP access logs

SAS Metadata

Enabling the APM ETL process causes a separate log to be created for SAS
servers. A large number of log files might be created. A best practice is to
create a daily archive file of the day’s log files and then copy the file to archive
storage. 68
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1. The APM ETL process scans the components in your SAS system for log files and includes the
logs that it finds that are supported by the APM ETL. By default, the log discovery process runs
every 15 minutes throughout each day, so any new logs created by new components in your
SAS environment are discovered and included in the log collection process. You can also
choose to run the log discovery process manually though a control action, which enables you to
start collecting log data sooner than if you waited for the scheduled process. See Manually

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-75

Discovering and Collecting Logs in SAS Environment Manager 2.5: User’s Guide, Second
Edition.
Note: SAS logs are discovered and collected only if they are in default locations. If you
customize the log location, SAS Environment Manager cannot discover or collect the log.

APM ETL: Log Collection

The discovered logs are collected locally on the machine where they are
created and stored in the landing zone directory, which is
[levelRoot]/Web/SASEnvironmentManager/emi-client/LandingZone.

SAS Metadata
SAS server logs

SAS job logs

HTTP access logs

Local Landing Zone

69
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

2. The discovered logs are collected locally on the machine where they are created and stored in
the landing zone directory, which is [LevelRoot]/Web/SASEnvironmentManager/emi-
client/LandingZone. By default, the logs are collected nightly, but they can be collected
manually as often as every 30 minutes in order to obtain an update view of the log information.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-76 Lesson 2 Reviewing SAS® Platform Architecture Components

APM ETL: Log Centralization

The locally collected logs are collected from the local landing zone
directories to a central landing zone directory, which is located on the
SAS Environment Manager Enablement Kit Server.

SAS Metadata
SAS server logs
Central Landing
Zone
SAS job logs

HTTP access logs

Local Landing Zone

70
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3. The locally collected logs are collected from the local landing zone directories to a central
landing zone directory, which is located on the SAS Environment Manager Enablement Kit
Server. This machine is the machine containing the alphabetically first SAS Application Server
context that contains a SAS Workspace Server.
Beginning with the third maintenance release after SAS 9.4, you can use SAS Deployment
Agent to automatically copy the log files from the local landing zone directories to the central
landing zone directory. You can configure the SAS Deployment Agent in unsecured mode, or you
can use unsecured mode or NFS mounts and shares and symbolic links.
Beginning with the fourth maintenance release after SAS 9.4, you can use the SAS Deployment
Agent in secure mode to copy the log files. You can also set up file mounts or NFS shares to the
local landing zone directories so that the central landing zone directory has access to the log
files whenever they are saved to the local landing zone directories. After the logs are collected in
the central landing zone directory, they are deleted from the local landing zone directories.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Enviro nment Manager Service Architecture 2-77

APM ETL: Log Processing

The ETL process parses the logs in the central landing zone directory, puts
the information into a standard format, and archives the original log files.
The data is then put into the appropriate tables in the data mart.

SAS Environment Manager

Data Mart

Central Landing
Log Processing APM
Zone
ARTIFACT
Library

Log Archives
71
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

4. The ETL process parses the logs in the central landing zone directory, puts the information into a
standard format, and archives the original log files. The data is then put into the appropriate
tables in the data mart.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-78 Lesson 2 Reviewing SAS® Platform Architecture Components

SAS Environment Manager Data Mart

SAS Environment Server
Manager Agents Log Fi l es

SAS Tool of your

SAS Environment Log choi ce
Manager Server Parser
Execution

SAS Envi ronment Ma nager

SAS ETL Da ta Ma rt VA
Feed SAS Vi s ual Analyti cs
WIP Pl a tform Processing
Da ta Server
ACM APM KITS
ARTIFACT ARTIFACT Li bra ry
Li bra ry Li bra ry
Report
SAS Envi ronment Center Legend
Ma na ger Web App Agent Collected Metrics

Audit and Performance

LASR IMEL Measurement
Log Parser
Execution or KITS
SAS/ORS KITS
other ETL (processed as part of the APM ETL)
… Processing
DSA ……
72
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Environment Service Architecture consists of the following components:

SAS Environment Manager Data Mart: The data mart is the key component of the Service
Architecture and is created if you enable either one or both of t he ETL (Extract, Transform, and
Load) processes in the service architecture. The data mart consists of a set of tables that hold the
data collected by the ETL processes. The collected data is stored in a standard format, which makes
it easy to run reports and perform analysis. The stored processes in the Report Center use the data
in the data mart to produce predefined reports. Data is retained in the data mart for 60 days.
Report Center: The Report Center provides a convenient access point for the reports that are
provided as part of the Service Architecture. After one or more of the ETL components have been
initialized and enabled, data is available in the data mart. This data is then used to feed the
predefined reports in the Report Center. The Report Center is not available until either one or both of
the ETL processes is enabled.
Solution kit framework: The solution kit framework can extend the capabilities of SAS Environment
Manager to support specific solutions or applications. The framework includes support for collecting
and storing operation information about the solution in the data mart and for using the associated
reporting capabilities.
SAS Visual Analytics data feed: Data from the data mart can be easily loaded into SAS Visual
Analytics. If the data feed option is enabled in SAS Environment Manager, selected data tables from
the data mart are copied to a specified drop zone directory. SAS Visual Analytics can then
automatically load the tables from the drop zone into the application. For more information, see
“Feeding Data from the Data Mart into SAS Visual Analytics ” in SAS Environment Manager 2.5:
User’s Guide.
Federated data mart: If you are using a data mart on multiple deployments in your organization,
you can create a federated data mart to consolidate analysis and monitoring for all of the
deployments. The federated data mart collects into one location the ACM data from the dat a marts of
each deployment. Each deployment still retains its own data mart, but the federated data mart
enables you to easily compare the metric data across your organization. For more information, see
“Creating a Federated Data Mart” in SAS Environment Manager 2.5: User’s Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-79

ETL jobs are run once per 24-hour period (overnight by default). This process collects and
standardizes the data and put it into the data mart. Data is stored for 60 days by default. The data is
then used to drive reports from the Report Center or by SAS Visual Analytics for further analysis.

Report Center
The Report Center is a collection of stored processes that produce reports
from data in the SAS Environment Manager data mart. The reports provide
a view of the performance and status of your SAS environment and its
resources.

73
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Report Center has three main f olders:

Products: contains most of the stored processes to generate reports based on APM or ACM
ETL processes.
System: contains stored processes f or ad ho c reports.
User folders: contains any custom reports that you have created and saved in your user f older.
Note: The stored processes are based on standard procedures f rom Base SAS and ODS.
You can f ind a complete listing of Report Center bundled reports here:
http://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/Report_Center_Report_Listings.pdf
Data Mart Reports
These stored processes generate reports that display inf ormation about the content of the SAS
Environment Manager Data Mart tables, the resources that support the data mart, and the alerts that
are def ined in the data mart. Here are some example reports:
• All Alert Definitions
• ACM Data Mart Server Resources
• Data Mart PROC CONTENTS Full Listing
The reports are located at Stored Processes  Products  SAS Environment Manager 
Dynamic Reports  Datamart.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-80 Lesson 2 Reviewing SAS® Platform Architecture Components

Metadata Inventory Reports

These stored processes generate reports that display inf ormation about the metadata that is stored
on the SAS Metadata Server. Here are some example reports:
• Groups Roles and Users
• Metadata Content
• Server Properties
The reports are located at Stored Processes  Products  SAS Environment Manager 
Dynamic Reports  Metadata Inventory.
ACM Reports
These stored processes generate reports that display and chart detailed metrics f or the computing
resources in your environment. They are generated by data f rom ACM ETL processes. Here are
some example reports:
• File Mounts Summary Report
• Metadata Server Total Clients per Minute
• Platform Workload 1 Min Average
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  ACM Reports.
ARM Reports
These stored processes generate reports that display and chart detailed metrics and information for
SAS jobs and processes. They are generated by data from APM ETL processes. Here are some
example reports:
• Resource – Procedure Usage
• User – Server Activity by User
• Workspace Server – Top Users by Memory Consumption
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  ARM Performance Reports.
Note: In ARM reports, time metrics are charted in seconds and memo ry capacity metrics are
charted in kilobytes.
Metadata Audit Reports
These stored processes generate reports that display events recorded in SAS logs. They are
generated by data f rom APM ETL processes. Here are some example reports:
• Access Activity Events
• Metadata Client Activity
• Group Changes
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  Audit Reports (Log Forensics).
SAS Environment Manager Service Architecture ETL Process Reports
These stored processes generate reports that display inf ormation and metrics about the APM ETL
processes. Here are some example reports:
• ETL Logfile Analysis
• Logfile Analysis Overview Report
• PROC Usage Summary

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-81

The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  Service Architecture ETL Reports.
Event Reports
These stored processes generate reports that display inf ormation and metrics about the events that
are generated and recorded in the data mart. They are generated by data f rom ACM ETL processes.
Here are some example reports:
• Event Summary Chart
• Event Summary Counts
• Log Event Details
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  Event and Alerts.
Solution Kit Reports
These stored processes generate reports that display inf ormation that was stored in the data mart by
the solution kit. Each kit contains its own set of stored processes and custom reports.
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  Kits  solution kit name.
Log File Job Reports
These stored processes generate reports that display inf ormation about the jobs and processes
used to analyze the SAS logs. They are generated by data f rom APM ETL processes. Here are
some example reports:
• Logfile Analysis Overview
• Logfile Summary by Logfile and Job Name
• PROC Usage Summary
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  SASJobs.
Sample Reports
These stored processes generate reports that contain samples of different types of report styles.
They are generated by data f rom APM ETL processes. Here are some example reports:
• Pie Chart CPU Usage Profile by Platform
• Daily Resource Usage Summary
• Top 5 Ranked on CPU Usage
The reports are located at Stored Processes  Products  SAS Environment Manager 
Nightly Reports  Sample Gallery.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-82 Lesson 2 Reviewing SAS® Platform Architecture Components

Report Center
Metadata Server: Metadata Inventory:
• Metadata Server Client Activity • Duplications
• Authentication Errors • Groups, Roles, and Users
• Audit Report on Access Control Changes • Paths
• Access Activity by User ID • Portal Activity

74
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Report Center
Server Activity:
• Workspace Server Top 10 Memory Users
• Server Usage by User
• Data Usage
• Directory Usage
• Procedure Usage

75
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-83

Report Center
Data Mart Reports:
• Weekly Events from SAS Environment Manager
• All Alert Definitions
•Data Mart PROC Contents Full Listing
ACM Reports:
• Daily Resource Usage Summary
• Top 5 Ranked on CPU Usage

76
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Initializing SAS Environment Manager

Service Architecture
The process of initializing and configuring the service architecture consists
of two main processes:
• validating the Service Architecture
framework and initializing the
extended monitoring bundle
• enabling the ACM and APM ETL
framework, and initializing the
APM ETL framework

77
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

You must enable Extended Monitoring to use the SAS Environment Manager Data Mart. Instructions
can be found in these two places:
• the SAS Environment Manager configuration directory:
<configdir>/Lev1/Web/SASEnvironmentManager/emi-framework/
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf
• “Initializing and Enabling the Service Architecture” in SAS Environment Manager 2.5: User’s
Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-84 Lesson 2 Reviewing SAS® Platform Architecture Components

Practice

12. Reviewing Service Architecture Enablement Steps and Locating Logs Created by
Enabling and Initializing the APM ETL
a. Navigate to the emi-framework directory where the instruction document
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf is located.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework

For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework

The Initialization steps start on page 4 of the PDF. Initialization commands are located in the
bin directory.
Configuration of the package is broadly defined in three phases or stages. The main phases
of configuration are as follows:
1) Pre-check, validation of the initial deployment of SAS and SAS Environment Manager.
2) Validation of the SAS Environment Manager Service Architecture framework and the
initialization of the enhanced monitoring bundle.
3) Enabling either ACM or APM ETLs, including an additional initialization step for the APM
ETL. All ETL processes are optional and can be enabled at any time after the framework
has been initialized. However, one or more ETLs are required to construc t the data dart.
Note: The Service Architecture has already been initialized in the classroom environment.
b. If the APM ETL package is enabled and initialized, a potentially large volume of log files is
created. The ETL process extracts data from SAS logs and loads that data into the data mart
so that the applicable stored process reports have data to work with. Data is extracted from
the SAS logs only when the logs roll over (usually after midnight).
1) Locate log files that are generated.

For Linux Server

On sasapp.demo.sas.com.com, navigate to
/opt/sas/config/Lev1/SASApp/WorkspaceServer.

For Windows Server

Navigate to D:\SAS\Config\Lev1\ SASApp\WorkspaceServer.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-85

2) Open the PerfLogs directory. Logging of from this server causes a separate log file to be
created in this directory for each spawned SAS Workspace Server. This means that there
is a log file for each session of SAS Enterprise Guide or SAS Data Integration Studio
users.
With the enablement and initialization of the APM ETL package, the SAS Application
Server environment is modified to enable ARM (Application Response Measurement), as
well as the activation of SAS logging facility loggers and log appenders, to support the
ARM-enabled SASApp deployment.

Be aware of the potential f or the large number of log files that can be created in
this directory. You can create a daily archive of the logs in a ZIP or TAR f ile and
then copy the daily archive to another storage location. This process enables you
to manage the large number of log files while maintaining IT best practices f or
retaining usage logs.
13. Running Stored Processes from the Report Center
a. Select Analyze  Report Center. The Report Center is displayed in a separate window or
tab in your browser. The Report Center uses the SAS Stored Process web application, so
the window is titled Stored Processes.

To create a report, click the stored process entry. The viewing pane of the Report Center
window displays prompts for the information in the report. You can select the categories of
inputs on the left side of the display area to fully customize the report. Click Run to produce
the report.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-86 Lesson 2 Reviewing SAS® Platform Architecture Components

b. Run a report that shows a full listing of available reports. Select Products  SAS
Environment Manager  Dynamic Reports  Datamart  Report Center Report
Listings.

c. Run a report that shows a full listing of data mart tables and variables. Select Products 
SAS Environment Manager  Dynamic Reports  Datamart  Data Mart Proc
Contents Full Listing.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.5 Exploring SAS Environment Manager Service Architecture 2-87

d. Run a report that shows a listing how often a user has connected to the metadata server
through a client application. Select Products  SAS Environment Manager  Nightly
Reports  Audit Reports (Log Forensic)  Metadata Client Activity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-88 Lesson 2 Reviewing SAS® Platform Architecture Components

e. Run a report that shows the top 10 users by workspace server sessions. (The SAS
Workspace Server is most frequently used by clients for data retrieval, manipulation, and
analysis.) Select Products  SAS Environment Manager  Nightly Reports  ARM
Performance Reports  Workspace Server - User Activity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-89

2.6 Solutions
Solutions to Practices
1. Locating the Installation and Configuration Directories of the SAS Deployment
a. On the server machine, locate the installation directory.

For Linux Servers

1. On the sasapp.demo.sas.com machine, navigate to /opt/sas/SASHome. Are any
desktop applications installed on the server machine?
Yes, SAS Management Console and SAS Deployment Manager

2. On the sasmid.demo.sas.com machine, navigate to /opt/sas/SASHome. Are any

desktop applications installed on the server machine?
Yes, SAS Management Console and SAS Deployment Manager, and web
applications

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-90 Lesson 2 Reviewing SAS® Platform Architecture Components

For Windows Server

Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any

desktop applications installed on the server machine?
Yes, SAS Management Console and SAS Deployment Manager. There are some
others that have not been introduced in class.

b. Locate the configuration directory.

For Linux Servers

1. On the sasapp.demo.sas.com machine, navigate to /opt/sas/config/Lev1. What

directory is the metadata server configured in?
SASMeta

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-91

2. On the sasmid.demo.sas.com machine, navigate to /opt/sas/config/Lev1

Web/WebAppServer. How many web application servers are deployed? Three

For Windows Server

Access Windows Explorer and navigate to D:\SAS\Config\Lev1. What directory is the

metadata server configured in? SASMeta

Continue to the D:\SAS\Config\Lev1\Web\WebAppServer directory. How many web

application servers are deployed? Three

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-92 Lesson 2 Reviewing SAS® Platform Architecture Components

Note: The Levn subdirectory contains configuration information and other files for a
particular installation instance. Lev1 is generally used for production environments.
Additional levels, such as Lev2 and Lev3, can be used for environments that you
install for purposes such as development and testing. During installation, the SAS
Deployment Wizard enables you to select the level number.
2. Examining details_diagram.html
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS
system. Similar to an architect’s floor plan, the plan describes the intended final SAS software
environment. The plan is used in the SAS software deployment process to “tell” the SAS
Deployment Wizard which software components to install and configure on each machine. A
diagram of your customized deployment plan, called details_diagram.html (optimized for
Firefox) or details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your
custom plan file.
Note: See Installation Note 44320, “Using deployment plans during a SAS installation.”
a. On the Windows machine, locate and open the details_diagram.html file or
details_diagram_for_ie7.mht file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-93

For Linux Servers

On the sasapp.demo.sas.com machine, navigate to /opt/sas/depot/plan_files.

Use WinSCP, right-click details_diagram.html, and select open. (Double-clicking

opens the file for edit.) You can open the file using Firefox on the Linux machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-94 Lesson 2 Reviewing SAS® Platform Architecture Components

For Windows Server

Access Windows Explorer, and navigate to D:\depot\plan_files.

b. Where is SAS Management Console installed? Configured? For both, server and middle-
tier machine and client machine
Where is SAS Foundation software installed? Server and middle-tier machine for
Windows Server. For Linux Servers, only on the sasapp.demo.sas.com machine.
Configured? It is not configured.
Where is SAS Enterprise Guide installed? Client machine
Configured? It is not configured.
3. Creating an Environment Snapshot
The Environment Snapshot contains a comprehensive listing of the system information in the
SAS Environment Manager database. It collects and displays the most current performance
measures and configuration parameters, as well as executes and gathers real-time usage
information.
a. Log on to SAS Environment Manager as sasadm@saspw using the password Student1.
b. Select Analyze  Environment Snapshot.
c. Under Summary Table on the left, select your system:

For Linux Server

sasapp.demo.sas.com

For Windows Server

sasserver.demo.sas.com

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-95

d. Click the SAS tab and notice the metadata server configuration attributes. What port does
the metadata server use? 8561

e. Click the Logs tab. A comprehensive list of server log locations is displayed. Notice that
many of the middle-tier servers do not have log tracking enabled or there is no log location
set, whereas the SAS servers do.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-96 Lesson 2 Reviewing SAS® Platform Architecture Components

For Linux Server: Because your SAS middle tier is on a different machine, change your
summary table to sasmid.demo.sas.com and then click the Logs tab.

f. You can change this by going to a resource inventory property and enable log tracking. Go to
Resources  Browse  Servers and select the following:

For Linux Server

sasmid.demo.sas.com SASWebApplicationServer SASServer1_1

For Windows Server

SASSERVER SASWebApplicationServer SASServer1_1

Note: You might need to go to the next page to find the resource.

Alternatively, you can filter for sasweb.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-97

g. Click the Inventory tab and scroll down to Configuration Properties and click Edit.

h. Select server.log_track.enable and click OK.

Many of the server-level resources enable the administrator to set up log tracking. This is a
method of monitoring log files for specific messages, such as severe errors or other critical
information. By doing this, you do not need to open the log files directly. You can access only
the portion that you need from the user interface. These log file entries are one type of event
that can be configured and customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up
by the SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on
log tracking and specify the log messages that you want to capture.
Note: Setting up log tracking is covered in a later lesson.
i. Return to Environment Snapshot on the Analyze tab and select your system:

For Linux Server

sasmid.demo.sas.com

For Windows Server

sasserver.demo.sas.com

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-98 Lesson 2 Reviewing SAS® Platform Architecture Components

j. Click the Logs tab to see that the SASWebApplicationServer 9.45 now has a logging file
location.

k. Click Snapshot Environment under Create a Snapshot.

l. When the processing is complete, click the Snapshots tab. A text file is created. Take note of
the snapshot location displayed on the screen. The path is on the middle-tier machine where
SAS Environment Manager Server is located and is relative to the SAS configuration
directory.
m. Navigate to the file location and view the file contents:

For Linux Server

Because you took the snapshot of your SAS middle tier environment, go to
sasmid.demo.sas.com machine and navigate to
/opt/sas/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE and

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-99

For Windows Server

D:\SAS\Config\ Lev1\Web\SASEnvironmentManager\server-5.8.0-EE and

4. Finding Web Applications Deployed on SAS Web Application Server Instances

There are a few places where you can look to find out on which SAS Web Application Server
instance your web applications are deployed.
• It is documented in Instructions.html. This is the reference document for your SAS
deployment. It contains any manual configuration steps that must be performed. It provides
an overview of your deployment, including the web application URLs.
• SAS Environment Manager.
• Configuration directory for the SAS middle tier.
a. Open Instuctions.html. It is located under the SAS configuration directory in the
Levn/Documents subdirectory.

For Linux Server

1. You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Log on to the sasmid.demo.sas.com. (You are logging on as the
install account; no changes are needed.)

Linux Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-100 Lesson 2 Reviewing SAS® Platform Architecture Components

2. In WinSCP, navigate to /opt/sas/config/Lev1/Documents.

(As an alternative, you can use MRemoteNG and connect to sasmid.demo.sas.com.

Use the firefox /opt/sas/config/Lev1/Documents/Instructions.html command to
open the document.)

3. Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
WinSCP editor, not Internet Explorer.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-101

4. Select Web Application Server in the Overview list. Review the configuration details.

What web application is not clusterable? SASBIDashboardEventGen4.4

What web app server instance is it deployed on? SASServer1_1
What web app server instance is SAS Studio deployed on? SASServer2_1

For Windows Server

1. Access Windows Explorer, and navigate to

D:\SAS\Config\Lev1\Documents\Instructions.html.

2. Double-click Instructions.html to open the document in Internet Explorer.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-102 Lesson 2 Reviewing SAS® Platform Architecture Components

3. Select Web Application Server in the Overview list. Review the configuration details.

What web application is not clusterable? SASBIDashboardEventGen4.4

What web app server instance is it deployed on? SASServer1_1
What web app server instance is SAS Studio deployed on? SASServer2_1

b. Open SAS Environment Manager.

1) Connect as sasadm@saspw, with a password of Student1.
2) Go to Resources  Browse  Servers.
3) Select a web application server, such as the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: SASSERVER SASWebApplicationServer SASServer2_1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-103

4) Select Views  Application Management.

The deployed SAS web applications are listed. You can stop and start a web application
from this location as well.
c. Find the WAR files that are deployed on each web application server instance. They are
located in the sas_webapps directory under the SAS Web Application Server configuration
directory.

For Linux Server

On the sasmid.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
Note: You can use WinSCP or MRemoteNG.

For Windows Server

Navigate to
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.

5. Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL RDBMS
In this practice, you modify the necessary information so that the SAS Web Infrastructure
Platform Data Server resource can be monitored. (This is the PostgreSQL database server with
listening port 9432.)
a. Sign in to SAS Environment Manager as sasadm@saspw using password Student1, if not
already signed in.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-104 Lesson 2 Reviewing SAS® Platform Architecture Components

b. Go to Resources  Browse  Servers.

c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the
right.)

d. The status of the PostgreSQL server is undetermined. Click the resource:

For Linux Server: sasapp.demo.sas.com PostgreSQL 9.x localhost:9432
For Windows Server: SASSERVER PostgreSQL 9.x localhost:9432

e. You see that the server is not well configured. Click Configuration Properties.

f. Enter the required parameter values:

PostgreSQL.user: dbmsowner

PostgreSQL.pass: Student1

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-105

PostgreSQL.program or Windows Service:

For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh

For Windows Server

Use the Windows Service name: SAS [Config-Lev1] Web Infrastructure Platform
Data Server
Note: To avoid typographical errors, go to the Windows Services application and
copy and paste the service name to the service name field.

g. Make sure that the Auto-Discover DataBases, Indexes, and other services? check box is
selected. Then click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-106 Lesson 2 Reviewing SAS® Platform Architecture Components

h. Click Monitor. After a few minutes (or the required time for the agent to query the system),
you see the server availability, some server metrics, and two new services.

6. Setting Up Log Tracking for a Resource in the SAS Environment Manager

Many of the server-level resources enable the administrator to set up log tracking. This is a
method of monitoring specific log files, usually for specific messages, such as severe errors or
other critical information. By doing this, you are not required to open the log files directly. You can
access only the portion that you need from the user interface. The log file entries are one type of
event that can be configured and customized in SAS Environment Manager.
For SAS servers, a special file, sev_logtracker_plugin.properties, is automatically set up by
the SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on log
tracking and specify the log messages that you want to capture.
In this practice, you enable log tracking for a SAS Web Application Server. The SAS Web
Application Server (SASServer1 instance) log file is scanned for start-up completion. If you must
restart that server, you know when it is fully started up, and that all the web applications are
loaded and ready for users. Although this server might appear as Available or Started right
away, it is not actually ready to receive requests for 20 to 30 minutes after that, given the
necessary full deployment of all the SAS web applications.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1, if
you are not already logged on.
b. Click Resources  Browse.
c. Select the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: SASSERVER SASWebApplicationServer SASServer2_1
d. Click Views  Application Management. There are fewer web applications deployed on
this instance, so choose this web application server to use for log tracking.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-107

e. Click the Inventory tab.

f. Scroll to the bottom to the Configuration Properties section, and click Edit.

g. Set the following properties:

1) Click the Enable Log Tracking check box.
2) Select INFO from the Track Event Log Level drop-down menu.
3) Under Log Pattern Match, enter the following code:
Server startup in \d{5,} ms
4) For the log files, enter log/server.log.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-108 Lesson 2 Reviewing SAS® Platform Architecture Components

h. Click OK at the bottom center of the window. You should see the following message:

i. Restart the server. Select Resources  Browse and select the following:
For Linux Server: sasmid.demo.sas.com SASWebApplicationServer SASServer2_1
For Windows Server: sasserver.demo.sas.com SASWebApplicationServer
SASServer2_1
j. Click the Control tab.

k. Select Control Action: Restart. Click the arrow to the right.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-109

l. When the command state indicates Completed, click the Monitor tab.

The Restart event was recorded and appears in the Events/Logs Tracking timeline at the
bottom of the window, as shown.

If you click the event bubble, a message appears. The server is not yet available because all
the applications were not deployed and started yet.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-110 Lesson 2 Reviewing SAS® Platform Architecture Components

m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking
timeline.

That second event provides the actual message text from the log file that you specified in
your search earlier: Server startup in XXXXXX ms, as shown above.
7. Operating the SAS Servers
a. Check the status of the SAS servers.

For Linux Server

1. On UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS Servers. They are called sas.servers.pre, sas.servers, and
sas.servers.mid.
Some servers are started directly by the sas.servers script. Other servers are started
by the sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers.
The table on page 2-25 of the course notes shows the script names, the components
that are included in each script, and the order in which the components are started. For
Linux Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-111

2. On the sasapp.demo.sas.com machine, navigate to /opt/sas/config/Lev1. Use the

sas.servers script to verify the status of the SAS servers: ./sas.servers status. (The
valid commands are stop, start, restart, and status.)

3. On the sasmid.demo.sas.com machine, navigate to /opt/sas/config/Lev1. Use the

sas.servers script to verify the status of the SAS servers: ./sas.servers status. (The
valid commands are stop, start, restart, and status.)

4. Because we have a multi-machine deployment, a single script was created that will first
run the sas.servers script on the sasapp.demo.sas.com machine and then start the
sas.servers script on the sasmid.demo.sas.com machine.
On the sasapp.demo.sas.com machine, navigate to /usr/local/bin. Use a text editor,
such as gedit, to view the startAll script: gedit startAll
(You can also use WinSCP.)
Who must run this script? root

If you need to restart the SAS servers, you can use this script to ensure that the servers
are stopped and started in the correct order. Because you need to run these scripts as
root, there is a connection set up in mRemoteNG for root.
Do not restart servers at this time.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-112 Lesson 2 Reviewing SAS® Platform Architecture Components

For Windows Server

1. On your Windows Server machine, it is fastest to use the Windows Services application
to check status and to stop and start SAS servers. Click the Services icon in the system
tray. With Services selected, scroll down to the SAS services. Verify that the status for
all the SAS services is Running.

2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.

Note: In a typical deployment, the Windows services would have a start -up type of
Automatic. The classroom image uses a batch file to start services.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-113

3. Click the Dependencies tab.

Note: The dependencies do not include any middle-tier servers. It is not

recommended that you include them in the dependencies. However, it is
possible. See Installation Note 52100: http://support.sas.com/kb/52/100.html

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-114 Lesson 2 Reviewing SAS® Platform Architecture Components

b. Review the start-up order of the SAS servers.

For Linux Server

Use gedit, vi, or WinSCP to open the sas.servers script located in the
/opt/sas/config/Lev1 directory on the sasapp.demo.sas.com machine and the
sasmid.demo.sas.com machine. Review the start-up order of the SAS servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-115

For Windows Server

Navigate to D:\thirdparty\scripts. Right-click StartSAS.bat and select Edit. Review the

start-up order of the servers.

How much time is built in for the web server to wait for the cache locator to start up?
What is being read before it starts up?

You might use a script similar to this one in your environment. However,
be aware that this script deletes log files, which you would not want for a
SAS Environment outside of the classroom.

8. Validating the Servers in SAS Management Console

a. On the client machine, log on to SAS Management Console with the Linux Server or
Windows Server connection profile as Ahmed using the Student1 password.
b. Expand Server Manager  SASApp  - Logical Workspace Server 
SASApp - Workspace Server. Right-click the following:
For Linux Server: sasapp.demo.sas.com
For Windows Server: sasserver.demo.sas.com
Select Validate.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-116 Lesson 2 Reviewing SAS® Platform Architecture Components

Was the validation successful? If not, verify that the object spawner is running.

c. View the details of the validation. What autoexec file was executed at server initialization?
Note: An autoexec file contains SAS statements that are executed immediately after
SAS initializes the server.

9. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
The internal account sasadm@saspw is the default account for signing on to SAS Environment
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-117

user needs to be added to a SAS Environment Manager group in metadata and then
synchronized to the corresponding role in SAS Environment Manager.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1 if
you have not done so from the previous practice.
b. Go to the Manage page and select List Users to see a list of the current users in
Environment Manager.
Three users are listed.

c. Click List Roles to see the Environment Manager roles. There should be three.

These three roles map to three user groups created in SAS metadata.
d. Add Ahmed to the SAS Environment Manager Super User group in metadata.
1) Go to the Administration page and select Users from the Side menu.
2) Filter on Group.

3) Enter Super in the search field to get to SAS Environment Manager Super Users.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-118 Lesson 2 Reviewing SAS® Platform Architecture Components

4) Highlight SAS Environment Manager Super Users to open the metadata properties,
and from the tabbed menu, select Members.

5) Add Ahmed to the group by clicking the Edit button in the upper right toolbar.

6) Move Ahmed from the Available identities list to the Direct members list.

7) Click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-119

e. You do not need to synchronize users from the Manage page. Instead, sign out as
sasadm@saspw and sign back in as Ahmed to verify that he now has access to
SAS Environment Manager. Stay signed in as Ahmed for the rest of the practices.

10. Adding an Availability Summary Portlet to Your Dashboard

a. In SAS Environment Manager, click the Dashboard tab if not already there. Make sure that
you are logged in as Ahmed.
b. Create an OS and SAS Server Tier availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add
Content to this column field.

2) Click the Configure button to display the Dashboard Settings page for the portlet.

3) Click Add to List in the Selected Resources area.

4) In the View field, make sure that Platforms is selected. Move the resources to the right.
Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-120 Lesson 2 Reviewing SAS® Platform Architecture Components

5) Specify the name OS and SAS Server Tier in the Description field. Click OK.

6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking
the heading and dragging it to the top of the left column.
c. What are the metrics that are collected for the SAS Application Server Tier platform?
Click SAS Application Server Tier from the summary portlet.

The metrics pertain to metadata server clustering. (Metadata server clustering is reviewed in
the next lesson.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-121

11. Evaluating Resource and Memory Usage on a Host

System resources can approach their limits and cause the system to become slow or unstable. If
you see a problem with system responsiveness from the users’ point of view, there are some
metrics that can be checked to give us clues as to why. It is also possible for system resources
to be nearing their limits, but with no obvious effect on user experience. Regardless, you can
monitor these items through SAS Environment Manager.
a. Review metrics for the server machine.

For Linux Server

Click Linux under your OS and SAS deployment summary portlet that you just created.

Click sasapp.demo.sas.com and that takes you to the same view as Resources 
Browse  Platform  sasapp.demo.sas.com.

For Windows Server

Click Win32 under your OS and SAS Server Tier summary portlet that you just created.

That takes you to the same view as Resources  Browse  Platform 

SASSERVER.demo.sas.com.

b. What is the RAM for this machine? What is the CPU speed?
It varies: 15888 MB on Linux and 16384 MB on Windows
The RAM field (in the upper right) specifies the total memory for the host.
The CPU Speed field (in the upper left) specifies the number and speed of the proc essors on
the machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-122 Lesson 2 Reviewing SAS® Platform Architecture Components

c. Click Metric Data to view the table of metrics for the host.

They are displayed in categories:

• metrics to evaluate memory usage for the host, such as used memory or percent used
memory
• metrics to evaluate swap space usage
• metrics to determine CPU and I/O usage for a host in a deployment

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-123

For each enabled metric for one or more members of a compatible group, the following
information is displayed:
• Alerts – number of times that the metric value triggered an alert
• OOB – number of times that the metric was out-of-bounds
• LOW – lowest value that was collected
• AVG – average of values that were collected
• PEAK – highest value that was collected
• LAST – the last value that was collected
• Collection Interval – the frequency of metric collection (NONE indicates that data is not
being collected.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-124 Lesson 2 Reviewing SAS® Platform Architecture Components

d. Click Indicators to view these metrics in chart form. The charts can be useful for evaluating
changes in memory usage over time, for example.
Note: If the chart for one or more of the metrics is not displayed, select the Problem
Metrics field on the bottom left of the page and change the selection to All Metrics.
Move the metric that you want added in the Indicators display by clicking the black
arrow next to the metric.

e. When you click the metric, a chart appears that contains more-detailed information. Scroll to
the bottom of the metric charts and click Zombie Processes. This is one metric at the
Platform level that can indicate too many “runaway” or “stuck” processes. If there are any
numbers above zero consistently, it might be time to reboot the machine when there is
opportunity to do so.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-125

You have options within the chart view such as editing ranges, saving the chart to
dashboards, and defining an alert for this metric.

f. Click Back to Resource.

g. Click the down arrow next to Map to see a visual representation of resources and the next
level of parent and child resources. How many servers are under this machine platform?
Note: The map for a platform displays the servers under the platform, and the map for a
server displays the services under the server. Servers as well as services under the
platform are also listed on the left of the Monitor page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-126 Lesson 2 Reviewing SAS® Platform Architecture Components

h. Click Views  Live Exec.

i. Select a query to run from the drop-down menu, such as df and top.

12. Reviewing Service Architecture Enablement Steps and Locating Logs Created by
Enabling and Initializing the APM ETL
a. Navigate to the emi-framework directory where the instruction document
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf is located.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework

For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-127

Note: You can also find instructions to initial and enable the service architecture in SAS
Environment Manager: User’s Guide:
http://documentation.sas.com/?cdcId=bicdc&cdcVersion=9.4&docsetId=evug&docse
tTarget=n0532grdsxrb63n1429imhgv4yx1.htm&locale=en
The Initialization steps start on page 4 of the PDF. Initialization commands are located in the
bin directory.
Configuration of the package is broadly defined in three phases or stages. The main phases
of configuration are as follows:
1) Pre-check, validation of the initial deployment of SAS and SAS Environment Manager.
2) Validation of the SAS Environment Manager Service Architecture framework and the
initialization of the enhanced monitoring bundle.
3) Enabling either ACM or APM ETLs, including an additional initialization step for the APM
ETL. All ETL processes are optional and can be enabled at any time after the framework
has been initialized. However, one or more ETLs are required to construct the data dart.
Note: The Service Architecture has already been initialized in the classroom environment.
b. If the APM ETL package is enabled and initialized, a potentially large volume of log files is
created. The ETL process extracts data from SAS logs and loads that data into the data mart
so that the applicable stored process reports have data to work with. Data is extracted from
the SAS logs only when the logs roll over (usually after midnight).
1) Locate log files that are generated.

For Linux Server

On sasapp.demo.sas.com.com, navigate to
/opt/sas/config/Lev1/SASApp/WorkspaceServer.

For Windows Server

Navigate to D:\SAS\Config\Lev1\ SASApp\WorkspaceServer.

2) Open the PerfLogs directory. Logging of from this server causes a separate log file to be
created in this directory for each spawned SAS Workspace Server. This means that there
is a log file for each session of SAS Enterprise Guide or SAS Data Integration Studio
users.
With the enablement and initialization of the APM ETL package, the SAS Application
Server environment is modified to enable ARM (Application Response Measurement), as
well as the activation of SAS logging facility loggers and log appenders, to support the
ARM-enabled SASApp deployment.

Be aware of the potential f or the large number of log files that can be created in
this directory. You can create a daily archive of the logs in a .zip or .tar f ile and
then copy the daily archive to another storage location. This process enables you
to manage the large number of log files while maintaining IT best practices f or
retaining usage logs.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-128 Lesson 2 Reviewing SAS® Platform Architecture Components

13. Running Stored Processes from the Report Center

a. Select Analyze  Report Center. The Report Center is displayed in a separate window or
tab in your browser. The Report Center uses the SAS Stored Process web application, so
the window is titled Stored Processes.

To create a report, click the stored process entry. The viewing pane of the Report Center
window displays prompts for the information in the report. You can select the categories of
inputs on the left side of the display area to fully customize the report. Click Run to produce
the report.
b. Run a report that shows a full listing of available reports. Select Products  SAS
Environment Manager  Dynamic Reports  Datamart  Report Center Report
Listings.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-129

c. Run a report that shows a full listing of data mart tables and variables. Select Products 
SAS Environment Manager  Dynamic Reports  Datamart  Data Mart Proc
Contents Full Listing.

d. Run a report that shows a listing how often a user has connected to t he metadata server
through a client application. Select Products  SAS Environment Manager  Nightly
Reports  Audit Reports (Log Forensic)  Metadata Client Activity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-130 Lesson 2 Reviewing SAS® Platform Architecture Components

e. Run a report that shows the top 10 users by workspace server sessions. (The SAS
Workspace Server is most frequently used by clients for data retrieval, manipulation, and
analysis.) Select Products  SAS Environment Manager  Nightly Reports  ARM
Performance Reports  Workspace Server - User Activity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 2.6 Solutions 2-131

Solutions to Activities and Questions

2.01 Multiple Choice Question – Correct Answer

On the Resources page in SAS Environment Manager, where would you find
the SAS Object Spawner resource?
a. Services
b. Servers
c. Platforms
d. Mixed Groups

59
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

2.02 Multiple Choice Question – Correct Answer

Which statement is true regarding the SAS Environment Manager Agent?
a. You can have only one SAS Environment Manager Agent in a SAS
deployment.
b. The SAS Environment Manager Agent summarizes the metric
information and writes it to the PostgreSQL database.
c. The SAS Environment Manager Agent can be monitored under
Platforms in SAS Environment Manager’s Resource page.
d. You will have a SAS Environment Manager Agent running on every
platform where SAS components are configured in your SAS
deployment.

61
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
2-132 Lesson 2 Reviewing SAS® Platform Architecture Components

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 3 Understanding SAS®
Metadata and the Metadata Server

3.1 Exploring the SAS Metadata Server and Metadata Repositories ................................... 3-3

Practice............................................................................................................... 3-12

3.2 Exploring Initial Authentication to the Metadata Server .............................................. 3-16

Practice............................................................................................................... 3-22

3.3 Exploring SAS Metadata Objects ............................................................................... 3-28

Demonstration: Exploring SAS Metadata in SAS Environment Manager........................ 3-39

Practice............................................................................................................... 3-44

3.4 Implementing a SAS Metadata Server Cluster ............................................................ 3-47

3.5 Backing Up the SAS Metadata Server ........................................................................ 3-59

Practice............................................................................................................... 3-70

3.6 Solutions ................................................................................................................... 3-72

Solutions to Practices ............................................................................................ 3-72

Solutions to Activities and Questions...................................................................... 3-104

3-2 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-3

3.1 Exploring the SAS Metadata Server

and Metadata Repositories

SAS Metadata Server

SAS applications connect to the metadata server.
SAS Environment Manager
SAS Enterprise Miner
SAS Data Integration
Studio
SAS OLAP Cube
Studio SAS Information Delivery
Portal
SAS Add-In for Microsoft
Office
SAS Studio
SAS Enterprise Guide

Metadata Server
i SAS Model Manager
SAS Information Map
Studio
SAS BI Dashboard
DataFlux Data
Management Studio
SAS Management Console
SAS Web Report
Studio
3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In most cases, users access and update metadata using SAS applications, including SAS
Management Console, SAS Environment Manager, SAS Data Integration Studio, and SAS
Enterprise Guide. Web-based applications need only a web browser. The connection prof ile is built
into the web application.

You can also access and manage SAS metadata through programmatic interf aces , including the
METADATA and METALIB procedures, DATA step f unctions, and the batch tools for metadata
management. The tools are documented in SAS 9.4 Intelligence Platform: System Administration
Guide.

Other parts of the SAS Platf orm also communicate with the metadata server, including SAS
spawners, SAS servers, and SAS middle-tier applications.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-4 Lesson 3 Understanding SAS® Metadata and the Metadata Server

SAS Metadata Server

The metadata server’s role is to read and write metadata.

i
Metadata SAS Metadata
Server Repositories

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The management and use of threads are controlled b y the MAXACTIVETHREADS, THREADSMIN,
and THREADSMAX options. See “Conf iguring the Number of Threads Used by the Metadata
Server” in SAS 9.4 Intelligence Platform: System Administration Guide.

The metadata server

• uses multi-threaded processing to read metadata but uses a single thread to write and update
• is an ‘in-memory’ server, enabling high-speed access by applications
• supports concurrent users
• provides centralized management of metadata resources
• enables metadata exchange between applications so that applications can work together easily
and ef f iciently
• is built on the SAS Open Metadata Architecture, a metadata management f acility that provides
common metadata services to applications, including creating, accessing, and updating metadata.

Note: SAS 9.4 provides the option of implementing a metadata server cluster. Client applications
and users interact with the cluster in the same way that they would interact with a metadata
server that is not clustered.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-5

SAS Metadata
The SAS Metadata Server provides centralized management of metadata
resources. Metadata describes the location and structure of the
SAS Platform.
• server definitions Metadata
Server
• data definitions
• users and groups
• security settings
• business intelligence content
Metadata
Repositories

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS applications connect to the SAS Metadata Server and issue SAS Open Metadata Interf ace
method calls that access metadata f rom repositories.

Metadata Repositories
A metadata repository is a library of tables in which a collection of related metadata
objects is stored.

The repository is stored in a physical location and managed by a repository manager.

Foundation
accentry accsscn0 action appactn assctnpr attprop

authdom caset cmap cndtn

other tables…
6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-6 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Repository Manager
The repository manager is a library of tables that holds information about
the other repositories in the environment.
rposmgr
assocmgr cntainer mdassoc metaimdb

mrrgstry rposctrl textpage

OBJNAME ID REPTYPE RPOSPATH

Foundation A0000001.A5STDM7N FOUNDATION MetadataServer\MetadataRepositories\Foundation
Ole’s Work Repository A0000001.A5590EKV PROJECT MetadataServer\MetadataRepositories\OleWork
Barbara’s Work Repository A0000001.A5WWW6FH PROJECT MetadataServer\MetadataRepositories\BarbaraWork
7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

A metadata server cannot be started without a repository manager. Each metadata server can have
only one repository manager.

Metadata Repositories
The metadata server supports these types of metadata repositories:
Foundation Required metadata store for a metadata server. You
repository cannot create more than one foundation repository.
Custom An optional metadata store that is useful for physically
repository separating metadata for storage or security purposes.

Note: A third type of metadata repository is available for data management

solutions, called project repositories.

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The BILineage repository created f or the BI Lineage plug -in is a custom repository. Custom
repositories appear as f olders in the metadata f older tree under the SAS root f older.

A project repository is an optional metadata store that acts as an isolated work area f or SAS Data
Integration Studio. Each user who participates in change management has a project repository.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-7

You can use the Metadata Manager plug -in to create and manage repositories.

Creating a new repository Creates initial repository content and all the metadata that def ines the
repository.

Registering a repository Creates the metadata that def ines the repository and points to
existing repository content.

Deleting a repository Deletes the repository content and all the metadata that def ines the
repository.

Unregistering a repository Removes the metadata that describes the repository without
removing the content of the repository itself.

SAS Metadata Server

To enable high-speed access by users, the metadata server is an
“in-memory” server. As clients submit queries, the requested records are
read from repository data sets on disk into the server’s memory.
Foundation
accentry accsscn0 action appactn assctnpr attprop

authdom caset cmap cndtn

i
Metadata Server
other tables…

In-memory database
9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When the f irst query f or a specific type of metadata object (f or example, a table) is submitted, all
table metadata is loaded into memory. The in-memory database remains until the metadata server is
paused or stopped.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-8 Lesson 3 Understanding SAS® Metadata and the Metadata Server

SAS Metadata Server Journaling

When journaling is enabled, access is returned to clients as soon as the
metadata updates are written to the in-memory database and the journal
file. The more time-consuming updates to the repository data sets
are performed later in the background.

Foundation
accentry accsscn0 action appactn assctnpr attprop
Journal file

authdom caset cmap cndtn

other tables…

i
Metadata Server In-memory database
10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Journaling is enabled by def ault f or the metadata server. For best perf ormance, it is recommended
that journaling be enabled at all times. If the metadata server f ails bef ore the update process can
apply all updates f rom the journal f ile, the metadata server automatically recovers them f rom the
journal f ile when it is restarted.

In addition, journaling must be properly configured in order f or roll-forward recovery to be available if

you need to restore the metadata server. When the OMA JOURNALTYPE = option is set to
ROLL_FORWARD, the metadata server creates a linear journal f ile that permanently stores all
transactions that occurred since the most recent backup.

The metadata server is initially set up to write journal entries to a journal f ile that is stored in </SAS
Configuration Directory/Levn/>SASMeta/MetadataServer/Journal. Each time that a new backup is
executed, journaling stops and a new journal f ile is started in this location.

Journaling is controlled by options set in the omaconfig.xml f ile.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-9

Metadata Server Start-up

The metadata server reads the omaconfig.xml file at start-up. The
omaconfig.xml file contains SAS Metadata Server settings, including the
following:
• location of the repository manager
• email addresses to which alert emails are to be sent
• journaling options

Note: Any changes to this file require a restart of the metadata server in
order for the changes to take effect.

11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Alert emails that are generated by the metadata server are sent to the addresses that are specif ied
in the OMA ALERTEMAIL option in the omaconfig.xml f ile. The generated email has Metadata
Server Alert in the subject line. The body of the message specifies the error that occurred, the
name of the metadata server host machine, the metadata server port, and the location of the
metadata server log.

The metadata server sends alert emails in these situations:

• An error occurs during metadata server backup or recovery.
• A problem occurs and prevents the repository data sets from being updated from the journal.

To test the alert email conf iguration, do the f ollowing:

1. Log on to SAS Management Console.

2. Expand the Metadata Manager plug-in. Right-click Active Server and select Properties.

3. In the Active Server Properties dialog box, select Send Test Message.

4. In the Send Alert E-mail Message dialog box, enter text to be included in the email. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-10 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Metadata Server Start-up

i
Metadata Server 3 Repository Manager

1 2
5

omaconfig.xml Metadata Repositories

17
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1. The metadata server is launched f rom the operating system either as a Windows service or f rom
a command. As part of the start-up, the metadata server reads the omaconf ig.xml file in the
metadata server conf iguration directory.

2. One of the settings in the omaconf ig.xml file is the location of the repository manager.

3. The metadata server connects to the repository manager.

4. The repository manager provides inf ormation about the metadata repositories including location,
type, and name.

5. The metadata server connects to the metadata repositories.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-11

3.01 Question
By default, journaling is not enabled for the metadata server.
 True
 False

18
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.02 Multiple Choice Question

The metadata server knows the location of the repository manager because
it is specified in which of the following files?
a. sasv9_usermods.cfg
b. sasv9.cfg
c. omaconfig.xml
d. logconfig.xml

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-12 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Practice

1. Exploring Metadata Pointers in SAS Management Console and the Contents of the
Metadata Server Directory

a. On your Windows machine, log on to SAS Management Console as Ahmed with the
password Student1. (SAS Management Console is listed under the Start menu.)

Connect with the SAS Admin - Linux Server or the SAS Admin - Windows Server
connection prof ile:

b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.

c. Where is the Foundation repository physically located? Under Active Server, select
Foundation.

d. In what f ormat is the metadata in the repository stored?

For Linux Server

On the sasapp.demo.sas.com machine, navigate to
/opt/sas/config/Lev1/SASMeta/MetadataServer/MetadataRepositories/Foundation .

Use WinSCP or mRemoteNg located on the Windows desktop.

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\

MetadataServer\MetadataRepositories\Foundation.

The metadata is stored in specially f ormatted SAS data sets. You should never access these
tables directly. While the metadata server is running, these tables are locked. Any access
(query, update, and so on) to these must be done via the metadata server. If you do not use
the metadata server to access these tables, you risk corrup ting the metadata.

Note: Metadata queries that are made using SAS applications, PROC METADATA, batch
tools f or metadata management, or DATA step f unctions are processed by the
metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-13

2. Checking the Availability of the Metadata Server in SAS Environment Manager

On the SAS Platf orm, the metadata server is the most critical component. It must always be
running and responsive. In this practice, you check the availability and health of the metadata
server.

a. Open Internet Explorer or Google Chrome f rom the Windows machine using the taskbar.
Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Sign in to SAS Environment Manager as Ahmed with the password Student1.

c. Click the Resources tab.

d. Click Servers. How many servers are listed?

e. Click the f ollowing:

For Linux Server

sasapp.demo.sas.com SASMeta - Metadata Server

For Windows Server

sasserver.demo.sas.com SASMeta - Metadata Server

Note: You might need to go to the second page of server listings by clicking the arrow at
the bottom right of the page.

Note: You can use the search f ield and enter Metadata Server. Make sure All Server
Types is selected in the second f ield, and then click the right-pointing arrow at
the f ar right.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-14 Lesson 3 Understanding SAS® Metadata and the Metadata Server

f. Look f or the f ollowing metrics for a quick overview:

Availability

Server Health

g. If the metadata server is overusing virtual memory (too much page swapping), that could
indicate trouble and might cause slow responses. These metrics are helpf ul:

Process Page Faults Per Minute

Time in Calls Per Minute

Not all metrics f or this resource, the metadata server, are displayed by default , such as Time
in Calls Per Minute.

h. Select All Metrics in the drop-down list on the lef t to see a list of all the metrics f or this
resource. (Currently, Problem Metrics is displayed in the drop-down list.)

i. Add Time in Calls Per Minute to the list of metrics displayed by clicking the black arrow next
to the metric.

j. Move Time in Calls Per Minute and Process Page Faults Per Minute to the top using the
up arrow to the right of the named metric.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-15

k. Click Apply next to View: Update Default located above the Availability metric and to the
right.

Note: You want to know how much the metadata server is having to use disk space because
it does not have enough memory available to it. Paging is when individual memory
segments, or pages, are moved to or f rom the swap area. When memory is low,
portions of a process are moved to use disk space as a temporary place to store
inf ormation that it would normally just hold in memory. This is called swapping to
disk. When a process needs to swap some data f rom disk to memory so that it can
access the data in memory, a page f ault occurs. It is an event that occurs because
the page of memory the process wanted is currently not in memory; it is held on the
swap f ile on the disk. Thus, when a page f ault occurs, the operating system knows
that it needs to swap the data that the p rocess wants back into memory, and it will
swap some other existing data f rom memory to the disk to f ree up the required
memory so that there is room f or the required page.

One of the metrics available f rom the OS that describes what a process does when i t
enters this memory-constrained state is the number of page f aults (swaps between
disk and memory) per period of time. You can see this metric f or the process
examined here, the SAS Metadata Server.

You expect some degree of virtual memory swapping (page f aults), which is normal,
but if you see a trend of increase over time, then you should probably investigate.

l. The data f or the past eight-hour time period is displayed. Change this to a 30-minute interval.
Use the Last (number)/(Unit) drop-down list to change the length of the time period
displayed. Click OK. (You can use the Previous Page/Next Page buttons to scroll through
earlier time periods as well.)

m. Select the Metric Data button to display the data underlying the charts.

You see all of the metrics displayed here in a tabular table, whereas with the Indicators
selected, there is only a subset showing, unless you add a metric to be displayed (step i).

Note: You can also click the Chart button next to an entry in the table to see a chart of that
metric. However, the chart is dif ferent f rom the indicator chart.

n. Select Alert.

o. Select Configure. How many alerts are conf igured? How many alerts are active?

There are built-in alerts because Extended Monitoring has been enabled in this environment.

Note: Two alerts that might be usef ul are “Metadata Server ERROR message in log” and
“Metadata User Lockout”. If either of these alerts is f ired, you might want to check the
logs f or the metadata server to get more details about why these events are
happening.

p. Click Metadata Time in Calls per Minute to look at the alert def inition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-16 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.2 Exploring Initial Authentication to the

Metadata Server

SAS 9.4 Authentication Mechanisms

Authentication is the process of verifying the identity of a person or process
for security purposes.

External • Host authentication

• Direct LDAP authentication
• Integrated Windows Authentication
• Web authentication

Internal • SAS internal authentication

• SAS token authentication

25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

External authentication mechanisms integrate SAS into your computing environment.

SAS Metadata Server

SAS desktop applications connect to the metadata server using connection
profiles. A connection profile is a file stored on the user’s machine. It
contains the information necessary for connection to the metadata server.

SAS Information
SAS Add-In for Map Studio
Microsoft Office

Connection Profile Connection Profile

SAS Enterprise
Guide
(ConfigurationV71.xml)

Metadata Server
i (SAS Admin.swa) SAS OLAP Cube Studio

SAS Management
Console

Windows Applications Java Applications

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-17

Web-based applications connect through the SAS Logon Manager, a web application that handles
all authentication requests f or SAS web applications. As a result, users see the same si gn-in page
when they access any of the SAS web applications.

Connection Profiles
Connection information is stored in different files for Java applications and
Windows applications.
Regardless, the connection information includes the metadata server host
name and port. By default, users have the option to save a user ID and
password in the profile.

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Connection Prof ile window enables a user to open an existing prof ile, edit an existing profile, or
create a new prof ile. Profiles are stored locally on the user’s machine:
C:\Users\Student\AppData\Roaming\SAS\MetadataServerProfiles. If there are no prof iles on the
machine, the user is prompted to create one bef ore logging on. In that location, Java applications
have the connection inf ormation in .swa f iles. Windows applications are in a f ile named
ConfigurationV71.xml. (The version might be dif ferent.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-18 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Initial Connection to the SAS Metadata Server

5

SAS Management
Console
1 i 4
Metadata Server
SAS Enterprise
Guide 6
Metadata
Repositories

2 3

Object
Spawner Authentication by Active Directory, Local Security Authority,
PAM, UNIX password file structure, or other provider

34
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1. Ahmed supplies these credentials to log on to the metadata server:

• user ID: Ahmed
• password: Student1

Note: An alternative to providing credentials is to use Integrated Windows Authentication.

2. The metadata server passes Ahmed’s credentials to its host authentication provider. By default,
the metadata server passes the credentials to its host. If the accounts are local, they are verif ied
by the host. The host can also be conf igured to pass the authentication request to LDAP or
Microsof t Active Directory.

3. The authentication provider verif ies that the credentials are valid and returns the f ully qualif ied
user ID (sasserver\Ahmed) to the metadata server.

Note: The authentication provider does not return the password to the metadata server.

Note: The f orm of the f ully qualified user ID varies depending on the authentication provider.
For example, if the account is a UNIX account, the returned user ID is Ahmed.

4. The metadata server searches f or the f ully qualif ied user ID in the metadata repository (inbound
logon).

5. The metadata server determines which metadata identity owns the user ID. Based on the
metadata identity, the metadata server can determine what level of access Ahmed has to the
metadata. Access to the metadata server is set in the repository ACT (access control template).
Only users with ReadMetadata and WriteMetadata in the repository ACT, named Default ACT by
def ault, are allowed to connect to the metadata server.

6. The metadata server sends a credential handle to the application so that when the application
requests inf ormation f rom the metadata server, it can pass the handle. The metadata server then
knows the metadata identity of the user.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-19

Initial Connection Using Integrated Windows

Authentication (IWA)
Windows authentication, trusted authority

4 5
1 2
7
8 6

i
Metadata
SAS 3 Server
Management
Console Metadata
Repositories
43
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Integrated Windows Authentication (IWA)

1. The client asks Windows f or a token that represents the user who is currently logged on to the
client computer.

2. Windows provides the token to the client.

3. The client sends the Windows token to the metadata server. Notice that only the token is sent.
The user's password is not available to the metadata server.

4. The metadata server sends the token back to Windows f or verif ication.

5. Windows tells the metadata server that the token is valid.

6. The metadata server searches f or the f ully qualif ied user ID in the metadata repository
(inbound logon).

7. The metadata server verif ies that the user was granted access to the metadata in the
repository ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-20 Lesson 3 Understanding SAS® Metadata and the Metadata Server

8. The metadata server accepts the connection f rom the client.

Note: For initial connection to the metadata server, this represents the verif ication phase. The
identif ication phase is essentially the same in all authentication models. Af ter verif ication,
the authenticated token includes the user ID. The metadata server searches its logons
f or a match. An inbound logon is still required.

Note: There are limitations to IWA f or servers on UNIX. In order to use IWA on UNIX platf orms:
• For SAS 9.4M1 on all platf orms, you must purchase, install, and configure an
additional third-party product (Quest Authentication Services 4.0).
• For SAS 9.4M2 on Linux platf orms, you must ensure that a shared library that
implements the GSSAPI with Kerberos 5 extensions is installed and conf igured to
allow authentication against your Active Directory domain or Kerberos realm. Quest
Authentication Services f ulf ills this requirement, as do the krb5 packages provided in
supported operating system distributions and in various third -party solutions.
• When you use IWA on UNIX, only Kerberos connections are supported . (There is no
support f or NTLM on UNIX.) If you use IWA f or a UNIX workspace server that makes
outbound Kerberos requests, the service principal account in Active Directory must
have the trusted for delegation to all services privilege.

