Lwspafm4 001

SAS® Platform
Administration: Fast Track
Course Notes
SAS® Platform Administration: Fast Track Course Notes was developed by Sheila Riley and Christine
Vitron. Additional contributions were made by Marty Flis, John Hall, Dave Naden, Gerry Nelson, and
Raymond Thomas. Editing and production support was provided by the Curriculum Development and
Support Department.
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of
SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product
names are trademarks of their respective companies.
SAS® Platform Administration: Fast Track Course Notes
Copyright © 2017 SAS Institute Inc. Cary, NC, USA. All rights reserved. Printed in the United States of
America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, electronic, mechanical, photocopying, or otherwise, without the prior written
permission of the publisher, SAS Institute Inc.
Book code E71018, course code LWSPAFM4/SPAFM4, prepared date 17May2017. LWSPAFM4_001
ISBN 978-1-63526-179-0
For Your Information iii
Table of Contents
Chapter 1 Reviewing the Platform for SAS® Business Analytics ...................... 1-1
1.1 Exploring the Platform for SAS Business Analytics Overview ....................................... 1-3
Demonstration: Accessing the Classroom Environment ......................................... 1-14
Exercises.................................................................................................................. 1-17
1.2 Reviewing Platform Administration Deployment and Maintenance Tasks ................... 1-23
Exercises.................................................................................................................. 1-33
1.3 Reviewing Platform Administration Metadata and Ongoing Tasks ............................... 1-37
Demonstration: Accessing SAS Management Console and SAS Environment
Manager......................................................................................... 1-49
Exercises.................................................................................................................. 1-55
1.4 Solutions ........................................................................................................................ 1-60
Chapter 2 Reviewing SAS Platform Architecture ................................................ 2-1
2.1 Exploring the Platform Architecture ................................................................................ 2-3

Exercises.................................................................................................................. 2-15
2.2 Operating SAS Servers and Spawners ........................................................................... 2-19

Demonstration: Using SAS Environment Manager to Operate Servers and
Spawners ....................................................................................... 2-27
Exercises.................................................................................................................. 2-29
2.3 Exploring SAS Environment Manager .......................................................................... 2-32

Demonstration: Exploring SAS Environment Manager.......................................... 2-41
Exercises.................................................................................................................. 2-49
2.4 Exploring SAS Environment Manager Service Architecture......................................... 2-54

Exercises.................................................................................................................. 2-64
2.5 Solutions ........................................................................................................................ 2-71

iv For Your Information
Chapter 3 Understanding SAS® Metadata and the Metadata Server ................. 3-1
3.1 Exploring the SAS Metadata Server and Metadata Repositories..................................... 3-3
Exercises.................................................................................................................. 3-11
3.2 Exploring SAS Metadata Objects .................................................................................. 3-16

Demonstration: Exploring SAS Metadata in SAS Environment Manager ............. 3-27
Exercises.................................................................................................................. 3-31
3.3 Implementing a SAS Metadata Server Cluster .............................................................. 3-36
3.4 Backing Up the SAS Metadata Server ........................................................................... 3-49

Exercises.................................................................................................................. 3-61
3.5 Backing Up the SAS Environment ................................................................................ 3-63

Demonstration: Listing the Deployment Schedule and Using the Backup
Manager in SAS Environment Manager ....................................... 3-74
Exercises.................................................................................................................. 3-80
3.6 Solutions ........................................................................................................................ 3-84
Chapter 4 Understanding Initial Authentication and Administering

Users, Groups, and Roles .................................................................... 4-1
4.1 Exploring Initial Authentication to the Metadata Server ................................................. 4-3

Exercises.................................................................................................................... 4-8
4.2 Administering Users and Groups ................................................................................... 4-13

Exercises.................................................................................................................. 4-19
4.3 Using Import Macros ..................................................................................................... 4-22

Exercises.................................................................................................................. 4-32
4.4 Exploring Internal Accounts and Internal Authentication Mechanisms ........................ 4-35
Exercises.................................................................................................................. 4-42
4.5 Administering Roles and Administrative Identities ....................................................... 4-44

Exercises.................................................................................................................. 4-50
4.6 Solutions ........................................................................................................................ 4-53

For Your Information v
Chapter 5 Managing SAS® Compute Servers and Spawners ............................. 5-1
5.1 Understanding SAS Compute Servers ............................................................................. 5-3

Demonstration: Monitoring SAS Servers and Sessions from
SAS Management Console ............................................................ 5-20
Exercises.................................................................................................................. 5-22
5.2 Exploring Credential Management ................................................................................ 5-28

Demonstration: (Optional) Configuring Access to a Database in
SAS Management Console ............................................................ 5-34
Exercises.................................................................................................................. 5-42
5.3 Administering Server Logging ...................................................................................... 5-43

Demonstration: Viewing Metadata Server Logging in SAS Management
Console .......................................................................................... 5-54
Exercises.................................................................................................................. 5-58
5.4 Solutions ........................................................................................................................ 5-62
Chapter 6 Securing Metadata ................................................................................ 6-1
6.1 Reviewing Metadata Security .......................................................................................... 6-3

Demonstration: Exploring the Repository ACT ...................................................... 6-12
Exercises.................................................................................................................. 6-20
6.2 Exploring Metadata Permissions and ACTs ................................................................... 6-25

Demonstration: Identifying Applicable Permissions............................................... 6-35
Exercises.................................................................................................................. 6-38
6.3 Customizing SAS Folders .............................................................................................. 6-45

Exercises.................................................................................................................. 6-53
6.4 Solutions ........................................................................................................................ 6-68
Chapter 7 Establishing Connectivity to Data Sources ....................................... 7-1
7.1 Registering Libraries and Tables in Metadata .................................................................. 7-3

Demonstration: Registering SAS Library and Table Metadata in SAS
Environment Manager ................................................................... 7-12
vi For Your Information
Demonstration: Registering SAS Library and Table Metadata in

SAS Management Console (Optional) .......................................... 7-21
Exercises.................................................................................................................. 7-24
7.2 Setting Up Data Access .................................................................................................. 7-27

Exercises.................................................................................................................. 7-37
7.3 Solutions ........................................................................................................................ 7-44
Chapter 8 Monitoring Your SAS® Environment ................................................... 8-1
8.1 Monitoring a SAS Environment with SAS Environment Manager ................................. 8-3
Demonstration: Viewing Analyze Pages and Creating an Alert in
SAS Environment Manager........................................................... 8-13
Exercises.................................................................................................................. 8-20
8.2 Reviewing SAS Middle-Tier Architecture ..................................................................... 8-26

Exercises.................................................................................................................. 8-38
8.3 Additional Topics on SAS Server Maintenance............................................................. 8-48

Exercises.................................................................................................................. 8-54
8.4 Solutions ........................................................................................................................ 8-59
Chapter 9 Exploring Ongoing Administration Tasks .......................................... 9-1
9.1 Updating SAS Software ................................................................................................... 9-3

Exercises.................................................................................................................. 9-12
9.2 Finding Resources for SAS Administrators ................................................................... 9-13
9.3 Solutions ........................................................................................................................ 9-19
Chapter 10 Learning More ..................................................................................... 10-1
10.1 SAS Resources ............................................................................................................... 10-3
10.2 Beyond This Course ....................................................................................................... 10-6

For Your Information vii
To learn more…
For information about other courses in the curriculum, contact the SAS
Education Division at 1-800-333-7660, or send e-mail to training@sas.com.
You can also find this information on the web at
http://support.sas.com/training/ as well as in the Training Course Catalog.
For a list of other SAS books that relate to the topics covered in this
course notes, USA customers can contact the SAS Publishing Department
at 1-800-727-3228 or send e-mail to sasbook@sas.com. Customers outside
the USA, please contact your local SAS office.
Also, see the SAS Bookstore on the web at http://support.sas.com/publishing/
for a complete list of books and a convenient order form.
viii For Your Information
Chapter 1 Reviewing the Platform
for SAS® Business Analytics
1.1 Exploring the Platform for SAS Business Analytics Overview .................................. 1-3
Demonstration: Accessing the Classroom Environment...................................................... 1-14
Exercises .............................................................................................................................. 1-17
1.2 Reviewing Platform Administration Deployment and Maintenance Tasks ............. 1-23
Exercises .............................................................................................................................. 1-33
1.3 Reviewing Platform Administration Metadata and Ongoing Tasks .......................... 1-37
Demonstration: Accessing SAS Management Console and SAS Environment
Manager ..................................................................................................... 1-49
Exercises .............................................................................................................................. 1-55
1.4 Solutions ....................................................................................................................... 1-60

Solutions to Exercises .......................................................................................................... 1-60
Solutions to Student Activities (Polls/Quizzes) ..................................................................... 1-86

1-2 Chapter 1 Reviewing the Platform for SAS® Business Analytics
Copyright © 2017, SAS Institute Inc., Cary, North Carolina, USA. ALL RIGHTS RESERVED.
1.1 Exploring the Platform for SAS Business Analytics Overview 1-3
1.1 Exploring the Platform for SAS

Business Analytics Overview
Objectives
• Compare the types of SAS installations.

• Explore the platform for SAS Business Analytics.
• Identify the different platform applications and job roles.
3
Copy rig ht © SA S Institute Inc. A ll rig hts re se rve d.
Varieties of SAS Deployments
With SAS®9, there are two types of SAS® Viya™

SAS installations: The platform
• SAS Foundation
• platform for SAS Business Analytics
SAS Foundation
Platform for SAS Business Analytics
4
SAS Foundation is the traditional SAS installation, which enables you to write SAS programs or use
a point-and-click application such as SAS Enterprise Guide to assist with creating programs.
The platform for SAS Business Analytics is enterprise software that uses multiple machines throughout
the organization. This SAS platform consists of applications that help you accomplish the various tasks
for accessing and creating information, as well as performing analysis and reporting.
SAS Viya is a new computing platform from SAS. It offers a rich set of data mining and machine-learning
capabilities that run on a robust, in-memory, distributed-computing infrastructure. This platform provides
an environment that is unified, open, powerful, and adaptive.
Note: SAS Viya and SAS 9 represent an “and” strategy. Each is designed to solve different use cases.
For more information about SAS Viya: http://support.sas.com/documentation/onlinedoc/viya/
SAS Foundation
• The SAS windowing environment is used to develop and run SAS programs.
• SAS Enterprise Guide is a point-and-click interface that can also develop SAS
programs.
• SAS Studio is a development application for SAS that you access through
your web browser.
5
SAS Studio supports multiple web browsers, such as Microsoft Internet Explorer, Apple Safari, Mozilla
Firefox, and Google Chrome.
Platform for SAS Business Analytics
The platform for SAS Business Analytics is enterprise software with

components that exist on multiple machines throughout the organization.
6
The platform for SAS Business Analytics is also known as the SAS Enterprise Intelligence Platform
and the SAS Intelligence Platform.
The platform for SAS Business Analytics consists of several software offerings, including the following:
 SAS BI Server
 SAS Enterprise BI Server
 SAS Enterprise Data Integration Server (for renewals only) and SAS Data Integration Server
 SAS Data Management (Standard or Advanced)
SAS High-Performance Analytics
The SAS High-Performance Analytics infrastructure consists of software that

performs analytic tasks in a high-performance environment, which is
characterized by massively parallel processing (MPP). The infrastructure is
used by SAS products and solutions that typically analyze big data that resides
in a distributed data storage appliance Controller
or Hadoop cluster.
SAS ANALYTICS
Client
7
Apache Hadoop on Commodity Hardware
The SAS In-Memory Analytics Server divides analytic processes into manageable pieces and distributes
them in parallel across a dedicated set of blade servers, either Hadoop or commercial databases such as
Greenplum and Teradata.
SAS procedures, DS2 thread programs, formatted SQL queries, and scoring models are run inside the
database.
Here are the SAS In-Memory Analytics product solutions:
 SAS High-Performance Analytics products
 SAS Visual Analytics: web-based solution for exploring large data volumes
 SAS In-Memory Statistics: delivers statistical modeling and machine learning capabilities in a
programming environment
 SAS Code Accelerator for Hadoop (DS2)
Hadoop is an open-source software framework that provides distributed storage and processing of large
amounts of data. The data is divided into blocks and stored across multiple connected nodes (computers)
that work together.
SAS High-Performance Analytics: SAS Grid Computing
SAS Grid Manager provides a shared, centrally managed analytic computing

environment that has high availability and accelerates processing. It provides
workload management to optimally process multiple applications and
workloads to maximize overall throughput.
The Grid
SAS Grid
Manager
…
Set of Servers
8
Data Management
The data management components enable you to consolidate and manage

enterprise data from a variety of source systems, applications, and technologies.
The software and applications primarily include the following:
• SAS Data Integration Studio
• SAS Data Quality Server
• DataFlux Data Management Studio
• DataFlux Data Management Server
9
Data management components in SAS enable a data warehouse developer to create and manage metadata
objects that define sources, targets, and the sequence of steps for the extraction, transformation,
and loading of data.
SAS Data Integration Studio provides a powerful visual design tool for building, implementing, and
managing data integration processes regardless of data sources, applications, or platforms. An easy-to-
manage, multiple-user environment enables collaboration on large enterprise projects with repeatable
processes that are easily shared. The creation and management of data and metadata are improved with
extensive impact analysis of potential changes made across all data integration processes.
SAS Data Quality Server enables you to cleanse data and execute jobs and services on the DataFlux Data
Management Server to improve data quality. It is part of a number of SAS software offerings, including
SAS Data Quality and SAS Data Management.
SAS Data Quality Solution includes the following features:
 business rule validation – ensures that data meets organizational standards for data quality
and processes.
 data profiling – examines the structure, completeness, and suitability of your information assets.
 data quality – improves the quality of your enterprise information.
 entity resolution – matches data and identifies potential relationships across sources.
 master data management foundation – creates a hub of master data based on a subset of your existing
data through a phased MDM approach.
DataFlux Data Management Studio is a data management suite that combines data quality, data
integration, and master data management. It is the main administrative interface for DataFlux Data
Management Servers, DataFlux Authentication Servers, and other optional components.
DataFlux Data Management Server provides a scalable server environment for large Data Management
Studio jobs. Jobs can be uploaded from Data Management Studio to the Data Management Server where
the jobs are executed.
Advanced Analytics
SAS offers a rich and expansive portfolio of analytic products. The portfolio
includes products for predictive and descriptive modeling, data mining, text
analytics, forecasting, optimization, simulation, data visualization, model
management, and experimental design.
• SAS Enterprise Miner
• SAS Forecast Server
• SAS Model Manager
• JMP
10
SAS Enterprise Miner enables analysts to create and manage data mining process flows. These flows
include steps to examine, transform, and process data to create models that predict complex behaviors
of economic interest. The SAS Intelligence Platform enables SAS Enterprise Miner users to centrally
store and share the metadata for models and projects. In addition, SAS Data Integration Studio provides
the ability to schedule data mining jobs.
SAS Forecast Server enables organizations to plan more effectively for the future by generating
large quantities of high-quality forecasts quickly and automatically. This solution includes the
SAS High-Performance Forecasting engine, which selects the time series models, business drivers,
and events that best explain your historical data, optimizes all model parameters, and generates high-
quality forecasts. SAS Forecast Studio provides a graphical interface to these high-performance
forecasting procedures.
SAS Model Manager supports the deployment of analytical models into your operational environments.
It enables registration, modification, tracking, scoring, and reporting on analytical models that have been
developed for BI and operational applications.
JMP is interactive, exploratory data analysis and modeling software for the desktop. JMP makes data
analysis—and the resulting discoveries—visual and helps communicate those discoveries to others.
JMP presents results both graphically and numerically. By linking graphs to each other and to the data,
JMP makes it easier to see the trends, outliers, and other patterns that are hidden in your data.
SAS Business Intelligence
The business intelligence components enable users with various needs and
skill levels to create, produce, and share their own reports and analyses.
The software tools in the business intelligence category address two main
functional areas: information design and self-service reporting and analysis.
SAS Enterprise
BI Server
SAS Business
Intelligence SAS Office Analytics
SAS Visual Analytics
11
The SAS platform applications were created to organize the functions of various job roles into the
different applications. Instead of having one large client application that does everything for all people
across the organization, there are several applications to accomplish these tasks.
Some of the applications are installed on each user’s machine; others are accessed using a web browser.
SAS Add-In for The SAS Add-In for Microsoft Office enables business users to
Microsoft Office transparently leverage the power of SAS analytics, reporting, and data
access directly from Microsoft Office via integrated menus and toolbars.
SAS BI Dashboard SAS BI Dashboard is a point-and-click dashboard development application

that enables the creation of dashboards from a variety of data sources to
surface information visually.
SAS Data SAS Data Integration Studio enables a data warehouse developer to create
Integration Studio and manage metadata objects that define sources, targets, and the sequence
of steps for the extraction, transformation, and loading of data.
SAS Enterprise SAS Enterprise Guide provides a guided mechanism to exploit the power
Guide of SAS and publish dynamic results throughout the organization. SAS
Enterprise Guide can also be used for traditional SAS programming.
SAS Information The SAS Information Delivery Portal is a web application that can surface
Delivery Portal the different types of business analytic content such as information maps,
stored processes, and reports.
SAS Information SAS Information Map Studio is used to build information maps, which
Map Studio shield business users from the complexities of the underlying data by
organizing and referencing data in business terms.
SAS Management SAS Management Console provides a single interface for administrators to
Console manage the metadata and servers in the SAS platform. Specific
administrative tasks are supported by plug-ins to the SAS Management
Console.
SAS OLAP Cube SAS OLAP Cube Studio is used to create OLAP cubes, which are
Studio multidimensional structures of summarized data. The Cube Designer
provides a point-and-click interface for cube creation.
SAS Web Report SAS Web Report Studio provides intuitive and efficient access to query and
Studio reporting capabilities on the web.
Note: The applications listed above are not all of the applications available with the SAS platform.

SAS Visual Analytics is
• a web-based product that leverages SAS High-Performance Analytics
technologies to enable organizations to explore data of any size
• built on the platform for SAS Business Analytics and is designed to work
with the SAS LASR Analytic Server.
Clients Server Components
Web Browser SAS Visual Analytics

Web Applications Platform Servers
• Home Page • SAS Metadata Server
• Explorer • SAS Workspace Server
• Designer • and so on
Mobile Device • Viewer

• Data Builder
• Graph Builder SAS LASR Analytic Server
• Administrator
12
The SAS Visual Analytics infrastructure includes some of the same software components that are
included in the SAS platform. However, SAS Visual Analytics is installed in a dedicated environment that
includes specialized hardware and its own instances of SAS software and servers.
SAS Solutions
SAS Business Solutions leverage traditional strengths of SAS in data

management and data analysis into cross-functional, as well as vertically
specific, analytic application areas.
• Manage credit risk in financial services
• Develop, execute, and manage drug trials to market in life sciences
• Identify cross-sell opportunities in retail
• Forecast demand to predict outcomes in manufacturing
• Prevent fraud in insurance
• Monitor transactions for money laundering and terrorist financing
activities in banking
13
SAS Platform Job Roles

There are various job roles for users of the platform for SAS Business Analytics.
Platform for SAS

Business Analytics
14
SAS Platform Applications
The SAS platform

SAS Platform Applications
applications provide
intuitive point-and- Data Management Analytics Reporting
click interfaces
to surface the SAS Data Integration Studio SAS Enterprise Miner SAS Information Delivery Portal
power of business DataFlux Data

SAS Forecast Server SAS BI Dashboard
Management Studio
analytics.
SAS OLAP Cube Studio SAS Model Manager SAS Web Report Studio
SAS Information Map Studio JMP SAS Add-In for Microsoft Office
SAS Enterprise Guide SAS Studio
15
Classroom Environment
The classroom environment consists of a two-machine

sasserver
collection of a SAS deployment.
sasclient
Windows 2008 Server
sasserver
16 Linux Server
Accessing Your Server Machine
From your client (sasclient) machine, use mRemoteNG to access your

sasserver machine. Select sasserver from the left side of the mRemote
window. You are automatically logged on with the SAS installer credentials.
Windows 2008 Server Linux Server

17
Accessing the Classroom Environment
This demonstration illustrates how to access your two-machine collection and verify that the SAS servers
are started.
1. Access your Windows client machine.
Live Web Course Classroom Course
Use the URL in step 6 of the email that you Use a remote desktop connection with the IP
received from Live Web Administration. address that is given to you by your instructor.
Log on with these credentials:
User: Student
Password: Metadata0
2. Connect to the server machine and check the status of SAS servers.
For Linux Server

1. Use mRemoteNG as a terminal session to the Linux server. A connection to
sasserver.demo.sas.com is set up in mRemoteNG.
Double-click the mRemoteNG button on the desktop and then double-click the
sasserver.demo.sas.com session.
For
Linux Server
2. Navigate to /opt/sas/config/Lev1. Use the sas.servers script to verify the status of the
SAS servers: ./sas.servers status
3. If the servers are not started, enter the command ./sas.servers start. (The valid commands are
stop, start, restart, and status.)
For Windows Server

1. Use mRemoteNG as a terminal session to the Windows server. A connection to
sasserver.demo.sas.com is set up in mRemoteNG, using the install account sas
and the password Student1.
sasserver.demo.sas.com session connection.
2. Click the Services button in the system tray. With Services selected, scroll down to the
SAS services. Verify that the status for all the SAS services is Started.
Note: In a typical deployment, the Windows services would have a start-up type of
Automatic. The classroom image uses a batch file to start services.
3. If the SAS services are not started, open a CMD window under Start  Command Window.
4. Enter the d: command.
5. Enter cd scripts.
6. Enter stopSAS.
Enter Y when prompted.
This displays the services that are being stopped. Enter Y again when prompted.
A message is displayed when the script is done.
7. Start the servers with the startSAS script. This displays the services as they are starting.
8. Click OK.
9. Click OK.
A message is displayed when the script is done. (You can start the Task Manager to watch the
CPU activity.)
Exercises
1. Locating and Opening the Instructions.html Document

This exercise illustrates how to find SAS web application URLs for our SAS environment, which
are documented in Instructions.html.
Instructions.html is the reference document for your SAS deployment and would contain any
manual configuration steps that must be performed. It provides an overview of your deployment,
including the web application URLs. It is located under the SAS configuration directory in the
Levn/Documents subdirectory (for example: D:\SAS\Config\Lev1\Documents).
Note: An Instructions.html document is created on each machine that executes the
SAS Deployment Wizard.
a. Access your Windows client machine.
Use the URL in step 6 of your email that Use a remote desktop connection with the IP
you received from Live Web address that is given to you by your instructor.
Administration.
User: Student
Password: Metadata0
b. Connect to the server machine and check the status of SAS servers.
For Linux Server

For
Linux Server
3. If the servers are not started, enter the command ./sas.servers start. (The valid commands
are stop, start, restart, and status.)
Note: The SAS Web Application Server might take as many as 15 minutes to start.
For Windows Server

sasserver.demo.sas.com is set up in mRemoteNG, using the install account sas and the
password Student1.
3. If the SAS services are started, go to Step C.
4. If they are not started, open a CMD window under Start  Command Window.
7. Enter stopSAS.
This displays the services that are being stopped.
Enter Y again when prompted.
9. Click OK to the message prompt.
10. Click OK to the second message prompt.
A message is displayed when the script is done. (You can start the Task Manager to watch
the CPU activity.)
c. Locate and open the Instructions.html document. In a default deployment, it is located under the
configuration directory in the Levn/Documents subdirectory.
For Linux Server

1. Use WinSCP located on the client desktop. Navigate to /opt/sas/config/Lev1/Documents.
2. Right-click Instructions.html and select Open. (Double-clicking the file renders it in the
WinSCP editor, not Internet Explorer.).
3. (Optional) You can use MRemoteNg. Use the firefox

/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.
For Windows Server

1. Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.
2. Double-click Instructions.html to open the document in Internet Explorer.

Note: You are opening Internet Explorer on the server machine.
d. Click SAS Web Applications in the Overview list at the top of the page.
e. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
URL for the SAS Studio web application.
For Linux Server
For Windows Server
Note: The page request is going through the SAS Web Server. The port for the SAS Web Server
differs on Windows and Linux environments.
f. The SAS Logon Manager appears initially. The purpose of the SAS Logon Manager is to
authenticate and direct a successful sign-in to the appropriate web application. It enables the user
to access all SAS web applications without a credential change.
Sign in as Eric and use the password: Student1.
g. Enter the following code in the Program Editor:
proc setinit;
run;
Note: This procedure writes site information to the log, such as site number, expiration
of license, and the SAS products that are licensed.
h. Click Run (the running person icon) located above the code to submit the program.
i. The Log window appears. It contains a note that includes a list of the SAS software products that
are licensed in this environment. Review the information.
On what operating system are these products licensed?
What products listed pertain to data access?
j. Close out of Internet Explorer.
2. Looking Up the SAS Software Components That Are Licensed and Installed
a. On the client machine, open SAS Enterprise Guide. Select Start  All Programs  SAS 
SAS Enterprise Guide 7.1. (Close the Welcome window.)
b. On the Resources pane in the bottom left of SAS Enterprise Guide, expand Servers.
c. Expand SASApp.
d. Right-click SASApp and select Properties.
e. Click the Software tab.

Note: In order to see the software that is licensed and installed, the client has to be connected
to a workspace server.
f. Click View SAS Server Products.
This view shows licensed and installed products for the SASApp server context. When you run
the SETINIT procedure, which was done in the demonstration and exercise, the list written
to the log is only what is licensed.
g. Close the SAS Server Products window and the SASApp Properties window.
3. Using the SAS Installation Reporter Program
You run the program identified below to generate a report that shows which SAS components (for
example, software, client applications, and hot fixes) are installed.
a. Use SAS Enterprise Guide or SAS Studio to run the sasinstallreport.sas program located in the
following directory on your client machine: D:\Workshop\spaft.
b. Review the results in the log.
The report includes the following information:
 licensed SAS software (for example, Base SAS and SAS/STAT)
 installed SAS software
 installed SAS clients or applications (for example, SAS Enterprise Guide and the SAS System
Viewer)
 installed SAS hot fixes (along with cursory status).
 other versions of SAS software (only in Windows environments and when the XCMD system
option is enabled)
 information about your deployment, including orders and configured servers
 installed and running SAS Windows services (when the XCMD system option is enabled)
Note: To download the program in your environment, see Usage Note 20390, “The SAS
Installation Reporter program creates a report showing which applications, clients, and
hotfixes are installed”: http://support.sas.com/techsup/notes/v8/20/390.html
Note: There are two SAS procedures that give you similar information:
 The SETINIT procedure tells you what is licensed and the expiration dates, and it
works in all versions of SAS.
 The PRODUCT_STATUS procedure tells you what is installed. Some products
might be licensed but not installed. For example, if you are not actively using the
product, you might not want to use disk space.
4. Considering Users and Applications

What types of users do you have at your site and which SAS applications are used by these users?
Platform Job Role Applications
1.2 Reviewing Platform Administration Deployment and Maintenance Tasks 1-23
1.2 Reviewing Platform Administration

Deployment and Maintenance Tasks
Objectives
• Explore the SAS software life cycle.

• Explore the SAS platform administration life cycle.
• Review the contents of the SAS software depot.
• Review the tools for SAS deployments and updates: SAS Deployment
Wizard and SAS Deployment Manager.
• Review and run the deployment registry report.
22
SAS Software Life Cycle
The SAS software life cycle involves planning, deploying, and administering
SAS software.
23
The SAS administrator might be responsible for planning, designing, deploying, monitoring, and
maintaining a SAS environment—whether it is in the cloud or in a data center.
During the development phase:
 A customer’s requirements are gathered to understand how the features and behaviors of SAS can
support the objectives of the organization.
 A design is created with the detailed requirements of the business and IT stakeholders regarding
security, scalability, availability, integration with third-party technology, installation specifications,
monitoring and auditing, configuration management, disaster management, and performance.
 A plan to build and test the SAS platform is performed. With pre-installation, the infrastructure is
prepared for SAS software. SAS software is installed and configured and validated.
During the operational phase:
 Activities to bring on board the end user and administration stakeholders are performed, to include
training and identifying efficient SAS administration practices.
 The SAS administrators will perform tasks to keep the system healthy and available for the SAS users.
 Continue to strengthen and optimize business analytics service capabilities and capacity by evolving
the SAS environment.
Administer, Manage, and Update
The following activities are typically undertaken by administrators or consultants

to enable business as desired.
Key enablers
• User management
• Authentication
• Authorization
• Manage and apply licenses
• Provision client applications
• Back up and restore
• Encryption
• Monitor servers
• Schedule batch tasks
• Promote content
• Apply hotfixes and
maintenance
• Maintain storage capacity
• Maintain I/O throughput
capacity 24
SAS Platform Administration Life Cycle

Managing a SAS deployment is an ongoing exercise. Administrators perform
a wide variety of tasks that fall under these categories:
Deployment Maintenance
Administration Tasks Administration Tasks
Backups and Recovery Apply Maintenance Apply Hotfixes
Update Hostnames Update Passwords
Client Applications Provisioning
Maintain Hardware Capacity
Encryption Authentication Update Licenses
Ongoing Administration Tasks Metadata Administration Tasks

Schedule Batch Tasks
User Management
Maintain I/O Throughput Capacity
Metadata Server Backups
Backups and Recovery Authorization
Monitoring Servers Promotion of Content
25
Some of these tasks occur once. Others occur on a daily, weekly, or monthly basis. Administrators are
asked to perform a wide variety of tasks that can be grouped in the following ways:
 Deployment Administration Tasks: Immediately after a deployment, initial administration tasks
might include activities necessary to protect the integrity of your system, such as configuring
encryption, authentication, and authorization, and establishing a regular backup schedule. These tasks
can be performed only once and perhaps updated occasionally, or revisited if major elements of the
SAS platform or the business requirements change.
Client Application Provisioning
 Ensuring that pre-install requirements are met
 Adding SAS desktop applications to users
 Adding third-party components like Adobe Flash to enable web application usage for some SAS
offerings
 Updating clients for hotfixes and maintenance releases
Authentication
There is no single mechanism that is applicable to all authentication events throughout a typical
deployment. Each deployment uses some combination of authentication processes, trust relationships,
and single sign-on technologies.
Encryption
The platform offers encryption features that help protect information about disk and in transit. Here is
an overview of encryption support:
 Passwords in configuration files and the metadata are encrypted or encoded. Most other metadata is
not encrypted.
 Passwords in transit to and from SAS servers are encrypted or encoded. You can choose to encrypt
all such traffic, instead of encrypting only credentials.
 When you obtain and implement certificates for SAS Web Server and other middle-tier components,
you can use auto-generated certificates from SAS Deployment Wizard or provide your own.
Backups and Recovery
Backups of your SAS platform are scheduled by default at deployment, but they can be modified
anytime after in SAS Management Console, SAS Environment Manager, or with scripting tools.
 Maintenance Administration Tasks: These tasks are performed at the time of a major upgrade of
the software, such as a maintenance release or adding products, license renewals, and applying
hotfixes.
 Metadata Administration Tasks: These tasks include setting up user access to data and metadata
resources, set and manage metadata security, ensure that metadata is being backed up, and promotion
metadata.
 Ongoing Administration Tasks: These tasks are performed on an ongoing basis to keep the SAS
Intelligence Platform operational. When a deployment is up and running, it requires regular
management and maintenance such as monitoring servers and activity.
For detailed information about administration tasks, view the Checklist of SAS Platform Administration
Tasks: http://support.sas.com/resources/papers/Platform-Administration-Tasks.pdf
Best Practice: Know Where Your SAS Environment Is!
A first step for any SAS administrator is to know his or her SAS environment.
Know where your installation depot and all corresponding documents are.
Know which SAS products are installed, and which SAS versions and releases.
Key management and maintenance tasks also vary based on characteristics
of the SAS deployment:
• Licensed products and solutions
• Volume and type of users
• IT requirements such as uptime, change management, security, auditing
All relevant documentation describing your SAS platform should be stored,
for use by all SAS or IT administrators, in one central location. This includes
installation checklists, post-install docs,26 security models, and log locations.
SAS Software Depot
The SAS Software Depot is the central location from which you update your
SAS software. The depot contains
• SAS Deployment Wizard executable
• a collection of SAS installation files
• one or more orders
• your initial SAS 9.4 software order
and additional orders that you
make in the future.
27
A single depot maintains disk copies of installation media for all of your orders, optimizing space by
storing a single copy of any product that appears in multiple orders. The SAS Deployment Wizard is
located at the root of the SAS Software Depot alongside folders that contain license files, third-party
support files, various deployment utilities, and the packages from which products are installed and
configured.
Here are the benefits:
 With a centralized SAS Software Depot, you can run the SAS Deployment Wizard on each of your
machines directly from this network-accessible depot.
 You can apply maintenance and upgrades easier.
 You can save time and disk space if you maintain all of your SAS orders in a single depot. You save
space by sharing content across orders, and you save download time by downloading only the product
content that has not already been downloaded as part of another order.
 Hotfixes, license keys, plan files, and so on, are all organized in one designated location.
SAS 9.4 Intelligence Platform: Installation and Configuration Guide:
http://support.sas.com/documentation/cdl/en/biig/63852/HTML/default/titlepage.htm
SAS Deployment Wizard and SAS Deployment Manager 94: User’s Guide
http://support.sas.com/documentation/installcenter/en/ikdeploywizug/66034/PDF/default/user.pdf
SAS Tools for Deployments and Updates

Deployment Administration Tasks
SAS Download Manager Backups and Recovery
• Downloads new software and updates Client Applications Provisioning
the SAS Software Depot Encryption Authentication
SAS Deployment Wizard

• Initial installation and configuration
Maintenance Administration Tasks
• Updating and applying maintenance Apply Maintenance Apply Hotfixes
SAS Deployment Manager Remove or Update Existing configurations
• Installing hotfixes Update Hostnames Maintain Hardware Capacity
• Started by the SAS Deployment Update Passwords Update Licenses
Wizard during updates

28
SAS Deployment Wizard
The SAS Deployment Wizard is used to install and deploy all SAS 9.4 software.
It provides a broad range of installations:
• on a single machine
• on many machines across several tiers
• silently or interactively
29
Deployment Registry Report
Before updating your SAS products or applying hotfixes, you need the
product release numbers for all SAS products at your site. To determine these
product release numbers for each machine in your SAS deployment, generate
a deployment registry report and save it for future reference.
The ViewRegistry reporting

utility processes the
deployment registry and
generates a report. 30
The installation of SAS products is logged in the SAS Deployment Registry. ViewRegistry is a reporting
utility that processes the deployment registry to generate a report. This report identifies all SAS 9.2 and
later software that is installed in the current SASHOME location. Installed hot fixes are also logged in the
SAS Deployment Registry and reported in DeploymentRegistry.html.
Beginning with SAS 9.4 M3, the default output reports only the current release of product components
that are installed in the current SASHOME. Duplicate product component entries appear only for
products that support side-by-side deployment (for example, SAS Enterprise Guide and SAS Add-In for
Microsoft Office). The -all option can be used to report on all product components that have been
installed in SASHOME.
The ViewRegistry report is generated by executing the JAR file sas.tools.viewregistry.jar. This JAR file
is located in the SASHOME/deploymntreg directory and must be executed from this directory.
Two output files are produced by the reporting utility: DeploymentRegistry.html and
DeploymentRegistry.txt. The HTML and TXT output files are written in the SASHOME/deploymntreg
directory. Note that in order to run the reporting utility, Windows users must have Write permissions for
the deploymntreg directory (the default location is D:\Program Files\SASHome\deploymntreg)
because the resulting reports are written to this location. UNIX users must have Write permission to the
SASHOME location.
For more information about using the ViewRegistry report, see Usage Note 35968, “Using the
ViewRegistry Report and other methods to determine the SAS 9.2 and later software releases and hot
fixes that are installed”: http://support.ss.com/kb/35/968.html.
SAS Deployment Manager
SAS Deployment Manager is used for post-installation configuration tasks

such as configuring some products, applying hotfixes, updating metadata,
and uninstalling SAS software.
For example, to fully renew SAS software
and ensure that SAS Environment
Manager has the correct date for its
metrics on license expiration, always
use SAS Deployment Manager to do
these two things:
• update the SAS license
• update the SID file in metadata
31
SAS Deployment Manager is a graphical user interface that enables you to do the following:
 update passwords for the service accounts that were configured when you ran the SAS Deployment
Wizard
 rebuild and redeploy web applications that have previously been configured but whose configuration
has changed
 remove one or more components of a SAS Intelligence Platform configuration from your environment
 update setinit (license) information in metadata for some SAS solutions that depend on a SAS middle
tier
 manage the default associations between file types and SAS software
 change the host names (including the network domains to which they belong) of server machines in
your deployment
 apply downloaded hotfixes to your SAS software
 update existing configuration for SAS products that have been updated or upgraded
 change the passphrase that is used to encrypt stored passwords
 configure the language and region for SAS Foundation and certain SAS applications
 configure autoload directory for SAS Visual Analytics
 uninstall SAS software
 configure and manage the SAS Deployment Agent service
 configure certain SAS/ACCESS products to include Hadoop configurations
 manage Trusted CA Bundle
For details, see “Overview of SAS Deployment Manager” in SAS® 9.4 Intelligence Platform: System
Administration Guide, Third Edition
The SAS Deployment Manager includes a task to update the license file in the metadata.
http://support.sas.com/documentation/cdl/en/bisag/68240/HTML/default/viewer.htm#n1dkjbmslqht
w2n1rfte1g05py2h.htm
Updating SAS Deployments
You can update your existing SAS Software by doing the following:
• Installing and configuring a SAS product that is new to your system.
• Applying maintenance. Maintenance releases provide updates and new
functionality for SAS products and solutions
• Installing hotfixes. Hotfixes repair problems that have been identified in
SAS product code.
Chapter 9
32
Here are two common scenarios for adding to your SAS deployment:
 You ordered the SAS product but did not install it.
 You are deploying new products from a new SAS order.
There are two types of maintenance releases:
 A SAS maintenance release is a maintenance release for SAS Foundation. This type of maintenance
release includes software changes for multiple SAS products, such as Base SAS and SAS/GRAPH.
 A product-specific maintenance release is a maintenance release for a specific product, such as the first
maintenance release for SAS Forecast Server. This type of maintenance release includes software
changes for a single SAS product.
Update-in-place is the process of updating an existing SAS deployment to

apply maintenance or add and update SAS products. The update modifies the
existing deployment rather than creating a new deployment.
The SAS Deployment Wizard

automatically enters Update mode
if the software in the SAS Depot is
more recent than the software in
the SASHome directory.
33
SAS® 9.4 Guide to Software Updates:

http://support.sas.com/documentation/cdl/en/whatsdiff/66129/HTML/default/titlepage.htm
Exercises
5. Adding SAS Enterprise Guide as a Stand-Alone Product

Beginning with SAS 9.4, SAS Enterprise Guide and SAS Add-In for Microsoft Office can be
delivered in a smaller format that does not require using the SAS Deployment Wizard. (The standard
format is to be installed by the SAS Deployment Wizard.) This second format makes it much easier to
install over a distributed deployment, especially using provisioning tools such as SCCM from
Microsoft. These products are available only on Windows.
a. On the server machine, navigate to where the SAS Software Depot is and the subdirectory
standalone_installs.
For Linux Server

Use WinSCP for navigation because you will need to copy this directory to your
windows client machine.
/opt/sas/depot/standalone_installs/SAS_Enterprise_Guide_Independent_Installer
For Windows Server

D:\SAS\depot\standalone_installs\SAS_Enterprise_Guide_Independent_Installer
b. Copy the SAS_Enterprise_Guide_Independent_Installer directory to the client machine.

