First-Priority Setup Tasks

Summary of First-Priority Setup Tasks

The following tasks are necessary to protect the integrity of your system. Complete these steps as soon as possible after migration, before you complete any of the other tasks that are outlined in this chapter.

Task	Description
Secure the SAS configuration on each server machine.	For a secure deployment, the configuration directory on each server machine must be protected by operating system controls. These controls will prevent inappropriate access to repository data sets, server scripts, server logs, and configuration files. On Windows systems, all configuration directories, files, and scripts are owned by the user who performs the installation. You must update the permissions as shown in Recommended Operating System Protections for Windows Machines in SAS Intelligence Platform: Installation and Configuration Guide. These recommendations assume that your SAS servers and spawners run as services under the Local System account. On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate permissions. The default permissions are shown in Default Operating System Protections for UNIX and z/OS Machines in SAS Intelligence Platform: Installation and Configuration Guide.
Establish a formal, regularly scheduled backup process.	Establish a formal, regularly scheduled backup process that includes your metadata repositories as well as the associated physical files. The SAS 9.3 Metadata Server includes a new server-based facility that performs metadata server backups automatically on a scheduled basis. By default, a schedule of daily backups is configured by the SAS Deployment Wizard. As a best practice, you should modify your backup configuration to specify a storage device other than the device that is used to store the metadata repositories and the server configuration files, and you should be sure to include this backup location in your regular system backups. See Backing Up and Recovering the SAS Metadata Server in SAS Intelligence Platform: System Administration Guide. It is important to also back up the physical data that is associated with the metadata so that related information will be synchronized if a restore becomes necessary. For guidance in setting up a backup process, see Best Practices for Backing Up and Restoring Your SAS Content in SAS Intelligence Platform: System Administration Guide.

Task

Description

Secure the SAS configuration on each server machine.

For a secure deployment, the configuration directory on each server machine must be protected by operating system controls. These controls will prevent inappropriate access to repository data sets, server scripts, server logs, and configuration files.

On Windows systems, all configuration directories, files, and scripts are owned by the user who performs the installation. You must update the permissions as shown in Recommended Operating System Protections for Windows Machines in SAS Intelligence Platform: Installation and Configuration Guide. These recommendations assume that your SAS servers and spawners run as services under the Local System account.

On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate permissions. The default permissions are shown in Default Operating System Protections for UNIX and z/OS Machines in SAS Intelligence Platform: Installation and Configuration Guide.

Establish a formal, regularly scheduled backup process.

Establish a formal, regularly scheduled backup process that includes your metadata repositories as well as the associated physical files.

The SAS 9.3 Metadata Server includes a new server-based facility that performs metadata server backups automatically on a scheduled basis. By default, a schedule of daily backups is configured by the SAS Deployment Wizard. As a best practice, you should modify your backup configuration to specify a storage device other than the device that is used to store the metadata repositories and the server configuration files, and you should be sure to include this backup location in your regular system backups. See Backing Up and Recovering the SAS Metadata Server in SAS Intelligence Platform: System Administration Guide.

It is important to also back up the physical data that is associated with the metadata so that related information will be synchronized if a restore becomes necessary. For guidance in setting up a backup process, see Best Practices for Backing Up and Restoring Your SAS Content in SAS Intelligence Platform: System Administration Guide.

Recommended Operating System Protections for Windows Machines

On Windows server machines, we recommend that you apply the following operating system protections to your configuration directory. All of these directories are located in SAS-configuration-directory\Levn.

Recommended Operating System Protections on Windows

Directories	Users	Recommended Permissions
SAS-configuration-directory SAS-configuration-directory`\Lev1` `Lev1` subdirectories: `Documents`, `ReportBatch`, `SASApp`, `SASMeta`, `Utilities`, `Web`	SYSTEM and Administrators	Full Control
	All other users	List Folder Contents, Read
`Lev1` subdirectories: `ConnectSpawner` `Logs` `ObjectSpawner` `SASApp\OLAPServer` `SASMeta\MetadataServer` `FrameworkServer` `ShareServer`	SYSTEM and Administrators	Full Control Remove all other users and groups
`SASApp` subdirectories : `PooledWorkspaceServer`, `StoredProcessServer`	SYSTEM, Administrators, and SAS Spawned Servers (sassrv)	Full Control Remove all other users and groups
`SASApp` subdirectories: `ConnectServer\Logs` `Data\wrsdist` `Data\wrstemp` `PooledWorkspaceServer\Logs` `PooledWorkspaceServer\sasuser` `StoredProcessServer\Logs` `StoredProcessServer\sasuser` `WorkspaceServer\Logs` `SASMeta\WorkspaceServer\Logs`	SYSTEM, Administrators, and SAS Spawned Servers (sassrv)	Full Control
sasv9_meta.cfg file	SYSTEM and Administrators	Read and Write Remove all other users and groups