For additional inf ormation about Integrated Windows Authentication, ref er to SAS 9.4 Platform
Intelligence: Security Administration Guide.

3.03 Question
An alternative to using credentials is to use Integrated Windows
Authentication.
 True
 False

44
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-21

3.04 Multiple Choice Question

If you make changes to the omaconfig.xml file, what would you need to do
to ensure that the changes are in effect?
a. nothing
b. Make sure no users are connected to the metadata server.
c. Pause the metadata server.
d. Restart the metadata server.

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-22 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Practice

3. Exploring the Initial Connection to the Metadata Server

This practice demonstrates the initial authentication process to the metadata server.

a. On the Windows machine, select Start  All Programs  SAS  SAS Enterprise Guide
8.2. Close the Welcome to SAS Enterprise Guide window. Place the pointer on the f ollowing
in the upper right of the application interf ace:

For Linux Platf orm: sasapp.demo.sas.com

For Windows Platf orm: sasserver.demo.sas.com

You see the user who is logged on.

b. Click the appropriate connection:

For Linux Platf orm: sasapp.demo.sas.com

For Windows Platf orm: sasserver.demo.sas.com

c. Select the server prof ile that you want to work with, highlight it, and click Modify.

d. Clear the Save login in profile check box.

e. Remove Jacques f rom the User f ield and enter sas. Remove the asterisks f or the password
and enter Student1.

Note: This is the SAS install account. But this account is not linked with a metadata identity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-23

f. Click Save. Click Yes to modif y the active profile and continue.

g. An Error window appears. How is the user identif ied by the metadata server?

Note: At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
through the Repository ACT. The authorization layer of the SAS environment is
discussed in a later lesson.

h. Click Close.

i. Click Modify to change the saved Connection Prof ile user back to Jacques. You can select
Save login in profile.

j. Click Save. If needed, the prof ile of choice (Linux or Windows) can be set as the def ault using
the Set Active button. Click Close.

k. Open Internet Explorer or Google Chrome f rom the Windows machine. Select SAS Studio
f rom the Windows or Linux f older on the Favorites bar.

l. Sign in with user ID badguy and the password Student1.

Note: The user account badguy does not exist on the host.

m. Now sign in with user ID sas and the password Student1. (You might need to sign in twice
bef ore the message below appears.)

n. Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar
and this time sign in as Ahmed with the password Student1.

o. Select Analyze  Event Center.

What event was generated pertaining to a bad logon?

p. Let’s look at the metadata def inition of a user such as Jacques. Click the Administration
tab, which opens in another browser. (You can render the Administration page in another tab
instead of a separate browser window by pressing the Ctrl key and clicking the
Administration tab simultaneously.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-24 Lesson 3 Understanding SAS® Metadata and the Metadata Server

q. Select Users f rom the vertical navigation bar on the lef t side.

r. Click to access a drop-down list on which you can f ilter. Select User.

s. Double-click Jacques to see the metadata def inition.

t. Click the Accounts tab to see the ID that is used and stored with the metadata identity f or
initial authentication to the metadata server.

4. Exploring Connection Profiles

Connection prof iles are stored in f iles on the user’s desktop , but stored passwords are
encrypted. Examine an existing connection profile.

a. Open SAS Management Console and edit the connection prof ile for the system that you are
managing in class.

b. Click Next.

c. On the Edit Connection Profile – SAS Admin – <server> Server, enter Ahmed in the
User ID f ield and Student1 in the Password f ield. Also click the Save user ID and
password in this profile box. Then click Finish to save the prof ile.

d. On the client machine, use Windows Explorer to navigate to

C:\Users\student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents of
SAS Admin – Linux Server.swa or SAS Admin – Windows Server.swa associated with
the class environment that you are managing using a text editor such as Notepad.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-25

What is the value of AllowLocalPasswords?

Note: If the AppData f older is hidden, you can enter the path into Windows Explorer or
unhide the f older. To unhide it, in Windows Explorer, select Organize  Folder 
Search options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box.
Click OK.

e. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter
the f ollowing code:
proc pwencode in="Student1";
run;

f. Click Run.

g. On the Log tab, locate the value that begins with {sas002}. Does the value match the
password value in the SAS Admin - <server>.swa f ile?

Note: A password string beginning with {sas002} is encoded using the SAS Proprietary
algorithm.

h. Close SAS Enterprise Guide.

i. View the metadata server log. Verif y the SAS Enterprise Guide initial connection to the
metadata server.

1) Open the most recent metadata server log.

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/SASMeta/MetadataServer/Logs.

For Windows Server

D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs

2) Scroll down closer to the bottom and look for the name of the user ID that was used to
log on to SAS Enterprise Guide. (Otherwise, you can simplif y the search by using the
Find tool f or the name. Hold down the Ctrl key and press F.)

5. Exploring the omaconfig.xml File

The omaconfig.xml f ile is the start-up f ile f or the SAS Metadata Server. You can specif y
changes to standard f eatures of the SAS Metadata Server, the repository manager, and policies
related to internal users in this f ile.

Open the omaconfig.xml f ile.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-26 Lesson 3 Understanding SAS® Metadata and the Metadata Server

For Windows Server

Use Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer.

What is the setting in this f ile that governs saving a password in a connection prof ile?

Note: For a f ew solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client -side connection
prof iles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate
to Application Management  Configuration Manager  SAS Application
Infrastructure. Right-click and select Properties  Settings  Policies  Allow client
password storage.

What is the def ault value? What other values are possible?
Note: To f ind the possible values, go to support.sas.com and search Reference Information
for omaconfig.xml.

If you make changes to this f ile, what steps need to be perf ormed?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.2 Exploring Initial Authentication to the Metadata Server 3-27

3.05 Multiple Choice Question

A SAS user cannot log on to SAS Enterprise Guide. Here is the message that
is received:
What is the problem?

a. The user does not have an LDAP account.

b. The user is using an internal account and therefore cannot be
authenticated to the host.
c. The user does not have a SAS identity, or the SAS identity does not have
the correct fully qualified ID in the corresponding identity definition.
d. There is no group called PUBLIC in metadata.

50
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-28 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.3 Exploring SAS Metadata Objects

SAS Metadata
A metadata object, also known as a metadata definition, is a SAS resource
that is used by SAS applications.

Repository Root Folder Data Visual Analytics

Library Exploration Report

Folder
Application Cube
Logical Server Table
Server Report

Dashboard Stored
Identity Information Process Schema
Map
53
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Users (directly or through the groups to which they belong) need access to metadata as well
as to the non-metadata elements that they ref erence.

SAS Metadata Types

The SAS Metadata Model includes metadata types. Each metadata object
is a unique instance of a metadata type.

54
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-29

SAS Metadata
SAS metadata is displayed in
• SAS Management Console on the Plug-ins tab
• SAS Environment Manager’s Administration tab
• the folder structure in SAS applications.

Metadata Administration
Metadata is organized in folders.
55
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Renaming, moving, or deleting SAS f olders and the objects that they contain can cause
unpredictable results.

Bef ore renaming, moving, or deleting an object or a f older, see the guidelines in “Best Practices f or
Managing SAS Folders” and “Best Practices f or Maintaining Associations among Objects in
SAS Folders” in SAS 9.4 Intelligence Platform: System Administration Guide.

The initial f older structure includes the f ollowing main components:

SAS Folders is the root f older f or the f older structure. This f older cannot be renamed, moved, or
deleted. It can contain other f olders, but it cannot contain individual objects.

My Folder is a shortcut to the personal f older of the user who is currently logged on.

BILineage is the root f older f or the BILineage metadata repository. This repository stores results
f rom scans that have been run using the BI Lineage plug -in. This f older should not be renamed,
moved, or deleted. The repository and f older should not be used f or any purpose other than storing
scan results

Products contains f olders f or individual SAS products. These f olders contain content that is installed
along with the product. For example, some products have a set of initial jobs, transformations, stored
processes, or reports that users can modif y for their own purposes. Other products include sample
content (f or example, sample stored processes) to demonstrate product capabilities. Where
applicable, the content is stored under the product's folder in subf olders that indicate the release
number f or the product.

Note: During installation, the SAS Deployment Wizard enables the installer to assign a dif f erent
name to this f older. Theref ore, your Products f older might have a dif f erent name.

Shared Data is provided f or you to store user-created content that is shared among multiple users.
Under this f older, you can create any number of subf olders, each with the appropriate permissions,
to f urther organize this content.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-30 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Note: You can also create additional f olders under SAS Folders in which to store shared content.
System contains SAS system objects that are not directly accessed by business users. This f older
contains the f ollowing f olders:
• Administration is not currently used.
• Applications contains f olders f or individual SAS applications that have system objects. Under
these f olders, the objects are stored in subf olders that correspond to individual release numbers.
• Publishing contains channel and subscriber objects that are used by the Publishing Framework.
• Secured Libraries contains secured data f olders, secured library objects, and secured table
objects that have been created to support metadata-bound libraries. See SAS 9.4 Guide to
Metadata-Bound Libraries.
• Security and Servers contain ref erences to security objects (users, user groups, roles, access
control templates, and authentication domains) and server objects. The white f olders indicate that
these are virtual f olders. The f olders are displayed only in SAS Management Console to support
operations such as promotion. See “Promoting Security Objects and Server Objects” in the SAS
Help Center.
• Services is used by SAS BI Web Services to store metadata f or generated web services.
• Types contains type def initions for public objects that exist on this metadata server.

User Folders contains f olders that belong to individual users. These f olders are ref erred to as the
users' home f olders. The name of each home f older is based on the value of the user's Name f ield in
the User Manager plug-in f or SAS Management Console.

The f irst time a user logs on to an application that requires a home f older, the user's hom e f older is
automatically created. That same f older is then used by other applications that the user logs on to.

SAS Metadata External Associations: SAS Servers

Metadata server objects

Associated server directory

containing configuration files

56
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-31

SAS Metadata External Associations: Users and Groups

Note: Typically, groups contain metadata users. An external account can be

associated with a group for third-party database access.
57
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Users, groups, and roles can be created, viewed, and managed in the f ollowing:
• User Manager plug-in in SAS Management Console
• Administration tab of SAS Environment Manager

SAS Metadata External Associations: Folders

Folder Metadata Object Folder
Hierarchical organization of metadata In most cases, no direct physical content
objects

No direct physical
content

Note: Content mapping is in place. Digital content is stored on the

SAS Content Server.
58
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-32 Lesson 3 Understanding SAS® Metadata and the Metadata Server

SAS Metadata External Associations: Libraries and Tables

Library Metadata Object Library
Connection information and nickname (libref) Collection of tables stored in the operating
for library system or RDBMS

Table Metadata Object Table

Description of the table including columns Physical store of relational data
(names, types, attributes), indexes, and library

59
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Create and manage libraries and registration using one of the f ollowing:
• Data Library Manager plug-in in SAS Management Console
• Administration tab of SAS Environment Manager
In SAS Environment Manager 2.5 (the current release f or the SAS 9.4 Platf orm), SAS LASR Analytic
Server and Base SAS libraries are the only two available values f or the Type f ield.

Note: Some of the metadata representations described above, such as tables, are actually a
collection of associated metadata objects.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-33

SAS Metadata External Associations: Information

Maps and OLAP Cubes
Information Map Metadata Object Information Map
Collection of data items and filters that No direct physical content, but
provide a user-friendly view of the data information map points to tables or
cubes for input

OLAP Cube Metadata Object OLAP Cube

Description of cube, including Hierarchical, multidimensional
dimensions, levels, measures, drill- arrangement of data to enable quick
through table, and schema analysis

60
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Metadata External Associations: Reports and

Stored Processes
Report Metadata Object Report
Location of report definition and Report definition and additional files like
associated files graphics stored in SAS Content Server

Stored Process Metadata Object Stored Process

Location of SAS code (or code itself) and SAS code stored if stored outside of
execution parameters (including server metadata on a server
used for execution, type of output
created)

61
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-34 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Metadata Object Associations

Many metadata objects are also associated with other metadata objects.
The following tools can help with discovering the associations:
• Export SAS Package Wizard,
part of the SAS Promotion Tools
• BI Lineage plug-in Server Library Folder

• Batch tools

Information
Table Map Report

62 Folder Folder Folder

C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For example, a library metadata object is associated with a server and a f older. A table depends on a
library and is associated with a f older. An inf ormation map can depend on a table and be associated
with a f older. A report can depend on an inf ormation map and be associated with a f older.

Some of these associations are also the paths through which metadata permissions are inherited.

Export SAS Package Wizard

The Export SAS Package Wizard is available
through SAS Management Console. The wizard
enables you to see metadata associations that
would be packaged up on the export.
Promotion
(selected content)
Export

Import

Review: Promotion is the process of copying selected metadata and

associated content within or between63planned deployments of SAS.
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-35

If using the Export SAS Package Wizard to create a package and not just to see dependencies, you
can selectively promote content.
• Select multiple nested f olders.
• Include all or selected objects in a f older.
• Include or exclude dependent objects.
• Use a f ilter to select objects based on the object name, object type, or time period during which
the object was created or last modif ied.
• Include empty f olders.
• Include associated physical content.

For objects to f unction properly in the target environment, you must import the resources that
objects depend on, unless those resources already exist in the target environment. For
example, if you want reports to f unction properly, the inf ormation maps that the reports
depend on must be present. If a report has stored processes or images associated with it,
then those objects must be present in the target system.

Virtual f olders named Servers and Security are displayed in the SAS Folders tree in SAS
Management Console f or use in promoting these objects.

BI Lineage Plug-in
The BI Lineage plug-in for SAS Management Console identifies connections
between BI objects.
• Scan results are stored in a special metadata repository called the
BILineage repository.
• BI Lineage scans can be run and viewed only by an unrestricted
administrative user.

64
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The BILineage repository is created automatically the f irst time an unrestricted administrative user
logs on to SAS Management Console. The BILineage repository should not be used for any purpose
other than storing scan results.

To give users permission to view scan results, you must update the BILineage repository's Default
ACT to grant ReadMetadata permissions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-36 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Note: You cannot provide access by setting permissions on the BILineage f older that appears in
the SAS Folders tree, because scan results are not stored in the f older.

Because the lineage inf ormation is not generated in real time, it is important to keep the scan
inf ormation updated. To make this task easier, you can create jobs and then schedule them
to run at regular intervals. The plug-in can generate jobs f or running, exporting, or deleting BI
Lineage scans. Af ter the jobs are generated, you can use the Schedule Manager plug -in to
schedule the jobs. For details about these tasks, see the BI Lineage plug -in Help in SAS
Management Console.

SAS Intelligence Platform Batch Tools

The SAS Platform provides a variety of batch tools that you can use to
perform actions on objects and other components of the platform.
The batch tools are located in this path:
SAS-install-directory/SASPlatformObjectFramework/9.4/
The tools fall under these categories:
• metadata management tools
• export and import tools
• batch relationship reporting tools
• metadata server administration tools (…/tools)
• the Deployment Backup and Recovery tool (…/tools/admin)

65
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The batch tools can be incorporated into scripts so that you can run them repeatedly on either an ad
hoc or scheduled basis.
• Metadata management tools can be used f or tasks such as listing selected objects, deleting
selected objects, creating new f olders, and managing metadata access.
• Export and import tools enable you to promote individual objects or groups of objects from one
SAS deployment to another, or f rom one f older location to another within the same deployment.
The promotion includes all associated content except physical f iles for tables and external f iles.
• Batch relationship reporting tools enable you to identify relationships among the content objects in
the SAS Folder tree. For example, you can identif y the objects that a given object depends on or
contains; the objects that depend on or contain a given object; and the objects that are associated
with a given object. Both direct and nested relationships can be identif ied.
• Metadata server administration tools can be used by administrators to perform tasks such as
executing metadata server backups and restores, creating and deleting metadata repositories,
and updating metadata prof iles.
• The Deployment and Backup and Recovery tool provides an integrated method f or backing up and
recovering your SAS content across multiple tiers and machines.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-37

Additional batch tools are available f or middle-tier administration. See “Using the SAS Web
Inf rastructure Platf orm Utilities” in SAS Intelligence Platform: Middle-Tier Administration Guide.

Note: In all the SAS Intelligence Platf orm batch tools, you must use the correct case f or option
names (f or example, -includeDep and -newOnly) and object types (for example,
Inf ormationMap). All other elements of the commands are case insensitive.

Common Options for Batch Tools

For the Deployment Backup and Recovery batch commands and batch relationship
reporting tools:
Option Description
-host host-name Identifies the host machine for the SAS Web Server or SAS Web
Application Server.
-port port Specifies the port on which the SAS Web Server or SAS Web
Application Server runs.
-user user-ID Specifies the user ID of the connecting user.
-password password Specifies the password of the connecting user.
-protocol Specifies the communication protocol that is used by the
HTTP|HTTPS specified host machine and port.
-profile file-name Specifies the name of a file that contains the host, port, user ID,
and password options. This option can be provided in place of
-host, -port, -user, and66-password.
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

• The password should be encrypted using SAS proprietary 32-bit encryption. To obtain the
encrypted password, use PROC PWENCODE.
• If the -protocol option is not specified, the def ault protocol (HTTP) is assumed.
• A sample prof ile called environment.properties is located in SAS-installation-
directory/SASPlatf ormObjectFramework/9.4/tools/admin/conf/sample. If you use this f ile, be sure
to use operating system controls to protect access to the f ile.
• The sas-recover-of f line command uses different co nnection options. This command needs to
connect to the metadata server, not the web server or web application server.

The f ollowing additional options can be specified for the Deployment Backup and Recovery batch
commands:

-maxattempt maximum-number-of-attempts: The maximum number of attempts that are to be made

to execute the command if the f irst attempt fails. The def ault value is 2.

-help

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-38 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Common Options for Metadata Batch Tools

You must provide connection options to log on to the SAS Metadata Server.
Option Description
-host host-name Identifies the host machine for the metadata server.
-port port Specifies the port on which the metadata server runs.
-user user-ID Specifies the user ID of the connecting user.
-password password Specifies the password of the connecting user.
-profile profile-name Specifies the name of the connection profile that is to be used to
connect to the metadata server. This option can be provided in
place of -host, -port, -user, and -password.

67
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The connection prof ile must exist on the computer where the command is executed. You can specify
any connection prof ile that has been created f or use with client applications such as SAS
Management Console, SAS Data Integration Studio, and SAS OLAP Cube Studio. When you open
one of these applications, the available connection profiles are displayed in the drop-down box in the
Connection Prof ile dialog box.

The f ollowing additional options can be specified with any of the metadata server administration
batch commands:

-log log-path | log-path-and-filename specif ies the path (or the path and f ilename) where the log f ile
is to be written.

-help

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-39

Exploring SAS Metadata in SAS Environment Manager

This demonstration illustrates how to use SAS Environment Manager to explore a library metadata
object, the tables registered to that library in metadata, and the physical location of the tables.

1. Log on to SAS Environment Manager with Ahmed’s credentials.

2. On the Administration page, select Libraries f rom the vertical navigation bar.

3. From the list of the registered libraries, right-click Orion Star Library and select Open.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-40 Lesson 3 Understanding SAS® Metadata and the Metadata Server

With what metadata f older is the library associated?

Note: Time stamps will be dif f erent f or the SAS deployment on Windows versus Linux.

4. Click the Options tab. To what physical location does the library point?

The path f or data stored on the Windows server would be D:\Workshop\OrionStar\orstar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-41

5. Click the Assigned SAS Servers tab. With what server grouping is the library associated?

6. Click the Tables tab. The tables registered to this library and their metadata f older location are
listed. Right-click Orion Star Customers and select Open to see the metadata def inition of this
table.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-42 Lesson 3 Understanding SAS® Metadata and the Metadata Server

7. Select Folders f rom the navigation bar.

8. Expand Orion Star  Marketing Department  Data. The library and tables are listed here.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-43

9. Navigate to the location of the physical data.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/Workshop/OrionStar/orstar. The customer_dim.sas7bdat SAS data set is
stored in this location.

For Windows Server

Use Windows Explorer to navigate to D:\Workshop\OrionStar\orstar. The

customer_dim.sas7bdat SAS data set is stored in this location.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-44 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Practice

6. Using the Export SAS Package Wizard to Examine Dependencies and Associations
between Metadata Objects

The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote
individual metadata objects or groups of objects f rom one SAS deployment to another or f rom
one f older location to another within the same deployment. The wizards display the associations
and dependencies between metadata objects.

a. In SAS Management Console, on the Folders tab, expand the Orion Star f older. Right-click
the Marketing Department f older and select Export SAS Package.

b. Accept the def aults and click Next. (You are not going to create this package, so the location
and options do not matter.)

c. Under the Data f older, select Orion Star Customers. The Dependencies tab identif ies the
metadata objects on which the Orion Star Customers table depends.

d. Click the Used By tab. The Used By tab identif ies the metadata objects that depend on the
Orion Star Customers table.

e. Click Cancel.
7. Using the List Objects Batch Tool

Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are
stored in the SAS Folders tree. You can f ilter the list based on criteria such as object name,
object type, folder location, creation date and time, modification date and time, keywords, notes,
and responsible user. You can create the list in text, comma-separated values (CSV), or XML
f ormat.

a. First, f ind the metadata object type f or a stored process. In SAS Management Console,
under the Folders tab, navigate to System  Types. Right-click Stored process and select
Properties. Click the Advanced tab. Find the value f or TypeName. This will be used f or the
type option when using the batch tool.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.3 Exploring SAS Metadata Objects 3-45

b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list
all stored processes in Orion Star  Marketing Department. How many objects were
f ound?

For Linux Server

1. In mRemoteNG, on the sasapp.demo.sas.com machine, use the cd (change

directory) command to navigate to
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.

2. List the contents of the directory.

3. Issue the f ollowing command: ./sas-list-objects -help

This displays the available options for this command.

4. Generate the list of stored processes with the f ollowing options:

./sas-list-objects -host sasapp.demo.sas.com -port 8561 -user Ahmed -password

“Student1” -f olderTree “Orion Star/Marketing Department” -types StoredProcess
-f ormat LIST

For Windows Server

1. Open the Command Prompt under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.

2. Change the drive to D.

3. Use the cd (change directory) command to navigate to D:\Program

Files\SASHome\SASPlatformObjectFramework\9.4\tools.

4. Use the dir command to list the contents of the directory.

5. Issue the f ollowing command: sas-list-objects.exe -help

This displays the available options for this command.

6. Generate the list of stored processes with the f ollowing options:

sas-list-objects.exe -host sasserver.demo.sas.com -port 8561 -user Ahmed

-password “Student1” -f olderTree “Orion Star/Marketing Department” -types
StoredProcess -f ormat LIST

8. Using the BI Lineage Plug-in to Identify Connections between Objects

To generate lineage inf ormation, run a scan on a subset of f olders. The scan examines reports
and inf ormation maps that are stored in the selected f olders. It also identif ies objects (regardless
of their locations in metadata) that are connected to those reports and inf ormation maps.

a. In SAS Management Console, on the Plug -ins tab, right-click BI Lineage and select New
Scan.

b. Enter Orion Star Marketing Department Information Map Scan in the Name f ield.
Click Browse to navigate to Orion Star  Marketing Department  Information Maps.
Click OK  Next  Finish  Yes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-46 Lesson 3 Understanding SAS® Metadata and the Metadata Server

c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department and
select Information Maps. These are the objects that were examined during the lineage
scan.

d. Right-click Orion Star Gold Orders Cube and select Lineage.

Note: Lineage identif ies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the f olders that were selected f or the
scan.

e. Examine the contents of the Report and Graph tabs.

Note: The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.

There are two types of lineage results: high level and low level. High-level results
illustrate connections between high-level objects such as tables, reports, inf ormation
maps, cubes, and stored processes. Low-level results illustrate connections to other
low-level objects such as columns, hierarchies, or data items.

The results that you viewed in the last step are high-level results.
f. Click Cancel.

g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average
Quantity and select Low Level Lineage. Examine the Report and Graph tabs.

h. Click Cancel twice.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-47

3.4 Implementing a SAS Metadata Server

Cluster

SAS Metadata Server Cluster

A metadata server cluster is a coordinated set of metadata servers that act
as a single metadata server for a SAS software deployment. Client
applications and users interact with the cluster in the same way that they
would interact with a metadata server that is not clustered.

Metadata Server Clustering • Provides redundancy and high availability of the

metadata server.
• Ensures that the server continues to operate
if a server host machine fails.

72
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For documentation about metadata server clustering, ref er to SAS 9.4 Intelligence Platform: System
Administration Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-48 Lesson 3 Understanding SAS® Metadata and the Metadata Server

SAS Metadata Server Cluster

A cluster is three or more metadata server nodes. Each node
• typically runs on a separate machine
• runs its own server process
• has a complete copy of all metadata
• has its own server configuration directory, configuration files, journal file,
and logs.

If you change a configuration file or start-up script that is associated

with the metadata server, be sure to make the identical changes on
each node in the cluster.

73
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Each node also maintains a complete in-memory copy of the metadata repository.

Master Node and Slave Nodes

Master

Metadata
i Metadata
Server Repositories

i
Metadata Metadata Metadata
i Metadata
Server Repositories Server Repositories

Slave Node 1 Slave Node 2

74
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-49

When a clustered metadata server is started, the nodes establish communication with one another.
One of the nodes becomes the master node that coordinates activity within the cluster. The other
nodes are considered slave nodes. A load-balancing process automatically distributes work among
the slave nodes.

Maintaining Quorum in a Clustered Environment

For a cluster to operate, a quorum of nodes must be running. If a quorum
is not achieved, the server is paused to offline status.
• In clusters with an odd number of nodes, a quorum exists if more than one
half of the nodes are running
• In clusters with an even number of nodes, a quorum exists if one half of
the nodes are running as long as the initially configured server is running.

75
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Quorum Determination with an Odd Number of Nodes

Node 1 Node 2 Node 3 Quorum? Server (Cluster)

Status

Yes Online

Yes Online

No Offline

Yes Online

No Offline

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-50 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Quorum Determination with an Even Number of Nodes

Node 1 (initially Node 2 Node 3 Node 4 Quorum? Server (Cluster)

configured server) Status

Yes Online

Yes Online

Yes Online

No Offline

Yes Online

No Offline

No Offline

How Clients Connect to a Metadata Server Cluster

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e

Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

76
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

A client application can connect to any of the three nodes. If a client application attempted to connect
to the master node, it would be redirected to a slave node.

In this example, the f irst client application connects to node 1, which is a slave node.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-51

How Clients Connect to a Metadata Server Cluster

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e
Client 1
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories
redi rect

SAS Enterpri s e
Slave Node 1 Slave Node 2
Gui de
Client 2

78
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When the second client application attempts to connect to node1, it is redirected to one of the other
slave nodes (node 2 in this example) by a load -balancing process. Currently, the load -balancing
algorithm is a round-robin process.

Af ter a client application is connected, it can never be redirect ed to another node. If the node f ails,
the client must reconnect to another node.

Metadata Read Requests

Master

Metada ta
i Metada ta
Server Repos itories

SAS Enterpri s e
Gui de
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

79
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-52 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Client applications request metadata f rom the slave node to which they are connected. If the request
does not require an update to metadata, the slave node executes the req uest using the metadata
that is stored on that node (or in memory). The other nodes are not aware and do not participate.

Metadata Update Requests

Master

Metada ta
i Metada ta
Server Repos itories

2 3 3

SAS Enterpri s e
Gui de 4 Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

84
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

1. If the request requires an update to metadata, the slave node f orwards the request to the master
node.

2. The master node perf orms all of the needed preparation work bef ore the metadata is updated,
including constraint checks and permission checks. After it is accepted, the master node creates
a journal entry in its journal and queues the update to its in-memory copy of the metadata.

3. The master node f orwards the journal entry to the slave nodes. The slave nodes add the journal
entry to their individual journal f iles and queue the update to their in-memory copy of the
metadata.

4. The slave node updates its in-memory copy of the metadata. When it completes the update, the
slave node responds to the client application that is connected to the slave node. Be aware that
the other slave nodes might not have perf ormed the update to their in-memory metadata yet. If
any read requests come to the other slave nodes, they respond with consistent data without the
pending updates.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-53

Slave Node Failure

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

85
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

If a slave node f ails, it drops out of the cluster. The master node becomes aware that the slave node
is gone and no longer sends updates there. If quorum is maintained, load balancing uses only the
remaining slave nodes f or new connections. When a slave node f ails, in-f light transactions can f ail.

If a client application is currently connected to a node that dies, the application automatically tries to
connect to another node.

Slave Node Failure

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

86
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-54 Lesson 3 Understanding SAS® Metadata and the Metadata Server

The client application reconnects to another slave node. The reconnection is either automatic or the
application prompts the user. Most applications have access to a list of nodes in the cluster. For
most applications, the list is updated automatically. On each machine that includes an object
spawner, a SAS/CONNECT spawner, or components of SAS Application Servers (such as
workspace servers, pooled workspace servers, OLAP servers, and stored process servers), you
need to use the sas-update-metadata-prof ile batch tool to update the metadata prof iles.

If the master node f ails, one of the slave nodes is promoted to the server when the master node and
the cluster resume operation.

Master Node Failure

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

88
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

When the master node goes away, the slave nodes go offline. The remaining nodes immediately
establish communication with each other and select a new master node. Af ter a quorum is available,
the cluster comes back online.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-55

Master Node Failure

Master

Metada ta
i Metada ta
Server Repos itories

SAS Ma na gement
Cons ol e
Meta da ta
i Metada ta
i
Metada ta Metada ta
Server Repos itories Server Repos itories

Slave Node 1 Slave Node 2

89
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In this example, a client application was connected to a node that became the master node.
Because connection redirects happen only at connection time, this client application is not redirected
and stays connected to the master node, which services its requests. The new master node does not
accept new connections.

Prerequisites for Cluster Configuration

All the host machines in the cluster must have the same operating system
and meet the requirements to run a metadata server.
In addition, all the servers in the cluster must do the following:
• use the same network path to access the metadata server backup location
• be started using a single user account

Note: On a Windows Server, SAS Metadata Server service needs to be

changed over to a User account. It is currently running under System.

90
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When setting up metadata server clustering, you must use a deployment plan that specif ies a
multiple-machine deployment.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-56 Lesson 3 Understanding SAS® Metadata and the Metadata Server

The single user account must be recognized by all of the machines that participate in the cluster.

Configuring a Metadata Server Cluster

To configure the cluster, do the following:

Step1: Configure the initial metadata server to use the network location for
backups and the service login account.
Note: This can be done during the initial configuration of the
metadata server or you can modify an existing metadata
server.
Step 2: Install and configure additional metadata server nodes.

91
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If you want to conf igure the initial metadata during the initial conf iguration, do the f ollowing in the
SAS Deployment Wizard:
• Override the def ault metadata server backup location and specify the network path to a backup
location that all of the nodes in the cluster can access.
• If necessary (f or example, on Windows), specif y the external account that is used to start the
server (service logon account).

To modif y the conf iguration of an existing metadata server in preparation f or clustering, do the
f ollowing:
• Specif y the network location f or the metadata server back up path. You can use SAS Management
Console and select Metadata Manager  Metadata Utilities  Server Backup 
Backup Configuration.
• Ensure that the metadata server is started with an external account that is recognized
by all the machines that participate in the cluster. On the Windows system, f ollow these steps:
– Stop the metadata server.
– In the Windows Services Manager, open the properties of the SASMeta - Metadata Server
service. On the Log On tab, specify the appropriate external account.
– Start the metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.4 Implementing a SAS Metadata Server Cluster 3-57

Monitoring Clustered Metadata Servers

There are two ways to monitor clustered metadata servers:
• SAS Management Console

• SAS Environment Manager

92
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Management Console enables you to view the overall status of a metadata server cluster and
to individually monitor each node in the cluster.
• To view the overall status of the cluster: Expand the Metadata Manager plug-in. Right-click the
Active Server node and select Properties. Click the Cluster tab to see the overall status of the
cluster (including the presence or absence of a quorum) and the status of each of the nodes in the
cluster.
• To view more detail about the individual nodes in a cluster: Navigate to Server Manager 
SASMeta  SASMeta - Logical Metadata Server. Expand SASMeta - Logical Metadata
Server. Each node appears on a separate line.

Select a node and connect to it.

Use the tabs on the right pane to view the node’s connections, clients, options, loggers, and log
events. Select Stop to stop only the selected node. Select Pause, Resume, Quiesce, or
Validate. These actions af f ect the entire cluster.

SAS Environment Manager supports monitoring of SAS Metadata Server clusters, ef f ective with
SAS 9.4M2. To view status indicators and metrics f or the cluster:
• On the Resources tab, select Platforms. In the list of platforms, select SAS 9.4 Application
Server Tier. Deployment-wide inf ormation is displayed at the top of the page, including the
message Metadata Clustered: Yes.
Select Monitor and then select a time period to display.
Select Indicators, and then scroll down to display Metadata Cluster Nodes Available, Metadata
Cluster Nodes Def ined, Metadata Cluster Percent Available, and Metadat a Cluster Quorum
Available.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-58 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.06 Multiple Choice Question

If quorum is not achieved in a metadata server clustered environment,
which of the following occurs?
a. The foundation repository is set to Read only.
b. The server is paused to Administration status.
c. The server is paused to Offline status.
d. The server stays available.

93
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.07 Multiple Choice Question

If the master node fails, which of the following occurs?
a. The remaining nodes go offline, establish communication with each
other, and select a new master node.
b. One of the remaining nodes immediately performs a backup.
c. The server is paused to offline status until the SAS administrator brings
the master node back online.
d. The metadata server takes itself out of the cluster.

95
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-59

3.5 Backing Up the SAS Metadata Server

Backing Up the SAS Platform

Here are recommended best practices for ensuring the integrity of the
content that is created and managed by the SAS Platform:
• Always use the metadata server backup facility to back up the repository
manager and metadata repositories.
• Perform regularly scheduled full backups.
• Perform backups before and after major changes.
• Specify a reliable backup destination that is included in daily system
backups.

99
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: In some situations, it might be appropriate to back up specific objects or f olders in the
metadata f olders (SAS Folders) tree. In these situations, you can use the promotion tools,
which include the Export SAS Package Wizard, the Import SAS Package Wizard, and the
batch export and import tools.

Suggested Approach for Synchronizing Metadata Backups with Physical Backups

• Back up the metadata server, the SAS Content Server, the SAS Web Inf rastructure Platf orm Data
Server, and the physical f iles concurrently (that is, in the same backup window). One way to do
this is to use the Deployment Backup and Recovery tool.
• Back up the SAS Content Server, the SAS Web Inf rastructure Platf orm Data Server, and the
physical f iles immediately af ter the metadata server is backed up, and do not allow clients to
update metadata while you are perf orming these backups. If you are running the backup on a
batch basis (f or example, as part of a daily schedule), then you can do the f ollowing to implement
this approach:
1. Write a program that uses PROC METAOPERATE to pause the metadata server to an Of f line
state. See “Example of a PROC METAOPERATE Program That Pauses the Metadata Server
to an Of f line State” in SAS 9.4 Intelligence Platform: System Administration Guide, Third
Edition.
You can use this program to pause the metadata server while you back up the SAS Content
Server, the SAS Web Inf rastructure Platf orm Data Server, and associated physical data. If you
use operating system commands to back up the metadata server, then you can use this
program to pause the server bef ore running the backup.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-60 Lesson 3 Understanding SAS® Metadata and the Metadata Server

2. Write another program that resumes the metadata server to an Online state. See “Example of
a PROC METAOPERATE Program That Resumes the Metadata Server,” in SAS 9.4
Intelligence Platform: System Administration Guide, Third Edition. You can use this program
af ter using operating system commands to back up the metadata server, or you can use it af ter
backing up the SAS Content Server, the SAS Web Inf rastructure Platf orm Data Server, and
associated physical data.
• If you are running an ad hoc (unscheduled) backup and you need to also back up associated data,
then you can do the f ollowing to prevent clients from updating metadata while you are backing up
the associated data:
1. Use the metadata backup f acility to back up the metadata server. Then immediately use SAS
Management Console to pause the metadata server. As an alternative, you can use SAS
Management Console to temporarily change the registered access mode of the repositories to
ReadOnly.
2. Back up the SAS Content Server, the SAS Web Inf rastructure Platf orm Data Server, and the
physical data.
3. When you are f inished backing up the SAS Content Server, the SAS Web Inf rastructure
Platf orm Data Server, and the physical data, use SAS Management Console to resume the
metadata server (or to return the registered access mode of the repositories to Online).

Note: In addition, you should synchronize the backups with the backup of other physical f iles.

Back Up and Restore Tools

Formal, regularly scheduled backups are scheduled at deployment of your
SAS Platform with these tools:
• Metadata Server Backup Facility in SAS Management Console
• SAS Backup Manager in SAS Environment Manager or Deployment Backup
and Recovery Tool

100
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-61

SAS Metadata Server Backup Facility

The metadata server backup facility automatically
backs up these files:
• the metadata repositories
• the repository manager
• all of the files in the metadata server
configuration directory
• the journal file

101
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Metadata Server Backup Facility

The metadata server includes a server-based facility that
• executes in a separate thread while the metadata server is running
• is configured by default to perform automatic scheduled backups
• can also be used to perform ad hoc
backups and roll-forward recovery
• can be managed from the Metadata
Manager plug-in.

102
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If you use operating system commands to back up your metadata repositories and metadata
server instead of using the metadata server’s backup f acility, then you must be sure to pause
the metadata server to an Of f line state bef ore you perf orm the backup. If the metadata
server is in an Online state or is paused to an Administration state, then the backup files are
not usable.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-62 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Note: You can use PROC METAOPERATE to pause the server to an Of f line state before the
backup is taken and to resume the server to an Online state when the backup is complete.

The backup f acility executes in a separate thread while the metadata server is running.
Theref ore, the metadata server does not need to be paused during backups unless certain
options are selected. If journaling is disabled or if the Reorganize Repositories backup
option is selected, the server is paused f or Read-Only use so that queries (but not updates)
can continue to be processed.

In addition to running scheduled backups, the metadata server automatically backs itself up
under certain unscheduled situations. Unscheduled backups use the same server-based
f acility and the same conf iguration options that are used f or scheduled backups.

A backup is run automatically in the f ollowing situations:

• af ter the SAS Deployment Wizard conf igures a metadata server.
• af ter you complete a successf ul recovery of the metadata server.
• if you change the JOURNALTYPE= option in the omaconfig.xml f ile to NONE or SINGLE
(which is not recommended), and later change the option back to ROLL_FORWARD . A
metadata server backup is run automatically when you restart the metadata server.

You can also run an ad hoc backup using the MetadataServer command or the
backupServer.sas program. Backups that are run using these methods use the same server-
based backup f acility and the same backup options that are used f or scheduled backups.

You can schedule a backup using the MetadataServer command or the backupServer.sas
program. First, disable the automatic backups in the Backup Schedule properties.

You cannot reorganize repositories when you run a backup with the MetadataServer
command or the backupServer.sas program.

Automatically Configured Backups

Backups are performed daily at 1:00 a.m.

server local time. On Mondays, the
Reorganize Repositories option is used.

Backups are stored in

/Lev1/SASMeta/MetadataServer/Backups.

Backups are retained for seven days. Each time a

backup is completed successfully, backup files that
are more than seven days old are deleted.
103
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-63

Note: If the backup is unsuccessf ul, no backups are deleted.

Note: If you do not want backups to be deleted automatically based on a retention policy, select 0
f or the Number of days to retain backups f ield in the Backup Conf iguration.

Note: In a metadata server clustered environment, a network accessible absolute path needs to be
specif ied.

To access the backup schedule, expand Metadata Manager  Metadata Utilities. Right-click
Server Backup and select Backup Schedule.

To access the backup conf iguration, expand Metadata Manager  Metadata Utilities. Right-click
Server Backup and select Backup Configuration.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-64 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Reorganize Repositories Option

When metadata is removed from a metadata repository, the record is
removed from both memory and disk. However, the disk space allocated for
the record remains in the data set.
When you use the Reorganize Repositories option as part of a backup, the
unused disk space from previously deleted records is reclaimed.

The Reorganize Repositories option should be used only during

times of little or no user activity. The metadata server is paused
during the reorganization process, and any update transactions
that are issued during this process fail.

104
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Backup Location
By default, the metadata server backup facility writes backup files to the
Backups subdirectory of the metadata server’s configuration directory.

105
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Within the backup location, each set of backup files (along with the associated journal f ile) is stored
in a directory whose name is based on the date and time that the backup is started.

Note: As a best practice, you should modify your backup configuration to specify a storage device
other than the device that is used to store the metadata repositories and server conf iguration
f iles. Specifying a separate device ensures that the backup f iles and their associated journal
f iles (including the most current journal f ile) are available in the event of a disk f ailure.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-65

Note: Make sure that the Backups directory (or the backup destination that you specify) is included
in your regular system backups.

Backup Retention Policy and Backup History

Each time that a successful backup is completed, previous backups that are
older than the specified number of days are deleted automatically. The
backup history automatically displays the offline status icon for deleted
backups.

deleted backups

106
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

It is strongly recommended that you use operating system tools to copy backups to another location.
These copies are no longer under the control of the backup retention policy. In particular, it is a very
good idea to retain the backups that you did at critical times, such as the initial backup that you did
af ter conf iguration.

If you do not want backups to be deleted automatically based on a retention policy, select 0 f or the
Number of days to retain backups f ield in the Backup Conf iguration. If you make this selection,
you need to delete f iles manually f rom the backup location on a regular basis to ensure disk space
availability.

Note: The of f line status icon is not displayed automatically f or backups that you delete manually.
To update the status icon f or a manually deleted backup, you must access the backup’s
Properties dialog box.

The check mark icon means that the backup or recovery was successf ul. For bac kups, this
icon also means that the backup was determined to be valid the last time the f iles were
checked. A backup is considered valid if all of the f iles are present in the backup location, all
of the f iles have the correct universally unique identif ier (GUID), and all of the f ilenames and
f ile sizes are correct.

The x icon indicates that either the backup or recovery was not successf ul or the backup was
successf ul, but when the f iles were last checked, they were invalid.

The def ault backup schedule specifies a weekly reorganization. It is not necessary to reorganize t he
repositories more f requently than once a week, except in extraordinary situations such as deletions
of a large amount of metadata. The repository reorganization process affects disk space only. It does
not af f ect the memory usage of the metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-66 Lesson 3 Understanding SAS® Metadata and the Metadata Server

If the Reorganize Repositories option is selected, the backup process does the f ollowing:
• pauses the server, placing it in a READONLY state
• copies the metadata server f iles to the backup destination
• re-creates the repository data sets in place, which eliminates the unused disk space in the process
• resumes the server to an ONLINE state

Backing Up a Metadata Server Cluster

The metadata server facility backs up the node that is acting as the master
node.
• In the backup configuration for each node, make sure that you have
specified the same backup destination.
• Make sure that the backup destination is accessible to all of the nodes via
the same network path so that the backup occurs regardless of which
node is the master node.
• The Reorganize Repositories option is ignored.

107
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The REORG backup option is ignored when you back up a server that was started with the
clustering option. However, you can use this option when you back up a single node that was started
without the clustering option.

To start a single node without the clustering option, use the f ollowing command:

For Linux Server

opt/sas/config/Lev1/SASMeta/MetadataServer/metadataserver.sh -startNoCluster

For Windows Server

D:\SAS\Config\Lev1\SASMeta\MetadataServer\metadataserver.bat -startNoCluster

The node starts as a single, non-clustered metadata server that is paused to the Administration
state. This action is usef ul when you want to perf orm one of the f ollowing administrative tasks on a
node:
• perf orm a metadata server recovery
• back up the metadata server with the REORG option
• run the optimizeIMDB command option of the metadata server script
• run the Metadata Analyze and Repair tools (except f or the Metadata Server Cluster
Synchronization tool, which runs on a server that has been started with clustering)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-67

After you perform one of these functions, you must restart the node to place it in the
cluster mode as the master node. Then start the other nodes in the cluster. The master
node updates the other nodes with the new data f rom the recovery, REORG, optimizeIMDB,
or analyze and repair operation.

Recovering the Metadata Server

You can use the Metadata Manager plug-in to recover the metadata
repositories and repository manager.

You can choose to recover

the configuration files.

You can choose to apply updates

stored in the journal file.

108
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If you need to recover an unresponsive metadata server, ref er to “What to Do if the SAS
Metadata Server Is Unresponsive” in SAS 9.4 Intelligence Platform: System Administration
Guide.

The recovery f acility provides safeguards to ensure the integrity of the backup f iles from which you
are recovering. The recovery operation checks that the bac kup directory contains the correct f iles
and that the f iles have the correct name and f ile sizes. In addition, each backup f ile contains a
universally unique identif ier that is used to make sure that you are recovering f iles f or the correct
metadata server. If any problems exist, the recovery is not started and a warning message is
displayed.

During recovery operations, the metadata server is paused automatically to a RECOVERY state.
The state is similar to an OFFLINE state but more restrictive. Af ter the recovery, the metadata server
perf orms an automatic backup. If the recovery is successful, the metadata server is returned to the
state that it was in bef ore the recovery process.

Note: As of SAS 9.4M1, the metadata server script includes a -recover option. This option starts a
server that is not currently running, and then restores the server’s metadata repository f rom
the most recent backup. The option provides an easy way to recover a server or node that is
unresponsive. The option does not provide roll-forward recovery, recovery of configuration
f iles, or recovery f rom a backup other than the most recent backup.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-68 Lesson 3 Understanding SAS® Metadata and the Metadata Server

You can recover f rom a backup that is listed in the backup history pane.

You can also recover f rom backup files stored in an alternate network-accessible location.

Note: When recovering f rom a metadata backup, you replace all of the metadata with the backup
copy. If you might need to restore only a small portion of the metadata, use the Export
Wizard on a regular basis to create package f iles that include metadata and associated
objects if appropriate. If you then need to restore part or all of the package, use the Import
Wizard. The Export and Import Wizards’ f unctionality is also available in batch mode. Ref er
to SAS 9.4 Intelligence Platform: System Administration Guide f or details about how to use
the promotion tools, and the batch export and import tools in particular.

Recovering a Clustered Metadata Server

You can use the metadata server recovery facility only on a single metadata
server node.
Step 1: Stop all of the nodes in the cluster.
Step 2: Start one of the metadata server nodes with the -startNoCluster
option.
Step 3: Use the metadata server recovery facility on the single node.
Step 4: Restart the node and place it in cluster mode.
Step 5: Start all of the other nodes in the cluster.

109
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Recovering conf iguration files from a backup is not recommended for clustered servers.
Backup up conf iguration files could contain node-specific paths or options.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-69

Af ter you recover the single node, the master node updates the other nodes with the new data f rom
the recovery operation.

3.08 Multiple Choice Question

Which of the following is true if you use operating system commands to
back up your metadata repositories?
a. You must pause the metadata server to an Administration state.
b. The backup executes in a separate thread while the metadata server is
running.
c. You must pause the metadata server to an Offline state before you
perform the backup.
d. You must pause the metadata server for Read-Only use before you
perform the backup.

110
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.09 Multiple Choice Question

Which of these items does the metadata server backup facility automatically
back up?
a. foundation repository, web infrastructure Platform Data Server, the
journal file
b. metadata repositories, metadata server configuration directory, Levn
directory, journal file
c. metadata repositories, journal file, metadata server, and web servers
configuration directories
d. metadata repositories, metadata server configuration directory, the
journal file

112
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-70 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Practice

9. Exploring the Backup Schedule and Backup Configuration in SAS Management Console
a. In SAS Management Console, on the Plug -ins tab, expand Metadata Manager  Metadata
Utilities. Right-click Server Backup and select Backup Schedule.

When did the last automatic backup occur? Did it invoke the Reorganize Repositories
option?

Click Cancel.

b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Backup Configuration. Where are the metadata server backups stored? And how many
days of backups are stored there?

Click Cancel.

c. Locate backup f iles.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\

MetadataServer\Backups.

How many backup subdirectories are there in the Backups directory? Does this match the
number of usable backups in the backup history pane in SAS Management Console?

10. Performing an Ad Hoc Backup

a. Use the Metadata Manager to perf orm an ad hoc backup of the metadata. Provide a
comment when you are prompted.

b. Verif y that the backup is marked with a green check mark in the backup history.

c. Verif y that the backup directory was created and populated in the backup destination.

11. (Optional) Restoring the Metadata

a. On the Folders tab, create a new f older. Include the current time in the name of the f older.
Make a note of the current time.

b. Wait a f ew minutes and create another new f older. Include the current time in the name.

c. Delete the two new f olders.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.5 Backing Up the SAS Metadata Server 3-71

d. As a best practice, it is recommended that you pause the metadata server to the
Administration state bef ore you perf orm a recovery. On the Plug-ins tab, expand Metadata
Manager. Right-click Active Server and select Pause  Administration. Provide a
comment and click OK.

e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click the
ad hoc backup that you created in the last practice. Select Recover from This Backup.

f. Provide comments f or the backup history and f or the server that you paused. Use the
ROLLFORWARD transaction option to restore the metadata f rom the last backup to a time
immediately af ter you created the f irst f older but before you created the second f older.

Was the backup successful?

In addition to the ad hoc backup and the restore, what else now appears in the backup
history?

g. Resume the metadata server by expanding Metadata Manager. Right-click Active Server
and select Resume.

h. Switch to the Folders tab. Verif y that only the f irst f older now appears on the Folder tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-72 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.6 Solutions
Solutions to Practices
1. Exploring Metadata Pointers in SAS Management Console and the Contents of the
Metadata Server Directory

a. On your Windows machine, log on to SAS Management Console as Ahmed with the
password Student1. (SAS Management Console is listed under the Start menu.)

Connect with the SAS Admin - Linux Server or the SAS Admin - Windows Server
connection prof ile:

b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.

The metadata is stored in repositories. Most metadata is stored in the Foundation repository.
Every metadata server has exactly one Foundation repository.

c. Where is the Foundation repository physically located? Under Active Server, select
Foundation.

The Foundation repository is a f oundation-type repository. The repository path indicates

where the content of the Foundation repository is stored. It is a relative path.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-73

d. In what f ormat is the metadata in the repository stored?

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer/
MetadataRepositories/Foundation.

Use WinSCP or mRemoteNg located on the Windows desktop.

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\

MetadataServer\MetadataRepositories\Foundation.

The metadata is stored in specially f ormatted SAS data sets. You should never access these
tables directly. While the metadata server is running, these tables are locked. Any access
(query, update, and so on) to these must be done via the metadata server. If you do not use
the metadata server to access these tables, you risk corrupting the metadata.

Note: Metadata queries that are made using SAS applications, PROC METADATA, batch
tools f or metadata management, or DATA step f unctions are processed by the
metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-74 Lesson 3 Understanding SAS® Metadata and the Metadata Server

2. Checking the Availability of the Metadata Server in SAS Environment Manager

On the SAS Platf orm, the metadata server is the most critical component. It must always be
running and responsive. In this practice, you check the availability and health of the metadata
server.

a. Open Internet Explorer or Google Chrome f rom the Windows machine using the taskb ar.
Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Sign in to SAS Environment Manager as Ahmed with the password Student1.

c. Click the Resources tab.

d. Click Servers. How many servers are listed? Answers will vary.

e. Click the f ollowing:

12. For Linux Server

sasapp.demo.sas.com SASMeta - Metadata Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-75

For Windows Server

sasserver.demo.sas.com SASMeta - Metadata Server

Note: You might need to go to the second page of server listings by clicking the arrow at
the bottom right of the page.

Note: You can use the search f ield and enter Metadata Server. Make sure that All Server
Types is selected in the second f ield, and then click the right-pointing arrow at
the f ar right.

f. Look f or the f ollowing metrics for a quick overview:

Availability

Server Health

g. If the metadata server is overusing virtual memory (too much page swapping), that could
indicate trouble, and might cause slow responses. These metrics are helpf ul:

Process Page Faults Per Minute

Time in Calls Per Minute

Not all metrics f or this resource, the metadata server, are displayed by default, such as Time
in Calls Per Minute.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-76 Lesson 3 Understanding SAS® Metadata and the Metadata Server

h. Select All Metrics in the drop-down list on the lef t to see a list of all the metrics f or this
resource. (Currently Problem Metrics is displayed in the drop-down list.)

i. Add Time in Calls Per Minute to the list of metrics displayed by clicking the black arrow next
to the metric.

j. Move Time in Calls Per Minute and Process Page Faults Per Minute to the top using the
up arrow to the right of the named metric.

k. Click Apply next to View: Update Default located above the Availability metric and to the
right.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-77

Note: You want to know how much the metadata server is having to use disk space
because it does not have enough memory available to it. Paging is when individual
memory segments, or pages, are moved to or f rom the swap area. When memory is
low, portions of a process are moved to use disk space as a temporary place to store
inf ormation that it would normally just hold in memory. This is called swapping to
disk. When a process needs to swap some data f rom disk to memory so that it can
access the data in memory, a page f ault occurs. It is an event that occurs because
the page of memory the process wanted is currently not in memory; it is held on the
swap f ile on the disk. Thus, when a page f ault occurs, the operating system knows
that it needs to swap the data that the process wants back into memory, and will
swap some other existing data f rom memory to the disk to f ree up the required
memory so that there is room f or the required page.
One of the metrics available f rom the OS that describes what a process does when it
enters this memory-constrained state is the number of page f aults (swaps between
disk and memory) per period of time. We can see this metric f or the process
examined here, the SAS Metadata Server.

You expect some degree of virtual memory swapping (page f aults), which is normal,
but if you see a trend of increase over time, then you should probably investigate.

l. The data f or the past eight-hour time period is displayed. Change this to a 30-minute interval.
Use the Last (number)/(Unit) drop-down list to change the length of the time period
displayed. Click OK. (You can use the Previous Page/Next Page buttons to scroll through
earlier time periods as well.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-78 Lesson 3 Understanding SAS® Metadata and the Metadata Server

m. Select the Metric Data button to display the data underlying the charts.
You see all of the metrics displayed here in a tabular table, whereas with Indicators
selected, there is only a subset showing, unless you add a metric to be displayed (step i).

Note: You can also click the chart icon next to an entry in the table to see a chart of that
metric. However, the chart is dif ferent f rom the indicator chart.

n. Select Alert.

o. Select Configure. How many alerts are conf igured? Seven

How many alerts are active? Five

There are built-in alerts because Extended Monitoring has been enabled in this environment.

Note: Two alerts that might be usef ul are “Metadata Server ERROR message in log” and
“Metadata User Lockout.” If either of these alerts are f ired, you might want to check
the logs f or the metadata server to get more details about why these events are
happening.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-79

p. Click Metadata Time in Calls per Minute to look at the alert def inition.

3. Exploring the Initial Connection to the Metadata Server

This practice demonstrates the initial authentication process to the metadata server.

a. On the Windows machine, select Start  All Programs  SAS  SAS Enterprise Guide
8.2. Close the Welcome to SAS Enterprise Guide window. Place the pointer on the f ollowing
in the upper right of the application interf ace:

For Linux Platf orm: sasapp.demo.sas.com

For Windows Platf orm: sasserver.demo.sas.com

You see the user who is logged on.

b. Click the appropriate connection:

For Linux Platf orm: sasapp.demo.sas.com

For Windows Platf orm: sasserver.demo.sas.com

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-80 Lesson 3 Understanding SAS® Metadata and the Metadata Server

c. Select the server prof ile that you want to work with, highlight it, and click Modify.

d. Clear the Save login in profile check box.

e. Remove Jacques f rom the User f ield and enter sas. Remove the asterisks f or the password
and enter Student1.

Note: This is the SAS install account. But this account is not linked with a metadata identity.

f. Click Save. Click Yes to modif y the active profile and continue.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-81

g. An Error window appears. Click Show Details. How is the user identif ied by the metadata
server?

Note: At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
through the Repository ACT. The authorization layer of the SAS environment is
discussed in a later lesson.

h. Click Close.

i. Click Modify to change the saved Connection Prof ile user back to Jacques. You can select
Save login in profile.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-82 Lesson 3 Understanding SAS® Metadata and the Metadata Server

j. Click Save. If needed, the prof ile of choice (Linux or Windows) can be set as the def ault using
the Set Active button. Click Close.

k. Open Internet Explorer or Google Chrome f rom the Windows machine. Select SAS Studio
f rom the Windows or Linux f older on the Favorites bar.

l. Sign in with user ID badguy and the password Student1.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-83

m. Now sign in with user ID sas and the password Student1. (You might need to sign in twice
bef ore the message below appears.)

Note: The user account badguy does not exist on the host.
n. Select SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar,
and this time sign in as Ahmed with the password Student1.

o. Select Analyze  Event Center.

What event was generated pertaining to a bad logon? A warning message from the
metadata server log was tracked regarding the badguy login from the Logon Manager.
The Logon Manager is the web application that is surfaced for credential input.

p. Let’s look at the metadata def inition of a user such as Jacques. Click the Administration
tab, which opens in another browser. (You can render the Administration page in another tab
by pressing the Ctrl key and clicking the Administration tab simultaneously.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-84 Lesson 3 Understanding SAS® Metadata and the Metadata Server

q. Select Users f rom the vertical navigation bar.

r. Click to access a drop-down list on which you can f ilter. Select User.

s. Click Jacques to see the metadata def inition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-85

t. Click the Accounts tab to see the ID that is used and stored with the metadata identity f or
initial authentication to the metadata server.

4. Exploring Connection Profiles

Connection prof iles are stored in f iles on the user’s desktop, but stored passwords are
encrypted. Examine an existing connection profile.

a. Open SAS Management Console and edit the connection prof ile for the system that you are
managing in class.

b. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-86 Lesson 3 Understanding SAS® Metadata and the Metadata Server

c. On the Edit Connection Profile – SAS Admin – <server> Server, enter Ahmed in the
User ID f ield and Student1 in the Password f ield. Also click the Save user ID and
password in this profile box. Then click Finish to save the prof ile.

d. On the client machine, use Windows Explorer to navigate to

C:\Users\student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents of
SAS Admin – Linux Server.swa or SAS Admin – Windows Server.swa associated with
the class environment that you are managing using a text editor such as Notepad.

What is the value of AllowLocalPassword? True

Note: If the AppData f older is hidden, you can enter the path into Windows Explorer or
unhide the f older. To unhide it, in Windows Explorer, select Organize  Folder 
Search options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box. Click
OK.

e. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter
the f ollowing code:
proc pwencode in="Student1";
run;

f. Click Run.

g. On the Log tab, locate the value that begins with {sas002}. Does the value match the
password value in the SAS Admin - <server>.swa f ile?