For Linux Server: Use the WINSCP application to copy from the Linux server to the windows
client machine.
c. Run the executable: SASEnterpriseGuide71_x86_x64.exe
For Linux Server: Do not open the executable through WINSCP. Instead, navigate to the
executable through Windows Explorer on the client machine.
d. Follow the SAS Deployment Wizard instructions but do not start the install because those
products are already installed.
Note: If you are installing to a system that has a previous version of an independent product
already installed, the executables update the product to the version used in the name of
the file.
1) Click Install on the Ready to Install page to continue.
2) The Initializing and Installing page opens. When the files have been moved, the Choose
Language page opens. Click OK.
3) The Select Enterprise Guide Mode page opens. Click Next to continue.
4) The Select Language Support page opens. You can click Clear All to remove the selection
from all of the languages except English. Click Next to continue.
5) The Checking System page opens as the installer ensures that the machine has the resources
necessary. Click Next to continue.
6) Click Cancel because the same version of SAS Enterprise Guide is already installed on this
machine.
Note: Command line options all work with the independent installers, which allows for quiet
deployment. All responses are created in a response file using Record mode and then use
Quiet Playback mode to perform the quiet deployment on the target machine.
Refer to Appendix A of SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User’s Guide,
available at http://support.sas.com/deploywizug94.html.
6. Accessing Deployment Manager
Access SAS Deployment Manager and review the tasks. Also, view the internal service accounts that
would be updated with this application. However, do not be update passwords at this time.
a. On the server machine, navigate to SAS Deployment Manager.
For Linux Server
Navigate to /opt/sas/SASHome/SASDeploymentManager/9.4 and run

sasdm.sh:
./sasdm.sh
For Windows Server
Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4

and run sasdm.exe.
b. Click OK when prompted for language.

c. Scroll through the list of tasks that are performed in SAS Deployment Manager.
d. With Update Passwords selected, click Next.
e. Click Next to move through the selection of configuration directory and level.
f. Enter Student1 as the password for sasadm@saspw. Click Next.
g. Enter Student1 as the password for ShareServices. Click Next.
h. Review the list of internal service accounts that were created at SAS deployment. Click Cancel
because no passwords need to be updated.
i. Click Yes when prompted to verify that you want to cancel.
Note: Passwords for any service accounts that you introduce in SAS Management Console are not
managed by this tool. For example, if you designate a new logon as the launch credential for
a server, that launch credential is not automatically added to the list of accounts that the SAS
Deployment Manager can update.
7. Generating the Deployment Registry Report

The installation of SAS products is logged in the SAS Deployment Registry. The deployment registry
report processes the deployment registry and identifies all SAS 9.2 and later software that is installed
in the current SASHOME location. Installed hotfixes are also logged in the SAS Deployment
Registry and reported in DeploymentRegistry.html.
Note: For details about running the ViewRegistry report, see Usage Note 35968:
http://support.sas.com/kb/35/968.html.
The ViewRegistry utility that is used to generate the report is installed in SASHome/deploymntreg.
For Linux Server

1. Navigate to /opt/sas/SASHome/deploymntreg
2. Run the command java –jar sas.tools.viewregistry.jar.
3. Open DeploymentRegistry.html in the same directory. (You can use the WinSCP application
that has a shortcut on your desktop or use Firefox on your Linux server.)
For Windows Server

1. Open a command window and navigate to C:\Program Files\SASHome\deploymntreg.
2. Run this command:

"C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe"
-jar sas.tools.viewregistry.jar
3. Navigate to C:\Program Files\SASHome\deploymntreg and open DeploymentRegistry.html

Review the versions of SAS software installed.
1.01 Multiple Choice Poll
Which of the following tasks are performed using SAS Deployment Manager?
a. updating license information

b. deploying SAS software
c. changing host names
d. updating passwords for user accounts
e. starting SAS Deployment Agent
36
1.02 Poll
The deploymntreg directory is located under your SAS Software Depot.
 True
 False
38
1.3 Reviewing Platform Administration Metadata and Ongoing Tasks 1-37
1.3 Reviewing Platform Administration

Metadata and Ongoing Tasks
Objectives
• Explore the platform administration tasks.

• Explore applications used to administer the platform.
41
Metadata Administration Tasks
Enable the users in your organization to begin using SAS applications to

access and analyze data.
Metadata Administration Tasks
User Management Data Access Management
Metadata Server Backups : SAS Management Console

Metadata Manager Plug-in
Authorization: Setting up a SAS Folder Structure
Promotion of Content: SAS Management Console

or Batch Tools
42
Adding Users and Managing Access
In order to make access distinctions and track user activity, create SAS
identities for your users.
User management is
Users
covered in Chapter 4.
Groups
Ellen
Henri
Sales
Marketing
43
Setting Up Your Metadata Folder Structure
The SAS applications use a hierarchy of SAS folders to store metadata,

including the metadata folders shown below:
• libraries
• tables
• OLAP cubes
• jobs
• information maps
• stored processes
• reports Metadata is covered
in Chapter 3.
44
The initial SAS folder structure provides private folders for individual users. Within the SAS folders,
you should create a customized folder structure that meets your specific needs.
Establishing Connectivity to Data Sources
In order to make data available to most SAS applications, you need to register
data sources in the metadata, including these listed below:
SAS data sets OLAP cubes
LASR tables XML files

RDBMS tables
Information maps
Hadoop (HDFS)
Data access is covered

in Chapter 7.
45
Metadata Security
Setting security in the metadata occurs in conjunction with several

administrator tasks:
• adding users and managing access
• establishing connectivity to data sources
• setting up your metadata folder structure
Caution: It is important to plan security for your environment

before implementing it.
Metadata security is
46
Best Practice: Write and Maintain a Security Model
The SAS administrator should write and maintain a security policy to include
• authorization (access rights and permissions) in SAS
• any data or databases accessed via SAS
• OS-managed assets.
The security model refers to security-related procedures that apply to the

installation, configuration, and management of the SAS platform. The model
conforms to whatever standards and practices are followed by your
organization.
47
Here are the major components of a security model:

 Users and groups definitions and authentication
 Specification of what users and groups have access to which resources (authorization)
 Organization of SAS assets on the file systems and in SAS metadata
 Encryption procedures
 Backup/recovery of SAS assets.
You should be aware of the following components that have been put in place during the installation and
deployment process:
 SAS Metadata Server
 SAS Application Server components
 Other SAS Servers
 Ports that are used by each server to listen for incoming requests
 Configuration directories that store configuration files, logs, scripts, and special-purpose SAS data sets
on each SAS server machine and each middle-tier machine
 Initial SAS users, groups, and roles that have been defined, both on your host OS and the SAS
Metadata Repository
Best Practice: Backing Up the SAS Platform
To ensure the integrity of the content that is created and managed by the
SAS platform, the following are recommended best practices:
• Always use the metadata server backup facility to back up the repository
manager and metadata repositories.
• Perform regularly scheduled full backups.
• Perform backups before and after major changes.
• Specify a reliable backup destination that is included in daily system backups.
Have a disaster recovery plan in place (which includes Backups are covered
the SAS recovery tools) as part of a larger scheme of in Chapter 3.
recovering all of your SAS software.
48
In addition to performing regular full backups, in some situations, it might be appropriate to back up
specific objects or folders in the metadata folders (SAS Folders) tree. In these situations, you can use the
promotion tools, which include the Export SAS Package Wizard, the Import SAS Package Wizard, and
the batch export and import tools.
Note: You should synchronize the backups with the backup of other physical files.
Moving Metadata
As an administrator, you might need to move metadata either within the same
deployment or across different deployments.
Promotion is the process of copying selected metadata and associated content
within or between planned deployments of SAS.
49
Objects can be promoted from one location in the SAS Folder tree to another location in the same tree.
For example, you might want to promote a newly created or modified object from a user’s home folder to
a shared location.
Promotion can also be used to create a backup of specific folders and objects.
Among the promotion tools are the following:
 the Export SAS Package and Import SAS Package Wizards in SAS Management Console, SAS Data
Integration Studio, and SAS OLAP Cube Studio. However, SAS Data Integration Studio and SAS
OLAP Cube Studio can export and import only the objects that pertain to the application.
 the batch export tool and the batch import tool. The batch import tool and export tool are called
ImportPackage and ExportPackage and are located in SAS-installationdirectory
\SASPlatformObjectFramework\9.4
The package format is the same regardless of the host machine’s operating system or the tool (wizard or
batch tool) used to create it.
continued...
SAS Tools for Metadata Management
SAS Management Console is a desktop client application that enables

administrators to administer metadata, register users, and set metadata
security.
Administrative functionality is
presented through plug-ins.
Metadata is organized
in folders.
50
SAS Management Console provides a single interface for administrators to manage the metadata
and servers in the SAS platform. Specific administrative tasks are supported by plug-ins to
SAS Management Console.
Another tool, SAS Web Administration Console, is a web-based interface that enables you to do the
following:
 monitor which users are logged on to SAS web applications
 view audit reports of logon and logoff activity
 manage notification templates and letterheads
 manage web-layer authorization (including privileges, roles, and permissions)
 access the SAS Content Server Administration Console
 view the current configuration of the web applications

 dynamically adjust logging levels for some web applications
SAS Tools for Metadata Management
SAS Environment Manager Administration enables you to manage

SAS resources and resource definitions, including the following:
• folders and objects
• authorization controls
• user and group definitions
• library definitions
• database server definitions
• SAS content backups
51
For details, see SAS® Environment Manager Administration: User's Guide:

http://support.sas.com/documentation/cdl/en/evadmug/68379/HTML/default/viewer.htm#titlepage.htm
Note: You can use Help in the SAS Environment Manager Administration interface.
Comparison of SAS Management Console and the Current Version of SAS Environment Manager
Administration Task Available in Available in

Environment Management
Manager Console
Start, stop, and restart the SAS Web Application Server; and start, 
stop, and reload web applications
View metrics on the availability, performance, utilization, resource 

consumption, and throughput of server machines on the middle tier
and the SAS server tier. Set up alerts based on these metrics
Use reporting tools to obtain a comprehensive view of the 

performance and status of your SAS environment and its resources
Start servers on the SAS server tier 

Pause, resume, quiesce, and stop servers on the SAS server tier;  
and view the status of server processes on the SAS server tier
View events of a specified level from server log files  

View server logs and dynamically change logging levels 
Validate servers on the SAS server tier and run the Deployment 
Tester
Schedule, configure, monitor, and perform integrated backups of 

your SAS content across multiple tiers and machines
Back up and restore the metadata server, and create and administer
metadata repositories

Monitor the operation of grids, and administer grid hosts, queues,
and jobs
 
Schedule flows to run on a scheduling server 
Browse the contents of SAS folders, view and update properties of
folders and objects, and rename and delete objects
 
Create, rename, and delete SAS folders  
Create and modify metadata definitions for users, groups, and
roles; and manage memberships, logins, and internal accounts
 
Administration Task Available in Available in

Environment Management
Manager Console
Define metadata access rules, and create and update access control
templates (ACTs)
 
Browse any type of library or server that has been defined in
SAS metadata
 
Create and modify metadata definitions for Base SAS libraries,
SAS LASR Analytic Server libraries, and SAS LASR Analytic
Servers
Create and modify metadata definitions for other types of

SAS libraries and servers

Create and modify metadata definitions for database schemas, map
services, servers, stored processes, publication channels, and

subscribers
Display lineage information 

Promote (export and import), copy, and paste metadata 
View and modify configuration attributes for SAS applications,
and view and modify deployment configurations for infrastructure

and extension services that are used by these applications
Ongoing Administration Tasks
Ongoing system administration tasks keep the platform operational.

Ongoing Administration Tasks
Use server logs and configure
logging options
Monitor the activity
Schedule batch tasks
of servers
Start, stop, pause, resume, and refresh
Set up alerts the servers that are used in the system
Backups and recovery
Maintain I/O throughput capacity
52
Checking the Status and Operating Servers
SAS provides a number of tools that you can use to determine the status,
operation, and monitoring of your servers and spawners, including the following:
• SAS Environment Manager
• SAS Management Console
• scripts
• third-party monitoring tools
Each server has a logging configuration file that controls the destination,
contents, and format of the log for that server.
Server monitoring is covered
in Chapters 2, 5, and 8.
53
Solution-specific administration interfaces are available, such as SAS Visual Analytics Administrator.
There are also some optional setup tasks that might be necessary for you to modify your initial
configuration to meet specific requirements in your environment. Optional administration and
configuration tasks include the following:
 install sas.servers as a boot script
 optimize performance of the metadata server
 modify the configuration of your processing servers
 optimize web application performance
 adjust server logging
 enable job and report scheduling
 increase Java head memory allocation for desktop applications
 set up change management for SAS Data Integration Studio jobs
 collect ARM log information for SAS Data Integration Studio batch use
For additional information, see “Optional Setup Tasks” in SAS® 9.4 Intelligence Platform: System
Administration Guide, Fourth Edition.
continued...
SAS Environment Manager
SAS Environment Manager is a web-based administration tool that enables you

to monitor the performance, health, and operation of your SAS deployments,
including the operation of SAS servers on the server tier and middle tier.
Features include the following:
• collect and chart data on metrics for
SAS resources
• monitor log events and reporting alerts
• incorporate the monitoring and managing
of IT and SAS resources into a service
management strategy including Environment Manager architecture
predefined reports is covered in Chapter 2.
54
SAS Environment Manager is an operational monitoring and management system for SAS deployments.
SAS Environment Manager incorporates some of the Hyperic technology from VMware in order to offer
enterprise-class operational features. It incorporates plug-ins that are designed for administration,
management, and monitoring of SAS technologies.
Beginning with SAS Environment Manager 2.4, the component SAS Environment Manager Data Mart
Performance and Usage Reporting is also included. Extract, transform, and load (ETL) processes obtain
metric information from the SAS Environment Manager agent and from SAS logs, standardize the data,
and store the data in the SAS Environment Manager Data Mart. From there, the data is used to produce
predefined reports in the Report Center.
For details, see SAS® Environment Manager: User's Guide:

http://go.documentation.sas.com/?cdcId=evcdc&cdcVersion=2.5_M1&docsetId=evug&doc
setTarget=titlepage.htm&locale=en
SAS Management Console
The Server Manager plug-in in SAS Management Console enables you to

monitor your SAS servers.
SAS servers are

55
Accessing SAS Management Console and SAS Environment

Manager
This demonstration introduces SAS Management Console and SAS Environment Manager.
1. On the client machine, start SAS Management Console by selecting Start  SAS Management
Console. When the Connection Profile window appears, click OK to connect with the My Server
connection profile. Log on as Ahmed using the password Student1.
Note: Ahmed is the SAS administrator in our classroom environment.
2. Because we are logged on as Ahmed, we can see all three tabs: Plug-ins, Folders, and Search.
A plug-in is an application module that is designed to create and maintain metadata for a specific type
of resource.
Only certain users can view and use plug-ins. A user’s access depends on which roles the user is
assigned to and which capabilities are assigned to those roles. We cover roles in Chapter 4.
These are some of the plug-ins:
 Authorization Manager: used to define and maintain access rules to control how users and groups
can access metadata definitions.
 Data Library Manager: used to create and maintain definitions for SAS libraries and database
schemas.
 Metadata Manager: used to perform administration tasks related to the SAS Metadata Server.
 Server Manager: used to create and maintain server definitions.
 User Manager: used to create and maintain definitions for users, groups, and roles.
3. The Folders tab displays the SAS Folders hierarchy. Metadata is organized and viewed through
the folders.
You can keep SAS Management Console minimized on your desktop because you use the application
throughout class.
4. Open Internet Explorer or Google Chrome from the client machine using the taskbar. Click SAS
Environment Manager on the Favorites bar.
Note: To access SAS Environment Manager, use your web browser to got to
http://<localhost>:7080, where localhost is the machine on which the SAS Environment
Manager server is installed.
5. Sign in as sasadm@saspw using password Student1.
6. Your initial view will be the dashboard. Click Resources  Browse, or click Resources and that
takes you to the Resources page. Your SAS resources can be viewed and monitored from here. These
resources are categorized by Platforms, Servers, and Services. There are other groupings that can be
used for ease of access to resources.
7. By clicking an entry, such as sasserver.demo.sas.com Object Spawner – sasserver under Servers,

you are taken to the monitoring page of that resource.
8. Metrics are displayed that are relevant to this resource, and you can navigate to Inventory to see
configuration details; Alerts to see alerts for this resource, modify existing alerts, or create new alerts;
or Control to perform or schedule a control action, such as starting, stopping, or restarting the object
spawner.
These actions are discussed in subsequent chapters.
9. Click the Administration tab.
10. The Administration page is where you can manage SAS metadata. The application provides these
functions through the use of modules. Each module manages a specific type of SAS metadata.
Initially, the application displays the Folders module. This view enables you to view and manage
SAS folders and the metadata objects that they contain.
11. To switch to a different module, click the Side menu icon to open the side menu, which displays
a list of all of the available modules. Click a module name to open it and view the specific objects that
the module manages.
12. Click Servers.
13. Expand SASApp  SASApp - Logical Workspace Server  SASApp - Workspace Server.
14. Right-click SASApp - Workspace Server and select Open to see the metadata properties. (You can
also double-click on the metadata object.)
15. Object definitions open on the Basic Properties page. The title of the page is displayed at the top of
the page, next to the entry’s name. To view other property pages for the definition, click the page title
to display a menu of the page titles.
16. As you open object definitions in the modules, the object counter icon on the toolbar keeps
track of the definitions that are open and provides easy access to an open definition. The counter on
the icon indicates the number of object definitions that are open. Click the icon to display a menu of
all open definitions. Select an item in the menu to go to that definition. An asterisk beside an entry in
the menu indicates that the definition has been changed but not yet saved.
Note: It is a good idea to not have many definitions open, because it causes erroneous views of
metadata definitions.
17. You can keep SAS Environment Manager and SAS Environment Manager Administration minimized
throughout class, although you will need to log back in each day because the time-out interval of
cached credentials for SAS web applications is 12 hours, by default.
Exercises
8. Exploring Metadata in SAS Management Console

a. On the client machine, log on to SAS Management Console. Use the sasserver profile
and provide the user ID Ahmed and the password Student1.
b. On the Plug-ins tab, expand Data Library Manager  libraries.
c. Right-click Sales Analysis Library and select Properties to see the metadata definition. The
answers to the questions can be found on the Properties tabs.
Where is the location of this library definition in the metadata folder structure?
Where is the physical location in which this library is referencing?
Are there any tables registered in metadata in this library?
d. Navigate to the metadata folder location of the Sales Analysis Library and SALES_ANALYSIS
table.
Note: The table is stored in the same metadata folder as the library to which it is registered.
Registering libraries and its registered tables to the same metadata folder is a good
practice due to the metadata access controls. This is discussed in a later chapter.
9. Comparing Server Hierarchy in SAS Management Console and SAS Environment Manager
Compare the server hierarchy in the Server Manager plug-in in SAS Management Console
to the Server module in SAS Environment Manager Administration.
a. In SAS Management Console, on the Plug-ins tab, expand Server Manager.
b. Open Internet Explorer or Google Chrome, located on the taskbar of your client machine. Click
SAS Environment Manager on the Favorites bar. Sign in as sasadm@saspw and use the
password Student1.
1) Click the Administration tab.
Note: To open Administration in a separate tab, hold down the Ctrl key while clicking
Administration.
2) Select the side menu in the upper left of the interface.
3) Select Servers.
c. Do the server hierarchies in SAS Management Console and SAS Environment Manager
Administration differ?
Expand SASMeta and SASApp in either interface.
How many servers are defined under SASMeta?
How many servers are defined under SASApp?
d. In SAS Management Console, right-click Object Spawner – sasserver and select Properties.
Click the Servers tab.
In SAS Environment Manager Administration, right-click Object Spawner – sasserver and
select Open. (You can also double-click Object Spawner – sasserver to open up the metadata
definition.)
From the drop-down menu, select Servers. (Click the down arrow next to Basic Properties.)
What servers are the object spawner responsible for?
e. You are viewing SAS server metadata in SAS Management Console and SAS Environment
Manager.
You can also monitor your SAS compute servers and middle tier servers in SAS Environment
Manager. In SAS Management Console, you can monitor usage on your SAS compute servers
only. (This is covered in later chapters.)
1.03 Multiple Answer Poll
What content can you place in SAS metadata folders?
a. SAS configuration files

b. SAS libraries
c. SAS stored processes
d. SAS reports
e. SAS license files
59
Registering data sources in metadata means which of the following?
a. copying data sources into metadata

b. creating a description of the table to include the library connection
information
c. copying data sources into SAS Environment Manager
d. making a pointer in the configuration files to data sources
61
1.05 Multiple Answer Poll
Writing a SAS security policy should include input from which of the
following?
a. database administrators
b. system administrators
c. users
d. managers
63
1.06 Quiz
Who should have SAS Management Console installed on their desktops?
Who should have access to SAS Environment Manager?
65
How often do you need to check the status of your SAS servers?
a. never
b. at installation time and as needed thereafter
c. as needed
d. daily
67
How often do you need to back up your environment?
a. never
c. as needed
d. daily
69
1.4 Solutions
Solutions to Exercises
1. Locating and Opening the Instructions.html Document
This exercise illustrates how to find SAS web application URLs for our SAS environment, which
are documented in Instructions.html.
Instructions.html is the reference document for your SAS deployment and would contain any
manual configuration steps that must be performed. It provides an overview of your deployment,
including the web application URLs. It is located under the SAS configuration directory in the
Levn/Documents subdirectory (for example: D:\SAS\Config\Lev1\Documents).
Note: An Instructions.html document is created on each machine that executes the
SAS Deployment Wizard.
a. Access your Windows client machine.
Use the URL in step 6 of your email that Use a remote desktop connection with the IP
you received from Live Web address that is given to you by your instructor.
Administration.
User: Student
Password: Metadata0
b. Connect to the server machine and check the status of SAS servers.
For Linux Server

For
Linux Server
1.4 Solutions 1-61
3. If the servers are not started, enter the command ./sas.servers start. (The valid commands
are stop, start, restart, and status.)
For Windows Server

sasserver.demo.sas.com is set up in mRemoteNG, using the install account sas and
password Student1.
3. If the SAS services are started, go to Step C.
4. If they are not started, open a CMD window under Start  Command Window.
7. Enter stopSAS.
This displays the services that are being stopped. A message is displayed when the script is
done.
This displays the services that are being stopped. Enter Y again when prompted.
1.4 Solutions 1-63
9. Click OK to the message prompt.
10. Click OK to the second message prompt.
A message is displayed when the script is done. (You can start the Task Manager to watch
the CPU activity.)
c. Locate and open the Instructions.html document. In a default deployment, it is located under the
configuration directory in the Levn/Documents subdirectory.
For Linux Server

1. Use WinSCP located on the client desktop. Navigate to /opt/sas/config/Lev1/Documents.
WinSCP editor, not Internet Explorer.)
3. (Optional) You can use MRemoteNg. Use the firefox

/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.
1.4 Solutions 1-65
For Windows Server

1. Access Windows Explorer and navigate to D:\SAS\Config\Lev1\Documents.

d. Click SAS Web Applications in the Overview list at the top of the page.
e. Review the URLs of the SAS web applications. Scroll to SAS Studio Mid-Tier and click the
URL for the SAS Studio web application.
For Linux Server
For Windows Server
Note: The page request is going through the SAS Web Server. The port for the SAS Web Server
will differ on Windows and Linux environments.
f. The SAS Logon Manager appears initially. It is a web application that handles all authentication
requests for SAS web applications. Users see the same logon page when they access any
SAS web application. It is a global single sign-in session. It enables the user to access all
SAS web applications without a credential change.
Sign in as Eric and use the password Student1.
g. Enter the following code into the Program Editor:

proc setinit;
run;
Note: This procedure writes site information to the log, such as site number, expiration
of license, and the SAS products that are licensed.
h. Click Run (the running person icon) located above the code to submit the program.
1.4 Solutions 1-67
i. The Log window appears. It contains a note that includes a list of the SAS software products that
are licensed in this environment. Review the information.
On what operating system are these products licensed?
What products listed pertain to data access? SAS/ACCESS Interface products, such
as the following:
j. Close out of Internet Explorer.

2. Looking Up SAS Software Components That Are Licensed and Installed
a. On the client machine, open SAS Enterprise Guide. Select Start  All Programs  SAS  SAS
Enterprise Guide 7.1. (Close the Welcome window.)
b. On the Resources pane in the bottom left of SAS Enterprise Guide, expand Servers.
c. Expand SASApp.
d. Right-click SASApp and select Properties.
e. Click the Software tab.

Note: In order to see the software licensed and installed, the client has to be connected
f. Click View SAS Server Products.
1.4 Solutions 1-69
This view shows licensed and installed products for the SASApp server context. When you run
the SETINIT procedure, which was done in the demonstration and exercise, the list produced
in the log is only what is licensed.
g. Close the SAS Server Products window and the SASApp Properties window.
3. Using the SAS Installation Reporter Program
You run the program identified below to generate a report that shows which SAS components (for
example, software, client applications, and hot fixes) are installed.
a. Use SAS Enterprise Guide or SAS Studio to run the sasinstallreport.sas program located in the
following directory on your client machine: D:\Workshop\spaft
b. Review the results in the log.
The report includes the following information:
 licensed SAS software (for example, Base SAS, SAS/STAT, and so on)
 installed SAS software
 installed SAS clients or applications (for example, SAS Enterprise Guide, the SAS System
Viewer, and so on)
 installed SAS hotfixes (along with cursory status).
 other versions of SAS software (only in Windows environments and when the XCMD system
option is enabled)
 information about your deployment, including orders and configured servers
 installed and running SAS Windows services (when the XCMD system option is enabled)
Note: To download the program in your environment, see Usage Note 20390, “The SAS
Installation Reporter program creates a report showing which applications, clients, and
hotfixes are installed”: http://support.sas.com/techsup/notes/v8/20/390.html
Note: There are two SAS procedures that will give you similar information:
 The SETINIT procedure tells you what is licensed and the expiration dates and
works in all versions of SAS.
 The PRODUCT_STATUS procedure tells you what is installed. Some products
might be licensed but not installed. For example, if you are not actively using the
product, you might not want to use disk space.
4. Considering Users and Applications
What types of users do you have at your site and which SAS applications are used by these users?
Platform Job Role Applications
1.4 Solutions 1-71
5. Adding SAS Enterprise Guide as a Stand-Alone Product

Beginning with SAS 9.4, SAS Enterprise Guide and SAS Add-in for Microsoft Office can be
delivered in a smaller format that does not require using the SAS Deployment Wizard. (The standard
format is to be installed by the SAS Deployment Wizard.) This second format makes it much easier to
install over a distributed deployment, especially using provisioning tools such as SCCM from
Microsoft. These products are available only on Windows.
a. On the server machine, navigate to where the SAS Software Depot is and the subdirectory
standalone_installs.
For Linux Server

Use WinSCP for navigation because you will need to copy this directory to your
windows client machine.
/opt/sas/depot/standalone_installs/SAS_Enterprise_Guide_Independent_Installer
For Windows Server

D:\SAS\depot\standalone_installs\SAS_Enterprise_Guide_Independent_Installer
b. Copy the SAS_Enterprise_Guide_Independent_Installer directory to the client machine.

For Linux Server: Use the WINSCP application to copy from the Linux server to the windows
client machine.
For Windows Server:
1.4 Solutions 1-73
c. Run the executable: SASEnterpriseGuide71_x86_x64.exe
For Linux Server: Do not open the executable through WINSCP, but navigate to the executable
through Windows Explorer on the client machine.
d. Follow the SAS Deployment Wizard instructions but do not start the install because those
products are already installed.
Note: If you are installing to a system that has a previous version of an independent product
already installed, the executables will update the product to the version used in the name
of the file.
1) Click Install on the Ready to Install page to continue.
2) The Initializing and Installing page opens. When the files have been moved, the Choose
Language page opens. Click OK.
3) The Select Enterprise Guide Mode page opens. Click Next to continue.
4) The Select Language Support page opens. You can click Clear All to remove the selection
from all of the languages except English. Click Next to continue.
5) The Checking System page opens as the installer ensures that the machine has the resources
necessary. Click Next to continue.
1.4 Solutions 1-75
6) Click Cancel because the same version of SAS Enterprise Guide is already installed on this
machine.
Note: Command line options all work with the independent installers, which allows for quiet
deployment. All responses are created in a response file using Record mode and then use
Quiet Playback mode to perform the quiet deployment on the target machine.
Refer to Appendix A of SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User’s Guide,
available at http://support.sas.com/deploywizug94.html.
6. Accessing Deployment Manager
You will access the SAS Deployment Manager and review the tasks. Also, view the internal service
accounts that would be updated with this application. However, do not update passwords at this time.
a. On the server machine, navigate to the SAS Deployment Manager.
For Linux Server
Navigate to /opt/sas/SASHome/SASDeploymentManager/9.4 and run sasdm.sh:

./sasdm.sh
For Windows Server
Navigate to D:\Program Files\SASHome\SASDeploymentManager\9.4

and run sasdm.exe.
b. Click OK when prompted for language.
c. Scroll through the list of tasks that are performed in SAS Deployment Manager.
1.4 Solutions 1-77
d. With Update Passwords selected, click Next.
e. Click Next to move through the selection of configuration directory and level.
f. Enter Student1 as the password for sasadm@saspw. Click Next.
g. Enter Student1 as the password for ShareServices. Click Next.
h. Review the list of internal service accounts that were created at SAS deployment. Click Cancel
because no passwords need to be updated.
i. Click Yes when prompted to verify that you want to cancel.
Note: Passwords for any service accounts that you introduce in SAS Management Console are
not managed by this tool. For example, if you designate a new logon as the launch
credential for a server, that launch credential is not automatically added to the list of
accounts that the SAS Deployment Manager can update.
7. Generating the Deployment Registry Report
The installation of SAS products is logged in the SAS Deployment Registry. The deployment
registry report processes the deployment registry and identifies all SAS 9.2 and later software
that is installed in the current SASHOME location. Installed hot fixes are also logged in the
Note: For details about running the ViewRegistry report, see Usage Note 35968:
http://support.sas.com/kb/35/968.html.
1.4 Solutions 1-79
The ViewRegistry utility that is used to generate the report is installed in SASHome/deploymntreg.
For Linux Server

1. Navigate to /opt/sas/SASHome/deploymntreg.
2. Run the command java –jar sas.tools.viewregistry.jar.
3. Open DeploymentRegistry.html in the same directory. (You can use the WinSCP application
that has a shortcut on your desktop or use Firefox on your Linux server.)
For Windows Server

1. Open a command window and navigate to C:\Program Files\SASHome\deploymntreg.
2. Run this command:

"C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe"
-jar sas.tools.viewregistry.jar
3. Navigate to C:\Program Files\SASHome\deploymntreg and open DeploymentRegistry.html

Review the versions of SAS software installed.
8. Exploring Metadata in SAS Management Console

a. On the client machine, log on to SAS Management Console. Use the sasserver profile
and provide the user ID Ahmed and the password Student1.
b. On the Plug-ins tab, expand Data Library Manager  libraries.
c. Right-click Sales Analysis Library and select Properties to see the metadata definition.
The answers to the questions can be found on the Properties tabs.
Where is the location of this library definition in the metadata folder structure?
/Orion Star/Marketing Department/Data
1.4 Solutions 1-81
Where is the physical location in which this library is referencing?
For Linux Server

/opt/sas/Workshop/OrionStar
For Windows Server

D:\Workshop\OrionStar
Server
Are there any tables registered in metadata in this library?

Yes, SA LES_ANALYSIS
d. Navigate to the metadata folder location of the Sales Analysis Library and SALES_ANALYSIS
table.
Note: The table is stored in the same metadata folder as the library to which it is registered.
Registering libraries and its registered tables to the same metadata folder is a good
practice due to the metadata access controls. This is discussed in a later chapter.
9. Comparing Server Hierarchy in SAS Management Console and SAS Environment Manager
Compare the server hierarchy in the Server Manager plug-in in SAS Management Console
to the Server module in SAS Environment Manager Administration.
a. In SAS Management Console, on the Plug-ins tab, expand Server Manager.
1.4 Solutions 1-83
b. Open Internet Explorer or Google Chrome, located on the taskbar of your client machine. Click
SAS Environment Manager on the Favorites bar. Sign in as sasadm@saspw and use the
password Student1.
1) Click the Administration tab.

Note: To open Administration in a separate tab, hold down the Ctrl key while clicking
Administration.
2) Select the side menu in the upper left of the interface.
3) Select Servers.
c. Do the server hierarchies in SAS Management Console and SAS Environment Manager
Administration differ?
No. It is a different tool displaying the same metadata.
Expand SASMeta and SASApp in either interface.

How many servers are defined under SASMeta?
How many servers are defined under SASApp?
There is one under SASMeta.
There are eight under SASApp.
d. In SAS Management Console, right-click Object Spawner – sasserver and select Properties.
In SAS Environment Manager Administration, right-click Object Spawner – sasserver and
select Open. (You can also double-click Object Spawner – sasserver to open up the metadata
definition.)
From the drop-down menu select Servers. (Click the down arrow next to Basic Properties.)
1.4 Solutions 1-85
What servers are the object spawner responsible for?
e. You are viewing SAS server metadata in SAS Management Console and SAS Environment
Manager.
You can also monitor your SAS compute servers and middle tier servers in SAS Environment
Manager. In SAS Management Console, you can monitor usage on your SAS compute servers
only. (This is covered in later chapters.)
Solutions to Student Activities (Polls/Quizzes)
1.01 Multiple Choice Poll – Correct Answer
Which of the following tasks are performed using SAS Deployment Manager?
a. updating license information

b. deploying SAS software
c. changing host names
d. updating passwords for user accounts
e. starting SAS Deployment Agent
37
1.02 Poll – Correct Answer
The deploymntreg directory is located under your SAS Software Depot.
 True
 False
The ViewRegistry report is generated by executing the JAR file

sas.tools.viewregistry.jar. This JAR file is located in the
SASHOME/deploymntreg directory and must be executed
from this directory.
39
1.4 Solutions 1-87
1.03 Multiple Answer Poll – Correct Answer
What content can you place in SAS metadata folders?
a. SAS configuration files

b. SAS libraries
c. SAS stored processes
d. SAS reports
e. SAS license files
60
Registering data sources in metadata means which of the following?
a. copying data sources into metadata

b. creating a description of the table to include the library connection
information
c. copying data sources into SAS Environment Manager
d. making a pointer in the configuration files to data sources
62
1.05 Multiple Answer Poll – Correct Answer
Writing a SAS security policy should include input from which of the
following?
a. database administrators
b. system administrators
c. users
d. managers
64
1.06 Quiz – Correct Answer
Who should have SAS Management Console installed on their desktops?
Who should have access to SAS Environment Manager?
SAS administrators, not end users
66
1.4 Solutions 1-89
How often do you need to check the status of your SAS servers?
a. never
c. as needed
d. daily
68
How often do you need to back up your environment?
a. never
c. as needed
d. daily
70
Chapter 2 Reviewing SAS Platform
Architecture
2.1 Exploring the Platform Architecture ......................................................................... 2-3
Exercises............................................................................................................. 2-15
2.2 Operating SAS Servers and Spawners ................................................................... 2-19

Demonstration: Using SAS Environment Manager to Operate Servers and Spawners ..... 2-27
Exercises............................................................................................................. 2-29
2.3 Exploring SAS Environment Manager .................................................................... 2-32

Demonstration: Exploring SAS Environment Manager................................................ 2-41
Exercises............................................................................................................. 2-49
2.4 Exploring SAS Environment Manager Service Architecture .................................. 2-54

Exercises............................................................................................................. 2-64
2.5 Solutions ................................................................................................................. 2-71

Solutions to Exercises ........................................................................................... 2-71
Solutions to Student Activities (Polls/Quizzes) ......................................................... 2-105
2-2 Chapter 2 Review ing SAS Platform Architecture
2.1 Exploring the Platfor m Architecture 2-3
2.1 Exploring the Platform Architecture
Objectives
• Explore the SAS platform architecture.

