- In the host layer, create directories and a configuration file:
  - In your equivalent of SAS-configuration-directory\SASApp, create a directory called RestrictedPool and a subdirectory (below RestrictedPool) called logs.
  - In the RestrictedPool directory, create a configuration file to be used when the restricted workspace server is started.
    - On Windows, create a file named sasv9.cfg with the following content:
      -config "SAS-configuration-directory\SASApp\sasv9.cfg"
    - On UNIX, create a file named workspaceServer.cfg with the following content:
      -config !SASROOT/sasv9.cfg
      -config sasv9.cfg
- Decide how the restricted workspace server will connect to the metadata server. Choose one of the following approaches:
  - Use trusted peer connections, which the metadata server accepts without requiring credentials. In the initial configuration, the metadata server accepts trusted peer connections from all user IDs and machines, so no special configuration is required. See Trusted Peer Connections in SAS Intelligence Platform: Security Administration Guide.
    Note: In this approach, the restricted server’s processes that are initiated from SAS Web Report Studio run under the rpoolsrv identity, and the restricted server’s processes that are initiated from a desktop application run under the requesting user’s identity. The Restricted Puddle Login Group and any allowed individual desktop users must have access to any external DBMS credentials.
  - Use credential-based connections, where the workspace server provides a user ID and password that are stored in its configuration file. In this approach, you add the METAUSER and METAPASS options to the configuration file that you created in step 1b. For example:
    -metauser "rpoolsrv"
    -metapass "encrypted-rpoolsrv-password"
    CAUTION: With this approach, it is essential to provide host protection of the configuration file for the restricted workspace server (because it contains privileged credentials).
    Tip: On Windows, qualify the user ID (for example, WIN\rpoolsrv).
    Tip: Encrypt the password using the PWENCODE procedure. See PWENCODE Procedure in Encryption in SAS.
    Tip: If you change the rpoolsrv account password, you must also manually update the password in this configuration file.
    Note: In this approach, all of the restricted server’s processes are launched under the rpoolsrv identity. Only the Restricted Puddle Login Group needs access to any DBMS credentials.
- In the metadata, define the restricted server.
  - On the Plug-ins tab of SAS Management Console, right-click Server Manager and select New Server.
  - In the New Server wizard, select Resource Templates > Servers > SAS Application Server.
    Note: The restricted workspace server must be in its own dedicated SAS Application Server.
  - Enter the name RestrictedPool.
  - Accept the default version and vendor information.
  - Select the Custom radio button.
  - Enter a value in the Command box as follows:
    For a workspace server on Windows:
    sas -config "SAS-configuration-directory\SASApp\RestrictedPool\sasv9.cfg"
    For a workspace server on UNIX:
    SAS-configuration-directory/SASApp/sas.sh -config RestrictedPool/workspaceServer.cfg
  - Specify the following values:
    - Select the authentication domain of your existing, general-purpose workspace server. Usually, this is DefaultAuth.
    - Change the default value (8591) to an unassigned port value (such as 9591).
- Tell the object spawner about the restricted server.
  - Under Server Manager, right-click the object spawner, and select Properties.
  - On the Servers tab, move RestrictedPool - Workspace Server to the Selected servers list. Click OK.
  - Restart the object spawner.
- Test the connection to the restricted server.
  - Under Server Manager, expand the RestrictedPool application server and the RestrictedPool - Logical Workspace Server. Select the RestrictedPool - Workspace Server.
  - In the right pane, right-click the connection icon and select Test Connection.
    Note: If you are logged on with an internal account (an account that has the @saspw suffix), you are prompted for credentials. Enter the credentials for a user that has an external account, an individual metadata identity, and (on Windows) the Log on as a batch job Windows privilege.
    Tip: If the connection fails, select File > Clear Credentials Cache from the main menu and try again. You can also check the log files for the object spawner and the workspace server and make sure the contents of the configuration file in the RestrictedPool directory are correct.
- Configure the restricted server to support client-side pooling.
  - Right-click the RestrictedPool - Logical Workspace Server and select Convert To > Pooling. In the message box, click Yes.
  - In the Pooling Options dialog box, click New.
  - In the New Puddle dialog box, provide values as follows:
    | Minimum available servers |
    | Minimum number of servers |
    | Restricted Puddle Access Group |
  - Click OK in the Pooling Options dialog box.
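
For the credential-based connection approach and its CAUTION about host protection of the configuration file, the following is an added example (not part of the SAS documentation) of a check for the UNIX workspaceServer.cfg: it flags group/other access to the file and a -metapass value that does not carry a PWENCODE-style {SAS00n} tag. The function name, file names, and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a restricted workspace server config file that stores
# -metauser/-metapass. Prints findings; returns 0 clean, 1 findings, 2 missing.
audit_restricted_cfg() {
    cfg=$1
    findings=0
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "PERMS: $cfg grants group/other access ($go_bits)"
        findings=1
    fi

    # First -metapass value, option name matched case-insensitively,
    # surrounding whitespace and double quotes stripped.
    pass=$(grep -i '^[[:space:]]*-metapass[[:space:]]' "$cfg" | head -n 1 |
           sed -e 's/^[[:space:]]*-[A-Za-z]*[[:space:]]*//' \
               -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')
    case $pass in
        '') ;;                               # no -metapass line in this file
        '{'[Ss][Aa][Ss]00[0-9]'}'?*) ;;      # PWENCODE-style {SAS00n} tag
        *) echo "PLAINTEXT: -metapass in $cfg is not PWENCODE output"
           findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample files (not real credentials) exercising both outcomes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-config !SASROOT/sasv9.cfg' '-config sasv9.cfg' \
        '-metauser "rpoolsrv"' \
        '-metapass "{SAS002}CONSTRUCTEDSAMPLE00"' > "$d/good.cfg"
    chmod 600 "$d/good.cfg"
    printf '%s\n' '-metauser "rpoolsrv"' \
        '-METAPASS "Constructed-Plaintext1"' > "$d/bad.cfg"
    chmod 644 "$d/bad.cfg"
    audit_restricted_cfg "$d/good.cfg" && echo "OK: $d/good.cfg"
    audit_restricted_cfg "$d/bad.cfg" || echo "FAIL: $d/bad.cfg"
    rm -rf "$d"
}
demo
```

An encoded -metapass value is still a usable credential for anyone who can read the file, so the permission finding matters even when the encoding check passes.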