Note: A password string beginning with {sas002} is encoded using the SAS Proprietary
algorithm.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-87

h. Close SAS Enterprise Guide.

i. View the metadata server log. Verif y the SAS Enterprise Guide initial connection to the
metadata server.

1) Open the most recent metadata server log.

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/SASMeta/MetadataServer/Logs

For Windows Server

D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs

2) Scroll down closer to the bottom and look for the name of the user ID that was used to
log on to SAS Enterprise Guide. (Otherwise, you can simplif y the search by using the
Find tool f or the name. Hold down the Ctrl key and press F.)

5. Exploring the omaconfig.xml File

The omaconfig.xml f ile is the start-up f ile f or the SAS Metadata Server. You can specif y
changes to standard f eatures of the SAS Metadata Server, the repository manager, and policies
related to internal users in this f ile.

Open the omaconfig.xml f ile.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer.

For Windows Server

Use Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer.

What is the setting in this f ile that governs saving a password in a connection prof ile?
SASSEC_LOCAL_PW_SAVE= specifies whether users of desktop applications can save
their user IDs and passwords in a local metadata connection profile.

Note: For a f ew solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client -side connection
prof iles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate
to Application Management  Configuration Manager  SAS Application
Infrastructure. Right-click and select Properties  Settings  Policies  Allow client
password storage.

What is the def ault value? Y What other values are possible?
SASSEC_LOCAL_PW_SAVE="1 | Y | T | 0 | N | F"

Note: To f ind the possible values, go to support.sas.com and search Reference Information
for omaconfig.xml.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-88 Lesson 3 Understanding SAS® Metadata and the Metadata Server

If you make changes to this f ile, what steps need to be perf ormed?
• Make sure there is a backup of the file.
• The Metadata Server needs to be restarted.

6. Using the Export SAS Package Wizard to Examine Dependencies and Associations
between Metadata Objects

The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote
individual metadata objects or groups of objects f rom one SAS deployment to another or f rom
one f older location to another within the same deployment. The wizards display the associations
and dependencies between metadata objects.

a. In SAS Management Console, on the Folders tab, expand the Orion Star f older. Right-click
the Marketing Department f older and select Export SAS Package.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-89

b. Accept the def aults and click Next. (You are not going to create this package, so the location
and options do not matter.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-90 Lesson 3 Understanding SAS® Metadata and the Metadata Server

c. Under the Data f older, select Orion Star Customers. The Dependencies tab identif ies the
metadata objects on which the Orion Star Customers table depends.

d. Click the Used By tab. The Used By tab identif ies the metadata objects that depend on the
Orion Star Customers table.

e. Click Cancel.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-91

7. Using the List Objects Batch Tool

Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are
stored in the SAS Folders tree. You can f ilter the list based on criteria such as object name,
object type, folder location, creation date and time, modification date and time, keywords, notes,
and responsible user. You can create the list in text, comma-separated values (CSV), or XML
f ormat.

a. First, f ind the metadata object type f or a stored process. In SAS Management Console,
under the Folders tab, navigate to System  Types. Right-click Stored process and select
Properties. Click the Advanced tab. Find the value f or TypeName. This will be used f or the
type option when using the batch tool.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-92 Lesson 3 Understanding SAS® Metadata and the Metadata Server

b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list
all stored processes in Orion Star  Marketing Department. How many objects were
f ound?

For Linux Server

1. In mRemoteNG, on the sasapp.demo.sas.com machine, use the cd (change directory)

command to navigate to
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.

2. List the contents of the directory.

3. Issue the f ollowing command: ./sas-list-objects -help

This displays the available options for this command.

4. Generate the list of stored processes with the f ollowing options:

./sas-list-objects -host sasapp.demo.sas.com -port 8561 -user Ahmed -password

“Student1” -f olderTree “Orion Star/Marketing Department” -types StoredProcess
-f ormat LIST

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-93

For Windows Server

1. Open the command prompt under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.

2. Change the drive to D.

3. Use the cd (change directory) command to navigate to D:\Program

Files\SASHome\SASPlatformObjectFramework\9.4\tools.

4. Use the dir command to list the contents of the directory.

5. Issue the f ollowing command: sas-list-objects.exe -help

This displays the available options for this command.

6. Generate the list of stored processes with the f ollowing options:

sas-list-objects.exe -host sasserver.demo.sas.com -port 8561 -user Ahmed -

password “Student1” -f olderTree “Orion Star/Marketing Department” -types
StoredProcess -f ormat LIST

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-94 Lesson 3 Understanding SAS® Metadata and the Metadata Server

8. Using the BI Lineage Plug-in to Identify Connections between Objects

To generate lineage inf ormation, run a scan on a subset of f olders. The scan examines reports
and inf ormation maps that are stored in the selected f olders. It also identif ies objects (regardless
of their locations in metadata) that are connected to those reports and inf ormation maps.

a. In SAS Management Console, on the Plug -ins tab, right-click BI Lineage and select New
Scan.

b. Enter Orion Star Marketing Department Information Map Scan in the Name f ield.
Click Browse to navigate to Orion Star  Marketing Department  Information Maps.
Click OK  Next  Finish  Yes.

c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department and
select Information Maps. These are the objects that were examined during the lineage
scan.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-95

d. Right-click Orion Star Gold Orders Cube and select Lineage.

Note: Lineage identif ies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the f olders that were selected f or the
scan.

e. Examine the contents of the Report and Graph tabs.

Note: The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-96 Lesson 3 Understanding SAS® Metadata and the Metadata Server

There are two types of lineage results: high level and low level. High-level results illustrate
connections between high-level objects such as tables, reports, information maps, cubes,
and stored processes. Low-level results illustrate connections to other low-level objects such
as columns, hierarchies, or data items.

The results that you viewed in the last step are high-level results.

f. Click Cancel.

g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average
Quantity and select Low Level Lineage. Examine the Report and Graph tabs.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-97

h. Click Cancel.

9. Exploring the Backup Schedule and Backup Configuration in SAS Management Console

a. In SAS Management Console, on the Plug -ins tab, expand Metadata Manager 
Metadata Utilities. Right-click Server Backup and select Backup Schedule.

When did the last automatic backup occur? Did it invoke the Reorganize Repositories
option?

Click Cancel.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-98 Lesson 3 Understanding SAS® Metadata and the Metadata Server

b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Backup Configuration. Where are the metadata server backups stored? And how many
days of backups are stored there?

Click Cancel.

c. Locate backup f iles.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-99

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\

MetadataServer\Backups.

How many backup subdirectories are there in the Backups directory? Does this match the
number of usable backups in the backup history pane in SAS Management Console?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-100 Lesson 3 Understanding SAS® Metadata and the Metadata Server

10. Performing an Ad Hoc Backup

a. Use the Metadata Manager to perf orm an ad hoc backup of the metadata. Provide a
comment when prompted.

1) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.

2) Provide a comment f or the backup history. Click OK.

3) Click OK.

b. Verif y that the backup is marked with a green check mark in the backup history.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-101

c. Verif y that the backup directory was created and populated in the backup destination.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer/Backups. Open the directory
created by the ad hoc backup.

For Windows Server

Use the Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer\Backups. Open the f older created by
the ad hoc backup.

11. (Optional) Restoring the Metadata

a. On the Folders tab, right-click SAS Folders and select New Folder. Include the current time
in the name of the f older. Make a note of the current time.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-102 Lesson 3 Understanding SAS® Metadata and the Metadata Server

1) Enter Added Before Restore in the Name f ield. Click Finish.

2) Verif y that the f older is now listed under SAS Folders.

b. Wait a f ew minutes and create another new f older. Include the current time in the name.

c. Delete the two new f olders.

d. As a best practice, it is recommended that you pause the metadata server to the
Administration state bef ore you perf orm a recovery. On the Plug -ins tab, expand Metadata
Manager. Right-click Active Server and select Pause  Administration. Provide a
comment and click OK.

e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click the
ad hoc backup created in the last practice. Select Recover from This Backup.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-103

f. Provide comments f or the backup history and f or the server that you paused. Use the
ROLLFORWARD option to restore the metadata f rom the last backup to a time immediately
af ter you created the f irst f older but before you created the second f older.

1) Click OK.

Was the backup successful? Yes

In addition to the ad hoc backup and the restore, what else now appears in the backup
history?
A backup was automatically done immediately after the recovery.

g. Resume the metadata server by expanding Metadata Manager. Right-click Active Server
and select Resume.

h. Switch to the Folders tab. Verif y that only the f irst f older now appears on the Folder tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-104 Lesson 3 Understanding SAS® Metadata and the Metadata Server

Solutions to Activities and Questions

3.01 Question – Correct Answer

By default, journaling is not enabled for the metadata server.
 True
 False

The SAS Deployment Wizard sets the value of the JOURNALTYPE= option
to ROLL_FORWARD, which creates a linear journal file that permanently
stores all transactions that have occurred since the most recent backup.
The journal file is written to the same location as the associated backup
files. Each time that a new backup is executed, journaling stops and a new
journal file is started in the new backup location.

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.02 Multiple Choice Question – Correct Answer

The metadata server knows the location of the Repository Manager because
it is specified in which of the following files?
a. sasv9_usermods.cfg
b. sasv9.cfg
c. omaconfig.xml
d. logconfig.xml

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-105

3.03 Question – Correct Answer

An alternative to using credentials is to use Integrated Windows
Authentication.
 True
 False

45
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.04 Multiple Choice Question – Correct Answer

If you make changes to the omaconfig.xml file, what would you need to do
to ensure that the changes are in effect?
a. nothing
b. Make sure no users are connected to the metadata server.
c. Pause the metadata server.
d. Restart the metadata server.

47
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-106 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.05 Multiple Choice Question – Correct Answer

A SAS user cannot log on to SAS Enterprise Guide. Here is the message that
is received:
What is the problem?

a. The user does not have an LDAP account.

b. The user is using an internal account and therefore cannot be
authenticated to the host.
c. The user does not have a SAS identity, or the SAS identity does not have
the correct fully qualified ID in the corresponding identity definition.
d. There is no group called PUBLIC in metadata.

51
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.06 Multiple Choice Question – Correct Answer

If quorum is not achieved in a metadata server clustered environment,
which of the following occurs?
a. The foundation repository is set to Read only.
b. The server is paused to Administration status.
c. The server is paused to Offline status.
d. The server stays available.

94
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 3.6 Solutions 3-107

3.07 Multiple Choice Question – Correct Answer

If the master node fails, which of the following occurs?
a. The remaining nodes go offline, establish communication with each
other, and select a new master node.
b. One of the remaining nodes immediately performs a backup.
c. The server is paused to offline status until the SAS administrator brings
the master node back online.
d. The metadata server takes itself out of the cluster.

96
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

3.08 Multiple Choice Question – Correct Answer

Which of the following is true if you use operating system commands to
back up your metadata repositories?
a. You must pause the metadata server to an Administration state.
b. The backup executes in a separate thread while the metadata server is
running.
c. You must pause the metadata server to an Offline state before you
perform the backup.
d. You must pause the metadata server for Read-Only use before you
perform the backup.

111
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
3-108 Lesson 3 Understanding SAS® Metadata and the Metadata Server

3.09 Multiple Choice Question – Correct Answer

Which of these items does the metadata server backup facility automatically
back up?
a. foundation repository, web infrastructure Platform Data Server, the
journal file
b. metadata repositories, metadata server configuration directory, Levn
directory, journal file
c. metadata repositories, journal file, metadata server, and web servers
configuration directories
d. metadata repositories, metadata server configuration directory, the
journal file

113
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 4 Administering Users,
Groups, and Roles

4.1 Administering Users and Groups ................................................................................. 4-3

Practice................................................................................................................. 4-9

4.2 Using Import Macros ................................................................................................. 4-12

Practice............................................................................................................... 4-21

4.3 Exploring Internal Accounts and Internal Authentication Mechanisms ....................... 4-25

Practice............................................................................................................... 4-32

4.4 Administering Roles and Administrative Identities ..................................................... 4-34

Practice............................................................................................................... 4-39

4.5 Solutions ................................................................................................................... 4-44

Solutions to Practices ............................................................................................ 4-44

Solutions to Activities and Questions........................................................................ 4-85

4-2 Lesson 4 Administering Users, Groups, and Roles

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.1 Administering Users and Groups 4-3

4.1 Administering Users and Groups

Registering Users
For accountability, each person who uses the SAS environment should have
an individual SAS metadata identity.
Users
This allows the following:
• control over a user’s access to metadata resources
Allen
• control over a user’s access to application features Henri

• the ability to audit individual actions in the metadata layer

• access for each user to a personal folder in the repository

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In order to make access distinctions and track user activity, a security system must know who is
making each request.

Registering Users
A user’s metadata identity includes a copy of the external account that the
user uses to log on to SAS applications.

amoore
bpeters jsmith
pmurphy John
Smith Steve
vrangar smiller
Miller
dsilver mrobert

breynolds jdoe
Mark
efrazier Robert
Jane
Doe
Authentication Provider
Operating System (Windows, UNIX, z/OS) SAS Metadata
LDAP Foundation Repository
Active Directory 4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-4 Lesson 4 Administering Users, Groups, and Roles

On the platf orm, the primary user administration task is to store each user’s external account ID in
the SAS metadata. All of a user’s metadata-layer memberships, permissions, and capabilities are
ultimately tied to the user’s SAS identity.

Note: It is not necessary to store passwords in the SAS metadata f or identif ying a user. SAS
identity is determined by examining stored user IDs, not by examining stored passwords.

Unique Names and IDs

The metadata server enforces certain identity-related constraints.
• You cannot create a user definition that has the same name as an existing
user definition.

• You cannot assign the same fully qualified external account to two
different identities.

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Do not use spaces or special characters in the name of a user, group, or role. Not all
components support spaces and special characters in identity names.

Note: In SAS 9.4, you cannot change the name of an existing user, group, or role in SAS
Management Console.

All logons that include a particular ID must be owned by the same identity. This requirement enables
the metadata server to resolve each ID to a single identity. This requirement is case insensitive and
applies to the f ully qualif ied form of the ID.

To enable multiple users to share an account, store the credentials f or that account in a Log on as
part of a group def inition. Then add the users who share the account as members of that group
def inition.

If you give a user two logons that contain the same ID, the logons must be associated with different
authentication domains. Authentication domains are discussed later in this chapter.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.1 Administering Users and Groups 4-5

Group Identities
For administration and ease of maintenance and accountability, you should
create group identities.
Groups can be used to do the following:
• assign permissions
• share credentials
• populate roles
Sales
Marketing

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Predefined Groups in Metadata

The following groups are predefined:

PUBLIC Group with implicit membership

PUBLIC
that includes everyone who can
access the metadata server
SASUSERS Group with implicit membership
SASUSERS
that includes the members of the
PUBLIC group who have an
individual metadata identity

7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-6 Lesson 4 Administering Users, Groups, and Roles

Initial Connection to the SAS Metadata Server

Only the verification phase varies. The SAS identity phase is always the same.
You need a well-formed user definition for each user who is not a PUBLIC-
only identity.
Authentication by Active Directory,
LDAP, Local Security Authority,
3 PAM, UNIX password file structure
ID and password
PUBLIC 4
Verification phase ID
Host
2
ID and password
5
1 ID
ID and SASUSERS
password Metadata
Server 6
accept ID Identification phase
8
Client
7
SAS Metadata
identity Repository
8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Users, Groups, and Authentication

All of a user’s metadata-layer memberships, permissions, and capabilities
are ultimately tied to the user's SAS identity. For example:
PUBLIC Implicit memberships
Generic SAS identity
SASUSERS
No SAS identity
PUBLIC Marketing
Direct membership

Susan Jacques Individual SAS identity

Bill

User account? User account?

User account? SAS identity? SAS identity?

9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.1 Administering Users and Groups 4-7

Identity Hierarchy
All of a user’s group memberships are part of the user’s identity.

PUBLIC Self Self

HR Report
Creator

SASUSERS SASUSERS

Finance

PUBLIC PUBLIC

10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Creating Users and Groups

There are two ways to define user and group identities:
• manually, using the User Manager plug-in in SAS Management Console
or in SAS Environment Manager Administration
• using the user import macros supplied by SAS to import identity
information from an authentication provider

11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

There are other programmatic methods that can be used to c reate metadata identities.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-8 Lesson 4 Administering Users, Groups, and Roles

4.01 Multiple Choice Question

In the identification phase of authentication, the metadata server searches
for which of the following in the metadata repository?
a. fully qualified user ID
b. authentication domain, fully qualified user ID, password
c. fully qualified user ID and password
d. the user’s password only

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.1 Administering Users and Groups 4-9

Practice

1. Adding a User Manually into Metadata

Add Ben to metadata. Use SAS Environment Manager Administration or the User Manager
plug-in in SAS Management Console.

SAS Environment Manager

a. If you do not already have SAS Environment Manager up, open a web browser and select
SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Log on as Ahmed with the password Student1.

c. Click the Administration tab, which opens in another browser.

d. Using the vertical navigation bar, select Users.

e. Click the New user/group button located in the upper right toolbar.

f. Select New User. Enter the name Ben and click Save.

g. Add the f ollowing information under the appropriate drop -down menu categories:

Note: Use the Add button and the plus sign to add inf ormation f or each property.

Note: Be sure to save your changes by clicking the Save button in the bottom right corner
af ter every entry that you make.

Basic Properties:

Name Ben

Display Name Ben

Job Title Power User

External Identities:

External Identity Context IdentityImport

External Identity Identifier P110

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-10 Lesson 4 Administering Users, Groups, and Roles

Accounts:
• Windows server: sasserver\Ben
Account User ID
• Linux server: Ben
Def aultAuth
Account Authentication Domain

Contact Information:

Email Type Business

Email Address [email protected]

Phone Type Of f ice

Phone Number +19196775555

Address Type Of f ice

Street 123 Orion Star Boulevard

City Cary

State/Province NC

ZIP/Postal Code 27513

Country USA

h. Save your changes by clicking the Save button in the bottom right corner.

SAS Management Console

a. Right-click the User Manager plug-in and select New  User.

b. Add the f ollowing information:

Name Ben

Display Name Ben

Job Title Power User

E-mail Type Business

E-mail Address [email protected]

Phone Type Of f ice

Phone Number +19196775555

Address Type Of f ice

Street 123 Orion Star Boulevard

City Cary

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.1 Administering Users and Groups 4-11

State/Province NC

ZIP/Postal Code 27513

Country USA

External Identity Context IdentityImport

External Identity Identifier P110

• Windows server: sasserver\Ben
Account User ID
• Linux server: Ben

Account Authentication Domain Def aultAuth

2. Using SAS Environment Manager Administration to View Identity Hierarchy

a. If you do not already have SAS Environment Manager up, open a web browser and s elect
SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Log on as Ahmed with the password Student1.

c. Click the Administration tab, which opens in another browser.

d. Using the vertical navigation bar Select Users.

e. Click to access a drop-down list on which you can f ilter. Select User.

f. Click Eric to see the metadata def inition.

g. Click the Member Of tab.

Which groups is Eric directly a member of ?

Which groups is Eric indirectly a member of ?

Which groups is Eric implicitly a member of ?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-12 Lesson 4 Administering Users, Groups, and Roles

4.2 Using Import Macros

Importing User and Group Identities

The user import macros enable the batch import and synchronization of
user and group identity information from a provider such as LDAP into the
SAS metadata.
This process follows these general steps:
• Extract information from your authentication provider.
• Extract information from the SAS metadata.
• Compare the sets of tables and identify additions and updates that need
to be made to the metadata.
• Validate the changes.
• Load the updates into the metadata.

17
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

User Import Macros

1. Source specific extraction code extracts
information from the authentication provider.
%MDUIMPC creates the canonical tables.
2. %MDUEXTR extracts information from the
SAS metadata.
3. %MDUCMP compares the two sets of tables
and identifies updates that need to be made
to the metadata.
4. %MDUCHGV validates the changes to make
sure that they will not violate the metadata
server's integrity constraints.
5. %MDUCHGLB loads the updates into
the metadata.
18
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The synchronization process perf orms two extractions (one f rom your authentication provider and
another f rom the SAS metadata) and then loads updates into the metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-13

Canonical tables def ine the standard attributes and associations for identity metadata objects. A
canonical table is a table with a f ixed, predef ined structure constructed to hold user and group
inf ormation.

Back up the metadata bef ore synchronizing user or group inf ormation.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-14 Lesson 4 Administering Users, Groups, and Roles

Data Extracted from AD/LDAP

• Keyid must be
unique and
unchanging.
• Tables and columns
must be present
but do not all have
to be used.

In the metadata, the keyid value

is stored as an external identity.

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The keyids in the person table (users), idgrps table (groups and roles), and authdomain table
(authentication domains) tie each of those primary objects to its related inf ormation.

In the metadata, the keyid value is stored as an external identity. For each keyid column, use a
f ixed, enterprise-wide identif ier. For example:
• In the person table, consider using an employee identif ication number, user ID, or
saMAcountName (a def ault schema f or AD).
• In the idgrps table, consider using group names (or LDAP Distinguished Names).
• In the authdomain table, consider using authentication domain names.
The authentication domain name can serve as the keyid because the metadata server enf orces
uniqueness across authentication domain names.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-15

External Identities
An external identity is a value used to map the user information in the
SAS metadata to the information from the authentication provider.
An external identity
• must be unique to each user or group and unchanging
• must exist as a field in the user or group information in the authentication
provider and in the SAS metadata
• is used during the synchronization process to compare information stored
in metadata to information from the authentication provider.
Example: An employee account name or employee ID is often used as
the external identity value.

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If you need to perf orm periodic synchronization and want existing users and groups that you created
manually to be included in the process, add the appropriate external identity value to the user or
group metadata identity.

Import Identities into Metadata

Two sets of sample code are provided, importad.sas and importpw.sas.
This code can be modified to meet a site’s requirements. Modifications are
likely required to do the following:
• supply connection information to the metadata server
• supply connection parameters for the Active Directory (AD) server
containing the user and group information
• provide the unique keyid
• filter the users or groups returned

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-16 Lesson 4 Administering Users, Groups, and Roles

Linux Server

sample programs:
/opt/sas/SASHome/SASFoundation/9.4/samples/base

import macros:
/opt/sas/SASHome/SASFoundation/9.4/sasautos

Windows Server

sample programs:
D:\Program Files\SASHome\SASFoundation\9.4\core\samples

import macros:
D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro

The usage of these import macros is well documented under “User Import Macros” in the appendix
of SAS 9.4 Intelligence Platform Security Administration Guide.

IMPORTAD.SAS Program
Here are the connection parameters for the Active Directory Server:

host

port

baseDN:
• User search
• Group search

user

password

22
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Here is some inf ormation about this code:

• It uses the SAS interf ace to LDAP (the LDAP CALL Routine interf ace) to extract inf ormation from
Active Directory.
• It ref erences standard Active Directory schemas to identify user and group attributes. If your site
has extended the standard schema, you might need to make changes in section 3 to ref erence
additional or alternate attributes.
• It uses f ilters to segment retrieval. It might be necessary to alter the f ilters to better f i t the contents
of your Active Directory server. The f ilters are def ined in section 3 of the code (user extraction) and
section 4 (group extraction).
• It will not import membership inf ormation f or a group that has more than 1500 members .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-17

Additional macro variables that you will change f or each environment:

Macro variable Purpose Notes

Keyidvar External identity value f or each LDAP attribute that contains a unique and
metadata user that this program unchanging value f or each user.
creates

MetadataAuthDomain SAS Authentication Domain Usually, Def aultAuth

WindowsDomain Enables construction of a Prepended to each extracted user ID to

qualif ied user ID in each login yield qualif ied IDs in the f orm supplied-
that this program creates value\user ID

ADExtIDTag A label f or all metadata items that Used in the Context f ield of the external
this program creates identity in metadata

Distinguished Name Search

Active Directory and LDAP reference
objects by their distinguished name.
The import macros accept distinguished
name parameters as the location in the
tree to start searching for users and
groups to import.
Distinguished Name:
Made up of attribute value pairs

Organizational Unit (OU)=US

Domain Component (DC)=na, SAS, com

OU=US,DC=na,DC=SAS,DC=com
23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In the example, we are searching f rom the base distinguished name DC=na, DC=SAS, DC=com,
starting at the organizational unit US.

You can use a f ree LDAP/AD browser to view the hierarchy and identif y the required values.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-18 Lesson 4 Administering Users, Groups, and Roles

Sof tera LDAP Browser: http://www.ldapadministrator.com/download.htm

Filtering on Distinguished Name

The program calls two in-line macros to do the import. Before the call, you
can filter which users or groups to import. The filters are built in the LDAP
query syntax.
Filter on any attribute defined for
filter="&(region=OH)
a user: only users in the Ohio
(employeeID=*)) ";
%ldapextrpersons region that have an employee ID.

filter="(&(&(displayName>=A) The sample code calls the macro

(displayName<=C)) multiple times for a range of
(employeeID=*) )";
%ldapextrpersons users each time.

24
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-19

Here is a usef ul article on LDAP queries:

https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-20 Lesson 4 Administering Users, Groups, and Roles

Imported Identity
Identity information is synchronized from the external provider.

All users and groups participating in

synchronization have an external identity.

ADExtIDTag Keyid

25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Importing from LDAP/Active Directory

Identifying groups and users to import requires coordination with LDAP
or AD administrator in order to identify the following:
• users and groups to synchronize
• users and groups who will not be synchronized
• (potentially) the creation of new groups to support the synchronization
process

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-21

Practice

3. Loading Users and Groups with User Import Macros

a. On the client machine, use SAS Management Console to perf orm an ad hoc backup.

1) Select the SAS Admin - Linux Server or SAS Admin - Windows Server prof ile.

2) Log on as Ahmed using the Student1 password.

3) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.

4) Provide a comment f or the backup history and click OK.

5) Click OK when the backup is complete.

b. Use SAS Studio to run the LoadUsers.sas program.

1) Open a web browser and select SAS Studio f rom the Windows or Linux f older on the
Favorites bar.

2) Log on as Ahmed with the password Student1.

3) Open and run the LoadUsers.sas program.

For Linux Server

1. Expand File (/opt/sas/Workshop)  spaft.

2. Double-click LoadUsers.sas to bring the program into the Editor window.

For Windows Server

1. Expand File (D:\Workshop)  spaftWIN.

2. Double-click LoadUsers.sas to bring the program into the Editor window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-22 Lesson 4 Administering Users, Groups, an d Roles

4) At the top of the program, there is an OPTIONS statement. Verif y that the values are the
f ollowing:

For Linux Server

options metaserver="sasapp"
metauser="Ahmed"
metapass="Student1";
Note: The host machine value of the metadata server must match the machine name
that is under Server Files and Folders pane on the lef t of the interf ace.

For Windows Server

options metaserver="sasserver"
metauser="Ahmed"
metapass="Student1";
Note: The host machine value of the metadata server must match the machine name
that is under Server Files and Folders pane on the lef t of the interf ace.

• The extids f older holds the tables of user and group inf ormation f rom the external
source.
• The %mduimpc macro def ines canonical tables, and the DATA step is used to extract
data f rom an external source and append them to the tables. However, this program has
the data directly in the DATA step.

Note: Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie,
James, Cecily, Jim, Ray

Note: All the groups in the program will be added to metadata. (You can compare the
inf ormation in the group table to the groups currently listed in the User Manager
plug-in to see this.)

Note: The group members table (&idgrpmemstbla) is adding users to groups based
on the external identity.
• The metids f older holds the tables of user and group inf ormation f rom the metadata.
• The %mduextr macro extracts identity inf ormation f rom metadata and adds them to
user and groups tables in the metids library.
• The updates f older holds the user and group updates.
• The %mducmp macro compares user and group inf ormation to metadata and
populates the updates library with this inf ormation.
• The %mduchgv macro validates changes f rom the tables in the metids library and the
updates library

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.2 Using Import Macros 4-23

• The %mduchglb macro loads the changes into metadata.

5) Run the program. Review the log and search f or errors.

Note: You can disregard this warning: Character expression will be truncated when
assigned to character column filter.

c. Use SAS Environment Manager or SAS Management Console to verif y that the new users
and groups were created. Verif y that the group membership is correct.

Group Name Members

Power Users Groups: Application Developers, Data Integrators, Report Content

Creators

Report Content Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie

Creators

Data Integrators Barbara, Bruno, Kari, Marcel, Ole

Application Anita, George, Sally, Samantha

Developers

Group Name Members

Orion Star Users Groups: Finance, Marketing, Sales, Shipping

Analysts Cecily, James

Finance Alex, Jennif er, Katie, Megan, Peter

Marketing Eric, Henri, Jacques, Lynn, Stephanie

Sales Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan

Shipping Ray, Jim

d. The usage of these import macros is well documented under “User Import Macros” in the
appendix of SAS 9.4 Intelligence Platform Security Administration Guide.

The macros and sample programs importad.sas and importpw.sas are located under the
SAS installation directory.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to the sample programs:

/opt/sas/SASHome/SASFoundation/9.4/samples/base

Navigate to the macros:

/opt/sas/SASHome/SASFoundation/9.4/sasautos

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-24 Lesson 4 Administering Users, Groups, and Roles

For Windows Server

Use Windows Explorer to navigate to the sample programs:

D:\Program Files\SASHome\SASFoundation\9.4\core\samples

Navigate to the macros:

D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.3 Exploring Internal Accounts and Internal Authentication Mechanisms 4-25

4.3 Exploring Internal Accounts and

Internal Authentication Mechanisms

SAS 9.4 Authentication Mechanisms

Authentication is the process of verifying the identity of a person or process
for security purposes.

External • Host authentication

• Direct LDAP authentication
• Integrated Windows authentication
• Web authentication

Internal • SAS internal authentication

• SAS token authentication

30
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

A supporting f eature of internal authentication mechanisms unif ies the SAS realm and provides a
degree of independence f rom your general computing environment.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-26 Lesson 4 Administering Users, Groups, and Roles

Internal Accounts
• Internal accounts are primarily used to connect to the metadata
server and exist only in the metadata.
• They are authenticated by the metadata server.
• They are created by the SAS Deployment Wizard and by the
User Manager plug-in in SAS Management Console or in
SAS Environment Manager Administration.

31
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

By initial policy, these server-level settings f or internal account policies are in ef f ect.
• Accounts do not expire and are not suspended due to inactivity.
• Passwords must be at least six characters, do not have to include mixed case or numbers, and do not
expire.
• The f ive most recent passwords f or an account cannot be reused f or that acco unt.
• There is no mandatory time delay between password changes.
• Af ter three f ailed attempts to log on, an account is locked. If an account is locked because of logon
f ailures, f urther logon attempts cannot be made f or one hour.
• For an account that has a password expiration period, there is a f orced password change on the
f irst use af ter the password is reset by someone other than the account owner.
• An internal account has the f ormat userID@saspw.

If you need to unlock an internal account and you have the necessary host access, do the f ollowing:

1. Edit the adminUsers.txt f ile to create a new unrestricted user by adding the f ully qualif ied user
ID preceded by an asterisk. Restart the metadata server f or the change to take ef f ect.

2. Log on to SAS Management Console with the new unrestricted user and unlock the account.

3. Verif y that the account is unlocked by logging on to SAS Management Console with the account.

Remove the unrestricted user that you added f rom the adminUsers.txt f ile and rest art the metadata
server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.3 Exploring Internal Accounts and Internal Authentication Mechani sms 4-27

SAS Internal Authentication

2
sasadm@saspw
Metadata &password
1 Server
sasadm@saspw
&password
4 login login
accept
Client
login
sasadm
account

login sastrust
account
3
SAS Administrator
Metadata
Repository
32
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Internal Authentication

1. At a logon prompt, sasadm@saspw and password are entered. The client sends those
credentials to the metadata server f or verif ication.

2. The metadata server recognizes that the ID is f or an internal account (because the ID has the
@saspw suf f ix), so the metadata server checks the credentials against its list of internal
accounts.

3. Af ter validating the ID and password, the metadata server accepts the client connection.

4. The connection is accepted using the SAS identity associated with the internal account.

Internal authentication alone is not suf f icient to allow a user access to a standard workspace server
because a host account is required.

Internal accounts are not designed to be used as end users.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-28 Lesson 4 Administering Users, Groups, and Roles

SAS Administrator Identity

In default installations, SAS Administrator is an internal user account,
created during the deployment.

SAS Administrator sasadm@saspw

• Has access to all SAS Management Console application capabilities

• Has access to all SAS Environment Manager application capabilities
• Has all capabilities provided by the metadata server regardless of
metadata permission settings, due to membership of the Metadata
Server: Unrestricted role
• Can perform all user management functions and metadata administration
tasks
33
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Other Service Accounts

SAS Trusted User A service identity that can act on behalf of other
sastrust@saspw users.

SAS Environment Manager This account is required for communications

Service Account between the SAS Environment Manager agent and
sasevs@saspw the SAS Environment Manager server. It also
enables SAS Environment Manager plug-ins to
access the SAS Metadata Server.

SAS Anonymous Web User A service identity that functions as a surrogate for
webanon@saspw users who connect without supplying credentials.

34
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS Anonymous Web User (webanon) is an optional account that can be used to grant web
clients anonymous access to certain SAS Web Inf rastructure Platf orm applications (SAS BI Web
Services and SAS Stored Process Web Application). This anonymous account is conf igured with the
SAS Deployment Wizard and is applicable only when SAS authentication is being used. If web
authentication is used, the web application server processes authentication requests, and this
anonymous account has no ef f ect.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.3 Exploring Internal Accounts and Internal Authentication Mechanisms 4-29

For more inf ormation, see “Public Access and Anonymous Access” in SAS 9.4 Intelligence Platform:
Security Administration, Second Edition.

continued...
Metadata Users and Groups
PUBLIC
Initial users
SASUSERS

SAS Administrator
sasadm@saspw

SAS Environment
Manager Service
SAS Trusted User Account
sastrust@saspw sasev@saspw

SAS Demo User

external account

35
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Trusted User: This is a privileged service account that can act on behalf of other users on a
connection to the metadata server. No user should log on directly as a trusted user, except to
perf orm certain administrative tasks associated with the SAS Inf ormation Delivery Portal.

SAS Administrator: In def ault installations, it is an internal user account that is known only to SAS
and that is authenticated internally in metadata. When internal authentication is used, it is not
necessary f or this user to have a local or network account. The SAS Administrator user account has
privileges that are associated with the Metadata Server: Unrestricted role. In addition, the SAS
Administrator account is initially a member of the SAS Administrators group.

SAS Environment Manager Service Account: Ef f ective with SAS 9.4M1, the SAS Environment
Manager Service Account is required f or communications between the SAS Environment Manager
agent and the SAS Environment Manager server. The account also enables SAS Environment
Manager plug-ins to access the SAS Metadata Server.

This account is an internal user account that is known only to SAS and that is authenticated
internally in metadata. The account has privileges that are associated with the Metadata Server:
Unrestricted role and is initially a member of the SAS Administrators group and the SAS
Environment Manager Guests group.

Optional Accounts

SAS Demo User: Serves as a generic end user when you are testing any of the SAS client
applications. The def ault user ID is sasdemo, and the user’s account is def ined in metadata and in
the operating system of the metadata server machine and the workspace server machine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-30 Lesson 4 Administering Users, Groups, and Roles

SAS Anonymous Web User: Is used to grant clients access to applicable SAS Web Inf rastructure
Platf orm components. When web clients request access to web services, they are not prompted for
credentials but instead are granted access under this user account. In def ault installations, this user
is an internal user.

continued...
Metadata Users and Groups
PUBLIC Initial
Initial users groups
SASUSERS
SAS System
SAS Administrator
sasadm@saspw
Services
SAS Trusted
User SAS
SAS Environment
Manager Service Account SAS EV App
Administrators
sasev@saspw Server Tier SAS Administrator
Users
SAS EV
SAS Trusted User Service SAS EV Service
sastrust@saspw SAS EV Super Users Account Account
SAS SAS General
Administrator
Servers
SAS EV sassrv and pw
Guests
SAS Trusted
SAS User
Administrator

36
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Administrators: a standard group f or metadata administrators. By default, this group is

granted broad access to the metadata and has all roles other than the Metadata Server: Unrestricted
role.
SAS System Services: a standard group f or service identities that need to read server def initions or
other system resources.

SAS General Servers: a standard group whose members can be used f or launching stored process
servers and pooled workspace servers.

SAS Environment Manager User groups: standard groups f or SAS Environment Manager users.
These groups are new with SAS 9.4M1. The groups include SAS Environment Manager Guests,
SAS Environment Manager App Server Tier Users, and SAS Environment Manager Super Users.
Users that are members of these groups are mapped to user def initions in SAS Environment
Manager with corresponding SAS Environment Manager roles. For more inf ormation, see
“Controlling Access to SAS Environment Manager” in SAS Environment Manager: User’s Guide.

There might be other initial groups depending on your SAS so ftware and solutions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.3 Exploring Internal Accounts and Internal Authentication Mechanisms 4-31

Metadata Users and Groups

Initial users PUBLIC Initial
groups
SASUSERS
SAS Administrator SAS
sasadm@saspw Administrators
SAS System SAS Administrator
SAS Environment Manager Services
Service Account
sasev@saspw SAS Trusted SAS EV
Service
User SAS General
Account
SAS Trusted User
sastrust@saspw Servers
sassrv and pw
SAS EV App Server
Tier Users SAS Trusted
SAS EV Super Users Data Integrators User
SAS EV
SAS Service
Administrator Account
Report Content
Application
Creators
Developers
SAS EV
Guests
Orion Star …
SAS
Administrator Users
Analysts
Sales
Marketing custom groups
Managers

37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-32 Lesson 4 Administering Users, Groups, and Roles

Practice

4. Running Metadata Inventory Reports

These stored processes generate reports that display inf ormation about the metadata that is
stored on the SAS Metadata Server, such as Groups Roles and Users Metadata Content.
Because we added users and groups in the previous section, we want to ensure that the
imported identities show up in the reports by manually running log collection, log centralization,
and the APM ETL processes.

a. Log on to SAS Environment Manager as Ahmed using the password Student1 if not already
logged on.

b. Select Resources  Browse  Services and search f or collection.

c. Run the log collection.

For Linux Server

1. Select sasapp.demo.sas.com Log Collection  Control.

In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

2. Go back to Resources  Services and search on collection again to collect the logs
on the middle tier machine sasmid.demo.sas.com.

Select sasmid.demo.sas.com  Control.

In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

For Windows Server

1. Select sasserver Log Collection  Control.

2. In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

d. Af ter the log collection has run, run the Log Centralization service to collect the logs from
the local landing zone to a landing zone on the SAS Environment Manager Enablement Kit
Server.

1) Select Resources  Browse  Services and search f or cent.

2) Select Log Centralization  Control.

3) Next to Control Action, select Run f rom the drop-down menu and click the arrow to the
right to run the centralization process. Wait f or the process to complete.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.3 Exploring Internal Accounts and Internal Authentication Mechanisms 4-33

e. Finally, run the APM ETL process, which parses the logs in the central landing zone.
1) Go to Resources  Browse  Service and search f or APM. (Or you might see it at the
top of the list.)

2) Select the APM ETL Processing service and then select Control.

3) Select Run f rom the Control Action drop-down menu and click the arrow to the right to
run the collection process. Wait f or the process to complete.

f. Go to the Report Center under the Analyze tab.

g. Expand Products  SAS Environment Manager  Dynamic Reports  Metadata
Inventory.

h. Click the Groups Roles and Users stored process. Click Run. You should see the newly
added users.

i. Expand Products  SAS Environment Manager  Nightly Reports  Audit Reports

(Log Forensic).

j. Run the Group Changes and User Accounts Added stored processes to see what was
logged when users were added.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-34 Lesson 4 Administering Users, Groups, and Roles

4.4 Administering Roles and

Administrative Identities

What Are Metadata Roles?

Roles determine which user interface elements (such as buttons, tabs, and
menu items) are visible to which users. For example, role memberships
determine who can see the Server Manager plug-in in SAS Management
Console, or who can see the Compare Data Task as a menu choice in
SAS Enterprise Guide.
Here are some applications that
support roles:
• SAS Add-In for Microsoft Office
• SAS Enterprise Guide
• SAS Management Console
• SAS Studio
• SAS Web Report Studio
• SAS Visual Analytics

41
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Roles can be accessed and managed f rom the Administration page in SAS Environment Manager or
the User Manager plug-in in SAS Management Console.

Not all applications have roles.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.4 Administering Roles and Administrative Identities 4-35

Role Capabilities
The various features in applications that are under role management are
called capabilities. Each role has application capabilities that are assigned
to it.

no capabilities selected

some capabilities selected

all capabilities selected

42
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Not all application f eatures are under role management. Each application that supports roles
provides a f ixed set of capabilities. You cannot convert a f eature that is not a capability into a
capability.

You can add existing roles to a current role under the Contributing Roles tab. Capabilities f rom a
contributing role cannot be removed individually.

Role Features
Below are some key points of metadata-based roles.
• Roles do not protect data or metadata. Roles control which features in a
particular application are available to which users.
• Having a certain capability is not an alternative to meeting permission
requirements.
• Capabilities are additive. There are no negative capabilities (capabilities
that limit what a user can do). It is not possible to deny a capability.
(Capabilities are either granted or not granted.) For example, if a group is
in two roles, that group has all the capabilities from both roles.

43
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-36 Lesson 4 Administering Users, Groups, and Roles

Roles
The initial configuration of the software includes some predefined roles.
• If these roles meet your needs, assign the correct membership.
• If these roles do not meet your needs, create new roles, assign
appropriate membership, and explicitly select application capabilities and
designate contributing roles.

Do not change the name of predefined roles.

44
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Management Console Roles

There are two predefined roles:

Management Console: • Provides access to the Folders tab and all of

Advanced the plug-ins under role management.
• Default member: SAS Administrators

Management Console: • Provides access to the Folders tab,

Content Management User Manager, Library Manager,
and Authorization Manager plug-in.
• Default member: SASUSERS

Note: In order to access SAS Environment Manager Administration, you

must be a member of a Management Console role.

45
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The capabilities f or the SAS Management Console roles also af f ect controlling access to modules on
the Administration page of SAS Environment Manager:
• Data Library Manager controls access to the Libraries module.
• Folders View controls access to the Folders module.
• Server Manager controls access to the Servers module.
• User Manager controls access to the Users module.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.4 Administering Roles and Administrative Identities 4-37

To control which SAS Management Console plug -ins (and the Folders tab) are under role
management, select Tools  Plug-in Manager. Only unrestricted users can access the Plug -in
Manager.

Administrative Roles
In addition to the client application roles, the following implicit metadata
server roles are defined at installation:
Metadata Server: All capabilities provided by the metadata server regardless
Unrestricted of metadata permission settings

Metadata Server: Create, update, and delete users, groups, roles, internal
User Administration accounts, logins, and authentication domains

Metadata Server: Administration of the metadata server (monitor, stop,

Operation pause, resume, quiesce) and its repositories (add, register,
unregister, delete)

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The metadata server roles have implicit capabilities. This means that the def ault capabilities for
these roles cannot be viewed or modif ied. However, additional capabilities can be added to these
roles.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-38 Lesson 4 Administering Users, Groups, and Roles

Unrestricted users can use only those log ons that are assigned to them (or to groups to which they
belong). They do not automatically have implicit capabilities that are provided by components other
than the metadata server.

Two Levels of Administrative Users

Administrative users have special abilities and privileged access to metadata
based on their assignments to roles. There are two basic levels of
administrative users.

Administrators • Have metadata access capabilities that

a typical end user does not have.
• Are subject to metadata layer access controls.

Unrestricted Users • Have unrestricted access to metadata.

• Can perform tasks when the metadata server is
paused for administration.

47
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Administrative Tasks
Many administrative tasks have permission requirements in addition to
capability requirements. For example, to operate servers other than the
metadata server, you need the Administer permission.

If a user needs to function as both an administrator and as a non-

administrator, create two user definitions as follows:
• one definition that is based on an internal account and is a member of the
SAS Administrators group, and if needed, the Metadata Server:
Unrestricted role
• another definition based on an external account and not a member of the
SAS Administrators group

48
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.4 Administering Roles and Administrative Identities 4-39

Practice

5. Exploring SAS Enterprise Guide Roles

You can use SAS Environment Manager Administration or SAS Management Console f or this
practice.

SAS Environment Manager

a. In SAS Environment Manager Administration, use the vertical navigation bar to select Users.

b. Click to access a drop-down list on which you can f ilter. Select Role.

c. Open the properties of the Enterprise Guide: Advanced role by right-clicking the role and
selecting Open.
d. Remove the group PUBLIC as the current member.
1) Navigate to the Members tab.

2) Click the Edit button in the upper right toolbar.

3) Highlight PUBLIC and move the identity to the lef t by selecting the arrow pointing to the
lef t. Click OK.
4) Click the Save button in the bottom right corner.
e. Click Enterprise Guide: Analysis to see the role.
f. Add Gloria to the Current Members.
1) Navigate to the Members tab.

2) Click the Edit button in the upper right toolbar.

3) Enter Gloria in the search f ield. Highlight Gloria on the lef t and move the name to the
right by selecting the arrow pointing to the right. Click OK.
4) Click the Save button in the bottom right corner.
g. Open SAS Enterprise Guide. Jacques cannot connect because he is not in a role that
provides him any capabilities in Enterprise Guide. Click Close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-40 Lesson 4 Administering Users, Groups, and Roles

h. Change the connection to Gloria and click SAS and Connect. Click View Capabilities in
the Connections window.

Compare the list of authorized f unctions to the list of capabilities in the Enterprise Guide:
Analysis role. Do the lists match?
i. Close SAS Enterprise Guide.
j. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role
and add the group PUBLIC back to Current Members. Save the changes.
k. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria f rom Current
Members. Save the changes.

SAS Management Console

a. In the User Manager plug-in in SAS Management Console, open the properties of the
Enterprise Guide: Advanced role. Remove the group PUBLIC as a current member. Click
OK.
b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current
Members list box. Click OK.
c. Open SAS Enterprise Guide. Jacques cannot connect because he is not in a role that
provides him any capabilities in Enterprise Guide. Click Close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.4 Administering Roles and Administrative Identities 4-41

d. Change the connection to Gloria and click SAS and Connect. Click View Capabilities in
the Connections window. Compare the list of authorized f unctions to the list of capabilities in
the Enterprise Guide: Analysis role. Do the lists match?

e. Close SAS Enterprise Guide.

f. In the User Manager plug-in in SAS Management Console, open the properties of the
Enterprise Guide: Advanced role. Add PUBLIC to the Current Members list box. Click OK.
g. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria f rom the
Current Members list box. Click OK.

6. Creating a Dual User

a. On the Windows machine, use SAS Management Console to perf orm an ad hoc backup.

1) Select the SAS Admin - Linux Server or SAS Admin - Windows Server prof ile.

2) Log on as Ahmed using the Student1 password.

3) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.

4) Provide a comment f or the backup history and click OK.

5) Click OK when the backup is complete.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-42 Lesson 4 Administering Users, Groups, and Roles

b. Christina needs to connect to the metadata server as an unrestricted user sometimes and as
a regular user other times. On the Administration page in SAS Environment Manager or on
the User Manager plug-in in SAS Management Console, create the f ollowing two metadata
identities:

Name: Christina AdminChristina

Display Name: Christina Administrator | Christina

Groups and Data Integrators SAS Administrators

Roles:
Orion Star Users Metadata Server: Unrestricted

Accounts: User ID: Internal User ID:

AdminChristina@saspw
Windows Server: sasserver\Christina
Password: Student1
Linux Server: Christina

Do not store the password!

Authentication Def aultAuth

Domain:

c. Log on to SAS Management Console. Use the external Christina account with the Student1
password.

Were you successf ul? If not, what is the problem?

Note: This is a troubleshooting situation. Either the ID or password is incorrect. Because

we are using Local User Accounts on Windows and /etc/password on Linux f or
authentication, you can check in the operating system to see what her account is.

d. Open a second instance of SAS Management Console and log on using the
AdminChristina@saspw account.

Were you successf ul? Why did you not have any problems with logging on this time?

How are the two instances of SAS Management Console similar? How are they dif ferent?

7. (Optional) Creating a Role

Create a role that enables the Data Integrators group to have access to the BI Lineage plug -in
and permission to view scan results. There are three steps:
• Enable role-based access f or the BI Lineage plug -in.
• Create the role so that the Data Integrators group can see a limited number of plug -ins in SAS
Management Console, including the BI Lineage plug -in.
• Give the group permission to view scan results.

a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by def ault is not
under role management. Select Tools  Plug-in Manager. Enable role-based access f or
the BI Lineage plug-in by selecting the box next to the plug-in. Click OK. Click Yes in the
pop-up box to save changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.4 Administering Roles and Administrative Identities 4-43

b. In the User Manager plug-in, create the f ollowing role:

• Name: BI Lineage Scan
• Description: Members of this role can view scan results.
• Members: Data Integrators
• Capabilities (expand Management Console 9.4  Plug-ins): Select Data Library
Manager, User Manager, BI Lineage, and Folder View.
Click OK to save new role.
c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata
permissions.
1) On the Plug-ins tab, select BILineage f rom the Repository drop-down list.
2) Expand the Authorization Manager plug-in. Expand the Access Control Templates
f older. Access the properties window f or the Def ault ACT.
3) Click the Permission Pattern tab. Click Add and select the Data Integrators group.
When you add the group, the Authorization Manager automatically grants the group the
ReadMetadata permission.
4) Click OK.
d. Verif y that a member of the Data Integrators group can see the BI Lineage plug-in in SAS
Management Console and can view scan results. Log on to SAS Management Console as
Kari, a member of the group.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-44 Lesson 4 Administering Users, Groups, and Roles

4.5 Solutions
Solutions to Practices
1. Adding a User Manually into Metadata

Add Ben to metadata. Use SAS Environment Manager Administration or the User Manager
plug-in in SAS Management Console.

SAS Environment Manager

a. If you do not already have SAS Environment Manager up, o pen a web browser and select
SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Log on as Ahmed with the password Student1.

c. Click the Administration tab, which opens in another browser.

d. Select Users.

e. Click the New user/group button located in the upper right toolbar.

f. Select New User. Enter the name Ben and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-45

g. Add the f ollowing information under the appropriate categories:

Note: Use the edit button and the plus sign to add inf ormation f or each property.

Basic Properties:

Name Ben

Display Name Ben

Job Title Power User

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-46 Lesson 4 Administering Users, Groups, and Roles

External Identities:

External Identity Context IdentityImport

External Identity Identifier P110

Accounts:
• Windows server: sasserver\Ben
Account User ID
• Linux server: Ben

Def aultAuth
Account Authentication
Domain

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-47

Contact Information:

Email Type Business

Email Address [email protected]

Phone Type Of f ice

Phone Number +19196775555

Address Type Of f ice

Street 123 Orion Star Boulevard

City Cary

State/Province NC

ZIP/Postal Code 27513

Country USA

h. Save your changes by clicking the Save button in the bottom right corner.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-48 Lesson 4 Administering Users, Groups, and Roles

SAS Management Console

a. Right-click the User Manager plug-in and select New  User.

b. Add the f ollowing information:

Name Ben

Display Name Ben

Job Title Power User

Email Type Business

Email Address [email protected]

Phone Type Of f ice

Phone Number +19196775555

Address Type Of f ice

Street 123 Orion Star Boulevard

City Cary

State/Province NC

ZIP/Postal Code 27513

Country USA

External Identity Context IdentityImport

External Identity Identifier P110

• Windows server: sasserver\Ben
Account User ID
• Linux server: Ben

Account Authentication Domain Def aultAuth

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-49

2. Using SAS Environment Manager Administration to View the Identity Hierarchy

a. If you do not already have SAS Environment Manager up, open a web browser and s elect
SAS Environment Manager f rom the Windows or Linux f older on the Favorites bar.

b. Log on as Ahmed with the password Student1.

c. Click the Administration tab, which opens in another browser.

d. Select Users.

e. Click to access a drop-down list on which you can f ilter. Select User.

f. Click Eric to see the metadata def inition.

g. Click the Member Of tab.

Which groups is Eric directly a member of ? Marketing, Marketing Managers, Report

Content Creators

Which groups is Eric indirectly a member of ? Orion Star Users, Power Users

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-50 Lesson 4 Administering Users, Groups, and Roles

Which groups is Eric implicitly a member of ? PUBLIC, SASUSERS

3. Loading Users and Groups with User Import Macros

a. On the Windows machine, use SAS Management Console to perf orm an ad hoc backup.

1) Select the SAS Admin - Linux Server or SAS Admin - Windows Server prof ile.

2) Log on as Ahmed using the Student1 password.

3) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.

4) Provide a comment f or the backup history and click OK.

5) Click OK when the backup is complete.

b. Use SAS Studio to run the LoadUsers.sas program.

1) Open a web browser and select SAS Studio f rom the Windows or Linux f older on the
Favorites bar.

2) Log on as Ahmed with the password Student1.

3) Open and run the LoadUsers.sas program.

For Linux Server

1. Expand File (/opt/sas/Workshop)  spaft.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-51

2. Double-click LoadUsers.sas to bring the program into the Editor window.

For Windows Server

1. Expand File (D:\Workshop)  spaftWIN.

2. Double-click LoadUsers.sas to bring the program into the Editor window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-52 Lesson 4 Administering Users, Groups, and Roles

4) At the top of the program, there is an OPTIONS statement. Verif y that the values are the
f ollowing:

For Linux Server

options metaserver="sasapp"
metauser="Ahmed"
metapass="Student1";
Note: The host machine value of the metadata server must match the machine name
that is under Server Files and Folders pane on the lef t of the interf ace.

For Windows Server

options metaserver="sasserver"
metauser="Ahmed"
metapass="Student1";
Note: The host machine value of the metadata server must match the machine name
that is under Server Files and Folders pane on the lef t of the interf ace.

• The extids f older holds the tables of user and group inf ormation f rom the external
source.
• The %mduimpc macro def ines canonical tables, and the DATA step is used to extract
data f rom an external source and append them to the tables. However, this program
has the data directly in the DATA step.

Note: Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie,
James, Cecily, Jim, Ray

Note: All the groups in the program will be added to metadata. (You can compare the
inf ormation in the group table to the groups currently listed in the User
Manager plug-in to see this.)

Note: The group members table (&idgrpmemstbla) is adding users to groups based
on the external identity.
• The metids f older holds the tables of user and group inf ormation f rom the metadata.
• The %mduextr macro extracts identity inf ormation f rom metadata and adds them to
user and groups tables in the metids library.
• The updates f older holds the user and group updates.
• The %mducmp macro compares user and group inf ormation to metadata and
populates the updates library with this inf ormation.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-53

• The %mduchgv macro validates changes f rom the tables in the metids library and the
updates library
• The %mduchglb macro loads the changes into metadata.

5) Run the program. Review the log and search f or errors.

Note: You can disregard this warning: Character expression will be truncated when
assigned to character column filter.

c. Use SAS Environment Manager or SAS Management Console to verif y that the new users
and groups were created. Verif y that the group membership is correct.

Group Name Members

Power Users Groups: Application Developers, Data Integrators, Report

Content Creators

Report Content Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie

Creators

Data Integrators Barbara, Bruno, Kari, Marcel, Ole

Application Anita, George, Sally, Samantha

Developers

Group Name Members

Orion Star Users Groups: Finance, Marketing, Sales, Shipping

Analysts Cecily, James

Finance Alex, Jennif er, Katie, Megan, Peter

Marketing Eric, Henri, Jacques, Lynn, Stephanie

Sales Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan

Shipping Ray, Jim

d. The usage of these import macros is well documented under “User Import Macros” in the
appendix of SAS 9.4 Intelligence Platform Security Administration Guide.

The macros and sample programs importad.sas and importpw.sas are located under the
SAS installation directory.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to the sample programs:

/opt/sas/SASHome/SASFoundation/9.4/samples/base

Navigate to the macros:

/opt/sas/SASHome/SASFoundation/9.4/sasautos

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-54 Lesson 4 Administering Users, Groups, and Roles

For Windows Server

Use Windows Explorer to navigate to the sample programs:

D:\Program Files\SASHome\SASFoundation\9.4\core\samples

Navigate to the macros:

D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro

4. Running Metadata Inventory Reports

These stored processes generate reports that display inf ormation about the metadata that is
stored on the SAS Metadata Server, such as Groups Roles and Users Metadata Content.
Because we added users and groups in the previous section, we want to ensure that the
imported identities show up in the reports by manually running log collection, log centralization,
and the APM ETL processes.

a. Log on to SAS Environment Manager as Ahmed using the password Student1 if not already
logged on.

b. Select Resources  Browse  Services and search f or collection.

c. Run the log collection.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-55

For Linux Server

1. Select sasapp.demo.sas.com Log Collection  Control.

In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

2. Go back to Resources  Services and search on collection again to collect the logs
on the middle tier machine sasmid.demo.sas.com.

Select sasmid.demo.sas.com  Control.

In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-56 Lesson 4 Administering Users, Groups, and Roles

For Windows Server

Select sasserver Log Collection  Control.

In the Quick Control section, select Collect f rom the Control Action drop-down menu
and click the arrow to the right to run the collection process.

d. Af ter the log collection has run, run the Log Centralization service to collect the logs from
the local landing zone to a landing zone on the SAS Environment Manager Enablement Kit
Server.

1) Select Resources  Browse  Services and search f or cent.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-57

2) Select Log Centralization  Control.

3) Next to Control Action, select Run f rom the drop-down menu and click the arrow to the
right to run the centralization process. Wait f or the process to complete.

e. Finally, run the APM ETL process, which parses the logs in the central landing zone.

1) Go to Resources  Browse  Service and search f or APM. (Or you might see it at the
top of the list.)

2) Select the APM ETL Processing service and then select Control.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-58 Lesson 4 Administering Users, Groups, and Roles

3) Select Run f rom the Control Action drop-down menu and click the arrow to the right to
run the collection process. Wait f or the process to complete.

f. Go to the Report Center under the Analyze tab.

g. Expand Products  SAS Environment Manager  Dynamic Reports  Metadata

Inventory.

h. Click the Groups Roles and Users stored process. Click Run. You should see the newly
added users.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-59

i. Expand Products  SAS Environment Manager  Nightly Reports  Audit Reports

(Log Forensic).

j. Run the Group Changes and User Accounts Added stored processes to see what was
logged when users were added.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-60 Lesson 4 Administering Users, Groups, and Roles

5. Exploring SAS Enterprise Guide Roles

You can use SAS Environment Manager or SAS Management Console f or this practice.