• Examine how to secure a SAS platform configuration.
• Explore Environment Snapshot in SAS Environment Manager.
3
C o p yri gh t © SA S In sti tu te In c. A l l ri gh ts reserved .
Best Practice:
Know the Components of Your SAS Platform
Ensure that you can identify the components of your SAS platform and the
hosts on which they are installed and configured. Ensure that you have a
basic awareness of what each component does.
For a secure deployment, the configuration directory on each server machine
must be protected by operating system controls. These controls will prevent
inappropriate access to repository data sets, server scripts, server logs, and
configuration files.
4
SAS Platform Architecture
The platform for SAS Business Analytics consists of

Clients
a multiple-tier environment that is typically
represented by the following:
• clients SA S Servers
• middle tier
Met adata
• SAS servers
Ser ver
• data sources
Middle D ata
The tiers do not necessarily Tier So urces
represent separate computers
or groups of computers.
5
The platform for SAS Business Analytics consists of a multiple-tier environment that is typically
represented by the following:
Client Tier: SAS client software is installed on users’ desktops. SAS client applications cannot execute
SAS code on their own. They must request code submission and other services from a SAS server. A web
browser is all that is necessary for SAS web applications.
Middle Tier: The middle tier is where the web applications reside and execute. The middle tier also
contains the infrastructure that supports the execution of the web browser applications, including a Java
servlet container (or web application server), the Java Runtime Environment, the JMS Broker, the Cache
Locator, the SAS Web Infrastructure Platform, the Content Server.
Server Tier: SAS Servers: The server tier consists of one or more machines where the SAS servers are
installed and accessed by the SAS platform applications. Several types of SAS servers are available to
handle different workload types and processing intensities, including the metadata server, the workspace
servers, the stored process servers, and the object spawner.
Server Tier: SAS Metadata Server: The SAS platform uses the metadata server and metadata
repositories to manage information about the entire environment, including server definitions, data
definitions, users and groups, security settings, and business intelligence content.
Data Tier: Data sources store your enterprise data. All of your existing data assets can be used, whether
your data is stored in third-party database management systems, SAS tables, or enterprise resource
planning (ERP) system tables.
continued...
SAS Platform Architecture
Metadata Server Cl i ent Tier
Mi ddle Tier
Da ta Sources
SA S Servers SAS Web Application Server
Web Applications: SAS Management Console
SAS Workspace Server SAS Enterprise Guide
SAS Studio
SAS Data Sets SAS Pooled Workspace SAS Web Report Studio SAS Add-In for Microsoft
SAS OLAP Cubes Server SAS Information Delivery Office
Third-Party Data Stores SAS Stored Process Portal SAS Enterprise Miner
Enterprise Resource Server SAS Web Report Studio SAS Data Integration Studio
Planning (ERP) Systems SAS Grid Servers SAS Visual Analytics SAS Information Map Studio
SAS OLAP Server Other SAS Web Applications
SAS OLAP Cube Studio
SAS LASR Analytics and Solutions
SAS Solution Applications
Server
SAS Web Infrastructure SAS Web Infrastructure
Platform Web Browser
Platform Data Server
(Logon Manager)
SAS Environment
Manager Agent SAS Environment SAS Web Server Mobile Devices (to view
Manager Agent (http server) some types of reports)
JMS Broker SAS Environment

Manager Server
Cache Locator
6
The four tiers listed above represent categories of software that perform similar types of computing tasks
and require similar types of resources. The tiers do not necessarily represent separate computers or groups
of computers.
For a large company, the tiers can be installed across a multitude of machines with different operating
systems. For prototyping, demonstrations, or very small enterprises, all of the tiers can be installed
on a single machine.
continued...
Clients
Cl i ent Tier
Desktop clients run on Windows
desktops.
SAS Enterprise Guide Some of these clients are native
SAS Add-In for Microsoft
Office
Windows applications and others
SAS Web Applications:
SAS Enterprise Miner are Java applications.
SAS Data Integration Studio
SAS Logon Manager Some clients require only a web
SAS Information Map Studio
SAS OLAP Cube Studio browser to be installed on each
SAS Studio
SAS Information Delivery Portal client machine.
SAS Web Report Studio Web Browser
Mobile Devices (to view
some types of reports)
7
The client tier provides users with desktop access to intelligence data and functionality through easy-to-
use interfaces. For most information consumers, reporting and analysis tasks can be performed with only
a web browser. For more advanced design and analysis tasks, SAS client software is installed on users’
desktops.
continued...
SAS Servers: Metadata Server
SA S Servers The SAS Metadata Server is the

most critical software component
Metadata Server
C l ient Tier in the SAS Intelligence Platform.
SAS Enterprise Guide
SAS applications connect to the
Office
SAS Enterprise Miner SAS Metadata Server and other
SAS Data Integration Studio
SAS servers that are part of the
platform depend on the SAS
Web Browser Metadata Server.
SAS Logon Manager
SAS Studio
SAS Inf ormation Delivery Portal
SAS Web Report Studio
N ote: The term server refers to
a process or processes.
8
continued...
SAS Servers
SA S Servers
Metadata Server
SAS servers execute
SAS analytical and reporting
C l ient Tier
SAS Workspace Server
processes for distributed clients.
SAS Pooled Workspace These servers are typically
Of f ice
SAS Enterprise Miner
Server accessed either by desktop
SAS Data Integration Studio SAS Stored Process
SAS Inf ormation Map Studio
SAS OLAP Cube Studio Server
clients or by web applications
SAS Grid Servers that run in the middle tier.
Web Browser SAS OLAP Server
SAS Logon Manager
SAS Environment Manager SAS LASR Analytic
SAS Studio
SAS Inf ormation Delivery Portal Server N ote: The term server refers to a
process or processes.
9
On the platform, the term server refers to a process or processes that wait for and fulfill requests from
client programs for data or services. The term server does not necessarily refer to a specific computer,
because a single computer can host one or more servers of various types.
The SAS servers use the SAS Integrated Object Model (IOM). The IOM is a set of distributed object
interfaces that make SAS software features available to client applications when SAS is exec uted
on a server. Each server uses a different set of IOM interfaces and has a different purpose.
continued...
Data Sources
S A S S ervers
Da ta Sources
Metadata Server
The platform includes several
options for data storage, including
SAS Pooled Workspace
Server SAS Data Sets SAS data sets, SAS OLAP cubes, and
SAS Stored Process
Server SAS OLAP Cubes the SAS Web Infrastructure
SAS Grid Servers
SAS OLAP Server Third-Party Data Stores
Enterprise Resource
Platform Data Server.
SAS LASR Analytic
Server
Planning (ERP) Systems In addition, SAS provides products
that enable you to access data in
SAS Web Infrastructure
C l ient Tier
your existing third-party data stores
SAS Client Applications
SAS Web Applications
and ERP systems.
10
SAS data sets are analogous to relational database tables.

SAS OLAP cubes are multidimensional structures of summarized data.
The SAS Web Infrastructure Platform Data Server is the default location for middle-tier data such
as alerts and comments. It can store the data for the SAS Content Server. The server is provided
as an alternative to using a third-party relational database.
The SAS/ACCESS interfaces provide direct access to a variety of data stores.
continued...
Middle Tier
Mi ddle Tier
SAS Web Server Cache Locator The middle tier includes
C l ient Tier
(http server)
JMS Broker the following:
SAS Client Applications SAS Web Application Server • SAS Web Server and
Web Browser Web Applications:
SAS Studio
SAS Web Application Server
S A S S ervers SAS Information Delivery • a Java Runtime Environment
Portal
Metadata Server SAS Web Report Studio (JRE)
SAS Servers
Other SAS web applications
and solutions
• SAS web applications
D ata Sources SAS Web Infrastructure • SAS Web Infrastructure
SAS Web Infrastructure Platform
Platform Data Server (Logon Manager) Platform
SAS Environment SAS Environment SAS Environment • SAS Environment Manager
Manager Agent Manager Server Manager Agent
Server and Agent
11
The middle tier enables users to access intelligence data and functionality via a web browser. This tier
provides web-based interfaces for report creation and information distribution, while passing analysis
and processing requests to the SAS servers.
Beginning with the release of SAS 9.4, SAS includes an embedded middle-tier server called SAS Web
Application Server. SAS no longer requires nor supports external third-party application servers. SAS
also now includes several new middle-tier capabilities, including enhanced monitoring and management,
web-based administration, load balancing, and improved availability.
The SAS Web Infrastructure Platform includes the SAS Content Server and other infrastructure
applications and services.
A JMS broker provides distributed communication with Java Messaging Services. Some SAS web
applications use queues and topics for business logic.
A cache locator is used by SAS web applications to locate and connect to a distributed cache. The SAS
web applications use the cache to maintain awareness of user sessions and to share application data.
SAS Environment Manager Server is responsible for communicating with the agents. It collects information
about items such as discovered resources, metrics, and availability, and issues control actions received from
the SAS Environment Manager application. Collected data is stored in the SAS Environment Manager
database.
SAS Environment Manager Agent is a software process that runs on each platform (middle-tier and server-tier
machine) in a SAS deployment. The agent is responsible for tasks such as discovering software components on
its platform, gathering metric and availability data for the platform and components, and performing resourc e
control actions. The agents communicate with the management server. Plugins are used to provide the agents
with the information needed to discover SAS resources installed on a platform.
SAS Platform Architecture (Review)

Metadata Server Cl i ent Tier
Mi ddle Tier
Da ta Sources
SA S Servers SAS Web Application Server
Web Applications:
SAS Workspace Server SAS Enterprise Guide
SAS Studio
SAS Data Sets SAS Pooled Workspace SAS Add-In for Microsoft
SAS OLAP Cubes Server SAS Information Delivery Office
Third-Party Data Stores SAS Stored Process Portal SAS Enterprise Miner
Enterprise Resource Server SAS Web Report Studio SAS Data Integration Studio
Planning (ERP) Systems SAS Grid Servers SAS Visual Analytics SAS Information Map Studio
SAS OLAP Server Other SAS web applications SAS OLAP Cube Studio
SAS LASR Analytic and solutions SAS Solution Applications
Server
SAS Web Infrastructure SAS Web Infrastructure
Platform Web Browser
(Logon Manager)
SAS Environment
Manager Agent SAS Environment SAS Web Server Mobile Devices (to view
Manager Agent (http server) some types of reports)
JMS Broker SAS Environment

Manager Server
Cache Locator
12
SAS Installation and Configuration
SAS installation and configuration files are stored in separate locations.
SASHOME The location on a file system where an instance of

Directory SAS software is installed
SAS Configuration The location on a file system where configuration
Directory information for a SAS deployment is stored
13
The location of the SASHOME directory is established at the initial installation of SAS software
by the SAS Deployment Wizard. That location becomes the default installation location for any other
SAS software that is installed on the same computer.
Securing a SAS Configuration
The SAS configuration directory on each server machine must be protected

by operating system controls. These controls prevent inappropriate access to
the following:
• metadata repository data sets
• server scripts
• server logs
• configuration files
14
Securing a SAS Configuration: Windows
On Windows, all of the configuration

directories, files, and scripts are owned by
the user who performed the installation.
It is recommended that you set additional
operating system permissions.
15
These recommendations assume that your SAS servers and spawners run as services under the
Local System account. If servers and spawners run under a different account, then grant that account
the permissions that are recommended for SYSTEM.
Directories Recommended Permissions for Windows

 SAS-configuration-directory  SYSTEM and Administrators: Full Control
 SAS-configuration-directory\Lev1  All other users: List Folder Contents, Read
 Lev1 subdirectories: Documents, ReportBatch,
SASApp, SASMeta, Utilities, Web
Lev1 subdirectories:  SYSTEM and Administrators: Full Control
 ConnectSpawner  Remove all other users and groups
 Logs
 ObjectSpawner
 SASApp\OLAPServer
 SASMeta\MetadataServer
 FrameworkServer
 ShareServer
SASApp subdirectories:PooledWorkspaceServer,  SYSTEM, Administrators, and SAS Spawned
StoredProcessServer Servers (sassrv): Full Control
 Remove all other users and groups
SASApp subdirectories:  SYSTEM and Administrators: Full Control
 ConnectServer\Logs
 Data\wrsdist
 Data\wrstemp
 PooledWorkspaceServer\Logs
 PooledWorkspaceServer\sasuser
 StoredProcessServer\Logs
 StoredProcessServer\sasuser
 WorkspaceServer\Logs
SASMeta\WorkspaceServer\Logs
 SYSTEM and Administrators: Read and Write
sasv9_meta.cfg file
 Remove all other users and groups
If you selected the customer installation option to place all of your log files in a single directory, then you
will need to grant the SAS Spawned Servers (sassrv) user Full Control of the central log destination.
If you enable logging for a standard workspace server, then you will need to grant all users
of the workspace server Full Control of the log directory.
Securing a SAS Configuration: UNIX and z/OS
On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies
the permissions that give appropriate access to the configuration directory
of the following:
• SAS Installer account (typically sas)
• sas group (which includes sas and sassrv)
In addition to the default security, you might want to give administrators
access to the configuration directory so that they can modify files and run
backups.
16
On UNIX and z/OS systems, the SAS Deployment Wizard automatically applies the appropriate
permissions. The default permissions are shown below.
Directories Default Permissions for UNIX and z/OS

 SAS-configuration-directory  SAS Installer: Read, Write, and Execute
 SAS-configuration-directory\Lev1  All other users: Read and Execute
 Lev1 subdirectories: Documents, ReportBatch,
SASApp, SASMeta, Utilities, Web
Lev1 subdirectories:  SAS Installer: Read, Write, and Execute
 ConnectSpawner  All other users: no access
 Logs
 ObjectSpawner
 SASApp/OLAPServer
 SASMeta/MetadataServer
 FrameworkServer
 ShareServer
SASApp subdirectories: PooledWorkspaceServer,  SAS Installer: Read, Write, and Execute
StoredProcessServer  sas group: Read and Execute
SASApp subdirectories  SAS Installer: Read, Write, and Execute
 ConnectServer/Logs  sas group: Read, Write, and Execute
 Data/wrsdist
 Data/wrstemp
 PooledWorkspaceServer/Logs
 PooledWorkspaceServer/sasuser
 StoredProcessServer/Logs
 StoredProcessServer/sasuser
 WorkspaceServer/Logs
SASMeta/WorkspaceServer/Logs
 sasv9_meta.cfg file  SAS Installer: Read and Write
 All other users: no access
If you selected the customer installation option to place all of your log files in a single directory, then you
will need to grant the SAS Spawned Servers (sassrv) user Read, Write, and Execute permission to the
central log destination.
If you enable logging for a standard workspace server, then you will need to grant all users of the
workspace server Read, Write, and Execute permission to the log directory.
Make sure the SAS Spawned Server (sassrv) account is a member of the sas group, which has the
necessary permissions to server configuration files and log directories.
Environment Snapshot
The Environment Snapshot captures and reports information about the state
of all the machines in your SAS deployment at a single point in time. This can
assist in debugging issues in a SAS deployment.
17
Environment Snapshot:
 Collects and displays the most current performance measures and configuration parameters from the
SAS Environment Manager database.
 Executes live queries and gathers real-time usage information.
 Can save all of the data to a text file.
Tabs contain information about the following:

 Hardware (CPU speed, free memory, RAM, CPU specs)
 System (OS details
 Network (IP address, DNS information, network interfaces, and transmission speeds)
 Mounts (File and NFS mount points, response metrics)
 Servers (counts of active servers on the machine)
 Services (counts of active services on the machine)
 Logs (locations of important log repositories)
 Control Actions (history and schedule of start/stop/restart actions)
 SAS (SAS servers, versions, install paths, ports, and so on)
 Live System Queries (output from df, who, top commands).
Exercises
1. Locating the Installation and Configuration Directories of the SAS Deployment

a. On the server machine, locate the installation directory.
For Linux Server

Navigate to /opt/sas/SASHome. Are any desktop applications installed on the server
machine?
For Windows Server

Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any desktop
applications installed on the server machine?
b. Locate the configuration directory.
For Linux Server

Navigate to /opt/sas /config/Lev1.
For Windows Server

Access Windows Explorer and navigate to D:\SAS\Config\Lev1.
Note: The Levn subdirectory contains configuration information and other files for a particular
installation instance. Lev1 is generally used for production environments. Additional
levels such as Lev2 and Lev3 can be used for environments that you install for purposes
such as development and testing. During installation, the SAS Deployment Wizard
enables you to select the level number.
2. Examining details_diagram.html
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS system.
Similar to an architect’s floor plan, the plan describes the intended final SAS software environment.
The plan is used in the SAS software deployment process to “tell” the SAS Deployment Wizard
which software components to install and configure on each machine. A diagram of your customized
deployment plan, called details_diagram.html (optimized for Firefox) or
details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your custom plan file.
Note: See Installation Note 44320, Using deployment plans during a SAS ® installation.
a. On the server machine, locate and open the details_diagram.html file.
For Linux Server

Navigate to /opt/sas/depot /plan_files.
For Windows Server

Access Windows Explorer, and navigate to D:\SAS\depot\plan_files
b. Where is SAS Management Console installed? Configured?

Where is SAS Foundation software installed? Configured?
Where is SAS Enterprise Guide installed? Configured?
3. Creating an Environment Snapshot
The Environment Snapshot contains a comprehensive listing of the system information in the SAS
Environment Manager database. It collects and displays the most current performance measures
and configuration parameters and also executes and gathers real-time usage information.
a. Log on to SAS Environment Manager as sasadm@saspw using the password Student1.
b. Select Analyze  Environment Snapshot.
c. Under Summary Table, select sasserver.demo.sas as your system.
d. Click the Snapshot Environment button.
e. Click the SAS tab and notice the metadata server configuration attributes.
f. Click the Logs tab. A comprehensive list of server log locations is displayed. Notice that many of
the middle tier servers do not have log tracking enabled, whereas the SAS servers do.
g. You can change this by going to a resource inventory property and enable log tracking. Go to
Resources  Browse  Servers and select sasserver.demo.sas.com tc Runtime
SASServer1_1.
h. Click the Inventory tab and scroll down to Configuration Properties and click Edit.
i. Check server.log_track.enable and change the value of server.log_track files to logs/server.log.
j. Click OK.
Many of the server-level resources enable the administrator to set up log tracking. This is a method of
monitoring log files for specific messages, such as severe errors or other critical information. By
doing this, you do not need to open the log files directly. You can access only the portion that you
need from the user interface. These log file entries are one type of event that can be configured and
customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on log tracking and
specify the log messages that you want to capture.
Note: Setting up log tracking is covered in a later chapter.
k. Return to Environment Snapshot on the Analyze tab and select sasserver.demo.sas.com as your
system. Click the Logs tab to see that the tc runtime SASServer1_1 now has the logging file
location.
l. Click the Snapshot environment under Create a Snapshot.
m. When the processing is complete, click the Snapshots tab. A text file is created. Where is the
physical location?
Take note of the snapshot location displayed on the screen. The path is on the middle-tier machine
where SAS Environment Manager Server is located and is relative to the SAS configuration
directory.
n. Navigate to the file location and view the file contents:
4.For Linux Server

/opt/sas/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE and
For Windows Server

D:\SAS\Config\ Lev1\Web\SASEnvironmentManager\server-5.8.0-EE and
4. Diagramming Your SAS Environment

a. At your site, how many physical servers are used for your SAS environment?
b. What operating systems run on your servers?
c. Use the blank diagram to indicate where the components are installed in your environment.
Draw additional boxes if necessary.
SAS Servers Middle Tier Data Sources
2.2 Operating SAS Servers and Spaw ners 2-19
The SAS configuration directory under Levn will include which of the
following subdirectories?
a. SASApp, SASMeta, ObjectSpawner, Binaries

b. SASMeta, AppData, SASPlatformObjectFramework
c. SASApp, SASMeta, AppData, Documents
d. Documents, SASManagementConsole, SASApp, SASMeta
20
2.2 Operating SAS Servers and Spawners
Objectives
• Explore the recommended start-up order for the SAS servers and spawners.
• Examine the recommended method of starting up the SAS servers and
spawners.
• Use SAS Environment Manager to operate the servers and spawners.
23
Required Servers
In order for clients to access the SAS environment, the following components
must be running on network-accessible machines:
24
The SAS Object Spawner acts as a listener for SAS Workspace Servers, SAS Pooled Workspace Servers,
and SAS Stored Process Servers.
You might also have the following components on network-accessible machines: a SAS OLAP Server, a
SAS/SHARE server, a SAS/CONNECT spawner, and SAS Distributed In-Process Scheduler Job Runner,
a SAS Deployment Tester server, which is used to run the SAS Deployment Tester utility.
SAS middle-tier servers include the SAS Web Application Server, SAS Web Server, SAS Environment
Manager Server, and the supporting JMS Broker and Cache Locator components.
Note: Because of dependencies, it is important to start the servers in the correct order. Processes on the
server tier need to be started before the middle tier. The recommended order is described on the
following slides.
Recommended Start-Up Order: Server Tier
Sta rt Order Server or Service

1 SAS Metadata Server
2 SAS Web Infrastructure Platform Data Server
3 SAS OLAP Server
4 SAS Object Spawner
5 SAS/SHARE Server
6 SAS/CONNECT Spawner
7 SAS Deployment Tester Server
8 SAS Distributed In-Process Scheduler Job Runner
25
Note: All of the servers except the SAS Web Infrastructure Platform Data Server depend on the
metadata server.
Note: In clustered configurations, make sure that all the metadata server nodes are running before
you start dependent components.
By default, the SAS Web Infrastructure Platform Data Server is backed by PostgreSQL and is provided
as an alternative to using a third-party DBMS. The server cannot be used as a general purpose data store.
OLAP cubes are logical sets of data that are organized and structured in a hierarchical multidimensional
arrangement. Cubes are queried by using the multidimensional expression (MDX) language.
The SAS Object Spawner is a process that runs on workspace server, pooled workspace server, and stored
process server host machines. It listens for requests for these servers, authenticates clients, and launches
server processes as needed. In a pooled workspace server configuration, the object spawner maintains
a collection of reusable workspace server processes that are available for clients. If server load balancing
is configured, the object spawner balances workloads between server processes. The object spawner
connects to the metadata server to obtain information about the servers that it manages.
The SAS/SHARE server provides concurrent Read and Write access to tables.
SAS/CONNECT servers provide computing resources on remote machines where SAS Integration
Technologies is not installed.
The SAS Deployment Tester Server is a diagnostic tool used for assessing a SAS deployment. After
an installation or upgrade, you can use the Deployment Tester to ensure that your SAS software and
critical components have been installed and configured correctly. The Deployment Tester Server is
installed on each server tier machine in the SAS deployment.
The Job Execution Service provides a common, standardized way for web applications to create, submit,
store, retrieve, and queue jobs for SAS servers. The SAS Distributed In-Process Scheduler Job Runner
can be used for running these scheduled jobs.
Recommended Start-Up Order: Middle Tier
Start Order Server or Service

9 JMS Broker
10 Cache Locator
11 SAS Web Server
12 SAS Web Application Server
13 SAS Environment Manager Server
14 SAS Environment Manager Agent
15 SAS Deployment Agent
26
The SAS Web Application Server depends on the Cache Locator.

The SAS Environment Manager Server depends on the SAS Web Infrastructure Platform Data Server
and the SAS Web Application Server, but it can start without these components. However, the SAS
Environment Manager application requires these components in order to provide full functionality.
Start-Up Parameters
Start-up parameters for SAS servers are stored in sasv9 configuration files.
These SAS system options take effect each time you invoke SAS.
Ca ution: If you want to specify different values for system options, or if

you want to specify additional options, then enter your updates
and additions in s a sv9_usermods.cfg, which is located in the same
directory as s a sv9.cfg. You must restart the server in order for
the changes to take effect.
27
Running Servers as Windows Services
On Windows, the SAS servers and services are installed as Windows services
that have these features:
• start automatically when you restart the machines
• are named S A S [deployment-name-and-level] <server-context -> server-name
• can be managed from a command line using SAS provided batch scripts:
n et start|stop|pause|continue “service-name”
• have built-in dependencies to ensure that they start up in the correct order
on each machine
28
Note: In a typical deployment, the Windows services would have a start-up type of Automatic.
The classroom image uses a batch file to start services and has a start-up type of Manual.
Note: Service dependencies are not set up by the SAS Deployment Wizard for the SAS Web
Application Server. See Installation Note 52100: http://support.sas.com/kb/52/100.html.
Using the sas.servers Script on UNIX or z/OS
The SAS Deployment Wizard creates a sas.servers script during installation.

The script enables you to use a single command to do any of the following:
• start, stop, or restart all of the SAS servers and spawners on the machine
in the correct order
• display the status of all the SAS servers and spawners on the machine
N ote: The script does not include the SAS Deployment Agent. To start and
stop the SAS Deployment Agent, use the following:
- SAS Deployment Manager
- SAS Environment Manager
- the command, located in the SASHome directory
29
Using the sas.servers Script on UNIX or z/OS
The script is located in the top level of the configuration directory (for
example, SAS-configuration-directory/Lev1).
To use the sas.server script, perform the following steps:

1. Log on as the SA S Installer user.
2. Go to the configuration directory where the sas.server script is stored.
3. Issue the following command:
./s as.servers start|stop|restart|status
You can also install the sas.servers script as a boot script.

30
Some servers are started directly by the sas.servers script. Other servers are started by the sas.servers. pre
and sas.servers.mid scripts, which are called by sas.servers. The table below shows the script names,
the components that are included in each script, and the order in which the components are started.
Beginning with the first maintenance release for SAS 9.4, the sas.servers.mid script starts the SAS Web
Server before the SAS Web Application Server. This start-up order helps ensure optimum performance
when web applications are initialized.
Script Tier Start-up Order
sas.servers.pre (called by server tier SAS Web Infrastructure Platform Data Server
sas servers)
sas.servers server tier SAS Metadata Server, SAS OLAP Server, SAS Object
Spawner, SAS/SHARE server, SAS/CONNECT spawner,
and SAS Distributed In-Process Scheduler Job Runner
sas.servers.mid (called middle tier JMS Broker, Cache Locator, SAS Web Server, SAS Web
by sas.servers) Application Server, and SAS Environment Manager server
sas.servers.mid (called server and SAS Environment Manager Agent
by sas.servers) middle tier
If needed, you can use the sas.servers.pre or sas.servers.mid script to start a subset of servers. However,
make sure that you follow the start-up order that is shown in the preceding table.
Other servers might also be included in the scripts, depending on which SAS applications you configured.
Caution: You should not directly update the sas.servers script. If the script needs to be updated
(for example, to add new servers or remove servers), then regenerate the script by using
generate_boot_scripts.sh. For details, see “Regenerating a sas.servers Script” in SAS®
9.4 Intelligence Platform: System Administration Guide.
Multi-tiered SAS Services
The s a s .servers script does not take into account the correct start-up order of
SAS servers across multiple machines. Technical Support does supply a utility
that manages multi-tiered SAS services for UNIX and Linux deployments.
1 2 3
Middle Tier
Me tadata Server S AS Servers
SAS Web Infrastructure Platform SAS Web Application Server
SAS Environment Data Server
Manager Agent SAS Object Spawner
SAS Environment SAS Web Server
SAS OLAP Server (http server)
SAS/CONNECT Spawner Manager Agent
SAS/SHARE Server SAS Environment
JMS Broker
SAS Environment Manager Server
Manager Agent
Cache Locator
31
See Usage Note 58231, “Utility that manages multi-tiered SAS services for UNIX and Linux
deployments” for more information: http://support.sas.com/kb/58/231.html
Also, see the SAS Global Forum paper “An Oasis of Serenity in a Sea of Chaos: Automating the
Management of Your UNIX/LINUX Multi-tiered SAS Services”:
http://support.sas.com/resources/papers/proceedings17/SAS0339-2017.pdf
You can start and stop the following servers from SAS Environment Manager:
• SAS Metadata Server
• SAS OLAP Server
• SAS Object Spawner
• SAS/CONNECT Spawner
• SAS Web Application Server
• SAS Web Server
• SAS Deployment Agent
32
Note: In SAS Environment Manager, SAS Web Application Server appears as sasserver.demo.sas.com
tc Runtime SASServer[instance number].
Available Methods for Operating Servers
Using SAS Environment Manager to Operate Servers and

Spawners
This demonstration uses SAS Environment Manager to operate SAS servers and spawners.
1. On the client machine, access Internet Explorer and select SAS Environment Manager from
the Favorites bar.
2. Log on as sasadm@saspw using the Student1 password.
3. Click the Resources tab.
4. Click Servers.
5. In the list of servers, click sasserver.demo.sas.com Object Spawner - sasserver. You need to go to
the next page for the object spawner.
6. Click Control.
7. You can issue control commands from this location. You can schedule a control action. An example of
this is if you need to recycle a SAS Web Application Server at a low usage time.
Under Quick Control, change Control Action to Stop and click .
After the control action is complete, a message is presented.
8. Check the status of that server from the main monitoring page. Select Resources  Browse 
Servers and verify that the Stop control action worked properly. The status of the object spawner
changes to not available. However, the change in status does not show up immediately.
Or you can see a bubble at the bottom of the monitoring page of the object spawner, which signifies
an event just occurred. Clicking the bubble shows the event.
9. Start the object spawner. (You can either use the Quick Control action in SAS Environment Manager
or perform the appropriate action on the server machine.)
Exercises
5. Operating the SAS Servers

a. Check the status of the SAS Servers.
For Linux Server

1. On UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS Servers. They are called sas.servers.pre, sas.servers, and sas.servers.mid.
Some servers are started directly by the sas.servers script. Other servers are started by the
sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers. The table on
page 2-24 of your Course Notes shows the script names, the components that are included
in each script, and the order in which the components are started. For Linux Server
SAS servers: ./sas.servers status. (The valid commands are stop, start, restart, and
status.)
For Windows Server
1. On your Windows Server machine, it is fastest to use the Windows Services application to
check status and to stop and start SAS servers. Click the Services icon in the system tray.
With Services selected, scroll down to the SAS services. Verify that the status for all the
SAS services is Started.
2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.
3. Click the Dependencies tab.

Note: The dependencies do not include any middle-tier servers. It is not recommended
that you include them in the dependencies. However, it is possible. See
Installation Note 52100: http://support.sas.com/kb/52/100.html
b. Review the start-up order of the SAS servers.
For Linux Server

Use gedit, vi, or WinSCP to open the sas.servers script. Review the start-up order of the
SAS servers.
For Windows Server

Navigate to D:\scripts. Right-click StartSAS.bat and select Edit. Review the start-up
order of the servers.
How much time is built in for the web server to wait for the cache locator to start up?
What is being read before it starts up?
Caution: You might use a script similar to this one in your environment. However,
be aware that this script deletes log files, which you would not want for a
SAS Environment outside of the classroom.
6. (Optional) Stopping and Starting Servers in the Correct Order
Caution: It is important to start servers in the correct order. When shutting down, use the reverse
order that is used when starting up.
For Linux Server

On the Linux server, use the sas.servers script.
Issue the following command to restart the servers because you did restart the SAS Web
Server in the previous exercise: ./sas.servers restart
(You could also issue a command of stop, wait for the servers to go down, and then issue a
start command.)
For Windows Server
1. Note: You would use the Windows Services application to shut down and then restart all of
the servers in the correct order in a typical deployment.
The classroom image uses a batch file to start and stop Windows Services.
In order to make sure that servers in our environment are started up in the correct order, first
use the stopSAS script. The scripts are located here: D:\scripts.You can monitor the
stopping and then starting of the servers via the command window.
This displays the services being stopped. A message is displayed when the script is done.
2. Start the servers with the startSAS script.

The services are displayed as they are starting. (You can start the Task Manager to watch the
CPU activity.)
Note: The SAS Web Application Servers takes from 15 to 20 minutes to start, depending on
how many SAS applications are deployed. You can examine the log files to monitor its
progress and verify that everything started successfully.
7. Validating the Servers in SAS Management Console
a. On the client machine, log on to SAS Management Console as Ahmed using the Student1
password.
b. Expand Server Manager  SASApp  SASApp - Logical Workspace Server 
SASApp - Workspace Server. Right-click sasserver.demo.sas.com and select Validate.
Was the validation successful? If not, verify that the object spawner is running.
c. View the details of the validation. What autoexec file was executed at server initialization?
Note: An autoexec file contains SAS statements that are executed immediately after
SAS initializes the server.
2.3 Exploring SAS Environment Manager
Objectives
• Describe the SAS Environment Manager architecture.

• Describe the SAS Environment Manager interface.
• Explore the resource inventory model.
• Explore metrics and monitoring resources.
• Explore the use of the dashboard.
37
SAS Environment Manager (Review)
SAS Environment Manager provides a framework for SAS administrators to

monitor the performance, health, and operation of their SAS deployments.
• A comprehensive view of all resources related to SAS is displayed.
• It provides drill-down into different levels of detail on resources.
• It provides a flexible alerting function
to warn administrators of problems.
38
SAS Environment Manager surfaces the following key monitoring and management capabilities from
Hyperic:
 Resource discovery automatically discovers resources and software, and enables the detailed and
customized monitoring of them.
2.3 Exploring SAS Environment Manager 2-33
 Personal dashboards can display summaries and high-level monitoring, based on user IDS or on role
memberships.
 Metric collection collects a standard set of metrics that reflect availability, performance, utilization, and
throughput.
 Event tracking monitors log and configuration files and records events of interest for most server types.
 Resource control: You can use SAS Environment Manager for remote control and administration of
your software resources (for example, starting, stopping, or pausing a server).
 Alerting and escalation: You can set alerts on metrics and configure actions to perform when an alert
fires. For example, when an alert fires, the system can issue email notifications, set SNMP traps,
perform a control action, or issue a communication to another management system.
 Visualizations are in the form of graphic displays for server monitoring, memory/disk, and/or processor
usage.
 Live data: Hyperic provides Live Exec views for all platform types. You can run a variety of real-time
system commands to obtain the live system status.
SAS Environment Manager Architecture

Platform 1 (machine 1)
Service A SAS Environment

SAS Environment Manager Server
Service B
Manager Agent Management Server
Middle Tier
Servers
resources, metrics,
events, alerts,
control actions
SAS Environment
Service C Manager web
SAS Environment application SAS Environment
Service D
Manager Agent Manager
SAS Servers Database
Object
Spawner
Upgradeable through plug-ins: each plug-

in is associated with a specific resource
SAS Environment
SAS Metadata Server Manager Agent
39
Components of SAS Environment Manager:

The SAS Environment Management Server communicates with the agents to collect information
about discovered resources, metrics, and availability. It issues control actions received from the
SAS Environment Manager application.
The SAS Environment Manager Agent is a software process that runs on each machine in the
configuration (middle-tier and server-tier machines in a SAS deployment). It scans the machine, the
process table, and the file system for processes that it is familiar with, and gathers that information.
Periodically, the agents send their information to the server, where it is summarized and added to the
database as part of the inventory. Plugins are used to provide the agents with the information needed to
discover SAS resources installed on a platform.
SAS Environment Manager Database is a repository for all of the resource information that is known to
SAS Environment Manager. It uses the SAS Web Infrastructure Platform Data Server, which is based on
PostgreSQL. After resources are discovered and added to your inventory, the database stores data that is
collected from the agents about the resources.
SAS Environment Manager Application is the web-based interface to the SAS Environment Manager
system. Administrators can use the web-based interface to view this data, and thereby obtain a host of
information about the various resources that are running in the system. The interface also enables
administrators to set up alerts when specified events occur, and generate reports that summarize the state
of the platform. SAS Environment Manager also enables administrators to control the servers, via the
agents, and perform such actions as starting and stopping servers and modifying the configurations of
various servers. The application also includes a framework to add functions specific to SAS, such as
server, library, and user administration.
Plug-ins enable agents to discover and monitor resources in a SAS environment. Each plug-in is
associated with a specific resource, and provides the agents with the instructions needed to recognize the
resource during auto-discovery and to monitor and collect metrics for the resource.
The basic architecture of SAS Environment Manager consists of an agent process running on each
platform in a SAS deployment that communicates to a central management server. Agents monitor
detected resources and periodically report resource metrics back to the server. The server provides an
interface for interacting with those agents, managing the data collected by the agents, distributing plug-
ins, creating alerts and escalation procedures based on collected metrics, and graphing the metrics
provided through the installed plug-ins.
SAS Environment Manager Architecture

A broad set of operational metrics is collected.
Solutions
Web Application Servers
WIP Services and DB
ActiveMQ Messaging
Apache tc Server A vailability
SAS Servers
• Metadata Pe rformance
• Object Spawner
• StoredProcess Server Configuration
Operating Systems cha nges
• Memory
• Processor E ve nts S erv er Manager
• IO D atab ase
Storage & IO Systems
• LASR Log entries
• Scalable Performance Data Server
• SAS Data Set Virtualization
40
Metrics are the measurements taken by the SAS Environment Manager agents, on the various computing
resources being monitored. Metrics can be static numbers, frequencies over some time period,
percentages, or averages over some time period. They are periodically sent to the server, and stored in the
database.
SAS Environment Manager Interface
The SAS Environment Manager interface includes five main areas:
Dashboard Configurable collections of portlets
Resources Resource-level monitoring and management
Analyze Deployment-wide views of events and alerts
Administration Access and management of SAS metadata folders

and SAS metadata user definitions
Manage Native users, roles, permissions, plug-ins

41
Resource Inventory Model
The relation between service, server, and platform is a resource hierarchy.

The Resources page lists the inventory of resources.
P l atform Platform
Machine, OS, network
switch, or SAS deployment
Server
S erv er S er v ice
A software product or Service A task-specific software

processes such as, SAS component, such as SAS
Metadata server or tc logical server, that runs
Server, that runs on a on a server or platform
platform
42
Examples of types of resources:

Platforms: operating system platforms (such as sasserver.demo.sas.com), SAS deployments (such as
SAS 9.4 Application Server Tier), virtual and network platforms (such as Cisco IOS or
GemFire Distributed System)
Servers: web application server, web server, Postgres server, SAS Metadata Server, SAS Object
Spawner, SAS Home Directory Service
Services: DNS service, Fileserver mount, Windows service, Work directory
Note: When you run SAS Environment Manager for the first time, the application auto-discovers
and auto-accepts the resources listed in the auto-approved.properties file. (This is created when
the SAS Deployment Wizard installs SAS applications and is located in the <agenthome>/conf
directory.) Resource types that are not listed in this file must be accepted for monitoring after
they have been discovered.
Additional Groups That Can Be Created
Compatible Groups These groups contain selected instances of a single type of resource (for
example, SAS Object Spawners or Visual Analytics nodes). Because every
member of a compatible group is uniform, the metrics collected across the group
can be aggregated for reporting purposes.
Mixed Groups These are user-created groups that can contain multiple types of resources, such
as other groups, platforms, servers, and services. Availability is the only metric
that is available for a mixed group.
I IApplication These groups are sets of selected services, usually running on different servers
on multiple platforms that together fulfill a single business purpose. Creating
application groups enables you to manage your infrastructure from an
application perspective, as opposed to a hardware perspective.
Metrics
Metrics are the measurements taken by the SAS Environment Manager

agents on the various computing resources being monitored.
• The “Availability” metric is required by all plug-ins, and it is the one
measure that is found on all resources.
• A different set of metrics is collected
for each type of resource.
• There is a default subset of
metrics that will be displayed
for each resource type, but
this can be modified.
43
Using the Dashboard
The dashboard is your first view when you start SAS Environment Manager.
It provides a configurable graphical display of important items to be watched.
The administrator is able to do the following:
• focus on a few specific resources and their availability
• focus on specific metrics that are most important for a given resource
• compare similar resources on a specific metric
• organize alerts
• create multiple dashboards for different purposes (for example, a “basic
monitoring” dashboard or a “troubleshooting” dashboard
44
Each user can access their own personal dashboard as well as a dashboard for each of the native roles of
which the user is a member. Each dashboard can be customized to meet the needs of the user or role.
Using the Dashboard
The dashboard is divided into two columns. The portlets can be rearranged, deleted,
and added back in. Some portlets can appear only once, whereas other portlets can
appear more than once.
Left Column Only Right Column Only
Availability Summary * Auto-Discover
Saved Charts * Metric Viewer *
Summary Counts Group Alerts Summary *
Recently Added Control Actions
Search Resources Favorite Resources *
Recent Alerts *
Problem Resources *
45
No te: The portlets with an asterisk (*) are specifically for monitoring.
The portlets that can appear more than once are ones that display information about a selec ted group of
resources. Each instance of the portlet displays information about different resources. The portlets that
can appear only once display information for the entire environment.
Available Portlets
Name Description Location Instances
Auto- Lists new and changed resources and enables you to add them Right One
Discovery to the inventory. Check this portlet after you install a plug-in to
accept the newly discovered resources into the inventory.
Availability Indicates the availability of selected resources, grouped by Left Multiple

Summary resource type. This portlet refreshes every minute.
Control Lists recently performed actions on managed resources and Right One
Actions upcoming scheduled actions. Also indicates which quick control
actions are most frequently performed.
Favorite Lists selected resources. Right One

Resources
Saved Displays selected charts as a slide show. Left One

Charts
Recent Lists the most recently triggered alerts for selected resources. Right Multiple
Alerts This portlet refreshes every minute.
Recently Lists platforms that have been recently added to inventory. Left One
Added
Search Enables you to search for resources. The search supports case- Left One
Resources insensitive, partial-term queries for a specified inventory type
Summary Displays a count of managed resources by inventory type. Only Left One
Counts those resources that you are allowed to access are displayed.
Group Displays traffic light indicators for resource alerts and group Right One
Alerts alerts for selected groups. To view a list of alerts that have fired
Summary for a group, click that group’s traffic light. To view a group
page, click that group’s name.
Metric Displays selected metrics for selected resources. This portlet Right Multiple
Viewer refreshes every minute.
Problem Lists all resources that have problem metrics and provides Right One
Resources details, including availability status, number of alerts per
resource, number of times the metric has been out of bounds,
and the most recent time that the out-of-bounds metric was
collected.
Controlling Access to Environment Manager
Users in SAS Environment Manager are mapped to users created in

SAS metadata.
Group Name in SAS Metadata Role in Environment Manager
SAS Environment Manager Super Super user role
User
SAS Environment Manager Guest Guest role
SAS Environment Manager App Server SAS App Tier role

Tier Users
SAS Environment Manager Data Mart (not used)
Administrators
SAS Environment Manager Data Mart (not used)
Users
46
Although native user definitions are internal to SAS Environment Manager, they are mapped to user
definitions created in SAS metadata. Native users are created by first creating the user definition in
metadata and then synchronizing the user information with SAS Environment Manager. You cannot
create or edit native user definitions in SAS Environment Manager directly.
Native roles enable you to grant capabilities and permissions for actions in SAS Environment Manager to
selected users. For example, an administrator role could be granted full permissions for all resource types
and the ability to acknowledge and fix alerts, whereas a guest role could be denied the ability to fix or
acknowledge alerts and have only Read permission for resources. Assigning a native role to a native user
determines the actions that the user can perform in SAS Environment Manager.
Each native role also has its own unique dashboard page. Each user has access to his or her own personal
dashboard page and to the dashboard pages of all native roles of which he or she is a member.
Authentication to Environment Manager
Environment Manager controls access and permissions within the application

with its own registry of users and its own system of roles and permissions.
SASServer1_1 SAS Metadata Server
/SASLogon
application Group: SAS EV
Super Users
(sasadm@saspw)
SAS EV Server
Role: Super User

(contains user
sasadm )
URL: http:<machine>:7080
47
Step 1: User accesses the URL to SAS Environment Manager in browser

Step 2: Request is redirected to the SAS Logon Manager application for authentication
Step 3: User is authenticated by the metadata serSo tver
Step 4: Request is passed on to SAS Environment Manager Server
Step 5: User is again authenticated in SAS Environment Manager, and the user’s Role membership
determines what he or she can do in SAS Environment Manager
Exploring SAS Environment Manager
This demonstration explores SAS Environment Manager.

1. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment Manager
on the Favorites bar.
Note: To access SAS Environment Manager, use your web browser to go to
Note: The recommended browser for SAS Environment Manager 2.5 is Google Chrome.
2. Sign in as sasadm@saspw using the password Student1.
The interface is organized around five main areas.
Dashboard Configurable collections of portlets; this is the initial view

when starting SAS Environment Manager
Resources Resource-level monitoring and management
Analyze Deployment-wide views of events and alerts
Administration Metadata definitions for folders and objects, servers,

libraries, users, and metadata security and access controls
Manage Native users, roles, permissions, plugins
3. Dashboard: The Dashboard page is the initial view when a user logs on. It contains two columns of
portlets. Each portlet contains the resources and metrics that are most important to your environment.
 The Dashboard page is customized by deleting, adding back, or rearranging the various portlets
that you see.
 Selecting an entry in a portlet takes you to more detailed information about the entry.
 Each user can access his or her own personal dashboard as well as a dashboard for each
of the native roles of which the user is a member. Each dashboard can be customized to meet
the needs of the user or role. To choose a different dashboard, select the one that you want
to use from the Select a Dashboard field.
4. Resources: Click Resources  Browse. The Resources page enables you to monitor, configure, and
manage inventory resources, organized by type (for example, Platforms, Servers, Services).
 The buttons on the left of the resource name ( ) enable you to quickly jump to the Monitor,
Inventory, or Alerts page for the resource. You can also click the resource to open the Details page
that includes links to Monitor, Inventory, or Alerts pages.
 The number of resources extends to two pages. You can change items per page in the bottom right
of the interface, or use the black arrow to move to the second page of resources.
5. Click Platforms (2). In this installation, there are two platforms: the machine and the
SAS Application Server Tier.
6. Click sasserver.demo.sas.com. The details about this resource, the OS platform, are displayed. You
can get similar details for any resource (a platform, a server, or a service) by clicking it. The details
for each resource differ somewhat, depending on what type of resource it is.
 Across the top, basic machine specifications are given: OS, CPU speed, architecture, IP address,
RAM, and more.
 Notice the five links on the upper left: Monitor, Inventory, Alert, Control, and Views. By default,
you are on the Monitor page. A variety of metric data is displayed, both in numeric and graphic
format, to enable you to examine detailed information about the resource’s operation.
 The fastest way to check the status of a resource is to use the availability bar, which is above the
indicator charts. The availability bar displays a color-coded dot that represents the availability
during a time slice. The length of each time slice depends on the display range that you select (for
example, if you display the past eight hours of data, each dot corresponds to approximately eight
minutes). The percentage of time that the resource was available is displayed at the end of the
availability bar.
The dots are color-coded using the following format:
Green = 100% availability
Yellow = Partial availability; between 0% and 100%
Red = 0% availability
 To the left of the indicator charts, there are links to other resources that are under this resource in
the hierarchy.
 The events bar is displayed below the indicator charts. It is similar to the availability bar, with dots
representing time slices. The bar displays a dot if an event occurs during a time slice. If no event
occurs, the bar remains black.
7. On the bottom left of the page, click the down arrow next to Problem Metrics and select All Metrics
to display a list of all available metrics for this resource. Click the arrow next to a metric to add the
chart to those displayed on the page.
8. Analyze: The Analyze pages contains the Alert Center, Report Center (only if you have enabled
SAS Environment Manager Service Architecture), Environment Snapshot, Event Center, and
Operations Center. (You might see a Monitoring Center, which is part of the Job Monitor service.
It would contain SAS jobs submitted by the Data Management solution.)
 An event is any type of activity in a resource that you are monitoring.
 An alert is a user-defined type of event that acknowledges a critical condition in a selected

resource. You can configure SAS Environment Manager to also log events for log messages and
resource configuration changes.
Note: The pages on the Analyze tab are discussed in a later chapter.
9. Administration: Click the Administration tab. This page enables you to manage resource
definitions in SAS metadata. The page contains a set of modules, each of which enables you to
manage a type of metadata definition. The application displays the Folders module by default.
10. To switch to a different module, click the Side menu button , which displays a list of all of the
available modules.
In the first exercise, you add Ahmed to a SAS Environment Manager group in metadata and then it is
synchronized to the corresponding role in SAS Environment Manager.
11. Select the Users module.
12. Filter on Group.
13. Enter SAS in the Search field to get to SAS Environment Manager Super Users.
14. Right-click SAS Environment Manager Super Users and select Open to open the metadata
properties.
15. From the Basic Properties drop-down menu (accessed by clicking the arrow), select Members.
16. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
17. Move Ahmed over from the Available identities list to the Direct members list. Click OK.
18. Do not click Close until you save your changes by clicking the Save button . Click Close.
19. The Administration page is a separate web application, as you can see by the URL.
Return to SAS Environment Manager by clicking its name on the Favorites toolbar.
20. Click the Manage tab. The pages under Manage control how the SAS Environment Manager
application works.
 Authentication/Authorization: enables the management of users and roles. (These are not
the same as the users and roles in SAS metadata that control access to SAS metadata objects,
although SAS Environment Manager users are synchronized with users that are defined in metadata
and added to specific groups.)
 Server Settings: change settings for the SAS Environment Manager server; set default monitoring
and alerting definitions for all types of platforms, servers, and services; define notification or
logging actions that are taken for alerts; list currently loaded plug-ins; and enable deleting or adding
plug-ins.
 Plug-ins: contain functions that are added to the base functionality of SAS Environment Manager
to perform a specific action.
 Licenses Usage Status: displays the number of licenses in use on the platform as well as the total
number of licenses that are permitted.
21. Click Synchronize Users.
22. Click OK twice.
Now Ahmed can log on to SAS Environment Manager.

Note: Beginning with SAS Environment Manager 2.4, it is no longer necessary to synchronize
users. You can log off of the application and log back in as Ahmed.
Authentication is discussed in a later chapter.
Exercises
8. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
The internal account sasadm@saspw is the default account for signing on to SAS Environment
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the user
needs to be added to a SAS Environment Manager group in metadata and then synchronized to the
corresponding role in SAS Environment Manager.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1 if you
have not done so from the previous exercise.
b. Go to the Manage page and select List Users to see a list of the current users in Environment
Manager. Three users will be listed.
c. Click List Roles to see the Environment Manager Roles. There should be three.
These three roles map to three user groups created in SAS metadata.
d. Add Ahmed to the SAS EV Super User group in metadata.
Go to the Administration page and select Users from the Side menu.
e. Filter on Group.
f. Enter SAS in the Search field to get to the SAS Environment Manager Super Users.
g. Right-click SAS Environment Manager Super Users and select Open to open the metadata
properties.
h. From the Basic Properties drop-down menu, select Members.
i. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
j. Move Ahmed from the Available identities list to the Direct members list. Click OK.
k. Do not click Close until you save your changes by clicking the Save button . Click Close.
l. You do not need to synchronize users from the Manage page. Instead, Sign out as sasadm@saspw
and sign back in as Ahmed to verify that he now has access to SAS Environment Manager. Stay
signed in as Ahmed for the rest of the exercises.
9. Adding an Availability Summary Portlet to Your Dashboard

a. In SAS Environment Manager, click the Dashboard tab if you are not already there. Make sure
that you are logged on as Ahmed.
b. Create an OS and SAS Server Tier availability summary portlet.

1) On the left side of the Dashboard page, select Availability Summary in the Add Content
to this column field.
2) Click the Configure button to display the Dashboard Settings page for the portlet.
3) Click Add to List in the Selected Resources area.
4) In the View field, make sure that Platforms is selected. Move both resources to the right.
Click OK.
5) Specify the name OS and SAS Server Tier in the Description field. Click OK.
6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking
the heading and dragging it to the top of the left column.
10. Evaluating Resource and Memory Usage on a Host
System Resources can approach their limits and cause the system to become slow or unstable. If you
see a problem with system responsiveness from the users’ point of view, there are some metrics that
can be checked to give us clues as to why. It is also possible for system resources to be nearing their
limits, but with no obvious effect on user experience. Regardless, you can monitor these items
through SAS Environment Manager.
a. Review metrics for the server machine.
For Linux Server
Click Linux under your OS and SAS Server Tier summary portlet that you just created.
For Windows Server

Click Win32 under your OS and SAS Server Tier summary portlet that you just created.
b. Click sasserver.demo.sas.com, and that takes you to the same view as Resources  Browse 
Platform  sasserver.demo.sas.com.
What is the RAM for this machine? What is the CPU speed?
The RAM field (in the upper right) specifies the total memory for the host.
The CPU Speed field (in the upper left) specifies the number and speed of the processors on the
machine.
c. Click Metric Data to view the table of metrics for the host.
Use these metrics to evaluate memory usage for the host:
 Total Memory (this value will match the value of the RAM field, although RAM is specified in
MB and Total Memory in GB)
 Used Memory
 Used Memory (-buffers/cache)
 Percent Used Memory
 Percent Free Memory
Use these metrics to evaluate swap space usage:

 Swap Free
 Percent Swap Free
 Percent Swap used
Use these metrics to determine CPU and I/O usage for a host in a deployment:
 CPU Usage
 CPU Wait
 User CPU
 CPU Idle
 CPU IRQ
 File System Read/Writes per Minute metric to evaluate I/O performance over time
d. Click Indicators to view these metrics in chart form. The charts can be useful for evaluating
changes in memory usage over time, for example.
Note: If the chart for one or more of the metrics is not displayed, select the Problem Metrics
field on the bottom left of the page and change the selection to All Metrics. Move the
metric that you want added in the Indicators display by clicking the black arrow next to
the metric
e. By clicking the metric, a chart is brought up with more detailed information. Scroll to the bottom
of the metric charts and click Zombie Processes. This is one metric at the Platform level that can
indicate too many “runaway” or “stuck” processes. If there are any numbers above zero
consistently, it might be time to reboot the machine when there is opportunity to do so.
You have options within the chart view such as editing ranges, saving a chart to dashboards, and
defining an alert for this metric.
f. Click the down arrow next to Map to see a visual representation of resources and the next level of
parent and child resources. How many servers are under this machine platform?
Note: The map for a platform displays the servers under the platform, and the map for a server
displays the services under the server. Servers as well as services under the platform are
also listed on the left of the Monitor page.
g. Click Views  Live Exec.
h. Select a query to run from the drop-down menu, such as df and top.
On the Resources page in SAS Environment Manager, where would you find
the SAS Object Spawner resource?
a. Services
b. Servers
c. Platforms
d. Mixed Groups
51
Which statement is true regarding the SAS Environment Manager Agent?
a. You can have only one SAS Environment Manager Agent in a SAS
deployment.
b. The SAS Environment Manager Agent summarizes the metric
information and writes it to the PostgreSQL database.
c. The SAS Environment Manager Agent can be monitored under Platforms
in SAS Environment Manager’s Resource page.
d. You will have a SAS Environment Manager Agent running on every
platform where SAS components are configured in your SAS deployment.
53
2.4 Exploring SAS Environment Manager

Service Architecture
Objectives
• Explore the SAS Environment Manager Service Architecture.
56
continued...
SAS Environment Manager Service Architecture
The SAS Environment Manager Extended Monitoring package implements

best practices for resource monitoring, automates and extends the
application’s auditing and user monitoring capabilities, and follows industry
standards to enable servers to use Application Response Measurement
(ARM). The framework consists of two components:
• predefined alerts, groups, logging, Ex t ended Monitoring
Best Practices
and metric configurations • Predefined alerts
• Automate resource configuration
• Additional resource groups
• Metric collection adjustments
• Additional resources
• Event importing and exporting
57
2.4 Exploring SAS Environment Manager Service Architecture 2-55
Extended monitoring includes these components:

Resource configuration: You must configure resources such as platforms and servers that are added to
your SAS Environment Manager inventory during installation so that they can begin collecting metric
data. Initializing extended monitoring automates the process of configuring these resources, enabling you
to start monitoring resources without having to go through a manual configuration process.
Tuned alerts: Extended monitoring provides a set of optimized alerts, developed by SAS. These alerts
notify you of operational issues that might be encountered in a SAS environment (such as storage issues,
server status, and hardware issues).
Defined resource groups: Resources that form a logical group (such as all platforms, servers, and services
in the SAS App Tier) are automatically collected into predefined groups that are defined in extended
monitoring. These groups are automatically updated as you add and delete resources, so they always stay
current. A resource group for every reporting table in the data mart is automatically created and
maintained.
Event importing and exporting: You can export events that are generated by SAS Environment Manager
to support third-party monitoring applications. In addition, you can import events from other SAS
applications and from third-party applications into SAS Environment Manager for processing.
HTTP checks of web applications: Enabling extended monitoring defines a set of resources that monitor
the availability and responsiveness of key SAS web applications such as SAS Stored Process Web
Application.
Adjustments to monitoring metrics: As part of the process of optimizing resource monitoring, some
adjustments are made in the metrics collected for system resources. Collection is started for some metrics,
and graphing intervals are changed for others in order to make them easier to follow.
• Data mart infrastructure, which provides empty data tables, stored

processes, and reports that are populated by data that is provided
by APM or ACM ETL (Extract, Transform, and Load) processes
Data Mart
Audit, Performance
Measurement Data
E xt ended Mo nitoring (APM)
Best Practices
• Predefined alerts
• Automate resource Agent-Collected
configuration Report Center
• Additional resource groups Metrics (ACM)
• Metric collection adjustments
• Event importing and exporting VA auto-load Feed Kits Data
58
SAS Environment Manager Data Mart
59
SAS Environment Service Architecture consists of the following components:

SAS Environment Manager Data Mart: The data mart is the key component of the Service Architecture
and is created if you enable either one or both of the ETL (Extract, Transform, and Load) processes in the
service architecture. The data mart consists of a set of tables that hold the data collected by the ETL
processes. The collected data is stored in a standard format, which makes it easy to run reports and
perform analysis. The stored processes in the Report Center use the data in the data mart to produce
predefined reports. Data is retained in the data mart for 60 days.
Audit, Performance, and Measurement (APM) ETL: When this component is initialized, it collects
information from various log files (including those generated by SAS servers and web application
servers), standardizes it, and stores it in the data mart. A log discovery process runs approximately every
15 minutes to locate all of the logs that need to be included in the APM ETL. After the data is stored in
the data mart, you can use it to produce reports in the Report Center or to perform custom reporting and
analysis.
Agent-Collected Metrics (ACM) ETL: When this component is initialized, it uses information that was
collected by the SAS Environment Manager agent from the computing resources and components in your
deployment. The data is processed and loaded into the data mart. After the data is stored in the data mart,
you can use it to produce reports in the Report Center or to perform custom reporting and analysis.
Report Center: The Report Center provides a convenient access point for the reports that are provided as
part of the Service Architecture. After one or more of the ETL components have been initialized and
enabled, data is available in the data mart. This data is then used to feed the predefined reports in the
Report Center. The Report Center is not available until either one or both of the ETL proc esses is enabled.
Solution kit framework : The solution kit framework can extend the capabilities of SAS Environment
Manager to support specific solutions or applications. The framework includes support for collecting and
storing operation information about the solution in the data mart and for using the associated reporting
capabilities.
SAS Visual Analytics data feed: Data from the data mart can be easily loaded into SAS Visual Analytics.
If the data feed option is enabled in SAS Environment Manager, selected data tables from the data mart
are copied to a specified drop zone directory. SAS Visual Analytics can then automatically load the tables
from the drop zone into the application. For more information, see “Feeding Data from the Data Mart into
SAS Visual Analytics” in SAS® Environment Manager 2.5: User’s Guide.
Federated data mart: If you are using a data mart on multiple deployments in your organization, you
can create a federated data mart to consolidate analysis and monitoring for all of the deployments. The
federated data mart collects into one location the ACM data from the data marts of each deployment. Each
deployment still retains its own data mart, but the federated data mart enables you to easily compare the
metric data across your organization. For more information, see “Creating a Federated Data Mart” in
SAS® Environment Manager 2.5: User’s Guide.
ETL jobs are run once per 24-hour period (overnight by default). This process collects and standardizes
the data and put it into the data mart. Data is stored for 60 days by default. The data is then used to drive
reports from the Report Center or by SAS Visual Analytics for further analysis.
ACM ETL
The Agent Collected Metrics data is loaded into the SAS Environment
Manager database. The ACM ETL process then copies data from the
database, standardizes the data, and loads it into the data mart.
S AS Web
S AS Environment
ACM Infrastructure
Ma nager Data Mart
Pla tform Database
(E VManager)
60 rolling days
11 rolling days of data
of data
60
ACM data is processed and loaded into the data mart in these steps:
1. Metric data is collected from the SAS Environment Manager agents and sent to the SAS Environment
Manager database.
2. At specified intervals, the ACM ETL process runs. The process copies data from the database,
standardizes the data, and loads the data into the data mart.
3. ACM data in the data mart is available for analysis and reporting.
The Report Center contains reports that are produced by ACM that display the following types of
information:
 response time for SAS HTTP web services
 workload, CPU usage, and memory usage for each platform in your environment
 usage and response information for file mounts
 total number of clients per minute on the SAS Metadata Server machine
APM ETL
The APM ETL process extracts performance metric information from various
SAS server logs, HTTP access logs, SAS job logs, and SAS metadata audit data
and loads that information into the data mart.
61
APM data is processed and loaded into the data mart in these steps:
1. The APM ETL process scans the components in your SAS system for log files and includes the logs
that it finds that are supported by the APM ETL. By default, the log discovery process runs every 15
minutes throughout each day, so any new logs created by new components in your SAS environment
are discovered and included in the log collection process. You can also choose to run the log
discovery process manually though a control action, which enables you to start collecting log data
sooner than if you waited for the scheduled process. See Manually Discovering and Collecting
Logs in SAS® Environment Manager 2.5: User’s Guide, Second Edition.
Note: SAS logs are discovered and collected only if they are in default locations. If you customize
the log location, SAS Environment Manager cannot discover or collect the log.
2. The discovered logs are collected locally on the machine where they are created and stored in the
landing zone directory, which is [LevelRoot]/Web/SASEnvironmentManager/emi-
client/LandingZone. By default, the logs are collected nightly, but they can be collected manually as
often as every 30 minutes in order to obtain an update view of the log information.
3. The locally collected logs are collected from the local landing zone directories to a central landing
zone directory, which is located on the SAS Environment Manager Enablement Kit Server. This
machine is the machine containing the alphabetically first SAS Application Server context that
contains a SAS Workspace Server. Beginning with the third maintenance release after SAS 9.4, you
can use SAS Deployment Agent to automatically copy the log files from the local landing zone
directories to the central landing zone directory. You can configure the SAS Deployment Agent in
unsecured mode, or you can use unsecured mode or NFS mounts and shares and symbolic links.
Beginning with the fourth maintenance release after SAS 9.4, you can use the SAS Deployment
Agent in secure mode to copy the log files. You can also set up file mounts or NFS shares to the local
landing zone directories so that the central landing zone directory has access to the log files whenever
they are saved to the local landing zone directories. After the logs are collected in the central landing
zone directory, they are deleted from the local landing zone directories.
4. The ETL process parses the logs in the central landing zone directory, puts the information into a
standard format, and archives the original log files. The data is then put into the appropriate tables in
the data mart.
Caution: Enabling the APM ETL process causes a separate log to be created for each spawned
SAS Workspace Server. You must plan for the large number of log files that this process
could create. A best practice is to create a daily archive file of the day’s log files and then
to copy the file to archive storage.
Report Center
The Report Center is a collection of stored processes that produce reports

from data in SAS Environment Manager Data Mart. The reports provide a
view of the performance and status of your SAS environment and its
resources.
62
The Report Center has three main folders:

Products: contains most of the stored processes to generate reports based on APM or ACM ETL
processes.
System: contains stored processes for ad hoc reports.
User folders: contains any custom reports that you have created and saved in your user folder.
Note: The stored processes are based on standard procedures from Base SAS and ODS.
You can find a complete listing of Report Center bundled reports here:
http://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/Report_Center_Report_Listings.pdf
Data Mart Reports

These stored processes generate reports that display information about the content of the SAS
Environment Manager Data Mart tables, the resources that support the data mart, and the alerts that are
defined in the data mart. Here are some example reports:
 All Alert Definitions
 ACM Data Mart Server Resources
 Data Mart PROC CONTENTS Full Listing
The reports are located at Stored Processes  Products  SAS Environment Manager 
Dynamic Reports  Datamart.
Metadata Inventory Reports

These stored processes generate reports that display information about the metadata that is stored on the
SAS Metadata Server. Here are some example reports:
 Groups Roles and Users
 Metadata Content
 Server Properties
Dynamic Reports  Metadata Inventory.
ACM Reports
These stored processes generate reports that display and chart detailed metrics for the computing
resources in your environment. They are generated by data from ACM ETL processes. Here are some
example reports:
 File Mounts Summary Report
 Metadata Server Total Clients per Minute
 Platform Workload 1 Min Average
Nightly Reports  ACM Reports.
ARM Reports
These stored processes generate reports that display and chart detailed metrics and information for
SAS jobs and processes. They are generated by data from APM ETL processes. Here are some
example reports:
 Resource – Procedure Usage
 User – Server Activity by User
 Workspace Server – Top Users by Memory Consumption
Nightly Reports  ARM Performance Reports.
Note: In ARM reports, time metrics are charted in seconds and memory capacity metrics are charted in
kilobytes.
Metadata Audit Reports

These stored processes generate reports that display events recorded in SAS logs. They are generated by
data from APM ETL processes. Here are some example reports:
 Access Activity Events
 Metadata Client Activity
 Group Changes
Nightly Reports  Audit Reports (Log Forensics).
SAS Environment Manager Service Architecture ETL Process Reports

These stored processes generate reports that display information and metrics about the APM ETL
processes. Here are some example reports:
 ETL Logfile Analysis
 Logfile Analysis Overview Report
 PROC Usage Summary
Nightly Reports  Service Architecture ETL Reports.
Event Reports
These stored processes generate reports that display information and metrics about the events that are
generated and recorded in the data mart. They are generated by data from ACM ETL processes. Here are
some example reports:
 Event Summary Chart
 Event Summary Counts
 Log Event Details
Nightly Reports  Event and Alerts.
Solution Kit Reports

These stored processes generate reports that display information that was stored in the data mart by the
solution kit. Each kit contains its own set of stored processes and custom reports.
Nightly Reports  Kits  solution kit name.
Log File Job Reports

These stored processes generate reports that display information about the jobs and processes used to
analyze the SAS logs. They are generated by data from APM ETL processes. Here are some example
reports:
 Logfile Analysis Overview
 Logfile Summary by Logfile and Job Name
 PROC Usage Summary
Nightly Reports  SASJobs.
Sample Reports
These stored processes generate reports that contain samples of different types of report styles. They are
generated by data from APM ETL processes. Here are some example reports:
 Pie Chart CPU Usage Profile by Platform
 Daily Resource Usage Summary
 Top 5 Ranked on CPU Usage
Nightly Reports  Sample Gallery.
Report Center
Metadata Server: Metadata Inventory:

• Metadata Server Client Activity • Duplications
• Authentication Errors • Groups, Roles, and Users
• Audit Report on Access Control Changes • Paths
• Access Activity by User ID • Portal Activity
63
Report Center
Server Activity:
• Workspace Server Top 10 Memory Users
• Server Usage by User
• Data Usage
• Directory Usage
• Procedure Usage
64
Report Center
Data Mart Reports:

• Weekly Events from SAS Environment Manager
• All Alert Definitions
• Data Mart PROC Contents Full Listing
ACM Reports:
• Daily Resource Usage Summary
• Top 5 Ranked on CPU Usage
65
Initializing SAS Environment Manager

Service Architecture
The process of initializing and configuring the service architecture consists of
two main processes:
• validating the Service Architecture

framework and initializing the
extended monitoring bundle
• enabling the ACM and APM ETL
framework, and initializing the APM
ETL framework
66
You must enable Extended Monitoring to use the SAS Environment Manager Data Mart. Instructions can
be found in these two places:
 the SAS Environment Manager configuration directory:
<configdir>/Lev1/Web/SASEnvironmentManager/emi-framework/
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf
 “Initializing and Enabling the Service Architecture” in SAS® Environment Manager 2.5: User’s Guide.
Exercises
11. Reviewing Service Architecture Enablement Steps and Locating Logs Created by Enabling and
Initializing the APM ETL
a. Navigate to the emi-framework directory where the instruction document
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf is located.
For
11.Linux Server
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework
For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework
Note: The document can also be found here:

http://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/SAS_Environment_Manager
_Service_Architecture_Quickstart_9.4M4.pdf
The Initialization steps start on page 4 of the PDF. Initialization commands are located in the bin
directory.
Configuration of the package is broadly defined in three phases or stages. The main phases of
configuration are as follows:
1) Pre-check, validation of the initial deployment of SAS and SAS Environment Manager.
2) Validation of the SAS Environment Manager Service Architecture framework and the
initialization of the enhanced monitoring bundle.
3) Enabling either ACM or APM ETLs, including an additional initialization step for the APM
ETL. All ETL processes are optional and can be enabled at any time after the framework has
been initialized. However, one or more ETLs are required to construct the data dart.
Note: The Service Architecture has already been initialized in the classroom environment.
b. If the APM ETL package is enabled and initialized, a potentially large volume of log files is
created. The ETL process extracts data from SAS logs and loads that data into the data mart so
that the applicable stored process reports have data to work with. Data is extracted from the SAS
logs only when the logs roll over (usually after midnight).
1) Locate log files that are generated.
For
12.Linux Server
Navigate to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
For Windows Server
Navigate to D:\SAS\Config\Lev1\ SASApp\WorkspaceServer.
2) Open the PerfLogs directory. Logging of this server causes a separate log file to be created in
this directory for each spawned SAS Workspace Server. This means that there is a log file for
each session of SAS Enterprise Guide or SAS Data Integration Studio users.
With the enablement and initialization of the APM ETL package, the SAS Application server
environment is modified to enable ARM (Application Response Measurement), as well as the
activation of SAS logging facility loggers and log appenders, to support the ARM-enabled
SASApp deployment.
Caution: Be aware of the potential for the large number of log files that can be created in
this directory. You can create a daily archive of the logs in a ZIP or TAR file and
then copy the daily archive to another storage location. This process enables you
to manage the large number of log files while maintaining IT best practices for
retaining usage logs.
Refer to the following notes:
Problem Note 52668, “A SAS® Environment Manager agent either fails to start, or it starts and
does not send data”:
http://support.sas.com/kb/52/668.html
Usage Note 54744, “Frequently asked questions about the SAS ® Environment Manager in the
UNIX operating environment”:
http://supportprod.unx.sas.com/fusionpreview/previewhtml/54/744.html
12. Running Stored Processes from the Report Center
a. Select Analyze  Report Center. The Report Center is displayed in a separate window or tab in
your browser. The Report Center uses the SAS Stored Process web application, so the window is
titled Stored Processes.
To create a report, click the stored process entry. The viewing pane of the Report Center window
displays prompts for the information in the report. You can select the categories of inputs on the
left side of the display area to fully customize the report. Click Run to produce the report.
b. Run a report that shows a full listing of available reports. Select Products  SAS Environment
Manager  Dynamic Reports  Datamart  Report Center Report Listings.
c. Run a report that shows a full listing of data mart tables and variables. Select Products  SAS
Environment Manager  Dynamic Reports  Datamart  Data Mart Proc Contents Full
Listing.
d. Run a report that shows all alert definitions. Select Products  SAS Environment Manager 
Dynamic Reports  Datamart  All Alert Definitions.
13. Importing Events

You can turn additional items into events by using the SAS macro %evevent to simulate an external
event, which is then imported into SAS Environment Manager.
a. Go to Resources  Services and search for Event Importer.
b. Select the Service Architecture Event Importer and go to the Inventory page.
c. In the Configuration Properties section of the screen, click Edit.
d. Review the event importer settings. The settings should be as follows:
Enable Event Importer check box selected
Enable Log Tracking check box selected
Track event log level: INFO
Log files: Events/sasev.events
Note: If you do not have the Services Architecture initialized, you can create your own event
importer by going to Resources  Platforms (select platform)  Tools Menu 
New Platform Service. Under Service Type, select SAS Event Importer and then fill in
the same fields as shown above.
e. Click OK to exit the properties of the event importer.
f. Navigate to the following directory:
For
5. Linux Server
/opt/sas/Workshop/spaft
The program CreateEvent.sas generates an event, using the %evevent macro.
For Windows Server
D:\Workshop\spaft
The program CreateEvent.sas generates an event, using the %evevent macro.
The SAS macro library with sample macros used with the Service Architecture is in the following
location:
Linux Server: /opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework
Windows Server: D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework
g. View the contents of the program through a text editor, but do not make changes.
The syntax for the macro is as follows:

src= specifies the originator of the event. You can also use this parameter to specify the format of
the text in the msgtext= parameter. The value that you specify for the format is specified by the
parser. Use a colon (:) to separate the originator and the format information.
msglevel= specifies the level of the event. Valid values are DEBUG, INFO, WARN, and
ERROR.
msgtext= specifies the text of the event message.
h. Generate the external event.
For Linux Server

6.
1. Note: Use mRemoteNg and not WINSCP because you will be issuing a command.
Navigate to the following directory:
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework/bin
2. Execute the following command:

./runSASjob.sh /opt/sas/Workshop/spaft/CreateEvent.sas
For Windows Server

1. Note: Open a CMD window because you will be issuing a command.
D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\bin
runSASjob.bat D:\Workshop\spaft\CreateEvent.sas
Note: The runSASJob.sh script sets up the SAS environment needed to run the job.
i. In SAS Environment Manager, select Analyze  Event Center. The event should appear in a
few minutes.
j. Check the sasev.events file located here:
For
7. Linux Server
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework/Events/sasev.events
The event is included in the file. You can open up the file with the command gedit sasev.events
or use WINSCP application.
For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\Events\sasev.events
The event is included in the file. You can open the file with Notepad or WordPad.
14. (Optional) Exporting Events

a. Create an Event Exporter Service in SAS Environment Manager. Navigate to Resources 
Platforms  sasserver.demo.sas.com.
b. From the Tools menu, select New Platform Service.
1) Enter a name: sasserver export event.
2) Enter a description: sasserver export event.
3) Select the service type SAS Event Exporter.
4) Click OK.
c. In the new exporter, select Configuration Properties and enter the following properties:
1) Enable Event Exporter: select
2) Events File Name: For Linux Server: /opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server: D:\SAS\Config\Lev1\AppData\EventsOut.txt
3) User Name: Ahmed
4) Password: Student1
Click OK.
d. Generate an event by restarting the object spawner.
1) Go to Resources  Servers  sasserver.demo.sas.com Object Spawner -sasserver.
2) Click Control in the Quick Control section.
3) Change Control Action to Restart and click the arrow to the right.
e. Go to Analyze  Event Center to verify that the events occurred.
f. Navigate to the following text file to see the events being written to it:
For
13.Linux Server
/opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server
D:\SAS\Config\Lev1\AppData\EventsOut.txt
Note: The event exporter does not allow subsetting of the events that are exported. All events
that SAS Environment Manager generates are written to the file.
2.5 Solutions 2-71
2.5 Solutions
1. Locating the Installation and Configuration Directories of the SAS Deployment
a. On the server machine, locate the installation directory.
For Linux Server

Navigate to /opt/sas/SASHome. Are any desktop applications installed on the server
machine? Yes, SAS Management Console and SAS Deployment Manager.
For Windows Server

Access Windows Explorer and navigate to D:\Program Files\SASHome. Are any desktop
applications installed on the server machine? Yes, SAS Management Console and
SAS Deployment Manager.
b. Locate the configuration directory.