Note:

These recommendations assume that your SAS servers and spawners run as services under the Local System account. If servers and spawners are run under a different account, then grant that account the permissions that are recommended for SYSTEM.
You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination (for example, SAS-configuration-directory\Lev1\Logs).
If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
If you enable logging for a workspace server, then you will need to grant all users of the workspace server Full Control of the log directory. (See Create a Log File for Workspace Server Troubleshooting in SAS Intelligence Platform: System Administration Guide).

For information about backups, see Backing Up and Recovering the SAS Metadata Server in SAS Intelligence Platform: System Administration Guide.

For details about the configuration directory structure, see Overview of the Configuration Directory Structure in SAS Intelligence Platform: System Administration Guide.

Default Operating System Protections for UNIX and z/OS Machines

The following table shows the default operating system protections that are provided automatically for configuration directories on UNIX and z/OS machines. All of these directories are located in SAS-configuration-directory/Levn.

Default Operating System Protections on UNIX and z/OS

Directories	Users	Default Permissions
SAS-configuration-directory SAS-configuration-directory`/Lev1` `Lev1` subdirectories: `Documents`, `ReportBatch`, `SASApp`, `SASMeta`, `Utilities`, `Web`	SAS Installer	Read, Write, and Execute
	All other users	Read and Execute
`Lev1` subdirectories: `ConnectSpawner` `Logs` `ObjectSpawner` `SASApp/OLAPServer` `SASMeta/MetadataServer` `FrameworkServer` `ShareServer`	SAS Installer	Read, Write, and Execute
	All other users	No access
`SASApp` subdirectories : `PooledWorkspaceServer`, `StoredProcessServer`	SAS Installer	Read, Write, and Execute
	sas group	Read and Execute
`SASApp` subdirectories : `ConnectServer/Logs` `Data/wrsdist` `Data/wrstemp` `PooledWorkspaceServer/Logs` `PooledWorkspaceServer/sasuser` `StoredProcessServer/Logs` `StoredProcessServer/sasuser` `WorkspaceServer/Logs` `SASMeta/WorkspaceServer/Logs`	SAS Installer	Read, Write, and Execute
	sas group	Read, Write, and Execute
sasv9_meta.cfg file	SAS Installer	Read and Write
sasv9_meta.cfg file	All other users	no access

Note:

Make sure that the SAS Spawned Servers account (sassrv) is a member of the sas group, which has the necessary permissions to server configuration files and log directories.
You might have selected the custom installation option to place all of your log files in a single directory. If you selected this option, then you will need to grant either the sas group or the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission on the central log destination (for example, SAS-configuration-directory/Levn/Logs).
If users will be using SAS Enterprise Guide to create stored processes, then the SAS Spawned Servers (sassrv) account must have Write access to the directory in which stored processes will be stored.
If you enable logging for a workspace server, then you will need to grant all users of the workspace server Full Control of the log directory. (See Create a Log File for Workspace Server Troubleshooting in SAS Intelligence Platform: System Administration Guide)..
The user who backs up the metadata server must have full access to SAS-configuration-directory/Levn/SASMeta/MetadataServer, to its subdirectories rposmgr and MetadataRepositories/Foundation, and to the backup destination (for example, SAS-configuration-directory/Levn/SASMeta/MetadataServer/SASBackup). The SAS Installer user has the required access.

CAUTION:

Do not run a backup or a restore as the Root user. Doing so will change ownership of the metadata server files.
For information about backups, see Backing Up and Recovering the SAS Metadata Server in SAS Intelligence Platform: System Administration Guide.

For details about the configuration directory structure, see Overview of the Configuration Directory Structure in SAS Intelligence Platform: System Administration Guide.