SAS Environment Manager

a. In SAS Environment Manager Administration, use the vertical navigation bar to select Users.

b. Click to access a drop-down list on which you can f ilter. Select Role.

c. Open the properties of the Enterprise Guide: Advanced role by clicking the role.
d. Remove the group PUBLIC as the current member.
1) Navigate to Members.

2) Click the Edit button in the upper right toolbar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-61

3) Highlight PUBLIC and move the identity to the lef t by selecting the arrow pointing to the
lef t. Click OK.

4) Click the Save button in the bottom right corner.

e. Select the Enterprise Guide: Analysis role.
f. Add Gloria to the Current Members.
1) Navigate to the Members tab.

2) Click the Edit button in the upper right toolbar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-62 Lesson 4 Administering Users, Groups, and Roles

3) Enter Gloria in the search f ield. Highlight Gloria on the lef t and move the name to the
right by selecting the arrow pointing to the right. Click OK.

4) Click the Save button in the bottom right corner.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-63

g. Open SAS Enterprise Guide. Jacques cannot connect because he is not in a role that
provides him any capabilities in Enterprise Guide. Click Close.

h. Change the connection to Gloria and click SAS and Connect. Click View Capabilities in
the Connections window.

Compare the list of authorized f unctions to the list of capabilities in the Enterprise Guide:
Analysis role. Do the lists match? Yes

i. Close SAS Enterprise Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-64 Lesson 4 Administering Users, Groups, and Roles

j. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role
and add the group PUBLIC back to Current Members. Save the changes.

k. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria f rom Current
Members. Save the changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-65

SAS Management Console

a. In the User Manager plug-in in SAS Management Console, open the properties of the
Enterprise Guide: Advanced role. Remove the group PUBLIC as a current member. Click
OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-66 Lesson 4 Administering Users, Groups, and Roles

b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current
Members list box. Click OK.

c. Jacques cannot connect because he is not in a role that provides him any capabilities in
Enterprise Guide. Click Close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-67

d. Change the connection to Gloria and click SAS and Connect. Click View Capabilities in
the Connections window. Compare the list of authorized f unctions to the list of capabilities in
the Enterprise Guide: Analysis role. Do the lists match? Yes

e. Close SAS Enterprise Guide.

f. In the User Manager plug-in in SAS Management Console, open the properties of the
Enterprise Guide: Advanced role. Add PUBLIC to the Current Members list box. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-68 Lesson 4 Administering Users, Groups, and Roles

g. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria f rom the
Current Members list box. Click OK.

6. Creating a Dual User

a. On the Windows machine, use SAS Management Console to perf orm an ad hoc backup.

1) Select the SAS Admin - Linux Server or SAS Admin - Windows Server prof ile.

Log on as Ahmed using the Student1 password.

2) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.

3) Provide a comment f or the backup history and click OK.

4) Click OK when the backup is complete.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-69

b. Christina needs to connect to the metadata server as an unrestricted user sometimes and as
a regular user other times. On the Administration page in SAS Environment Manager, or the
User Manager plug-in in SAS Management Console, create the f ollowing two metadata
identities:

Name: Christina AdminChristina

Display Name: Christina Administrator | Christina

Groups and Data Integrators SAS Administrators

Roles:
Orion Star Users Metadata Server: Unrestricted

Accounts: User ID: Internal User ID:

AdminChristina@saspw
Windows Server: sasserver\Christina
Password: Student1
Linux Server: Christina

Do not store the password!

Authentication Def aultAuth

Domain:

SAS Environment Manager

1) In SAS Environment Manager, go to the Administration page. From the vertical

navigation bar select Users.

2) Click the Add User/Group/Role button in the upper right toolbar and select New
User.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-70 Lesson 4 Administering Users, Groups, and Roles

3) Enter Christina in the Name and Display name f ields and click Save.

4) Navigate to the Member Of tab.

5) Click the Edit button in the upper right toolbar.

6) Enter Orion in the search f ield. Highlight Orion Star Users and use the arrow pointing to
the right to move the identity to the Direct member of pane.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-71

7) Enter Data I in the search f ield. Highlight Data Integrators and use the arrow pointing to
the right to move the identity to the Direct member of pane.

8) Click the Save button.

9) Navigate to the Accounts tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-72 Lesson 4 Administering Users, Groups, and Roles

10) Click the Edit button and then the Add button in the upper right toolbar.

11) Enter the user ID that is appropriate f or the server. Click the Save button.

For Linux Server

Christina

For Windows Server

sasserver\Christina

12) Click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-73

13) Create AdminChristina. Begin by clicking the Add User/Group/Role button in the
upper right toolbar and selecting New User.

14) Enter AdminChristina in the Name f ield and Administrator | Christina in the Display
Name f ield and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-74 Lesson 4 Administering Users, Groups, and Roles

15) Navigate to the Member Of tab.

16) Click the Edit button in the upper right toolbar.

17) Enter SAS Administrators in the search f ield. Highlight SAS Administrators and use
the right-pointing arrow to move the identity to the Direct member of pane.

18) Enter Metadata in the search f ield. Highlight Metadata Server: Unrestricted and use
the right-pointing arrow to move the identity to the Direct member of pane.

19) Click the Save button.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-75

20) Navigate to the Accounts tab.

21) Click the Add button in the upper right toolbar.

22) Click the button to the right of Internal Account to create an internal account.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-76 Lesson 4 Administering Users, Groups, and Roles

23) Enter Student1 in the Password f ield and again in the Confirm password f ield.
Click Save.

SAS Management Console

1) Right-click User Manager and select New  User.

2) Enter Christina in the Name and Display Name f ields.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-77

3) Click the Groups and Roles tab. Hold down the Ctrl key. Select Orion Star Users and
Data Integrators. Click the right-pointing arrow to move these to the Member of list box.

4) Click the Accounts tab and click New.

5) Enter the f ollowing:

• Christina as the user ID f or the LNX server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-78 Lesson 4 Administering Users, Groups, and Roles

• sasserver\Christina f or the user ID f or the Windows server

6) Verif y that the authentication domain is DefaultAuth. Click OK  OK.

7) Create the AdminChristina identity. Begin by right-clicking User Manager and selecting
New  User.

8) Enter AdminChristina in the Name f ield. Enter Administrator | Christina in the

Display Name f ield.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-79

9) Click the Groups and Roles tab. Hold down the Ctrl key. Select Metadata Server:
Unrestricted and SAS Administrators. Click the right-pointing arrow to move these to
the Member of list box.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-80 Lesson 4 Administering Users, Groups, and Roles

10) Click the Accounts tab and click Create Internal Account. This is located at the bottom.
Verif y that the internal user ID is AdminChristina@saspw. Enter Student1 in the New
Password and Confirm Password f ields. Click OK twice.

c. Log on to SAS Management Console. Use the external Christina account with the Student1
password.

Were you successf ul? If not, what is the problem?

Note: This is a troubleshooting situation. Either the ID or password is incorrect. Because we

are using Local User Account on Windows and /etc/password on Linux f or
authentication, you can check in the operating system to see what her account is.

In the OS, there is no Christina. She originally went by Christina.

d. Open a second instance of SAS Management Console and log on. Use the
AdminChristina@saspw account.

Were you successf ul? Why did you not have any problems with logging on this time?

This is an internal account. You create the ID and password, and it is authenticated
only with metadata and does not go out to an external authentication mechanism.

How are the two instances of SAS Management Console similar? There are some of the
same plug-ins.

How are they dif ferent? There are many more available plug-ins for
AdminChristina@saspw.

7. (Optional) Creating a Role

Create a role that enables the Data Integrators group to have access to the BI Lineage plug -in
and permission to view scan results. There are three steps:
• Enable role-based access f or the BI Lineage plug -in.
• Create the role so that the Data Integrators group can see a limited number of plug-ins in SAS
Management Console, including the BI Lineage plug -in.
• Give the group permission to view scan results.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-81

a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by def ault is not
under role management. Select Tools  Plug-in Manager. Enable role-based access f or
the BI Lineage plug-in by selecting the box next to the plug -in. Click OK. Click Yes in the
pop-up box to save changes.

b. In the User Manager plug-in, create the f ollowing role:

• Name: BI Lineage Scan
• Description: Members of this role can view scan results.
• Member: Data Integrators
• Capabilities (expand Management Console 9.4  Plug-ins): Data Library Manager,
User Manager and BI Lineage plug-ins, and Folder View

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-82 Lesson 4 Administering Users, Groups, and Roles

Click OK to save the new role.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-83

c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata
permissions.

1) On the plug-ins tab, select BILineage f rom the Repository drop-down list.

2) Expand the Authorization Manager plug-in. Expand the Access Control Templates
f older. Open the properties window f or the Def ault ACT.

3) Click the Permission Pattern tab. Click Add and select the Data Integrators group.
When you add the group, the Authorization Manager automatically grants the group the
ReadMetadata permission.

4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-84 Lesson 4 Administering Users, Groups, and Roles

d. Verif y that a member of the Data Integrators group can see the BI Lineage plug -in in SAS
Management Console and can view scan results. Log on to SAS Management Console as
Kari, a member of the group.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 4.5 Solutions 4-85

Solutions to Activities and Questions

4.01 Multiple Choice Question – Correct Answer

In the identification phase of authentication, the metadata server searches
for which of the following in the metadata repository?
a. fully qualified user ID
b. authentication domain, fully qualified user ID, password
c. fully qualified user ID and password
d. the user’s password only

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
4-86 Lesson 4 Administering Users, Groups, and Roles

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 5 Managing SAS®
Compute Servers and Spawners
5.1 Understanding SAS Compute Servers ......................................................................... 5-3
Demonstration: Monitoring SAS Servers and Sessions from SAS Management
Console ........................................................................................ 5-20
Practice............................................................................................................... 5-23

5.2 Exploring Credential Management ............................................................................. 5-30

Demonstration: Configuring Access to a Database in SAS Management Console
(Optional)...................................................................................... 5-36
Practice............................................................................................................... 5-46

5.3 Administering Server Logging ................................................................................... 5-47

Demonstration: Viewing Metadata Server Logging in SAS Management Console ........... 5-58
Practice............................................................................................................... 5-63

5.4 Solutions ................................................................................................................... 5-69

Solutions to Practices ............................................................................................ 5-69
Solutions to Activities and Questions........................................................................ 5-99
5-2 Lesson 5 Managing SAS® Compute Servers and Spawners

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-3

5.1 Understanding SAS Compute Servers

SAS Servers
SAS Servers Whether users enter their own code, execute
Metadata Server a stored process, or enable SAS applications to
generate code for them, the code is executed
SAS Workspace Server on a SAS server. Each server type has different
SAS Pooled Workspace capabilities.
Server
SAS Stored Process
Server
SAS Grid Servers
SAS OLAP Server

SAS LASR Analytic

Server

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Workspace Server

Most code generated by SAS applications is executed on a workspace server.
A workspace server is a SAS session that executes SAS code to do the
following:
• access data libraries
• perform tasks using the SAS language
• retrieve results

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-4 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Workspace Server

By default, the following events occur:
• The object spawner launches a workspace server under the user’s
credentials.
• The user’s credentials are authenticated by the host operating system.
•The workspace server is shut down when the client application is shut
down.
Note: You can convert a standard workspace server to use SAS Token
Authentication.
Note: In some cases, you can convert a standard workspace server to use
Integrated Windows Authentication.

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS token authentication is when the metadata server generates and validates a single-use identity
token for each authentication event.

Connecting to a SAS Workspace Server

3

4
i
Metadata Server
2

SAS Enterprise Guide

Metadata
Repositories

7
Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

1. Using the established connection to the metadata server, SAS Enterprise Guide requests access
to a workspace server.
2. The metadata server searches the metadata for the workspace server in question.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-5

3. The metadata server retrieves the name of the machine hosting the workspace server, the port
on which the object spawner listens for request for this server, and the authentication domain
associated with the workspace server.
4. The connection information is returned to SAS Enterprise Guide.
5. SAS Enterprise Guide uses the connection information to make the request for a workspace
server. If the authentication domain for the server matches that of the initial inbound login, SAS
Enterprise Guide passes along the credentials as well.
Note: If the server is assigned a different authentication domain, SAS Enterprise Guide
searches its in-memory list of credentials for Jacques for credentials with the appropriate
authentication domain. If none is found, SAS Enterprise Guide queries the metadata
server for credentials for Jacques for that particular authentication domain (outbound
login). If none is found, Jacques is prompted for credentials.
6. The object spawner sends Jacques’ credentials to its authentication provider. The default
authentication provider is the host.
7. The authentication provider verifies that the credentials are valid.

Connecting to a SAS Workspace Server

i
Metadata Server
SAS Enterprise Guide

Metadata
Repositories

10 9

8
Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

16
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

8. The object spawner launches the workspace server. It uses the launch command that was
retrieved from the metadata at start-up. The workspace server runs under the credentials
provided by SAS Enterprise Guide and authenticated by the host.
9. The object spawner provides SAS Enterprise Guide with a TCP connection to the workspace
server session.
10. SAS Enterprise Guide communicates directly with the workspace server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-6 Lesson 5 Managing SAS® Compute Servers and Spawners

Connecting to a SAS Workspace Server

i
Metadata Server
SAS Enterprise Guide

Metadata
Repositories

Results returned Code submitted

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

17
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

11. SAS Enterprise Guide submits one or more requests for processing. Results are returned to SAS
Enterprise Guide as appropriate.

Connecting to a SAS Workspace Server

i
Metadata Server

Metadata
Repositories

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

18
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

12. After Jacques closes SAS Enterprise Guide, the workspace server session ends.
Note: The connection could close earlier if there is a TCP time-out.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-7

Workspace Server Pooling

In pooling, a set of workspace server processes are
• made available to process certain types of requests
• reused for subsequent requests
• owned by a shared identity.

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Workspace Server Pooling

The primary purpose of workspace server pooling is to enhance
performance by avoiding the time associated with launching
workspace servers on demand.

In general, pooling is used when a relational information map is

queried, processed, opened, or used indirectly through a report.

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-8 Lesson 5 Managing SAS® Compute Servers and Spawners

What Is a SAS Stored Process?

A SAS Stored Process has the following characteristics:
• is a SAS program that is hosted on a server or in metadata and registered
in metadata
• can be executed by many of the platform for SAS Business Analytics
applications
• consists of a SAS program along with a metadata definition that describes
how the stored process should execute

+ i =
21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The stored process metadata properties determine which type of server the stored process is
executed on, where the source code is stored, and the type of output that is produced.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-9

Executing a Stored Process

Stored processes are typically executed on a stored process server but can
also be executed on a workspace server.

22
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-10 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Stored Process Server

SAS Stored Process Servers interact with SAS by executing stored processes.
Each stored process server
• handles multiple users
• is reused for subsequent requests
• is owned by a shared identity
• includes load-balancing settings that the object spawner uses to distribute
requests between the server processes.

23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Connecting to a Stored Process Server

3

4
i 2
Metadata Server
SAS Enterprise Guide

Metadata
Repositories
5
6

9 Authentication Provider
Object
Spawner (LDAP, Active Directory, Local Security Authority,
PAM, UNIX password file structure, or other provider)

33
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

1. Using the established connection, SAS Enterprise Guide requests access to a stored process
server.
2. The metadata server searches the metadata for the stored process server in question.
3. The metadata server retrieves the machine name hosting the stored process server, the port on
which the object spawner listens for request for this server, and a token.
Note: A SAS identity token is a single-use, proprietary software representation of an identity.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-11

4. The connection information is returned to SAS Enterprise Guide.

5. SAS Enterprise Guide uses the connection information and the token provided by the metadata
server to make the request for a stored process server.
6. The object spawner sends the token to the metadata server for verification.
7. The metadata server verifies that the token is valid.
8. If there is no stored process server currently available and more can be spawned, the object
spawner sends the shared credentials (typically, sassrv) to the host for authentication.
Note: During its own start-up, the object spawner not only retrieves the launch command for
the stored process server from the metadata, but also the shared credentials, user ID,
and password.
9. The authentication provider authenticates the credentials.

Connecting to a Stored Process Server

i
Metadata Server
SAS Enterprise Guide

Metadata
Repositories
11
13 12

10
Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

10. The object spawner launches the stored process server. It uses the launch command that it
retrieved from the metadata at start-up. The stored process server runs under shared
credentials.
11. The object spawner provides SAS Enterprise Guide with a TCP connection to the stored process
server. During the execution of the stored process, metadata server requests are done as an
individual user, and operating system requests are done as the shared account.
12. SAS Enterprise Guide communicates directly with the stored process server. SAS Enterprise
Guide submits a request to execute a stored process.
13. The results from the stored process are returned to SAS Enterprise Guide as appropriate.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-12 Lesson 5 Managing SAS® Compute Servers and Spawners

Connecting to a Stored Process Server

i
Metadata Server
SAS Enterprise Guide

Metadata
Repositories

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

38
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

After the execution of the stored process is complete, the stored process server is available for
reuse by other requests from the same or a different user.

Connecting to a Stored Process Server

16

14
i 15
Metadata Server
SAS Enterprise Guide
17

Metadata
Repositories
19
18

20

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

14. Using the established connection, SAS Enterprise Guide requests access to a stored process
server.
15. The metadata server searches the metadata for the stored process server in question.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-13

16. The metadata server retrieves the machine name hosting the stored process server, the port on
which the object spawner listens for request for this server, and a token.
Note: A SAS identity token is a single-use, proprietary software representation of an identity.
17. The connection information is returned to SAS Enterprise Guide.
18. SAS Enterprise Guide makes the request for a stored process server. It uses the connection
information and the token provided by the metadata server.
19. The object spawner sends the token to the metadata server for verification.
20. The metadata server verifies that the token is valid.

Connecting to a Stored Process Server

i
Metadata Server
SAS Enterprise Guide

Metadata
Repositories

23 22 21

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

50
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

21. If there is an available stored process server, the object spawner provides SAS Enterprise Guide
with a TCP connection to the stored process server.
22. SAS Enterprise Guide communicates directly with the stored process server to submit a request
to execute a stored process.
23. The results from the stored process are returned to SAS Enterprise Guide as appropriate.
Note: The stored process server can be reused by the same user or by a different user.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-14 Lesson 5 Managing SAS® Compute Servers and Spawners

Connecting to a Stored Process Server

i
Metadata Server

Metadata
Repositories

Authentication Provider
(LDAP, Active Directory, Local Security Authority,
Object PAM, UNIX password file structure, or other provider)
Spawner

51
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

After the execution of the stored process is complete, the stored process server i s available for
reuse by other requests.

Stored Process Server

By default, the stored process server is configured with
• one connection
This is the port on which an object spawner
• three multibridge connections.
listens for stored process server requests.

Each multibridge connection maps to a stored

process server process and uses the specified
port to communicate with applications.

52
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-15

SAS 9.4 Authentication Mechanisms

Authentication is the process of verifying the identity of a person or process
for security purposes.

External • Host authentication

• Direct LDAP authentication
• Integrated Windows Authentication
• Web authentication
Internal • SAS internal authentication
• SAS token authentication

53
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Token Authentication

SAS token authentication is when the metadata server generates and
validates a single-use identity token for each authentication event. This
enables the following SAS processing servers to accept users who are
already connected to the metadata server:
• OLAP server
• stored process server
•pooled workspace server
The workspace server can also use SAS Token Authentication.

54
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-16 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Token Authentication

Metadata Server
(generates identity tokens)
1
request for
5
identity token
accept
2 4
identity token identity token

Client that 3
already has a identity token
connection to the 6 Target Server
metadata server accept

55
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Token Authentication is when the metadata server generates and validates a single-use identity
token f or each authentication event. This enables participating SAS servers to accept users who are
already connected to the metadata server.
1. The user initiates a request that requires access to a target server (f or example, a request in
SAS Enterprise Guide to open a cube associated with the OLAP server). Using the existing
connection to the metadata server, the client requests an identity token f or the target server.
2. The metadata server generates the token and returns it to the client.
3. The client sends the token to the target server.
4. The target server sends the token back to the metadata server f or validation.
5. The metadata server validates the token and returns an acceptance message and a
representation of the user to the target server.
6. The target server accepts the connection.
Here are the benefits of SAS token authentication:
• Individual, external accounts for credential-based authentication are not required.
• SAS copies of individual, external passwords do not need to be stored in the metadata.
• Reusable credentials are not transmitted across the network.
• Metadata layer evaluations are based on the requesting user’s identity.
The limitations of using SAS token authentication are as follows:
• Host access is based on a shared login, if implemented for use on a standard workspace server.
• It is available only for metadata-aware connections to the target server.
• This authentication is not available for access to third-party database servers.
Because SAS token authentication essentially uses a shared login (typically, sassrv), host access to
resources is based on access rights associated with that ac count.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-17

Converting a standard workspace server to use SAS token authentication requires some changes to
the server’s metadata.
In the Properties window for the logical workspace server, select SAS token authentication on the
Options tab.

In the Properties window for the physical workspace server, select Launch credentials on the
Options tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-18 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Object Spawners

Workspace servers and stored process servers are initialized by the
SAS Object Spawner.
An object spawner does the following:
• runs on each machine where you want to run
a workspace server or stored process server
• listens for requests and launches servers,
as necessary

56
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Object Spawners

When the object spawner starts, it uses the information in its metadata
configuration file to access the metadata server. The file is named
metadataConfig.xml, by default.

Metadata SAS Metadata

configuration file 1 Object Spawner 2 Server

57
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-19

If changes are made to the server or spawner configurations, the spawner can be refreshed in order
to pick up and apply these new changes. The refresh reinitializes the spawner and forces it to reread
its configuration in the metadata. As part of this refresh, the spawner quiesces any servers that it has
started. The servers shut down when their clients have completed their work.
To refresh an object spawner, follow these steps:
1. Expand the Server Manager node  Object Spawner. Then right-click the Object Spawner
machine name node.
2. From the pop-up menu, select Connect.
3. Right-click the Object Spawner node again. From the pop-up menu, select Refresh Spawner.
4. In the confirmation dialog box, click Yes.
Note: When an object spawner manages more than one SAS Application Server context, you can
refresh a specific application server by selecting Refresh Application Server.

SAS Object Spawners

During start-up, the object spawner retrieves, from the metadata, information
about how to launch the servers.
Spawner

sassrv sassrv <user> sassrv

Pooled Stored Workspace

Workspace Server
Workspace Process Server
(standard using SAS token authentication)
Server Server (standard)

58
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-20 Lesson 5 Managing SAS® Compute Servers and Spawners

Monitoring SAS Servers and Sessions from SAS Management

Console
This demonstration illustrates how to monitor SAS servers and sessions from SAS Management
Console.
1. In SAS Management Console, right-click the Server Manager plug-in and select Options.
Select Active, Inactive and Ended and click OK.

2. Expand the Server Manager plug-in and then select SASApp  - Logical Workspace Server
 SASApp - Workspace Server  sasserver.demo.sas.com or sasapp.demo.sas.com.
Right-click sasserver.demo.sas.com or sasapp.demo.sas.com and select Connect.

3. Connect also to the stored process server. Expand SASApp - Logical Stored Process
Server  SASApp - Stored Process Server. Right-click sasserver.demo.sas.com and
select Connect. Notice that the tabs become active when you are connected.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-21

4. On the Folders tab, navigate to Orion Star  Marketing Department  Stored Processes.
Right-click Analysis of Product Orders by Gender and click Properties.

5. On the Execution tab, select Stored process server only. Click OK.

6. Start a SAS Enterprise Guide session, select Start  All Programs  SAS  SAS Enterprise
Guide 8.2.
7. In the Server list, expand Servers  SASApp.
8. In SAS Management Console, return to the Plug-ins tab select the host level server (sasserver
or sasapp.demo.sas.com) under SASApp – Workspace Server. Locate the process running
under Jacques’ credentials on the right side of the window. What is the process ID?

9. In SAS Enterprise Guide, select SAS Folders, on the vertical navigation bar. Navigate to
Orion Star  Marketing Department  Stored Processes. Double-click Analysis of Product
Order by Gender and create a new project.

When the Project tab opens, click Run to execute the stored process.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-22 Lesson 5 Managing SAS® Compute Servers and Spawners

10. Switch back to SAS Management Console. Expand the host level server (sasserver or
sasapp.demo.sas.com) under SASApp – Stored Process Server. What is the process ID of
the Stored Process Server? Find the process on the operating system. (Use the Task Manager
on Windows and ps -elf | grep <PID> on Linux.) Who is the process owner?
11. Click the process ID and click the Sessions tab.
Are any sessions listed? If not, why not?
12. Return to SAS Enterprise Guide and rerun the stored process. While the stored process
executes, return to SAS Management Console and select the stored process server PID.
Was a new process started?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-23

Practice

1. Exploring the Object Spawner

a. Open the metadataConfig.xml file that the object spawner reads at start-up.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/ObjectSpawner.
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.

Open metadataConfig.xml with Notepad++. (Right-click the file and select Edit with
Notepad++.)

What account does the object spawner use to connect to the metadata server?
b. Use SAS Environment Manager or SAS Management Console to look at the metadata
properties of the object spawner. Use the credentials of Ahmed with the password
Student1.

SAS Environment Manager

1) On the Administration page, click Side menu and select Servers.

2) Right-click the following:

For Linux Server

Object Spawner - sasapp

For Windows Server

Object Spawner - sasserver

Then select Open to view metadata properties.

3) From the drop-down menu, select Servers.
Which servers is the object spawner responsible for starting?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-24 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Management Console

1) Expand Server Manager.

2) Right-click the following:

For Linux Server

Object Spawner - sasapp

For Windows Server

Object Spawner - sasserver

Then select Properties.

3) Click the Servers tab.
Which servers is the object spawner responsible for starting?
c. Use SAS Environment Manager to view metrics for the object spawner.
1) On the Resources tab, select the following:

For Linux Server

sasapp.demo.sas.com Object Spawner - sasapp

For Windows Server

sasserver.demo.sas.com Object Spawner - sasserver

2) Find the following metrics:

Current Clients: shows how many clients are currently connected to the object spawner.
Current Servers: shows how many servers of any type this object spawner has currently
launched.
Total Servers: shows how many servers of any type have been started by this object
spawner since it was launched.
3) You can use the up arrow to sequentially position the metrics next to each other on
the Monitor page. Click the Apply button located at the top right of the Indicator Charts.
d. Create a Server’s Launched by Object Spawner availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add
content to this column field and click the plus icon.
2) Click the Configure icon to display the Dashboard Settings page for the portlet.
3) Click Add to List in the selected Resources area.
4) In the View field, select Services. In the Filter By Name field, enter spawner and
click .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Co mpute Servers 5-25

5) Select all workspace servers, pooled workspace servers, and stored process servers.
(You should have selected six of the seven available.) Click the right-pointing arrow
to move them to the Add Resources pane. Click OK.
6) Specify the name Spawned Servers in the Description field. Click OK.
7) Move the Spawned Servers availability summary portlet just below the OS and SAS
Server Tier availability summary portlet. Click the heading and drag it to the location.

2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
Process Server
Use SAS Environment Manager or SAS Management Console to look at metadata properties of
the servers.

SAS Environment Manager

a. On the Administration page, click Servers. Expand SASApp  SASApp - Logical

Workspace Server, and click SASApp - Workspace Server.
Click the Options tab. What command is used by the object spawner to start the workspace
server?
Click the Connection tab. What port does the object spawner listen on for requests for the
workspace server?
b. On the Administration page, click Servers. Expand SASApp  SASApp - Logical Stored
Process Server and click SASApp - Stored Process Server.
Click the Options tab. What command is used by the object spawner to start the stored
process server? What shared ID does the object spawner use to launch the stored process
server?
Click the Connection tab. What port does the object spawner listen on for requests for the
stored process server?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-26 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Management Console

a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.
What command is used by the object spawner to start the workspace server?
What port does the object spawner listen on for requests for the workspace server?
b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
What command is used by the object spawner to start the stored process server?
What shared ID does the object spawner use to launch the stored process server?
What port does the object spawner listen on for requests for the stored process server?
3. Locating the Shared ID Credentials

SAS Environment Manager

a. On the Administration page, click Users.

b. In the search field, enter SAS General Servers.
c. Click SAS General Servers.
On the Properties tab, what is the description of this group?
On the Accounts tab, what account is attached to this group?
On the Members tab, who is the member of this group?
Note: Members of a group can access credentials stored on a group. Because the object
spawner connects to the metadata server with the sastrust@saspw account, the
object spawner is a member of the SAS General Server group.

SAS Management Console

a. Expand User Manager.

b. Right-click SAS General Servers and select Properties.
What is the description of this group?
Who is the member of this group?
What account is attached to this group?
Note: Members of a group can access credentials stored on a group. Because the object
spawner connects to the metadata server with the sastrust@saspw account, the
object spawner is a member of the SAS General Servers group.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-27

4. Running Stored Processes from the Report Center about Server Activity
a. Select Analyze  Report Center.

To create a report, click the stored process entry. The viewing pane of the Report Center
window displays prompts for the information in the report. You can select the categories of
inputs on the left side of the display area to fully customize the report. Click Run to produce
the report.
b. Select Products  SAS Environment Manager  Nightly Reports  ARM Performance
Reports.
The following reports can be useful regarding SAS servers:

User - Server Activity by User

How many SAS servers have been used and within what period of time?
5. (Optional) Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
The Saved Chart portlet displays a rotation of all the resource metric charts that you have saved.
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard.
When you create the portlet, all your saved charts automatically appear.
a. Make sure that you are logged on to SAS Environment Manager as Ahmed and are using
the password Student1.
b. Create a Free Memory chart.
1) Select Resources  Browse.
2) On the Resources page, select Platforms.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-28 Lesson 5 Managing SAS® Compute Servers and Spawners

3) Click the following:

For Linux Server

sasapp.demo.sas.com

For Windows Server

sasserver.demo.sas.com
4) Scroll down to the Free Memory chart.
5) Click Free Memory.
6) On the Metric Chart page, select Save Chart to Dashboards.
7) Select Ahmed and click Add.
8) Go to Dashboards to see the chart saved. It is displayed on the left side.
c. Create a Number of Spawned Servers chart.
1) Select Resources  Browse  Servers.
2) In the All Server Types field, select SAS Object Spawner 9.4.
3) Click the arrow at the right of the filter fields.
4) Click the following:

For Linux Server

sasapp.demo.sas.com Object Spawner - sasapp

For Windows Server

sasserver.demo.sas.com Object Spawner - sasserver

5) Scroll down to the Current Servers chart.

6) Click Current Servers.
7) On the Metric Chart page, select Save Chart to Dashboards.
8) Select Ahmed and click Add.
9) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved
Charts portlet.
Note: You can toggle between the two saved charts or remove them from the pane on
the left of the Saved Charts portlet.
d. Create a Metadata Server Clients Per Minute chart.
1) Select Resources  Browse  Servers.
2) In the All Groups field, select SAS Metadata Servers.
3) Click the arrow at the right of the filter fields.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.1 Understanding SAS Compute Servers 5-29

4) Click the following:

For Linux Server

sasapp.demo.sas.com SASMeta - Metadata Server

For Windows Server

sasserver.demo.sas.com SASMeta - Metadata Server

5) On the left side of the Resource Detail page, select All Metrics from the drop-down
menu.
6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon .
7) From the tooltip, select View Full Chart. The Metric Chart page appears.
8) On the Metric Chart page, select Save Chart to Dashboards.
9) Select Ahmed and click Add.
10) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved
Charts portlet.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-30 Lesson 5 Managing SAS® Compute Servers and Spawners

5.2 Exploring Credential Management

How Logons Are Used

Purpose

1. To enable the metadata server to match an incoming user ID with a

particular SAS identity (inbound use)
SAS identity

Joe: ID and
password

Metada ta Server
</>
i ID

SAS identity
Internal acct:
sasadm@saspw
and password
Metada ta Server
</>
i ID/password

63
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Joe’s logon is only for inbound use to determine his metadata identity. His password is available
(cached in the user context, not stored in the metadata) but is not used to determine his identity. This
logon should be in DefaultAuth, but that relationship is not used in determining his metadata identity.

How Logons Are Used

Purpose

2. To designate one host account as the account under which a

particular server runs and to make that account's ID and password
available to the spawner (SAS Token Authentication)

Stored Process
Server

SAS General Servers group’s logins:

sassrv and password Pooled Workspace Server

Workspace Server
(standard using SAS
Token Authentication)

64
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-31

The designated launch credential for each of the depicted processing servers is stored on the SAS
General Servers group definition. In this example, the servers all use the same credential s. Logons
that contain designated launch credentials are usually in the DefaultAuth authentication domain,
because these processing servers are usually in DefaultAuth. However, those logons are directly
paired with each server, not looked up by authentication domain. B ecause the authentication domain
assignment for these logons is not used, the figure does not depict that assignment.

How Logons Are Used

Purpose

3. To enable clients to seamlessly obtain user credentials for disparate

systems for outbound use, logins are stored in metadata: User ID,
Password, Authentication domain.

JoeOra and
password

OracleAuth Oracle DBMS

GroupOra and
password

Note: An example of outbound use is a DBMS or workspace server on a machine

with separate authentication from where the metadata server resides.
65
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Joe’s second logon provides seamless access to Oracle using an individual account. This logon
includes a password and must be in the Oracle server's authentication domain. The ETL group's
logon is a shared logon f or the Oracle server. Joe’s personal Oracle logon has a higher priority.
Note: If you choose to store passwords for the workspace server, the relationships would be
comparable to the depiction of the Oracle DBMS, OracleAuth authentication domain, and
Oracle logons. For example, you might put the workspace server in WorkspaceAuth and
create individual and group logons in that authentication domain.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-32 Lesson 5 Managing SAS® Compute Servers and Spawners

Outbound Logons
Outbound logons can be defined on the Accounts tab of individual and
group identities and must include these items:
• a fully qualified external account
• password
• authentication domain

66
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Clients use authentication domain assignments to determine which credentials are valid f or which
servers. The target server validates the client-supplied credentials against its authentication
provider.
In most deployments of the platform f or SAS Business Analytics, passwords for external accounts
need to be stored in the metadata to support these types of access only:
• seamless access to an external database
• seamless access to the standard workspace server in a mixed provider environment where
Integrated Windows Authentication and SAS token authentication is not applicable

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-33

Authentication Domains
An authentication domain is a SAS metadata object that pairs logons with
the server definitions where those credentials are correctly authenticated.

67
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound
logons) have the same authentication domain value (for example, “OracleAuth”) if those credentials
authenticate on that Oracle server. Authentication domains can be managed using the Server
Manager plug-in or the User Manager plug-in. Right-click the plug-in and select Authentication
Domains.

5.01 Multiple Choice Question

How many authentication domains do you need to define in the metadata?
a. one for each registered user
b. one for each registered server
c. one for each metadata server
d. one for each server that requires different credentials

68
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-34 Lesson 5 Managing SAS® Compute Servers and Spawners

Credential Management
Each client application maintains an in-memory list of credentials
(user context) for each connected user. The list includes the following:
• credentials provided when the application is launched (cached credentials)
• credentials provided interactively during the session (prompting)
• retrieval of credentials from metadata, either from the user’s account
properties or from a group’s account properties in the user’s identity
hierarchy
Example: Contents of a User Context
User ID Password Authentication Domain

myWINID DefaultAuth

GroupDBMSid ******* DBMSauth

70
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Credentials from a user or group's metadata definition are not included in the initial list that is
created when a user logs on. Instead, such credentials are added to the list dynamically
(when and if they are needed during the user's session).

Connection to DBMS Data Libraries

Three authentications and permissions take place when accessing DBMS
data:
• Metadata authentication
• SAS Workspace Server authentication
• DBMS authentication

71
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Three authentications and permissions take place when accessing DBMS data. Metadata
authentication is the first, and this is mainly for the metadata server to know who is requesting the
data and verify that the user has metadata permissions to the data.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-35

Workspace server authentication is the second authentication. If metadata permissions allow the
user to access the workspace server, then the metadata server retrieves and passes the user’s
credentials to the host OS of the SAS workspace server for authentication (via the object spawner).
When the first two authentications and authorizations have been met, the metadata server fetches
the corresponding metadata stored DBMS credentials to pass to the DBMS for authentication (these
credentials must be stored in metadata via groups for shared credentials or at the individual user
level, except when using SQL Server Windows Integration Authentication).
Next, the DBMS system controls which data the credentials have permission to access. SAS cannot
and will not override the DBMS permissions on DBMS data. However, SAS can add or enhance
DBMS data permissions through metadata permissions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-36 Lesson 5 Managing SAS® Compute Servers and Spawners

Configuring Access to a Database in SAS Management

Console (Optional)
This demonstration illustrates how to create a group for the purposes of storing credentials that
access a database server, define a database server, and register a library in SAS Management
Console.
1. In SAS Management Console, define a group that stores credentials that authenticate to a
database server.
Right-click the User Manager plug-in and select New  Group.

2. On the General tab, enter the group name Oragroup.

3. Click the Members tab. Clear the Show Groups box. Add the first four users that are listed by
pressing and holding the Shift key while highlighting the names. Click the right-pointing arrow.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-37

4. Click the Accounts tab and click New.

5. Enter the following:

• oracleid for User ID
• Student1 for Password twice
Click New next to Authentication Domain to create a new Authentication Domain that will also
be attached to the registered database server and libraries.

6. Enter OraAuth. Click OK.

7. Click OK to create the group.

8. Define the Oracle server.
Right-click Server Manager and select the New Server option to access the New Server
Wizard.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-38 Lesson 5 Managing SAS® Compute Servers and Spawners

9. Select Oracle Server from the Database Servers list. Click Next.

10. Enter an appropriate server name in the Name field (for example, Oracle Server). You also have
the option of supplying a description. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-39

11. The server properties that are displayed in the window are default values and should not be
changed. To change the Associated Machine property, click the down arrow at the right of the
field and select the appropriate server from the drop-down list.
Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-40 Lesson 5 Managing SAS® Compute Servers and Spawners

12. Enter the following connection properties:

Path to the Oracle server: newserver10G. (This value is contained in the tnsnames.ora file
generated during the Oracle installation. The file is stored in an Oracle installation directory such
as /opt/oracle/app/oracle/product/10.2.0/db_1/network/admin/tnsnames.ora. The alias for
the connection information is contained in this file.)
Authentication Domain: Click the arrow at the right of the field and select the Authentication
domain that you created when creating the Oracle group. This enables the appropriate Oracle
user ID and password to be used with this server.
Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-41

13. Click Finish.

14. Def ine an Oracle library.

Expand the Data Library Manager plug-in. Right-click Libraries and select the New Library
option to access the New Library Wizard.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-42 Lesson 5 Managing SAS® Compute Servers and Spawners

15. Select Oracle Library under Database Data. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-43

16. Enter Oracle Library in the Name field. Click Next.

17. Move SASApp so that this library is assigned to the SASApp server context. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-44 Lesson 5 Managing SAS® Compute Servers and Spawners

18. Enter oracle as the libref. Click Next.

19. The database server is Oracle Server. For the database schema name, add Scott. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.2 Exploring Credential Management 5-45

20. Click Finish.

21. Right-click Oracle Library and select Display LIBNAME Statement.

The interface generated the LIBNAME statement that will be processed when a user in that
group is accessing Oracle tables from this library, but the user is not prompted.
Note: If you are logged on as the unrestricted user, you are prompted because the unrestricted
user cannot retrieve passwords from metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-46 Lesson 5 Managing SAS® Compute Servers and Spawners

Practice

6. Maintaining Passwords for End Users in Metadata

If users have logons to third-party database servers, their IDs and passwords are stored in
metadata. They need to update their passwords according to company security policy. This can
be done through the following applications: SAS Personal Login Manager and SAS Enterprise
Guide.
Maintaining Passwords with SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.
b. Log on using the SAS Admin - Linux Server or SAS Admin - Windows Server connection
profile as Marcel with the password Student1.
c. Where in SAS Management Console can you find what is displayed in the SAS Personal
Login Manager? ______________________ In SAS Environment Manager? _____________
d. Can Marcel modify an existing login?
e. Can Marcel add a new login?
f. Can Marcel add a new authentication domain?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-47

5.3 Administering Server Logging

SAS Server and Spawner Logging

The SAS servers and spawners generate messages as events occur. These
messages can be of different severity levels from informational to severe. They
can be directed to a number of different locations, including the following:
• log files
• operating system logs
• SAS Management Console

76
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The SAS logging facility is a flexible, configurable framework that you can use to collect, categorize,
and filter events and write them to a variety of output devices. The facility logs information in support
of the following:
• problem diagnosis and resolution
• performance and capacity management
• auditing and regulatory compliance

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-48 Lesson 5 Managing SAS® Compute Servers and Spawners

Configuring Server Logging

Logging for each server is enabled by a system option and configured in an
XML file.
• The LOGCONFIGLOC= system option is specified in the server’s sasv9.cfg
file and points to the logging configuration file.
• The logging configuration file is an XML file that configures what messages
are captured and where they are sent.

LOGCONFIGLOC=“path to logconfig.xml” < >

sasv9.cfg logconfig.xml

77
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Initial logging settings for each SAS server are detailed in SAS 9.4 Intelligence Platform: System
Administration Guide under System Monitoring and Logging  Administering Logging for
SAS Servers  Initial Logging Configuration for SAS Servers.

Loggers and Appenders

Loggers and appenders define what messages are captured and where they
are sent.
Loggers Use a hierarchical system to categorize log events. They can be
configured to go to multiple appenders.
Appenders Represent a specific output destination for messages, including fixed
files, rolling files, operating system facilities, and client applications.

78
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-49

Loggers
SAS server logger names begin with one of the categories shown in the left
column below, which process the following types of events:
Admin Relevant to systems administrators and computer operators
App Related to specific applications
Audit Related to user authentication and security administration
IOM For servers that use Integrated Object Model (IOM) workspace server
interface
Perf Related to system performance

Settings of the Root logger are inherited by all other loggers by default.

79
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The App loggers process logs events related to specific applications such as metadata servers,
OLAP servers, stored process servers, and workspace servers.
The IOM interface provides access to SAS Foundation features such as the SAS language, SAS
libraries, the server file system, results content, and formatting services. IOM servers include
metadata servers, OLAP servers, stored process servers, and workspace servers .
Below is a list of some sample loggers that are useful for monitoring the metadata server and
metadata.
App.Meta is the parent logger for metadata server events. Logging levels that are defined for this
logger are inherited by its child loggers unless they are explicitly overridden. Here are some
examples:
• App.Meta.CM, which logs change management events, including check-in and check-out
• App.Meta.IO, which logs low-level input and output activity
• App.Meta.Mgmt, which logs metadata server management activity such as server operation
actions, creating and deleting repositories, modifying repository access modes, and repository
backup and migration
Audit.Meta.Security is the parent logger for metadata server security events. No events are written
directly to this logger. Logging levels that are defined for this logger are inherited by its child loggers
unless the levels are explicitly overridden. Examples are Audit.Meta.Security.AccCtrlAdm,
Audit.Meta.security.GrpAdm, Audit.Meta.Security.UserAdm.
Perf.Meta.Expensive logs requests that take longer than a specified time threshold so that
application developers and administrators can identify high-cost metadata requests. The
performance threshold is 30 seconds. (This is new in SAS 9.4.)
Admin.Operations processes log events that are related to server operations, such as starting,
pausing, and stopping an instance of a workspace server.
Audit.Authentication processes log events for server authentication requests.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-50 Lesson 5 Managing SAS® Compute Servers and Spawners

Diagnostic Levels
Log events have an associated diagnostic level.
TRACE Fine-grained informational events intended for SAS Technical Support

DEBUG Fine-grained informational events useful in debugging an application

and intended for SAS Technical Support
INFO Informational events that highlight the process of an application
WARN Warning events or minor problems that are external to the application

ERROR Error events that might still enable the application to continue running

FATAL Very severe events that most likely cause the application to end

80
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The logging levels are listed from the lowest (most detailed) to the highest: TRACE, DEBUG, INFO,
WARN, ERROR, FATAL.

Appenders
SAS has several appender classes for processing messages.
IOMServerAppender An IOM server appender to log messages from any IOM
server
FileAppender File appenders for writing log messages to a file on disk
RollingFileAppender
UNIXFacilityAppender Appenders to write to Windows, UNIX, and z/OS
WindowsEventAppender operating system logs
ZOSFAcilityAppender
ConsoleAppender Appenders to log messages to an operating system
ZOSWtoAppender console
Note: Log files are not deleted from log directories by default.
81
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-51

Appender specifications can include additional parameters to specify the following:

• file name (fileNamePattern)
• file header information (HeaderPattern)
• layout of messages in file (ConversionPattern)
These parameters typically use conversion characters referenced with a preceding percent sign,
including the following:

Conversion Description
Character

d Date of logging event

The date conversion specifier, %d, can be followed by a set of braces that contains
a date and time pattern string such as %d{HH:mm:ss, SSS} or %d{DATE}.

t Identifier for the thread that generated logging event

m Application-supplied message lines associated with the logging event

c Used to trigger the output of the logger name of the logging event

p Used to trigger the output of the level of the logging event

S Used to trigger the output of various pieces of system information and must be
followed by the key for the system information desired, placed between braces such
as %S{os_name}
Valid system information keys include the following:
• host_name
• os_name
• os_version
• user_name: identity that owns the process and not client identity associated with
current thread
• startup_cmd

u Client identity associated with current thread

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-52 Lesson 5 Managing SAS® Compute Servers and Spawners

IOMServerAppender and SAS Management Console

The IOM server appender writes log messages from IOM servers to a
volatile run-time cache. The contents of the cache are available for display in
SAS Management Console.
Use the Server Manager options to specify a message level or threshold
filter level.

82
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: In the current version (9.4M5), nothing shows up in the log viewer for the various servers,
such as the object spawner, metadata server, and connect spawner. A hot fix is planned for
this issue.
The option settings filter the events that are already generated, based on the server’s logging
settings.

Message Level Specifies a specific level of messages to be displayed in SAS

Management Console.

Threshold Level Specifies the lowest level of messages to be displayed in SAS

Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-53

How Did the Message Make It to the Log?

Event type is Audit, so send to Audit Logger. Audit Logger decides:
level INFO >= threshold INFO.

Event is passed to referenced Appender: AuditTimeBasedRollingFile.

Appender decides: level INFO >= THRESHOLD INFO.

Message is written to the log file.

83
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In addition to filtering log events based on thresholds that are assigned to loggers or appender
def initions, the logging facility enables you to use f ilter classes to filter log events based on one of
the f ollowing: a character string in the message, a single threshold, a range of thresholds, and a
combination of strings and thresholds.
Common Terminology
Log event: an occurrence that is reported by a program f or possible inclusion in a log.
Filter: a set of character strings or thresholds, or a combination of strings and
thresholds that you specif y. Log events are compared to the f ilter to determine
whether they should be processed.
Message category: a classif ication f or messages that are produced by a SAS subsystem. Message
categories f or the logging f acility are administrative messages, application-
specif ic messages, audit messages, IOM messages, and perf ormance
messages.
Threshold: the lowest event level that is processed. Log events whose levels are below the
threshold are ignored.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-54 Lesson 5 Managing SAS® Compute Servers and Spawners

Logging Process
Stop Processing Stop Processing
Event Event

Log Event Log Event

Log Event
<Threshold < Threshold
For Logger For Appender
or Filter

Route to Log Event

Log Event >=Threshold
Logger Based Logger >=Threshold Appender For
On Name For Logger Appender

Output Destination
84
C o p yri gh t © SAS In sti tu te In c. Al l ri gh ts re se rve d .

1. A SAS process (for example, a SAS server process) issues a log event. Each event includes
the following attributes: name that indicates the message category, diagnostic level, and
message.
2. The log event is routed to a logger based on the event’s name.
3. The log event’s diagnostic level is compared to the threshold that is specified for the logger
in the logging configuration. If the event’s level is at or above the specified threshold, then
processing continues. If the level is below the threshold, then the event is ignored.
If no threshold is specified for the event’s logger, then the event inherits the threshold setting of
the nearest ancestor logger. For example, if an Audit.Meta.Security event is being processed,
then inheritance occurs as follows:
a. The event’s level is compared to the threshold for the Audit.Meta.Security logger.
b. If no threshold is specified for Audit.Meta.Security, then the threshold for Audit.Meta is
applied.
c. If no threshold is specified for Audit.Meta, then the threshold for Audit is applied.
d. If no threshold is specified for Audit, then the threshold for Root is applied.
If no threshold is assigned to the logger or its ancestors, then the event is ignored.
4. The log event is processed by the appenders that are assigned to the logger. Each appender
processes the log event. If the appender configuration includes a
a. threshold, the event’s level is compared to the threshold
b. filter, the event is compared to the f iltering criteria.
5. If the log event passes the filter and threshold f or the appender, it is written to the output
destination.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-55

Note: Multiple appenders can be associated with a single logger. An event that passes the
logger might be written to one appender, but not to another. For example, a warning
might be written to a log f ile, but not to the terminal window.

Modifying Server Logging Configurations

The best practice is to use the initial logging configuration files created
by the SAS Deployment Wizard.
If necessary, you can use the following methods for modifying server logging
configurations:
• adjust logging levels dynamically using the Server Manager plug-in
• use alternative logging configuration files provided for troubleshooting
• modify the server’s logconfig.xml file

85
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Adjusting Logging Levels Dynamically

The dynamic changes affect all logging produced by the server in question,
but do not modify the logconfig.xml file. The changes persist until changed
dynamically or the server is restarted.

86
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

By default, the Audit.Meta logger inherits the Information logging level from its parent, Audit. You can
assign a different level for this logger.
When the server is restarted, it rereads the logconfig.xml file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-56 Lesson 5 Managing SAS® Compute Servers and Spawners

Alternative Logging Configuration Files

To assist in troubleshooting, alternative logging configuration files are
provided for some servers, including metadata servers, OLAP servers,
pooled workspace servers, stored process servers, and workspace servers.
• The files are named logconfig.trace.xml.
• Messages are written to the server’s rolling log file.

Performance issues can result from using these files.

Do not modify the logconfig.trace.xml logging configuration files
unless you are requested to do so by SAS Technical Support.

87
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Alternate logging configuration files named logconfig.apm.xml are provided and used if the
SAS Environment Manager Service Architecture is enabled.
Using Alternative Logging Configuration Files
To use an alternative logging configuration file, follow thes e steps:
1. Stop the server if it is running.
2. Rename the server’s logconfig.xml file as logconfig_orig.xml.
3. Rename the server’s logconfig.trace.xml file as logconfig.xml.
4. Restart the server if necessary.
5. When troubleshooting is complete, stop the server if it is running. Rename logconfig.xml as
logconfig.trace.xml and logconfig_orig.xml as logconfig.xml. Restart the server if necessary.

Make backup copies of any files before modifying them.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-57

Modifying logconfig.xml Files

The following are some examples of changes that you might want to make
to a server’s log configuration file:
• Configure the RollingFileAppender to use a different log file name or to
store the files in a different location.
• Configure a different message layout for an appender.

If you choose to modify the server’s logconfig.xml file, make a backup

copy first.

88
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For more information about the SAS logging facility, refer to SAS 9.4 Logging: Configuration
and Programming Reference.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-58 Lesson 5 Managing SAS® Compute Servers and Spawners

Viewing Metadata Server Logging in SAS Management

Console
This demonstration illustrates how to view logging for the metadata server under the Server
Manager plug-in.
1. In SAS Management Console, expand Server Manager  SAS Meta  SASMeta - Logical
Metadata Server. Right-click SASMeta - Metadata Server and select Connect.

2. The tabs on the right are no longer unavailable. Click the Clients tab. The tab lists the user, host,
and entry time for each client connected to the metadata server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-59

3. Click the Options tab. The tab lists the name, description, value, and category for the server and
spawner options, counters, and properties.

4. Click the Loggers tab. The tab lists the logging services that are in use for the server, as well as
the logging level that is captured, or inherited. This is configured for the IOM Server Appender in
the logconfig.apm.xml for the metadata server.
Note: The logconfig.apm.xml is in use because Extended Monitoring has been enabled in this
environment.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-60 Lesson 5 Managing SAS® Compute Servers and Spawners

5. For example, Perf shows a level of <inherited>. It is inheriting the level from <Root> of Error.
Right-click Perf and select Properties.

You can assign a different diagnostic level here. The dynamic changes affect all logging
produced by the server in question, but do not modify the logging configuration file that is read at
server start-up. The changes persist until changed dynamically or the server is restarted.

6. Click Cancel.
7. Click the Log tab. The tab displays the log for the server when configured to do so.

8. To configure this, right-click the Server Manager plug-in and select Options.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-61

9. Click the Logging tab.

10. Select Information for Threshold Level. Click OK.

11. Let’s look at the logconfig.xml f or the SAS Metadata Server.

For Linux Server

You can use WinSCP or mRemoteNG.

On the sasapp.demo.sas.com machine, navigate to
/opt/sas/config/Lev1/SASMeta/MetadataServer.
Open sasv9_usermods.cfg.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-62 Lesson 5 Managing SAS® Compute Servers and Spawners

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.
Open sasv9_usermods.cfg.

Because the service architecture was enabled, SAS servers are directed to use the
logconfig.apm.xml files for logging configuration.
Close the file.
12. Open the logconfig.apm.xml f or the SAS Metadata Server. Review the appenders and
loggers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-63

Practice

7. Examining Details about Enabling Trace Logging for Object Spawner

a. Open a web browser on the Windows machine. Go to the SAS Documentation site:
http://support.sas.com.
b. Click Documentation.

c. Search the SAS Intelligence Platform documentation. Enter enable object spawner trace
logging and click Search.

d. Click the result named Enable More Detailed Logging for SAS Object Spawner
Troubleshooting.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-64 Lesson 5 Managing SAS® Compute Servers and Spawners

e. (Optional) You can choose to temporarily increase the logging level dynamically in
SAS Management Console (the second bullet).

Note: Setting the logging level to DEBUG or TRACE results in performance issues. Do not
set the Object Spawner logging level to either without consulting with SAS Technical
Support first.
8. Auditing Data Access
A common request to SAS administrators is to be able to log and report on which users are
accessing SAS tables. The relevant information needs to be captured, which is the user, the
table, and the date and time that the table was accessed. The SAS logging facility includes a
logger for auditing access to SAS libraries, which supports the ability to log who has accessed
data in a SAS library, including SAS tables and database tables accessed via a SAS LIBNAME.
The AUDIT.DATA logger records who has opened, deleted, or renamed a table.
In our environment, there is a file named logconfig.apm.trace.data.xml in the stored process
server directory. This is identical to the logconfig.apm.xml file that is used in the environment,
except the logger, Audit.Data.Dataset, is defined and a RollingFileAppender named
TimeBasedRollingFileAudit is defined.
In this practice, you review the file and then use that file for the logging configuration of the
stored process server. You could use the existing RollingFileAppender, but instead you write to a
new directory location that will hold only data access entries in its log files.
a. Open logconfig.apm.trace.data.xml to view the Audit.Data.Dataset logger and the
TimeBased RollingFileAudit appender.

For Linux Server

You can use WinSCP or mRemoteNG for this practice.

On the sasapp.demo.sas.com machine, navigate to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
Open logconfig.apm.trace.data.xml.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-65

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open

logconfig.apm.trace.data.xml.

b. The second appender defined is the TimeBasedRollingFileAudit appender.

Scroll down further until you see Audit Data message logger.

The new logger routes Audit.Data.Dataset messages with a diagnostic level of TRACE and
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
TimeBasedRollingFileAudit.
The appender definition determines where the logger messages are written and what format
is used for the written messages. Note the following:
• The appender name matches the name specified in the appender tag of the logger
definition (TimeBasedRollingFileAudit).
• The ConversionPattern parameter value specifies the log message. This is the same as
what is written to an existing log file with the addition of LOGGER=%c. So the entry in the
log file includes the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The
%c is a conversion character that writes out the logger name.)
• The FileNamePattern parameter value specifies where the log file will be written out and
what the name of the log file will be.

For Linux Server

name=”FileNamePattern”
value=”/opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-66 Lesson 5 Managing SAS® Compute Servers and Spawners

For Windows Server

name=”FileNamePattern”
value=”D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs

Close logconfig.apm.trace.data.xml without making any changes.

c. The AuditLogs directory needs to be created.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASApp/StoredProcessServer.
Create the AuditLogs directory. Verify that SAS Users and the sassrv account can
write to this location.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
Create the AuditLogs directory. Verify that SAS Users and the sassrv account can
write to this location.

d. Modify the sasv9_usermods.cfg file to point to the different logging configuration file.
Note: In this environment, the SAS Environment Manager service architecture framework is
configured so that the logging configuration points to logconfig.apm.xml.

For Linux Server

1. On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASApp/StoredProcessServer.

2. Open sasv9_usermods.cfg and find the value for the logconfigloc system option.

3. Modify the logconfigloc value so that the logconfig.apm.trace.data.xml file is

used.

4. Save and close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.3 Administering Server Logging 5-67

For Windows Server

1. Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open

sasv9_usermods.cfg and find the value for the logconfigloc system option.

2. Modify the logconfigloc value so that the logconfig.apm.trace.data.xml file is used.

3. Save and close.

e. Refresh the object spawner in SAS Management Console and validate that the stored
process server is still operational.
1) Expand the Server Manager plug-in and then select the following:
For Linux Server: Object Spawner - sasapp. Right-click sasapp.demo.sas.com and
select Connect.
For Windows Server: Object Spawner - sasserver. Right-click
sasserver.demo.sas.com and select Connect.
2) Right-click the following:
For Linux Server: sasapp.demo.sas.com and select Refresh Spawner.
For Windows Server: sasserver.demo.sas.com and select Refresh Spawner.
3) Click Yes to continue.
4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored
Process Server. Right-click the following:
For Linux Server: sasapp.demo.sas.com and select Validate.
For Windows Server: sasserver.demo.sas.com and select Validate.
5) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-68 Lesson 5 Managing SAS® Compute Servers and Spawners

f. Run a stored process and check the audit log.

1) Open a web browser on the Windows machine and select SASWebReportStudio from
the Windows or Linux folder on the Favorites bar. Log on as Ahmed using the password
Student1.
2) Select Open on the Getting Started page.

3) Navigate to Orion Star  Marketing Department  Stored Processes.

4) Highlight Analysis of Product Orders by Gender and click Open.
5) Check the log.

For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and

open the log file.
Note the TRACE level of logging that shows Ahmed has accessed data on the server.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and

open the log file.
Note the TRACE level of logging that shows Ahmed has accessed data on the server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-69

5.4 Solutions
Solutions to Practices
1. Exploring the Object Spawner
a. Open the metadataConfig.xml file that the object spawner reads at start-up.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/ObjectSpawner.
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.