For Linux Server
Navigate to /opt/sas/config/Lev1.
2.5 Solutions 2-73
For Windows Server

Access Windows Explorer and navigate to D:\SAS\Config\Lev1.
Note: The Levn subdirectory contains configuration information and other files for a particular
installation instance. Lev1 is generally used for production environments. Additional levels,
such as Lev2 and Lev3, can be used for environments that you install for purposes such as
development and testing. During installation, the SAS Deployment Wizard enables you to
select the level number.
2. Examining details_diagram.html
A 9.4 Standard Deployment plan is an XML-based description of the topology for your SAS system.
Similar to an architect’s floor plan, the plan describes the intended final SAS software environment.
The plan is used in the SAS software deployment process to “tell” the SAS Deployment Wizard
which software components to install and configure on each machine. A diagram of your customized
deployment plan, called details_diagram.html (optimized for Firefox) or
details_diagram_for_ie7.mht (optimized for Internet Explorer), comes with your custom plan file.
Note: See Installation Note 44320, Using deployment plans during a SAS ® installation.
a. On the server machine, locate and open the details_diagram.html file.
For Linux Server

Navigate to /opt/sas/depot/plan_files.
For Windows Server

Access Windows Explorer, and navigate to D:\SAS\depot\plan_files
b. Where is SAS Management Console installed? Configured? For both, server and middle tier
machine and client machine
Where is SAS Foundation software installed? Server and middle tier machine
Configured? It is not configured.
Where is SAS Enterprise Guide installed? Client machine
Configured? It is not configured.
3. Creating an Environment Snapshot

The Environment Snapshot contains a comprehensive listing of the system information in the SAS
Environment Manager database. It collects and displays the most current performance measures
and configuration parameters and also executes and gathers real-time usage information.
2.5 Solutions 2-75
a. Log on to SAS Environment Manager as sasadm@saspw using the password Student1.

b. Select Analyze  Environment Snapshot.
c. Under Summary Table, select sasserver.demo.sas as your system.
d. Click the Snapshot Environment button.

e. Click the SAS tab and notice the metadata server configuration attributes.
f. Click the Logs tab. A comprehensive list of server log locations is displayed. Notice that many of
the middle tier servers do not have log tracking enabled, whereas the SAS servers do.
g. You can change this by going to a resource inventory property and enable log tracking. Go to
Resources  Browse  Servers and select sasserver.demo.sas.com tc Runtime
SASServer1_1.
h. Click the Inventory tab and scroll down to Configuration Properties and click Edit.
i. Check server.log_track.enable and change the value of server.log_track files to logs/server.log.
j. Click OK.
Many of the server-level resources enable the administrator to set up log tracking. This is a
method of monitoring log files for specific messages, such as severe errors or other critical
information. By doing this, you do not need to open the log files directly. You can access only the
portion that you need from the user interface. These log file entries are one type of event that can
be configured and customized in SAS Environment Manager.
For SAS Servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
SAS Deployment Wizard. For servers that are not SAS servers, you have to turn on log tracking
and specify the log messages that you want to capture.
Note: Setting up log tracking will be covered in a later chapter.
2.5 Solutions 2-77
k. Return to Environment Snapshot on the Analyze tab and select sasserver.demo.sas.com as

your system. Click the Logs tab to see that the tc runtime SASServer1_1 now has the logging
file location.
l. Click the Snapshot environment under Create a Snapshot.
m. When the processing is complete, click the Snapshots tab. A text file is created. Where is the
physical location?
Take note of the snapshot location displayed on the screen. The path is on the middle-tier machine
where SAS Environment Manager Server is located and is relative to the SAS configuration
directory.
n. Navigate to the file location and view the file contents:
For Linux Server

14.
/opt/sas/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE and
For Windows Server

D:\SAS\Config\ Lev1\Web\SASEnvironmentManager\server-5.8.0-EE and
4. Diagramming Your SAS Environment

a. At your site, how many physical servers are used for your SAS environment?
b. What operating systems run on your servers?
c. Use the blank diagram to indicate where the components are installed in your environment.
Draw additional boxes if necessary.
SAS Servers Middle Tier Data Sources
2.5 Solutions 2-79
5. Operating the SAS Servers

a. Check the status of the SAS Servers.
For Linux Server

1. On UNIX systems, scripts are designed to enforce the correct order of stopping and
starting SAS Servers. They are called sas.servers.pre, sas.servers, and sas.servers.mid.
Some servers are started directly by the sas.servers script. Other servers are started by the
sas.servers.pre and sas.servers.mid scripts, which are called by sas.servers. The table on
page 2-24 of your Course Notes shows the script names, the components that are included
in each script, and the order in which the components are started. For Linux Server
SAS servers: ./sas.servers status. (The valid commands are stop, start, restart, and
status.)
For Windows Server

1. On your Windows Server machine, it is fastest to use the Windows Services application to
check status, stop, and start SAS servers. Click the Services icon in the system tray. With
Services selected, scroll down to the SAS services. Verify that the status for all the SAS
services is Started.
2. Check the built-in Windows Service dependencies for the SAS Metadata Server.
Right-click SAS[Config-Lev1] SASMeta-Metadata Server and select Properties.
2.5 Solutions 2-81
3. Click the Dependencies tab.
Note: The dependencies do not include any middle-tier servers. It is not recommended
that you include them in the dependencies. However, it is possible. See
Installation Note 52100: http://support.sas.com/kb/52/100.html
b. Review the start-up order of the SAS servers.
For Linux Server

Use gedit, vi, or WinSCP to open the sas.servers script. Review the start-up order of the
SAS servers.
2.5 Solutions 2-83
For Windows Server

Navigate to D:\scripts. Right-click StartSAS.bat and select Edit. Review the start-up order
of the servers.
How much time is built in for the web server to wait for the cache locator to start up? What
is being read before it starts up?
Caution: You might use a script similar to this one in your environment. However,
be aware that this script deletes log files, which you would not want for a
SAS Environment outside of the classroom.
6. (Optional) Stopping and Starting Servers in the Correct Order

Caution: It is important to start servers in the correct order. When shutting down, use the
reverse order that is used when starting up.
For Linux Server

On the Linux server, use the sas.servers script.
Issue the following command to restart the servers because you did restart the SAS Web
Server in the previous exercise: ./sas.servers restart
(You could also issue a command of stop, wait for the servers to go down, and then issues a
start command.)
For Windows Server

1. Note: You would use the Windows Services application to shut down and then restart all
of the servers in the correct order in a typical deployment.
The classroom image uses a batch file to start and stop Windows Services.
In order to make sure that servers in our environment are started up in the correct order,
first use the stopSAS script. The scripts are located here: D:\scripts.You can monitor the
stopping and then starting of the servers via the command window.
This displays the services being stopped. A message is displayed when the script is done.
2.5 Solutions 2-85
2. Start the servers with the startSAS script.

The services are displayed as they are starting. (You can start the Task Manager to watch
the CPU activity.)
Note: The SAS Web Application Server takes from 15 to 20 minutes to start, depending on how
many SAS applications are deployed. You can examine the log files to monitor its
progress and verify that everything started successfully.
7. Validating the Servers in SAS Management Console
a. On the client machine, log on to SAS Management Console as Ahmed using the Student1
password.
b. Expand Server Manager  SASApp  SASApp - Logical Workspace Server 
SASApp - Workspace Server. Right-click sasserver.demo.sas.com and select Validate.
Was the validation successful? If not, verify that the object spawner is running.
c. View the details of the validation. What autoexec file was executed at server initialization?
Note: An autoexec file contains SAS statements that are executed immediately after
SAS initializes the server.
8. Adding a SAS Administrator to the Super User Role in SAS Environment Manager
The internal account sasadm@saspw is the default account for signing on to SAS Environment
Manager. In order to have other users such as Ahmed access SAS Environment Manager, the user
needs to be added to a SAS Environment Manager group in metadata and then synchronized to the
corresponding role in SAS Environment Manager.
a. Sign in to SAS Environment Manager as sasadm@saspw using the password Student1 if you
have not done so from the previous exercise.
b. Go to the Manage page and select List Users to see a list of the current users in Environment
Manager.
Three users will be listed.
c. Click List Roles to see the Environment Manager Roles. There should be three.
These three roles map to three user groups created in SAS metadata.
d. Add Ahmed to the SAS EV Super User group in metadata.
Go to the Administration page and select Users from the Side menu.
2.5 Solutions 2-87
e. Filter on Group.
f. Enter SAS in the Search field to get to the SAS Environment Manager Super Users.
g. Right-click SAS Environment Manager Super Users and select Open to open the metadata
properties.
h. From the Basic Properties drop-down menu, select Members.
i. Add Ahmed to the group by clicking the Edit button in the upper right toolbar.
j. Move Ahmed from the Available identities list to the Direct members list. Click OK.
k. Do not click Close until you save your changes by clicking the Save button . Click Close.
l. You do not need to synchronize users from the Manage page. Instead, Sign out as
sasadm@saspw and sign back in as Ahmed to verify that he now has access to
SAS Environment Manager. Stay signed in as Ahmed for the rest of the exercises.
9. Adding an Availability Summary Portlet to Your Dashboard

a. In SAS Environment Manager, click the Dashboard tab if not already there. Make sure you are
logged in as Ahmed.
b. Create an OS and SAS Server Tier availability summary portlet.
1) On the left side of the Dashboard page, select Availability Summary in the Add Content
to this column field.
2) Click the Configure button to display the Dashboard Settings page for the portlet.
2.5 Solutions 2-89
3) Click Add to List in the Selected Resources area.
4) In the View field, make sure that Platforms is selected. Move both resources to the right.
Click OK.
5) Specify the name OS and SAS Server Tier in the Description field. Click OK.
6) Move the OS and SAS Server Tier availability summary portlet to the top by clicking
the heading and dragging it to the top of the left column.
10. Evaluating Resource and Memory Usage on a Host
System Resources can approach their limits and cause the system to become slow or unstable. If you
see a problem with system responsiveness from the users’ point of view, there are some metrics that
can be checked to give us clues as to why. It is also possible for system resources to be nearing their
limits, but with no obvious effect on user experience. Regardless, you can monitor these items
through SAS Environment Manager.
a. Review metrics for the server machine.
For Linux Server

Click Linux under your OS and SAS Server Tier summary portlet that you just created.
For Windows Server
Click Win32 under your OS and SAS Server Tier summary portlet that you just created.
b. Click sasserver.demo.sas.com and that takes you to the same view as Resources  Browse 
Platform  sasserver.demo.sas.com.
What is the RAM for this machine? What is the CPU speed?
It varies: 15952 MB on Linux and 16384 MB on Windows
The RAM field (in the upper right) specifies the total memory for the host.
The CPU Speed field (in the upper left) specifies the number and speed of the proc essors on the
machine.
2.5 Solutions 2-91
c. Click Metric Data to view the table of metrics for the host.
Use these metrics to evaluate memory usage for the host:

 Total Memory (this value will match the value of the RAM field, although RAM is specified in
MB and Total Memory in GB)
 Used Memory
 Used Memory (-buffers/cache)
 Percent Used Memory
 Percent Free Memory
Use these metrics to evaluate swap space usage:
 Swap Free
 Percent Swap Free
 Percent Swap used
Use these metrics to determine CPU and I/O usage for a host in a deployment:
 CPU Usage
 CPU Wait
 User CPU
 CPU Idle
 CPU IRQ
 File System Read/Writes per Minute metric to evaluate I/O performance over time
2.5 Solutions 2-93
d. Click Indicators to view these metrics in chart form. The charts can be useful for evaluating
changes in memory usage over time, for example.
Note: If the chart for one or more of the metrics is not displayed, select the Problem Metrics
field on the bottom left of the page and change the selection to All Metrics. Move the
metric that you want added in the Indicators display by clicking the black arrow next to
the metric.
e. By clicking the metric, a chart is brought up with more detailed information. Scroll to the bottom
of the metric charts and click Zombie Processes. This is one metric at the Platform level that can
indicate too many “runaway” or “stuck” processes. If there are any numbers above zero
consistently, it might be time to reboot the machine when there is opportunity to do so.
You have options within the chart view such as editing ranges, saving the chart to dashboards,
and defining an alert for this metric.
f. Click the down arrow next to Map to see a visual representation of resources and the next level of
parent and child resources. How many servers are under this machine platform?
Note: The map for a platform displays the servers under the platform, and the map for a server
displays the services under the server. Servers as well as Services under the platform are
also listed on the left of the Monitor page.
2.5 Solutions 2-95
g. Click Views  Live Exec.
h. Select a query to run from the drop-down menu, such as df and top.
11. Reviewing Service Architecture Enablement Steps and Locating Logs Created by Enabling and
Initializing the APM ETL
a. Navigate to the emi-framework directory where the instruction document
SAS_Environment_Manager_Service_Architecture_Quickstart.pdf is located.
For
15.Linux Server
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework
For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework
Note: The document can also be found here:
http://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/SAS_Environment_Manager
_Service_Architecture_Quickstart_9.4M4.pdf
The Initialization steps start on page 4 of the PDF. Initialization commands are located in the bin
directory.
Configuration of the package is broadly defined in three phases or stages. The main phases of
configuration are as follows:
1) Pre-check, validation of the initial deployment of SAS and SAS Environment Manager.
2) Validation of the SAS Environment Manager Service Architecture framework and the
initialization of the enhanced monitoring bundle.
3) Enabling either ACM or APM ETLs, including an additional initialization step for the APM
ETL. All ETL processes are optional and can be enabled at any time after the framework has
been initialized. However, one or more ETLs are required to construct the data dart.
Note: The Service Architecture has already been initialized in the classroom environment.
b. If the APM ETL package is enabled and initialized, a potentially large volume of log files is
created. The ETL process extracts data from SAS logs and loads that data into the data mart so
that the applicable stored process reports have data to work with. Data is extracted from the SAS
logs only when the logs roll over (usually after midnight).
1) Locate log files that are generated.
For
16.Linux Server
Navigate to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
For Windows Server

Navigate to D:\SAS\Config\Lev1\ SASApp\WorkspaceServer.
2) Open the PerfLogs directory. Logging of this server causes a separate log file to be created in
this directory for each spawned SAS Workspace Server. This means that there is a log file for
each session of SAS Enterprise Guide or SAS Data Integration Studio users.
With the enablement and initialization of the APM ETL package, the SAS Application server
environment is modified to enable ARM (Application Response Measurement), as well as the
activation of SAS logging facility loggers and log appenders, to support the ARM-enabled
SASApp deployment.
Caution: Be aware of the potential for the large number of log files that can be created in
this directory. You can create a daily archive of the logs in a .zip or .tar file and
then copy the daily archive to another storage location. This process enables you
to manage the large number of log files while maintaining IT best practices for
retaining usage logs.
Refer to the following notes:
Problem Note 52668, A SAS® Environment Manager agent either fails to start, or it starts and
does not send data
http://support.sas.com/kb/52/668.html
Usage Note 54744, “Frequently asked questions about the SAS ® Environment Manager in the
UNIX operating environment”:
http://supportprod.unx.sas.com/fusionpreview/previewhtml/54/744.html
2.5 Solutions 2-97
12. Running Stored Processes from the Report Center

a. Select Analyze  Report Center. The Report Center is displayed in a separate window or tab in
your browser. The Report Center uses the SAS Stored Process web application, so the window is
titled Stored Processes.
b. Run a report that shows a full listing of available reports. Select Products  SAS Environment
Manager  Dynamic Reports  Datamart  Report Center Report Listings.
c. Run a report that shows a full listing of data mart tables and variables. Select Products  SAS
Environment Manager  Dynamic Reports  Datamart  Data Mart Proc Contents Full
Listing.
d. Run a report that shows all alert definitions. Select Products  SAS Environment Manager 
Dynamic Reports  Datamart  All Alert Definitions.
13. Importing Events

You can turn additional items into events by using the SAS macro %evevent to simulate an external
event, which is then imported into SAS Environment Manager.
a. Go to Resources  Services and search for Event Importer.
2.5 Solutions 2-99
b. Select the Service Architecture Event Importer and go to the Inventory page.
c. In the Configuration Properties section of the screen, click Edit.
d. Review the event importer settings. The settings should be as follows:

Enable Event Importer check box selected
Enable Log Tracking check box selected
Track event log level: INFO
Log files: Events/sasev.events
Note: If you do not have the Services Architecture initialized, you can create your own event
importer by going to Resources  Platforms (select platform)  Tools Menu  New
Platform Service. Under Service Type, select SAS Event Importer and then fill in the
same fields as shown above.
e. Click OK to exit the properties of the event importer.
f. Navigate to the following directory:
17. For Linux Server

/opt/sas/Workshop/spaft
The program CreateEvent.sas generates an event using the %evevent macro.
For Windows Server

D:\Workshop\spaft
The program CreateEvent.sas generates an event using the %evevent macro.
The SAS macro library with samples macros used with the Service Architecture is in the
following location:
Linux Server: /opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework
Windows Server: D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework
g. View the contents of the program through a text editor, but do not make changes.
The syntax for the macro is as follows:

src= specifies the originator of the event. You can also use this parameter to specify the format of
the text in the msgtext= parameter. The value that you specify for the format is specified by the
parser. Use a colon (:) to separate the originator and the format information.
msglevel= specifies the level of the event. Valid values are DEBUG, INFO, WARN, and
ERROR.
msgtext= specifies the text of the event message.
2.5 Solutions 2-101
h. Generate the external event.
For
18. Linux Server
1. Note: Use mRemoteNg and not WINSCP because you will be issuing a command.
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework/bin

./runSASjob.sh /opt/sas/Workshop/spaft/CreateEvent.sas
For Windows Server

1. Note: Open a CMD window because you will be issuing a command.
D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\bin

runSASjob.bat D:\Workshop\spaft\CreateEvent.sas
Note: The runSASJob.sh script sets up the SAS environment needed to run the job.
i. In SAS Environment Manager, select Analyze  Event Center. The event should appear in a few
minutes.
j. Check the sasev.events file located here:
For
19.Linux Server
/opt/sas/config/Lev1/Web/SASEnvironmentManager/emi-framework/Events/sasev.events
The event is included in the file. You can open up the file with the command gedit sasev.events.
For Windows Server

D:\SAS\Config\Lev1\Web\SASEnvironmentManager\emi-framework\Events\sasev.events
The event is included in the file. You can open the file with Notepad or WordPad.
14. (Optional) Exporting Events

a. Create an Event Exporter Service in SAS Environment Manager. Navigate to Resources 
Platforms  sasserver.demo.sas.com.
b. From the Tools menu, select New Platform Service.
1) Enter a Name: sasserver export event.
2) Enter a Description: sasserver export event.
3) Select the Service Type SAS Event Exporter.
2.5 Solutions 2-103
4) Click OK.
c. In the new exporter, select Configuration Properties and enter the following properties;
1) Enable Event Exporter: select
2) Events File Name: For Linux Server: /opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server: D:\SAS\Config\Lev1\AppData\EventsOut.txt
3) User Name: Ahmed
4) Password: Student1
Click OK.
d. Generate an event by restarting the object spawner.
1) Go to Resources  Servers  sasserver.demo.sas.com Object Spawner -sasserver.
2) Click Control in the Quick Control section.
3) Change Control Action to Restart and click the arrow to the right.
e. Go to Analyze  Event Center to verify that the events occurred.
f. Navigate to the following text file to see the events being written to it:
For
20.Linux Server
/opt/sas/config/Lev1/AppData/EventsOut.txt
For Windows Server
D:\SAS\Config\Lev1\AppData\EventsOut.txt
Note: The event exporter does not allow subsetting of the events that are exported. All events
that SAS Environment Manager generates are written to the file.
2.5 Solutions 2-105
The SAS configuration directory under Levn will include which of the
following subdirectories?
a. SASApp, SASMeta, ObjectSpawner, Binaries

b. SASMeta, AppData, SASPlatformObjectFramework
c. SASApp, SASMeta, AppData, Documents
d. Documents, SASManagementConsole, SASApp, SASMeta
21
On the Resources page in SAS Environment Manager, where would you find
the SAS Object Spawner resource?
a. Services
b. Servers
c. Platforms
d. Mixed Groups
52
Which statement is true regarding the SAS Environment Manager Agent?
a. You can have only one SAS Environment Manager Agent in a SAS
deployment.
b. The SAS Environment Manager Agent summarizes the metric
information and writes it to the PostgreSQL database.
c. The SAS Environment Manager Agent can be monitored under Platforms
in SAS Environment Manager’s Resource page.
d. You will have a SAS Environment Manager Agent running on every
platform where SAS components are configured in your SAS deployment.
54
Chapter 3 Understanding SAS®
Metadata and the Metadata Server
3.1 Exploring the SAS Metadata Server and Metadata Repositories ............................. 3-3
Exercises............................................................................................................. 3-11
3.2 Exploring SAS Metadata Objects ............................................................................ 3-16

Demonstration: Exploring SAS Metadata in SAS Environment Manager........................ 3-27
Exercises............................................................................................................. 3-31
3.3 Implementing a SAS Metadata Server Cluster ........................................................ 3-36
3.4 Backing Up the SAS Metadata Server..................................................................... 3-49

Exercises............................................................................................................. 3-61
3.5 Backing Up the SAS Environment .......................................................................... 3-63

Demonstration: Listing the Deployment Schedule and Using the Backup Manager in
SAS Environment Manager.............................................................. 3-74
Exercises............................................................................................................. 3-80
3.6 Solutions ................................................................................................................. 3-84


3-2 Chapter 3 Understanding SAS® Metadata and the Metadata Server
3.1 Exploring the SAS Metadata Server and Metadata Repositories 3-3
3.1 Exploring the SAS Metadata Server

and Metadata Repositories
Objectives
• Explore the role of the metadata server.

• Identify how metadata is stored.
• Examine the types of metadata repositories.
• Explore how the metadata server locates, accesses, and updates metadata
repositories.
• Explore how the metadata server starts up.
3
SAS Metadata Server
SAS applications connect to the

S A S Environment Manager
metadata server. S A S Enterprise Miner
S A S D ata Integ ration Studio
S A S Information Delivery Portal
S AS Add-In for Microsoft Office
S A S Enterprise Guide
M etadata Server
i S A S S tudio
S A S M odel M anag er
S A S Information Map Studio

S A S BI Dashboard
D a t a F lux D ata
M an agement Studio
S A S M anagement Console
S A S W eb Report S tudio
4
In most cases, users access and update metadata using SAS applications, including SAS Management
Console, SAS Environment Manager, SAS Data Integration Studio, and SAS Enterprise Guide. Web-
based applications need only a web browser. The connection profile is built into the web application.
You can also access and manage SAS metadata through programmatic interfaces, including the
METADATA and METALIB procedures, DATA step functions, and the batch tools for metadata
management. The tools are documented in SAS® 9.4 Intelligence Platform: System Administration Guide.
Other parts of the SAS platform also communicate with the metadata server, including SAS spawners,
SAS servers, and SAS middle-tier applications.
SAS Metadata Server
The metadata server’s role is to read and write metadata.
i
Metadata SA S Metadata
Server Repositories
5
The management and use of threads are controlled by the MAXACTIVETHREADS, THREADSMIN,
and THREADSMAX options. See “Configuring the Number of Threads Used by the Metadata Server”
in SAS® 9.4 Intelligence Platform: System Administration Guide.
The metadata server
 uses multi-threaded processing to read metadata but uses a single thread to write
and update.
 is an ‘in-memory’ server, enabling high-speed access by applications.
 supports concurrent users.
 provides centralized management of metadata resources.
 enables metadata exchange between applications so that applications can work together easily and
efficiently.
 is built on the SAS Open Metadata Architecture, a metadata management facility that provides
common metadata services to applications, including creating, accessing, and updating metadata.
Note: SAS 9.4 provides the option of implementing a metadata server cluster. Client applications and
users interact with the cluster in the same way that they would interact with a metadata server that
is not clustered.
SAS Metadata
The SAS Metadata Server provides centralized management of metadata

resources. Metadata describes the location and structure of the SAS
platform.
• server definitions
• data definitions
• users and groups
• security settings
• business intelligence content
6
SAS applications connect to the SAS Metadata Server and issue SAS Open Metadata interface method
calls that access metadata from repositories.
Metadata Repositories
A metadata repository is
• a library of tables in which a collection of related metadata objects is stored
• stored in a physical location
• managed by a repository manager.
7
Repository Manager
The repository manager is a library of tables that holds information about the
other repositories in the environment.
OBJNAME ID REPTYPE RPOSPATH
Foundation A0000001.A5STDM7N FOUNDATION MetadataServ er\M etadataR epositories\Foundation

Ole’s Work Repository A0000001.A5590EKV PROJECT MetadataServ er\M etadataR epositories\OleWo rk
Barbara’s Work Repository A0000001.A5WWW6FH PROJECT MetadataServ er\M etadataR epositories\Barbara Work
8
A metadata server cannot be started without a repository manager. Each metadata server can have only
one repository manager.
Metadata Repositories
The metadata server supports these types of metadata repositories:

Foundation Required metadata store for a metadata server. You
repository cannot create more than one foundation repository.
Custom An optional metadata store that is useful for physically
repository separating metadata for storage or security purposes.
N ote: A third type of metadata repository is available for data management

solutions, called project repositories.
9
The BI Lineage repository created for the BI Lineage plug-in is a custom repository. Custom repositories
appear as folders in the metadata folder tree under the SAS root folder.
A project repository is an optional metadata store that acts as an isolated work area for SAS Data
Integration Studio. Each user who participates in change management has a project repository.
You can use the Metadata Manager plug-in to create and manage repositories.
Creating a new repository Creates initial repository content and all the metadata that defines the
repository.
Registering a repository Creates the metadata that defines the repository and points to existing
repository content.
Deleting a repository Deletes the repository content and all the metadata that defines the
repository.
Unregistering a repository Removes the metadata that describes the repository without removing
the content of the repository itself.
SAS Metadata Server
To enable high-speed access by users, the metadata server is an “in-memory”

server. As clients submit queries, the requested records are read from
repository data sets on disk into the server’s memory.
i
M etadata Server
In -memory database
10
When the first query for a specific type of metadata object (for example, a table) is submitted, all table
metadata is loaded into memory. The in-memory database remains until the metadata server is paused
or stopped.
SAS Metadata Server Journaling

When journaling is enabled, access is returned to clients as soon as the
metadata updates are written to the in-memory database and the journal
file. The more time-consuming updates to the repository data sets
are performed later in the background.
J o urnal file
i
M etadata Server
In -memory database
11
Journaling is enabled by default for the metadata server. For best performance, it is recommended that
journaling be enabled at all times. If the metadata server fails before the update process can apply
all updates from the journal file, the metadata server automatically recovers them from the journal file
when it is restarted.
In addition, journaling must be properly configured in order for roll-forward recovery to be available
in the event that you need to restore the metadata server. When the OMA JOURNALTYPE= option is set
to ROLL_FORWARD, the metadata server creates a linear journal file that permanently stores
all transactions that occurred since the most recent backup.
The metadata server is initially set up to write journal entries to a journal file that is stored in </SAS
Configuration Directory/Levn/>SASMeta/MetadataServer/Journal. Each time a new backup is executed,
journaling stops and a new journal file is started in this location.
Journaling is controlled by options set in the omaconfig.xml file.
Metadata Server Start-up
The metadata server reads the om a config.xml file at start-up. The

omaconfig.xml file contains SAS Metadata Server settings, including the
following:
• location of the repository manager
• email addresses to which alert emails are to be sent
• journaling options
N ote: Any changes to this file require a restart of the metadata server in
order for the changes to take effect.
12
Alert emails that are generated by the metadata server are sent to the addresses that are specified
in the OMA ALERTEMAIL option in the omaconfig.xml file. The generated email has Metadata Server
Alert in the subject line. The body of the message specifies the error that occurred, the name
of the metadata server host machine, the metadata server port, and the location of the metadata server log.
The metadata server sends alert emails in these situations:
 An error occurs during metadata server backup or recovery.
 A problem occurs and prevents the repository data sets from being updated from the journal.
To test the alert email configuration, do the following:

1. Log on to SAS Management Console.
2. Expand the Metadata Manager plug-in. Right-click Active Server and select Properties.
3. In the Active Server Properties dialog box, select Send Test Message.
4. In the Send Alert E-mail Message dialog box, enter text to be included in the email. Click OK.
Metadata Server Start-up
i R epository Manager
M etadata Server 3
1 2
5
o maconfig.xml M etadata Repositories
18
1. The metadata server is launched from the operating system either as a Windows service or from
a command. As part of the start-up, the metadata server reads the omaconfig.xml file in the metadata
server configuration directory.
2. One of the settings in the omaconfig.xml file is the location of the repository manager.
3. The metadata server connects to the repository manager.
4. The repository manager provides information about the metadata repositories including location, type,
and name.
5. The metadata server connects to the metadata repositories.
Exercises
1. Exploring Metadata Pointers in SAS Management Console and the Contents of the Metadata
Server Directory
a. On your client machine, log on to SAS Management Console as Ahmed with the password
Student1. (SAS Management Console is listed under the start menu.)
b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.
c. Where is the Foundation repository physically located? Under Active Server, select Foundation.
d. In what format is the metadata in the repository stored?
For Linux Server

Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/
MetadataRepositories/Foundation.
For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\SASMeta\
MetadataServer\MetadataRepositories\Foundation.
The metadata is stored in specially formatted SAS data sets. You should never access these tables
directly. While the metadata server is running, these tables are locked. Any access (query, update,
and so on) to these must be done via the metadata server. If you do not use the metadata server
to access these tables, you risk corrupting the metadata.
Note: Metadata queries that are made using SAS applications, PROC METADATA, batch tools
for metadata management, or DATA step functions are processed by the metadata server.
2. Checking the Availability of the Metadata Server in SAS Environment Manager

In the SAS platform, the metadata server is the most critical component. It must always be running
and responsive. In this exercise, you check the availability and health of the metadata server.
a. Open Internet Explorer or Google Chrome on the client machine and select SAS Environment
Manager on the Favorites toolbar.
b. Sign in to SAS Environment Manager as Ahmed with password Student1.

c. Click the Resources tab.
d. Click Servers. How many Servers are listed?
e. Click sasserver.demo.sas.com SASMeta - SAS Metadata Server.

Note: You might need to go to the second page of server listings, by clicking the arrow at the
bottom right of the page.
Note: You can use the Search field and type in Metadata Server. Make sure All Server Types is
selected in the second field, and then click to the far right.
f. Look for the following metrics for a quick overview:
Availability
Server Health
g. If the metadata server is overusing virtual memory (too much page swapping), that could indicate
trouble and might cause slow responses. These metrics are helpful:
Process Page Faults Per Minute
Time in Calls Per Minute
Not all metrics for this resource, the metadata server, are displayed by default, such as Time in
Calls Per Minute.
h. Select All Metrics in the drop-down list on the left to see a list of all the metrics for this resource.
(Currently Problem Metrics is displayed in the drop-down list.)
i. Add the Time in Calls Per Minute to the list of metrics displayed by clicking the black arrow
next to the metric.
j. Move the Time in Calls Per Minute and Process Page Faults Per Minute to the top using the up
arrow to the right of the named metric.
k. Click Apply next to View: Update Default located above the Availability metric and to the right.
Note: You want to know how much the metadata server is having to use disk space because it
does not have enough memory available to it. Paging is when individual memory
segments, or pages, are moved to or from the swap area. When memory is low, portions
of a process are moved to use disk space as a temporary place to store information that it
would normally just hold in memory. This is called swapping to disk. When a process
needs to swap some data from disk to memory so that it can access the data in memory, a
page fault occurs. It is an event that occurs because the page of memory the process
wanted is currently not in memory; it is held on the swap file on the disk. Thus, when a
page fault occurs, the operating system knows that it needs to swap the data that the
process wants back into memory, and it will swap some other existing data from memory
to the disk to free up the required memory so that there is room for the required page.
One of the metrics available from the OS that describes what a process does when it
enters this memory-constrained state is the number of page faults (swaps between disk
and memory) per period of time. You can see this metric for the process examined here,
the SAS metadata server.
You expect some degree of virtual memory swapping (page faults), which is normal, but
if you see a trend of increase over time, then you should probably investigate.
l. The data for the past eight -hour time period is displayed. Change this to a 30-minute interval. Use
the Last (number)/(Unit) drop-down list to change the length of the time period displayed. Click
OK. (You can use the Previous Page/Next Page buttons to scroll through earlier time periods as
well.)
m. Select the Metric Data button to display the data underlying the charts.
You see all of the metrics displayed here in a tabular table, whereas with the Indicators selected,
there is only a subset showing, unless you add a metric to be displayed (step i).
Note: You can also click the Chart button next to an entry in the table to see a chart of that
metric. However, the chart is different from the indicator chart.
n. Select Alert.
o. Select Configure. How many alerts are configured? How many alerts are active?
There are built-in alerts because Extended Monitoring has been enabled in this environment.
Note: Two alerts that might be useful are “Metadata Server ERROR message in log” and
“Metadata User Lockout”. If either of these alerts is fired, you might want to check the
logs for the metadata server to get more details about why these events are happening.
p. Click Metadata Time in Calls per Minute to look at the alert definition.
3. Searching for Resources in SAS Environment Manager
a. Click the Resources tab. You can search for resources within a resource category (Platforms,
Servers, Services, or groups).
1) Select a resource category, such as Servers.
2) Type in a search string (for example, ‘config’) and Resource type (for example, ‘SAS Config
Level Dir’).
3) After selections are made, click the arrow to the right .
b. Use the Search menu and the resource level selector to locate the following resources:
Servers
SAS Spawners (1 object and 1 connect spawner—search on the string “spawner”)
SAS OLAP Server
SAS Home Directory
SAS Config Level Directory
Services
SAS Stored Process Server
Note: The SAS spawners, the metadata server, and OLAP server are at the Servers level in the
platform hierarchy. The SAS Application Server Tier is considered a Platform. The
SAS Logical workspace servers and SAS Logical stored process servers are at the
Services level in the platform hierarchy.
c. Open SAS Management Console and log on as Ahmed using the password Student1. Expand the
Server Manager plug-in. The components above conform to the servers shown here.
3.01 Poll
By default, journaling is not enabled for the metadata server.
 True
 False
21
The Metadata Server knows the location of the Repository Manager because
it is specified in the following file:
a. sasv9_usermods.cfg
b. sasv9.cfg
c. omaconfig.xml
d. logconfig.xml
23
3.2 Exploring SAS Metadata Objects
Objectives
• Define SAS metadata.

• Explore SAS metadata types.
• Explore connections between metadata objects and external content.
• Identify associations between metadata objects using the Export SAS
Package Wizard.
• Identify associations between metadata objects using the BI Lineage Plug-in.
• Identify associations between metadata objects using SAS Platform batch
tools.
26
SAS Metadata
A metadata object, a l so known a s a metadata definition, i s a SAS res ource

tha t i s us ed by SAS a pplications.
Report
Exploration
27
Users (directly or through the groups to which they belong) need access to metadata as well
as to the non-metadata elements that they reference.
3.2 Exploring SAS Metadata Objects 3-17
SAS Metadata Types
The SAS metadata model includes metadata types. Each metadata object
is a unique instance of a metadata type.
28
SAS Metadata
SAS metadata is displayed in

• SAS Management Console on the Plug-ins tab
• SAS Environment Manager’s Administration tab
• the folder structure in SAS applications.
M et adata Administrat ion
M et adata is organized in folders.

29
Caution: Renaming, moving, or deleting SAS folders and the objects that they contain can cause
unpredictable results.
Before renaming, moving, or deleting an object or a folder, see the guidelines in “Best Practices for
Managing SAS Folders” and “Best Practices for Maintaining Associations among Objects in
SAS Folders,” in SAS® 9.4 Intelligence Platform: System Administration Guide.
The initial folder structure includes the following main components:

SAS Folders is the root folder for the folder structure. This folder cannot be renamed, moved, or deleted.
It can contain other folders, but it cannot contain individual objects.
My Folder ( ) is a shortcut to the personal folder of the user who is currently logged on.
BILineage is the root folder for the BILineage metadata repository. This repository stores results from
scans that have been run using the BI Lineage plug-in. This folder should not be renamed, moved, or
deleted. The repository and folder should not be used for any purpose other than storing scan results
Products contains folders for individual SAS products. These folders contain content that is installed
along with the product. For example, some products have a set of initial jobs, transformations, stored
processes, or reports that users can modify for their own purposes. Other products include sample content
(for example, sample stored processes) to demonstrate product capabilities. Where applicable, the content
is stored under the product's folder in subfolders that indicate the release number for the product.
Note: During installation, the SAS Deployment Wizard enables the installer to assign a different name
to this folder. Therefore, your Products folder might have a different name.
Shared Data is provided for you to store user-created content that is shared among multiple users. Under
this folder, you can create any number of subfolders, each with the appropriate permissions, to further
organize this content.
Note: You can also create additional folders under SAS Folders in which to store shared content.
System contains SAS system objects that are not directly accessed by business users. This folder contains
the following folders:
 Administration is not currently used.
 Applications contains folders for individual SAS applications that have system objects. Under these
folders, the objects are stored in subfolders that correspond to individual release numbers.
 Publishing contains channel and subscriber objects that are used by the Publishing Framew ork.
 Secured Libraries contains secured data folders, secured library objects, and secured table objects that
have been created to support metadata-bound libraries. See the SAS Guide to Metadata-Bound
Libraries.
 Security and Servers contain references to security objects (users, user groups, roles, access control
templates, and authentication domains) and server objects. The white folders indicate that these are
virtual folders. The folders are displayed only in SAS Management Console to support operations such
as promotion. See “Promoting Security Objects and Server Objects.”
 Services is used by SAS BI Web Services to store metadata for generated web services.
 Types contains type definitions for public objects that exist on this metadata server.
User Folders contains folders that belong to individual users. These folders are referred to as the users'
home folders. The name of each home folder is based on the value of the user's Name field in the
User Manager plug-in for SAS Management Console.
The first time a user logs on to an application that requires a home folder, the user's home folder
is automatically created. That same folder is then used by other applications that the user logs on to.
SAS Metadata: SAS Servers
M et adata server objects
A sso ciated server directory

c o ntaining configuration files
30
SAS Metadata: Users and Groups
N ote: Typically, groups contain metadata users. An external account can be

associated with a group for third-party database access.
31
Users, Groups, and Roles can be created, viewed, and managed in the following:
 User Manager plug-in in SAS Management Console
 Administration tab of SAS Environment Manager
SAS Metadata: Folders

Folder Metadata Object Folder
Hierarchical organization of metadata In most cases, no direct physical content
objects
N o d irect physical
c o ntent
N ote: Content mapping is in place. Digital content is stored on the

SAS Content Server.
32
SAS Metadata: Libraries and Tables
Library Metadata Object Library

Connection information and nickname (libref) Collection of tables stored in the operating
for library system or RDBMS
Table Metadata Object Table

Description of the table including columns Physical store of relational data
(names, types, attributes), indexes, and library
33
Create and manage libraries and registration using one of the following:
 Data Library Manager plug-in in SAS Management Console.
 Administration tab of SAS Environment Manager.
In SAS Environment Manager 2.5 (the current release), SAS LASR analytic Server and SAS BASE
libraries are the only two available values for the Type field.
Note: Some of the metadata representations described above, such as tables, are actually a collection
of associated metadata objects.
SAS Metadata: Information Maps and OLAP Cubes
Information Map Metadata Object Information Map

Collection of data items and filters that No direct physical content, but
provide a user-friendly view of the data information map points to tables or
cubes for input
OLAP Cube Metadata Object OLAP Cube

Description of cube, including Hierarchical, multidimensional
dimensions, levels, measures, drill- arrangement of data to enable quick
through table, and schema analysis
34
SAS Metadata: Reports and Stored Processes
Report Metadata Object Report

Location of report definition and Report definition and additional files like
associated files graphics stored in SAS Content Server
Stored Process Metadata Object Stored Process

Location of SAS code (or code itself) and SAS code stored if stored outside of
execution parameters (including server metadata on a server
used for execution, type of output
created)
35
Metadata Object Associations
Many metadata objects are also associated with other metadata objects.
The following tools can help with discovering the associations:
• Export SAS Package Wizard,
part of the SAS Promotion Tools server library folder
• BI Lineage plug-in
• Batch tools
table information report
map
folder folder folder

36
For example, a library metadata object is associated with a server and a folder. A table depends
on a library and is associated with a folder. An information map can depend on a table and be associated
with a folder. A report can depend on an information map and be associated with a folder.
Some of these associations are also the paths through which metadata permissions are inherited.
Export SAS Package Wizard
The Export SAS Package Wizard is available

through SAS Management Console. The wizard
enables you to see metadata associations that
would be packaged up on the export.
Promotion
(selected content)
Export
Import
Review: Promotion is the process of copying s e lected metadata and

associated content within or between 3planned
7 deployments of SAS.
If using the Export SAS Package Wizard to create a package and not just to see dependencies, you can
selectively promote content.
 Select multiple nested folders.
 Include all or selected objects
in a folder.
 Include or exclude dependent objects.
 Use a filter to select objects based on the object
name, object type, or time period during which
the object was created or last modified.
 Include empty folders.
 Include associated physical content.
Caution: In order for objects to function properly in the target environment, you must import the
resources that objects depend on, unless those resources already exist in the target
environment. For example, if you want reports to function properly, the information maps
that the reports depend on must be present. If a report has stored processes or images
associated with it, then those objects must be present in the target system.
Virtual folders called Servers and Security are displayed in the SAS Folders tree in SAS Management
Console for use in promoting these objects.
BI Lineage Plug-in
The BI Lineage plug-in for SAS Management Console identifies connections

between BI objects.
• Scan results are stored in a special metadata repository called the BILineage
repository.
• BI Lineage scans can be run and viewed only by an unrestricted
administrative user.
38
The BILineage repository is created automatically the first time an unrestricted administrative user logs
on to SAS Management Console. The BILineage repository should not be used for any purpose other than
storing scan results.
To give users permission to view scan results, you must update the BILineage repository's Default ACT
to grant ReadMetadata permissions.
Note: You cannot provide access by setting permissions on the BILineage folder that appears in the
SAS Folders tree, because scan results are not stored in the folder.
Because the lineage information is not generated in real time, it is important to keep the scan information
updated. To make this task easier, you can create jobs and then schedule them to run at regular intervals.
The plug-in can generate jobs for running, exporting, or deleting BI Lineage scans. After the jobs are
generated, you can use the Schedule Manager plug-in to schedule the jobs. For details about these tasks,
see the BI Lineage plug-in Help in SAS Management Console.
SAS Intelligence Platform Batch Tools
The SAS platform provides a variety of batch tools that you can use to perform
actions on objects and other components of the SAS platform. The batch tools
are located in the path
SAS-install-directory/SASPlatformObjectFramework/9.4/ and fall under these
categories:
• metadata management tools
• export and import tools
• batch relationship reporting tools
• metadata server administration tools (…/tools)
• the Deployment Backup and Recovery tool (…/tools/admin)
39
The batch tools can be incorporated into scripts so that you can run them repeatedly on either an ad hoc
or scheduled basis.
 Metadata management tools can be used for tasks such as listing selected objects, deleting selected
objects, creating new folders, and managing metadata access.
 Export and import tools enable you to promote individual objects or groups of objects from one SAS
deployment to another, or from one folder location to another within the same deployment.
The promotion includes all associated content except physical files for tables and external files.
 Batch relationship reporting tools enable you to identify relationships among the content objects
in the SAS Folder tree. For example, you can identify the objects that a given object depends
on or contains; the objects that depend on or contain a given object; and the objects that are associated
with a given object. Both direct and nested relationships can be identified.
 Metadata server administration tools can be used by administrators to perform tasks such as executing
metadata server backups and restores, creating and deleting metadata repositories, and updating
metadata profiles.
 The Deployment and Backup and Recovery tool provides an integrated method for backing
up and recovering your SAS content across multiple tiers and machines.
Additional batch tools are available for middle-tier administration. See “Using the SAS Web
Infrastructure Platform Utilities” in SAS® Intelligence Platform: Middle-Tier Administration Guide.
Note: In all of the SAS Intelligence Platform batch tools, you must use the correct case for option
names (for example, -includeDep and –newOnly) and object types (for example,
InformationMap). All other elements of the commands are case insensitive.
Common Options for Batch Tools
For the Deployment Backup and Recovery batch commands and batch relationship
reporting tools:
Option Description
-host host-name Identifies the host machine for the SAS Web Server or SAS Web Application Server.
-port port Specifies the port on which the SAS Web Server or SAS Web Application Server
runs.
-user user-ID Specifies the user ID of the connecting user.
-password password Specifies the password of the connecting user.
-protocol HTTP|HTTPS Specifies the communication protocol that is used by the specified host machine
and port.
-profile file-name Specifies the name of a file that contains the host, port, user ID, and password
options. This option can be provided in place of -host, -port, -user, and –password.
40
 The password should be encrypted using SAS proprietary 32-bit encryption. To obtain the encrypted
password, use PROC PWENCODE.
 If the –protocol option is not specified, the default protocol (HTTP) is assumed.
 A sample profile called environment.properties is located in SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample. If you use this file, be sure to
use operating system controls to protect access to the file.
 The sas-recover-offline command uses different connection options. This command needs to connect to
the metadata server, not the web server or web application server.
The following additional options can be specified for the Deployment Backup and Recovery batch
commands:
-maxattempt maximum-number-of-attempts: The maximum number of attempts that are to be made to
execute the command if the first attempt fails. The default value is 2.
-help
Common Options for Metadata Batch Tools
You mus t provi de connection opti ons to l og on to the SAS Meta data Server.
Option Description
-host host-name Identifies the host machine for the metadata server.
-port port Specifies the port on which the metadata server runs.
-user user-ID Specifies the user ID of the connecting user.

