Chapter Three: User Administration Concepts & Mechanisms
Cont’d…
You must add users to the Planning Server system
before they can be assigned to roles or use Planning
Server applications.
Users must have valid domain accounts.
On the User Administrator Role page, users who
currently belong to the role are listed in the User ID
column next to the appropriate application or model site.
Except for the Global Administrator role, which has a
system-wide scope, administrative roles have either an
application scope or a model-site scope.
Application scope permissions apply for all model
sites in the application.
Model-site scope permissions apply only for the
specific model site.
You must belong to the Global Administrator or User
Administrator role to add users to or remove users
from the User Administrator role.
Before you can add a user to any Planning Server role,
the user must first be added to Planning Server from
the Users page.
SAS User Administration
In order to make access distinctions and track user activity, a
security system must know who is making each request.
In the platform, the primary user administration task is to
store each user's external account ID in the SAS metadata.
SAS uses its copy of these IDs to establish a unique SAS
identity for each connecting user.
All of a user's metadata layer memberships, permissions, and
capabilities are ultimately tied to the user's SAS identity.
Note: It is not necessary to store passwords in the SAS
metadata for the purpose of identifying a user.
SAS identity is determined by examining stored user
IDs, not by examining stored passwords.
Note: For some service identities and metadata
administrators, you can use a SAS internal account
instead of a stored SAS copy of an external account ID.
Who Can Manage Users, Groups, and Roles?
For restricted user administrators (users who have the user
administration role but are not unrestricted), the following
constraints apply:
• Restricted user administrators cannot update the unrestricted role.
• To update or delete an identity, restricted user administrators must
have the Write Metadata permission for that identity.
For example, you can prevent a restricted user administrator from
updating a user's metadata definition by taking away his or her default
grant of the Write Metadata permission (on that user's Authorization tab,
explicitly deny the Write Metadata permission to the restricted user
administrator).
To change a role's capabilities, restricted user administrators
must have the Write Metadata permission for the associated
software component.
To access user management features in SAS Management
Console, restricted user administrators must have the User
Manager capability.
Groups of users
Both Unix and NT allow users to belong to multiple groups.
A group is an association of usernames which can be referred
to collectively by a single name.
NT also allows the creation of groups. Groups are created by
command, rather than by file editing, using:
net group groupname /ADD
Users may then be added with the syntax:
net group groupname username1 username2... /ADD
They can also be edited with the GUI on a local host.
NT distinguishes global groups (consisting only of domain
registered users) from local groups, which may also contain
locally registered users.
Some standard groups are defined by the system, e.g.
Administrators, Users and Guests.
The Administrators group has privileged access to the system.
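The commands above, put together into a small batch file that creates a global group, adds members to it and then lists the privileged local Administrators group for review. This is an added example and not part of the lecture notes; the group name, member names and log path are constructed placeholders, and it assumes the net command is available on a domain member or controller.

```batch
@echo off
rem Added example (not from the lecture notes): manage an NT domain group
rem with "net group" and review the privileged local Administrators group.
rem Assumptions: the "net" command is available and the caller has the
rem rights to change domain groups; group, user and log names are
rem constructed placeholders.

setlocal
set GROUPNAME=Helpdesk
set MEMBERS=alice bob
set LOGFILE=%TEMP%\admins-review.log

rem Create the global (domain-registered) group; /DOMAIN sends the request
rem to the primary domain controller of the current domain
net group %GROUPNAME% /ADD /DOMAIN
if errorlevel 1 (
    echo Could not create group %GROUPNAME% - it may already exist.
)

rem Add several users in one call, as the notes show:
rem   net group groupname username1 username2... /ADD
net group %GROUPNAME% %MEMBERS% /ADD /DOMAIN
if errorlevel 1 (
    echo Failed to add members to %GROUPNAME%.
    exit /b 1
)

rem Local groups may hold both domain and locally registered accounts, and
rem the Administrators local group has privileged access, so record its
rem current membership to a log file for periodic review
net localgroup Administrators > "%LOGFILE%"
if errorlevel 1 (
    echo Could not list the Administrators group.
    exit /b 1
)
echo Administrators membership written to %LOGFILE%

endlocal
exit /b 0
```

The script checks the error level after every net call rather than assuming success, and it writes the Administrators membership to a file so that changes to the privileged group can be compared between runs.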
Account policy
Most organizations need a strict policy for assigning
accounts and opening the system for users.
Users are the foremost danger to a computing
system, so the responsibility of owning an account
should not be dealt out lightly.
There are many ways in which accounts can be
abused.
Users can misuse accounts for villainous purposes, and
they can abuse the terms on which the account was issued,
wasting resources on personal endeavors.
For example, in Norway, where education is essentially
free, students have been known to undergo semester
registration simply to have an account, giving them
essentially free access to the Internet and a place to
host their web sites.
Policy rules are required for guiding user behavior, and
also for making system rules clear.
Experience indicates that simple rules are always
preferable, though this is so far unsubstantiated by any
specific studies.
A complex and highly specific rule, that is understood
only by its author, may seem smart, but most users will
immediately write it off as being nonsense.
Such a rule is ill advised because it is opaque.
The reason for the rule is not clear to all parties, and thus
it is unlikely to be respected.
What should an account policy contain?
1. Rules about what users are allowed/not allowed to do.
2. Specifications of what mandatory enforcement users
can expect, e.g. tidying of garbage files.
Any account policy should contain a clause about
weak passwords.
If weak passwords are discovered, it must be
understood by users that their account can be closed
immediately.
Users need to understand that this is a necessary
security initiative.
The privileged account's or super user's environment
User support services
All users require help at some time or another.
The fact that normal users are not privileged users
means that they must occasionally rely on a super
user to clean up a mess, or fix a problem which is
beyond their control.
If we are to distinguish between privileged and
non-privileged users, we cannot deny users this
service.
Support policy
The amount of support that one offers users is a matter of policy.
One has the choice between supporting users directly, and
investing time in making them self-sufficient.
Which of these two strategies pays most dividends depends on
the nature of the problem.
In almost all cases both strategies are needed. Thus one looks
for a mixture of the following:
• Training users.
• Helping users.
• Documenting and providing the answers to frequently asked
questions.
The proportion of time spent on each must be chosen
as policy.
System administrators’ time is usually in short supply,
though increased automation is steadily freeing us to
concentrate on higher level problems, like support.
The ability to support a system depends on its size in
relation to the available resource personnel.
Supporting hardware and software means fixing
errors, upgrading and perhaps providing tuition or
telephone help-desks.
E-mail help-desks such as Rust, Gnats, Nearnet, Netlog, PTS,
QueueMH can assist in the organization of support services, but
they are mainly task-tracking tools.
Sometimes hosts and software packages are labelled unsupported
in order to emphasize to users that they are on their own if they
insist on using those facilities.
One of the challenges system administrators sometimes have to
endure on coming to a new site, where chaos reigns, is the
transition from anarchy to a smaller set of supported platforms
and software.
Support services need to be carefully considered and tailored to each
local environment.
The Registry
The Windows registry is a central repository of information
about all aspects of the computer, in particular its
hardware, operating system, applications and users.
It can be accessed and updated under software control and
also directly by users.
The registry first appeared in Windows 3.1. In that system it
was a single file, called REG.DAT, and was mainly used to
store information about OLE objects.
Most other configuration data was held in various INI
files, of which WIN.INI and SYSTEM.INI were the
most important.
The modern registry, as found in Windows 9x and
NT, brings together all the information that was
previously held in REG.DAT and the separate INI
files.
The registry has several advantages over INI files.
Because the information is centralized, it is easier for
applications to access it.
It is more hierarchical than INI files, and so better suited for
storing large amounts of structured data.
It is also free of the size limitations which affect INI files
(although there is still a maximum total registry size limit).
Storage
Although the registry is usually considered to be a single entity,
its contents are in fact stored in more than one physical file.
In Windows 9x, there are two such files: SYSTEM.DAT and
USER.DAT.
These hold computer-specific and user-specific information
respectively.
In Windows NT, the registry is spread over a series of files,
sometimes called hives.
SYSTEM.DAT and USER.DAT are usually held in the Windows
directory.
However, it is also possible to place USER.DAT in the user’s
login directory on a network, thus allowing the user to log in at
other workstations.
In NT, the hive files are located in the SYSTEM32\CONFIG
directory, which is off the Windows directory.
What is scripting?
Simply put, a script is a small, interpreted program that can
carry out a series of tasks and make decisions based on
specific conditions it finds.
By "interpreted," we mean that when it is run, it is
carried out one line at a time, as opposed to "compiled,"
which is the process of turning it into machine language
before it is run.
A script is created using ASCII text, so Windows
Notepad or a similar text editor is the only tool required.
A number of scripting "languages" are available for
you to choose from, each with its own capabilities and
limitations.
These languages include Windows native shell
scripting, Visual Basic Scripting Edition, JavaScript,
Kixtart, and Perl.
Which one you choose will ultimately depend on a
combination of the tasks required and your own
experience and inclinations.
How is scripting used?
Scripting lets you automate various network
administration tasks, such as those that are performed
every day or even several times a day.
For example, login scripts run every time a user logs
in to the network and can perform tasks like mapping
network drives for the user based on certain conditions,
such as group membership.
Another example of script use might be a situation where
you want to have each Windows NT server create a new
Emergency Restore Disk and then copy the contents of that
disk to a network location.
Other tasks might need to be carried out only once,
such as a modification to the registry, but on a large
number of servers that are widely distributed
geographically.
In a case like this, you could create and distribute a
single script to run the task on each server.
You can start scripts manually, but you can also start
them automatically, either by a specific event or
scheduled via the Windows Task Scheduler.
Windows NT allows scripts to be run automatically
each time a user logs in to the network.
Windows 2000 goes much further and can be
configured to automatically run separate scripts upon:
• Machine startup
• Machine shutdown
• User login
• User logout
Shell scripting
A shell is more than an interface that allows a user to
communicate with, or issue commands directly to, the
operating system.
The concept of a shell has been around in UNIX for
many years.
In fact, there are several shells in the UNIX world, each
with its own features and commands that make it suitable
for various tasks.
In Windows, there is no such diversity.
You have only one shell, the Windows shell, which is
built into the operating system.
And you are undoubtedly already familiar with the
interface, although you probably call it the command
prompt or, if you're a real old-timer, perhaps the DOS
prompt.
Technically speaking, it's called a command shell and
is run by executing the file Cmd.exe, found in
C:\Winnt\System32.
Probably the easiest way to run it is to simply click
Start | Run, type cmd in the text box, and click OK, or
create a shortcut to Cmd.exe.
The Windows shell comes with a set of built-in
commands, many of which are well known and
commonly used, such as dir, copy, del, cd, etc.
Commands and their associated parameters are
usually issued one at a time at the command line.
More important for our purposes is the fact that
commands can also be used in a batch mode.
That is, using a text editor, you can write a separate command on
each line, saving the finished product with the extension of
either .bat or .cmd.
This turns the text file into an executable that will be run as an
interpreted program, carrying out each command one line at a time,
in order. This is what we call shell scripting.
Although the Windows scripting language is far from being a
full-scale programming language, it does come with some useful
commands and features that allow it to have some of the
flexibility you'd expect to find in a program.
Some of these features are:
Conditional processing
You can have your script test to see whether a certain condition
exists, and if it does, do one thing, and if it doesn't, do something
else.
Error trapping
Every time a command is carried out, Windows generates an error
level, with error level 0 being "no error."
This allows you to include a provision in your script to gracefully
exit from an error it might encounter.
System variables
Information about a given computer and the user who is logged
on to that computer can be found in the registry, at
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
Some of that information, which can be of use in scripting, is
available in the form of system variables.
To get an idea of what is available, you can open the command
shell and type the command set.
This will display a list of all the system variables and their
current values.
These can then be referenced in a script by
bracketing them with the percent symbol.
For instance, %username% will refer to the
username of whoever is currently logged on to the
computer.
An example of its use would be to copy the current
user's Favorites folder and all subfolders on the
local machine to that user's home folder on the
server:
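A login script of the kind just described, written as an added example rather than taken from the notes. It uses the three features covered above: system variables such as %USERNAME% and %USERPROFILE%, conditional processing with if, and error trapping on the error level that xcopy returns. The server name \\fileserver, the share layout \home\<username> and the log file location are constructed assumptions, and the script relies on cmd.exe from Windows 2000 or later for exit /b, %DATE% and %TIME%.

```batch
@echo off
rem Added example, not from the lecture notes: a login script that copies the
rem current user's Favorites folder and all subfolders to that user's home
rem folder on the server, using system variables, conditional processing and
rem error-level trapping.
rem Assumptions (constructed for this example): the home share is
rem \\fileserver\home\<username>; server, share and log path are placeholders.

setlocal
set SOURCE=%USERPROFILE%\Favorites
set TARGET=\\fileserver\home\%USERNAME%\Favorites
set LOGFILE=%TEMP%\favorites-backup.log

rem Conditional processing: skip the copy if there is no Favorites folder
if not exist "%SOURCE%" (
    echo %DATE% %TIME% no Favorites folder for %USERNAME% >> "%LOGFILE%"
    goto :end
)

rem Conditional processing: only copy when the home share is reachable,
rem so a missing server does not leave the script hanging on an error
if not exist "\\fileserver\home\%USERNAME%" (
    echo %DATE% %TIME% home share missing for %USERNAME% >> "%LOGFILE%"
    goto :end
)

rem /E copies subfolders including empty ones, /I treats the target as a
rem directory, /Y suppresses overwrite prompts so the script never blocks
xcopy "%SOURCE%" "%TARGET%" /E /I /Y >nul

rem Error trapping: xcopy sets error level 0 on success; "if errorlevel 1"
rem is true for any value of 1 or higher, so it catches every failure code
if errorlevel 1 (
    echo %DATE% %TIME% xcopy failed with error level %ERRORLEVEL% for %USERNAME% >> "%LOGFILE%"
    exit /b 1
)
echo %DATE% %TIME% Favorites copied for %USERNAME% >> "%LOGFILE%"

:end
endlocal
exit /b 0
```

Every outcome is written to a log line with the user name and time, so that a help desk can see whether a given user's copy ran, was skipped, or failed, instead of the script failing silently at login.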
Windows Scripting Host
The Windows Scripting Host (WSH) is a set of three
files (Wscript.exe, Cscript.exe, and Wsh.ocx) that
provide an environment for other scripting languages
to run in.
Built into the WSH are two "engines" for the scripting
languages Visual Basic Scripting Edition (VBS) and
JScript, which is a Microsoft version of JavaScript.
You can also load other engines for other scripting
languages, such as Perl or REXX, if you want.
Although the shell scripting language remains a fixed
part of the operating system, WSH can be separately
updated and upgraded, since it exists as separate files.
In addition, it can be installed on several versions of
Windows.
To determine which version is currently installed, type
cscript at the command shell.
The WSH makes use of a rather strange concept called an
object model, which can take some getting used to for a
newcomer to scripting and programming.
Each object has a set of methods associated with it.
The root object for WSH is called WScript, and from it,
other objects can be created and used within scripts to
accomplish tasks.
Both VBS and JScript are object-based languages, and
each uses its own object model that works in conjunction
with the WSH object model.