For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.

Open metadataConfig.xml with Notepad++. (Right-click on file and select Edit with
Notepad++.)

What account does the object spawner use to connect to the metadata server?
sastrust@saspw
b. Use SAS Environment Manager or SAS Management Console to look at the metadata
properties of the object spawner. Use the credentials of Ahmed with the password
Student1.

SAS Environment Manager

1) On the Administration page, click Side menu and select Servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-70 Lesson 5 Managing SAS® Compute Servers and Spawners

2) Right-click the following:

For Linux Server

Object Spawner - sasapp

For Windows Server

Object Spawner - sasserver

Then select Open to view metadata properties.

3) From the drop-down menu, select Servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-71

Which servers is the object spawner responsible for starting?

SAS Management Console

1) Expand Server Manager.

2) Right-click the following:

For Linux Server

Object Spawner - sasapp

For Windows Server

Object Spawner - sasserver

Then select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-72 Lesson 5 Managing SAS® Compute Servers and Spawners

3) Click the Servers tab.

Which servers is the object spawner responsible for starting?

c. Use SAS Environment Manager to view the metrics for the object spawner.
1) On the Resources tab, select the following:

For Linux Server

sasapp.demo.sas.com Object Spawner - sasapp

For Windows Server

sasserver.demo.sas.com Object Spawner - sasserver

2) Find the following metrics:

Current Clients shows how many clients are currently connected to the object spawner.
Current Servers shows how many servers of any type this object spawner has currently
launched.
Total Servers shows how many servers of any type have been started by this object
spawner since it was launched.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-73

3) You can use the up arrow to sequentially position the metrics next to each other on
the Monitor page. Click the Apply button located at the top right of the Indicator Charts.

d. Create a Server’s Launched by Object Spawner availability summary portlet.

1) On the left side of the Dashboard page, select Availability Summary in the Add
content to this column field and click the plus icon.

2) Click the Configure icon to display the Dashboard Settings page for the portlet.

3) Click Add to List in the selected Resources area.

4) In the View field, select Services. In the Filter By Name field, enter spawner and
click .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-74 Lesson 5 Managing SAS® Compute Servers and Spawners

5) Select all workspace servers, pooled workspace servers, and stored process servers.
(You should have selected six of the seven available.) Click the right-pointing arrow
to move them to the Add Resources pane. Click OK.

6) Specify the name Spawned Servers in the Description field. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-75

7) Move the Spawned Servers availability summary portlet just below the OS and SAS
Server Tier availability summary portlet. Click the heading and drag it to the location.

2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
Process Server
Use SAS Environment Manager or SAS Management Console to look at metadata properties of
the servers.

SAS Environment Manager

a. On the Administration page, click Servers. Expand SASApp  SASApp - Logical

Workspace Server, and click SASApp - Workspace Server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-76 Lesson 5 Managing SAS® Compute Servers and Spawners

Click the Options tab. What command is used by the object spawner to start the workspace
server?

For Linux Server

/opt/sas/config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh

For Windows Server

"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"

Click the Connection tab. What port does the object spawner listen on for requests for the
workspace server?

b. On the Administration page, click Servers. Expand SASApp  SASApp - Logical Stored
Process Server and click SASApp - Stored Process Server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-77

Click the Options tab. What command is used by the object spawner to start the stored
process server? What shared ID does the object spawner use to launch the stored process
server?

For Linux Server

/opt/sas/config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh

For Windows Server

"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"

For Linux Server

sassrv

For Windows Server

sasserver\sassrv

Click the Connection tab. What port does the object spawner listen on for requests for the
stored process server?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-78 Lesson 5 Managing SAS® Compute Servers and Spawners

SAS Management Console

a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.
What command is used by the object spawner to start the workspace server?

For Linux Server

/opt/sas/config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh

For Windows Server

"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"

What port does the object spawner listen on for requests for the workspace server? 8591

b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
What command is used by the object spawner to start the workspace server?

For Linux Server

/opt/sas/config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh

For Windows Server

"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"

What shared ID does the object spawner use to launch the stored process server?

For Linux Server

sassrv

For Windows Server

sasserver\sassrv

What port does the object spawner listen on for requests for the stored process server? 8601

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-79

3. Locating the Shared ID Credentials

SAS Environment Manager

a. On the Administration page, click Users.

b. In the search field, enter SAS General Servers.
c. Click SAS General Servers.
On the Properties tab, what is the description of this group?

On the Accounts tab, what account is attached to this group?

For Linux Server

sassrv

For Windows Server

sasserver\sassrv

On the Members tab, who is the member of this group?

Note: Members of a group can access credentials stored on a group. Because the object
spawner connects to the metadata server with the sastrust@saspw account, the
object spawner is a member of the SAS General Server group.

SAS Management Console

a. Expand User Manager.

b. Right-click SAS General Servers and select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-80 Lesson 5 Managing SAS® Compute Servers and Spawners

What is the description of this group? Allows members to be used for launching stored
process servers and pooled workspace servers
Who is the member of this group? SAS Trusted User
What account is attached to this group?

For Linux Server

sassrv

For Windows Server

sasserver\sassrv

Note: Members of a group can access credentials stored on a group. Because the object
spawner connects to the metadata server with the sastrust@saspw account, the
object spawner is a member of the SAS General Servers group.
4. Running Stored Processes from the Report Center about Server Activity
a. Select Analyze  Report Center.

To create a report, click the stored process entry. The viewing pane of the Report Center
window displays prompts for the information in the report. You can select the categories of
inputs on the left side of the display area to fully cus tomize the report. Click Run to produce
the report.
b. Select Products  SAS Environment Manager  Nightly Reports  ARM Performance
Reports.
The following reports can be useful regarding SAS servers:

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-81

User - Server Activity by User

How many SAS servers have been used and within what period of time?
Answers will vary.

5. (Optional) Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
The Saved Chart portlet displays a rotation of all the resource metric charts that you have saved.
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard.
When you create the portlet, all your saved charts automatically appear.
a. Make sure that you are logged on to SAS Environment Manager as Ahmed using the
password Student1.
b. Create a Free Memory chart.
1) Select Resources  Browse.
2) On the Resources page, select Platforms.
3) Click the following:

For Linux Server

sasapp.demo.sas.com

For Windows Server

sasserver.demo.sas.com

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-82 Lesson 5 Managing SAS® Compute Servers and Spawners

4) Scroll down to the Free Memory chart.

5) Click Free Memory.

6) On the Metric Chart page, select Save Chart to Dashboards.

7) Select Ahmed and click Add.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-83

8) Go to Dashboards to see the chart saved. It is displayed on the left side.

c. Create a Number of Spawned Servers chart.

1) Select Resources  Browse  Servers.
2) In the All Server Types field, select SAS Object Spawner 9.4.

3) Click the arrow at the right of the filter fields.

4) Click the following:

For Linux Server

sasapp.demo.sas.com Object Spawner - sasapp

For Windows Server

sasserver.demo.sas.com Object Spawner - sasserver

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-84 Lesson 5 Managing SAS® Compute Servers and Spawners

5) Scroll down to the Current Servers chart.

6) Click Current Servers.

7) On the Metric Chart page, select Save Chart to Dashboards.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-85

8) Select Ahmed and click Add.

9) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved Charts
portlet.

Note: You can toggle between the two saved charts or remove them from the pane on
the left of the Saved Charts portlet.
d. Create a Metadata Server Clients Per Minute chart.
1) Select Resources  Browse  Servers.
2) In the All Groups field, select SAS Metadata Servers.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-86 Lesson 5 Managing SAS® Compute Servers and Spawners

3) Click the arrow at the right of the filter fields.

4) Click the following:

For Linux Server

sasapp.demo.sas.com SASMeta - Metadata Server

For Windows Server

sasserver.demo.sas.com SASMeta - Metadata Server

5) On the left side of the Resource Detail page, select All Metrics from the drop-down
menu.

6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-87

7) From the tooltip, select View Full Chart. The Metric Chart page appears.

8) On the Metric Chart page, select Save Chart to Dashboards.

9) Select Ahmed and click Add.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-88 Lesson 5 Managing SAS® Compute Servers and Spawners

10) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved
Charts portlet.

6. Maintaining Passwords for End Users in Metadata

If users have logons to third-party database servers, their IDs and passwords are stored in
metadata. They need to update their passwords according to company security policy. This can
be done through the following applications: SAS Personal Login Manager and SAS Enterprise
Guide.
Maintaining Passwords with SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.

b. Log on using the SAS Admin - Linux Server or SAS Admin - Windows Server connection
profile as Marcel and with the password Student1.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-89

c. Where in SAS Management Console can you find what is displayed in the SAS Personal
Login Manager? On the Accounts tab of a user definition
In SAS Environment Manager? On the Accounts properties of a user definition in the
Administration page
d. Can Marcel modify an existing login? Yes, Marcel can right-click and edit the current
login.
e. Can Marcel add a new login? Yes, by right-clicking the white area and selecting New
from the pop-up menu, using the Edit menu bar, or clicking the Add a New Login
button on the toolbar.
f. Can Marcel add a new authentication domain? No
7. Examining Details about Enabling Trace Logging for Object Spawner
a. Open a web browser on the Windows machine. Go to the SAS Documentation site:
http://support.sas.com.
b. Click Documentation.

c. Search the SAS Intelligence Platform documentation. Enter enable object spawner trace
logging and click Search.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-90 Lesson 5 Managing SAS® Compute Servers and Spawners

d. Click the result named Enable More Detailed Logging for SAS Object Spawner
Troubleshooting.

e. (Optional) You can choose to temporarily increase the logging level dynamically in
SAS Management Console (the second bullet).

Note: Setting the logging level to DEBUG or TRACE results in performance issues. Do not
set the Object Spawner logging level to either without consulting with SAS Technical
Support first.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-91

8. Auditing Data Access

A common request to SAS administrators is to be able to log and report on which users are
accessing SAS tables. The relevant information needs to be captured, which is the user, the
table and the date and time that the table was accessed. The SAS logging facility includes a
logger for auditing access to SAS libraries that supports the ability to log who has accessed data
in a SAS library, including SAS tables and database tables accessed via a SAS LIBNAME. The
AUDIT.DATA logger records who has opened, deleted, or renamed a table.
In our environment, there is a file named logconfig.apm.trace.data.xml in the stored process
server directory. This is identical to the logconfig.apm.xml file that is used in the environment,
except the logger, Audit.Data.Dataset, is defined and a RollingFileAppender named
TimeBasedRollingFileAudit is defined.
In this practice, you review the file and then use that file for the logging configuration of the
stored process server. You could use the existing RollingFileAppender, but instead you write to a
new directory location that will hold only data access entries in its log files.
a. Open logconfig.apm.trace.data.xml to view the Audit.Data.Dataset logger and the
TimeBased RollingFileAudit appender.

For Linux Server

You can use WinSCP or mRemoteNG for this practice.

On the sasapp.demo.sas.com machine, navigate to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.

Open logconfig.apm.trace.data.xml.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open

logconfig.apm.trace.data.xml.

b. The second appender defined is the TimeBasedRollingFileAudit appender.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-92 Lesson 5 Managing SAS® Compute Servers and Spawners

Scroll down further until you see Audit Data message logger.

The new logger routes Audit.Data.Dataset messages with a diagnostic level of TRACE and
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
TimeBasedRollingFileAudit.
The appender definition determines where the logger messages are written and what format
is used for the written messages. Note the following:
• The appender name matches the name specified in the appender tag of the logger
definition (TimeBasedRollingFileAudit).
• The ConversionPattern parameter values specifies the log message. This is the same as
what is written to an existing log file with the addition of LOGGER=%c. So the entry in the
log file includes the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The
%c is a conversion character that writes out the logger name.)
• The FileNamePattern parameter value specifies where the log file will be written out and
what the name of the log file will be.

For Linux Server

name=”FileNamePattern”
value=”/opt/sas/config/Lev1/SASApp/StoredProcessServer/ AuditLogs

For Windows Server

name=”FileNamePattern”
value=”D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs

Close logconfig.apm.trace.data.xml without making any changes.

c. The AuditLogs directory needs to be created.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
Create the AuditLogs directory. Verify that SAS Users and the sassrv account can
write to this location.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-93

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
Create the AuditLogs directory. Verify that SAS Users and the sassrv account can
write to this location.

d. Modify the sasv9_usermods.cfg file to point to the different logging configuration file.
Note: In this environment, the SAS Environment Manager service architecture framework is
configured so that the logging configuration points to logconfig.apm.xml.

For Linux Server

1. On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASApp/StoredProcessServer.

2. Open sasv9_usermods.cfg and find the value for the logconfigloc system option.

3. Modify the logconfigloc value so that the logconfig.apm.trace.data.xml file is

used.

4. Save and close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-94 Lesson 5 Managing SAS® Compute Servers and Spawners

For Windows Server

1. Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open

sasv9_usermods.cfg and find the value for the logconfigloc system option.

2. Modify the logconfigloc value so that the logconfig.apm.trace.data.xml file is used.

3. Save and close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-95

e. Refresh the object spawner in SAS Management Console and validate that the stored
process server is still operational.
1) Expand Server Manager plug-in and select the following:
For Linux Server: Object Spawner -sasapp. Right-click sasapp.demo.sas.com and
select Connect.
For Windows Server: Object Spawner - sasserver. Right-click
sasserver.demo.sas.com and select Connect.

2) Right-click the following:

For Linux Server: sasapp.demo.sas.com and select Refresh Spawner.
For Windows Server: sasserver.demo.sas.com and select Refresh Spawner.

3) Click Yes to continue.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-96 Lesson 5 Managing SAS® Compute Servers and Spawners

4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored

Process Server. Right-click the following:
For Linux Server: sasapp.demo.sas.com and select Validate.

For Windows Server: sasserver.demo.sas.com and select Validate.

5) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-97

f. Run a stored process and check the audit log.

1) Open a web browser on the Windows machine and select SASWebReportStudio from
the Windows or Linux folder on the Favorites bar. Log on as Ahmed using the password
Student1.
2) Select Open on the Getting Started page.

3) Navigate to Orion Star  Marketing Department  Stored Processes.

4) Highlight Analysis of Product Orders by Gender and click Open.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-98 Lesson 5 Managing SAS® Compute Servers and Spawners

5) Check the log.

For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and

open the log file.
Note the TRACE level of logging that shows Ahmed has accessed data on the server.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and

open the log file.
Note the TRACE level of logging that shows Ahmed has accessed data on the server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 5.4 Solutions 5-99

Solutions to Activities and Questions

5.01 Multiple Choice Question – Correct Answer

How many authentication domains do you need to define in the metadata?
a. one for each registered user
b. one for each registered server
c. one for each metadata server
d. one for each server that requires different credentials

69
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
5-100 Lesson 5 Managing SAS® Compute Servers and Spawners

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 6 Securing Metadata
6.1 Reviewing Metadata Security ....................................................................................... 6-3
Demonstration: Exploring the Repository ACT........................................................... 6-12
Practice............................................................................................................... 6-18

6.2 Exploring Metadata Permissions and ACTs................................................................ 6-25

Demonstration: Identifying Applicable Permissions .................................................... 6-34
Practice............................................................................................................... 6-37

6.3 Customizing SAS Folders .......................................................................................... 6-45

Practice............................................................................................................... 6-53

6.4 Solutions ................................................................................................................... 6-72

Solutions to Practices ............................................................................................ 6-72
Solutions to Activities and Questions...................................................................... 6-155
6-2 Lesson 6 Securing Metadata

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-3

6.1 Reviewing Metadata Security

SAS Metadata Authorization

The SAS Platform implements a SAS Advanced Analytic Platform
Applications and interfaces
metadata-based authorization layer,
which provides an abstraction from the
underlying digital and physical resources
Metadata Layer
used in this advanced analytic platform.
• The metadata layer supplements
protections from the host Digital Resources
environment and other systems. Tables, reports, models, and so on

• In order to access a resource, a user Physical Resources

servers, databases, and so on
must have sufficient access in all
layers that are relevant.

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Authorization is the process of determining which users have which permissions for which
resources.
The metadata layer of fers a number of benef its, including but not limited to the f ollowing:
• tighter integration across platform applications and interfaces
• flexibility and portability in underlying implementation
• enterprise level security and governance

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-4 Lesson 6 Securing Metadata

Metadata Authorization Layer

The outcome of the authorization process is a decision that either grants or denies
a specific action on a specific resource, based on the user’s identity and group
memberships.

REPOS

Applications
server

Stored process
Library
Web
D/B DAV O/S

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d . ...

Across authorization layers, protections are cumulative. To perform a task, a user must have
sufficient access in all applicable layers.
Some clients enable power users to create and run SAS programs that access data directly,
bypassing metadata-layer controls. It is essential to manage physical layer access in addition to
metadata-layer controls.

Access Management
You can use the metadata authorization layer to manage access to the following
resources:

Logical
Server
Folder
Stored
Process
Application
Server
Identity
Report

Library

Repository
Table
5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-5

Access to a SAS metadata resource is controlled by granting or denying the metadata permissions
that are enf orced f or the resource.

Metadata Authorization
The metadata authorization model is object-centric, not identity-centric. The
effective permissions are viewed and managed through the authorization of the
metadata properties.

SAS Management Console

right-click  Properties 
Authorization tab

SAS Environment Manager

Administration
click  Authorization tab

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

To programmatically define or query authorization settings, use either batch tools or DATA step
functions.

Metadata Permissions
In the metadata layer, the following permissions are always enforced:
• ReadMetadata (RM), which controls the ability to see an object or
navigate past a folder
• WriteMetadata (WM), which controls the ability to edit, delete, rename,
or change permissions on an item

7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Other permissions are specialized and af f ect only certain types of items.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-6 Lesson 6 Securing Metadata

To examine a user’s permissions, do not begin by finding the user definition. Instead, begin by
navigating to the object that you want to examine.

Three Levels of Granularity

You can set permissions at the following levels of granularity:
• Repository-level controls act as a gateway and as parent-of-last-resort.
• Object-level controls manage access to a specific object.
• Fine-grained controls affect access to subsets of data within a resource.

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Repository-level controls are managed from the permission pattern of the repository ACT
(Default ACT).
You can define object-level controls individually (as explicit settings) or in patterns (by applying
access control templates).
To establish fine-grained controls, you add constraints called permission conditions to explicit grants
of the Read or Select permission. Fine-grained controls are supported for only some objects,
including SAS Information Maps, SAS OLAP cubes, and metadata-bound data sets.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-7

Repository ACT
Repository-level controls are managed from the permission pattern of the
repository ACT (default ACT).
• A user must have ReadMetadata and
WriteMetadata in the repository ACT
to navigate and create an object
anywhere in the metadata.

9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Repository ACT
The repository ACT is a template that is designated to provide repository-
level controls.
• Permissions on the repository ACT are applied indirectly to all objects in
the metadata.
• If there are no direct settings on the object or on any of that object’s parents,
then the repository ACT determines the outcome.
• If the repository ACT’s pattern neither grants nor denies the permissions, then
the permission is denied.
• If there is no repository ACT, all permissions are granted.

10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

You should always have a designated repository ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-8 Lesson 6 Securing Metadata

Two Relationship Networks

Permission settings are conveyed across two distinct relationship networks:
• Identity relationships network
• Object inheritance
System Objects BI Contents Relational Data OLAP Data

Self Repository
ACT

Root
HR Report Application Folder
Server
Creator User ACT
Group Parent
Role Logical Folder
Server Shared
SASUSERS Table Library
Definition OLAP
Cube
Schema

Server Dimension
Stored Report Infor-
process mation
Finance Map
Level Hierarchy Measure
Connection Column

Level Hierarchy
PUBLIC
11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Identity Relationships Network

In the identity relationships network, permissions that you assign to one
identity can affect many other identities.

Self

HR Report
Creator

SASUSERS

Finance

PUBLIC

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

From top to bottom, the elements in the diagram are ordered as follows:
• from highest precedence (hardest to override) to lowest precedence (easiest to override)
• from narrowest impact (most specific) to broadest impact (least specific)
For example, if you grant a group access to a report, that grant applies to everyone who is a
member of the group. This relationship network is governed by a precedence order that starts with

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-9

the primary (usually individual) identity, can incorporate multiple levels of nested group
memberships, and ends with implicit memberships in SASUSERS and then PUBLIC.
To avoid introducing unnecessary complexity, do not make PUBLIC or SASUSERS a member of
another group. This is not an issue for roles.

Object Inheritance
In object inheritance, permissions that you set on one object can affect
many other objects.
Explicit controls and ACTS have priority over settings on the object’s parent
(inheritance). System Objects BI Contents Relational Data
Repository
ACT

Root
Application Folder
Server
User ACT
Group Parent
Role Logical Folder
Server
Table Library

Server
Stored Report Infor-
process mation
Map

Connection Column

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

From top to bottom, the elements in the diagram are ordered as follows:
• from highest precedence (hardest to override) to lowest precedence (easiest to override)
• from narrowest impact (most specific) to broadest impact (least specific)
For example, a report inherits permissions from the folder in which the report is located. This
network is a simple f older tree, with exceptions such as the f ollowing:
• The root folder is not the ultimate parent. This folder inherits from the repository (through the
permission pattern of the repository ACT).
• The root folder is not a universal parent. Some system resources (such as application servers,
identities, and ACTs) are not in the folder tree. For these items, the repository ACT is the
immediate and only parent.
• Inheritance within a table or cube follows the data structure. For example, neither table columns
nor cube dimensions have folders as immediate parents. Instead, a column inherits from its parent
table and a dimension inherits from its parent cube.
• Inheritance does not flow through specialty folders such as favorites folders, virtual folders, or
search folders.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-10 Lesson 6 Securing Metadata

The diagram depicts a separated view of the object inheritance paths. The arrows on the slide flow
from child to parent.
In the metadata layer, parent objects convey their effective permissions to child objects. Children
inherit the net effect of their parents’ access controls, not the access controls themselves.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-11

Below is the integrated view of the object inheritance paths. The arrows in the diagram below flow
from parent to child. For example, a folder conveys its effective permissions to the items that it
contains.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-12 Lesson 6 Securing Metadata

Exploring the Repository ACT

This demonstration illustrates how to use SAS Environment Manager and SAS Management
Console to view the Repository ACT and identify the security applied to objects coming from the
Repository ACT’s permission pattern.
1. Sign in to SAS Environment Manager as Ahmed with the password Student1, if you are not
already signed in.
2. On the Administration page, click Folders. Expand SAS Folders  System  Security 
Access Control Templates.

3. Click Default ACT. This brings you to the metadata properties page, and the basic properties are
displayed. Select ACT: Usage tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-13

4. Click the pencil at the top right of the window to edit the Usage properties. The Designate
Repository ACT appears. The box has a check mark, which signifies that this ACT is used for
the Repository ACT. Click Cancel to exit.

5. Click the ACT: Pattern tab.

The repository ACT is a template that is designated to provide repository-level controls.

• A user must have RM and WM permission in the repository ACT to create an object anywhere
in the metadata. This is SASUSERS.
• Anyone who has a metadata identity is automatically in PUBLIC and also a member of
SASUSERS. (SASUSERS is a subset of PUBLIC.) ReadMetadata and WriteMetadata are
denied for PUBLIC. When you log on to SAS Enterprise Guide with an account that was not
associated with a metadata identity, the person logged on is recognized as belonging to
PUBLIC and denied access to all metadata.
• Permissions on the repository ACT are applied indirectly to all objects in the metadata.
• You can select the Use abbreviations box to abbreviate the permission name so that you can
see more across the page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-14 Lesson 6 Securing Metadata

6. Click the Authorization tab to view the permissions on this object.

The Authorization screen shows the security on this object. Every metadata object has the
Authorization screen as part of its properties.
• The hollow square next to the permission represents that the permission is coming from an
ACT applied to the object.
• The filled-in diamond represents that this is an explicit denial. So PUBLIC has an explicit
denial of WriteMetadata, which means that due to identity hierarchy, SASUSERS also has a
denial of WriteMetadata on this object. SAS administrators would have a denial of
WriteMetadata as well if there was not a direct control of a grant, either by an ACT applied to
this object or an explicit grant.
7. To find out what ACT is applied to this object, the Default ACT, click the Direct ACT tab. The
SAS Administrator Settings ACT are applied to the Default ACT.

8. Look at the properties of the repository ACT in SAS Management Console. Log on to SAS
Management Console as Ahmed with the password Student1, if not already logged on.
SAS Management Console can be used to manage ACTs in the Authorization Manager plug-in.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-15

9. Click the Plug-ins tab. Expand Authorization Manager  Access Control Templates.

10. Right-click Default ACT. Notice that the box next to Repository ACT is selected, which signifies
that this ACT is used for the Repository ACT.

11. Select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-16 Lesson 6 Securing Metadata

12. Click the Permission Pattern tab. This is the template of permissions that is automatically
applied to all the metadata. Highlight PUBLIC. Notice that ReadMetadata and WriteMetadata are
denied.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-17

13. Highlight SASUSERS. Anyone who has a metadata identity is automatically in PUBLIC and also
a member of SASUSERS. SASUSERS is a subset of PUBLIC, but this group has ReadMetadata
and WriteMetadata permissions coming from the repository ACT.

Note: The types of permissions and how they are represented in the interfaces are discussed
in the next section.
14. Click Cancel.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-18 Lesson 6 Securing Metadata

Practice

1. Exploring Identity Hierarchy and Object Inheritance on a Folder

Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup,
with the following comment: Backup Before Adding Security on Chocolate Enterprises.
Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the practices in this lesson. There are step-by-step
instructions. However, the solutions offer more steps and display captures.

SAS Environment Manager

a. Open a web browser from the Windows machine using the tas kbar. Select SAS
Environment Manager from the Windows or Linux folder on the Favorites bar. Sign in as
Ahmed with the password Student1.

b. Click the Administration tab. The Folders page is the initial view. If you are already on the
Administration page and another view, select Folders from the navigation bar. Click the
Chocolate Enterprises folder to get to the metadata properties and click the Authorization
tab. To edit the authorization settings, click the pencil at the top right of the window.

c. Highlight one of the identities and click Delete all explicit settings for selected identity.
Can you remove any of the groups listed under Users and Groups? Why or why not?
d. Add the following three group identities: Application Developers, Data Integrators, and
Report Content Creators.

1) Click the Add button + in the upper right toolbar to open the Add Identities window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-19

2) Select each group and move it from the list of the available identities to Identities to add
using the arrow between the two sections. When all three groups have been added,
click OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.
• Press the Ctrl key to select multiple groups before clicking the arrow to move.
3) Click Save.
What permission is automatically granted to an identity when added?
Note: While in the Edit Authorization window, you can click a permission field, and a
window appears that identifies the type of permission and where it comes from.
e. On the Administration page, click Users. Select Application Developers and click the
Member Of tab.

What group is Application Developers a member of?

f. In the list of identities on the left, click Power Users and select Members.
Who are members of the Power Users group?
You can select the arrow to the left of each group to see the users that are members of each
group.
g. Click Folders in the navigation bar and return to the Authorization properties of the
Chocolate Enterprises folder. Click the pencil to enter Edit mode.
h. Remove the three group identities (Application Developers, Data Integrators, and Report
Content Creators) from the Authorization properties.
1) Click the row with the authorization settings for each group and then click Delete all
explicit settings for the selected identity, .
2) Click Yes when prompted in the pop-up window.
Note: You can also click the permissions that have explicit settings and change the
setting to no explicit control.
3) Repeat for the remaining group identities.
4) Click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-20 Lesson 6 Securing Metadata

i. Click the pencil to enter Edit mode to add Power Users to the authorization of the
Chocolate Enterprises folder.

1) Click the Add button + in the upper right toolbar to open the Add Identities window.
2) Select the Power Users group and move it from the list of the available identities to
Identities to add using the arrow between the two sections and click OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.
3) Click Save.
j. The ReadMetadata permission is automatically granted. You need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions.
1) Click in the WMM, CM, and R permissions for Power Users and select Grant. Click
Save.

k. Use the Permissions Inspector to look up the effective permissions for any identity. The
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting (in this case, the Chocolate
Enterprises folder).
l. Enter Kari in the field and select Kari from the drop-down list.
Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She
is a member of the Data Integrators group, which is a member of the Power Users group.
The same permissions are applied indirectly for Kari through her identity hierarchy.
m. Click Close.
n. Click Folders in the navigation bar then move to the Chocolate Enterprises  Data folder.
Click the Authorization tab on the Data folder and then click the pencil to enter Edit
mode.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-21

o. Examine the permissions for Power Users.

Where do these permissions come from?
Note: There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a
folder becomes an inherited grant (or deny) of WM on the objects in that folder. This
is discussed in the next section.
p. Can you remove the Power Users group from the Authorization page of the Data folder?
Why not?
q. (Optional) If you do not want Power Users to modify or delete these folders below the
Chocolate Enterprises folder, select Deny for WriteMetadata. (Notice that
WriteMemberMetadata switches automatically to indirect deny.) Then select Grant for
WriteMemberMetadata. Be sure to save your changes.

SAS Management Console

a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate

Enterprises and select Properties.)
Can you remove any of the groups listed under Users and Groups? Why or why not?
b. Add the following three groups to the Authorization tab: Application Developers, Data
Integrators, and Report Content Creators.
Note: You can hold down the Ctrl key and highlight all three at once, and then select the
single arrow to move them over to the Selected Identities list.
What permission is automatically granted to an identity when added?
c. Highlight Data Integrators and select Properties. This accesses the properties of the Data
Integrators group, but as Read-only.
d. Click the Groups and Roles tab.
What group is Data Integrators a member of?
e. Highlight Power Users and select Properties.
Who are members of the Power Users group?
f. Click Cancel and then Close to return to the Chocolate Enterprises folder properties.
g. Remove the three groups (Application Developers, Data Integrators, and Report Content
Creators) from the Users and Groups window.
h. Add Power Users to the Authorization tab.
i. The ReadMetadata permission is automatically granted, and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You
need to stay on the Authorization tab to get to the Advanced button referenced in j.
j. Click the Advanced button.
k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member
of the Data Integrators group, which is a member of the Power Users group. The same
permissions are applied indirectly for Kari through her identity hierarchy.
l. Click OK twice to return to the Chocolate Enterprises folder.
m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-22 Lesson 6 Securing Metadata

n. Highlight Power Users.

Where do these permissions come from?
o. Can you remove the Power Users group from the Authorization tab of the Data folder?
Why not?
Note: There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a
folder becomes an inherited grant (or deny) of WM on the objects in that folder. This
is discussed in the next section.
p. (Optional) If you do not want Power Users to modify or delete these folders below the
Chocolate Enterprises folder, select Deny for WriteMetadata (notice that
WriteMemberMetadata switches automatically to indirect deny) and then select Grant for
WriteMemberMetadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.1 Reviewing Metadata Security 6-23

6.01 Multiple Choice Question

What would happen if you remove the repository ACT?
a. All permissions are denied.
b. Nothing. Permissions will come from somewhere else.
c. All permissions are granted.
d. Permissions come from the SAS Folders Authorization tab.

17
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Setup for the Question

Given the Authorization tab for the Marketing Department folder, which
identities are on the Authorization tab of any item stored directly under
that folder?

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-24 Lesson 6 Securing Metadata

6.02 Multiple Choice Question

Given the Authorization tab for the Marketing Department folder, which
identities are on the Authorization tab of any item stored directly under
that folder?
a. only the identities that need access to the item
b. only the identities added on the specific item
c. only the identities from the Marketing Department Authorization tab
d. the identities from the Marketing Department folder and any added on
that specific item

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-25

6.2 Exploring Metadata Permissions and

ACTs

How Are Permissions Set?

The check box color on the Authorization tab on the properties of a
metadata object in SAS Management Console indicates
how the permission was assigned.

Direct control: Control set directly on the target object and

explicit assigned directly to identity
(WHITE)
Direct control: Control set directly on the target object and
ACT (GREEN) assigned directly to identity
Indirect setting Comes from someone else (a group that has
(GRAY) an explicit or ACT setting) or from somewhere
else (a parent object, repository ACT)

23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-26 Lesson 6 Securing Metadata

The Search tab in SAS Management Console returns results based on the individual user’s
permissions on individual objects and ignores the permissions on the folder navigation to the object.
In other words, if the user is denied RM on the metadata folder path to the object but granted RM on
the object, the Search tab returns the object even though the user cannot access it through the
metadata folders.

How Are Permissions Set?

The shape on the Authorization properties of a metadata object in
SAS Environment Manager indicates how the permission was assigned.

Direct control: ACT Direct control: explicit

Indirect Setting
(no shape)

24
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Icon Meaning

Deny from an explicit control

Deny from an applied ACT

Deny from an indirect source (such as a parent group or parent object)

Grant from an explicit control

Grant from an applied ACT

Grant from an indirect source (such as a parent group or parent object)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-27

ACTs
Each ACT consists of a pattern of grants and denials that are assigned
to different users and groups.
• In SAS Management Console, ACTs
are created and managed using the
Authorization Manager plug-in.

• In SAS Environment Manager, ACTs

are created and managed from the
Folders module on the Administration
page: SAS Folders  System 
Security  Access Control Templates.

25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Do not confuse an ACT’s Authorization tab with its Permission Pattern tab in SAS
Management Console. Authorization tabs control who can modify the item in question. The
Authorization tab on an ACT controls who can modify the ACT, including the permission
pattern.

Default ACT Acts as the repository ACT initially. This ACT provides registered
users RM and WM permission at the repository level.

Private User Folder Applied automatically to each user’s personal folder in conjunction
ACT with explicit settings to grant the user RM, WMM, CM, and R
permission.

SAS Administrator Used to grant the SAS Administrators group and SAS System
Settings ACT Services group access to metadata.

If you have the SAS Information Delivery Portal at your site, you have the Portal ACT. You might
need to alter the membership of the Portal ACT.
Note: The permission patterns of these predefined ACTs should not be modified.
Note: If you need to modify the repository ACT, a best practice is to not change the current
repository ACT. Create a new ACT with the settings that you want, and designate it as the
repository ACT. This enables you to revert to the previous repository ACT, if needed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-28 Lesson 6 Securing Metadata

Applying an ACT
When you apply an ACT to an object, the ACT settings are added to the
object’s protections.

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Metadata Permissions (Review)

The permissions list on each Authorization tab includes at least two
permissions:

ReadMetadata (RM) Controls the ability to view an item or navigate

past a folder.
WriteMetadata (WM) Controls the ability to edit, delete, rename, or
changes permissions on an item.

Other permissions are specialized and affect only certain types of items.

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Only permissions relevant to the item are displayed on the Authorization tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-29

WriteMemberMetadata Permission
The WriteMemberMetadata (WMM) permission affects only metadata
folders.
WriteMemberMetadata (WMM) Provides control for adding and
removing objects from a folder.

A grant (or deny) of WMM on a folder becomes an inherited grant (or deny)
of WM on the objects in that folder. WMM is not inherited from one folder
to another.

28
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Anyone who has a grant of WM on a folder should not be denied WMM on that same folder.
Note: If WMM is not set directly on a folder, the WMM setting mirrors the WM setting. WMM is
never inherited from a parent object.

CheckInMetadata Permission
Change management is a SAS Data Integration Studio feature.
CheckInMetadata (CM) Check in and check out items in a change-managed
area.
In any change-managed areas of a foundation repository, change-managed
users should have CM instead of WM and WMM.

29
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-30 Lesson 6 Securing Metadata

Administer Permission
Administer (A) Monitor an OLAP server; stop, pause, resume, refresh, or
quiesce a server or spawner.

For the metadata server, the ability to stop, pause, resume, and quiesce is
managed by the Metadata Server: Operation role, not by the Administer
permission.

30
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

New permissions in SAS 9.4M2:

Implicit capabilities enable a member of the MetadataServer: User Administration role to manage the
membership of groups and roles and the accounts of users and groups. These tasks can now be
delegated to additional users:
• ManageMemberMetadata (MMM): Alter the membership of a group or role. This permission
applies only to groups and roles. Any user or group that is granted this permission will have the
ability to change membership of the group or role to which it is applied. Granting the
WriteMetadata permission indirectly grants the ManageMemberMetadata permission. This
permission can also be explicitly granted independent of the WriteMetadata permission.
• ManageCredentialsMetadata (MCM): Alter the account information for a user or group. This
permission applies only to users and groups. Any user or group that is granted this permission will
have the ability to administer the logon information for the user or groups to which it is applied.
Granting the WriteMetadata permission can also be explicitly granted independent of the
ManageCredentialsMetadata permission.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-31

Data Permissions
Read (R) Read data via certain objects (for example, cubes, information
maps, LASR tables, or data accessed via the metadata LIBNAME
engine (MLE)).
Create (C) Add data via the metadata LIBNAME engine.

Write (W) Update data via certain objects: data accessed via publishing
channels or the metadata LIBNAME engine.
Delete (D) Delete data via the metadata LIBNAME engine.

31
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Some clients such as SAS Data Integration Studio and SAS Enterprise Guide enable users
to create and run SAS programs that access data directly and bypass metadata layer
controls. Using metadata-bound libraries will disable these users by passing metadata library
controls.

Data Permissions for Metadata-Bound Libraries

For secured library objects and secured table objects, SAS enforces the following special metadata-
layer permissions:

Select (S) Read rows within a physical table.

Delete (D) Delete rows in a physical table.

Insert (I) Add rows to a physical table.

Update (U) Update rows in a physical table.

Create Table (CT) Create new physical table.

Drop Table (DT) Delete a physical table.

Alter Table (AT) Replace a physical table.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-32 Lesson 6 Securing Metadata

Relative Precedence of Access Controls

32
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Explicit and ACT settings on an object always have priority over settings on the object’s parent.

Authorization Decision Flowchart

On the item
Does the user have an explicit grant or denial of Gra nt Permission
Deny No
this permission? condition?
No Yes

Deny
Is there an ACT whose pattern explicitly grants Gra nt
or denies this permission to the user?
Several such ACTs, at Several such ACTs,
No
least one has a denial. No none have a denial.

Is there a grant or denial that applies to the user

Deny
because of his or her group memberships? Permission
Gra nt No
Consider only the explicit and ACT settings that are closest
condition?
to the user.
Any other tie. Tie with an Yes
explicit grant and
No no explicit denial.

On the item’s immediate parent

Deny
What is the user’s effective setting for this
Gra nt
permission?

33
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-33

Permission conditions constrain explicit grants of the Read permission on OLAP dimensions (limiting
access to members) or information maps (limiting access to rows). On the Authorization tab, the
presence of an Edit Condition or Edit Authorization button indicates that a permission condition is
assigned to the currently selected user or group.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-34 Lesson 6 Securing Metadata

Identifying Applicable Permissions

This demonstration illustrates how to use SAS Management Console to identity the applicable
permissions for an item.
1. In SAS Management Console, on the Plug-ins tab, expand Server Manager.
2. Right-click SASApp and select Properties.

3. Click the Authorization tab. Only the RM, WM, CM, and A permissions are listed.

4. Click Cancel.
5. Click the Folders tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-35

6. Expand System and select Types.

7. Right-click Application server and select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-36 Lesson 6 Securing Metadata

8. Click the Advanced tab. The ApplicablePermissions property identifies the permissions that
are applicable to this type of item.

9. Click Cancel.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-37

Practice

2. Assigning WriteMetadata and WriteMemberMetadata Permissions

Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of
Before adding parent and child folders.

SAS Environment Manager

a. On the Administration page, select Folders in the navigation bar.

b. Right-click the Chocolate Enterprises folder and select New Folder. Name the new folder
Parent and click Save.

c. Click the Parent folder and click the Authorization tab.

d. Click the pencil to enter Edit mode.
e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?
f. Click in the WriteMemberMetadata f ield f or PUBLIC and select Show Origins.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-38 Lesson 6 Securing Metadata

g. Change the explicit grant of WriteMetadata for PUBLIC back to no explicit control by
clicking the WriteMetadata field and selecting the option.
How does this affect WMM permission for PUBLIC?
h. Add an explicit grant of WMM permission for PUBLIC.
How does this affect WM permission for PUBLIC?
i. Remove the explicit WMM permission grant for PUBLIC.
How does this affect WM permission for PUBLIC?
j. Click Cancel to ensure that changes are not saved.
k. Add Alex to the Authorization page for the Parent folder with an explicit denial of WM
permission and an explicit grant of WMM permission.
1) Click the pencil to enter Edit mode on the Parent folder’s Authorization tab again.

2) Click the Add button + in the upper right toolbar to open the Add Identities window.

3) Move Alex from the list of the available identities to Identities to add using the arrow
between the two sections and click OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.

4) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.

5) Click Save.
6) Click Close.

l. In the list of folders, right-click the Parent folder and select New Folder. Name the new folder
Child and click Save.
m. Click the Child folder and click the Authorization tab.
What are the settings for WM permission and WMM permission for Alex?
n. Do not log off from SAS Environment Manager.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-39

o. Log on to SAS Management Console as Alex using the password Student1. (You cannot do
steps q through s in SAS Environment Manager because Alex is not a member of any role in
SAS Environment Manager and thus cannot authenticate to the Environment Manager
Server.)
Note: You can open another SAS Management Console session by selecting Start 
SAS Management Console. Or you can disconnect as Ahmed in the current
session by selecting File  Connection Profile and reconnecting as Alex.
p. Right-click My Folder. Are the following actions available or unavailable: New Folder, New
Stored Process, Rename, and Delete?
q. Right-click the Chocolate Enterprises folder. Are the following actions available or
unavailable: New Folder, New Stored Process, Rename, and Delete?
r. Right-click the Parent folder. Are the following actions available or unavailable: New Folder,
New Stored Process, Rename, and Delete?
s. In SAS Environment Manager, delete the Parent folder.
1) Right-click the Parent folder and select Delete. Click Delete in the confirmation window.
Can you delete the Parent folder?
2) Right-click the Child folder and select Delete.
3) Click Delete to confirm the delete request.
4) Right-click the Parent folder and select Delete.
5) Click Delete to confirm the delete request.

SAS Management Console

a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create a new
folder named Parent.
b. Right-click the Parent folder. Select Properties and click the Authorization tab. Select
PUBLIC and add an explicit grant of WM permission. How does this affect WMM permission
for PUBLIC?
c. Select the Grant box for WriteMetadata for PUBLIC again to clear the explicit setting. How
does this affect WMM permission for PUBLIC?
d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission
for PUBLIC?
e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM
permission for PUBLIC?
f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
and an explicit grant of WMM permission.
g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
and WMM permissions?
i. Log on to SAS Management Console as Alex using the password Student1.
Note: You can open another SAS Management Console session by selecting Start 
SAS Management Console. Or you can disconnect as Ahmed in the current
session by selecting File  Connection Profile and reconnecting as Alex.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-40 Lesson 6 Securing Metadata

j. Right-click My Folder. Are the following actions available or unavailable: New Folder, New
Stored Process, Rename, and Delete?
k. Right-click the Chocolate Enterprises folder. Are the following actions available or
unavailable: New Folder, New Stored Process, Rename, and Delete?
l. Right-click the Parent folder. Are the following actions available or unavailable: New Folder,
New Stored Process, Rename, and Delete?
m. Delete the Parent folder. You need to log on as Ahmed to delete the Parent folder because
Alex does not have the authorization to do so.
3. Adjusting Conflicting Permission Settings
You can use SAS Environment Manager or SAS Management Console to do this practice. Refer
to the solutions for step-by-step instructions.
a. Create two new metadata groups named Group A and Group B. Assign Harvey as a
member to both groups.
b. Create an ACT named Allow Group A, which grants RM permission to Group A.
c. Apply the Allow Group A ACT to the Shared Data folder (on the Authorization tab in SAS
Management Console, or the Direct ACTs tab in SAS Environment Manager).
d. Add Group B to the Authorization of the Shared Data folder and deny RM permission.
e. What is the effective permission for Harvey on the Shared Data folder?
Note: Use the Permissions Inspector in SAS Environment Manager.
Note: Use the Advanced option on the Authorization tab in SAS Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-41

6.03 Multiple Choice Question

What is the effect of explicitly denying PUBLIC RM?
a. Only PUBLIC is affected, and the settings for the other users and groups
remain unchanged.
b. Only PUBLIC and SASUSERS are affected, and the settings for the other
users and groups remain unchanged.
c. PUBLIC is denied RM, which overrides all explicit, ACT, and indirect
settings for the other users and groups.
d. PUBLIC is denied RM, which overrides all indirect settings for the other
users and groups but does not override explicit or ACT settings for other
users and groups.

37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.04 Multiple Choice Question

If an ACT includes settings for Ellen and you apply the ACT to an object that
already lists Ellen on the authorization of an object, what happens to Ellen’s
permissions?
a. The settings from the ACT take precedence.
b. The settings from the ACT are ignored.
c. Explicit settings are not affected and indirect settings are changed to
ACT settings.
d. The settings from the groups in her identity hierarchy take precedence.

39
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-42 Lesson 6 Securing Metadata

Setup for the Question

You are given only these settings for the authorization of an object and Eric’s
identity hierarchy:

User or Group Permission Setting

HR Explicit grant RM
Report Creator ACT deny RM
SASUSERS Indirect grant RM
PUBLIC Indirect deny RM

Note: There are no other groups listed

on the Authorization properties.

41
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.05 Multiple Choice Question

What is Eric’s effective permission?
a. Grant RM because explicit settings take precedence over ACTs
b. Deny RM because ACT settings take precedence over explicit settings
c. Deny RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a denial
d. Grant RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a grant

42
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.2 Exploring Metadata Permissions and ACTs 6-43

Setup for the Question

You are given only these settings for the authorization of an object and
Eric’s identity hierarchy:
User or Group Permission Setting
HR ACT grant RM
Report Creator ACT deny RM
SASUSERS Indirect grant RM
PUBLIC Indirect deny RM

Note: There are no other groups listed

on the Authorization properties.

44
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.06 Multiple Choice Question

What is Eric’s effective permission?
a. Grant RM because grants take precedence over denials
b. Deny RM because denial settings take precedence over grants
c. Deny RM because when there is a conflict at the same level of an
identity hierarchy and both permissions are ACTs (or both are explicit),
the outcome is a denial
d. Grant RM because when there is a conflict at the same level of an
identity hierarchy and both permissions are ACTs (or both are explicit),
the outcome is a grant

45
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-44 Lesson 6 Securing Metadata

Setup for the Question

You are given only these settings for the authorization of an object and
Eric’s identity hierarchy:

User or Group Permission Setting

Finance Explicit grant RM
Report Creator ACT deny RM
SASUSERS Indirect grant RM
PUBLIC Indirect deny RM

Note: There are no other groups listed

on the Authorization properties.

47
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.07 Multiple Choice Question

What is Eric’s effective permission?
a. Grant RM because explicit grants always take precedence over denials
b. Deny RM because the denial setting is coming from a direct group and
take precedence over grants from an indirect group
c. Deny RM because grants coming from an ACT always take precedence
d. Grant RM because the HR group inherits the Explicit grant of RM from
the Finance Group

48
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-45

6.3 Customizing SAS Folders

Creating Custom Folders

Administrators can use the Folder view to do the following:
• set up a custom folder structure for users
• import and export metadata and associated files
• set permissions on folders and their content

Note: SAS Folders inherit security permissions from parent folders if no

object-level controls are applied.

51
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Folders are used to organize and secure SAS metadata.

SAS Folders exist only in SAS metadata. There is no corresponding representation, such as a
directory/f older structure in the operating system.

Creating Custom Folders

Here are some guidelines for setting up the SAS Folders structure:
• Keep the folder structure as simple as possible.
• Develop a folder structure that reflects the organization of your work.
• Develop a folder structure that reflects the access rules that you want to
enforce.
Example: Business Unit Separation Example: Regional Separation, Designated Content Creators

PUBLIC
SASUSERS
SAS Administrators

SAS System Services

Marketing Sales

52
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-46 Lesson 6 Securing Metadata

Your f older structure could ref lect the f ollowing:

• your company’s internal organization. For example, each division or department could have its
own high-level folder.
• types of business activities. For example, you could have separate folders for human resources,
sales, research and development, and marketing.
• geography. For example, each country, sales region, or regional office could have its own folder.
• categories of products. For example, each product line or product group could have its own folder.
• time periods. For example, you could have a folder for each year, quarter, or month.
• categories of users. Generally, this type of folder structure is necessary only in large organizations
that have a clear separation of responsibilities (for example, separate teams for data preparation,
map creation, and report creation).
• change-control status. If you have just one deployment of the SAS Intelligence Platform (instead
of separate deployments for development, test, and production), then you might want to use
folders to separate production-status content from content that is in the development or testing
stage. To do so, you can set up separate sets of folders for development, test, and production.
Then you can use the promotion tools to move content from development to test and from test to
production.
Note: Do not set up f olders based on SAS client applications. It is not necessary or desirable to
organize objects based on which SAS client applications were used to create them.
Organizing f olders on this basis can complicate administration tasks such as the
assignment of permissions.
Note: Do not set up f olders based on object types unless it is necessary f or access control.
Organizing f olders based on object types can complicate administration tasks such as the
assignment of permissions. As a general rule, you should avoid setting up f olders on this
basis.
Folders enable you to easily restrict access to content. For example:
• If you want to prevent departments from accessing each other’s content, then you can create a
high-level folder for each department and apply different permissions to each of the folders.
• If you want to restrict access to sensitive content (for example, content related to a sensitive
product line or a business activity such as human resources), then you can create a separate
folder for that content and apply a restrictive access control template (ACT).
• If your organization requires a clear separation of content among different categories of SAS
users, then you can create separate folders for each group. Generally, this type of folder structure
is necessary only in large organizations that have separate teams of SAS users with different job
responsibilities. For example, suppose you have one group of users that works on data
preparation tasks (such as creating libraries, tables, and cubes) and another group creates
information maps, stored processes, and reports). To ensure that the groups do not interfere with
one another’s work, you can create a separate folder for each group and apply different
permissions to each of the folders.
Note: If you have separate environments f or development, test, and , production, then use the
same f older structure across environments. Using a unif orm f older structure makes it easier
to promote objects from one enviro nment to another.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-47

Metadata Users and Groups (Review)

Initial users PUBLIC Initial
groups
SASUSERS
SAS Administrator SAS
sasadm@saspw Administrators
SAS System SAS Administrator
SAS Environment Manager Services
Service Account
sasev@saspw SAS Trusted User SAS EV Service
Account
SAS General
SAS Trusted User
sastrust@saspw
Servers
sassrv and pw
SAS EV App Server
Tier Users SAS Trusted User
SAS EV Super Users Data Integrators
SAS EV Service
Account
SAS Administrator
Report Content
Application
Creators
Developers
SAS EV
Guests …
Orion Star
SAS Administrator Users
Analysts
Sales
Marketing Custom groups
Managers

53
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Custom Groups
Custom groups can be based on the following:
Organization Marketing, Acquisitions, Shipping, Finance
Function Power users, ETL developers, data modelers, report creators, analysts,
information consumers
Data Access Oracle group group with shared credentials to access third party
database
Special Projects rojectA, roject members are across organizations
Executive Oversight Group that needs limited or complete access across all groups

54
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Groups can be synchronized with groups from your authentication provider, such as LDAP.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-48 Lesson 6 Securing Metadata

Baseline ACTs
Mos t of the meta da ta that needs to be s ecured i s stored i n folders a nd
i nheri ts permissions from fol ders. One a pproach to s ecuri ng folders is to
crea te a nd a pply s ome general-use ACTs .
The ACTs ca n be a ppl ied to fol ders in combination with the following:
• expl i cit permissions gra nting a ccess ba ck to pa rticular groups
• a ddi tional ACTs tha t gra nt a ccess back to pa rticular groups

55
C o p yri gh t © SAS In sti tu te In c. Al l ri gh ts re se rve d .

Baseline ACTs
The Hide ACT prevents visibility for users who are not in the
SAS Administrators group and gives SAS administrators and service
identities exclusive Read access to metadata.
RM WM WMM CM A R W C D
PUBLIC 
SAS Administrators ✓
SAS System Services ✓

56
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-49

Baseline ACTs
The Protect ACT prevents updates, deletions, and contributions by users
who are not in the SAS Administrators group and gives SAS administrators
exclusive Write access to metadata.
RM WM WMM CM A R W C D
PUBLIC     
SAS Administrators ✓ ✓ ✓ ✓ ✓ ✓

57
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

These grants ensure that administrators can manage all metadata. If you need to separate
administration privileges, this approach is not granular enough. If you do not want the SAS
Administrators group to have universal access, consider creating parallel s ets of baseline ACTs. For
example, to separate administration for an East region and a West region, you might create ACTs
such as Hide_East, Hide_West. In each baseline ACT pattern, you would replace the SAS
Administrators group with a narrower administrative group (for example, East_Admins,
West_Admins). The denials to PUBLIC and grants to the SAS System Services group would not
change. Any unrestricted users can still access everything.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-50 Lesson 6 Securing Metadata

Project Folders
If you choose to create project folders, you need to decide the following:
• who should be able to create and modify the project folders themselves
• who should be able to create and modify content within the folders

58
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Securing Project Folders

You can enable all members of the organizational group to access the
project folders and create and modify the content within those folders.

59
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-51

Securing Organizational Folders

If you have a central group that creates all content, you could secure the
organizational folders as follows:

Power Users: + RM, +R, +WMM

Power Users: + RM, +R, +WMM

60
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Reporting on Metadata
There are various methods to report on your metadata inventory and
security in your platform environment:
• Report Center in SAS Environment Manager
• SAS security macros
• Batch tools

61
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-52 Lesson 6 Securing Metadata

Administration Scenario
The Finance and Shipping Departments of the Orion Star Company need to
be set up in the existing SAS environment. You, as the SAS administrator,
need to do the following:
• create metadata identities
• set up SAS folder structure
• add existing content such as stored processes
• secure the new folders
• verify that users have sufficient access
• add data sources and verify access

62
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-53

Practice

Practice scenario: The Finance and Shipping Departments of the Orion Star Company need to
be set up in the existing SAS environment.
• Metadata identities were added previously with the import macros.
• Practice 4: Custom folders are created under the Orion Star folder representing the departments.
• Practice 5 and 6: Content is imported into the new folders.
• Practice 7: Baseline ACTs are created and applied to the folders.
• Practice 8: Group identities are added to the appropriate folders with explicit grants.
Use the Metadata Manager Plug-in in SAS Management Console to run an ad hoc backup of
metadata, with the comment Backup before adding folder content and security on Orion Star.
4. Creating Custom Folders
Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the practices. There are step-by-step instructions, but the
solutions offer more steps and display captures.
a. Create the Finance Department and Shipping Department folders under the Orion Star
folder.
b. Create the Payables and Receivables folders under Finance Department.
Note: You can use the sas-make-folder batch tool to create the folders. See b. in the
solution for this practice.
5. Importing a Package of Folders
Note: The import and export tools are available only in SAS Management Console or as batch
tools.
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
Right-click the Payables folder and select Import SAS Package.
In the first step, navigate to the following:

For Linux Server

D:\Workshop\spaftLNX and select Folder Set.spk to import. Click OK.

For Windows Server

D:\Workshop\spaftWIN and select Folder Set.spk to import. Click OK.

Follow the wizard steps without making any changes.
b. Import the same package, Folder Set.spk, but this time import it into Orion Star  Finance
Department  Receivables.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-54 Lesson 6 Securing Metadata

6. Creating a Package
Note: The import and export tools are available only in SAS Management Console or as batch
tools.
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in the following:

For Linux Server

D:\Workshop\spaftLNX\export_sp.spk

For Windows Server

D:\Workshop\spaftWIN\export_sp.spk
Also, in the first step in the wizard, select Include dependent objects when retrieving
initial collection of objects.
b. Import export_sp.spk in the Orion Star  Shipping Department folder.
7. Creating and Applying Baseline Access Control Templates (ACT)
One approach to setting permissions on folders is to create general-use ACTs and apply one or
more of those ACTs to each folder that you need to secure. To grant access back to a specific
group, supplement the ACT settings by adding explicit controls on the target folder. (This is done
in Practice 8.)
You create two baseline ACTs:
Hide ACT, which prevents visibility for users who are not in the SAS Administrators group, but
does give SAS administrators and service identities exclusive Read access to metadata
Protect ACT, which prevents updates, deletions, and contributions by all users who are not in
the SAS Administrators group
Then you apply the Protect ACT to the Orion Star folder and the Hide ACT to the department
folders below the Orion Star folder.
Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the practice. There are step-by-step instructions, but the
solutions offer more steps and display captures.

SAS Environment Manager

a. Create the Hide ACT.

The Hide ACT is designed to prevent visibility for users who are not in the SAS
Administrators or SAS System Services groups.
1) On the Administration page, select Folders f rom the navigation bar and expand System
 Security. Right-click Access Control Templates and select New Access Control
Template.
2) Enter Hide ACT in the Name field and add a description if you choose. Click Save.
3) Select ACT Pattern tab on the Hide ACT properties page and click the pencil to edit
the permissions applied to objects where the Hide ACT is applied.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-55

4) On the Edit ACT Pattern window, click the Add button + in the upper right toolbar to
open the Add Identities window to add PUBLIC, SAS System Services, and SAS
Administrators.
5) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS
System Services and SAS Administrators. Click OK.
6) Click in the ReadMetadata f ield f or PUBLIC and select Deny.
Verify that SAS System Services is granted RM.
Verify that SAS Administrators is granted RM.
7) Click Save.
b. Secure the Hide ACT.
1) Click the Authorization tab on the Hide ACT properties page and click the pencil to
edit the permissions of the ACT itself.
2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how
this affects the other identities on the authorization of this object. Click Save.
3) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata
to SAS Administrators and SAS System Services. Select Direct ACTs and click the
pencil to apply an ACT.
4) Select the SAS Administrators Settings ACT and click Save.
5) Click the Authorization tab to see the effects.
c. Create the Protect ACT.
1) On the Administration page, select Folders f rom the navigation bar and expand System
 Security. Right-click Access Control Templates and select New Access Control
Template.
2) Enter Protect ACT in the Name field and add a description if you choose. Click Save.
3) Click the ACT Pattern tab on the Protect ACT properties page and click the pencil to
edit the permissions applied to objects where the Protect ACT is applied.

4) In the Edit ACT Pattern window, click the Add button + in the upper right toolbar to open
the Add Identities window to add PUBLIC and SAS Administrators.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-56 Lesson 6 Securing Metadata

5) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS
Administrators. Click OK.
6) Use this table to set the pattern f or the Protect ACT. Click Save.