-password password Specifies the password of the connecting user.
-profile profile-name Specifies the name of the connection profile that is to be used to connect
to the metadata server. This option can be provided in place of -host,
-port, -user, and –password.
41
The connection profile must exist on the computer where the command is executed. You can specify any
connection profile that has been created for use with client applications such as SAS Management
Console, SAS Data Integration Studio, and SAS OLAP Cube Studio. When you open one of these
applications, the available connection profiles are displayed in the drop-down box in the Connection
Profile dialog box.
The following additional options can be specified with any of the metadata server administration batch
commands:
-log log-path | log-path-and-filename specifies the path (or the path and filename) where the log file
is to be written.
-help
Exploring SAS Metadata in SAS Environment Manager
This demonstration illustrates how to use SAS Environment Manager to explore a library metadata object,
the tables registered to that library in metadata, and the physical location of the tables.
1. Log on to SAS Environment Manager with Ahmed’s credentials.

2. On the Administration page, click Side menu.
3. Select Libraries.
4. Here is a list of the registered library definitions in metadata.
5. Right-click Orion Star Library and select Open. With what metadata folder is the library
associated?
Note: Time stamps will be different for the SAS deployment on Windows versus Linux.
6. From the drop-down menu select Options. To what physical location does the library point?
The path for data stored on the Windows server would be D:\Workshop\OrionStar\orstar.
7. From the drop-down menu select Assigned SAS Servers.
8. With what server grouping is the library associated?
9. From the drop-down menu select Tables. The tables registered to this library and their metadata
folder location are listed.
10. Right-click Orion Star Customers and select Open to see the metadata definition of this table.
11. Click the Side menu button and select Folders.
12. Expand Orion Star  Marketing Department  Data. The library and tables are listed here.
13. Navigate to the location of the physical data.
For Linux Server

Navigate to /opt/sas/Workshop/OrionStar/orstar. The customer_dim.sas7bdat SAS data
set is stored in this location.
For Windows Server
Use Windows Explorer to navigate to D:\Workshop\OrionStar\orstar. The

customer_dim.sas7bdat SAS data set is stored in this location.
Exercises
4. Using the Export SAS Package Wizard to Examine Dependencies and Associations between
Metadata Objects
The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote individual
metadata objects or groups of objects from one SAS deployment to another or from one folder
location to another within the same deployment. The wizards display the associations and
dependencies between metadata objects.
a. In SAS Management Console, on the Folders tab, expand the Orion Star folder. Right-click
the Marketing Department folder and select Export SAS Package.
b. Accept the defaults and click Next. (You are not going to create this package,
so the location and options will not matter.)
c. Under the Data folder, select Orion Star Customers. The Dependencies tab identifies
the metadata objects on which the Orion Star Customers table depends.
d. Click the Used By tab. The Used By tab identifies the metadata objects that depend
on the Orion Star Customers table.
e. Click Cancel.
5. Using the List Objects Batch Tool
Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are stored
in the SAS Folders tree. You can filter the list based on criteria such as object name, object type,
folder location, creation date and time, modification date and time, keywords, notes, and responsible
user. You can create the list in text, comma-separated values (CSV), or XML format.
a. First, find the metadata object type for a stored process. In SAS Management Console, under
the Folders tab, navigate to System  Types. Right-click Stored process and select Properties.
Click the Advanced tab. Find the value for TypeName. This will be used for the type option
when using the batch tool.
b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list all
stored processes in the Orion Star  Marketing Department. How many objects were found?
For Linux Server

1. In mRemoteNG use the cd (change directory) command to navigate to
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools
2. List the contents of the directory.

3. Issue the following command: ./sas-list-objects -help
This displays the available options for this command.

4. Generate the list of stored processes with the following options:
./sas-list-objects -host sasserver.demo.sas.com -port 8561 -user Ahmed -password
“Student1” -folderTree “Orion Star/Marketing Department” -types StoredProcess
-format LIST
For Windows Server
1. Open the CMD window. It is under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework \9.4\tools.
2. Change the drive to D.
3. Use the cd (change directory) command to navigate to D:\Program

Files\SASHome\SASPlatformObjectFramework \9.4\tools.
4. Use the dir command to list the contents of the directory.
5. Issue the following command: sas-list-objects.exe –help


sas-list-objects.exe -host sasserver.demo.sas.com –port 8561 –user Ahmed –password
“Student1” –folderTree “Orion Star/Marketing Department” –types StoredProcess
–format LIST
6. (Optional) Using Relationship Reporting Tools

The sas-relationship-loader batch tool first scans folders and objects, retrieves their relationship
information, and loads the information into a database in the Web Infrastructure Platform Data Server.
Note: Effective with the third maintenance release for SAS 9.4, automatic loading of relationship
data is configured by default to execute on an hourly basis. The load process scans the SAS
Folders tree for content items that were created or modified since the last scheduled load
operation. Cleaning of relationship data is configured by default to execute daily at 11:00
p.m. The cleaning operation removes relationship information for objects that have been
deleted from your content repositories.
Secondly, the sas-relationship-reporter batch tool is used to read the database populated by the
Relationship Loader and report on the relationships between selected objects.
a. Automatic loading of relationship data is configured by default. Look at the configuration details
in SAS Management Console.
1) Open SAS Management Console and log on as Ahmed using the password Student1.
2) On the Plug-ins tab, select Application Management  Configuration Manager 
SAS Application Infrastructure  Web Infra Platform Services 9.4.
3) Under Web Infra Platform Services 9.4, right-click RelationshipContentService and select
Properties.
4) Select the Settings tab.

Is Scheduling for Load Task Enabled?
How often is the relationship data automatically loaded?
Is the cleaning of relationship data configured by default?
When and how often does this cleaning occur?
Note: The cleaning operation removes relationship information for objects that have been
Note: You can configure a different schedule for the loading and cleaning process here (or
set the schedule if you are using a release earlier than the third maintenance release).
If you make any schedule changes, you must restart the SAS Web Application Server.
5) Click Cancel to close the Properties window.

b. To report on the relationships, use the sas-relationship-reporter tool. To execute a standard report
on direct dependencies for objects in the /Orion Star/Marketing Department/Information
Maps folder:
For Linux Server
1. Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools.
./sas-relationship-reporter -host sasserver.demo.sas.com –port 7980 –user
sasadm@saspw –password Student1 –report directDependencies “/Orion
Star/Marketing Department/Information Maps”
Note: The relationship direction is noted with an arrow.
For Windows Server

1. Open the CMD windows under the Start Menu. Navigate to D:\Program
2. Issue the command:

sas-relationship-reporter.exe -host sasserver.demo.sas.com –port 80 –user
sasadm@saspw –password Student1 –report directDependencies “/Orion
c. To determine the impact of changing one table, create an impact report.
For Linux Server
./sas-relationship-reporter -host sasserver.demo.sas.com –port 7980 –user
sasadm@saspw –password Student1 –report impact “/Orion Star/Marketing
Department/Data/GOLDORDERS (Table)”
For Windows Server
1. Navigate to D:\Program Files\SASHome\SASPlatformObjectFramework \9.4\tools.

Issue the command:
2.
Note: If your environment is SAS 9.4 and prior to M3, you would first need to run the sas-
relationship-loader batch tool and load all relationships to the database before running
reports in steps b and c. See the solution 6d for an example of this.
7. (Optional) Using the BI Lineage Plug-in to Identify Connections between Objects

To generate lineage information, run a scan on a subset of folders. The scan examines reports
and information maps that are stored in the selected folders. It also identifies objects (regardless
of their locations in metadata) that are connected to those reports and information maps.
a. In SAS Management Console, on the Plug-ins tab, right-click BI Lineage and select New Scan.
b. Enter Orion Star Marketing Department Information Map Scan in the Name field.
Click Browse to navigate to Orion Star  Marketing Department  Information Maps.
Click OK  Next  Finish  Yes.
c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department  and
select Information Maps. These are the objects that were examined during the lineage scan.
d. Right-click Orion Star Gold Orders Cube and select Lineage.
Note: Lineage identifies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the folders that were selected for the scan.
e. Examine the contents of the Report and Graph tabs.
Note: The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.
There are two types of lineage results: high level and low level. High-level results illustrate
connections between high-level objects such as tables, reports, information maps, cubes,
and stored processes. Low-level results illustrate connections to other low-level objects such
as columns, hierarchies, or data items.
The results that you viewed in the last step are high-level results.
f. Click Cancel twice.
g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average Quantity
and select Low Level Lineage. Examine the Report and Graph tabs.
h. Click Cancel.
3.3 Implementing a SAS Metadata Server

Cluster
Objectives
• Explore how a metadata server cluster operates.
46
SAS Metadata Server Cluster
A metadata server cluster is a coordinated set of metadata servers that act as

a single metadata server for a SAS software deployment. Client applications
and users interact with the cluster in the same way that they would interact
with a metadata server that is not clustered.
Metadata Server Clustering • Provides redundancy and high availability of the

metadata server.
• Ensures that the server continues to operate
if a server host machine fails.
47
3.3 Implementing a SAS Metadata Server Cluster 3-37
For documentation about metadata server clustering, refer to SAS® 9.4 Intelligence Platform: System
Administration Guide.
SAS Metadata Server Cluster
A cluster is three or more metadata server nodes. Each node

• typically runs on a separate machine
• runs its own server process
• has a complete copy of all metadata
• has its own server configuration directory, configuration files, journal file,
and logs.
If you change a configuration file or start-up script that is associated with

the metadata server, be sure to make the identical changes on each
node in the cluster.
48
Each node also maintains a complete in-memory copy of the metadata repository.
Master Node and Slave Nodes
49
When a clustered metadata server is started, the nodes establish communication with one another. One
of the nodes becomes the master node that coordinates activity within the cluster. The other nodes are
considered slave nodes. A load-balancing process automatically distributes work among the slave nodes.
Maintaining Quorum in a Clustered Environment
For a cluster to operate, a quorum of nodes must be running. If a quorum

is not achieved, the server is paused to offline status. A quorum exists if
• in clusters with an odd number of nodes, more than one half of the nodes
are running
• in clusters with an even number of nodes, one half of the nodes are
running as long as the initially configured server is running.
50
Quorum Determination with an Odd Number of Nodes
Node 1 Node 2 Node 3 Quorum? Server (Cluster)

Status
Yes Online
Yes Online
No Offline
Yes Online
No Offline
Quorum Determination with an Even Number of Nodes
Node 1 (initially Node 2 Node 3 Node 4 Quorum? Server (Cluster)

configured server) Status
Yes Online
Yes Online
Yes Online
No Offline
Yes Online
No Offline
No Offline
How Clients Connect to a Metadata Server Cluster
51
...
A client application can connect to any of the three nodes. If a client application attempted to connect to
the master node, it would be redirected to a slave node.
In this example, the first client application connects to node 1, which is a slave node.
How Clients Connect to a Metadata Server Cluster
53
When the second client application attempts to connect to node1, it is redirected to one of the other slave
nodes (node 2 in this example) by a load-balancing process. Currently, the load-balancing algorithm
is a round-robin process.
After a client application is connected, it can never be redirected to another node. If the node fails,
the client must reconnect to another node.
Metadata Read Requests
54
...
Client applications request metadata from the slave node to which they are connected. If the request does
not require an update to metadata, the slave node executes the request using the metadata that is stored
on that node (or in memory). The other nodes are not aware and do not participate.
Metadata Update Requests
59
...
1. If the request requires an update to metadata, the slave node forwards the request to the master node.
2. The master node performs all of the needed preparation work before the metadata is updated,
including constraint checks and permission checks. After it is accepted, the master node creates
a journal entry in its journal and queues the update to its in-memory copy of the metadata.
3. The master node forwards the journal entry to the slave nodes. The slave nodes add the journal entry
to their individual journal files and queue the update to their in-memory copy of the metadata.
4. The slave node updates its in-memory copy of the metadata. When it completes the update, the slave
node responds to the client application that is connected to the slave node. Be aware that the other
slave nodes might not have performed the update to their in-memory metadata yet. If any read
requests come to the other slave nodes, they respond with consistent data without the pending
updates.
Slave Node Failure
60
...
If a slave node fails, it drops out of the cluster. The master node becomes aware that the slave node is
gone and no longer sends updates there. If quorum is maintained, load balancing uses only the remaining
slave nodes for new connections. When a slave node fails, in-flight transactions can fail.
If a client application is currently connected to a node that dies, the application automatically tries
to connect to another node.
Slave Node Failure
61
The client application reconnects to another slave node. The reconnection is either automatic
or the application prompts the user. Most applications have access to a list of nodes in the cluster.
For most applications, the list is updated automatically. On each machine that includes an object spawner,
a SAS/CONNECT spawner, or components of SAS Application Servers (such as workspace servers,
pooled workspace servers, OLAP servers, and stored process servers), you need to use the sas -update-
metadata-profile batch tool to update the metadata profiles.
Master Node Failure
62
...
If the master node fails, one of the slave nodes is promoted to the server when the master node
and the cluster resume operation.
Master Node Failure
63
When the master node goes away, the slave nodes go offline. The remaining nodes immediately establish
communication with each other and select a new master node. After a quorum is available, the cluster
comes back online.
Master Node Failure
64
In this particular example, a client application was connected to a node that became the master node.
Because connection redirects happen only at connection time, this client application is not redirected
and stays connected to the master node, which services its requests. The new master node does not accept
new connections.
Prerequisites for Cluster Configuration
All of the host machines in the cluster must have the same operating system
and meet the requirements to run a metadata server.
In addition, all of the servers in the cluster must do the following:
• use the same network path to access the metadata server backup location
• be started using a single user account
N ote: On a Windows Server, SAS Metadata Server service needs to be

changed over to a user account. It is currently running under System.
65
When setting up metadata server clustering, you must use a deployment plan that specifies a multiple-
machine deployment.
The single user account must be recognized by all of the machines that participate in the cluster.
Configuring a Metadata Server Cluster
To configure the cluster, do the following:
Step1: Configure the initial metadata server to use the network location for
backups and the service login account.
N ote: This can be done during the initial configuration of the
metadata server or you can modify an existing metadata
server.
Step 2: Install and configure additional metadata server nodes.
66
If you want to configure the initial metadata during the initial configuration, do the following
in the SAS Deployment Wizard:
 Override the default metadata server backup location and specify the network path to a backup location
that all of the nodes in the cluster can access.
 If necessary (for example, on Windows), specify the external account that is used to start the server
(service logon account).
To modify the configuration of an existing metadata server in preparation for clustering, do the following:
 Specify the network location for the metadata server backup path. You can use SAS Management
Console and select Metadata Manager  Metadata Utilities  Server Backup 
Backup Configuration.
 Ensure that the metadata server is started with an external account that is recognized
by all the machines that participate in the cluster. On the Windows system, follow these steps:
– Stop the metadata server.
– In the Windows Services Manager, open the properties of the SASMeta – Metadata Server service.
On the Log On tab, specify the appropriate external account.
– Start the metadata server.
Monitoring Clustered Metadata Servers
There are two ways to monitor clustered metadata servers:

67
SAS Management Console enables you to view the overall status of a metadata server cluster and to
individually monitor each node in the cluster.
 To view the overall status of the cluster: Expand the Metadata Manager plug-in. Right-click the
Active Server node and select Properties. Select the Cluster tab to see the overall status of the cluster
(including the presence or absence of a quorum) and the status of each of the nodes in the cluster.
 To view more detail about the individual nodes in a cluster: Navigate to Server Manager 
SASMeta  SASMeta - Logical Metadata Server. Expand SASMeta - Logical Metadata Server.
Each node appears on a separate line.
Select a node and connect to it.
Use the tabs on the right pane to view the node’s connections, clients, options, loggers, and log events.
Select Stop to stop only the selected node. Select Pause, Resume, Quiesce, or Validate. These actions
affect the entire cluster.
SAS Environment Manager supports monitoring of SAS metadata server clusters, effective with the
second maintenance release for SAS 9.4. To view status indicators and metrics for the cluster:
 On the Resources tab, select Platforms. In the list of platforms, select SAS 9.4 Application Server
Tier. Deployment-wide information is displayed at the top of the page, including the message
Metadata Clustered: Yes.
Select Monitor and then select a time period to display.
Select Indicators, and then scroll down to display Metadata Cluster Nodes Available, Metadata Cluster
Nodes Defined, Metadata Cluster Percent Available, and Metadata Cluster Quorum Available.
If quorum is not achieved in a metadata server clustered environment:
a. The foundation repository is set to read only

b. The server is paused to administration status
c. The server is paused to offline status
d. The server stays available
69
If the master node fails:
a. The remaining nodes go offline, establish communication with each

other and select a new master node.
b. One of the remaining nodes immediately performs a backup.
c. The server is paused to offline status until the SAS Administrator brings
the master node back online.
d. The metadata server takes itself out of the cluster.
71
3.4 Backing Up the SAS Metadata Server 3-49
3.4 Backing Up the SAS Metadata Server
Objectives
• Examine the best practices for backing up your SAS environment.

• Examine the automatic metadata backup schedule and backup
configuration.
• Use the metadata server backup facility to perform an ad hoc backup
and recovery.
74
Backing Up the SAS Platform
To ensure the integrity of the content that is created and managed by the
SAS platform, the following are recommended best practices:
• Always use the metadata server backup facility to back up the repository
manager and metadata repositories.
• Perform regularly scheduled full backups.
• Perform backups before and after major changes.
• Specify a reliable backup destination that is included in daily system
backups.
75
Note: In some situations, it might be appropriate to back up specific objects or folders in the metadata
folders (SAS Folders) tree. In these situations, you can use the promotion tools, which include
the Export SAS Package Wizard, the Import SAS Package Wizard, and the batch export and
import tools.
Suggested Approach for Synchronizing Metadata Backups with Physical Backups

 Back up the metadata server, the SAS Content Server, the SAS Web Infrastructure Platform Data
Server, and the physical files concurrently (that is, in the same backup window). One way to do this
is to use the Deployment Backup and Recovery tool.
 Back up the SAS Content Server, the SAS Web Infrastructure Platform Data Server, and the physical
files immediately after the metadata server is backed up, and do not allow clients to update metadata
while you are performing these backups. If you are running the backup on a batch basis (for example,
as part of a daily schedule), then you can do the following to implement this approach:
1. Write a program that uses PROC METAOPERATE to pause the metadata server to an Offline state.
See “Example of a PROC METAOPERATE Program That Pauses the Metadata Server to an
Offline State” in SAS® 9.4 Intelligence Platform: System Administration Guide, Third Edition.
You can use this program to pause the metadata server while you back up the SAS Content Server,
the SAS Web Infrastructure Platform Data Server, and associated physical data.
If you use operating system commands to back up the metadata server, then you can use this
program to pause the server before running the backup.
2. Write another program that resumes the metadata server to an Online state. See “Example
of a PROC METAOPERATE Program That Resumes the Metadata Server,” in SAS® 9.4
Intelligence Platform: System Administration Guide, Third Edition. You can use this program after
using operating system commands to back up the metadata server, or you can use it after backing up
the SAS Content Server, the SAS Web Infrastructure Platform Data Server, and associated physical
data.
 If you are running an ad hoc (unscheduled) backup and you need to also back up associated data, then
you can do the following to prevent clients from updating metadata while you are backing up the
associated data:
1. Use the metadata backup facility to back up the metadata server. Then immediately use
SAS Management Console to pause the metadata server. As an alternative, you can use
SAS Management Console to temporarily change the registered access mode of the repositories
to ReadOnly.
2. Back up the SAS Content Server, the SAS Web Infrastructure Platform Data Server,
and the physical data.
3. When you are finished backing up the SAS Content Server, the SAS Web Infrastructure Platform
Data Server, and the physical data, use SAS Management Console to resume the metadata server
(or to return the registered access mode of the repositories to Online).
Note: In addition, you should synchronize the backups with the backup of other physical files.
Back Up and Restore Tools
Formal, regularly scheduled backups are scheduled at deployment of your

SAS platform with these tools:
• Metadata Server Backup Facility in SAS Management Console
• SAS Backup Manager in SAS Environment Manager or Deployment Backup
and Recovery Tool
76
SAS Metadata Server Backup Facility
The metadata server backup facility automatically backs up these files:

• the metadata repositories
• the repository manager
• all of the files in the metadata server configuration directory
• the journal file
77
SAS Metadata Server Backup Facility
The metadata server includes a server-based facility that

• executes in a separate thread while the metadata server is running
• is configured by default to perform automatic scheduled backups
• can also be used to perform ad hoc
backups and roll-forward recovery
• can be managed from the Metadata
Manager plug-in.
78
Caution: If you use operating system commands to back up your metadata repositories and
metadata server instead of using the metadata server’s backup facility, then you must be
sure to pause the metadata server to an Offline state before you perform the backup. If the
metadata server is in an Online state or is paused to an Administration state, then the
backup files are not usable.
Note: You can use PROC METAOPERATE to pause the server to an Offline state before the backup
is taken and to resume the server to an Online state when the backup is complete.
The backup facility executes in a separate thread while the metadata server is running. Therefore,
the metadata server does not need to be paused during backups unless certain options are selected.
If journaling is disabled or if the Reorganize Repositories backup option is selected, the server is paused
for Read-Only use so that queries (but not updates) can continue to be processed.
In addition to running scheduled backups, the metadata server automatically backs itself up under certain
unscheduled situations. Unscheduled backups use the same server-based facility and the same
configuration options that are used for scheduled backups.
A backup is run automatically in the following situations:
 after the SAS Deployment Wizard configures a metadata server.
 after you complete a successful recovery of the metadata server.
 if you change the JOURNALTYPE option in the omaconfig.xml file to NONE or SINGLE (which
is not recommended), and later change the option back to ROLL_FORWARD. A metadata server
backup is run automatically when you restart the metadata server.
You can also run an ad hoc backup using the MetadataServer command or the backupServer.sas program.
Backups that are run using these methods use the same server-based backup facility and the same backup
options that are used for scheduled backups.
You can schedule a backup using the MetadataServer command or the backupServer.sas program. First,
disable the automatic backups in the Backup Schedule properties.
Caution: You cannot reorganize repositories when you run a backup with the MetadataServer
command or the backupServer.sas program.
Automatically Configured Backups
Backups are performed daily at 1:00 a.m.

server local time. On Mondays, the
Reorganize Repositories option is used.
Backups are stored in

/Lev1/SASMeta/MetadataServer/Backups.
Backups are retained for seven days. Each time a

backup is completed successfully, backup files that
are more than seven days old are deleted.
79
Note: If the backup is unsuccessful, no backups are deleted.

Note: If you do not want backups to be deleted automatically based on a retention policy, select 0 for
the Number of days to retain backups field in the Backup Configuration.
Note: In a metadata server clustered environment, a network accessible absolute path needs to be
specified.
To access the backup schedule, expand Metadata Manager  Metadata Utilities. Right-click
Server Backup and select Backup Schedule.
To access the backup configuration, expand Metadata Manager  Metadata Utilities. Right-click
Server Backup and select Backup Configuration.
Backup Location
By default, the metadata server backup facility writes backup files to the
Backups subdirectory of the metadata server’s configuration directory.
80
Within the backup location, each set of backup files (along with the associated journal file) is stored
in a directory whose name is based on the date and time that the backup is started.
Note: As a best practice, you should modify your backup configuration to specify a storage device
other than the device that is used to store the metadata repositories and server configuration
files. Specifying a separate device ensures that the backup files and their associated journal files
(including the most current journal file) are available in the event of a disk failure.
Note: Make sure that the Backups directory (or the backup destination that you specify) is included
in your regular system backups.
Backup Retention Policy and Backup History
Each time a successful backup is completed, previous backups that are older
than the specified number of days are deleted automatically. The backup
history automatically displays the offline status icon for deleted backups.
deleted backups
81
It is strongly recommended that you use operating system tools to copy backups to another location.
These copies are no longer under the control of the backup retention policy. In particular, it is a very
good idea to retain the backups that you did at critical times, such as the initial backup that you did after
configuration.
If you do not want backups to be deleted automatically based on a retention policy, select 0 for the
Number of days to retain backups field in the Backup Configuration. If you make this selection, you
need to delete files manually from the backup location on a regular basis to ensure disk space availability.
Note: The offline status icon ( ) is not displayed automatically for backups that you delete manually.
To update the status icon for a manually deleted backup, you must access the backup’s Properties
dialog box.
The check-mark icon means that the backup or recovery was successful. For backups, this icon also
means that the backup was determined to be valid the last time the files were checked. A backup
is considered valid if all of the files are present in the backup location, all of the files have the correct
universally unique identifier (GUID), and all of the filenames and file sizes are correct.
The x icon indicates that either the backup or recovery was not successful or the backup was successful,
but when the files were last checked, they were invalid.
Reorganize Repositories Option
When metadata is removed from a metadata repository, the record is

removed from both memory and disk. However, the disk space allocated for
the record remains in the data set.
When you use the Reorganize Repositories option as part of a backup, the
unused disk space from previously deleted records is reclaimed.
The Reorganize Repositories option should be used only during times

of little or no user activity. The metadata server is paused during the
reorganization process, and any update transactions that are issued
during this process fail.
82
The default backup schedule specifies a weekly reorganization. It is not necessary to reorganize
the repositories more frequently than once a week, except in extraordinary situations such as deletions
of a large amount of metadata. The repository reorganization process affects disk space only. It does not
affect the memory usage of the metadata server.
If the Reorganize Repositories option is selected, the backup process does the following:
 pauses the server, placing it in a READONLY state
 copies the metadata server files to the backup destination
 re-creates the repository data sets in place, which eliminates the unused disk space in the process
 resumes the server to an ONLINE state
Backing Up a Metadata Server Cluster
The metadata server facility backs up the node that is acting as the master
node.
• In the backup configuration for each node, make sure that you have
specified the same backup destination.
• Make sure that the backup destination is accessible to all of the nodes via
the same network path so that the backup occurs regardless of which node
is the master node.
• The Reorganize Repositories option is ignored.
83
The REORG backup option is ignored when you back up a server that was started with the clustering
option. However, you can use this option when you back up a single node that was started without
the clustering option.
To start a single node without the clustering option, use the following command:
For Linux Server
opt/sas/config/Lev1/SASMeta/MetadataServer/metadataserver.sh –startNoCluster
For Windows Server

D:\SAS\Config\Lev1\SASMeta\MetadataServer\metadataserver.bat –startNoCluster
The node starts as a single, non-clustered metadata server that is paused to the Administration state.
This action is useful when you want to perform one of the following administrative tasks on a node:
 perform a metadata server recovery
 back up the metadata server with the REORG option
 run the optimizeIMDB command option of the metadata server script
 run the Metadata Analyze and Repair tools (except for the Metadata Server Cluster Synchronization
tool, which runs on a server that has been started with clustering)
Caution: After you perform one of these functions, you must restart the node to place it in the
cluster mode as the master node. Then start the other nodes in the cluster. The master
node updates the other nodes with the new data from the recovery, REORG,
optimizeIMDB, or analyze and repair operation.
Recovering the Metadata Server
You can use the Metadata Manager plug-in to recover the metadata
repositories and repository manager.
You can choose to recover

the configuration files.
You can choose to apply updates

stored in the journal file.
84
Caution: If you need to recover an unresponsive metadata server, refer to “What to Do If the SAS
Metadata Server Is Unresponsive” in SAS 9.4 Intelligence Platform: System
The recovery facility provides safeguards to ensure the integrity of the backup files from which you are
recovering. The recovery operation checks that the backup directory contains the correct files and that
the files have the correct name and file sizes. In addition, each backup file contains a universally unique
identifier that is used to make sure that you are recovering files for the correct metadata server. If any
problems exist, the recovery is not started and a warning message is displayed.
During recovery operations, the metadata server is paused automatically to a RECOVERY state. The state
is similar to an OFFLINE state but more restrictive. After the recovery, the metadata server performs
an automatic backup. If the recovery is successful, the metadata server is returned to the state that it was
in before the recovery process.
Note: In the first maintenance release for SAS 9.4, the metadata server script includes a –recover
option. This option starts a server that is not currently running, and then restores the server’s
metadata repository from the most recent backup. The option provides an easy way to recover
a server or node that is unresponsive. The option does not provide roll-forward recovery, recovery
of configuration files, or recovery from a backup other than the most recent backup.
You can recover from a backup that is listed in the backup history pane.
You can also recover from backup files stored in an alternate network-accessible location.
Note: When recovering from a metadata backup, you replace all of the metadata with the backup copy.
If you might need to restore only a small portion of the metadata, use the Export Wizard
on a regular basis to create package files that include metadata and associated objects
if appropriate. If you then need to restore part or all of the package, use the Import Wizard.
The Export and Import Wizards’ functionality is also available in batch mode. Refer to SAS® 9.4
Intelligence Platform: System Administration Guide for details about how to use the promotion
tools, and the batch export and import tools in particular.
Recovering a Clustered Metadata Server
You can use the metadata server recovery facility only on a single metadata
server node.
Step 1: Stop all of the nodes in the cluster.
Step 2: Start one of the metadata server nodes with the - s tartNoCluster
option.
Step 3: Use the metadata server recovery facility on the single node.
Step 4: Restart the node and place it in cluster mode.
Step 5: Start all of the other nodes in the cluster.
85
Caution: Recovering configuration files from a backup is not recommended for clustered servers.
Backup up configuration files could contain node-specific paths or options.
After you recover the single node, the master node updates the other nodes with the new data from
the recovery operation.
If you use operating system commands to back up your metadata

repositories:
a. You must pause the metadata server to an Administration state.

b. The backup executes in a separate thread while the metadata server is
running.
c. You must pause the metadata server to an Offline state before you
perform the backup.
d. You must pause the metadata server for Read-Only use before you
perform the backup.
87
The metadata server backup facility automatically backs up:
a. Foundation repository, web infrastructure Platform Data Server, the

journal file.
b. Metadata repositories, metadata server configuration directory, Levn
directory, journal file.
c. Metadata repositories, journal file, metadata server, and web servers
configuration directories.
d. Metadata repositories, metadata server configuration directory, the
journal file.
89
Exercises
8. Exploring the Backup Schedule and Backup Configuration in SAS Management Console
a. In SAS Management Console, on the Plug-ins tab, expand Metadata Manager  Metadata
Utilities. Right-click Server Backup and select Backup Schedule.
When did the last automatic backup occur? Did it invoke the Reorganize Repositories option?
Click Cancel.
b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Backup Configuration. Where are the metadata server backups stored? And how many days of
backups are stored there?
Click Cancel.
c. Locate backup files.
For Linux Server
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.
For Windows Server

MetadataServer\Backups.
How many backup subdirectories are there in the Backups directory? Does this match the number
of usable backups in the backup history pane in SAS Management Console?
9. Performing an Ad Hoc Backup

a. Use the Metadata Manager to perform an ad hoc backup of the metadata. Provide a comment
when you are prompted.
b. Verify that the backup is marked with a green check mark in the backup history.
c. Verify that the backup directory was created and populated in the backup destination.
10. (Optional) Restoring the Metadata
a. On the Folders tab, create a new folder. Include the current time in the name of the folder.
Make a note of the current time.
b. Wait a few minutes and create another new folder. Include the current time in the name.
c. Delete the two new folders.
d. As a best practice, it is recommended that you pause the metadata server to the Administration
state before you perform a recovery. On the Plug-ins tab, expand Metadata Manager.
Right-click Active Server and select Pause  Administration. Provide a comment and
click OK.
e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click
the ad hoc backup that you created in the last exercise. Select Recover from this backup.
f. Provide comments for the backup history and for the server that you paused. Use the
ROLLFORWARD transaction option to restore the metadata from the last backup
to a time immediately after you created the first folder but before you created the second folder.
Was the backup successful?

In addition to the ad hoc backup and the restore, what else now appears in the backup history?
g. Resume the metadata server by expanding Metadata Manager. Right-click Active Server
and select Resume.
Switch to the Folders tab. Verify that only the first folder now appears on the Folder tab.
3.5 Backing Up the SAS Environment 3-63
3.5 Backing Up the SAS Environment
Objectives
• Explore the Deployment Backup and Recovery tool.