Group Setting Permissions

Deny WriteMetadata,
Public
WriteMemberMetadata,
CheckInMetadata, Write,
Administer. Remove the
ReadMetadata permission.
Grant WriteMetadata,
SAS Administrators WriteMemberMetadata,
CheckInMetadata, Write,
Administer, ReadMetadata

d. Secure the Protect ACT. Follow step b. (or follow the step-by step solutions).
e. Apply the Protect ACT to the Orion Star folder.
1) Click the Orion Star folder, select Direct ACTs, and click the pencil to access the list
of ACTs to apply to the Orion Star folder.
2) Select the Protect ACT and click Save.

3) View the authorization settings of the Orion Star folder. Click the Authorization tab.
Notice that the SASUSERS group still has ReadMetadata but only members of the SAS
Administrators group can modify or delete any content from this folder and below. And
the ReadMetadata permissions are coming from somewhere else except for SAS
Administrators, which is coming from the Protect ACT.
f. Apply the Hide ACT to the four department folders below the Orion Star folder.
1) Click the Finance Department folder, select Direct ACTs, and click the pencil to
access the list of ACTs to apply to the Finance Department folder.
2) Select Hide ACT and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-57

3) Click the Authorization tab to view the authorization settings of the Finance Department
folder.

Notice that only SAS Administrators and SAS System Services have visibility because of
the Hide ACT that was applied. We will grant access back to the appropriate groups in
the next practice.
4) Click Close in the upper right toolbar to return to the Folders view.
5) Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1 through 4.

SAS Management Console

a. Create the Hide ACT.

The Hide ACT is designed to prevent visibility for users who are not in the SAS
Administrators or SAS System Services groups.
1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
folder and select New Access Control Template.
2) Enter Hide ACT in the Name field on the General tab.
3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the
Show Users check box to list only groups. Hold down the Ctrl key and click the desired
groups: PUBLIC, SAS System Services, and SAS Administrators. Click the right-
pointing arrow to move them to the Selected Identities pane.
4) Click OK.
5) Highlight PUBLIC and deny RM.
6) Highlight SAS System Services and verify that RM is granted.
7) Highlight SAS Administrators and verify that RM is granted.
8) Click OK to create the ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-58 Lesson 6 Securing Metadata

b. Secure the Hide ACT.

1) Right-click Hide ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
the Available box to the Currently Using box and click OK.

3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
affects SASUSERS because of identity hierarchy. SASUSERS now has an indirect deny
of RM, whereas before it had indirect grant of RM coming from the Repository ACT.
c. Create the Protect ACT.
The Protect ACT is designed to prevent updates, deletions, and contributions by all users
who are not in the SAS Administrators group.
1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
folder and select New Access Control Template.
2) Enter Protect ACT in the Name field on the General tab.
3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the
Show Users check box to list only groups. Hold down the Ctrl key and click the desired
groups: PUBLIC and SAS Administrators. Click the right-pointing arrow to move them
to the Selected Identities pane.
4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-59

5) Highlight PUBLIC and then click RM to remove any grant or deny. The permissions on
the object where the Protect ACT is applied determines the RM permission. Click Deny
for the WM, WMM, CM, A, and W permissions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-60 Lesson 6 Securing Metadata

6) Highlight SAS Administrators and click Grant for the R, WM, WMM, CM, A, and W
permissions.

7) Click OK to create the ACT.

d. Secure the Protect ACT.
1) Right-click Protect ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Protect ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
the Available box to the Currently Using box and click OK.
3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
affects SASUSERS because of identity hierarchy. SASUSERS now has an indirect deny
of RM, whereas before it had indirect grant of RM coming from the Repository ACT.
e. Apply the Protect ACT to the Orion Star folder.
1) On the Folders tab, right-click Orion Star folder and select Properties.
2) Click the Authorization tab, and click Access Control Template.
3) Move Protect ACT over to the Currently Using box and click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-61

4) Review the authorization settings.

Notice that the SASUSERS group still has ReadMetadata, but only members of the SAS
Administrators group can modify or delete any content from this folder and below. And
the ReadMetadata permissions are coming from somewhere else except for SAS
Administrators, which is coming from the Protect ACT.
5) Click OK to save your changes.
f. Apply the Hide ACT to the four department folders below the Orion Star folder.
1) Right-click the Finance Department folder and select Properties.
2) Click the Authorization tab, and click Access Control Template.
3) Move Hide ACT over to the Currently Using box and click OK.
4) Review the authorization settings.
Notice that only SAS Administrators and SAS System Services have visibility because of
the Hide ACT that was applied. We will grant access back to the appropriate groups in
the next practice
Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1-4.
8. Adding Groups to Folders
Note: You can use SAS Environment Manager or SAS Management Console to add identities
to folders and set permissions on folders. Refer to the solutions for step-by-step
instructions.

SAS Environment Manager

Add group identities to folders based on the table below.

Group Name Folder Grant Permissions

Power Users Finance Department, Marketing Department, Sales

RM, R, WMM, CM
Department, Shipping Department

Finance Finance Department RM, R

Marketing Marketing Department RM, R

Sales Sales Department RM, R

Shipping Shipping Department RM, R

Note: There is an automatic grant of ReadMetadata for any identity that is added to the
authorization of an object.
Note: The group identities that are added are automatically added to the subfolders’
authorization with the same permissions inherited, and Power Users will also have WM
indirectly granted because they were given WMM on the parent folder.
a. Click the Finance Department folder, click the Authorization tab, and click the pencil to
configure the permissions on the Finance Department folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-62 Lesson 6 Securing Metadata

b. Add Finance and Power Users to the authorization.

1) Click the Add Identities button in the upper right toolbar.

2) Search Finance and move the group identity to the Identities to add pane.
3) Search Power Users and move the group identity to the Identities to add pane.
4) Click OK.
c. Verify that the two groups added have ReadMetadata. Next grant both groups the Read
permission. The Power Users will also be granted WriteMemberMetadata and
CheckInMetadata. Click Save. Click in the Read field for Finance and select Grant.
1) Click in the Read field for Finance and Power Users and select Grant.
2) Click in the WriteMemberMetadata and CheckInMetadata fields for Power Users and
select Grant.
3) Click Save.

d. Repeat steps a through c for the other three folders: Marketing Department, Sales
Department, and Shipping Department.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-63

SAS Management Console

Add group identities to folders based on the table below.

Group Name Folder Grant Permissions

Power Users Finance Department, Marketing Department, Sales

RM, R, WMM, CM
Department, Shipping Department

Finance Finance Department RM, R

Marketing Marketing Department RM, R

Sales Sales Department RM, R

Shipping Shipping Department RM, R

Note: There is an automatic grant of ReadMetadata for any identity that is added to the
authorization of an object.
Note: The group identities that are added are automatically added to the subfolders’
authorization with the same permissions inherited, and Power Users also have WM
indirectly granted because they were given WMM on the parent folder.
a. Right-click the Finance Department folder and select Properties.
b. Click Add on the Authorization tab of the Finance Department folder.
c. Clear Show Users so that you show only a list of groups.
d. Select Finance and Power Users in the Available Identities list and click the right-pointing
arrow to move the identity to the Selected Identities list.
e. Click OK.
f. Verify that the two groups added have ReadMetadata.
1) Grant Finance the Read permission as well.
2) Grant Power Users the WriteMemberMetadata, CheckinMetadata, and Read
permissions as well.
g. Click OK.
h. Repeat steps a through g for the other three folders: Marketing Department, Sales
Department, and Shipping Department.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-64 Lesson 6 Securing Metadata

9. (Optional) Verifying Access

Use the table below to verify the access of users in various groups.

Group User

Marketing Henri

Sales Linda

Shipping Ray

Finance Alex

Power Users Kari

The users in Marketing, Sales, Shipping, and Finance will have access only to the associated
departmental folders. The Power Users (Kari is a member of the Data Integrators group) should
be able to access, add and, modify content in any subfolder of the Orion Star folder.
a. An administrator can use the Permissions Inspector in Environment Manager or the
Advanced option on the Authorization tab in SAS Management Console to inspect the
permissions for some of the users in the table above.
b. To understand how an end user is impacted, impersonate an end user by logging on to a
client application such as SAS Enterprise Guide.
1) Open SAS Enterprise Guide. Click sasserver.demo.sas.com or
sasapp.demo.sas.com (depending on your environment) in the top right of the interface
to modify the connection profile.
2) Click Modify.
3) Enter Kari as the user. No other changes are needed. (Student1 is the password for
everyone.) Click Save and Connect and Close.
4) Can Kari rename or delete the Finance Department folder?
5) Can Kari add a new folder or modify the content in the Finance Department folder?
6) Click sasserver.demo.sas.com or sasapp.demo.sas.com (depending on your
environment), and modify the connection profile, but this time log on as Henri.
7) Can Henri see any folders under the Orion Star folder, other than his own department
folder of Marketing Department?
Can he rename, delete, and add a new folder to the Marketing Department folder? If not,
he has the appropriate permissions for a report consumer in the Marketing group.
8) Repeat steps 6-7 for the other users in the table.
10. (Optional) Reporting on Security
SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
for a specified set of identities, permissions, and objects. This macro is documented in
SAS 9.4 Intelligence Platform: Security Administration Guide.
Note: In SAS 9.4, the sas-show-metadata-access batch tool can generate the same
information as the %Mdsecds macro. For information about the batch tool, refer to
SAS 9.4 Intelligence Platform: Security Administration Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-65

Note: The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web
report). A sample reporting program is provided with your software in the following
location:

For Linux Server

SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas

For Windows Server

SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas

a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
on the Marketing Department folder.
Note: For example, if you want to identify the permissions on the Marketing Department
folder, use the following syntax:

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no);

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no);

b. Use the %Mdsecds macro to identify the effective permissions of a Marketing member
on the Marketing folder.
Note: For example, if you want to identify the effective permissions of Eric on the Marketing
Department folder, use the following syntax:

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no, identitynames="Eric",
identitytypes="Person");

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no, identitynames="Eric",
identitytypes="Person");

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-66 Lesson 6 Securing Metadata

c. Use the %Mdsecds macro to identify the effective permissions of a Marketing member
and the PUBLIC group on the Marketing Department folder.
Note: For example, if you want to identify the effective permissions of Eric and PUBLIC
on the Marketing Department folder, use the following syntax:

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no,
identitynames="Eric,PUBLIC",
identitytypes="Person,IdentityGroup");

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no,
identitynames="Eric,PUBLIC",
identitytypes="Person,IdentityGroup");

d. Refer to the %Mdsecds macro documentation to answer the following questions:

Hint: Refer to the %Mdsecds macro syntax in SAS 9.4 Intelligence Platform: Security
Administration Guide.
• If you do not specify the Folder option, what is the default starting point?
• What option would you use to limit the types of objects that are searched?
• What option would you use to limit the permissions that are included?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-67

Setup for the Question

65
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.08 Multiple Choice Question

What do the settings on the Authorization tab in SAS Management Console
or SAS Environment Manager Administration of the ACT affect?
a. The settings are applied where the ACT is applied.
b. The settings control who can access and modify the ACT itself.
c. The settings control who can access and modify the repository.
d. The settings are ignored and have no effect.

66
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-68 Lesson 6 Securing Metadata

Setup for the Question

68
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.09 Multiple Choice Question

The Private User Folder ACT does not include permissions for individual
users such as Barbara. How is Barbara granted access to her My Folder?
a. Barbara is a member of PUBLIC, so the ACT settings for PUBLIC
determine arbara’s access.
b. Barbara is explicitly granted access on the Authorization tab of her
My Folder.
c. Barbara is explicitly granted access on the Authorization tab of the
Barbara folder, and the settings are inherited.
d. Users with the same name as the parent folder are implicitly granted
access.

69
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-69

6.10 Multiple Choice Question

What should the setting for PUBLIC for RM be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT is applied should
determine the setting

71
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

continued...
General Guidelines
When you assign permissions:
• All users with a metadata identity should have RM and WM permissions
in the foundation repository ACT.
• To enable someone to interact with a folder’s contents but not with the
folder itself, grant WMM and deny WM.
• Before you deny RM on a folder, consider the navigational consequences.
For simplifying your metadata security implementation and maintenance,
consider following these guidelines:
• In general, it is not necessary to add protection to predefined folders.
• Do not deny access to SAS administrators, and do not deny RM permission
to SAS System Services.
73
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-70 Lesson 6 Securing Metadata

General Guidelines
• To hide a subfolder branch, apply the Hide ACT to a particular folder and
grant back RM permission to any groups who should have access.
• Use PUBLIC as the broadest group to deny access and then grant access
back to the appropriate group.
• Secure resources with a combination of inherited settings and ACTs. Use
explicit permission settings sparingly.
• Apply security to groups, not users, Include explicit groups on an ACT only
to grant access, never deny. You can deny access to implicit groups on
ACTs.
• Always have a designated repository ACT.

74
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Best Practice: Write and Maintain a Security Model

(Review)
The SAS administrator should write and maintain a security policy to include
• authorization (access rights and permissions) in SAS
• any data or databases accessed via SAS
• OS-managed assets.
The security model refers to security-related procedures that apply to the
installation, configuration, and management of the SAS Platform. The model
conforms to whatever standards and practices are followed by your
organization.

75
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Here are the major components of a security model:

• users and groups definitions and authentication
• specification of what users and groups have access to which resources (authorization)
• organization of SAS assets on the file systems and in SAS metadata
• encryption procedures
• backup and recovery of SAS assets

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.3 Customizing SAS Folders 6-71

You should be aware of the following components that have been put in place during the inst allation
and deployment process:
• SAS Metadata Server
• SAS Application Server components
• other SAS Servers
• ports that are used by each server to listen for incoming requests
• configuration directories that store configuration files, logs, scripts, and special -purpose SAS data
sets on each SAS server machine and each middle-tier machine
• initial SAS users, groups, and roles that have been defined, both on your host OS and the SAS
Metadata Repository

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-72 Lesson 6 Securing Metadata

6.4 Solutions
Solutions to Practices
1. Exploring Identity Hierarchy and Object Inheritance on a Folder
Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup,
with the following comment: Backup Before Adding Security on Chocolate Enterprises.
Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the practices in this lesson. There are step-by-step
instructions, but the solutions offer more steps and display captures.

SAS Environment Manager

a. Open a web browser from the Windows machine using the taskbar. Select SAS
Environment Manager from the Windows or Linux folder on the Favorites bar. Sign in as
Ahmed with the password Student1.

b. Click the Administration tab. The Folders page is the initial view. If you are already on the
Administration page and another view, select Folders from the navigation bar. Click the
Chocolate Enterprises folder to get to the metadata properties and click the Authorization
tab. To edit the authorization settings, click the pencil at the top right of the window.

c. Highlight one of the identities and click Delete all explicit settings for selected identity,

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-73

Can you remove any of the groups listed under Users and Groups? Why or why not?

The four groups listed cannot be removed because they are coming from the
Repository ACT.
d. Add the following three group identities: Application Developers, Data Integrators, and
Report Content Creators.

1) Click the Add button + in the upper right toolbar to open the Add Identities window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-74 Lesson 6 Securing Metadata

2) Select each group and move it from the list of the available identities to Identities to add
using the arrow between the two sections. When all three groups have been added, click
OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.
• Press the Ctrl key to select multiple groups before clicking the arrow to move.

3) Click Save.

What permission is automatically granted to an identity when added?

The newly added groups are automatically given a grant of ReadMetadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-75

Note: While in the Edit Authorization window, you can click a permission field, and a
window appears that identifies the type of permission and where it comes from.

e. On the Administration page, click Users. Select Application Developers and click the
Member Of tab.

What group is Application Developers a member of?

Power Users
f. In the list of identities, click Power Users and select Members.
Who are members of the Power Users group? Application Developers, Data Integrators,
and Report Content Creators.
You can select the arrow to the left of each group to see the users that are members of each
group.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-76 Lesson 6 Securing Metadata

g. Click Folders in the navigation bar and return to the Authorization properties of the
Chocolate Enterprises folder. Click the pencil to enter Edit mode.
h. Remove the three group identities (Application Developers, Data Integrators, and Report
Content Creators) from the Authorization properties.
1) Click the row with the authorization settings for each group and then click Delete all
explicit settings for the selected identity, .

2) Click Yes when prompted in the pop-up window.

Note: You can also click the permissions that have explicit settings and change the
setting to no explicit control.

3) Repeat for the remaining group identities.

4) Click Save.
i. Click the pencil to enter Edit mode to add Power Users to the authorization of the
Chocolate Enterprises folder.

1) Click the Add button + in the upper right toolbar to open the Add Identities window.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-77

2) Select the Power Users group and move it from the list of the available identities to
Identities to add using the arrow between the two sections and click OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.

3) Click Save.
j. The ReadMetadata permission is automatically granted. You need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions.
1) Click in the WMM, CM, and R permission for Power Users and select Grant. Click Save.

k. Use the Permissions Inspector to look up the effective permissions for any identity. The
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting (in this case, the Chocolate
Enterprises folder).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-78 Lesson 6 Securing Metadata

l. Enter Kari in the field and select Kari from the drop-down list.

Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She
is a member of the Data Integrators group, which is a member of the Power Users group.
The same permissions are applied indirectly for Kari through her identity hierarchy.
m. Click Close.
n. Click Folders in the navigation bar then move to the Chocolate Enterprises  Data folder.
Click the Authorization tab on the Data folder and then click the pencil to enter Edit
mode.

o. Examine the permissions for Power Users.

Where do these permissions come from?

The group was added to the Chocolate Enterprises definition (the parent folder), and
the permissions set for this identity at that level are inherited.
Note: There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a
folder becomes an inherited grant (or deny) of WM on the objects in that folder. This
is discussed in the next section.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-79

p. Can you remove the Power Users group from the Authorization page of the Data folder?
Why not?
The group was added to the Chocolate Enterprises properties (the parent folder).
Therefore, it cannot be removed from lower objects.
q. (Optional) If you do not want Power Users to modify or delete these folders below the
Chocolate Enterprises folder, select Deny for WriteMetadata. (Notice that
WriteMemberMetadata switches automatically to indirect deny.) Then select Grant for
WriteMemberMetadata. Be sure to save your changes.

SAS Management Console

a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate

Enterprises and select Properties.)

Can you remove any of the groups listed under Users and Groups? Why or why not?
The four groups listed cannot be removed because they are coming from the
Repository ACT.

b. Add the following three groups to the Authorization tab: Application Developers, Data
Integrators, and Report Content Creators.
Note: You can hold down the Ctrl key, highlight all three at once, and then select the single
arrow to move them over to the Selected Identities pane.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-80 Lesson 6 Securing Metadata

What permission is automatically granted to an identity when added?

The newly added groups are automatically given a grant of ReadMetadata.

c. Highlight Data Integrators and select Properties. This displays the properties of the Data
Integrators group, but as Read-only.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-81

d. Click the Groups and Roles tab. What group is Data Integrators a member of?

e. Highlight Power Users and select Properties.

Who are members of the Power Users group?

Data Integrators, Application Developers, and Report Content Creators are members
of Orion Star Users.

f. Click Cancel and then Close to return to the Chocolate Enterprises folder properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-82 Lesson 6 Securing Metadata

g. Remove the three groups (Application Developers, Data Integrators, and Report Content
Creators) from the Users and Groups window.
Hold down the Ctrl key and highlight the three groups. Then select Remove.

Click Yes to confirm the removal.

h. Add Power Users to the Authorization tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-83

i. The ReadMetadata permission is automatically granted and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You
need to stay on the Authorization tab to get to the Advanced button referenced in j.

j. Click the Advanced button.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-84 Lesson 6 Securing Metadata

k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member
of the Data Integrators group, which is a member of the Power Users group. The same
permissions are applied indirectly for Kari through her identity hierarchy.

l. Click OK twice to return to the Chocolate Enterprises folder.

m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.
Right-click the Data folder under the Chocolate Enterprises folder and select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-85

n. Highlight Power Users. Where do these permissions come from?

The permissions that were given on the parent folder, Chocolate Enterprises, are
inherited by the Data folder, a subfolder. The gray background of the Grant and Deny
boxes means that they are indirect settings, coming from somewhere else. In this
case, that is the parent folder: Chocolate Enterprises.

o. Can you remove the Power Users group from the Authorization tab of the Data folder?
Why not?
The group was added to the Chocolate Enterprises properties (the parent folder) and
therefore cannot be removed from lower objects.
Note: There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a
folder becomes an inherited grant (or deny) of WM on the objects in that folder. This
is discussed in the next section.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-86 Lesson 6 Securing Metadata

p. (Optional) If you do not want Power Users to modify or delete these folders below the
Chocolate Enterprises folder, select Deny for WriteMetadata (notice that
WriteMemberMetadata switches automatically to indirect deny), and then select Grant for
WriteMemberMetadata.
2. Assigning WriteMetadata and WriteMemberMetadata Permissions
Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of
Before adding parent and child folders.

SAS Environment Manager

a. On the Administration page, select Folders in the navigation bar.

b. Right-click the Chocolate Enterprises folder and select New Folder. Name the new folder
Parent and click Save.

c. Click the Parent folder and click the Authorization tab.

d. Click the pencil to enter Edit mode.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-87

e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?

It changes the WMM permission to a Grant.

f. Click in the WriteMemberMetadata f ield f or PUBLIC and select Show Origins.

g. Change the explicit grant of WriteMetadata for PUBLIC back to no explicit control by
clicking the WriteMetadata field and selecting the option.
How does this affect WMM permission for PUBLIC?
It changes both WM and WMM permission back to indirect Deny.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-88 Lesson 6 Securing Metadata

h. Add an explicit grant of WMM permission for PUBLIC.

How does this affect WM permission for PUBLIC?
No change for WM

i. Remove the explicit WMM permission grant for PUBLIC.

How does this affect WM permission for PUBLIC? No change for WM permission

j. Click Cancel to ensure that changes are not saved.

k. Add Alex to the Authorization page for the Parent folder with an explicit denial of WM
permission and an explicit grant of WMM permission.
1) Click the pencil to enter Edit mode on the Parent folder’s Authorization tab again.

2) Click the Add button + in the upper right toolbar to open the Add Identities window.

3) Move Alex from the list of the available identities to Identities to add using the arrow
between the two sections and click OK.
Tips:
• Select Groups from the Show list.
• Enter a few letters of the group name in the Filter box.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-89

4) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.

5) Click Save.

6) Click Close.

l. In the list of folders, right-click the Parent folder and select New Folder. Name the new folder
Child and click Save.

m. Click the Child folder and click the Authorization tab.

What are the settings for WM permission and WMM permission for Alex?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-90 Lesson 6 Securing Metadata

Both WM and WMM permissions are granted indirectly. Because Alex was explicitly
granted WMM on the Parent folder, he indirectly has WM on the child folder and any
objects below the Parent folder.
n. Do not log off from SAS Environment Manager.
o. Log on to SAS Management Console as Alex using the password Student1. (You cannot do
steps q through s in SAS Environment Manager because Alex is not a member of any role in
SAS Environment Manager and thus cannot authenticate to the Environment Manager
Server.)
Note: You can open another SAS Management Console session by selecting Start 
SAS Management Console. Or you can disconnect as Ahmed in the current
session by selecting File  Connection Profile and reconnecting as Alex.
p. Right-click My Folder.
Are the following actions available or unavailable: New Folder, New Stored Process,
Rename, and Delete?
New Folder and New Stored Process are available. Rename and Delete are
unavailable. Because it is Alex’s own My Folder, he can add content. He is implicitly
given WMM on his own folder, but implicitly denied WM (the ability to modify his My
Folder definition itself).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-91

q. Right-click the Chocolate Enterprises folder.

Are the following actions available or unavailable: New Folder, New Stored Process,
Rename, and Delete?
None are available. This is because he does not have WMM on the Chocolate
Enterprises folder (the ability to add content in the folder) or WM (the ability to modify
the metadata folder definition itself).

r. Right-click the Parent folder.

Are the following actions available or unavailable: New Folder, New Stored Process,
Rename, and Delete?
Alex can add a folder and stored process but cannot rename or delete this folder. This
is because he has WMM (the ability to add content in the folder) but not WM (the
ability to modify the metadata folder definition itself).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-92 Lesson 6 Securing Metadata

s. In SAS Environment Manager, delete the Parent folder.

1) Right-click the Parent folder and select Delete. Click Delete in the confirmation window.

Can you delete the Parent folder? No, you must first delete the Child folder. Click
Close to continue.

2) Right-click the Child folder and select Delete.

3) Click Delete to confirm the delete request.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-93

4) Right-click the Parent folder and select Delete.

5) Click Delete to confirm the delete request.

SAS Management Console

a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create a new
folder named Parent.
1) On the Folders tab, right-click Chocolate Enterprises and select New Folder.
2) Enter the name Parent and click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-94 Lesson 6 Securing Metadata

b. Right-click the Parent folder. Select Properties, and click the Authorization tab. Select
PUBLIC and add an explicit grant of WM permission. How does this affect WMM permission
for PUBLIC?
It changes the WMM permission to Grant with an indirect background color.

c. Select the Grant box for WriteMetadata for PUBLIC again to clear the explicit setting. How
does this affect WMM permission for PUBLIC?
It changes both WM and WMM permission back to indirect Deny.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-95

d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission
for PUBLIC?
No change for WM

e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM
permission for PUBLIC? No change for WM permission

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-96 Lesson 6 Securing Metadata

f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
and an explicit grant of WMM permission.
1) Click Add.
2) Select Alex from the list in the Available Identities list box. Click the right-pointing arrow
to move Alex to the Selected Identities list box. Click OK to add Alex to the folder.

3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata. Click OK to save
the changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-97

g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
Click Finish to create the folder.
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
permission and WMM permission?
Both WM and WMM permissions are granted indirectly.

i. Log on to SAS Management Console as Alex using the password Student1.

Note: You can open another SAS Management Console session by selecting Start 
SAS Management Console. Or you can disconnect as Ahmed in the current
session by selecting File  Connection Profile and reconnecting as Alex.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-98 Lesson 6 Securing Metadata

j. Right-click My Folder. Are the following actions available or unavailable: New Folder, New
Stored Process, Rename, and Delete?
New Folder and New Stored Process are available. Rename and Delete are
unavailable. Because it is Alex’s own My Folder, he can add content, as he is implicitly
given WMM on his own folder, but implicitly denied WM (the ability to modify his My
Folder definition itself).

k. Right-click the Chocolate Enterprises folder. Are the following actions available or
unavailable: New Folder, New Stored Process, Rename, and Delete?
None are available. This is because he does not have WMM on the Chocolate
Enterprises folder (the ability to add content in the folder) or WM (the ability to modify
the metadata folder definition itself).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-99

l. Right-click the Parent folder. Are the following actions available or unavailable: New Folder,
New Stored Process, Rename, and Delete?
Alex can add a folder and stored process but cannot rename or delete this folder. This
is because he has WMM (the ability to add content in the folder) but not WM (the
ability to modify the metadata folder definition itself).

m. Delete the Parent folder. You need to log on as Ahmed to delete the Parent folder because
Alex does not have the authorization to do so.
1) Right-click the Parent folder and select Delete from the drop-down menu.

2) Click Yes to confirm the delete request.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-100 Lesson 6 Securing Metadata

3. Adjusting Conflicting Permission Settings

You can use SAS Environment Manager or SAS Management Console to do the practice. Refer
to the solutions for step-by-step instructions.

SAS Environment Manager

a. Create two new metadata groups named Group A and Group B. Assign Harvey as a
member to both groups.

1) On the Administration page, select Users in the navigation bar and change View to
Group.

2) Click the New button and select New Group.

3) Enter Group A as the name and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-101

4) Click the Members tab and click the pencil to add members to the group.

5) Search for Harvey in the Filter field and move the identity to the Direct members pane.
Click Save.

6) Repeat the process for Group B.

b. Create an ACT named Allow Group A, which grants RM permission to Group A.
1) On the Administration page, select Folders in the navigation bar.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-102 Lesson 6 Securing Metadata

2) Navigate to System  Security  Access Control Templates.

3) Right-click Access Control Templates and select New access control template.

4) Enter Allow Group A for the name. Click Save.

5) On the Allow Group A properties page, click the ACT: Pattern tab and click the pencil
to define the permissions settings for the ACT.

6) Click the Add button + on the Edit ACT Pattern window to add identities to the ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-103

7) Search for Group A in the Filter box and move the identity to the Identities to add pane.
Click OK.

8) Click Save and verify that Group A has a grant of RM on the ACT’s properties page.
Make sure that the ACT Pattern tab is selected.

c. Apply the Allow Group A ACT to the Shared Data folder (on the Authorization tab in SAS
Management Console or the Direct ACTs tab in SAS Environment Manager).
1) On the Administration page, click Folders and then select the Shared Data folder and
click the Direct ACTs tab.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-104 Lesson 6 Securing Metadata

2) Click the pencil to select the ACT to apply to the folder.

3) Select the box next to the Allow Group A ACT and click Save.

d. Add Group B to the Authorization of the Shared Data folder and deny RM permission.
1) Click the Authorization tab on the Shared Data folder and click the pencil to select
identities to add to the authorization.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-105

2) Click the Add button + in the Edit Authorization window. Search for Group B and move
the identity to the Identities to add pane. Click OK.

3) Click in the ReadMetadata field for Group B and select Deny. Notice that Group A is
listed on the folder’s authorization indicating that its RM setting is coming from an applied
ACT.

4) Click Save.
e. What is the effective permission for Harvey on the Shared Data folder?
Note: Use the Permissions Inspector in SAS Environment Manager.
Note: Use the Advanced option on the Authorization tab in SAS Management Console.
Harvey is denied all permissions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-106 Lesson 6 Securing Metadata

1) Click the Permissions Inspector button in the upper right toolbar.

2) Enter Harvey and select Harvey from the list.

3) Click Close.

SAS Management Console

a. Create two new metadata groups named Group A and Group B. Assign Harvey as a
member to both groups. Assign Harvey as a member.
1) Right-click User Manager and select New  Group.
2) Enter Group A as the name.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-107

3) Click the Members tab. Select Harvey and move the name to the Current Members list
box. Click OK.

4) Repeat the process for Group B.

b. Create an ACT named Allow Group A, which grants RM permission to Group A.
1) Expand Authorization Manager.
2) Right-click Access Control Templates and select New Access Control Template.
3) Enter Allow Group A for the name.
4) On the Permission Pattern tab, add Group A and grant RM permission.
5) Click OK.
c. Apply the Allow Group A ACT to the Shared Data folder (on the Authorization tab in SAS
Management Console, or the Apply ACT property in SAS Environment Manager).
1) Right-click the Shared Data folder and select Properties. Click the Authorization tab.
2) Click Access Control Templates.
3) Expand Foundation and select Allow Group A in the Available box. Click the
right-pointing arrow to move it to the Currently Using box.
4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-108 Lesson 6 Securing Metadata

d. Add Group B to the Authorization of the Shared Data folder and deny RM permission.
1) Click Add. Select Group B and then click the right-pointing arrow to it move it to the
Selected Identities list box.
2) Click OK.
3) Explicitly deny RM for Group B and make sure that the other permissions are indirectly
denied.
4) Click OK.
e. What is the effective permission for Harvey on the Shared Data folder?
Note: Use the Permissions Inspector in SAS Environment Manager.
Note: Use the Advanced option on the Authorization tab in SAS Management Console.
Harvey is denied all permissions.
4. Creating Custom Folders
Use the Metadata Manager Plug-in in SAS Management Console to run an ad hoc backup of
metadata, with the comment Backup before adding folder content and security on Orion
Star.

Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the practice. There are step-by-step instructions, but the
solutions offer more steps and display captures.
Note: You can use the sas-make-folder batch tool to create the folders. See b. below.

SAS Environment Manager

a. Create the Finance Department and Shipping Department folders under the Orion Star
folder.
1) From the Administration page, select Folders from the navigation bar. Right-click the
Orion Star folder and select New Folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-109

2) Enter Finance Department for Name and click Save.

3) Repeat steps 1 and 2 for the Shipping Department.

b. Create the Payables and Receivables folders under Finance Department.
Follow the steps in a.

SAS Management Console

a. Create the Finance Department and Shipping Department folders under the Orion Star
folder.
1) Right-click Orion Star folder and select New  Folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-110 Lesson 6 Securing Metadata

2) Enter Finance Department for Name and click Finish.

3) Repeat steps 1 and 2 for the Shipping Department.

b. Create the Payables and Receivables folders under Finance Department.
Follow the steps in a.
To use the sas-make-folder batch tool, do the following:

For Linux Server

1. On the sasapp.demo.sas.com machine, navigate to

/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-111

2. Enter the following: ./sas-make-folder -host “sasserver.demo.sas.com” -port

8561 -user “Ahmed” -password “Student1” “/Orion Star/Finance
Department/Payables” -makeFullPath
Repeat for Receivables under the Finance Department folder and the Shipping
Department.

For Windows Server

1. Access the CMD window from the Start menu.

2. Navigate to D:\Program Files\SASHome\SASPlatformObjectFramework\9.4\tools.

3. Enter the following: sas-make-folder.exe -host “sasserver.demo.sas.com” -port

8561 -user “Ahmed” -password “Student1” “/Orion Star/Finance
Department/Payables” -makeFullPath
Repeat for Receivables under the Finance Department folder and the Shipping
Department.

5. Importing a Package of Folders

Note: The import and export tools are available only in SAS Management Console or as batch
tools.
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
1) Right-click the Payables folder and select Import SAS Package.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-112 Lesson 6 Securing Metadata

In the first step, navigate to the following:

For Linux Server

D:\Workshop\spaftLNX and select Folder Set.spk to import. Click OK.

For Windows Server

D:\Workshop\spaftWIN and select Folder Set.spk to import. Click OK.

Follow the wizard steps without making any changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-113

2) Click Next.
3) Click Next three more times and click Finish.
b. Import the same package, Folder Set.spk, but this time import it into Orion Star  Finance
Department  Receivables.
6. Creating a Package
Note: The import and export tools are available only in SAS Management Console or as batch
tools.
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in the following:

For Linux Server

D:\Workshop\spaftLNX\export_sp.spk

For Windows Server

D:\Workshop\spaftWIN\export_sp.spk

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-114 Lesson 6 Securing Metadata

Also, in the first step in the wizard, select Include dependent objects when retrieving
initial collection of objects.
1) Right-click Orion Star  Marketing Department  Stored Processes and select
Export SAS Package.

2) Navigate to the location D:\Workshop\spaftLNX or D:\Workshop\spaftWIN. Name the

file export_sp.spk. Select Include dependent objects when retrieving initial
collection of objects. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-115

3) Click Next.

4) Click Next twice, and click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-116 Lesson 6 Securing Metadata

b. Import export_sp.spk in the Orion Star  Shipping Department folder.

1) Right-click Orion Star  Shipping Department and select Import SAS Package.

2) Browse the location of the export_sp.spk file that was just created. If you are doing
this in sequence, the location and file automatically show up in the browse location.
Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-117

3) No more changes are needed, so click Next four times. Click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-118 Lesson 6 Securing Metadata

7. Creating and Applying Baseline Access Control Templates (ACT)

One approach to setting permissions on folders is to create general-use ACTs, and apply one or
more of those ACTs to each folder that you need to secure. To grant access back to a specific
group, supplement the ACT settings by adding explicit controls on the target folder. (This is done
in Practice 8.)
You create two baseline ACTs:
Hide ACT, which prevents visibility for users who are not in the SAS Administrators group, but
does give SAS administrators and service identities exclusive Read access to metadata
Protect ACT, which prevents updates, deletions, and contributions by all users who are not in
the SAS Administrators group
Then you apply the Protect ACT to the Orion Star folder and the Hide ACT to the department
folders below the Orion Star folder.
Note: You have the option of using the Administration page of SAS Environment Manager or
SAS Management Console for the practice. There are step-by-step instructions, but the
solutions offer more steps and display captures.

SAS Environment Manager

a. Create the Hide ACT.

1) On the Administration page, select Folders f rom the navigation bar and expand System
 Security. Right-click Access Control Templates and select New Access Control
Template.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-119

2) Enter Hide ACT in the Name field and add a description if you choose. Click Save.

3) Click the ACT Pattern tab on the Hide ACT properties page and click the pencil to
edit the permissions applied to objects where the Hide ACT is applied.

4) In the Edit ACT Pattern window, click the Add button + in the upper right toolbar to open
the Add Identities window to add PUBLIC, SAS System Services, and SAS
Administrators.

5) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS
System Services and SAS Administrators. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-120 Lesson 6 Securing Metadata

6) Click in the ReadMetadata f ield f or PUBLIC and select Deny.

Verify that SAS System Services is granted RM.
Verify that SAS Administrators is granted RM.

7) Click Save.
b. Secure the Hide ACT.
1) Click the Authorization tab on the Hide ACT properties page and click the pencil to
edit the permissions of the ACT itself.

2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how this
affects the other identities on the authorization of this object. Click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-121

3) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata
to SAS Administrators and SAS System Services. Select Direct ACTs and click the
pencil to apply an ACT.

4) Select the SAS Administrators Settings ACT and click Save.

5) Click the Authorization tab to see the effects.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-122 Lesson 6 Securing Metadata

c. Create the Protect ACT.

1) On the Administration page, select Folders f rom the navigation bar and expand System
 Security. Right-click Access Control Templates and select New Access Control
Template.

2) Enter Protect ACT in the Name field and add a description if you choose. Click Save.

3) Click the ACT Pattern tab on the Protect ACT properties page and click the pencil to
edit the permissions applied to objects where the Protect ACT is applied.

4) In the Edit ACT Pattern window, click the Add button + in the upper right toolbar to open
the Add Identities window to add PUBLIC and SAS Administrators.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-123

5) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS
Administrators. Click OK.

6) Use this table to set the pattern f or the Protect ACT. Click Save.

Group Setting Permissions

Deny WriteMetadata,
Public
WriteMemberMetadata,
CheckInMetadata, Write,
Administer. Remove the
ReadMetadata permission.
Grant WriteMetadata,
SAS Administrators
WriteMemberMetadata,
CheckInMetadata, Write,
Administer, ReadMetadata

d. Secure the Protect ACT.

1) Click the Authorization tab on the Protect ACT properties page and click the pencil
to edit the permissions of the ACT itself.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-124 Lesson 6 Securing Metadata

2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how this
affects the other identities on the authorization of this object. Click Save.

3) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata
to SAS Administrators. Select Direct ACTs and click the pencil to apply an ACT.

4) Select the SAS Administrators Settings ACT and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-125

5) Click the Authorization tab to see the effects.

e. Apply the Protect ACT to the Orion Star folder.

1) Click the Orion Star folder, select Direct ACTs, and click the pencil to access the list
of ACTs to apply to the Orion Star folder.

2) Select Protect ACT and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-126 Lesson 6 Securing Metadata

3) View the authorization settings of the Orion Star folder. Click the Authorization tab.

Notice that the SASUSERS group still has ReadMetadata, but only members of the SAS
Administrators group can modify or delete any content from this folder and below. And
the ReadMetadata permissions are coming from somewhere else except for SAS
Administrators, which is coming from the Protect ACT.
f. Apply the Hide ACT to the four department folders below the Orion Star folder.
1) Click the Finance Department folder, select Direct ACTs, and click the pencil to
access the list of ACTs to apply to the Finance Department folder.

2) Select the Hide ACT and click Save.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-127

3) Click the Authorization tab to view the authorization settings of the Finance Department
folder.

Notice that only SAS Administrators and SAS System Services have visibility because of
the Hide ACT that was applied. We grant access back to the appropriate groups in the
next practice.
4) Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1 through 3.

SAS Management Console

a. Create the Hide ACT.

The Hide ACT is designed to prevent visibility for users who are not in the SAS
Administrators or SAS System Services groups.
1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
f older and select New Access Control Template.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-128 Lesson 6 Securing Metadata

2) Enter Hide ACT in the Name field on the General tab.

3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the
Show Users check box to list only groups. Hold down the Ctrl key and click the desired
groups: PUBLIC, SAS System Services, and SAS Administrators. Click the right-
pointing arrow to move them to the Selected Identities pane.

4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-129

5) Highlight PUBLIC and deny RM.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-130 Lesson 6 Securing Metadata

6) Highlight SAS System Services and verif y that RM is granted.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-131

7) Highlight SAS Administrators and verif y that RM is granted.

8) Click OK to create the ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-132 Lesson 6 Securing Metadata

b. Secure the Hide ACT.

1) Right-click Hide ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
the Available box to the Currently Using box and click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-133

3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
affects SASUSERS because of identity hierarchy. SASUSERS now has an indirect deny
of RM, whereas before it had indirect grant of RM coming from the Repository ACT.

c. Create the Protect ACT.

The Protect ACT is designed to prevent updates, deletions, and contributions by all users
who are not in the SAS Administrators group.
1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
f older and select New Access Control Template.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-134 Lesson 6 Securing Metadata

2) Enter Protect ACT in the Name field on the General tab.

3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the
Show Users check box to list only groups. Hold down the Ctrl key and click the desired
groups: PUBLIC and SAS Administrators. Click the right-pointing arrow to move them
to the Selected Identities pane.

4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-135

5) Highlight PUBLIC and deny WM. Then click RM to remove any grant or deny

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-136 Lesson 6 Securing Metadata

6) Highlight SAS Administrators, verif y that RM is granted, and grant WM, CM,
and W.

7) Click OK to create the ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-137

d. Secure the Protect ACT.

1) Right-click Protect ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Protect ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
the Available box to the Currently Using box and click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-138 Lesson 6 Securing Metadata

3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM t o explicit. This
affects SASUSERS because of identity hierarchy. SASUSERS now has an indirect deny
of RM, whereas before it had indirect grant of RM coming from the Repository ACT.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-139

e. Apply the Protect ACT to the Orion Star folder.

1) On the Folders tab, right-click Orion Star folder and select Properties.

2) Click the Authorization tab, and click Access Control Template.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-140 Lesson 6 Securing Metadata

3) Move Protect ACT over to the Currently Using box and click OK.

4) Review the authorization settings.

5) Click OK to save your changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-141

f. Apply the Hide ACT to the four department folders below the Orion Star folder.
1) Right-click the Finance Department folder and select Properties.
2) Click the Authorization tab, and click Access Control Template.

3) Move Hide ACT over to the Currently Using box and click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-142 Lesson 6 Securing Metadata

4) Review the authorization settings.

Notice that SASUSERS is denied ReadMetadata because the group is a subgroup of

PUBLIC, which is denied ReadMetadata through the HIDE ACT. But SAS Administrators
still has visibility. You grant access back to the appropriate groups in the next practice.
5) Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1-4.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-143

8. Adding Groups to Folders

Note: You can use SAS Environment Manager or SAS Management Console to add identities
to folders and set permissions on folders. Refer to the solutions for step-by-step
instructions.

SAS Environment Manager

Add group identities to folders based on the table below.

Group Name Folder Grant Permissions

Power Users Finance Department, Marketing Department, Sales

RM, R, WMM, CM
Department, Shipping Department

Finance Finance Department RM, R

Marketing Marketing Department RM, R

Sales Sales Department RM, R

Shipping Shipping Department RM, R

Note: There is an automatic grant of ReadMetadata for any identity that is added to the
Authorization of an object.
Note: The group identities that are added are automatically added to the subfolders’
authorization with the same permissions inherited, and Power Users will also have WM
indirectly granted because they were given WMM on the parent folder.
a. Click the Finance Department folder, click the Authorization tab, and click the pencil to
configure the permissions on the Finance Department folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-144 Lesson 6 Securing Metadata

b. Add Finance and Power Users to the authorization.

1) Click the Add Identities button in the upper right toolbar.

2) Search Finance and move the group identity to the Identities to add pane.
3) Search Power Users and move the group identity to the Identities to add pane.
4) Click OK.

c. Verify that the two groups added have ReadMetadata. Next grant both groups the Read
permission. Power Users will also be granted WriteMemberMetadata and
CheckInMetadata. Click Save.
1) Click in the Read field for Finance and Power Users and select Grant.

Finance and Power Users:

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-145

2) Click in the WriteMemberMetadata and CheckInMetadata fields for Power Users and
select Grant.

Power Users:
3) Click Save.
When complete:

d. Repeat steps a through c for the other three folders: Marketing Department, Sales
Department, and Shipping Department.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-146 Lesson 6 Securing Metadata

SAS Management Console

Add group identities to folders based on the table below.

Group Name Folder Grant

Permissions

Power Users Finance Department, Marketing Department, Sales

RM, R, WMM, CM
Department, Shipping Department

Finance Finance Department RM, R

Marketing Marketing Department RM, R

Sales Sales Department RM, R

Shipping Shipping Department RM, R

Note: There is an automatic grant of ReadMetadata for any identity that is added to the
Authorization of an object.
Note: The group identities that are added are automatically added to the subfolders’
authorization with the same permissions inherited, and Power Users will also have WM
indirectly granted because they were given WMM on the parent folder.
a. Right-click the Finance Department folder and select Properties.

b. Click Add on the Authorization tab of the Finance Department folder.

c. Clear Show Users so that you show only a list of groups.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-147

d. Select Finance and Power Users in the Available Identities list and click the right-pointing
arrow to move the identity to the Selected Identities list.

e. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-148 Lesson 6 Securing Metadata

f. Verify that the two groups added have ReadMetadata.

1) Grant Finance the Read permission as well.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-149

2) Grant Power Users the WriteMemberMetadata, CheckinMetadata, and Read

permissions as well.

g. Click OK.
h. Repeat steps a through g for the other three folders: Marketing Department, Sales
Department, and Shipping Department.
9. (Optional) Verifying Access
Use the table below to verify the access of users in various groups.

Group User

Marketing Henri

Sales Linda

Shipping Ray

Finance Alex

Power Users Kari

The users in Marketing, Sales, Shipping, and Finance have access to only the associated
departmental folders. The Power Users group (Kari is a member of the Data Integrators group)
should be able to access, add, and modify content in any subfolder of the Orion Star folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-150 Lesson 6 Securing Metadata

a. An administrator can use the Permissions Inspector in Environment Manager or the

Advanced option on the Authorization tab in SAS Management Console to inspect the
permissions for osome of the users in the table above.
b. To understand how an end user is impacted, impersonate an end user by logging on to a
client application such as SAS Enterprise Guide. Open SAS Enterprise Guide. Click
sasserver.demo.sas.com or sasapp.demo.sas.com (depending on your environment) in
the top right of the interface to modify the connection profile.

or
1) Click Modify.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-151

2) Enter Kari as the user. No other changes are needed. (Student1 is the password for
everyone.)

Click Save and Connect and Close.

3) Can Kari rename or delete the Finance Department folder? No. That would require
WM on the Finance Department folder. Power Users have only WMM, which does
give Kari the ability to add a new folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-152 Lesson 6 Securing Metadata

4) Can Kari add a new folder or modify the content in the Finance Department folder? Yes

5) Click sasserver.demo.sas.com or sasapp.demo.sas.com (depending on your

environment), and modify the connection profile, but this time log on as Henri.
6) Can Henri see any folders under the Orion Star folder, other than his own department
folder of Marketing Department? No.
Can he rename, delete, and add a new folder to the Marketing Department folder? No. If
not, he has the appropriate permissions for a report consumer in the Marketing group.

7) Repeat steps 6-7 for the other users in the table.

10. (Optional) Reporting on Security
SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
for a specified set of identities, permissions, and objects. This macro is documented in
SAS 9.4 Intelligence Platform: Security Administration Guide.
Note: In SAS 9.4, the sas-show-metadata-access batch tool can generate the same
information as the %Mdsecds macro. For information about the batch tool, refer to
SAS 9.4 Intelligence Platform: Security Administration Guide.
Note: The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web
report). A sample reporting program is provided with your software in the following
location:

For Linux Server

SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-153

For Windows Server

SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas

a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
on the Marketing folder.

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no);

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no);

b. Use the %Mdsecds macro to identify the effective permissions of a Marketing member
on the Marketing Department folder.

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no, identitynames="Eric",
identitytypes="Person");

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no, identitynames="Eric",
identitytypes="Person");

c. Use the %Mdsecds macro to identify the effective permissions of a Marketing member
and the PUBLIC group on the Marketing Department folder.

For Linux Server

options metaserver=sasapp metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no,
identitynames="Eric,PUBLIC",
identitytypes="Person,IdentityGroup");

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-154 Lesson 6 Securing Metadata

For Windows Server

options metaserver=sasserver metauser="Ahmed"
metapass="Student1";
%mdsecds(folder="\Orion Star\Marketing Department",
includesubfolders=no,
identitynames="Eric,PUBLIC",
identitytypes="Person,IdentityGroup");

d. Refer to the %Mdsecds macro documentation to answer the following questions:

Hint: Refer to the %Mdsecds macro syntax in SAS 9.4 Intelligence Platform: Security
Administration Guide.
• If you do not specify the folder option, what is the default starting point?
By default, the starting point is the server root (the SAS Folders node).
• What option would you use to limit the types of objects that are searched?
MEMBERTYPES
• What option would you use to limit the permissions that are included?
PERMS

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-155

Solutions to Activities and Questions

6.01 Multiple Choice Question – Correct Answer

What would happen if you remove the repository ACT?
a. All permissions are denied.
b. Nothing. Permissions will come from somewhere else.
c. All permissions are granted.
d. Permissions come from the SAS Folders Authorization tab.

18
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.02 Multiple Choice Question – Correct Answer

Given the Authorization tab for the Marketing Department folder, which
identities are on the Authorization tab of any item stored directly under
that folder?
a. only the identities that need access to the item
b. only the identities added on the specific item
c. only the identities from the Marketing Department Authorization tab
d. the identities from the Marketing Department folder and any added on
that specific item

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-156 Lesson 6 Securing Metadata

6.03 Multiple Choice Question – Correct Answer

What is the effect of explicitly denying PUBLIC RM?
a. Only PUBLIC is affected, and the settings for the other users and groups
remain unchanged.
b. Only PUBLIC and SASUSERS are affected, and the settings for the other
users and groups remain unchanged.
c. PUBLIC is denied RM, which overrides all explicit, ACT, and indirect
settings for the other users and groups.
d. PUBLIC is denied RM, which overrides all indirect settings for the other
users and groups but does not override explicit or ACT settings for other
users and groups.

38
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.04 Multiple Choice Question – Correct Answer

If an ACT includes settings for Ellen and you apply the ACT to an object that
already lists Ellen on the authorization of an object, what happens to Ellen’s
permissions?
a. The settings from the ACT take precedence.
b. The settings from the ACT are ignored.
c. Explicit settings are not affected and indirect settings are changed to
ACT settings.
d. The settings from the groups in her identity hierarchy take precedence.
Note: If there are conflicting ACT settings, the denial settings are used.

40
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-157

6.05 Multiple Choice Question – Correct Answer

What is Eric’s effective permission?
a. Grant RM because explicit settings take precedence over ACTs
b. Deny RM because ACT settings take precedence over explicit settings
c. Deny RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a denial
d. Grant RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a grant

43
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.06 Multiple Choice Question – Correct Answer

What is Eric’s effective permission?
a. Grant RM because grants take precedence over denials
b. Deny RM because denial settings take precedence over grants
c. Deny RM because when there is a conflict at the same level of an
identity hierarchy and both permissions are ACTs (or both are explicit),
the outcome is a denial
d. Grant RM because when there is a conflict at the same level of an
identity hierarchy and both permissions are ACTs (or both are explicit),
the outcome is a grant

46
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-158 Lesson 6 Securing Metadata

6.07 Multiple Choice Question – Correct Answer

What is Eric’s effective permission?
a. Grant RM because explicit grants always take precedence over denials
b. Deny RM because the denial setting is coming from a direct group and
take precedence over grants from an indirect group
c. Deny RM because grants coming from an ACT always take precedence
d. Grant RM because the HR group inherits the Explicit grant of RM from
the Finance Group

49
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.08 Multiple Choice Question – Correct Answer

What do the settings on the Authorization tab in SAS Management Console
or SAS Environment Manager Administration of the ACT affect?
a. The settings are applied where the ACT is applied.
b. The settings control who can access and modify the ACT itself.
c. The settings control who can access and modify the repository.
d. The settings are ignored and have no effect.

67
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 6.4 Solutions 6-159

6.09 Multiple Choice Question – Correct Answer

The Private User Folder ACT does not include permissions for individual
users such as Barbara. How is Barbara granted access to her My Folder?
a. Barbara is a member of PUBLIC, so the ACT settings for PUBLIC
determine arbara’s access.
b. Barbara is explicitly granted access on the Authorization tab of her
My Folder.
c. Barbara is explicitly granted access on the Authorization tab of the
Barbara folder, and the settings are inherited.
d. Users with the same name as the parent folder are implicitly granted
access.

70
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

6.10 Multiple Choice Question – Correct Answer

What should the setting for PUBLIC for RM be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT is applied should
determine the setting

72
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
6-160 Lesson 6 Securing Metadata

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 7 Establishing
Connectivity to Data Sources
7.1 Registering Libraries and Tables in Metadata ............................................................... 7-3
Demonstration: Registering SAS Library and Table Metadata in SAS Environment
Manager ....................................................................................... 7-14
Demonstration: Registering SAS Library and Table Metadata in SAS Management
Console (Optional).......................................................................... 7-21
Practice............................................................................................................... 7-24

7.2 Setting Up Data Access ............................................................................................. 7-28

Practice............................................................................................................... 7-39

7.3 Solutions ................................................................................................................... 7-46

Solutions to Practices ............................................................................................ 7-46
Solutions to Activities and Questions........................................................................ 7-87
7-2 Lesson 7 Establishing Connectivity to Data Sources

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-3

7.1 Registering Libraries and Tables in

Metadata

Data Sources
Here are several options for data storage on the platform:
• SAS data sets
• third-party data stores
• ODBC data sources
• Hadoop
Data Sources
For each type of data source, SAS uses the appropriate
engine to access the data. SAS Data Sets
SAS OLAP Cubes
Third-Party Data Stores
Enterprise Resource
Planning (ERP) Systems
SAS Web Infrastructure
Platform Data Server

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Base SAS engine is used to access SAS data sets. SAS data sets (tables) are the default SAS
storage format. A SAS table contains data values that are organized as a table of rows and columns .
A SAS data set can be processed by SAS software.
You can use SAS/ACCESS Interface to Oracle or SAS/ACCESS Interface to ODBC to access
Oracle tables. SAS/ACCESS Interface to Oracle uses the Oracle engine. SAS/ACCESS Interface to
ODBC uses the ODBC engine.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-4 Lesson 7 Establishing Connectivity to Data Sources

Accessing Data
Here are ways that you can access data:
• writing SAS code to connect to the data source
libname orion "d:\workshop\orion";

• referring to the metadata registration of the data source

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When you write SAS code, the LIBNAME statement, with the appropriate native engine, can be used
in SAS applications that offer a programmatic interface (for example, SAS Enterprise Guide), as well
as in stored processes and batch jobs. You can also include LIBNAME statements in autoexec files.
An alternative to the native engine is to use the META engine in the LIBNAME statement.
libname orstar meta library="Orion Star Library";
The META engine causes a lookup in the metadata for the connection information and metadata
permission check. This is similar to having a user of a SAS application select a table from a list of
metadata-registered tables.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-5

Accessing Data
By selecting a table registered in metadata, users
have to go through metadata layer controls.

By submitting a LIBNAME statement directly,

users can bypass metadata layer controls.

Regardless, host access to the data is required.

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If a library is metadata bound, even if a user tries to access it directly, metadata layer permissions
are enforced.

Accessing Data without Metadata

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The data can be local to the workspace server machine or in a remote location that is accessed
using a network path. Data cannot be accessed via mapped drives on the SAS Application Server.
You must use the UNC path, such as \\dataserver\sourcetables.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-6 Lesson 7 Establishing Connectivity to Data Sources

Accessing Data with Metadata

7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The appropriate LIBNAME statement is created from the information retrieved from the metadata.

Accessing Relational Data with Metadata

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS/ACCESS must be on the same machine as the SAS process that access es the data. In a UNIX
environment, the configuration of SAS/ACCESS requires setting some environment variables.
The database client installation and configuration is typically done by a database administrator
(DBA). The DBA has access to tools that help test the configuration and connection to the database
server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-7

Databases typically maintain credentials separate from other authentication providers.

Connection Information
For RDBMS libraries, additional connection information is required and
could be erroneous:
• server host
• database name
• schema name
• credentials

9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Troubleshooting Data Access

The library metadata is converted to a LIBNAME statement, which you can
access from the Data Library Manager. Copy the LIBNAME statement from
SAS Management Console and submit it in a SAS session.

10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-8 Lesson 7 Establishing Connectivity to Data Sources

For troubleshooting a SAS/ACCESS library configuration when registering tables fails, perform the
following steps:
1. From SAS Management Console, right-click the Library icon and select Display LIBNAME
Statement.
2. Start SAS on the SAS server host, or use a client application such as SAS Enterprise Guide,
which includes a Program Editor, and issue the LIBNAME statement displayed from SAS
Management Console.
3. If the SAS log indicates failure, check the following items:
a. If this is UNIX environment, check your UNIX environment variables:
http://support.sas.com/documentation/cdl/en/bidsag/67493/HTML/default/viewer.htm#p1w3v
98qca3sfzn1rzty2tngrfyq.htm
b. Check and revise the LIBNAME statement. For more information about LIBNAME
statements for SAS/ACCESS engines, see SAS/ACCESS for Relational Databases:
Reference. If you are successful at this stage, then use the Properties tab of the library to
reconfigure the library.
c. Confirm that SAS/ACCESS is installed correctly. For installation information, go to the Install
Center at http://support.sas.com/documentation/installcenter/94 and use the operating
system and SAS version to locate the appropriate SAS Foundation Configuration Guide.
4. If the connection succeeds, run the DATASETS procedure:
PROC DATASETS LIBRARY=libref;
QUIT;
If no members are returned, then check the schema value by performing the next step or
contacting your database administrator.
5. Log on with the user account to the host where the SAS server is running, and use the native
database client to connect to the database. If this fails, confirm that the user account has file
system privileges to the database client binaries and libraries.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-9

Connection to External Database Server (Review)

Providing access to a third-party database such as Oracle or DB2 usually
requires maintaining a SAS copy of external credentials in the metadata
(outbound login).
The outbound login can be associated with the following:
• an individual metadata identity if each user has unique database
credentials
• a group metadata identity if a collection of users shares database
credentials

11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

An authentication domain is a SAS metadata object that pairs logins with the server def initions
where those credentials are correctly authenticated.
For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound logins)
have the same authentication domain value (for example, “OracleAuth”) if those credentials
authenticate on that Oracle server. Authentication domains can be managed using the Server
Manager plug-in or the User Manager plug-in. Right-click the plug-in and select Authentication
Domains.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-10 Lesson 7 Establishing Connectivity to Data Sources

Registering Libraries and Tables in Metadata

Table registrations rely on other information in the metadata, including
library and server definitions.
The following applications can be used to register tables and libraries
in the metadata:
• SAS Management Console
• SAS Environment Manager
• SAS OLAP Cube Studio
• SAS Data Integration Studio

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Setting up a connection from SAS to a database management system is a two-step process:

1. Register the database server. This can be done within the New Library Wizard when specifying
the server and connection information. Or it can be registered through the Server Manager
Plug-in.
2. Register the database library.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-11

Registering Libraries and Tables in Metadata

The library object contains the connection information (engine,
location of data, additional information as needed) and the libref.