• Explore and use the Backup Manager in SAS Environment Manager.
93
Back Up and Restore Tools
Formal, regularly scheduled backups are scheduled at deployment of your

SAS platform with these tools:
• Metadata Server Backup Facility in SAS Management Console
• SAS Backup Manager in SAS Environment Manager or Deployment Backup
and Recovery Tool
94
The Deployment Backup and Recovery tool is the underlying software used for SAS Backup Manager in
SAS Environment Manager.
The SAS Deployment Agent must be running on each middle-tier and server-tier host machine. The
Deployment Backup and Recovery tool connects with the agent and automatically discovers the tiers in
your deployment and their installed components. New components in your deployment are detected
automatically and added to the backup. For example, the tool detects new instances of the SAS Web
Infrastructure Data Server and new databases that are managed by the server.
An alert email is generated if a backup or recovery is unsuccessful. By default, the email is sent to the
system administrator email address that was specified in the SAS Deployment Wizard. You can use either
SAS Backup Manager or the sas-update-backup-config command to specify different email addresses.
By default, backups on Windows systems are performed by the Local system account for the SAS
Deployment Agent. On UNIX, backups are performed by the SAS Installer user for each server and
middle-tier machine. A special user account to perform backups must be defined in the following
situations:
 If you have specified a central vault location and your environment includes one or more Windows
hosts
 If a clustered metadata server has been configured and your environment includes one or more
Windows hosts
What Is Backed Up?
• The Config Directories include the contents of the Data directories,

SASEnvironment directories, and server configuration directories for each
server on the SAS server tier. Additional directories can be included using
the command s a s-update-backup-config.
• By default, all of the databases are backed up that are managed by the SAS
Web Infrastructure Platform Data Server.
95
Note: For metadata server backups, the metadata server backup utility is used.
Note: If symbolic links in the configuration directories point to other locations, the referenced locations
are not backed up.
Note: Additional directories under SAS-configuration-directory/Levn can be included in the backup,

using the command sas-update-backup-config. If your deployment is not current with the third
maintenance release for SAS 9.4, then use the command sas-update-backup-config.
Note: If you need to exclude specific tiers, servers, databases, directories, or files from the backup, you
can do so by using the command sas-update-backup-config. You can also use the SAS Backup
Manager user interface to update the basic backup configuration. You cannot use the user
interface to define filters.
The SAS Content Server contains content that is associated with metadata objects including content for
the SAS Information Delivery Portal, report definition files, other supporting files for reports including
PDF files and images, and content for SAS solutions.
You can use the Deployment Backup and Recovery tool to back up the SAS Content Server.
Alternatively, if you are storing SAS Content Server content in the file system, you can back it up
as follows:
1. As a best practice, stop either the SAS Web Application Server or the SAS Content Server before
making the backup.
2. Use operating system commands or third-party tools to copy all of the files and subdirectories from
the following path:
SAS-configuration-directory/Lev1/AppData/SASContentServer/Repository
If you need to back up just a subset of the SAS Content Server, you can use the WebDAVDump
and WebDAVRestore utilities. For instructions, see SAS Usage Note 38667.
Deployment Backup and Recovery Tool
The Deployment Backup and Recovery tool consists of a variety of batch

commands that you can use to do the following:
• execute an ad hoc (unscheduled)
backup
• customize your backups
• display information such as the
current schedule, the current
configuration, and detailed
backup history
• perform a full or partial recovery
from one of the backups
96
The Deployment Backup and Recovery tool is a collection of commands that provides an integrated
method for backing up and recovering your SAS content across multiple tiers and machines. The tool is
installed on the middle tier as part of the SAS Web Infrastructure Platform. It connects with the SAS
Deployment Agent on each middle-tier and server-tier host machine.
SAS Backup Manager
SAS Backup Manager is a user interface, accessed in SAS Environment

Manager, that enables you to schedule, configure, monitor, and perform
integrated backups of your SAS content across multiple tiers and machines.
97
The SAS Backup Manager interface, which is new with the third maintenance release of SAS 9.4, enables
you to perform most of the functions of the Deployment Backup and Recovery tool. In previous SAS
releases, these functions were available only through batch commands.
Backup Schedule
By default, the Deployment Backup and Recovery tool runs automatically

each Sunday at 1:00 a.m.
Backup files are retained for a period of 30 days.
98
Coordination of Backups
The two backup tools provided by SAS coordinate their backup schedules to
avoid conflicts.
• The SAS Metadata Server Backup and Recovery Facility is scheduled to run
by default at 1:00 a.m. local machine time every day except Sunday.
• The SAS Deployment Backup and Recovery Tool performs a scheduled
backup each Sunday at 1:00 a.m. local machine time.
99
The backup schedules might be modified as appropriate for your deployment. However, be sure not to
schedule the Deployment Backup and Recovery tool to run at the same time as the stand-alone metadata
server backups. Also, if you schedule multiple backups per day, be sure to leave enough time for each
backup job to complete before the next scheduled backup starts.
Default Backup Location
All components, except for the metadata server, are backed up to the following
path on each host machine: SA S-configuration-directory/Lev1/Backup/Vault
The directory is created on each
machine the first time a backup
is executed.
100
By default, backup files are stored locally on the same machine where the backed up component is
located.
For metadata server backups, the tool uses the backup files that are created by the metadata server backup
utility. The tool copies these files to SAS-configuration-directory/Lev1/Backup/Vault on the metadata
server machine.
If metadata server clustering is configured, the files are copied to the initially configured metadata server.
Central Vault Locations
In addition, if you specify a central, network-accessible vault location, the

backups from each host machine are copied to that location following each
backup operation.
101
A central vault location is:

 required in clustered middle-tier environments
 highly recommended for multiple machine deployments
 highly recommended to avoid the loss of backup files in the event that a host machine fails.
The SAS Deployment Wizard enables you to specify a central vault location during the installation and
configuration process, if you have a homogeneous operating system environment. Otherwise, you can use
either SAS Backup Manager or the sas-update-backup-config command to specify a central vault
location. A homogeneous environment is one in which all of the host machines that are included in the
backup are in the same operating system family. For example, Solaris and HP-UX machines are both
considered to be in the UNIX operating system family.
Effective with the second maintenance release for SAS 9.4, the local backups are deleted from SAS-
configuration-directory/Lev1/Backup/Vault on each host machine after they are successfully copied. (The
original metadata server backups that were created by the metadata server backup utility are not deleted.)
Caution: Immediately after creating or modifying the central vault configuration, it is strongly
recommended that you perform a backup with either SAS Backup Manager or the
sas-backup command. You cannot recover using local backups after a central vault has
been defined.
Backup and Recovery Tool Architecture

T i e r 1: T i e r 2: T i e r 3:
L o c al storage L o c al storage L o c al storag e
M i d dle Tier M e tad ata Server Co mp u te Tier
M i d dle Tier M etadata S erver S A S App Server

c o mponents c o mponents c o mponents
Config Config L o cal
files L o cal files B ackup L o cal
f o r BRT Config
WIP DB B a c kup B a c kup
files
f o r BRT Metadata f o r BRT
Content
Server
SAS Deployment SAS Deployment SAS Deployment

Agent Agent Agent
SAS Backup and
Recovery Tool
/CentralBackupVault - S t ep 1
S h a red stora ge
/MetadataBackupByFacility - S t ep 2
102
Step 1:
1. A backup is created on each participating host machine and stored locally in /SAS-configuration-
directory/Lev1/Backup. This includes SAS components (Configuration files, WIP database, SAS
Content server repositories, custom directories), except for SAS Metadata Server content.
2. Metadata server content backup is getting created with SAS metadata Server Backup Utility and
stored in a location configured for this utility (on the diagram, this is /MetadataBackupByFacility in
a Shared storage). Local Backup history files are updated.
Step 2:
1. For non-metadata content, backup files are copied from local storage (/SAS-configuration-
directory/Lev1/Backup) to Central Backup Vault
2. For metadata content, backup files are copied from /MetadataBackupByFacility to Central Backup
Vault. Central Backup Vault Backup History file is updated.
Backup and Recovery Logs
The log file on the middle-tier machine reports errors and warnings about the tool:
SAS-config-directory /Lev1/Web/Logs/SASServer1_1/SASDeploymentBackup9.4.log
For backup, recovery, and purge operations, log files are created in the directories where local backups
are stored. The default location is:
SAS-config-directory/Lev1/Backup/Logs/<backup-ID>
Information about server-side activity: SAS-config-directory/Lev1/Backup/backupserver.log
By default, the SASDeploymentBackup9.4.log reports only errors and warnings. If you want to set
different logging levels, you can do so by editing SASDeploymentBackup-log4j.xml, which is located in
SAS-configuration-directory/Lev1/Web/Common/LogConfig/.
What Is Not Backed Up?
The Deployment Backup and Recovery Tool has the following limitations:
• Host machines on which the SAS Deployment Agent is not installed are
excluded from backups.
• The tool backs up only SAS content and configuration information. It does
not back up your SAS software.
• If you are using a third-party vendor database (instead of the SAS Web
Infrastructure Platform Data Server) for the SharedServices database, the
Deployment Backup and Recovery Tool cannot back it up.
• The tool does not back up the entire contents of your SAS configuration
directories, only Data directories, the SASEnvironment directories, and the
server configuration directories for each server on the SAS server tier.
103
To back up additional subdirectories under SAS-configuration-directory/Levn, add them with the

command sas-update-backup-config.
For commands that require input data, you supply the data using the JavaScript Object Notation (JSON)
format. Sample JSON files are provided in SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample.
What Needs to Be Backed Up
Files to Include How Often Tools to Back Up
SAS binaries and • After initial install Any tool that will clone the operating
associated files • After each hot fix, patch, and system, all applications, and home
maintenance update directory of the account used to
install SAS
SAS deployment files • After any change to the files SAS Deployment Backup and
• Daily Recovery Tool or SAS Environment
Manager
SAS application files • After any changes to the files Any tool
that cannot easily be
reproduced
• Daily
104
SAS Support for Disaster Recovery
Disaster recovery for a SAS deployment is usually based on cloning production

systems to back up hardware using system imaging or ghosting tools (Disk
Cloning or Disk Imaging) or other virtual machine (VM) cloning techniques.
• Backup machines must use the same hostnames as the production machines.
• Third-party applications and SAS customer data must be considered as part
of a disaster recovery plan.
• External systems and processes SAS uses or depends on must be considered.
• SAS data files must be closed before backing them up.
105
Disaster-recovery planning is important for any critical business system, including production systems
running the SAS Intelligence Platform and SAS solutions.
Because the implementation of the SAS Intelligence Platform and SAS solutions is often highly
customized and each customer can have different requirements for replicating SAS content, there is no
single tool or process that comprehensively meets all of the SAS disaster-recovery needs.
Note: Disaster recovery is not the same as high availability. Though both concepts are related to
business continuity, high availability is about providing undisrupted continuity of operations
whereas disaster recovery involves some amount of downtime, typically measured in days.
Batch Tool Commands
sas-backup Execute an ad hoc (unscheduled) deployment backup.
sas-status-backup Display status information for a particular backup or recovery operation.
sas-list-backups Display details about backups and recoveries that are recorded in backup history,
including backups that were purged due to the retention policy.
sas-display-backup Display details about a particular backup recorded in backup history.
sas-set-backup- Specify days and times that are to be added to the deployment backup schedule.
schedule
sas-set-backup- Display detailed information about the contents of a specific backup that was
source-content taken from a particular source on a particular host machine.
sas-list-backup- Display the deployment backup schedule that is currently in effect.

schedule
sas-remove-backup- Remove specified days and times from your deployment backup schedule.
schedule
sas-display-backup- List the configuration properties that are currently in effect for your deployment
config backups.
sas-update-backup- Update the backup configuration properties that are in effect for your
config deployment.
sas-update-backup- Specify custom directories that are to be backed up (in addition to the directories
config included by default). Each directory must be located under SAS-configuration-
directory/Levn on a host machine where the Deployment Backup and Recovery
tool is installed.
sas-recover-offline Perform a full or partial recovery when some of the resources in the deployment
are unavailable or have been taken offline to prevent user activity.
sas-display-recovery Display details about a particular recovery that was performed.
When submitting a deployment backup or recovery command, you must provide the following connection
options to log on to the SAS Web Application Server:
-host host-name Identifies the host machine for the SAS Web Server. If your deployment does
not include SAS Web Server, specify the host machine for the SAS Web
Application Server.
The option is required if the –profile option is not set.
-port port Specifies the port on which the SAS Web Server runs. If your deployment does
not include SAS Web Server, specify the port on which the SAS Web
Application Server runs.
The option is required if the –profile option is not set.
-user user-ID Specifies the user ID of an unrestricted user.

This option is required if the –profile option is not set.
-password password Specifies the password of the specified user.

This option is required if the –profile option is not set.
-protocol Specifies the communication protocol that is used by the specified host machine
HTTP|HTTPS and port. If the option is not specified, the default protocol (HTTP) is assumed.
You can specify this option either on the command line or in the file that is
specified in the –profile option.
-profile filename Specifies the name of a file that contains the host, port, user ID, and password
options. It can also contain the –protocol option. A sample profile file named
environment.properties is in the SAS-installation-
directory/SASPlatformObjectFramework/9.4/tools/admin/conf/sample.
Listing the Deployment Schedule and Using the Backup

Manager in SAS Environment Manager
This demonstration illustrates how to use a command to list the deployment schedule and locate the
Backup Manager in SAS Environment Manager.
1. The SAS Deployment Agent must be running on every machine that has a SAS deployment.
We will start the Agent using SAS Environment Manager. Open SAS Environment Manager if not
already open.
Note: You can also start the SAS Deployment Agent in the Operating System or it can be started in
SAS Deployment Manager.)
 For Windows Server use Window Services.
 For Linux Server the command is located in the SASHome directory: SASHome
Directory/SASDeploymentAgent/9.4. The command to start the agent is agent.sh start.
The command to check the status of the agent is agentadmin.sh stat up.
2. Sign in as Ahmed with password Student1.
3. Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
4. It is not currently up as seen by the Availability. Select Control.
5. Under Quick Control section, select Start from the drop down menu next to Control Action: and
click the arrow to the right.
6. Navigate to the location where the Deployment Backup tools are installed.
For Linux Server

Navigate to:
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin
For Windows Server
Open a command window and issue the following command:

cd D: \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
7. Run the sas-list-backup-schedule tool.
For Linux Server

1. ./sas-list-backup-schedule –help
2. ./sas-list-backup-schedule –host sasserver.demo.sas.com –port 7980 –user

sasadm@saspw –password Student1
For Windows Server
1. In the command window, issue this command: sas-list-backup-schedule.exe –help
2. sas-list-backup-schedule.exe –host sasserver.demo.sas.com –port 80 –user

8. Access Backup Manager in SAS Environment Manager.

Note: We are logged in as Ahmed. But to run an ad hoc backup, which you will do in the exercises,
you need to be logged in as sasadm@saspw in order for the SAS Web Infrastructure
Platform Data Server to be backup up.
9. Select Administration tab.
Note: For SAS 9.4 M3 release and prior you must maximize the Administration window.
Maximizing the window addresses Problem Note 56368: The SAS® Backup Manager module
in SAS® Environment Manager Administration does not open, even after several minutes.
10. Click the Side menu button in the SAS Environment Manager banner and select SAS Backup
Manager.
Note: The SAS Backup Manager takes several minutes to discover the assets in your deployment
that are available for backup.
11. Select Policy from the drop-down menu. The Policy page displays the following:
a. Diagram (Source View and Machine View) – displays a tree diagram of the currently defined
backup sources. To see a different view of the diagram:
 Click the Source View button in the toolbar to display a node for each backup source.
Under each backup source, a child node is displayed for each host machine for that source.
 Click the Machine View button in the toolbar to display a node for each host machine.
Under each machine, child nodes are displayed for the backup sources that are on the machine.
When a diagram is displayed, you can do the following:
 Zoom in or out by clicking the diagram to select it and then pressing the Ctrl key while
scrolling the mouse wheel.
 If parts of the diagram are not visible, drag the entire diagram right, left, upward, or
downward.
 Click a node to collapse its child nodes.
 Click the node again to expand it so that its child nodes reappear.
b. Configuration Details - displays details about the current backup configuration.
Note: You can also use the sas-display-backup-config command to display the backup policy.
Backup sources are discovered automatically. The sources are displayed in the Source View and
Machine View diagrams, and they are also listed at the bottom of the Configuration Details pane.
To view additional information about a source, click the Collapsed arrow ( ) to the left of the
source name. The following information is displayed:
 Host – the host name of the machine where the source is located.
 Included – indicates whether the source is currently included or excluded from backups.
This setting cannot be changed in the SAS Backup Manager user interface. To include or
exclude a backup source, use the command sas-update-backup-config.
 Operating System – the host name of the machine where the source is located.
 Configurable Path – the path to the configuration directory for this source. This field is not
applicable to all source types.
 SAS Config – the path to the Levn directory that is associated with this backup source.
 Includes and Excludes – lists any filters that are associated with this backup source. Filters are
applied using the batch commands via JSON files.
The source information is for display only. To filter physical data or add or remove tiers,
servers, or database instances from the backup configuration, use the sas-update-backup-
config command.
12. From the drop-down menu, select Schedule.

The Schedule page displays a row for each time of day that backups are scheduled to run. Check
marks in the columns indicate the scheduled days of the week for each time. By default, the SAS
Deployment Wizard schedules backups to be performed automatically each Sunday at 1:00 a.m.
You can modify this scheduled backup here by clicking the Add button or Edit button in the
toolbar.
For example, if you add a row, a new row is added to the schedule with the default time (1:00 a.m.)
and default day (Sunday) selected. In the new row, click the Time field. Use the time selector to
specify the additional backup start time and then click OK.
You can verify the updated backup schedule using the Deployment Backup and Recovery tool batch
command sas-list-backup-schedule.
Exercises
11. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents
The third maintenance release for SAS 9.4 includes SAS Backup Manager, an easy-to-use interface
for the Deployment Backup and Recovery tool. You can use SAS Backup Manager for the following
tasks:
 view backup and recovery history
 run an immediate (ad hoc) backup
 view the backup configuration
 modify the backup configuration (except backup filters and custom directories)
 view information about backup and recovery sources
 view and modify the backup schedule
In previous SAS 9.4 releases, these functions were available only through batch commands.
SAS Backup Manager can be accessed from the Administration tab of SAS Environment Manager.
a. Start the SAS Deployment Agent using SAS Environment Manager.
1) Open SAS Environment Manager . (Go to a web browser on the client machine and select
SAS Environment Manager from the Favorites bar or you can type in the following URL:
http://sasserver.demo.sas.com:7080 .) Sign in as sasadm@saspw with password Student1.
Note: In order to run a full backup, you must be logged in to SAS Environment Manager
as sasadm@saspw with the password Student1.
2) Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
3) Select Control.
4) Under Quick Control section, select Start from the drop down menu next to Control
Action: and click the arrow to the right.
Note: You can also start the SAS Deployment Agent in the Operating System, or it can be
started in SAS Deployment Manager.
b. Access Backup Manager in SAS Environment Manager.

1) Click the Administration tab in SAS Environment Manager. When the Administration page
appears, maximize the window.
2) Click the Side menu button in the SAS Environment Manager banner and select SAS
Backup Manager.
Note: The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available for backup.
The drop-down menu shows the following selections:
 History – view information about a particular backup or recovery
 Policy – view details of the current backup policy
 Schedule – view and modify the current backup schedule
Keep the current selection, History.
c. Run an unscheduled backup.
1) With History selected in the drop-down menu, select the Start Backup button in the upper
right of the SAS Backup Manager Window.
2) Provide a meaningful name and comment for the backup. The backup name must be unique.
Both the name and comment are optional and are recorded in backup history and displayed in
the backup’s Operation Details.
3) Select Start.
A notification is displayed when the backup starts and when it is completed.
4) To see the status of the backup on the History page, refresh your browser.
Note: Recoveries cannot be run from SAS Backup Manager. Instead, use the sas-recover-
offline command.
d. View the list of Sources. Click the backup to display the details. It might take a minute to load the
data.
The sources for the currently selected backup or recovery are listed in the right pane, below the
operation details. Items appear only as they complete. For example, you might see only the
Metadata Server at first after running the back up. (If you are viewing details for a recovery, only
the sources that were recovered are listed.)
The status icon next to each source indicates the status of its backup or recovery.
By default, the backup sources include the following:
 Metadata Server
 Content Server
 Config Directories
 Database
Note: Custom might also be listed. This means additional directories under SAS-configuration-
directory/Levn, as specified by the administrator, were backed up or recovered.
To view details about a particular backup or recovery source, click the Collapsed arrow ( ) to the
left of the source name. The following details are displayed:
 the host name of the machine where the source is located
 the status of the source’s backup or recovery
 the directory location of the source’s local backup files on the host machine
 the total size of the backup files for this source
 the directory location of the source’s configuration files
 the operating system of the source’s host machine
e. Select View Diagram from the lower right of the screen.

The diagram includes the following:
 The root node specifies the ID of the backup or recovery, which is based on the date and time
that the backup or recovery started (for example, 2015-02-01T03_13_01). For backups, the ID
is also the name of corresponding backup directory.
 Under the root node, a child node is displayed for each backup source that was included in the
backup or recovery. You can click a node to collapse its child nodes.
 Under each source node, a child node is displayed for each host machine for that source.
f. Hold the mouse pointer on a node to see the size of the files that were backed up or recovered.
g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
Infrastructure Platform Data Server 9.4 appears under the Database tree.
h. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part of
the node appear.
The green check mark in the bottom right of the node indicate its backup status. The green check
indicates that the backup or recovery was completed without errors or warnings.
i. Place your mouse pointer over each of the databases in the Web Infrastructure Platform Data
Server 9.4 node. Notice that many of the databases are relatively small in size.
j. Select Close to close the Backup Details window.

k. Find the location of the backup. Select History from the drop-down menu.
l. Click the Collapsed arrow ( ) to the left of the Content Server. The directory location of the
source’s local backup files on the host machine is under Backup Location.
m. Find this location on the server’s local file system. There is a directory for each of the sources
listed in Backup Manager.
For Linux Server
Navigate to /opt/sas/config/Lev1/Backup/Vault.
For Windows Server

Navigate to D: \sas\config\Lev1\Backup\Vault.
n. Click the Collapsed arrow ( ) to the left of the Metadata Server and examine the Backup
Location.
Why is this location different from the others?
Verify that the content for the Metadata Server backup specified by the Backup Manager is the
same as the metadataserver directory in the backup vault location.
12. Displaying the Backup Configuration Using Batch Tools
a. Navigate to the location where the Deployment Backup tools are installed.
For Linux Server

Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
For Windows Server
Open a command window, and issue the following command:

D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
b. Run the sas-display-backup-config tool.
For Linux Server
Issue the following command:

./sas-display-backup-config –host sasserver.demo.sas.com –port 7980 –user
For Windows Server

In the command window, issue the following command:
sas-display-backup-config.exe –host sasserver.demo.sas.com –port 80 –user
3.6 Solutions
1. Exploring Metadata Pointers in SAS Management Console and the Contents of the Metadata
Server Directory
a. On your client machine, log on to SAS Management Console as Ahmed with the password
Student1. (SAS Management Console is listed under the start menu.)
b. Where is all the metadata physically stored? Expand the Metadata Manager plug-in.
Select Active Server.
The metadata is stored in repositories. Most metadata is stored in the Foundation repository.
Every metadata server has exactly one Foundation repository.
c. Where is the Foundation repository physically located? Under Active Server, select Foundation.
The Foundation repository is a foundation-type repository. The repository path indicates where
the content of the Foundation repository is stored. It is a relative path.
3.6 Solutions 3-85
d. In what format is the metadata in the repository stored?
For Linux Server

Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/
MetadataRepositories/Foundation.
For Windows Server

MetadataServer\MetadataRepositories\Foundation.
The metadata is stored in specially formatted SAS data sets. You should never access these tables
directly. While the metadata server is running, these tables are locked. Any access (query, update,
and so on) to these must be done via the metadata server. If you do not use the metadata server
to access these tables, you risk corrupting the metadata.
Note: Metadata queries that are made using SAS applications, PROC METADATA, batch tools
for metadata management, or DATA step functions are processed by the metadata server.
2. Checking the Availability of the Metadata Server in SAS Environment Manager
In the SAS platform, the metadata server is the most critical component. It must always be running
and responsive. In this exercise, you check the availability and health of the metadata server.
a. Open Internet Explorer or Google Chrome on the client machine and select SAS Environment
Manager on the Favorites toolbar.
b. Sign in to SAS Environment Manager as Ahmed with the password Student1.
c. Click the Resources tab.

d. Click Servers. How many Servers are listed? Answers can vary.
e. Click sasserver.demo.sas.com SASMeta - SAS Metadata Server.

Note: You might need to go to the second page of server listings, by clicking the arrow at the
bottom right of the page.
Note: You can use the Search field and type in Metadata Server. Make sure All Server Types
is selected in the second field, and then select the to the far right.
3.6 Solutions 3-87
f. Look for the following metrics for a quick overview:

Availability
Server Health
g. If the metadata server is overusing virtual memory (too much page swapping), that could indicate
trouble, and might cause slow responses. Metrics that will be helpful are these:
Process Page Faults Per Minute
Time in Calls Per Minute
Not all metrics for this resource, the metadata server, are displayed by default, such as Time in
Calls Per Minute.
h. Select All Metrics in the drop-down list on the left to see a list of all the metrics for this resource.
(Currently Problem Metrics is displayed in the drop-down list.)
i. Add the Time in Calls Per Minute to the list of metrics displayed, by clicking the black arrow
next to the metric.
j. Move the Time in Calls Per Minute and Process Page Faults Per Minute to the top using the up
arrow to the right of the named metric.
k. Click Apply next to View: Update Default located above the Availability metric and to the right.
Note: You want to know how much the metadata server is having to use disk space because it
does not have enough memory available to it. Paging is when individual memory
segments, or pages, are moved to or from the swap area. When memory is low, portions
of a process are moved to use disk space as a temporary place to store information that it
would normally just hold in memory. This is called swapping to disk. When a process
needs to swap some data from disk to memory so that it can access the data in memory, a
page fault occurs. It is an event that occurs because the page of memory the process
wanted is currently not in memory; it is held on the swap file on the disk. Thus, when a
page fault occurs, the operating system knows that it needs to swap the data that the
process wants back into memory, and will swap some other existing data from memory to
the disk to free up the required memory so that there is room for the required page.
One of the metrics available from the OS that describes what a process does when it
enters this memory-constrained state is the number of page faults (swaps between disk
and memory) per period of time. We can see this metric for the process examined here,
the SAS metadata server.
You expect some degree of virtual memory swapping (page faults), which is normal, but
if you see a trend of increase over time, then you should probably investigate.
3.6 Solutions 3-89
l. The data for the past 8-hour time period is displayed. Change this to a 30-minute interval. Use the
Last (number)/(Unit) drop-down list to change the length of the time period displayed. Click OK.
(You can use the Previous Page/Next Page buttons to scroll through earlier time periods as well.)
m. Select the Metric Data button to display the data underlying the charts.
You see all of the metrics displayed here in a tabular table, whereas with the Indicators selected
there is only a subset showing, unless you add a metric to be displayed (step i).
Note: You can also click the chart icon next to an entry in the table to see a chart of that
metric. However, the chart is different from the indicator chart.
n. Select Alert.
o. Select Configure. How many alerts are configured? 7 How many alerts are active? 5
There are built-in alerts because Extended Monitoring has been enabled in this environment.
(Extending Monitoring is discussed in a later chapter.)
Note: Two alerts that might be useful are “Metadata Server ERROR message in log” and
“Metadata User Lockout.” If either of these alerts are fired, you might want to check the
logs for the metadata server to get more details about why these events are happening.
p. Click Metadata Time in Calls per Minute to look at the alert definition.
3. Searching for Resources in SAS Environment Manager

a. Click the Resources tab. You can search for resources within a resource category (Platforms,
Servers, Services, or groups).
1) Select a resource category, such as Servers.
3.6 Solutions 3-91
2) Type in a search string (for example, ‘config’) and Resource type (for example, ‘SAS Config
Level Dir’).
3) After selections are made, click the arrow to the right ( ).
b. Use the Search menu and the resource level selector to locate the following resources:
Servers
SAS Spawners (1 object and 1 connect spawner—search on the string “spawner”)
SAS OLAP Server
SAS Home Directory
SAS Config Level Directory
Services
Note: The SAS spawners, the metadata server, and OLAP server are at the Servers level in the
platform hierarchy. The SAS Application Server Tier is considered a Platform. The SAS
Logical workspace servers and SAS Logical stored process servers are at the Services
level in the platform hierarchy.
c. Open SAS Management Console and log on as Ahmed using the password Student1. Expand
Server Manager plug-in. The components above conform to the servers shown here.
4. Using the Export SAS Package Wizard to Examine Dependencies and Associations between
Metadata Objects
The Export SAS Package Wizard and Import SAS Package Wizard enable you to promote individual
metadata objects or groups of objects from one SAS deployment to another or from one folder
location to another within the same deployment. The wizards display the associations
and dependencies between metadata objects.
a. In SAS Management Console, on the Folders tab, expand the Orion Star folder. Right-click
the Marketing Department folder and select Export SAS Package.
b. Accept the defaults and click Next. (You are not going to create this package,
so the location and options will not matter.)
3.6 Solutions 3-93
c. Under the Data folder, select Orion Star Customers. The Dependencies tab identifies
the metadata objects on which the Orion Star Customers table depends.
d. Click the Used By tab. The Used By tab identifies the metadata objects that depend
on the Orion Star Customers table.
e. Click Cancel.
5. Using the List Objects Batch Tool

Use the List Objects batch tool (sas-list-objects) to create a list of metadata objects that are stored
in the SAS Folders tree. You can filter the list based on criteria such as object name, object type,
folder location, creation date and time, modification date and time, keywords, notes, and responsible
user. You can create the list in text, comma-separated values (CSV), or XML format.
a. First, find the metadata object type for a stored process. In SAS Management Console, under
the Folders tab, navigate to System  Types. Right-click Stored process and select Properties.
Click the Advanced tab. Find the value for TypeName. This will be used for the type option
when using the batch tool.
b. Navigate to the location of the SAS batch tools and run the sas-list-objects batch tool to list
all stored processes in the Orion Star  Marketing Department. How many objects were
found?
3.6 Solutions 3-95
For Linux Server

1. In mRemoteNG use the cd (change directory) command to navigate to
/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools
2. List the contents of the directory.
3. Issue the following command: ./sas-list-objects -help


./sas-list-objects -host sasserver.demo.sas.com -port 8561 -user Ahmed -password
-format LIST
For Windows Server
1. Open the CMD window. It is under the Start menu. Navigate to

D:\Program Files\SASHome\SASPlatformObjectFramework \9.4\tools.
2. Change the drive to D.
3. Use the cd (change directory) command to navigate to D:\Program

4. Use the dir command to list the contents of the directory.
5. Issue the following command: sas-list-objects.exe -help


sas-list-objects.exe -host sasserver.demo.sas.com -port 8561 -user Ahmed -password
-format LIST
6. (Optional) Using Relationship Reporting Tools

The sas-relationship-loader batch tool first scans folders and objects, retrieves their relationship
information, and loads the information into a database in the Web Infrastructure Platform Data Server.
Note: Effective with the third maintenance release for SAS 9.4, automatic loading of relationship
data is configured by default to execute on an hourly basis. The load process scans the SAS
Folders tree for content items that were created or modified since the last scheduled load
operation. Cleaning of relationship data is configured by default to execute daily at 11:00
p.m. The cleaning operation removes relationship information for objects that have been
Secondly, use the sas-relationship-reporter batch tool to read the database populated by the
Relationship Loader and report on the relationships between selected objects.
3.6 Solutions 3-97
a. Automatic loading of relationship data is configured by default. Look at the configuration details
in SAS Management Console.
1) Open SAS Management Console and log on as Ahmed using the password Student1.
2) On the Plug-ins tab, select Application Management  Configuration Manager 
SAS Application Infrastructure  Web Infra Platform Services 9.4.
3) Under Web Infra Platform Services 9.4, right-click RelationshipContentService and select
Properties.
4) Select the Settings tab.

Is Scheduling for Load Task Enabled? Yes
How often is the relationship data automatically loaded? Hourly
Is the cleaning of relationship data configured by default? Yes
When and how often does this cleaning occur? 11pm daily
Note: The cleaning operation removes relationship information for objects that have been
Note: You can configure a different schedule for the loading and cleaning process here (or
set the schedule if you are using a release earlier than the third maintenance release).
If you make any schedule changes, you must restart the SAS Web Application Server.
5) Click Cancel to close the Properties window.
3.6 Solutions 3-99
b. To report on the relationships, use the sas-relationship-reporter tool. To execute a standard

report on direct dependencies for objects in the /Orion Star/Marketing
Department/Information Maps folder:
For Linux Server

./sas-relationship-reporter -host sasserver.demo.sas.com -port 7980 -user
sasadm@saspw -password Student1 -report directDependencies “/Orion Star/Marketing
Department/Information Maps”
For Windows Server

1. Open the CMD windows from the Start Menu. Navigate to D:\Program
2. Issue the command:

sas-relationship-reporter.exe -host sasserver.demo.sas.com -port 80 -user
sasadm@saspw -password Student1 -report directDependencies “/Orion
c. To determine the impact of changing one table, create an impact report.
For Linux Server


./sas-relationship-reporter -host sasserver.demo.sas.com -port 7980 -user sasadm@saspw
-password Student1 -report impact “/Orion Star/Marketing
For Windows Server

Issue the command:
2.
Note: If your environment was SAS 9.4 but prior to M3, you would first need to run the sas -
relationship-loader batch tool first and load all relationships to the database before
running reports in steps b and c. The steps are below.
3.6 Solutions 3-101
d. The first time you run the Relationship Loader tool, consider specifying the -loadAll option so
that relationships will be loaded for all content objects in the SAS Folders tree. Doing so ensures
that the Relationship Reporter tool (sas-relationship-reporter) has all of the information that it
needs to produce accurate and complete reports.
For Linux Server
1. Use MRemote to navigate to

/opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
2. Issue the following command: sas-relationship-loader.exe -help

3. Issue the command with the following options:

sas-relationship-loader.exe -host sasserver.demo.sas.com -port 7980 -user sasadm@saspw
-password Student1 -loadAll
For Windows Server

1. Open the CMD window. (It is under the Start menu.) Navigate to D:\Program
Files\SASHome\SASPlatformObjectFramework \9.4\tools\admin.
2. Issue the following command: sas-relationship-loader.exe -help

3. Issue the command with the following options:

sas-relationship-loader.exe -host sasserver.demo.sas.com -port 80 -user sasadm@saspw -
password Student1 -loadAll
7. (Optional) Using the BI Lineage Plug-in to Identify Connections between Objects

To generate lineage information, run a scan on a subset of folders. The scan examines reports
and information maps that are stored in the selected folders. It also identifies objects (regardless
of their locations in metadata) that are connected to those reports and information maps.
a. In SAS Management Console, on the Plug-ins tab, right-click BI Lineage and select New Scan.
b. Enter Orion Star Marketing Department Information Map Scan in the Name field.
Click Browse to navigate to Orion Star  Marketing Department  Information Maps.
Click OK  Next  Finish  Yes.
3.6 Solutions 3-103
c. Under the BI Lineage plug-in, expand Orion Star Marketing Department Information Map
Scan  Information Maps  SAS Folders  Orion Star  Marketing Department  and
select Information Maps. These are the objects that were examined during the lineage scan.
d. Right-click Orion Star Gold Orders Cube and select Lineage.

Note: Lineage identifies all connected objects regardless of their locations in the metadata.
Reverse lineage includes only those objects in the folders that were selected for the scan.
e. Examine the contents of the Report and Graph tabs.

Note: The Report tab displays the connected objects in a hierarchical view. The Graph tab
displays the connected objects in a process flow view.
There are two types of lineage results: high level and low level. High-level results illustrate
connections between high-level objects such as tables, reports, information maps, cubes,
and stored processes. Low-level results illustrate connections to other low -level objects such
as columns, hierarchies, or data items.
The results that you viewed in the last step are high-level results.
f. Click Cancel.
3.6 Solutions 3-105
g. Right-click Orion Star Gold Orders Cube and select Properties. Right-click Average Quantity
and select Low Level Lineage. Examine the Report and Graph tabs.
h. Click Cancel.
8. Exploring the Backup Schedule and Backup Configuration in SAS Management Console
a. In SAS Management Console, on the Plug-ins tab, expand Metadata Manager 
Metadata Utilities. Right-click Server Backup and select Backup Schedule.
When did the last automatic backup occur? Did it invoke the Reorganize Repositories option?
Click Cancel.
b. Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Backup Configuration. Where are the metadata server backups stored? And how many days of
backups are stored there?
Click Cancel.
3.6 Solutions 3-107
c. Locate backup files.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups.
For Windows Server

MetadataServer\Backups.
How many backup subdirectories are there in the Backups directory? Does this match the number
of usable backups in the backup history pane in SAS Management Console?
9. Performing an Ad Hoc Backup

a. Use the Metadata Manager to perform an ad hoc backup of the metadata. Provide a comment
when prompted.
1) Expand Metadata Manager  Metadata Utilities. Right-click Server Backup and select
Run Backup Now.
2) Provide a comment for the backup history. Click OK.
3) Click OK.
b. Verify that the backup is marked with a green check mark in the backup history.
3.6 Solutions 3-109
c. Verify that the backup directory was created and populated in the backup destination.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer/Backups. Open the directory
created by the ad hoc backup.
For Windows Server
Use the Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer\Backups. Open the folder created by the
ad hoc backup.
10. (Optional) Restoring the Metadata

a. On the Folders tab, right-click SAS Folders and select New Folder. Include the current time
in the name of the folder. Make a note of the current time.
1) Enter Added Before Restore in the Name field. Click Finish.
2) Verify that the folder is now listed under SAS Folders.
b. Wait a few minutes and create another new folder. Include the current time in the name.
c. Delete the two new folders.

d. As a best practice, it is recommended that you pause the metadata server to the Administration
state before you perform a recovery. On the Plug-ins tab, expand Metadata Manager.
Right-click Active Server and select Pause  Administration. Provide a comment and
click OK.
e. Expand Metadata Manager  Metadata Utilities and select Server Backup. Right-click
the ad hoc backup created in the last exercise. Select Recover from this backup.
3.6 Solutions 3-111
f. Provide comments for the backup history and for the server that you paused. Use the
ROLLFORWARD option to restore the metadata from the last backup to a time immediately
after you created the first folder but before you created the second folder.
Click OK.
Was the backup successful? Yes

In addition to the ad hoc backup and the restore, what else now appears in the backup history?
A backup was automatically done immediately after the recovery.
g. Resume the metadata server by expanding Metadata Manager. Right-click Active Server and
select Resume.
Switch to the Folders tab. Verify that only the first folder now appears on the Folder tab.
11. Using Backup Manager to Run an Unscheduled Backup and View the Backup Contents
The third maintenance release for SAS 9.4 includes SAS Backup Manager, an easy-to-use interface
for the Deployment Backup and Recovery tool. You can use SAS Backup Manager for the following
tasks:
 view backup and recovery history
 run an immediate (ad hoc) backup
 view the backup configuration
 modify the backup configuration (except backup filters and custom directories)
 view information about backup and recovery sources
 view and modify the backup schedule
In previous SAS 9.4 releases, these functions were available only through batch commands.
SAS Backup Manager can be accessed from the Administration tab of SAS Environment Manager.
a. Start the SAS Deployment Agent using SAS Environment Manager.
1) Open SAS Environment Manager . (Go to a web browser on the client machine and select
SAS Environment Manager from the Favorites bar, or you can type in the following URL:
http://sasserver.demo.sas.com:7080 .) Sign in as sasadm@saspw with password Student1.
Note: In order to run a full backup, you must be logged in to SAS Environment Manager
as sasadm@saspw with the password Student1.
2) Go to Resources  Servers and select sasserver SAS Deployment Agent 1.0.
3.6 Solutions 3-113
3) Select Control.
4) Under Quick Control section, select Start from the drop down menu next to Control
Action: and click the arrow to the right.
Note:You can also start the SAS Deployment Agent in the Operating System, or it can be
started in SAS Deployment Manager.
b. Access Backup Manager in SAS Environment Manager.
1) Click the Administration tab in SAS Environment Manager. When the Administration page
appears, maximize the window.
2) Click the Side menu button in the SAS Environment Manager banner and select SAS
Backup Manager.
Note: The SAS Backup Manager takes several minutes to discover the assets in your
deployment that are available for backup.
Notice that the drop-down menu shows the following selections:
 History – view information about a particular backup or recovery
 Policy – view details of the current backup policy
 Schedule – view and modify the current backup schedule
Keep the current selection, History.

c. Run an unscheduled backup.
1) With History selected in the drop-down menu, select the Start Backup button in the upper
right of the SAS Backup Manager Window.
2) Provide a meaningful name and comment for the backup. The backup name must be unique.
Both the name and comment are optional and are recorded in backup history and are
displayed in the backup’s Operation Details.
3) Select Start.
A notification is displayed when the backup starts and when it is completed.
4) To see the status of the backup on the History page, refresh your browser.
Note: Recoveries cannot be run from SAS Backup Manager. Instead, use the sas-recover-
offline command.
3.6 Solutions 3-115
d. View the list of Sources. Click the backup to display the details. It might take a minute to load the
data.
The sources for the currently selected backup or recovery are listed in the right pane, below the
operation details. If you are viewing details for a recovery, only the sources that were recovered
are listed.
The status icon next to each source indicates the status of its backup or recovery.
By default, the backup sources include the following:
 Metadata Server
 Content Server
 Config Directories
 Database
Note: Custom might also be listed. This means additional directories under SAS-configuration-
directory/Levn, as specified by the administrator, were backed up or recovered.
To view details about a particular backup or recovery source, click the Collapsed arrow ( ) to the
left of the source name. The following details are displayed:
 the host name of the machine where the source is located
 the status of the source’s backup or recovery
 the directory location of the source’s local backup files on the host machine
 the total size of the backup files for this source
 the directory location of the source’s configuration files
 the operating system of the source’s host machine
e. Select View Diagram from the lower right of the screen.