The table object is a description of the table including column

information (names, types, attributes), indexes, name of physical
table, and the library that holds the connection information.

Note: There are some uniqueness requirements when you register libraries
and tables in the metadata.

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The same library name cannot be used multiple times in the same metadata folder or for the same
application server.
The same table name cannot be used multiple times in the same metadata folder or for the same
library.
• To associate a library with an application server, you need WM permission for the server and
WMM for the parent folder.
• To associate a table with a library, you need WM permission for the library and WMM for the
parent folder.
• For a table accessed via the metadata LIBNAME engine, you need Read permission in order to
access data.
• For a table accessed via a native engine (that is, BASE, ORACLE, TERADATA), the Read
permission in Metadata is ignored, so Grant or Deny has no effect. This is also true for the Write,
Create, and Delete permissions.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-12 Lesson 7 Establishing Connectivity to Data Sources

Metadata-Bound Libraries and Tables

Enforcement for a metadata-bound library originates from the physical data.

14
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When accessing a traditional table, a user can bypass metadata-layer controls by making a direct
request.
When accessing a metadata-bound table, a user cannot completely bypass metadata-layer controls.
Even on a direct request, UserA is always subject to a metadata-layer permissions check before
accessing SAS data from SAS.
For each metadata-bound table, information within the table header identifies a corresponding
metadata object (a secured table object). Metadata-layer permissions on each secured table object
affect access from SAS to the corresponding physical table.
For the metadata-bound table, UserB is subject to two metadata-layer authorization checks against
two different metadata objects. The first check is against a traditional table object. The second check
is against a secured table object.
Only Base SAS data, SAS tables, and SAS views can be bound to metadata. Binding data to
metadata does not prevent the use of operating system commands against files or directories.
Setting up a metadata-bound library involves the following:
1. In the SAS metadata, below the /System/Secured Libraries/ folder, identify or create an
appropriately secured folder for the data.
2. Use either SAS Management Console or SAS code to bind the physical library to metadata. For
SAS code, submit a CREATE statement with the AUTHLIB procedure. The options in the
AUTHLIB procedure reference your physical data directory and the metadata folder that you
identified in step 1.
3. If you want to support access from clients that use metadata in order to locate data, make sure
that the physical library and tables are also registered in metadata.
For more information, refer to SAS Guide to Metadata-Bound Libraries.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-13

Data Permissions for Metadata-Bound Libraries

For secured library objects and secured table objects, SAS enforces the
following special metadata-layer permissions:

Select (S) Read rows within a physical table.

Delete (D) Delete rows in a physical table.
Insert (I) Add rows to a physical table.
Update (U) Update rows in a physical table.
Create Table (CT) Create new physical table.
Drop Table (DT) Delete a physical table.
Alter Table (AT) Replace a physical table.

15
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-14 Lesson 7 Establishing Connectivity to Data Sources

Registering SAS Library and Table Metadata in SAS

Environment Manager
This demonstration illustrates how to use SAS Environment Manager to register a SAS library and
tables in the metadata.
Note: For the current release of SAS Environment Manager, you can browse any type of library
that has been defined in SAS metadata. You can create and edit definitions for Base SAS
libraries and SAS LASR Analytic libraries.
1. Sign in to SAS Environment Manager as Ahmed using the Student1 password.
2. Click the Administration tab. On the Administration page, click Libraries.

3. The Libraries page displays a table of all library definitions in the SAS Metadata Server. You can
filter by library type, as well as search the table, sort the table by a selected column, and choose
which columns appear in the table.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-15

4. To register a new library, click the New Library button in the upper right toolbar.
Enter Orion Gold ship1 for the metadata library name. (The libref is included in the metadata
library object name as an example of an access structure that you can use for SAS Enterprise
Guide users.)

5. Click Browse to navigate to the SAS Folder location.

6. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.

7. For Type, select SAS Base Library.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-16 Lesson 7 Establishing Connectivity to Data Sources

8. Enter ship1 as the libref. Keep Engine as BASE.

Note: A libref is a nickname or short ref erence to the physical location of the data. It is a best
practice to use unique libref s in the metadata. Uniqueness of libref s is not enf orced.

9. Select the box next to the path of the physical storage of the data.

For Linux /opt/sas/Workshop/OrionStar/orgold

For Windows D: \Workshop\OrionStar\orgold

Note: If the path was not already defined, click the Add button in the upper right toolbar
and enter it manually.
10. Click Save.
11. To register tables in metadata to this library, select Tables on the Orion Gold ship1 library
properties page.

12. Click the Register Tables toolbar button +.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-17

13. You cannot register tables until the library is assigned to a SAS server context. Click Close.

14. Select Assigned SAS Servers on the Orion Gold ship1 library properties page.

15. Click the pencil to edit the servers, select the box next to SASApp, and click Save.

Note: This assignment makes the library available to the servers in the SASApp application
server context.

If you do not assign a library to an application server, the library is not available in some
client applications, including SAS Enterprise Guide. Unless you want to intentionally limit
the accessibility of a library by this method, you should assign each library to an
application server. It is a best practice to use metadata-layer and operating-system-layer
permissions to control access to data.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-18 Lesson 7 Establishing Connectivity to Data Sources

16. Now the tables can be registered for this library. Select Tables on the Orion Gold ship1 library
properties page and click the Register Tables toolbar button +.
Note: If you are signed in as sasadm@saspw, you receive an error because that account is
internal and does not have access to a SAS Workspace Server.

17. Change the location to /Orion Star/Shipping Department by using the Browse button. Select
CUSTOMER_DIM, GEOGRAPHY_DIM, ORGANIZATION_DIM, and TIME_DIM.

18. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-19

19. Select Show details. (The METALIB procedure is used to register these tables. The METALIB
procedure is discussed in the next section.)

20. Click Close.

Note: You can register tables from the Libraries module. Right-click the library and select
Register tables from the pop-up menu. The Register Tables dialog box appears.

Note: You can register tables from the Folders module. Navigate to the library. Right-click the
library and select Register tables from the menu.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-20 Lesson 7 Establishing Connectivity to Data Sources

21. The library and tables are stored in the Orion Star  Shipping Department folder. On the
Administration page, click Folders and navigate to the Shipping Department folder to confirm
that the library and tables are found there.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-21

Registering SAS Library and Table Metadata in

SAS Management Console (Optional)
This demonstration illustrates how to use SAS Management Console to register a SAS library and
tables in the metadata.
1. Log on to SAS Management Console 9.4 as Ahmed using the Student1 password.
2. On the Plug-ins tab, expand Data Library Manager  Libraries.
3. Right-click Libraries and select New Library.

4. Select SAS BASE Library and click Next.

5. Enter the name Orion Gold ship1 and click Browse. (The libref is included in the metadata
library object name as an example of an access structure that you can use for SAS Enterprise
Guide users.)
6. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.

7. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-22 Lesson 7 Establishing Connectivity to Data Sources

8. Move SASApp to the Selected servers list box and click Next.

Note: This assignment makes the library available to the servers in the SASApp application
server context.

If you do not assign a library to an application server, the library is not available in some
client applications, including SAS Enterprise Guide. Unless you want to intentionally limit
the accessibility of a library by this method, you should assign each library to an
application server. It is a best practice to use metadata-layer and operating-system-layer
permissions to control access to data.
9. Enter ship1 as the libref.
Note: A libref is a nickname or short ref erence to the physical location of the data. It is a best
practice to use unique libref s in the metadata. Uniqueness of libref s is not enf orced.
10. Move the following path over:

For Linux /opt/sas/Workshop/OrionStar/orgold

For Windows D:\Workshop\OrionStar\orgold

Note: If the path to the data source location is not in the available items, click New and
navigate to the location.
11. Click Next.
12. Review the settings and click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-23

13. Right-click Orion Gold ship1 and select Register Tables.

14. Verify the library settings and click Next.

Note: If you are prompted for credentials, you are probably logged on as an unrestricted user
with only an internal account.
15. Hold down the Ctrl key and select CUSTOMER_DIM, GEOGRAPHY_DIM,
ORGANIZATION_DIM, and TIME_DIM. Click Next.

16. Click Next.

17. Click Finish.
18. The tables are registered in the metadata and now appear in SAS Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-24 Lesson 7 Establishing Connectivity to Data Sources

Practice

1. Registering a SAS Library and Tables

a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on
as Ahmed using the password Student1.
You can use SAS Environment Manager or SAS Management Console to register a SAS
library.

SAS Environment Manager

1) Make sure that you are signed on to SAS Environment Manager as Ahmed with the
password Student1. On the Administration page, click Libraries.

2) Click the New Library button in the upper right toolbar.

3) Create a library with the following characteristics:

Name Customer orders ordetail

Folder location /Orion Star/Shipping Department

Library Type SAS Base Library

Libref ordetail

Engine BASE

• On the Linux server: /opt/sas /Workshop/OrionStar/ordetail

Path
specification • On the Windows server: D:\Workshop\OrionStar\ordetail
Note: You need to add the path to the existing list.

Assigned SAS SASApp

Servers

4) Register the following tables in the Customer Orders ordetail library and store the
metadata in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-25

SAS Management Console

1) Right-click Libraries and select New Library.

2) Create a library with the following characteristics:

Library Type SAS Base Library

Name Customer Orders ordetail

Folder location /Orion Star/Shipping Department

Server SASApp

Libref ordetail

Path • On the Linux server: /opt/sas /Workshop/OrionStar/ordetail

specification • On the Windows server: D:\Workshop\OrionStar\ordetail
Note: You need to add the path to the existing list in the wizard.

3) Register the following tables in the Customer Orders ordetail library and store the
metadata in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST
2. Verifying Library and Table Metadata in SAS Enterprise Guide
a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping
Folder in SAS Management Console. Log on as Ahmed using the password Student1.
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
permission on the Shipping Department folder.
c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he is
able to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries.
Through the Server list, you can see the metadata libraries and the tables that are registered
to those libraries.
Note: Only SAS Enterprise Guide and the SAS Add-In for Microsoft Office have a Server
list display.
e. Right-click Customer Orders ordetail and select Properties. What is the libref? Click
Close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-26 Lesson 7 Establishing Connectivity to Data Sources

f. Open or create a new program and enter the following LIBNAME statement in the Program
Editor and run the program:
Note: To get to the Program Editor, select Program  New program. Or you can select
File  New  Program.
libname ordetail meta library='Customer Orders ordetail';
Check for errors in the log.
If it was successfully assigned, you see that, under the Server list, the library icon for
Customer Orders ordetail has changed to yellow because it has been assigned.
(You need to refresh the view by right-clicking SASApp under the Server list and
selecting Refresh.)
Note: The five tables that were registered in the previous practice are listed under the
library in the Server list.
g. Select the Folders list in the Resource pane in the bottom left of the interface. Expand
Orion Star  Shipping Department. Do you see the library? Do you see any tables?
Note: If you did the demonstration, you will also see the registered tables from that library.
h. Open one of the tables. (You can right-click and select Open or double-click the table.) Are
you able to open the table?
i. Return to the code section of the Program window and change the LIBNAME statement as
follows:

For Linux Server

libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';

For Windows Server

libname ordetail 'D:\Workshop\OrionStar\ordetail';

This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You will need to refresh
the view by right-clicking SASApp under the Server list and selecting Refresh.)
How many tables appear in the Folders list Orion Star  Shipping?
j. Use SAS Environment Manager or SAS Management Console to grant the Read permission
back to Shipping on the Shipping Department folder. Or you can recover from the backup
that you performed in part a.

3. Listing Libraries, Librefs, and Their Server Contexts

Metadata DATA step functions provide a programming-based interface to create and maintain
metadata on the SAS Metadata Server. This program uses metadata DATA step functions to
return more detailed information about the libraries. The results are returned to a libraries data
set in the Work library. The requested data includes the library metadata ID, the library name,
the libref, the engine, the path on the file system (or if DBMS data, the DBMS path), and the
server contexts to which the library is associated.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.1 Registering Libraries and Tables in Metadata 7-27

a. Sign in to SAS Studio as Ahmed and run the following program:

extractlibrefandserverapp.sas
Open a web browser from the Windows machine using the taskbar. Select SAS Studio from
the Windows or Linux folder on the Favorites bar.

For Linux Server

Expand Files (/opt/sas/Workshop)  spaft.

Double-click extractlibrefandserverapp.sas to bring the program into the editor.

For Windows Server

Expand Files (D:\Workshop)  spaftWIN.

Double-click extractlibrefandserverapp.sas to bring the program into the editor.

b. Verify the connection information to the metadata server in the OPTIONS statement at the
top of the program.

For Linux Server

options metaserver="sasapp"
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";

For Windows Server

options metaserver="sasserver"
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs?
Note: Sample programs and more information about using DATA step functions to extract
metadata information can be found in the following documentation: SAS 9.4
Language Interfaces to Metadata, Second Edition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-28 Lesson 7 Establishing Connectivity to Data Sources

7.2 Setting Up Data Access

Library Assignment
Assigning a library to a SAS server enables the following:
• the SAS server to access the library
• the library to be visible to users of the SAS server
• control over which SAS engine is used by the SAS server to access data,
if the library is pre-assigned
By default, libraries are assigned by the client applications, but not until a
user tries to access a library. In other words, library assignment is deferred
until it is needed.

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Assigning a library to a SAS server means letting the SAS server session know that a libref (a
shortcut name) is associated with the inf ormation that a SAS session needs to access a data library.

Pre-assigned Libraries
Here are some characteristics of pre-assigned libraries:
• They are assigned when the server starts.
• Pre-assigned libraries require the administrator to configure the
environment so that the SAS server finds out about the libref and the
SAS engine to use for data access at server start-up. So the connection
information is established before any code that uses that libref is
submitted.
• The libraries do not become available to the user until all pre-assigned
libraries are assigned.

22
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-29

Pre-assigned libraries are assigned using the server’s identity. For servers that run under shared
credentials, such as the stored process server, this means that the library is assigned using the
shared identity, not an individual user identity.
Note: The disadvantage of pre-assigning libraries is that pre-assigning an excessive number of
libraries can slow the execution of SAS jobs for all users.

Pre-assigning Libraries
You can pre-assign a library in these ways:
• in the metadata
• in a server autoexec file
Libraries assigned by an autoexec file take precedence over same-named
libraries that are pre-assigned in the metadata.
Note: The best practice when pre-assigning libraries is to use only one
method if possible. If you have configuration information in two
places, maintenance increases.

23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-30 Lesson 7 Establishing Connectivity to Data Sources

Pre-assigning Libraries in the Metadata

To pre-assign libraries in metadata, use SAS Management Console
or SAS Environment Manager.

24
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

By native library engine: The library is assigned through the METAAUTORESOURCES options.
You use the library engine defined for the library.
By metadata LIBNAME engine: The library is assigned through the METAAUTORESOURCES
options. You use the metadata LIBNAME engine (MLE). Using the MLE ensures that access controls
that are placed on the library and its tables and columns are enforced in metadata.
By external configuration: The library is assigned through an external definition or by an
autoexec file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-31

Pre-assigning Libraries in an Autoexec File

1. Add the LIBNAME statement to the autoexec file.

libname orstar
"S:\Workshop\OrionStar\orstar";

libname orstar meta

library="Orion Star Library";

2. Restart the object spawner and any server processes whose autoexec
files were modified.

25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: You cannot see the LIBNAME statement in the properties of the metadata library if the library
is pre-assigned.
The LIBDEBUG option reports to the SAS log the LIBNAME statement, which is generated behind
the scenes when the META engine is used.
libname orstart meta library="Orion Star Library" libdebug;

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-32 Lesson 7 Establishing Connectivity to Data Sources

Metadata LIBNAME Engine

The metadata LIBNAME engine points to metadata, rather than referencing
the actual physical data. Here is what the engine does:
• retrieves library connection information from the metadata (physical
location of data, credentials if required, and so on)
• enforces additional metadata permissions (Read, Write, Create, Delete)
• uses the access engine (such as BASE or ORACLE) in the library definition
to read values from tables in the library

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

You can use the appropriate METAOUT option value in your META LIBNAME statement in your
autoexec file for pre-assignment.

METAOUT=ALL You can read, create, update, and delete observations in physical
tables that exist and are registered in metadata. You cannot create or
*default delete entire tables.

You can read, create, update, and delete physical tables.

METAOUT=DATA

METAOUT=DATAREG You can read, update, and delete physical tables that are def ined in
metadata. You can create a table, but you cannot read, update, or
delete the new table until it is def ined in metadata.

If you want to use the META engine and do not need to create or delete tables, do the f ollowing:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by the metadata LIBNAME engine.
Note: Using this option results in using the metadata engine with the METAOUT=ALL option.
This LIBNAME option specifies that you can read, create, update, and delete
observations in physical tables that exist and are registered in metadata. You cannot
create or delete entire tables.
If you want to use the META engine and need to create or delete tables, do the f ollowing:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by external configuration.
3. Add the metadata LIBNAME statement to an autoexec file. You can use the appropriate
METAOUT= option value. For example:
libname meta library="Orion Star Library" metaout=data;

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-33

Note: Omitting the METAOUT= option in your LIBNAME statement or f lagging the
pre-assignment in metadata with the metadata engine results in using the metadata
engine with the METAOUT=ALL option.
4. Restart the object spawner and any server processes whose autoexec files were modified.
For the SAS/CONNECT server and the SAS DATA Step Batch server, modify the server’s
sasv9_usermods.cfg file by adding the following SAS system option:
-metaautoresources 'SASApp'

Default Engines Used

Application Library Minimum Metadata
Engine Used Authorizations Required
SAS Add-In for Microsoft Office META Library: ReadMetadata
SAS Enterprise Guide Table: ReadMetadata
Read
SAS Data Integration Studio Native engine Library: ReadMetadata
SAS OLAP Cube Studio Table: ReadMetadata
SAS Information Map Studio

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When libraries are not pre-assigned, each SAS application accesses data with the SAS engine that
makes the most sense for that application. Applications typically used for queries and reporting are
designed to use the metadata engine. Applications typically used to update or create tables are
designed to use the native engine.
Note: The metadata authorization layer supplements operating system and RDBMS security. It
does not replace it. Operating system and RDBMS authorization should always be used as
the f irst means of securing access to tables.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-34 Lesson 7 Establishing Connectivity to Data Sources

Metadata LIBNAME Engine Used Metadata LIBNAME Engine Not Used

Library not SAS Enterprise Guide SAS Data Integration Studio

pre-assigned SAS Add-In for Microsoft Office SAS OLAP Cube Studio
SAS Information Map Studio
Library • in metadata with meta engine • in metadata with native engine
pre-assigned • in autoexec file with meta engine • in autoexec file with native engine

SAS Enterprise Guide and SAS Add-In

for Microsoft Office
If you administer only SAS Enterprise Guide and SAS Add-In for Microsoft
Office, consider the following questions:
• Should users be permitted to create new tables or modify
existing tables in the library?
• Do you want metadata permissions enforced on tables?
• Should the library connection be deferred until
needed or made when the server starts
(pre-assignment)?

28
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-35

Library Metadata and AssignMode

Anytime that SAS Enterprise Guide or the SAS add-in assigns a library, the
library’s value of AssignMode is used, if present, to determine the
assignment behavior. For libraries assigned with the META engine, the value
of AssignMode is also used to set the value for the METAOUT= option.

With an AssignMode value of 0, data is accessed through the underlying

engine, and no metadata permissions on tables or columns are enforced.
Tables can be seen only through the Server
29
list.
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: This would have the same effect as pre-assigning a library with the native LIBNAME
statement.

You risk permanently corrupting the library metadata if you do not enter a valid name and
value for the extended attribute.
AssignMode Values

0 The library is assigned using SAS Enterprise Guide. Data is accessed through the
underlying engine and no metadata permissions on tables or columns are enforced.

1 The library is assigned using the META engine with the METAOUT=ALL option (the
default META engine behavior). Metadata permissions are enforced and the user only
sees registered tables. The metadata and physical tables are prevented from becoming
out of sync, even if the user has permissions such as Write and Delete on tables in the
library.

2 The library is assigned using the META engine with the METAOUT=DATA option.
Metadata permissions are enforced for all registered tables, but the user sees all
physical tables in the library. The user can change, create, and delete registered tables
if he has appropriate permissions in the metadata. This can cause the metadata and the
physical tables to become out of sync.

4 The library is assigned using the META engine with the METAOUT=DATAREG option.
Metadata permissions are enforced and the user only sees registered tables. In this
mode, the users can change, create, and delete the tables if they have appropriate
permissions in the metadata. This can cause the metadata and the physical tables to
become out of sync. If the user creates a table, he cannot read, update, or delete the
newly created table until it is registered in metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-36 Lesson 7 Establishing Connectivity to Data Sources

Other applications, such as SAS Data Integration Studio, ignore the AssignMode extended attribute
when you assign libraries.

Access to Data in Stored Processes

You have several options to make data available to a stored process:
• include the LIBNAME statement using the native engine in the code
• include the LIBNAME statement using the META engine in the code
• pre-assign the library

30
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

If you include a LIBNAME statement in the code:

• The library is assigned when the code runs.
• Metadata layer permissions for the user running the code are checked.
• Operating system access is based on the account under which the server runs.
• RDBMS access is based on the credentials used to make the connection.
If you choose to include the LIBNAME statement using the native engine in the code, you need
to do the following:
• include RDBMS credentials for RDBMS data or include the AUTHDOMAIN= option so that
credentials can be retrieved from the metadata for the connecting user
• maintain connection information included in the LIBNAME statements in the code
If you choose to include the LIBNAME statement using the META engine in the code, you need
to do the following:
• maintain RDBMS credentials in the metadata
• maintain the connection information in the metadata

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-37

Updating Table Metadata

Updating table metadata synchronizes the physical data with the
metadata definitions of the data. Here are the available methods:
• update the Metadata task in SAS Management Console and
SAS Data Integration Studio
• update the Library Metadata task in SAS Enterprise Guide
• write custom code using the METALIB procedure

31
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Updating table metadata enables you to do the f ollowing:

• Add table metadata for tables that exist in the physical library but have no metadata in the
repository
• Delete metadata for table definitions that exist in the metadata repository but do not have a
corresponding table in the physical library
• Update table definitions to match corresponding physical tables, including changes to the table’s
columns and indexes
PROC METALIB provides options for maintaining your table metadata that are not available in SAS
Management Console.
• The Update Library Metadata task in SAS Enterprise Guide uses PROC METALIB.
• The Update Library Metadata task is available from the Task list, under the Tools category,
or by selecting Tools  Update Library Metadata.
• The METALIB procedure gives you the most control over the updating features and can be run in
batch.

The METALIB procedure can produce “duplicate” table registrations in the same metadata
folder. These are two tables with the same name but registered to different libraries. SAS
Data Integration Studio table properties highlight the differences.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-38 Lesson 7 Establishing Connectivity to Data Sources

The METALIB procedure syntax is as f ollows:

PROC METALIB;
OMR <=> (LIBID = <">identifier<"> | LIBRARY = <">name<">
| LIBRARY = "/folder-pathname/name" |
| LIBURI = "URI-format"
<server-connection-arguments>);
<EXCLUDE <=> (table-specification <table-specification-n>);> |
<SELECT (table-specification <READ = read-password>
< table-specification-n <READ = read-password-n>>);>
<FOLDER <=> "/pathname";> |
<FOLDERID <=> "identifier.identifier";>
<IMPACT_LIMIT = n;>
<NOEXEC;>
<PREFIX <=> <">text<">;>
<REPORT <<=> (report-arguments)>;>
<UPDATE_RULE <=> (<DELETE> <NOADD> <NODELDUP>
<NOUPDATE> <STATS_AUTH>);>
RUN;

For more information about the METALIB procedure, refer to SAS 9.4 Language Interfaces
to Metadata.

Security
Access to a table requires access to the following:
• server metadata for a server that opens data
• credentials for a server (or multiple servers)
• table metadata
• a table in an operating system.
Note: The level of metadata security for tables depends on whether the
metadata LIBNAME engine is used.

32
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-39

Practice

4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications

a. Perform an ad hoc backup named Before adding library assignment example in
SAS Management Console. Log on as Ahmed using the password Student1.
b. Register a library and tables in metadata. You can use SAS Environment Manager or
SAS Management Console to register a SAS library.

SAS Environment Manager

1) Make sure that you are signed in to SAS Environment Manager as Ahmed with the
password Student1. On the Administration page, click Libraries.

2) Click the New Library button in the upper right toolbar.

3) Create a library with the following characteristics:

Name Library Assignment Example libdata

Folder location /Orion Star/Shipping Department

Library Type SAS Base Library

Libref libdata

Engine BASE

Path specification • On the Linux server:

/opt/sas/Workshop/OrionStar/orstar
• On the Windows server:
D:\Workshop\OrionStar\orstar

Assigned SAS SASApp

Servers

4) Register the following tables in the Library Assignment Example libdata library and
store the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-40 Lesson 7 Establishing Connectivity to Data Sources

SAS Management Console

1) Create a library with the following characteristics:

Library Type SAS Base Library

Name Library Assignment Example libdata

Folder location /Orion Star/Shipping Department

Server SASApp

Libref libdata

Path specification • On the Linux server: /opt/sas/Workshop/OrionStar/orstar

• On the Windows server: D:\Workshop\OrionStar\orstar

2) Register the following tables in the Library Assignment Example libdata library and
store the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM
c. Add Jacques to the authorization of the Shipping Department folder. Verify that he has a
grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.
d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Submit the
following code:
proc print data=libdata.NEWHIRES (obs=10);
run;
You get the following error: ERROR: Libref LIBDATA is not assigned.
Note: A solution would be to do the following:
1) Right-click Library Assignment Example libdata and select Assign, but coders
do not like this.
2) Provide a LIBNAME statement, but that is more dif f icult to maintain and
administer.
3) Pre-assign a library.
e. Navigate to Server List  Servers  SASApp  Libraries  Library Assignment
Example libdata.
Note: The library icon is white (unassigned).
Note: There are two tables (NEWHIRES and PRODUCT_DIM).
f. Open the NEWHIRES table. Are you successf ul?
Note: SAS Enterprise Guide assigns libraries by def ault, using the metadata LIBNAME
engine. The metadata LIBNAME engine enf orces the Read permission in metadata.
g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-41

h. Log on to OLAP Cube Studio as Jacques with the password Student1, using the SAS
Admin - Linux or the SAS Admin - Windows connection profile. You can access OLAP
Cube Studio f rom the Start menu by selecting All Programs  SAS.
Navigate to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and
select Open.
Note: No error was generated, and Jacques is able to view the data because SAS OLAP
Cube Studio uses the native engine by default (BASE, ORACLE, R3, and so on), so
the Read, Write, Create, and Delete permissions in metadata are ignored.
i. Exit SAS OLAP Cube Studio.
5. Pre-assigning a Library in the Metadata
a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment
Manager or SAS Management Console.

SAS Environment Manager

1) On the Administration page, click Libraries. Right-click Library Assignment Example

libdata and select Open.
2) Click the Options tab and then click the pencil to edit the Pre-assignment options.
3) Select Pre-assign in the left pane. Click Library is pre-assigned in the right pane and
select By metadata library engine in the Pre-assignment Type list. Save your
changes.

SAS Management Console

1) Under the Data Library Manager plug-in, right-click Library Assignment Example
libdata and select Properties.
2) On the Options tab, click the Advanced Options button.
3) Pre-assign the library using the metadata library engine. Click OK twice.
b. In SAS Enterprise Guide, verif y that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)
c. Expand Library Assignment Example libdata.
Note: The Library icon is yellow, which means it is assigned.
Note: You see the two registered tables (NEWHIRES and PRODUCT_DIM).
d. Open Program Editor. Edit and submit the f ollowing code:
proc print data=libdata.NEWHIRES (obs=10);
run;
Note: The code runs, but there is an authorization error. The library assigns but cannot
read data. (The metadata LIBNAME engine enf orces Read, Write, Create, and
Delete.)
e. Disconnect from the workspace server by right-clicking SASApp under the Servers list and
select Disconnect.
f. Log on to SAS OLAP Cube Studio as Jacques using the password Student1. On the Folders
tab, navigate to Orion Star  Shipping Department. Right-click NEWHIRES and select
View Data.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-42 Lesson 7 Establishing Connectivity to Data Sources

Note: There is an error indicating that Read permission is required because this library was
pre-assigned with the metadata LIBNAME engine.
g. Exit SAS OLAP Cube Studio.
6. Pre-assigning a Library in Metadata Using a Native Engine
a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment
Manager or SAS Management Console.

SAS Environment Manager

1) On the Administration page, click Libraries. Right-click Library Assignment Example

libdata and select Open.
2) Click the Options tab and then click the pencil to edit the Pre-assignment options.
3) Select Pre-assign in the left pane. Click Library is pre-assigned in the right pane and
select By native library engine in the Pre-assignment Type list. Save your changes.

SAS Management Console

1) Under the Data Library Manager plug-in, right-click Library Assignment Example
libdata and select Properties.
2) On the Options tab, click the Advanced Options button.
3) Pre-assign the library using By native library engine. Click OK twice.
b. In SAS Enterprise Guide, verif y that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)
c. Expand Library Assignment Example libdata.
Note: The Library icon is yellow, which means it is assigned.
Note: All tables show up regardless of whether they are registered in metadata, based on
Jacques’ operation system permissions on the table.
d. Open the Program Editor. Enter and submit the f ollowing code:
proc print data=libdata.NEWHIRES (obs=10);
run;
Note: The code runs, and a list report is produced with 10 rows displayed.
Note: There were no metadata permissions enf orced on the table. When you
pre-assign with the native engine, SAS Enterprise Guide display s all tables
in the Server list, regardless of whether they are registered in metadata.
Note: To use the native LIBNAME engine without pre-assigning the library, use the
AssignMode option with value of 0.
e. Exit out of SAS Enterprise Guide.
f. Remove Jacques f rom the Authorization tab of the Shipping Department f older using SAS
Environment Manager or SAS Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-43

7. Updating Table Metadata with SAS Enterprise Guide

a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
b. Select Tools  Update Library Metadata.
c. Create a project to perform the task. Select Create Project.
d. Select SASApp as the server and Customer Orders ordetail. Click Next.
e. Select Report on the differences between physical tables and the metadata repository
and click Finish.
f. View the results. Do any tables need to be updated?
Do any tables need to be added?
Do any tables need to be deleted?
g. In the project tree, under the process flow, right-click Update Metadata for "Customer
Orders ordetail" and select Modify.
h. Keep the same server and library on Step 1 but select Update and add table definitions in
the metadata with the actual tables and columns on Step 2.
For which actions can you override the default credentials?
What are the default credentials?
Why or when might you want to override the default credentials?
i. Click the box in the Override default credentials section to Specify a different user than
Ray (Ray). Use Ahmed for the User ID and Student1 for the password. Click Finish to run
the update.
Are any new tables defined?

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-44 Lesson 7 Establishing Connectivity to Data Sources

7.01 Activity
The unrestricted user can see the Sample Data library and its tables
registered in the metadata using SAS Management Console.
Marcel cannot see the Sample Data library and tables in SAS Add-In for
Microsoft Office or in SAS Data Integration Studio.
What is the problem?

35
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

7.02 Activity
The unrestricted user can see the Sample Data library and its tables
registered in the metadata using SAS Management Console.
Marcel can see the Sample Data library and tables in SAS Add-In for
Microsoft Office but cannot open the table.
What is a possible cause of this problem?

37
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.2 Setting Up Data Access 7-45

7.03 Activity
Marcel can see the Sample Data library and tables in SAS Management
Console and in SAS Data Integration Studio. Marcel can open the table in
SAS Data Integration Studio.
Marcel cannot see the Sample Data library and tables in the SAS Add-In for
Microsoft Office.
What is the problem?

39
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-46 Lesson 7 Establishing Connectivity to Data Sources

7.3 Solutions
Solutions to Practices
1. Registering a SAS Library and Tables
a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on
as Ahmed using the password Student1.

You can use SAS Environment Manager or SAS Management Console to register a SAS
library.

SAS Environment Manager

1) Make sure that you are signed on to SAS Environment Manager as Ahmed with the
password Student1. On the Administration page, click Libraries.

2) Click the New Library button in the upper right toolbar.

3) Create a library with the following characteristics:

Name Customer Orders ordetail

Folder location /Orion Star/Shipping Department

Library Type SAS Base Library

Libref ordetail

Engine BASE

Path specification • On the Linux server: /opt/sas /Workshop/

OrionStar/ordetail
• On the Windows server:
D:\Workshop\OrionStar\ordetail
Note: You need to add the path to the existing list.

Assigned SAS SASApp

Servers

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-47

a) Click the Add button to add the path of the physical location of the data to the list.

b) Enter the path. Click Save.

c) Click Save.
d) Select Assigned SAS Servers on the Customer Orders ordetail library properties
page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-48 Lesson 7 Establishing Connectivity to Data Sources

e) Click the pencil to edit the servers, select the box next to SASApp, and click Save.

4) Select Tables on the Customer Orders ordetail library properties page and click the
Register Tables toolbar button +.
5) Register the following tables in the Customer Orders ordetail library and store the
metadata in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST
Note: If you are signed in as sasadm@saspw, you receive an error because that
account is internal and does not have access to a SAS Workspace Server.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-49

a) Change the location to /Orion Star/Shipping Department by using the Browse

button and select CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST,
PRODUCT_LIST.

b) Click Close in the pop-up window, and the tables are now shown as registered in
metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-50 Lesson 7 Establishing Connectivity to Data Sources

SAS Management Console

1) Make sure you are logged on as Ahmed using the password Student1. On the Plug-ins
tab, expand Data Library Manager. Right-click Libraries and select New Library.

2) Create a library with the following characteristics:

Library Type SAS Base Library

Name Customer Orders ordetail

Folder location /Orion Star/Shipping Department

Server SASApp

Libref ordetail

• On the Linux server:

Path specification
/opt/sas/Workshop/OrionStar/ordetail
• On the Windows server: D:\Workshop\OrionStar\ordetail
Note: You need to add the path to the existing list in the
wizard.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-51

a) Highlight SAS BASE Library. Click Next.

b) Enter Customer Orders ordetail in the Name field. Select Browse and navigate to
Orion Star/Shipping Department. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-52 Lesson 7 Establishing Connectivity to Data Sources

c) Move SASApp to the Selected servers box. Click Next.

d) Enter ordetail in the Libref field. Click New to add the data path to the Available
items list.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-53

e) Navigate to the proper location.

For Linux Server

opt/sas/Workshop/OrionStar/ordetail

For Windows Server

D:\Workshop\OrionStar\ordetail

f ) Click OK twice.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-54 Lesson 7 Establishing Connectivity to Data Sources

g) The path appears in the Selected items box. Click Next.

h) Click Finish.

3) Register the following tables in the Customer Orders ordetail library and store the
metadata in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-55

a) Right-click the Customer Orders ordetail library under the Data Library Manager
plug-in and select Register Tables.

b) Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-56 Lesson 7 Establishing Connectivity to Data Sources

c) Hold down the Ctrl key down while you select CUSTOMER, ORDERS,
ORDER_ITEM, PRICE_LIST, and PRODUCT_LIST. Verify that the folder location in
metadata is the same as where the library was registered. Click Next.

d) Click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-57

2. Verifying Library and Table Metadata in SAS Enterprise Guide

a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping
Folder in SAS Management Console. Log on as Ahmed using the password Student1.
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
permission on the Shipping Department folder.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-58 Lesson 7 Establishing Connectivity to Data Sources

c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he is
able to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries.
Through the Server list, you can see the metadata libraries and the tables that are registered
to those libraries.
Note: Only SAS Enterprise Guide and the SAS Add-In for Microsoft Office have a Server
list display.

e. Right-click Customer Orders ordetail and select Properties. What is the libref? ORDETAIL
Click Close.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-59

f. Open or create a new program and enter the following LIBNAME statement in the Program
Editor and run the program:
Note: To get to the Program Editor, select Program  New program. Or you can select
File  New  Program.
libname ordetail meta library='Customer Orders ordetail';
Check for errors in the log.

If it was successfully assigned, you see that under the Server list, the library icon for
Customer Orders ordetail has changed to yellow because it has been assigned. (You need
to refresh the view by right-clicking SASApp under the Server list and selecting Refresh.)
Note: The five tables that were registered in the previous practice are listed under the
library in the Server list.

g. Select the Folders list in the Resources pane in the bottom left of the interface. Expand
Orion Star  Shipping Department. Do you see the library?
No, the folder structure in SAS Enterprise Guide does not show library definitions.
Do you see any tables?
Yes, the registered tables to Customer Orders ordetail are displayed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-60 Lesson 7 Establishing Connectivity to Data Sources

Note: If you did the demonstration, you will also see the registered tables from that library.

h. Open one of the tables. (You can right-click and select Open or double-click the table.)
Are you able to open the table?
No

Authorization for accessing this table requires Read as well as ReadMetadata when
opening tables in SAS Enterprise Guide because the metadata LIBNAME engine is
used by default, which enforces the Read permission as well. In step a, we denied
Shipping the Read permission on the Shipping Department folder.
i. Return to the code section of the Program window and change the LIBNAME statement as
follows:

For Linux Server

libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';

For Windows Server

libname ordetail 'D:\Workshop\OrionStar\ordetail';

This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You need to refresh the
view by right-clicking SASApp under the Server list and selecting Refresh.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-61

All the tables appear that the user logged on to and has permission to see in the
stored location in the operation system. When writing this native LIBNAME statement,
the user is not going through metadata for table metadata, so no metadata
permissions are enforced.

j. Use SAS Environment Manager or SAS Management Console to grant the Read permission
back to Shipping on the Shipping Department folder. Or you can recover from the backup
that you performed in step a.

3. Listing Libraries, Librefs, and Their Server Contexts

Metadata DATA step f unctions provide a programming -based interf ace to create and maintain
metadata in the SAS Metadata Server. This program uses metadata DATA step f unctions to
return more detailed inf ormation about the libraries. The results are returned to a libraries data
set in the Work library. The requested data includes the library metadata ID, the library name,
the libref , the engine, the path on the f ile system (or if DBMS data, the DBMS path), and the
server contexts to which the library is associated.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-62 Lesson 7 Establishing Connectivity to Data Sources

a. Sign in to SAS Studio as Ahmed and run the f ollowing program:

extractlibrefandserverapp.sas.
Open a web browser f rom the Windows machine using the taskbar. Select SAS Studio f rom
the Windows or Linux f older on the Favorites bar.

For Linux Server

Expand Files (/opt/sas/Workshop)  spaft. Double-click

extractlibrefandserverapp.sas to bring the program into the editor.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-63

For Windows Server

Expand Files (D:\Workshop)  spaftWIN. Double-click

extractlibrefandserverapp.sas to bring the program into the editor.

b. Verif y the connection inf ormation to the metadata server in the OPTIONS statement at the
top of the program.

For Linux Server

options metaserver="sasapp"
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";

For Windows Server

options metaserver="sasserver"
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs? No
Note: Sample programs and more information about using DATA step functions to extract
metadata information can be found in the following documentation: SAS 9.4
Language Interfaces to Metadata, Second Edition.
4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications
a. Perform an ad hoc backup named Before adding library assignment example in SAS
Management Console. Log on as Ahmed using the password Student1.
b. Register a library and tables in metadata. You can use SAS Environment Manager or
SAS Management Console to register a SAS library.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-64 Lesson 7 Establishing Connectivity to Data Sources

SAS Environment Manager

1) Make sure that you are signed in to SAS Environment Manager as Ahmed with the
password Student1. On the Administration page, click Libraries.

2) Click the New Library button in the upper right toolbar.

3) Create a library with the following characteristics:

Name Library Assignment Example libdata

Folder location /Orion Star/Shipping Department

Library Type SAS Base Library

Libref libdata

Engine BASE

Path specification • On the Linux server:

/opt/sas/Workshop/OrionStar/ordetail
• On the Windows server: D:\Workshop\OrionStar\ordetail

Assigned SAS SASApp

Servers

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-65

a) Select the box next to the following:

For Linux server: /opt/sas/Workshop/OrionStar/orstar
For Windows server: D:\Workshop\OrionStar\orstar

b) Click Save.
c) Select Assigned SAS Servers on the Library Assignment Example libdata library
properties page. Click the pencil to edit the servers, select the box next to SASApp,
and click Save.

4) Register the following tables in the Library Assignment Example libdata library and
store the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-66 Lesson 7 Establishing Connectivity to Data Sources

a) Click the Tables tab on the Library Assignment Example libdata properties page and
click the Register Tables toolbar button +.

Note: If you are signed in as sasadm@saspw, you receive an error because that
account is internal and does not have access to a SAS Workspace Server.

b) Change the location to /Orion Star/Shipping Department by using the Browse

button if necessary and then select NEWHIRES and PRODUCT_DIM and click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-67

c) Click Close in the pop-up window.

SAS Management Console

1) Create a library with the following characteristics:

Library Type SAS Base Library

Name Library Assignment Example libdata

Folder location /Orion Star/Shipping Department

Server SASApp

Libref libdata

Path specification • On the Windows server:

D:\Workshop\OrionStar\orstar
• On the Linux server:
/opt/sasinside/DemoData/Workshop/
OrionStar/orstar

a) In the Data Library Manager Plug-in, right-click Libraries and select New Library.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-68 Lesson 7 Establishing Connectivity to Data Sources

b) Select SAS BASE Library. Click Next.

c) Enter Library Assignment Example libdata in the Name field. Make sure that the
metadata location is /Orion Star/Shipping Department. Click Next.

d) Move SASApp to the Selected servers box and click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-69

e) Enter libdata in the Libref field and highlight the following:

For Linux Server

opt/sas/Workshop/OrionStar/orstar

For Windows Server

D:\Workshop\OrionStar\orstar

f ) Move it to the Selected items box. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-70 Lesson 7 Establishing Connectivity to Data Sources

g) Click Finish.
2) Register the following tables in the Library Assignment Example libdata library and
store the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM
Right-click Library Assignment Example libdata under the Data Library Manager
Plug-in and select Register Tables. Click Next. With the Ctrl key held down, select
NEWHIRES and PRODUCT_DIM. Verify that the metadata location is the same folder
as the library. Click Next. Click Finish.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-71

c. Add Jacques to the authorization of the Shipping Department folder. Verify that he has
a grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.

SAS Environment Manager

1) Make sure that you are signed in to SAS Environment Manager as Ahmed using the
password Student1. On the Administration page, select Folders, expand the Orion Star
folder, and select the Shipping Department folder. Click the Authorization tab on the
Shipping Department properties page and click the pencil to edit the folder’s
authorization.

2) Click the Add Identities toolbar button + in the upper right.

3) Enter Jacques in the filter and move Jacques to the Identities to add pane. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-72 Lesson 7 Establishing Connectivity to Data Sources

4) Jacques is given an automatic grant of ReadMetadata. Select Deny for all other
permission that he has as indirect Grants (WMM, CM, R).

5) Click Save.

SAS Management Console

1) Right-click the Shipping Department folder and click the Authorization tab. Click Add
next to the Users and Groups window. Add Jacques to the Selected Identities box. Click
OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-73

2) He is given an automatic grant of ReadMetadata. Select Deny for all other permissions
that Jacques has as indirect grants.

d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Open a new
program and submit the following code:
proc print data=libdata.NEWHIRES(obs=10);
run;
You get the following error: ERROR: Libref LIBDATA is not assigned.

Note: A solution would be to do the following:

1) Right-click Library Assignment Example libdata and select Assign, but coders
do not like this.
2) Provide a LIBNAME statement, but that is more dif f icult to maintain and
administer.
3) Pre-assign a library.
e. Navigate to Servers  SASApp  Libraries  Library Assignment Example libdata.
Note: The library icon is white (unassigned).
Note: There are two tables (NEWHIRES and PRODUCT_DIM).

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-74 Lesson 7 Establishing Connectivity to Data Sources

f. Open the NEWHIRES table. Are you successf ul? No, an Error window appears, indicating
that Read permission is required.
Note: SAS Enterprise Guide assigns libraries by def ault, using the metadata LIBNAME
engine. The metadata LIBNAME engine enf orces the Read permission in metadata.
Right-click the NEWHIRES table in the server list and select Open.

Error message:

g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-75

h. Log on to OLAP Cube Studio as Jacques with the password Student1 using the SAS
Admin - Linux or the SAS Admin - Windows connection profile. You can access OLAP
Cube Studio f rom the Start menu under SAS.

Navigate to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and

select View Data.
Note: No error was generated, and Jacques is able to view the data because SAS OLAP
Cube Studio uses the native engine by default (BASE, ORACLE, R3, and so on), so
the Read, Write, Create, and Delete permissions in metadata are ignored.
i. Exit SAS OLAP Cube Studio.
5. Pre-assigning a Library in the Metadata
a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment
Manager or SAS Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-76 Lesson 7 Establishing Connectivity to Data Sources

SAS Environment Manager

1) On the Administration page, click Libraries. Right-click Library Assignment Example

libdata and select Open.

2) Click the Options tab and then click the pencil to edit the Pre-assignment options.

3) Select Pre-assign in the left pane. Click Library is pre-assigned in the right pane and
select By metadata library engine in the Pre-assignment Type list. Save your
changes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-77

SAS Management Console

1) Under the Data Library Manager plug-in, right-click Library Assignment Example
libdata and select Properties.

2) On the Options tab, click the Advanced Options button.

3) Pre-assign the library using the metadata library engine.

Click OK twice.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-78 Lesson 7 Establishing Connectivity to Data Sources

b. In SAS Enterprise Guide, verif y that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)

c. Expand Library Assignment Example libdata.

Note: The Library icon is yellow, which means it is assigned.
Note: You see the two registered tables (NEWHIRES and PRODUCT_DIM).

d. Open the Program Editor. Enter and submit the f ollowing code:
proc print data=libdata.NEWHIRES (obs=10);
run;
Note: The code runs, but there is an authorization error. The library assigns but cannot
read data. (The metadata LIBNAME engine enf orces Read, Write, Create, and
Delete.)

e. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-79

f. Log on to SAS OLAP Studio as Jacques using the password Student1. On the Folders tab,
navigate to Orion Star  Shipping. Right-click NEWHIRES and select View Data.
Note: There is an error indicating that Read permission is required because this library was
pre-assigned with the metadata LIBNAME engine.

g. Exit SAS OLAP Cube Studio.

6. Pre-assigning a Library in Metadata Using a Native Engine
a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment
Manager or SAS Management Console.

SAS Environment Manager

1) On the Administration page, click Libraries. Right-click Library Assignment Example

libdata and select Open.

2) Click the Options tab and then click the pencil to edit the Pre-assignment options.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-80 Lesson 7 Establishing Connectivity to Data Sources

3) Select Pre-assign in the left pane. Click Library is pre-assigned in the right pane and
select By native library engine in the Pre-assignment Type list. Save your changes.

SAS Management Console

1) Under the Data Library Manager plug-in, right-click Library Assignment Example
libdata and select Properties.
2) On the Options tab, click the Advanced Options button.
3) Pre-assign the library using By native library engine.

Click OK twice.
b. In SAS Enterprise Guide, verif y that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-81

c. Expand Library Assignment Example libdata.

Note: The Library icon is yellow, which means it is assigned.
Note: All tables show up regardless of whether they are registered in metadata, based on
Jacques’ operating system permissions on the table.

d. Open the Program Editor. Enter and submit the f ollowing code:
proc print data=libdata.NEWHIRES (obs=10);
run;
Note: The code runs and a list report is produced with 10 rows displayed.
Note: There were no metadata permissions enf orced on the table. When you pre-assign
with the native engine, SAS Enterprise Guide display s all tables in the server list,
regardless of whether they are registered in metadata.
Note: To use the native LIBNAME engine without pre-assigning the library, use the
ASSIGNMODE= option with value of 0.
e. Exit out of SAS Enterprise Guide.
f. Remove Jacques f rom the Authorization tab of the Shipping Department f older using SAS
Environment Manager or SAS Management Console.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-82 Lesson 7 Establishing Connectivity to Data Sources

7. Updating Table Metadata with SAS Enterprise Guide

a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
b. Select Tools  Update Library Metadata.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-83

c. Create a project to perform the task. Click Create Project.

d. Select SASApp as the server and Customer Orders ordetail as the library. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-84 Lesson 7 Establishing Connectivity to Data Sources

e. Select Report on the differences between physical tables and the metadata repository
and click Finish.

f. View the results. Do any tables need to be updated? Yes, one table
Do any tables need to be added? Yes, 17 tables
Do any tables need to be deleted? No

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-85

g. In the project tree, under the process flow, right-click Update Metadata for “Customer
Orders ordetail” and select Modify.

h. Keep the same server and library on Step 1, but select Update and add table definitions in
the metadata with the actual tables and columns on Step 2.
For which actions can you override the default credentials? The Update and Delete
selections
What are the default credentials? The user who is currently logged on, Ray/Student1
Why or when might you want to override the default credentials? You might want to
override the default credentials If the user that you used to log on to SAS Enterprise
Guide does not have the appropriate permissions to update libraries and tables.
Running an update or delete with appropriate permissions results in an error.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-86 Lesson 7 Establishing Connectivity to Data Sources

i. Click the box in the Override default credentials section to Specify a different user than
Ray (Ray). Use Ahmed for the User ID and Student1 for the password. Click Finish to run
the update.

Are any new tables defined? Yes, 17 tables

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 7.3 Solutions 7-87

Solutions to Activities and Questions

7.01 Activity – Correct Answer

The unrestricted user can see the Sample Data library and its tables
registered in the metadata using SAS Management Console.
Marcel cannot see the Sample Data library and tables in SAS Add-In for
Microsoft Office or in SAS Data Integration Studio.
What is the problem?

Marcel was denied access to the Sample Data library via metadata
permissions.

36
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

7.02 Activity – Correct Answer

The unrestricted user can see the Sample Data library and its tables
registered in the metadata using SAS Management Console.
Marcel can see the Sample Data library and tables in SAS Add-In for
Microsoft Office but cannot open the table.
What is a possible cause of this problem?

Marcel does not have sufficient access to the table metadata or access to
the physical table in the operating system or database where it resides.

38
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
7-88 Lesson 7 Establishing Connectivity to Data Sources

7.03 Activity – Correct Answer

Marcel can see the Sample Data library and tables in SAS Management
Console and in SAS Data Integration Studio. Marcel can open the table in
SAS Data Integration Studio.
Marcel cannot see the Sample Data library and tables in the SAS Add-In for
Microsoft Office.
What is the problem?

The Sample Data library was not assigned to an application server.

40
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
Lesson 8 Monitoring Your SAS®
Environment
8.1 Monitoring a SAS Environment with SAS Environment Manager ................................. 8-3
Demonstration: Exploring Alerts in SAS Environment Manager.................................... 8-13
Practice............................................................................................................... 8-20

8.2 Additional Topics about SAS Server Maintenance ..................................................... 8-35

Practice............................................................................................................... 8-41

8.3 Solutions ................................................................................................................... 8-46

Solutions to Practices ............................................................................................ 8-46
Solutions to Activities and Questions........................................................................ 8-82
8-2 Lesson 8 Monitoring Your SAS® Environment

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-3

8.1 Monitoring a SAS Environment with

SAS Environment Manager

Windows Operating System Monitoring Tools

The Windows platform provides these built-in applications to help you
monitor your SAS deployment:
• Windows Services application
• Windows Task Manager/Process Explorer
• Windows Event Viewer
• Windows Explorer/editors

3
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The most valuable tools are of ten the Windows Explorer and simple text f ile editors. With these two
tools, you can search f or and monitor server logs.
The Windows Services application provides an interf ace to start, stop, and configure Windows
services. It also does the f ollowing:
• enables the administrator to list and review installed applications that do not require a login
• obtains status on what applications are currently running (no history) and what identity is running
them
• determines the start-up type of the application (Automatic, Manual, Disabled, or Automatic
(Delayed Start))
• sets dependencies for start-up order for processes. By default, all SAS server processes running
on Windows are installed as services.
In contrast to the Windows Services application, the Task Manager provides an additional level of
detail. It shows all running processes (foreground and background) and the name of the executable.
An application might involve more than one individual process. It also indicates system resource
utilization (CPU, memory, and disk I/O) for each process, and the Process ID (PID) - for each
process. It also provides a one-minute timeline of resource usage in real time.
The Process Explorer is similar but provides more detail. It shows the entire executable with all
parameters, and it shows parent/child process relationships. The Process Explorer also highlights
processes that are just starting up, and those that have recently shut down. Note that the Process
Explorer must be downloaded and installed separately. It is not a default part of Windows.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-4 Lesson 8 Monitoring Your SAS® Environment

The Windows Event viewer can be useful for a system administrator because it provides hardware-
level information, and requires systems administration knowledge. An example might be a failure to
write to a file because the user running the application does not have Write permissions to that
directory.

UNIX Operating System Monitoring Tools

The UNIX platform has built-in monitoring commands that provide a variety
of functions that are oriented toward the system administrator. Here are
some examples:
• ps, top, vmstat, lsof, tcpdump,
netstat, ss, iostat, strace, free,
mpstat, df, du

4
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The built-in UNIX monitoring commands provide a wide variety of f unctions that are oriented toward
the UNIX system administrator. These tools can provide inf ormatio n at the operating system,
application, or the individual process level.
The top command produces a list of all the currently running processes listed in order of CPU
usage. The top CPU users appear at the top of the list, leading to the name of this command. The
list is continuously updated at f ive second intervals by default, and there are options to shorten or
lengthen the update period. The administrator can specif y which f ields to display, their order, f ilter
the output on a variety of f ields, and sort the output by various fields.
Af ter a process ID is identif ied, you can use the ps command to f ind the complete command line,
thus identif ying the specific server (SAS or otherwise) of interest.
There are two commands that are usef ul in evaluating disk space utilization. The Linux df command
displays the amount of f ree space on all mounted f ile systems. A related commend, du, provides
disk usage (in Kb) of each directory and its subdirectories.
The SAS Environment Manager gathers many of its metrics f rom some of these UNIX tools.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-5

Developing a Monitoring Plan

• Who is responsible for monitoring and addressing problems?
• What resources need to be checked, and how often?
• Which resources are most critical?
• Which metrics are most useful?
• What happens when an issue or problem arises?
• Are there scheduled tasks that should be regularly checked?
• What reports are most helpful in identifying trends and potential
problems?

5
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

A perf ormance monitoring plan ensures that administrators always have up-to-date inf ormation
about how their servers are operating. Knowing what questions to ask usually lead s to what data is
needed to provide answers to those questions, and can provide guidance when developing a
perf ormance monitoring plan.
Establishing a perf ormance baseline establishes a ref erence point that makes it easier to identif y
problems when, or bef ore, they occur. When administrators have perf ormance data f or their systems
that cover multiple activities and loads, they can def ine a range of measurements that represent
normal perf ormance levels under typical operating conditions for each server. In addition, when
troubleshooting system problems, perf ormance data gives inf ormation about the behavior of the
various system resources when the problem occurs.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-6 Lesson 8 Monitoring Your SAS® Environment

SAS Monitoring Tools

6
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In addition to the OS-provided tools mentioned, SAS has several tools that enable the administrator
to examine, monitor, and manipulate a SAS installation. Most are highly specialized and are used f or
a small number of specific tasks.
SAS Management Console is the heart of a SAS installation, providing authentication, authorization,
conf iguration metadata, and other services. Using SAS Management Console, you can validate
basic f unctionality of SAS servers and examine o bject spawner connections, server options and
properties, and logging levels.
SAS also provides some scripting tools to start, stop, and determine the status of the SAS servers
and applications. In an earlier chapter of this course, we used the sas.servers script on UNIX to
check the status of SAS servers. In addition, most SAS servers have their own start/stop/status
scripts that can be executed either individually or as a part of a larger script.
Also, there are some monitoring tools that are a part of some SAS solutions. For example, the SAS
Visual Analytics Administrator provides reports in the SAS Visual Analytics environment. Platf orm
RTM and SAS Grid Manager Module enable grid administrators to graphically view the status of
devices and services within a SAS Grid environment.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-7

SAS Environment Manager (Review)

SAS Environment Manager provides a framework for SAS administrators to
monitor the performance, health, and operation of their SAS deployments.
• A comprehensive view of all resources related to SAS is displayed.
• It provides drill-down into different levels of detail on resources.
• It provides a flexible alerting function to warn administrators of problems.

7
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Environment Manager is based on VMware’s Hyperic application monitoring framework with
customizations and plug-ins to optimize the product specifically f or a SAS environment.
SAS Environment Manager connects a SAS environment with the underlying data services and
operating system inf ormation. Having this inf ormation connected and correlated provides a single,
consistent view of the operating environment.
SAS Environment Manager also provides proactive monitoring capabilities. Through a series of
events and alerts, you can notif y designated personnel when a threshold is exceeded and run
designated resource control operations when an alert is triggered.
The SAS Environment Manager Service Architecture provides f unctions and capabilities that enable
SAS Environment Manager to f it into a service-oriented architecture (SOA). The package
implements best practices f or resource monitoring, and automates the application’s auditing and
user monitoring capabilities.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-8 Lesson 8 Monitoring Your SAS® Environment

SAS Operational Monitoring Continuum

Real Time Operational Operational Capacity Planning/
(Detailed) (Summary) Forensics

Focus: Usage and Process SAS Environment Manager Service

Monitoring Architecture Framework
Consumption
(not persisted)
SAS IT Resource Management
(Performance Database)
Focus: OS Metrics
and Events SAS Environment Manager

• Dynamic visualization • Monitor health of the • Provide “context” for • Understanding usage
Goals/Tasks/Uses of real-time activity environment operational activities patterns of SAS content
• Alerting • Configuration change and data
• Review logs control • Audit security
changes
• Capacity planning
• Hardware maintenance
Time Scale < 1 minute 1 minute to 3 days 3 days to 10 days > 10 days

8
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Each SAS system administrator or IT operations specialist is faced with the challenging task of
monitoring, managing, and forecasting the needs of software, hardware, and systems. Adding to the
challenge is that even the language of discussing a problem, event, or analysis can become rather
complex. This diagram depicts the monitoring “continuum” over time:
• dynamic monitoring, which is typically not persisted
• recent monitoring, to include less than three days review of system usage via SAS Environment
Manager
• longer-term “forensics” type of usage and capacity planning offered by the SAS Environment
Manager Service Architecture and the SAS IT Resource Management solution
For more information, see the SAS Global Forum paper “Monitoring 101: New Features in SAS 9.4
for Monitoring Your SAS Intelligence Platform”:
http://support.sas.com/resources/papers/proceedings13/463-2013.pdf.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-9

Monitoring Resources: The Analyze Pages

The Analyze pages contain the following:
• Alert Center
• Event Center
• Operations Center
• Environment Snapshot
• Report Center
• Monitoring Center
These pages enable you to quickly view and work with alerts, events, system
status, and performance and usage reporting throughout your system.

9
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The Report Center is included only if you have enabled SAS Environment Manager Service
Architecture.

Events
An event is generated when there is a change in a resource’s state
or a change in a resource’s threshold value for one of these items:
• messages written to a log file associated with a monitored resource
• changes made to monitored configuration files or directories
• control actions: server start/stop/restart
• alerts
• event importer/event exporter

10
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

SAS Environment Manager provides the capability to monitor metrics, scan log files, manage
conf iguration changes, and monitor availability. When there is a change in a resource’s threshold
value f or one of these items, an event is recorded in SAS Environment Manager’s event message
system. Events are also automatically created f or certain types of entries in SAS server logs, and
you can specif y other criteria that will create events based on SAS server logs.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-10 Lesson 8 Monitoring Your SAS® Environment

Alerts
Alerts are a predefined or user-defined type of event that indicates a critical
condition in a selected resource.
Co nfiguration Measurement Baseline C o ntrol Log P r operty
C h ange D ata C h ange Ac t ion Ev ent Ch ange

Event Logs and Resources

Triggers

Trigger Actions
Yes
Fired Generate Notification
Alert? Syslog
Yes
Actions Mail
Notification SNMP
Suppression Pause Escalation ALERT Control Script
Yes No
More Stop
No Fixed Yes
Action? Escalation
11
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

When an alert occurs, it must be acknowledged, and alerts are listed until they are marked as being
f ixed. You can def ine escalation schemes to identify the actions that happen if an alert is not f ixed
within a specif ied time.
If you initialize SAS Environment Manager Extended Monitoring, a set of alerts is automatically
created.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-11

Environment Snapshot (Review)

Environment Snapshot contains a comprehensive listing of the system
information in the SAS Environment Manager database.

12
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Environment Snapshot was originally designed to provide SAS Technical Support with a method f or
quickly diagnosing system issues, but it also provides you with valuable inf ormation about your
system. It collects and displays the most current perf ormance measures and conf iguration
parameters f rom the SAS Environment Manager database. It also executes and gathers real-time
usage inf ormation.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-12 Lesson 8 Monitoring Your SAS® Environment

Operations Center
The Operations Center lists resources that are down or have active alerts.

13
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

You can use f ilters to f ind resources and problem types of interest. This concise view displays the
current number of unavailable resources and active alerts, as well as a one-line problem summary
f or each resource.

SAS Environment Manager Service Architecture

(Review)
The SAS Environment Manager Extended Monitoring package implements best
practices for SAS Environment Manager. The framework consists of two
components:
• predefined alerts, groups, logging, and metric configurations
• data mart infrastructure, which provides empty data tables, stored processes, and
reports that are populated by data that is provided by APM or ACM ETL processes
• Best Practices: Extended Monitoring
Data Mart
• Predefined alerts
VA auto-load Feed

Audit, Performance, and

• Automate resource configuration
Report Center

Measurement Data (APM)

• Additional resource groups
• Metric collection adjustments Agent-Collect
• Additional resources Metrics Data (ACM)
• Event importing and exporting
Kits Data

14
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Note: Extended monitoring components are not active until you initialize the service architecture.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-13

Exploring Alerts in SAS Environment Manager

This demonstration illustrates how to use alerts in SAS Environment Manager.

1. Open a web browser from the Windows machine using the taskbar. Click SAS Environment
Manager from the Linux or Windows folder on the Favorites bar.
2. Sign in as Ahmed using the password Student1.
The Analyze tab contains these selections: Environment Snapshot, Operations Center, Alert
Center, Report Center, and Event Center.

3. Select Analyze  Alert Center.

The Alert Center page provides a deployment-wide view of alerts and alert definitions.
The default view when you click a resource’s Alert page is a list of the alerts that triggered on the
current day for the resource. You can use the navigation controls on the page to list all alerts for
the resource that are still in the database. By default, alerts are removed from the database after
31 days. The retention period is configurable on the Manage  Server Settings page.
You can use the filter controls to filter by criteria such as status, type, and priority.

By selecting the box next to an alert, you can mark it as f ixed. A pop-up window enables you to
enter a note regarding the resolution of the alert. (Marking it as f ixed is a record-keeping activity
and does not mean the underlying situation that triggered the alert is f ixed.) You can
acknowledge an alert only if an escalation scheme has been def ined f or it. If an escalation
scheme has not been def ined f or the alert, you can mark the alert only as f ixed. (When an alert
occurs, it must be f ixed or acknowledged, and alerts are listed until they are marked as being
f ixed.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-14 Lesson 8 Monitoring Your SAS® Environment

If you initialize SAS Environment Manager Extended Monitoring, a set of alerts is automatically
created f or you, as we have done in this environment. These alerts identif y the most common
problems in a SAS environment.
4. Click an entry in the Resource Alerts area in the table. Detailed information about the alert is
displayed.

5. Select Analyze  Alert Center to go back to the Alert Center page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-15

6. Click the Definition tab. The Definition tab in the Alert Center contains a table that lists all the
defined alerts. Clicking an alert takes you to the definition page for the alert, where you can view
more detailed information or edit the alert. These alerts were created when Extended Monitoring
was enabled.

7. To view a list of alert definitions that apply to a resource, you will want to go to the resource itself.
Let’s look at the SAS Metadata Server resource.
Select Resources  Servers  SAS Metadata Server.
8. Select Alert  Configure.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-16 Lesson 8 Monitoring Your SAS® Environment

9. Click Metadata Excessive Authentication Errors. Notice that it is not enabled. However, you
could modify that here by clicking Edit.
Under Alert Properties, you can see the following:
• name of the alert. A triggered alert is identified by this name and a timestamp.
• description.
• priority.
• whether the alert is active.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-17

10. Click Edit under Condition Set.

An alert condition specifies a resource metric value or event that triggers an alert. Dif f erent types
of conditions are supported f or different resource types.
• Conditions are based off of a metric value, by comparing the value to an absolute value (first
radio button).
Note: If the metric value is a percentage, specify it as a float value. For example, enter .99
for 99% and enter 1.0 for 100%. Use a period as a decimal separator, not a comma.
To compare the metric value to a minimum, baseline, or maximum value, select the
second radio button. Select an operator, specify a value, and select Min Value,
Baseline Value, or Max Value.
Note: To use this approach, base lining must be enabled.
To trigger the alert when the metric value changes, select the third radio button (value
changes).
• A condition that is based on the value of an inventory property.
• A control action condition that is triggered when a particular control action is performed or
when a particular control action causes a particular result status.
• Events/logs condition, a condition that is triggered by a tracked log event. Select a message
severity level. The condition is met when a message of the specified severity (that contains
the match string, if one was specified) is written to a tracked log f ile.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-18 Lesson 8 Monitoring Your SAS® Environment

Note: To use this approach, log tracking must be enabled for the resource. To identify the
log files that are tracked for a particular resource, see the Configuration Properties
section of that resource's Inventory page.
Note: The log files that are tracked for a resource are defined using the
server.log_track.files property.
• Config changed condition: a condition that is triggered by a change to a monitored
configuration file for a particular resource. To limit the condition to a single configuration file,
enter the file name in the match filename field. If you do not specify a file name, a change to
any monitored file triggers the alert.
Note: To identify the monitored log files for a particular resource, examine the Configuration
Properties section of the resource's Inventory page.
Note: The configuration files that are monitored for a resource are defined using the
server.config_track.files property. The maximum file name length that you can enter
is 25 characters.
You can have up to three conditions for an alert, and you can attach a recovery alert, in which a
condition detects when a condition that triggered a primary alert is no longer true. When a
recovery alert is triggered, it marks the primary alert as Fixed and the primary alert definition is
re-enabled.
Enable Actions: To disable an alert definition after it is triggered (and re-enable it when the alert
that triggered it is marked Fixed), select the Generate one alert and then disable alert
definition until fixed check box. This option eliminates redundant alerts for a single problem. If
you do not select this option, the alert triggers repeatedly, as long as the triggering condition
remains true.
You can use this option in conjunction with recovery alerts to automate the process of disabling
and re-enabling an alert definition. This yields the following results: There are no redundant
alerts and you do not have to manually fix an alert that is triggered by a transient problem.
11. Click Cancel. Let’s look at alert actions at the bottom.
The types of actions that are available on the Alert Definition page vary based on the following:
• the type of resource the alert applies to
• whether the types of actions have been configured before you can use them (such as
escalations, OpenNMS trap actions, and SNMP notifications).
a. You can designate users, roles, or explicit email addresses to receive notifications when an
alert triggers.
b. If the server is configured for Open NMS integration, you can use this tab to configure SAS
Environment Manager to send an SNMP trap to OpenNMS when the alert triggers. The
notification is generated by the opennms_notify.gsp alert notification template. To
configure an OpenNMS trap action, enter a listen address and port for the OpenNMS
server. (And you will need to first configure the server to send SNMP notifications to your
NMS, under Server Settings on the Manage page.)
c. There are escalation schemes that you can assign to an alert definition. The escalation
scheme must already be defined. To create an escalation, click Escalation Schemes
Configuration on the Manage page.
d. You can define a resource control action to be performed when an alert is triggered.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-19

e. You can define a script to be performed when an alert is triggered.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-20 Lesson 8 Monitoring Your SAS® Environment

Practice

1. Setting Up a Monitor for the SAS Work Directory

The SAS Work directory stores temporary files that are created during SAS processing of code.
This directory is automatically cleaned up by default. However, the SAS Work directory might not
be cleaned up properly due to unexpected errors in processing or termination of SAS sessions. It
might be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1.
b. Locate the resource for the SAS Work directory by selecting Resources  Services.

c. Enter work directory in the search field and click the arrow to the far right of the row .
d. Click the appropriate entry:

For Linux Server

sasapp.demo.sas.com SAS Home Directory 9.4 SAS work directory

Where is the SAS Work directory located?
(It will be at the top of the Resource page.)

For Windows Server

sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory

Where is the SAS Work directory located?
(It will be at the top of the Resource page.)

e. (Optional) You can confirm the location by opening a SAS session through SAS Studio or
SAS Enterprise Guide and submitting the following code:
proc options option = work;
run;

For Linux Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment M anager 8-21

For Windows Server

f. Review the metrics collected for the SAS Work directory.

Back in SAS Environment Manager, click Metric Data to see a list of metrics.
Note: Use Percent is one of the metrics available for this resource.
g. Select Alert  Configure. Two alerts are configured and active because SAS Environment
Manager Extended Monitoring was enabled.
h. Click SASWork Disk Use %> 70. The condition is based on the Use Percent metric. You
could modify the condition set to a percentage that is appropriate in your environment.
Note: If you change the value, ensure that you enter it as a decimal value. For example,
.75 should be entered for 75%.
2. Creating a Dashboard Metric Viewer for the SAS Work Directory
The Metric Viewer portlet does not provide a resource type of SAS Work directory. It has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory
Tree, which provides the metrics that we want and then points this new platform service to the
OS directory where SAS Work is located.
a. Select Resources  Platforms.

For Linux Server

Click sasapp.demo.sas.com.
Note: You might need to clear out the cached search criteria in order for the platforms
to show up.

For Windows Server

Click sasserver.demo.sas.com.
Note: You might need to clear out the cached search criteria in order for the platforms
to show up.

b. From the Tools menu, select New Platform Service.

c. Use the following information:
Name: Enter SASWork directory.
Description: Enter Storage area for SAS intermediate and temporary files.
Service Type: Select FileServer Directory Tree.
d. Click OK.
e. Click Configuration Properties to configure the resource.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-22 Lesson 8 Monitoring Your SAS® Environment

f. Enter a path for Path to Directory and click OK.

For Linux Server

Enter /tmp.

For Windows Server

Enter C:\Windows\Temp\SAS Temporary Files.

g. Create a new Metric Viewer portlet on the Dashboard page.

1) Click the Dashboard tab.
2) On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add
Content to this column field and click the button.
3) Click the Configure button to display the Dashboard Settings page for the portlet.

4) On the Dashboard Settings page, use the following information:

Description: Enter SAS Work disk space.
Resource Type: Select FileServer Directory Tree.
Metric: Select Disk Usage.
5) Click Add to List.
6) Select the SAS Work resource that you just defined and click the arrow pointing to the
right to move the resource to the right side. Click OK.
7) Click OK.
In most cases, the Metric Viewer portlet provides the resource types that you want.
Therefore, you can get the metrics that you want to view directly. In this case, we had to use
an OS-level resource type (platform file server directory) to view those metrics.
3. Setting Up a Basic Alert for a SAS Web Server in SAS Environment Manager
In this practice, you create an alert indicating when the SAS Web Server is down and when it is
back up (a recovery alert). You also create an escalation scheme, which is a series of steps to be
executed when the alert fires.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if not
already signed in.
b. Create an escalation scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.
3) Fill in the form with the following information:
Name: WebServerScheme
Description: Web Server Status
If the alert is acknowledged: Allow user to pause escalation for 5 minutes

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-23

If the alert state changed: Notify previously notified users

If the alert is not fixed when escalation ends: Repeat escalation actions

4) Click Next Step.

5) Click the Create Action button.
6) Complete the f ollowing fields:
Create an Action for this escalation: SMS
Select method to notify: Notify Roles
In the pop-up box, select Super User Role and click OK.
Then select Continue.
Note: Ahmed is a member of the Super User role. You might want all members of the
role to be notified when something as crucial as a server goes down.
7) Click Save.
c. Create the first alert that indicates that the web server is down.
1) Select Resources  Servers 
For Linux Server: sasmid.demo.sas.com Apache 2.4.34
For Windows Server: SASSERVER Apache 2.4.34
2) Select Alert  Configure.
3) On the Alert Definitions page, click New.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-24 Lesson 8 Monitoring Your SAS® Environment

4) Enter the following information in the fields:

Name: NoWebServer
Description: SAS Web Server Down
Priority: High
Active: Yes
If Condition: Metric: Availability is < 100% of Baseline Value
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed

5) Click OK to save the alert definition.

d. You are now presented with an additional window that enables you to associate this alert
with an escalation scheme. Use the drop-down list to select the WebServerScheme scheme
that was just created.
e. After the escalation scheme is selected, click Return to Alert Definitions to create the
recovery alert.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-25

f. Create the second alert, the recovery alert, which indicates the server is back up.
1) Click New. A new alert definition window appears.
2) Enter the following information:
Name: YesWebServer
Description: SAS Web Server is back up!
Priority: High
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
Recovery Alert for: NoWebServer
Enable Action(s): Each time conditions are met
Enable Action Filters: (blank)

3) Click OK to save the new recovery alert.

g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed,
including the two that you just defined.
h. Test the new alerts. Go to Resource  Browse. Click the following:
For Linux Server: sasmid.demo.sas.com Apache 2.4.34
For Windows Server: SASSERVER Apache 2.4.34
i. Click Control.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-26 Lesson 8 Monitoring Your SAS® Environment

j. Select Stop from the drop-down list and click the right-pointing arrow next to the
Control Action field.
Note: It can take up to five minutes before the system detects that the SAS Web Server is
down because the default collection interval for it is five minutes.
k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not
Available in the Availability column.
Here are some of the locations where alerts appear:
• Dashboard  Recent Alerts or Problem Resources portlets
• on the header of Environment Manager
• Analyze tab  Alert Center
• event bar for that resource (added automatically when an event is generated)
• if you set the alert (notify) to send an email
l. You can look at the other locations as well.
Recent Alerts Portlet on Dashboard Tab

SAS Environment Manager Header and Alert Center

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-27

Event Bar for the SAS Web Server Resource

Note: The default metric collection interval for the Pivotal Web Server is five minutes.
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to
Pivotal Web Server 5.5 Servers. Select Edit Metric Template to the far right of the
entry.) Therefore, you might wait as long as five minutes before the alert fires and
you see results on your interface.
m. Acknowledge the alert. This enables others on the system to be aware that an administrator
is aware of the problem. You can acknowledge an alert in two places:
• the dashboard Recent Alerts portlet
• Analyze  Alert Center  Alerts tab
1) On the dashboard, select the box next to the NoWebServer and click ACKNOWLEDGE.
2) You can add a note f or the reason. It will show up as acknowledged on the Alerts page.
If it is not f ixed within f ive minutes (as specif ied when the alert was created), then it will
request acknowledgment again.
n. Restart the SAS Web Server by issuing the control action. Go to Resources and select the
following:
For Linux Server: sasmid.demo.sas.com Apache 2.4.34
For Windows Server: SASSERVER Apache 2.4.34
Select Control. Select Start and click the arrow in the Quick Control area.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-28 Lesson 8 Monitoring Your SAS® Environment

o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It
appears in the same places and indicates that the SAS Web Server is running again.
4. Defining an Alert for a SAS Server Log File
Log file entries are one type of event that can be configured and customized using log file
tracking in SAS Environment Manager. For each SAS server, a special file named
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard.
These files can be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Because each SAS server
has its own properties file, logging events can be created for specific server types.
In this practice, you set up an alert to be triggered whenever a warning message for the I/O
Subsystem appears in the log of the SAS Metadata Server.
a. Navigate to the metadata server’s sev_logtracker_plugin.properties f ile.

For Linux Server

On the sasapp.demo.sas.com machine navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.

b. Make a backup copy of sev_logtracker_plugin.properties.

c. Open sev_logtracker_plugin.properties.

The entries in this file use this format:

level. [level_of_message] . [sequential_number] = [regular_expression]
All sev_logtracker_plugin.properties files contain the following two entries by default:
#All fatal
level.fatal.1=.*

#All errors
level.error.1=.*

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-29

These entries specify that an event is created whenever a message appears in the SAS log
with a level of Fatal or Error. The message can contain any text. (The period represents any
character and the asterisk says “zero or more of the preceding character,” which is a period,
so any and all characters.)
level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
whenever a message with a level of Warn appears that also contains the words Access to
this account and is locked out. Any or no characters can be before, in between, or after
these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties file, the next warn message to be captured would be
level.warn.3=.*message text here.*
d. Add the f ollowing entry to the f ile:
#I/O subsystem information
level.info.1=.*I/O Subsystem.*

e. Save and close the f ile.

f. In SAS Environment Manager, locate the server SASMeta - SAS Metadata Server on the
Resource page and click it to bring up the Resource Detail page f or the server.
g. On the Detail page, select Alert  Configure to display the Alert Conf iguration page.
h. Click New to display the New Alert Conf iguration page.
i. Name the alert, select the priority, and specif y that the alert should be active.
Alert Properties:
Name: I/O Subsystem
Priority: Medium
Description: I/O subsystem warnings in the server log
Condition Set: Select the Event/Logs Level radio button and then select Info in the
Event/Logs Level f ield.
In the Substring to Match f ield, enter I/O Subsystem. This value is case
sensitive.
These values specif y that an alert is issued whenever an event is f ound f or an Inf o message
f rom the log containing the string I/O Subsystem.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-30 Lesson 8 Monitoring Your SAS® Environment

In the Enable Actions(s) area, select the Each time conditions are met radio button. An
alert is triggered each time I/O Subsystem information appears in the log.

j. Click OK.
k. (Optional) Search on the web f or the SAS Usage Notes on I/O Subsystem.

1) Open a web browser f rom the Windows machine and click the Home button in the
upper right.
2) In the search f ield, enter I/O Subsystem.
3) Select Usage Note 53874.
Note: There are many papers from SAS that can help you with various troubleshooting
techniques. For a complete list of papers useful for troubleshooting system
performance problems, see Usage Note 42197.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-31

5. Importing Events
You can turn additional items into events by using the SAS macro %evevent to simulate an
external event, which is then imported into SAS Environment Manager.
a. Go to Resources  Services and search for Event Importer.
b. Select the Service Architecture Event Importer and go to the Inventory page.
c. In the Configuration Properties section, click Edit.
d. Review the event importer settings. The settings should be as follows:
Enable Event Importer check box: selected
Enable Log Tracking check box: selected
Track event log level: INFO
Log files: Events/sasev.events

Note: If you do not have the Services Architecture initialized, you can create your own
event importer by going to Resources  Platforms (select platform)  Tools
Menu  New Platform Service. Under Service Type, select SAS Event Importer
and then fill in the same fields as shown above.
e. Click OK to exit the properties of the event importer.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-32 Lesson 8 Monitoring Your SAS® Environment

f. Navigate to the following directory:

For Linux Server

On the sasapp.demo.sas.com machine, /opt/sas/Workshop/spaft

The program CreateEvent.sas generates an event using the %evevent macro.

For Windows Server

D:\Workshop\spaftWIN
The program CreateEvent.sas generates an event using the %evevent macro.

The SAS macro library with sample macros used with the Service Architecture is in the
following location:
Linux Server: /opt/sas/config/Lev1/Web/SASEnvironmentManager/emi -framework
Windows Server: D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework
g. View the contents of the program through a text editor, but do not make changes.

The syntax f or the macro is as f ollows:

SRC= specif ies the originator of the event. You can also use this parameter to specif y the
f ormat of the text in the MSGTEXT= parameter. The value that you specif y f or the f ormat is
specif ied by the parser. Use a colon (:) to separate the originator and the f ormat inf ormation.
MSGLEVEL= specif ies the level of the event. Valid values are DEBUG, INFO, WARN, and
ERROR.
MSGTEXT= specif ies the text of the event message.
h. Generate the external event.

For Linux Server

Note: Use mRemoteNg and not WINSCP because you will be issuing a command.
1. On the sasapp.demo.sas.com machine, navigate to the following directory:
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework/bin

2. Execute the following command:

./runSASJob.sh /opt/sas/Workshop/spaft/CreateEvent.sas

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.1 Monitoring a SAS Environment with SAS Environment Manager 8-33

For Windows Server

1. Open a command prompt from the Start menu.

Navigate to the following directory:
D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\bin

2. Execute the following command:

runSASJob.bat D:\Workshop\spaftWIN\CreateEvent.sas

Note: The runSASJob.sh script sets up the SAS environment needed to run the job.
i. In SAS Environment Manager, select Analyze  Event Center. The event should appear in
a few minutes.
j. Check the sasev.events file located here:

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-
framework/Events/sasev.events
The event is included in the file. You can open up the file with the command gedit
sasev.events or use the WinSCP application.

For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-
framework\Events\sasev.events
The event is included in the file. You can open the file with Notepad++.

6. (Optional) Exporting Events

a. Create an Event Exporter Service in SAS Environment Manager. Navigate to Resources 
Platforms 
For Linux Server: sasapp.demo.sas.com
For Windows Server: sasserver.demo.sas.com
b. From the Tools menu, select New Platform Service.
1) Enter a name: sasserver export event
2) Enter a description: sasserver export event
3) Select the service type: SAS Event Exporter
4) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-34 Lesson 8 Monitoring Your SAS® Environment

c. In the new exporter, select Configuration Properties and enter the following properties:
1) Enable Event Exporter: Select to enable the event exporter.
2) Events File Name: For Linux Server: /opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server: D:\SAS\Config\Lev1\AppData\EventsOut.txt
3) User Name: Ahmed
4) Password: Student1
5) Click OK.
d. Generate an event by restarting the object spawner.
1) Go to Resources  Servers and select the following:
For Linux Server: sasapp.demo.sas.com Object Spawner -sasapp
For Windows Server: sasserver.demo.sas.com Object Spawner -sasserver
2) Click Control in the Quick Control section.
3) Change Control Action to Restart and click the arrow to the right.
e. Go to Analyze  Event Center to verify that the events occurred.
f. Navigate to the following text file to see the events being written to it:

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/AppData/EventsOut.txt
Notice the object spawner log entry.

For Windows Server

D:\SAS\Config\Lev1\AppData\EventsOut.txt
Notice the object spawner log entry.

Note: The event exporter does not allow subsetting of the events that are exported. All
events that SAS Environment Manager generates are written to the file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-35

8.2 Additional Topics about SAS Server

Maintenance

Troubleshooting the SAS Metadata Server

If the metadata server is not responding to client requests:
1. Stop the metadata server.
2. Review the entries in the metadata server log to determine the cause
of the problem.
3. Start the metadata server. Do not forget about server dependencies.
4. If you still cannot start the server, review the log again and resolve any
issues, if possible.

19
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

In this situation, these are the pref erred methods f or stopping the server:
• Use the metadata manager in SAS Management Console.
• Click the Plug-ins tab, expand the Metadata Manager node, right-click the Active Server node,
and select Stop.
• Use SAS Environment Manager
• Use the metadata server script.
• (Windows only) If you cannot stop the server using the Metadata Manager or the script, then stop
the Windows service. If you cannot stop the service, then use the windows task manager to stop
the server process.
• (UNIX only) if you cannot stop the server using the metadata manager or the script, use one of the
following commands to stop the server process:
kill -2 server-process-id kill -15 server-process-id
If the process f ails to stop, use the f ollowing command:
kill -9 server-process-id
For more inf ormation, see “Exiting or Interrupting Your SAS Session in UNIX Environments” in
SAS ® Companion for UNIX Environments.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-36 Lesson 8 Monitoring Your SAS® Environment

Recovering an Unresponsive SAS Metadata Server

To recover a non-clustered metadata server that is not responding to client
requests:
1. Copy current configuration information and data.
2. Try to start the server using the -recover option.
3. Manually recover the configuration files.
4. Use SAS Management Console to perform a normal recovery.
5. Run the Analyze and Repair Metadata Tool.

20
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

For more inf ormation, see “What to Do If the SAS Metadata Server Is Unresponsive” in
SAS 9.4 Intelligence Platform: System Administration Guide.

Analyze and Repair Tool

The Metadata Analyze and Repair Tool enables you to run selected tests on
metadata to locate common problems. When possible, the tools also repair
problems that the analysis has identified.
The Analyze and Repair Tool can be
• accessed from the Metadata Manager
node in SAS Management Console
• run in batch mode from a command line,
sas-analyze-metadata.

21
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

• Verify Metadata Files analyzes key metadata server files to determine whether they are
corrupted and, when possible, recommends repairs that can be applied.
• Verify Associations checks the metadata repository for associations in which one or the other
associated object does not exist.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-37

• Metadata Server Cluster Synchronization verifies that metadata is synchronized among all the
nodes of a metadata server cluster.
• Verify Permissions verifies that permission objects exist only in the Foundation repository.
• Verify Authentication Domains checks authentication domain objects to ensure that the object
names are valid and unique.
• Orphaned Objects locates metadata objects that are no longer being referenced.
• Validate SAS Folders analyzes the integrity of objects contained in the SAS Folders tree.

Analyze and Repair Tool

When using the Analyze and Repair Tool:
• Back up the metadata server before running a repair.
• The metadata server is automatically paused to ADMINISTRATION mode.
• On a clustered metadata server, stop all of the nodes in the cluster. Then
start a single node without clustering.
• When running the Verify Metadata Files and Verify Associations tools, it is
recommended that you run an analyze and a repair in two separate steps.
Note: If the Verify Metadata Files tool reports errors (as compared to
warnings), do not run the repair for that tool. Instead, contact
SAS Technical Support for assistance.

22
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The ADMINISTRATION state prevents metadata changes f rom occurring while the analysis process
is running, except that unrestricted users can continue to change metadata during this time. The
server is automatically resumed when the analysis and repair process is completed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-38 Lesson 8 Monitoring Your SAS® Environment

Configuration and Log Files for SAS Servers

Every server tier has a configuration directory that includes servers that are
components of a SAS Application Server: OLAP servers, workspace servers,
pooled workspace servers, stored process servers, and SAS/CONNECT
servers.
Each component has the following:
• scripts for start, stop, and status
• configuration files
• logging configuration files
• autoexec files
• _usermod files
• log files
23
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

The structure and contents of the directory vary depending on the host operating system, which
products are installed, and whether the host machine is a server-tier host or a middle-tier host.

Tuning Workspace Servers

Changes that you might need to make include specifying the following:
• an appropriate work folder
• a buffer size for writing files to the work area
• a limit on the total amount of memory that SAS uses at any one time
System Option Explanation

-work work-folder Specifies the pathname for the directory that contains the Work data library.
This directory should reside on a disk that emphasizes fast write performance.
-memsize size-value Specifies a limit on the total amount of memory that SAS uses at any one time.

-sortsize size-value Limits the amount of memory that can be used temporarily for sorting. Larger
sort sizes reduce the use of the work folder, but increase the possibility of
paging.
-ubufsize size-value Specifies a buffer size for writing files to the work area.
24
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

See “Workspace Server Conf iguration Tasks” in SAS 9.4 Intelligence Platform: Application Server
Administration Guide.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-39

Tuning Workspace Servers

After you have determined the system options that you want to use to start your
workspace server, edit the SAS command that starts the server.

Note: You might have optimized your workspace server for use with an application,
such as SAS Web Report Studio. If you are using other applications and these
applications can benefit from a workspace server that is configured
differently, you must create a new logical workspace server (under SASApp)
and add a workspace server to it.
25
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Tuning SAS Servers

Before modifying system options,
monitor the performance of your
SAS servers.
You can use the reports in the
Report Center to see resource
utilization of your SAS servers
over time.

26
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-40 Lesson 8 Monitoring Your SAS® Environment

8.01 Multiple Choice Question

If you want to specify different values for system options, or if you want to
specify additional options, then enter your updates and additions in which
of the following files for a SAS server?
a. sasv9.cfg
b. metadataconfig_usermods.xml
c. sasv9_usermods.cfg
d. autoexec.sas

27
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-41

Practice

7. Exploring the Analyze and Repair Tool

a. Log on to SAS Management Console as Ahmed using the password Student1.
b. Expand Metadata Manager. Right-click Active Server and select Analyze/Repair
Metadata.
c. The following message is displayed:

Click Yes. (The server will be paused after you complete the next two wizard pages.)
d. On the first wizard page, select the Foundation repository to analyze and repair. Click Next.
e. The next wizard page lists the analysis tools that are available. Select all of the tools. Do not
click the Repair immediately check box. It is recommended that you perform the repairs in a
separate step. Click Analyze.
A message is displayed stating that the server is being paused to Administration mode. The
analysis is then performed. When it is finished, the results are displayed.
If problems are found, the following message is displayed: Analysis has completed and
problems were found. View the log for details.
f. Click View Log to see information about the errors. Additional details might also be available
in the metadata server log.
g. Scroll down to find WARN messages:
Orphaned Objects locates metadata objects that are no longer being referenced.
Click OK to close out of the log.
h. Click Next.
i. The next wizard page displays a list of the analysis tools that found problem situations. Select
one or more tools to run in Repair mode, and click Repair.
j. A message reminds you to back up your metadata before running the repairs. Click Yes to
continue. The repairs are executed. A dialog box indicates whether each repair was
completed successfully.
k. Click Finish to exit the wizard.
Note: The log will still show the WARN message. Instead, rerun the Analysis/Repair Tools
without repairing and check the log. You should not see any WARN messages.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-42 Lesson 8 Monitoring Your SAS® Environment

8. Locating the Start-up Scripts and Configuration Files for the Workspace Server
On the server machine, open the script to start the SAS Workspace Server.
What configuration files are read during the server start-up?

For Linux Server

On the sasapp.demo.sas.com machine, start at
/opt/sas/config/Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh

Which points to: appservercontext_env.sh

Which also points to level_env.sh

So APPSERVER_ROOT resolves to /opt/sas/config/Lev1/SASApp and CONFIGDIR

resolves to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
Here are the four configuration files that are read:
• /opt/sas/config/Lev1/SASApp/sasv9.cfg
• /opt/sas/config/Lev1/SASApp/sasv9_usermods.cfg
• /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9.cfg
• /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9_usermods.cfg
Note: These configuration files include other reference to configuration files. The
complete list of configuration files and order of precedence can be f ound at the
end of this practice.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-43

For Windows Server

Start at D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat

Notice that Appservercontext_env.bat is called:

And Level_env.bat calls:

So the value of APPSERVER_ROOT resolves to D:\SAS\Config\Lev1\SASApp,

CONFIGDIR resolves to D:\SAS\Config\Lev1\SASApp\WorkspaceServer, and
CMD_OPTIONS= -config "D:\SAS\Config\Lev1\SASAp\WorkspaceServer\sasv9.cfg".
sasv9.cfg includes two other configuration files:

Note: The documentation provides information about the configuration files used by default.
This can be found in the appendix of SAS 9.4 Intelligence Platform: System
Administration Guide, Fourth Edition.
Configuration Files for Components of SAS Application Servers

Order of Path and File Name

Precedence

1 Windows: \Lev1\server-context\server-name\sasv9.cfg
UNIX: /Lev1/server-context/server-name/sasv9.cfg

2 Windows: \Lev1\server-context\sasv9.cfg
UNIX: /Lev1/server-context/sasv9.cfg

3 Windows: SAS-install-directory\SASFoundation\9.4\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/sasv9.cfg

4 UNIX only: SAS-install-directory /SASFoundation/9.4/sasv9_local.cfg

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-44 Lesson 8 Monitoring Your SAS® Environment

Order of Path and File Name

Precedence

5 Windows: SAS-install-directory\SASFoundation\9.4\locale\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/locale/sasv9.cfg

6 Windows: \Lev1\server-context\sasv9_usermods.cfg
UNIX: /Lev1/server-context/sasv9_usermods.cfg

7 Windows: \Lev1\server-context\appserver_autoexec.sas
UNIX: /Lev1/server-context/appserver_autexec.sas

8 Windows: \Lev1\server-context\appserver_autoexec_usermods.sas
UNIX: /Lev1/server-context/appserver_autoexec_usermods.sas

9 Windows: \Lev1\server-context\server-name\sasv9_usermods.cfg
UNIX: /Lev1/server-context/server-name/sasv9_usermods.cfg

10 Windows: \Lev1\server-context\server-name\autoexec.sas
UNIX: /Lev1/server-context/server-name/autoexec.sas

11 Windows: \Lev1\server-context\server-name\autoexec_usermods.sas
UNIX: /Lev1/server-context/server-name/autoexec_usermods.sas

9. (Optional) Adding System Options to the Workspace Server Launch Command

After you determine the system options that you want to use to start your workspace server, you
can add system options to the workspace server launch command.
a. In SAS Management Console, expand Server Manager  SASApp - Logical Workspace
Server. A tree node that represents the physical workspace server is displayed.
b. Right-click the icon f or the physical workspace server, and select Properties.
c. Click the Options tab. The command to start the workspace server is displayed.
d. You would edit the text in the Command text box, which by def ault is set to this:
configuration-directory\SASApp\WorkspaceServer\WorkspaceServer.bat
For example, here is a command with options that improve performance for a workspace
server:
configuration-directory\SASApp\WorkspaceServer\WorkspaceServer.bat
-rsasuser -work work-folder -ubufsize 64K -memsize 512M
-realmemsize 400M -sortsize 256M
e. If you wanted to f orce the workspace server to disconnect idle clients, on this Options tab,
click Advanced Options.
f. Click Launch Properties.
g. In the Inactive client timeout f ield, enter a numeric value (minutes) that a connected client
is allowed to remain inactive bef ore the server disconnects the client. Specify a value of 0 to
disable this option.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.2 Additional Topics about SAS Server Maintenance 8-45

h. Click Cancel in the Advanced Options dialog box.

i. Click Cancel in the Properties dialog box. (You are not making any changes.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-46 Lesson 8 Monitoring Your SAS® Environment

8.3 Solutions
Solutions to Practices
1. Setting Up a Monitor for the SAS Work Directory
The SAS Work directory stores temporary files that are created during SAS processing of code.
This directory is automatically cleaned up by default. However, the SAS Work directory might not
be cleaned up properly due to unexpected errors in processing or t ermination of SAS sessions. It
might be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1.
b. Locate the resource for the SAS Work directory by selecting Resources  Services.

c. Enter work directory in the search field and click the arrow to the far right of the row .

d. Click the appropriate entry:

For Linux Server

sasapp.demo.sas.com SAS Home Directory 9.4 SAS work directory

Where is the SAS Work directory located? /tmp
(It will be at the top of the Resource page.)

For Windows Server

sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory

Where is the SAS Work directory located? C:\Windows\Temp\SAS Temporary Files
(It will be at the top of the Resource page.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-47

e. (Optional) You can confirm the location by opening a SAS session through SAS Studio or
SAS Enterprise Guide and submitting the following code:
proc options option = work;
run;

For Linux Server

For Windows Server

f. Review the metrics collected for the SAS Work directory.

Back in SAS Environment Manager, click Metric Data to see a list of metrics.

Note: Use Percent is one of the metrics available for this resource.
g. Select Alert  Configure. Two alerts are configured and active because SAS Environment
Manager Extended Monitoring was enabled.

h. Click SASWork Disk Use %> 70. The condition is based on the Use Percent metric. You
could modify the condition set to a percentage that is appropriate in your environment.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-48 Lesson 8 Monitoring Your SAS® Environment

Note: If you change the value, ensure that you enter it as a decimal value. For example,
.75 should be entered for 75%.
2. Creating a Dashboard Metric Viewer for the SAS Work Directory
The Metric Viewer portlet does not provide a resource type of SAS Work directory. It has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory
Tree, which provides the metrics that we want and then points this new platform service to the
OS directory where SAS Work is located.
a. Select Resources  Platforms.

For Linux Server

Click sasapp.demo.sas.com.
Note: You might need to clear out the cached search criteria in order for the platforms
to show up.

For Windows Server

Click sasserver.demo.sas.com.
Note: You might need to clear out the cached search criteria in order for the platforms
to show up.

b. From the Tools menu, select New Platform Service.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-49

c. Use the following information:

Name: Enter SASWork directory.
Description: Enter Storage area for SAS intermediate and temporary files.
Service Type: Select FileServer Directory Tree.

d. Click OK.
e. Click Configuration Properties to configure the resource.

f. Enter a path for Path to Directory and click OK.

For Linux Server

Enter /tmp.

For Windows Server

Enter C:\Windows\Temp\SAS Temporary Files.

g. (Optional) Create a new Metric Viewer portlet on the Dashboard page.

1) Click the Dashboard tab.
2) On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add
Content to this column field and click the button.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-50 Lesson 8 Monitoring Your SAS® Environment

3) Click the Configure button to display the Dashboard Settings page for the portlet.

4) On the Dashboard Settings page, use the following information:

Description: Enter SASWork disk space.
Resource Type: Select FileServer Directory Tree.
Metric: Select Disk Usage.

5) Click Add to List.

6) Select the SAS Work resource that you just defined and click the arrow pointing to the
right to move the resource to the right side. Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-51

7) Click OK.

In most cases, the Metric Viewer portlet provides the resource types that you want.
Therefore, you can get the metrics that you want to view directly. In this case, we had to
use an OS-level resource type (platform file server directory) to view those metrics.
3. Setting Up a Basic Alert for a SAS Web Server in SAS Environment Manager
In this practice, you create an alert indicating when the SAS Web Server is down and when it is
back up (a recovery alert). You also create an escalation scheme, which is a series of steps to be
executed when the alert fires.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if not
already signed in.
b. Create an escalation scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-52 Lesson 8 Monitoring Your SAS® Environment

3) Fill in the form with the following information:

Name: WebServerScheme
Description: Web Server Status
If the alert is acknowledged: Allow user to pause escalation for 5 minutes
If the alert state changed: Notify previously notified users
If the alert is not fixed when escalation ends: Repeat escalation actions

4) Click Next Step.

5) Click the Create Action button.

6) Complete the following fields:

Create an Action for this escalation: SMS
Select method to notify: Notify Roles

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-53

In the pop-up box, select Super User Role and click OK.

Then select Continue.

Note: Ahmed is a member of the Super User role. You might want all members of the
role to be notified when something as crucial as a server goes down.
7) Click Save.
c. Create the first alert that indicates that the web server is down.
1) Select Resources  Servers 
For Linux Server: sasmid.demo.sas.com Pivotal Web Server 5.5 WebServer
For Windows Server: sasserver.demo.sas.com Pivotal Web Server 5.5 WebServer

2) Select Alert  Configure.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-54 Lesson 8 Monitoring Your SAS® Environment

3) On the Alert Definitions page, click New.

4) Enter the following information in the fields:

Name: NoWebServer
Description: SAS Web Server Down
Priority: High
Active: Yes
If Condition: Metric: Availability is < 100% of Baseline Value
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed

5) Click OK to save the alert definition.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-55

d. You are now presented with an additional window that enables you to associate this alert
with an escalation scheme. Use the drop-down list to select the WebServerScheme scheme
that was just created.

e. After the escalation scheme is selected, click Return to Alert Definitions to create the
recovery alert.
f. Create the second alert, the recovery alert, which indicates the server is back up.
1) Click New. A new alert definition window appears.
2) Enter the following information:
Name: YesWebServer
Description: SAS Web Server is back up!
Priority: High
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
Recovery Alert for: NoWebServer
Enable Action(s): Each time conditions are met
Enable Action Filters: (blank)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-56 Lesson 8 Monitoring Your SAS® Environment

3) Click OK to save the new recovery alert.

g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed,
including the two that you just defined.

h. Test the new alerts. Go to Resource  Browse. Click the following:

For Linux Server: sasmid.demo.sas.com Pivotal Web Server 5.5 Web Server
For Windows Server: sasserver.demo.sas.com Pivotal Web Server 5.5 Web Server

i. Click Control.

j. Select Stop from the drop-down list and click the right-pointing arrow next to the Control
Action field.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-57

Note: It can take up to f ive minutes bef ore the system detects that the SAS Web Server is
down, because the def ault collection interval f or it is f ive minutes.

For Windows Server

Troubleshooting moment!
When you attempt to stop the SAS Web Server, there is an error:

Why is that?
The SAS Deployment Agent cannot find the Windows service that is used for issuing
control actions this server.
Edit the service_name value under Inventory  Configuration Properties and the
Control section. The value should match what is seen in the Windows Services
application for the SAS Web Server. To avoid spelling issues, copy the name of the
SAS[Config-Lev1]httpd-WebServer from Windows Services.
(Right-click the service and select Properties to copy the service name.)

After updating the proper Windows service name, you can now use control actions for
the SAS Web Server.

k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not
Available in the Availability column.
Here are some of the locations where alerts appear:
• Dashboard  Recent Alerts or Problem Resources portlets
• on the header of the Environment Manager
• Analyze tab  Alert Center
• event bar for that resource (added automatically when an event is generated)
• if you set the alert (notify) to send an email

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-58 Lesson 8 Monitoring Your SAS® Environment

l. You can look at the other locations as well.

Recent Alerts Portlet on Dashboard Tab

SAS Environment Manager Header and Alert Center

Event Bar for the SAS Web Server Resource

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-59

Note: The default metric collection interval for the Pivotal Web Server is five minutes.
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to
Pivotal Web Server 5.5 Servers. Select Edit Metric Template to the far right of the
entry.) Therefore, you might wait as long as five minutes before the alert fires and
you see results on your interface.
m. Acknowledge the alert. This enables others on the system to be aware that an administrator
is aware of the problem. You can acknowledge an alert in two places:
• the dashboard Recent Alerts portlet
• Analyze  Alert Center  Alerts tab

1) On the dashboard, select the box next to NoWebServer and click ACKNOWLEDGE.
2) You can add a note for the reason. It will show up as acknowledged on the Alerts page.
If it is not fixed within five minutes (as specified when the alert was created), then it will
request acknowledgment again.

n. Restart the SAS Web Server by issuing the control action. Go to Resources and select the
following:
For Linux Server: sasmid.demo.sas.com Pivotal Web Server 5.5 Web Server
For Windows Server: sasserver.demo.sas.com Pivotal Web Server 5.5 Web Server

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-60 Lesson 8 Monitoring Your SAS® Environment

Select Control. Select Start and click the arrow in the Quick Control area.

o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It
appears in the same places and indicates that the SAS Web Server is running again.
4. Defining an Alert for a SAS Server Log File
Log file entries are one type of event that can be configured and customized using SAS
Environment Manager’s log file tracking. For each SAS server, a special file named
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard.
They can be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Because each SAS server
has its own properties file, logging events can be created for specific server types.
In this practice, you set up an alert to be triggered whenever a warning message for the I/O
Subsystem appears in the log of the SAS Metadata Server.
a. On the server machine, navigate to the metadata server’s
sev_logtracker_plugin.properties file.

For Linux Server

On the sasapp.demo.sas.com machine, navigate to

/opt/sas/config/Lev1/SASMeta/MetadataServer.

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.

b. Make a backup copy of sev_logtracker_plugin.properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-61

c. Open sev_logtracker_plugin.properties.

The entries in this file use this format:

level. [level_of_message] . [sequential_number] = [regular_expression]
All sev_logtracker_plugin.properties files contain the following two entries by default:
#All fatal
level.fatal.1=.*

#All errors
level.error.1=.*
These entries specify that an event is created whenever a message appears in the SAS log
with a level of Fatal or Error. The message can contain any text. (The period represents any
character and the asterisk says “zero or more of the preceding character,” which is a period,
so any and all characters.)
level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
whenever a message with a level of Warn appears that also contains the words Access to
this account and is locked out. Any or no characters can be before, in between, and after
these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties file, the next warn message to be captured would be
level.warn.3=.*message text here.*
d. Add the following entry to the file:
#I/O subsystem information
level.info.1=.*I/O Subsystem.*

e. Save and close the file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-62 Lesson 8 Monitoring Your SAS® Environment

f. In SAS Environment Manager, locate the server SASMeta - SAS Metadata Server on the
Resource page and click it to bring up the Resource Detail page for the server.

g. On the Detail page, select Alert  Configure to display the Alert Configuration page.

h. Click New to display the New Alert Configuration page.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-63

i. Name the alert, select the priority, and specify that the alert should be active.
Alert Properties:
Name: I/O Subsystem
Priority: Medium
Description: I/O subsystem warnings in the server log
Condition Set: Select the Event/Logs Level radio button and then select Info in the
Event/Logs Level f ield.
In the Substring to Match f ield, enter I/O Subsystem.
These values specify that an alert is issued whenever an event is found for an Info message
from the log containing the string I/O Subsystem.
In the Enable Actions(s) area, select the Each time conditions are met radio button. An
alert is triggered each time I/O Subsystem information appears in the log.

j. Click OK.
k. (Optional) Search on the web for the SAS Usage Notes on I/O Subsystem.

1) Open a new tab in Internet Explorer and click the Home button in the upper right.
2) In the search field, enter I/O Subsystem.
3) Select the Usage Note 53874.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-64 Lesson 8 Monitoring Your SAS® Environment

Note: There are many papers f rom SAS that can help you with various troubleshooting
techniques. For a complete list of papers usef ul for troubleshooting system
perf ormance problems, see Usage Note 42197.

5. Importing Events
You can turn additional items into events by using the SAS macro %evevent to simulate an
external event, which is then imported into SAS Environment Manager.
a. Go to Resources  Services and search for Event Importer.

b. Select the Service Architecture Event Importer and go to the Inventory page.

c. In the Configuration Properties section, click Edit.

d. Review the event importer settings. The settings should be as follows:

Enable Event Importer check box: selected
Enable Log Tracking check box: selected
Track event log level: INFO
Log files: Events/sasev.events

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-65

Note: If you do not have the Services Architecture initialized, you can create your own
event importer by going to Resources  Platforms (select platform)  Tools
Menu  New Platform Service. Under Service Type, select SAS Event Importer
and then fill in the same fields as shown above.
e. Click OK to exit the properties of the event importer.
f. Navigate to the following directory:

For Linux Server

On the sasapp.demo.sas.com machine, /opt/sas/Workshop/spaft

The program CreateEvent.sas generates an event using the %evevent macro.

For Windows Server

D:\Workshop\spaftWIN
The program CreateEvent.sas generates an event using the %evevent macro.

The SAS macro library with samples macros used with the Service Architecture is in the
following location:
For Linux Server: /opt/sas/config/Lev1/Web/SASEnvironmentManager/emi -framework
For: Windows Server: D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-
framework
g. View the contents of the program through a text editor, but do not make changes.

The syntax f or the macro is as f ollows:

SRC= specif ies the originator of the event. You can also use this parameter to specif y the
f ormat of the text in the MSGTEXT= parameter. The value that you specif y f or the f ormat is
specif ied by the parser. Use a colon (:) to separate the originator and the f ormat inf ormation.
MSGLEVEL= specif ies the level of the event. Valid values are DEBUG, INFO, WARN, and
ERROR.
MSGTEXT= specif ies the text of the event message.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-66 Lesson 8 Monitoring Your SAS® Environment

h. Generate the external event.

For Linux Server

12.
Note: Use mRemoteNg and not WINSCP because you will be issuing a command.
1. On the sasapp.demo.sas.com machine, navigate to the following directory:
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi -framework/bin

2. Execute the following command:

./runSASJob.sh /opt/sas/Workshop/spaft/CreateEvent.sas

For Windows Server

1. Open a command prompt from the Start menu. Navigate to the following directory:
D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\bin

2. Execute the following command:

runSASJob.bat D:\Workshop\spaftWIN\CreateEvent.sas

Note: The runSASJob.sh script sets up the SAS environment needed to run the job.
i. In SAS Environment Manager, select Analyze  Event Center. The event should appear in
a few minutes.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-67

j. Check the sasev.events file located here:

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-
framework/Events/sasev.events
The event is included in the file. You can open up the file with the command gedit
sasev.events or use the WinSCP application.

For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-
framework\Events\sasev.events
The event is included in the file. You can open the file with Notepad++.

6. (Optional) Exporting Events

a. Create an Event Exporter Service in SAS Environment Manager. Navigate to Resources 
Platforms and select the following:
For Linux Server: sasapp.demo.sas.com
For Windows Server: sasserver.demo.sas.com.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-68 Lesson 8 Monitoring Your SAS® Environment

b. From the Tools menu, select New Platform Service.

1) Enter a name: sasserver export event
2) Enter a description: sasserver export event
3) Select a service type: SAS Event Exporter
4) Click OK.

c. In the new exporter, select Configuration Properties and enter the following properties:
1) Enable Event Exporter: Select to enable the event exporter.
2) Events File Name: For Linux Server: /opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server: D:\SAS\Config\Lev1\AppData\EventsOut.txt
3) User Name: Ahmed
4) Password: Student1

5) Click OK.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-69

d. Generate an event by restarting the object spawner.

1) Go to Resources  Servers and select the following:
For Linux Server: sasapp.demo.sas.com Object Spawner -sasapp.
For Windows Server: sasserver.demo.sas.com Object Spawner -sasserver.
2) Click Control in the Quick Control section.
3) Change Control Action to Restart and click the arrow to the right.

e. Go to Analyze  Event Center to verify that the events occurred.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-70 Lesson 8 Monitoring Your SAS® Environment

f. Navigate to the following text file to see the events being written to it:

For Linux Server

On the sasapp.demo.sas.com machine,

/opt/sas/config/Lev1/AppData/EventsOut.txt

Notice the object spawner log entry.

For Windows Server

D:\SAS\Config\Lev1\AppData\EventsOut.txt

Notice the object spawner log entry.

Note: The event exporter does not allow subsetting of the events that are exported. All
events that SAS Environment Manager generates are written to the file.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-71

7. Exploring the Analyze and Repair Tool

a. Log on to SAS Management Console as Ahmed using the password Student1.
b. Expand Metadata Manager. Right-click Active Server and select Analyze/Repair
Metadata.

c. The following message is displayed:

Click Yes. (The server will be paused after you complete the next two wizard pages. )

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-72 Lesson 8 Monitoring Your SAS® Environment

d. On the first wizard page, select the Foundation repository to analyze and repair. Click Next.

e. The next wizard page lists the analysis tools that are available. Select all of the tools. Do not
click the check box to Repair immediately. It is recommended that you perform the repairs
in a separate step. Click Analyze.

A message is displayed stating that the server is being paused to Administration mode. The
analysis is then performed. When it is finished, the results are displayed.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-73

If problems are found, the following message is displayed: Analysis has completed and
problems were found. View the log for details.
f. Click View Log to see information about the errors. Additional details might also be available
in the metadata server log.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-74 Lesson 8 Monitoring Your SAS® Environment

g. Scroll down to find WARN messages:

Orphaned Objects locates metadata objects that are no longer being referenced.
Click OK to close out of the log.
h. Click Next.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-75

i. The next wizard page displays a list of the analysis tools that found problem situations. Select
one or more tools to run in Repair mode, and click Repair.

j. A message reminds you to back up your metadata before running the repairs. Click Yes to
continue. The repairs are executed. A dialog box indicates whether each repair was
completed successfully.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-76 Lesson 8 Monitoring Your SAS® Environment

k. Click Finish to exit the wizard.

Note: The log will still show the WARN message. Instead, rerun the Analysis/Repair Tools
without repairing and check the log. You should not see any WARN messages.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-77

8. Locating the Start-up Scripts and Configuration Files for the Workspace Server
On the server machine, open the script to start the SAS Workspace Server.
What configuration files are read during the server start-up?

For Linux Server

On the sasapp.demo.sas.com machine, start at:
/opt/sas/config/Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh

Which points to: appservercontext_env.sh

Which also points to level_env.sh

So APPSERVER_ROOT resolves to /opt/sas/config/Lev1/SASApp, and CONFIGDIR

resolves to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
Here are the four configuration files that are read:
• /opt/sas/config/Lev1/SASApp/sasv9.cfg
• /opt/sas/config/Lev1/SASApp/sasv9_usermods.cfg
• /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9.cfg
• /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9_usermods.cfg
Note: These configuration files include other reference to configuration files. The
complete list of configuration files and order of precedence can be found at the
end of this practice.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-78 Lesson 8 Monitoring Your SAS® Environment

For Windows Server

Start at D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat

Notice that Appservercontext_env.bat is called:

And Level_env.bat calls:

So the value of APPSERVER_ROOT resolves to D:\SAS\Config\Lev1\SASApp,

CONFIGDIR resolves to D:\SAS\Config\Lev1\SASApp\WorkspaceServer, and
CMD_OPTIONS= -config "D:\SAS\Config\Lev1\SASAp\WorkspaceServer\sasv9.cfg".
sasv9.cfg includes two other configuration files:

Note: These configuration files include other reference to configuration files. The
complete list of configuration files and order of precedence can be found at the
end of this practice.

Note: The documentation provides information about the configuration files used by default.
This can be found in the appendix of SAS 9.4 Intelligence Platform: System
Administration Guide, Fourth Edition.
Configuration Files for Components of SAS Application Servers

Order of Path and File Name

Precedence

1 Windows: \Lev1\server-context\server-name\sasv9.cfg
UNIX: /Lev1/server-context/server-name/sasv9.cfg

2 Windows: \Lev1\server-context\sasv9.cfg
UNIX: /Lev1/server-context/sasv9.cfg

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-79

Order of Path and File Name

Precedence

3 Windows: SAS-install-directory\SASFoundation\9.4\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/sasv9.cfg

4 UNIX only: SAS-install-directory /SASFoundation/9.4/sasv9_local.cfg

5 Windows: SAS-install-directory\SASFoundation\9.4\locale\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/locale/sasv9.cfg

6 Windows: \Lev1\server-context\sasv9_usermods.cfg
UNIX: /Lev1/server-context/sasv9_usermods.cfg

7 Windows: \Lev1\server-context\appserver_autoexec.sas
UNIX: /Lev1/server-context/appserver_autexec.sas

8 Windows: \Lev1\server-context\appserver_autoexec_usermods.sas
UNIX: /Lev1/server-context/appserver_autoexec_usermods.sas

9 Windows: \Lev1\server-context\server-name\sasv9_usermods.cfg
UNIX: /Lev1/server-context/server-name/sasv9_usermods.cfg

10 Windows: \Lev1\server-context\server-name\autoexec.sas
UNIX: /Lev1/server-context/server-name/autoexec.sas

11 Windows: \Lev1\server-context\server-name\autoexec_usermods.sas
UNIX: /Lev1/server-context/server-name/autoexec_usermods.sas

9. (Optional) Adding System Options to the Workspace Server Launch Command

After you have determined the system options that you want to use to start your workspace
server, you can add system options to the workspace server launch command.
a. In SAS Management Console, expand Server Manager  SASApp - Logical Workspace
Server. A tree node that represents the physical workspace server is displayed.
b. Right-click the icon for the physical workspace server and select Properties.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-80 Lesson 8 Monitoring Your SAS® Environment

c. Click the Options tab. The command to start the workspace server is displayed.

d. You would edit the text in the Command text box, which by default is set to this:
configuration-directory\SASApp\WorkspaceServer\WorkspaceServer.bat
For example, here is a command with options that improve performance for a workspace
server:
configuration-directory\SASApp\WorkspaceServer\WorkspaceServer.bat
-rsasuser -work work-folder -ubufsize 64K -memsize 512M
-realmemsize 400M -sortsize 256M
e. If you wanted to force the workspace server to disconnect idle clients, on this Options tab,
click Advanced Options.

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
 8.3 Solutions 8-81

f. Click Launch Properties.

g. In the Inactive client timeout field, enter a numeric value (minutes) that a connected client
is allowed to remain inactive before the server disconnects the client. Specify a value of 0 to
disable this option.
h. Click Cancel in the Advanced Options dialog box.
i. Click Cancel in the Properties dialog box. (You are not making any changes.)

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
8-82 Lesson 8 Monitoring Your SAS® Environment

Solutions to Activities and Questions

8.01 Multiple Choice Question – Correct Answer

If you want to specify different values for system options, or if you want to
specify additional options, then enter your updates and additions in which
of the following files for a SAS server?
a. sasv9.cfg
b. metadataconfig_usermods.xml
c. sasv9_usermods.cfg
d. autoexec.sas

28
C o p y r i g h t © S AS In s t i tu t e In c. Al l r i g h t s re s e r ve d .

Copyright © 2020, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.