The diagram includes the following:
 The root node specifies the ID of the backup or recovery, which is based on the date and time
that the backup or recovery started (for example, 2015-02-01T03_13_01). For backups, the ID
is also the name of corresponding backup directory.
 Under the root node, a child node is displayed for each backup source that was included in the
backup or recovery. You can click a node to collapse its child nodes.
 Under each source node, a child node is displayed for each host machine for that source.
3.6 Solutions 3-117
f. Hold the mouse pointer on a node to see the size of the files that were backed up or recovered.
g. Click the node sasserver.demo.sas.com under the Database node. The child node of Web
Infrastructure Platform Data Server 9.4 appears under the Database tree.
h. Click the node Web Infrastructure Platform Data Server 9.4. The databases that are a part of
the node appear.
The green check mark in the bottom right of the node indicate its backup status. The green check
indicates that the backup or recovery was completed without errors or warnings.
i. Place your mouse pointer over each of the databases in the Web Infrastructure Platform Data
Server 9.4 node. Notice that many of the databases are relatively small in size.
j. Select Close to close the Backup Details window.

k. Find the location of the backup. Select History from the drop-down menu.
l. Click the Collapsed arrow ( ) to the left of the Content Server. The directory location of the
source’s local backup files on the host machine is under Backup Location.
m. Find this location on the server’s local file system. There is a directory for each of the sources
listed in Backup Manager.
For Linux Server

Navigate to /opt/sas/config/Lev1/Backup/Vault.
For Windows Server
Navigate to D: \sas\config\Lev1\Backup\Vault.
3.6 Solutions 3-119
n. Click the Collapsed arrow ( ) to the left of the Metadata Server and examine the Backup
Location.
Why is this location different from the others? This is where the metadata server backups are
stored by default.
Verify that the content for the Metadata Server backup specified by the Backup Manager is the
same as the metadataserver directory in the backup vault location.
12. Displaying the Backup Configuration Using Batch Tools

a. Navigate to the location where the Deployment Backup tools are installed.
For Linux Server
Navigate to /opt/sas/SASHome/SASPlatformObjectFramework/9.4/tools/admin.
For Windows Server
Open a command window, and issue the following command:

D: cd \Program Files\SASHome\SASPlatformObjectFramework\9.4\tools\admin
b. Run the sas-display-backup-config tool.
For Linux Server

Issue the following command:
./sas-display-backup-config –host sasserver.demo.sas.com –port 7980 –user

For Windows Server
In the command window, issue the following command:

sas-display-backup-config.exe –host sasserver.demo.sas.com –port 80 –user
3.6 Solutions 3-121
By default, journaling is not enabled for the metadata server.
 True
 False
The SAS Deployment Wizard sets the value of JOURNALTYPE option to

ROLL_FORWARD, which creates a linear journal file that permanently stores
all transactions that have occurred since the most recent backup. The journal
file is written to the same location as the associated backup files. Each time a
new backup is executed, journaling stops and a new journal file is started in
the new backup location.
22
The Metadata Server knows the location of the Repository Manager because
it is specified in the following file:
a. sasv9_usermods.cfg
b. sasv9.cfg
c. omaconfig.xml
d. logconfig.xml
24
If quorum is not achieved in a metadata server clustered environment:
a. The foundation repository is set to read only

b. The server is paused to administration status
c. The server is paused to offline status
d. The server stays available
70
If the master node fails:
a. The remaining nodes go offline, establish communication with each

other and select a new master node.
b. One of the remaining nodes immediately performs a backup.
c. The server is paused to offline status until the SAS Administrator brings
the master node back online.
d. The metadata server takes itself out of the cluster.
72
3.6 Solutions 3-123
If you use operating system commands to back up your metadata

repositories:
a. You must pause the metadata server to an Administration state.

b. The backup executes in a separate thread while the metadata server is
running.
c. You must pause the metadata server to an Offline state before you
perform the backup.
d. You must pause the metadata server for Read-Only use before you
perform the backup.
88
The metadata server backup facility automatically backs up:
a. Foundation repository, web infrastructure Platform Data Server, the

journal file.
b. Metadata repositories, metadata server configuration directory, Levn
directory, journal file.
c. Metadata repositories, journal file, metadata server, and web servers
configuration directories.
d. Metadata repositories, metadata server configuration directory, the
journal file.
90
Chapter 4 Understanding Initial
Authentication and Administering
Users, Groups, and Roles
4.1 Exploring Initial Authentication to the Metadata Server ........................................... 4-3

Exercises............................................................................................................... 4-8
4.2 Administering Users and Groups ........................................................................... 4-13

Exercises............................................................................................................. 4-19
4.3 Using Import Macros ............................................................................................... 4-22

Exercises............................................................................................................. 4-32
4.4 Exploring Internal Accounts and Internal Authentication Mechanisms................. 4-35

Exercises............................................................................................................. 4-42
4.5 Administering Roles and Administrative Identities ................................................ 4-44

Exercises............................................................................................................. 4-50
4.6 Solutions ................................................................................................................. 4-53

Solutions to Student Activities (Polls/Quizzes) ........................................................... 4-98
4-2 Chapter 4 Understanding Initial Authentication and Administering Users, Groups, and Roles
4.1 Exploring Initial Authentication to the Metadata Server 4-3
4.1 Exploring Initial Authentication to the

Metadata Server
Objectives
• Explore initial authentication to the metadata server.
3
SAS 9.4 Authentication Mechanisms
Authentication is the process of verifying the identity of a person or process

for security purposes.
External • Host authentication

• Direct LDAP authentication
• Integrated Windows Authentication
• Web authentication
Internal • SAS internal authentication
• SAS token authentication
4
External authentication mechanisms integrate SAS into your computing environment.
SAS Metadata Server
SAS desktop applications connect to the metadata server using connection

profiles. A connection profile is a file stored on the user’s machine. It contains
the information necessary for connection to the metadata server.
S AS Information Map
S t udio
S A S Add-In for
M i crosoftOffice
Connection Profile Connection Profile
S A S Enterprise Guide
(ConfigurationV71.xml)
M etadata S erver
i (sasserver.swa)
S A S OLAP Cube Studio
S A S Management Console
W i n dows Applications J av a Applications
5
Web-based applications connect through the SAS Logon Manager, a web application that handles all
authentication requests for SAS web applications. As a result, users see the same sign-in page when they
access any of the SAS web applications.
Connection Profiles
Connection information is stored in different files for Java applications and

Windows applications.
Regardless, the connection information includes the metadata server host
name and port. By default, users have the option to save a user ID and
password in the profile.
6
The Connection Profile window enables a user to open an existing profile, edit an existing profile,
or create a new profile. Profiles are stored locally on the user’s machine:
C:\Users\Student\AppData\Roaming\SAS\MetadataServerProfiles. If there are no profiles on the
machine, the user is prompted to create one before logging on. In that location, Java applications have the
connection information in .swa files. Windows applications are in a file named ConfigurationV71.xml.
(The version might be different.)
Initial Connection to the SAS Metadata Server
SAS Management
Console 6
1
i
Metadata Server
4

Metadata
Repositories
2 3
Object
Spawner
Authentication Provider
13
1. Ahmed supplies these credentials to log on to the metadata server:

 user ID: Ahmed
 password: Student1
Note: An alternative to providing credentials is to use Integrated Windows Authentication.

2. The metadata server passes Ahmed’s credentials to its host authentication provider. By default,
the metadata server passes the credentials to its host. If the accounts are local, they are verified
by the host. The host can also be configured to pass the authentication request to LDAP
or Microsoft Active Directory.
3. The authentication provider verifies that the credentials are valid and returns the fully qualified
user ID (sasserver\Ahmed) to the metadata server.
Note: The authentication provider does not return the password to the metadata server.
Note: The form of the fully qualified user ID varies depending on the authentication provider.
For example, if the account is a UNIX account, the returned user ID is Ahmed.
4. The metadata server searches for the fully qualified user ID in the metadata repository (inbound
logon).
5. The metadata server determines which metadata identity owns the user ID. Based on the metadata
identity, the metadata server can determine what level of access Ahmed has to the metadata. Access
to the metadata server is set in the repository ACT (access control template). Only users with
ReadMetadata and WriteMetadata in the repository ACT, named Default ACT by default, are allowed
to connect to the metadata server.
6. The metadata server sends a credential handle to the application so that when the application requests
information from the metadata server, it can pass the handle. The metadata server then knows
the metadata identity of the user.
Initial Connection Using Integrated Windows

Authentication (IWA)
22
Integrated Windows Authentication (IWA)
1. The client asks Windows for a token that represents the user who is currently logged on to the client
computer.
2. Windows provides the token to the client.
3. The client sends the Windows token to the metadata server. Notice that only the token is sent. The
user's password is not available to the metadata server.
4. The metadata server sends the token back to Windows for verification.
5. Windows tells the metadata server that the token is valid.
6. The metadata server identifies the user and verifies that the user was granted access to the metadata
in the repository ACT.
7. The metadata server accepts the connection from the client.

Note: For initial connection to the metadata server, this represents the verification phase.
The identification phase is essentially the same in all authentication models. After
verification, the authenticated token includes the user ID. The metadata server searches its
logons for a match. An inbound logon is still required.
Note: There are limitations to IWA for servers on UNIX. In order to use IWA on UNIX platforms:
 For the first maintenance release for SAS 9.4 on all platforms, you must purchase, install,
and configure an additional third-party product (Quest Authentication Services 4.0).
 For the second maintenance release for SAS 9.4 on Linux platforms, you must ensure that
a shared library that implements the GSSAPI with Kerberos 5 extensions is installed and
configured to allow authentication against your Active Directory domain or Kerberos
realm. Quest Authentication Services fulfills this requirement, as do the krb5 packages
provided in supported operating system distributions and in various third-party solutions.
 When you use IWA on UNIX, only Kerberos connections are supported. (There is no
support for NTLM on UNIX.) If you use IWA for a UNIX workspace server that makes
outbound Kerberos requests, the service principal account in Active Directory must have
the trusted for delegation to all services privilege.
For additional information about Integrated Windows Authentication, refer to SAS® 9.4 Platform
Intelligence: Security Administration Guide.
Exercises
1. Exploring the Initial Connection to the Metadata Server

This exercise demonstrates the initial authentication process to the metadata server.
a. On the client machine, select Start  All Programs  SAS  SAS Enterprise Guide 7.1.
Close the Welcome to SAS Enterprise Guide window. Place the pointer on the words My Server
in the lower right of the application interface. Who is logged in?
b. Click My Server. With the My Server profile highlighted, click Modify.

c. Clear the Save login in profile check box.
d. Delete Jacques as the user and enter sas. Delete the asterisks for the password and enter Student1.
Note: This is the SAS install account, but this account is not linked to a metadata identity.
e. Click Save.
f. Click Yes to continue.
g. Click Close.
h. An Error window appears. Click Show Details. How is SAS identified by the metadata server?
Note: At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
through the Repository ACT. The authorization layer of the SAS environment is
discussed in a later chapter.
i. Click Close.
j. Click Modify to change the login back to Jacques. You can choose to select Save login in profile.
k. Click Save. Click Set Active. Click Close.
l. Use SAS Environment Manager or SAS Management Console to look at the properties of Jacques.
1) Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
2) On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the
Password field. Click SIGN IN.
3) Click the Administration tab, which opens in another browser.

4) Click the Side menu button in the upper left of the page.
5) Select Users.
6) Click to bring up a drop-down list on which you can filter. Select User.
7) Double-click Jacques to see the metadata definition.

8) Click the drop-down arrow next to Basic Properties and select Accounts to see the ID that is
used and stored with the metadata identity for initial authentication to the metadata server.
9) Click Close in the upper right to close out of the metadata properties for Jacques.
1) Start SAS Management Console, if it is not already open. (Select Start  All Programs 
SAS  SAS Management Console 9.4.) If you are already logged on, go to step 4.
2) In the Connection Profile window, click OK.

3) When prompted, enter Ahmed in the User ID field and Student1 in the Password field.
Click OK.
4) After you are connected, you can see the name of the user logged on, the machine that hosts
the metadata server, and the port in the lower right corner of SAS Management Console.
Note: Ahmed is an unrestricted user of the metadata.

5) Click the Plug-ins tab and select the User Manager plug-in. The User Manager plug-in is
where SAS identities are viewed, created, and modified. SAS metadata identities can be an
individual user or a group. Metadata roles are also listed in this plug-in. Most SAS identities
have stored, external IDs as part of their metadata definitions. The external IDs are used for
authentication to the SAS Metadata Server. The identities use these credentials when logging
on to SAS applications, such as SAS Enterprise Guide, SAS Web Report Studio, or SAS
Information Delivery Portal.
Note: You can deselect the Show Groups and Show Roles options to see only a list of
users.
Note: You can use the Options dialog box in the User Manager plug-in to change your
default view from View All to Search. This becomes your default view. This is useful
if you have many user identities.
6) Right-click Jacques and select Properties.
7) Go to the Accounts tab to see the ID that is used for initial authentication to the metadata
server.
8) Click Cancel.
2. Exploring Connection Profiles
Connection profiles are stored in files on the user’s desktop, but stored passwords are encrypted.
Examine an existing connection profile.
a. On the client machine, use Windows Explorer to navigate to
C:\Users\student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents
of ConfigurationV71.xml, using a text editor such as Notepad.
What is the value of SaveLogin?
Note: If the AppData folder is hidden, you can enter the path into Windows Explorer or unhide
the folder. To unhide it, in Windows Explorer, select Organize  Folder  Search
options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box.
Click OK.
b. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter the
following code:
proc pwencode in="Student1";
run;
c. Click Run.
d. On the Log tab, locate the value that begins with {sas002}. Does the value match the password
value in the ConfigurationV71.xml file?
Note: A password string beginning with {sas002} is encoded using the SAS Proprietary
algorithm.
e. Close SAS Enterprise Guide.

f. View the metadata server log. Verify the SAS Enterprise Guide initial connection to the metadata
server.
1) Open the most recent metadata server log.
For Linux Server
/opt/sas/config/Lev1/SASMeta/MetadataServer/Logs
For Windows Server
D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs
2) Scroll down closer to the bottom and look for the name of the user ID that was used to log
on to SAS Enterprise Guide. (Otherwise, you can simplify the search by using the Find tool
for the name. Hold down the Ctrl key and press F.)
3. Exploring the omaconfig.xml File
The omaconfig.xml file is the start-up file for the SAS Metadata Server. You can specify changes
to standard features of the SAS Metadata Server, the repository manager, and policies related to
internal users in this file.
a. Open the omaconfig.xml file.
For Linux Server
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer.
For Windows Server

Use Windows Explorer to navigate to
D:\SAS\Config\Lev1\SASMeta\MetadataServer.
b. What is the setting in this file that governs saving a password in a connection profile?
Note: For a few solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client-side connection
profiles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate to
Application Management  Configuration Manager  SAS Application
Infrastructure. Right-click and select Properties  Settings  Policies Allow client
password storage.
c. What is the default value? What other values are possible?
Note: To find the possible values, go to support.sas.com and search Reference Information
for omaconfig.xml.
d. If you make changes to this file, what steps need to be performed?
4.01 Poll
An alternative to using credentials is to use Integrated Windows

Authentication.
 True
 False
25
If you make changes to the omaconfig.xml file what would you need to do to
ensure the changes are in effect:
a. Nothing
b. Make sure no users are connected to the metadata server
c. Pause the metadata server
d. Restart the metadata server
27
4.2 Administer ing Users and Groups 4-13
A SAS user cannot log on to SAS Enterprise Guide. Here is the message that
is received:
What is the problem?
a. The user does not have an LDAP account.

b. The user is using an internal account and therefore cannot be
authenticated to the host.
c. The user does not have a SAS identity, or her SAS identity does not
have the correct fully qualified ID in her identity definition.
d. There is no group called PUBLIC in metadata.
29
4.2 Administering Users and Groups
Objectives
• Explore user and group identities.

• Understand predefined groups: PUBLIC and SASUSERS.
• Review users, groups and authentication.
• Review identity hierarchy.
32
Registering Users
For accountability, each person who uses the SAS environment should have
an individual SAS metadata identity.
Users
This allows
• control over a user’s access to metadata resources
Ellen
• control over a user’s access to application features Henri
• the ability to audit individual actions in the metadata layer

• access for each user to a personal folder in the repository.
33
In order to make access distinctions and track user activity, a security system must know who is making
each request.
Registering Users
A user’s metadata identity includes a copy of the external account that the
user uses to log on to SAS applications.
34
In the platform, the primary user administration task is to store each user’s external account ID in the SAS
metadata. All of a user’s metadata-layer memberships, permissions, and capabilities are ultimately tied to
the user’s SAS identity.
Note: It is not necessary to store passwords in the SAS metadata for the purpose of identifying a user.
SAS identity is determined by examining stored user IDs, not by examining stored passwords.
Unique Names and IDs
The metadata server enforces certain identity-related constraints.

• You cannot create a user definition that has the same name as an existing
user definition.
• You cannot assign the same fully qualified external account to two different
identities.
35
Caution: Do not use spaces or special characters in the name of a user, group, or role.
Not all components support spaces and special characters in identity names.
Note: In SAS 9.4, you cannot change the name of an existing user, group, or role in SAS Management
Console.
All of the logons that include a particular ID must be owned by the same identity. This requirement
enables the metadata server to resolve each ID to a single identity. This requirement is case insensitive
and applies to the fully qualified form of the ID.
To enable multiple users to share an account, store the credentials for that account in a logon as part
of a group definition. Then add the users who share the account as members of that group definition.
If you give a user two logons that contain the same ID, the logons must be associated with different
authentication domains. Authentication domains are discussed later in this chapter.
Group Identities
For administration and ease of maintenance and accountability, you should

create group identities.
Groups can be used to do the following:
• assign permissions
• share credentials Groups
• populate roles
Sales
Marketing
36
Predefined Groups in Metadata
The following groups are predefined:
PUBLIC Group with implicit membership

P UBLIC
that includes everyone who can
access the metadata server
SASUSERS Group with implicit membership SASUSERS
that includes the members of the
PUBLIC group who have an
individual metadata identity
37
Initial Connection to the SAS Metadata Server
Only the verification phase varies; the SAS identity phase is always the same.
You need a well-formed user definition for each user who is not a PUBLIC-only
identity.
P U BLIC
V erification phase
S A S USERS
Id entification phase
38
Users, Groups, and Authentication
All of a user's metadata-layer memberships, permissions, and capabilities are

ultimately tied to the user's SAS identity. For example:
PUBLIC
Implicit memberships
Generic SAS identity SASUSERS
No SAS identity PUBLIC Marketing
Direct membership
Susan
Bill
Jacques Individual SAS identity
User account? User account?
User account? User definition? User definition?
39
Identity Hierarchy
All of a user’s group memberships are part of the user’s identity.
S el f S el f
P UB LIC
HR R ep ort
C reator
S A S US ERS S A S US ERS
F i n ance
P UB LIC P UB LIC
40
Creating Users and Groups
Here are two ways to define user and group identities:

• manually, using the User Manager plug-in in SAS Management Console
or in SAS Environment Manager Administration
• using the user import macros supplied by SAS to import identity
information from an authentication provider
41
There are other programmatic methods that can be used to create metadata identities.
Exercises
4. Adding a User Manually into Metadata

Add Ben to metadata. Use SAS Environment Manager Administration or the User Manager plug-in in
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar. On the
Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password field.
Click SIGN IN.
b. Click the Administration tab, which opens in another browser.
c. Click the Side menu button in the upper left of the page.
d. Select Users.
e. Click the New user/group button located in the upper right toolbar.
f. Select New User. Enter the name Ben and click Save.
g. Add the following information under the appropriate drop-down menu categories:
Note: Use the Add button to add information for each property.
Note: Be sure to save your changes by clicking the Save button in the upper right toolbar
after every entry that you make. An asterisk to the left of the drop-down menu property is
shown if the values have not been saved.
Basic Properties:
Name Ben
Display Name Ben
Job Title Power User
External Identities:
External Identity Context IdentityImport
External Identity Identifier P110
Accounts:
 Windows server: sasserver\Ben
Account User ID
 Linux server: Ben
DefaultAuth
Account Authentication Domain
Contact Information:
Email Type Business
Email Address ben@example.com
Phone Type Office
Phone Number +19196775555
Address Type Office
Street 123 Orion Star Boulevard
City Cary
State/Province NC
ZIP/Postal Code 27513
Country USA
Member of:
Finance
Group
h. Save your changes by clicking the Save button in the upper right toolbar.
a. Right-click the User Manager plug-in and select New  User.

b. Add the following information:
Name Ben
Display Name Ben
E-mail Type Business
E-mail Address ben@example.com
Phone Type Office
Address Type Office
City Cary
State/Province NC
Country USA
Group Finance
Account User ID
Account Authentication Domain DefaultAuth
5. Using SAS Environment Manager Administration to View Identity Hierarchy

a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
b. On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password
field. Click SIGN IN.
c. Click the Administration tab, which opens in another browser.

d. Click the Side menu button in the upper left of the page.
e. Select Users.
f. Click to bring up a drop-down list on which you can filter. Select User.
g. Right-click Eric and select Open to see the metadata definition.

h. From the drop-down menu, select Member of.
Which groups is Eric directly a member of?
Which groups is Eric indirectly a member of?
Which groups is Eric implicitly a member of?
i. Click Close in the upper right to close out of the metadata properties for Eric.
In the identification phase of authentication, the metadata server searches

for the following in the metadata repository:
a. Fully qualified user ID

b. Authentication domain, fully qualified user ID, password
c. Fully qualified user ID and password
d. The user’s password only
44
4.3 Using Import Macros
Objectives
• Import user and group information from an authentication provider into

metadata.
47
4.3 Using Import Macros 4-23
Importing User and Group Identities
The user import macros enable the batch import and synchronization of user
and group identity information from a provider such as LDAP into the SAS
metadata.
This process follows these general steps:
• Extract information from your authentication provider.
• Extract information from the SAS metadata.
• Compare the sets of tables and identify additions and updates that need
to be made to the metadata.
• Validate the changes.
• Load the updates into the metadata.
48
User Import Macros
1. So urce specific extraction code extracts

information from the authentication provider.
% MD UIMPC creates the canonical tables.
2. % MD UEXTR extracts information from the
SAS metadata.
3. % MD UCMP compares the two sets of tables
and identifies updates that need to be made
to the metadata
4. % MD UCHGV validates the changes to make
sure that they will not violate the metadata
server's integrity constraints.
5. % MD UCHGLB loads the updates into the
metadata. 49
The synchronization process performs two extractions (one from your authentication provider and another
from the SAS metadata) and then loads updates into the metadata.
Canonical tables define the standard attributes and associations for identity metadata objects. A canonical
table is a table with a fixed, predefined structure constructed to hold user and group information.
Caution: Back up the metadata before synchronizing user or group information.
Data Extracted from AD/LDAP
• Keyid must be
unique and
unchanging.
• Tables and columns
must be present but
do not all have to be
used.
In the metadata, the

keyid value is stored
as an external identity.
50
The keyids in the person table (users), idgrps table (groups and roles), and authdomain table
(authentication domains) tie each of those primary objects to its related information.
In the metadata, the keyid value is stored as an external identity. For each keyid column, use a fixed,
enterprise-wide identifier. For example:
 In the person table, consider using an employee identification number, user ID, or saMAcountName (a
default schema for AD).
 In the idgrps table, consider using group names (or LDAP Distinguished Names).
 In the authdomain table, consider using authentication domain names.
The authentication domain name can serve as the keyid because the metadata server enforces uniqueness
across authentication domain names.
External Identities
An external identity is a value used to map the user information in the SAS
metadata to the information from the authentication provider.
An external identity
• must be unique to each user or group and unchanging
• must exist as a field in the user or group information
in the authentication provider and in the SAS metadata
• is used during the synchronization process to compare information stored
in metadata to information from the authentication provider.
Example: An employee account name or employee ID is often used as
the external identity value.
51
If you need to perform periodic synchronization and want existing users and groups that you created
manually to be included in the process, add the appropriate external identity value to the user or group
metadata identity.
Import Identities into Metadata
Two sets of sample code are provided, i m portad.sas and i m portpw.sas.

This code can be modified to meet a sites’ requirements. Modifications are
likely required to do the following:
• supply connection information to the metadata server
• supply connection parameters for the Active Directory (AD) server
containing the user and group information
• provide the unique keyid
• filter the users or groups returned
52
Linux Server
sample programs:
/opt/sas/SASHome/SASFoundation/9.4/samples/base
import macros:
/opt/sas/SASHome/SASFoundation/9.4/sasautos
Windows Server
sample programs:
D:\Program Files\SASHome\SASFoundation\9.4\core\samples
import macros:
D:\Program Files\SASHome\SASFoundation\9.4\core\sasmacro
The usage of these import macros is well documented under “User Import Macros” in the appendix of
®
SAS 9.4 Intelligence Platform Security Administration Guide.
IMPORTAD.SAS Program
Connection parameters
for the Active Directory
Server include the
following:
• host
• port
• baseDN
user search
group search
• user
• password
53
Here is some information about this code:

 It uses the SAS interface to LDAP (the LDAP CALL Routine interface) to extract information from
Active Directory.
 It references standard Active Directory schemas to identify user and group attributes. If your site has
extended the standard schema, you might need to make changes in section 3 to reference additional or
alternate attributes.
 It uses filters to segment retrieval. It might be necessary to alter the filters to better fit the contents of
your Active Directory server. The filters are defined in sections 3 of the code (user extraction) and
section 4 (group extraction).
 It will not import membership information for a group that has more than 1500 members.
Additional macro variables that you will change for each environment:
Macro variable Purpose Notes
Keyidvar External identity value for each LDAP attribute that contains a unique and
metadata user that this program unchanging value for each user.
creates
MetadataAuthDomain SAS Authentication Domain Usually, DefaultAuth
WindowsDomain Enables construction of a qualified Prepended to each extracted user ID to yield

user ID in each login that this qualified IDs in the form supplied-
program creates value\user ID
ADExtIDTag A label for all metadata items that Used in the Context field of the external
this program creates identity in metadata
Distinguished Name Search
Active Directory and LDAP reference objects by

their “distinguished name.” The import macros
accept distinguished name parameters as the
location in the tree to start searching for users
and groups to import.
Distinguished Name:
Made up of attribute value pairs
Organizational Unit (OU)=US

Domain Component (DC)=na , SAS, com
OU=US,DC=na,DC=SAS,DC=com
54
In the example, we are searching from the base distinguished name DC=na, DC=SAS, DC=com, starting
at the organizational unit US.
You can use a free LDAP/AD browser to view the hierarchy and identify the required values.
Softera LDAP Browser: http://www.ldapadministrator.com/download.htm
Filtering on Distinguished Name
The program calls two in-line macros to do the import. Before the call, you
can filter which users or groups to import. The filters are built in the LDAP
query syntax.
filter="&(region=OH)
Filter on any attribute defined
(employeeID=*)) "; for a user: Only users in the
%ldapextrpersons Ohio region that have an
employee ID.
filter="(&(&(displayName>=A)
(displayName<=C)) The sample code calls the
(employeeID=*) )"; macro multiple times for a
%ldapextrpersons range of users each time.
55
Useful article on LDAP queries:
https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
Imported Identity
Identity information is synchronized from the external provider.

All users and groups participating in
synchronization have an external identity.
ADExtIDTag Keyid
56
Importing from LDAP/Active Directory
Identifying groups and users to import requires coordination with LDAP

or AD administrator in order to identify
• users and groups to synchronize
• users and groups who will not be synchronized
• (potentially) the creation of new groups to support the synchronization
process.
57
Exercises
6. Loading Users and Groups with User Import Macros

a. On the client machine, use SAS Management Console to perform an ad hoc backup.
1) Log on to SAS Management Console as Ahmed using the Student1 password.
Run Backup Now.
3) Provide a comment for the backup history and click OK.
4) Click OK when the backup is complete.
b. Create the following folders on the server:
For Linux Server

/opt/sas/Workshop/spaft/Metids
/opt/sas/Workshop/spaft/Updates
/opt/sas/Workshop/spaft/Extids
Note: You can also run the makedir.sh located in the same directory to create the
folders.
For Windows Server
D:\Workshop\spaft\Metids
D:\Workshop\spaft\Updates
D:\Workshop\spaft\Extids
Note: You can also run makefolders.bat in the same directory to create the folders.
c. Make sure that permissions are set on these directories to allow for Full Control.
Note: On the Linux server, you can use WinSCP or the chmod command.
d. On the client machine, use SAS Enterprise Guide to open the LoadUsers.sas program.
1) Select File  Open  Program.
2) Navigate to My Computer  Local Disk (D:)  Workshop  spaft.
3) Select LoadUsers and click Open.
4) At the top of the program, there is an OPTIONS statement. Verify that the values are the
following:
options metaserver="sasserver"
metauser="Ahmed"
metapass="Student1";
 The extids folder holds the tables of user and group information from the external source.
 The %mduimpc macro defines canonical tables, and the DATA step is used to extract data
from an external source and append them to the tables. However, this program has the data
directly in the DATA step.
Note: Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie,
James, Cecily, Jim, Ray
Note: All of the groups in the program will be added to metadata. (You can compare the
information in the group table to the groups currently listed in the User Manager
plug-in to see this.)
Note: The group members table (&idgrpmemstbla) is adding users to groups based on
the external identity.
 The metids folder holds the tables of user and group information from the metadata.
 The %mduextr macro extracts identity information from metadata and adds them to user
and groups tables in the metids library.
 The updates folder holds the user and group updates.
 The %mducmp macro compares user and group information to metadata and populates
the updates library with this information.
 The %mduchgv macro validates changes from the tables in the metids library and the
updates library
 The %mduchglb macro loads the changes into metadata.
e. Run the program. Review the log and search for errors.
Note: You can disregard this warning: Character expression will be truncated when assigned
to character column filter.
If no errors are found, close SAS Enterprise Guide.
Use SAS Environment Manager or SAS Management Console to verify that the new users and
groups were created. Verify that the group membership is correct.
Group Name Members
Power Users Groups: Application Developers, Data Integrators,

Report Content Creators
Report Content Creators Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie
Data Integrators Barbara, Bruno, Kari, Marcel, Ole
Application Developers Anita, George, Sally, Samantha
Group Name Members
Orion Star Users Groups: Finance, Marketing, Sales, Shipping
Analysts Cecily, James
Finance Alex, Jennifer, Katie, Megan, Peter
Marketing Eric, Henri, Jacques, Lynn, Stephanie
Sales Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Shipping Ray, Jim
f. The usage of these import macros is well documented under “User Import Macros” in the
appendix of SAS® 9.4 Intelligence Platform Security Administration Guide.
The macros and sample programs importad.sas and importpw.sas are located under the SAS
installation directory.
For Linux Server
Navigate to the sample programs:

Navigate to the macros:
For Windows Server
Use Windows Explorer to navigate to the sample programs:

4.4 Exploring Internal Accounts and Internal Authentication Mechanis ms 4-35
4.4 Exploring Internal Accounts and

Internal Authentication Mechanisms
Objectives
• Explore SAS internal service accounts.

• Explore SAS internal authentication.
• Review default users and groups in the SAS platform.
• Review authentication to SAS Environment Manager.
61
SAS Administrator Identity
In default installations, the SAS Administrator is an i nternal user account,

created during the deployment.
SAS Administrator sasadm@saspw
• Has access to all SAS Management Console application capabilities

• Has access to all SAS Environment Manager application capabilities
• Has all capabilities provided by the metadata server regardless of metadata
permission settings, due to membership of the Metadata Server:
Unrestricted role
• Can perform all user management functions and metadata administration
tasks 62
Other Service Accounts
SAS Trusted User A service identity that can act on behalf of other
sastrust@saspw users.
SAS Environment Manager This account is required for communications

Service Account between the SAS Environment Manager agent and
sasevs@saspw the SAS Environment Manager server. It also
enables SAS Environment Manager plug-ins to
access the SAS Metadata Server.
SAS Anonymous Web User A service identity that functions as a surrogate for
webanon@saspw users who connect without supplying credentials.
63
The SAS Anonymous Web User (webanon) is an optional account that can be used to grant web clients
anonymous access to certain SAS Web Infrastructure Platform applications (SAS BI Web Services and
SAS Stored Process Web Application). This anonymous account is configured with the SAS Deployment
Wizard and is applicable only when SAS authentication is being used. If web authentication is used, the
web application server processes authentication requests, and this anonymous account has no effect.
For more information, see “Public Access and Anonymous Access” in SAS® 9.4 Intelligence Platform:
Security Administration, Second Edition.


• Integrated Windows authentication
64
A supporting feature of internal authentication mechanisms unifies the SAS realm and provides a degree
of independence from your general computing environment.
Internal Accounts
• Internal accounts are primarily used to connect to the metadata server

and exist only in the metadata.
• They are authenticated by the metadata server.
• They are created by the SAS Deployment Wizard and by the User Manager
plug-in in SAS Management Console or in SAS Environment
Manager Administration.
65
By initial policy, these server-level settings for internal account policies are in effect.
 Accounts do not expire and are not suspended due to inactivity.
 Passwords must be at least six characters, do not have to include mixed case or numbers, and do not expire.
 The five most recent passwords for an account cannot be reused for that account.
 There is no mandatory time delay between password changes.
 After three failed attempts to log on, an account is locked. If an account is locked because of logon
failures, further logon attempts cannot be made for one hour.
 For an account that has a password expiration period, there is a forced password change on the first us e
after the password is reset by someone other than the account owner.
 An internal account has the format userID@saspw.
If you need to unlock an internal account and you have the necessary host access, do the following:
1. Edit the adminUsers.txt file to create a new unrestricted user by adding the fully qualified user ID
preceded by an asterisk. Restart the metadata server for the change to take effect.
2. Log on to SAS Management Console with the new unrestricted user and unlock the account.
3. Verify that the account is unlocked by logging on to SAS Management Console with the account.
Remove the unrestricted user that you added from the adminUsers.txt file and restart the metadata server.
SAS Internal Authentication
66
Internal Authentication
1. At a logon prompt, sasadm@saspw and password are entered. The client sends those credentials
to the metadata server for verification.
2. The metadata server recognizes that the ID is for an internal account (because the ID has the @saspw
suffix), so the metadata server checks the credentials against its list of internal accounts.
3. After validating the ID and password, the metadata server accepts the client connection.
The connection is accepted using the SAS identity associated with the internal account.
Internal authentication alone is not sufficient to allow a user access to a standard workspace server
because a host account is required.
Caution: Internal accounts are not designed to be used as end users.
continued...
Metadata Users and Groups
P UBLIC
Initial users
S A SUSERS
S A S A dministrator
sasad m@saspw
S A S Environment
M an ager Service
S A S Trusted User A c c ount
sast rust@saspw sasev @saspw
S A S Demo User
ex t ernal account
67
SAS Trusted User: This is a privileged service account that can act on behalf of other users on a
connection to the metadata server. No user should log on directly as a trusted user, except to perform
certain administrative tasks associated with the SAS Information Delivery Portal.
SAS Administrator: In default installations, it is an internal user account that is known only to SAS
and that is authenticated internally in metadata. When internal authentication is used, it is not necessary
for this user to have a local or network account. The SAS Administrator user account has privileges that
are associated with the Metadata Server: Unrestricted role. In addition, the SAS Administrator account
is initially a member of the SAS Administrators group.
SAS Environment Manager Service Account: Effective with the first maintenance release for SAS 9.4,
the SAS Environment Manager Service Account is required for communications between the SAS
Environment Manager agent and the SAS Environment Manager server. The account also enables
SAS Environment Manager plug-ins to access the SAS Metadata Server.
This account is an internal user account that is known only to SAS and that is authenticated internally
in metadata. The account has privileges that are associated with the Metadata Server: Unrestricted role
and is initially a member of the SAS Administrators group and the SAS Environment Manager Guests
group.
Optional Accounts
SAS Demo User: Serves as a generic end user when you are testing any of the SAS client applications.
The default user ID is sasdemo, and the user’s account is defined in metadata and in the operating system
of the metadata server machine and the workspace server machine.
SAS Anonymous Web User: Is used to grant clients access to applicable SAS Web Infrastructure
Platform components. When web clients request access to web services, they are not prompted for
credentials but instead are granted access under this user account. In default installations, this user
is an internal user.
continued...
PUBLIC Initial
Initial users groups
SASUSERS
S A S S ystem
SAS Administrator
s a sadm@saspw
S erv ices
SAS Trusted User
SAS
SAS EnvironmentManager
S e rvice Account S A S EV App
A d minist rators
s a s ev@saspw S erver Tier Users S A S Administrator
S AS Trusted User SAS EV Service
A c c oun t
S A S EV Service
s a s trust@saspw S A S EV Super Users A c count
S A S Ad ministrator
S A S General
S erv ers
s assrv and pw
SAS EV Guests
SAS Trusted User

68
SAS Administrators: a standard group for metadata administrators. By default, this group is granted
broad access to the metadata and has all roles other than the Metadata Server: Unrestricted role.
SAS System Services: a standard group for service identities that need to read server definitions or other
system resources.
SAS General Servers: a standard group whose members can be used for launching stored process servers
and pooled workspace servers.
SAS Environment Manager User groups: standard groups for SAS Environment Manager users. These
groups are new with the first maintenance releases for SAS 9.4. The groups include SAS Environment
Manager Guests, SAS Environment Manager App Server Tier Users, and SAS Environment Manager
Super Users. Users that are members of these groups are mapped to user definitions in SAS Environment
Manager with corresponding SAS Environment Manager roles. For more information, see “Controlling
Access to SAS Environment Manager” in SAS® Environment Manager: User’s Guide.
There might be other initial groups depending on your SAS software and solutions.
4.4 Exploring Internal Accounts and Internal Auth entication Mechanis ms 4-41

Initial users P UBLIC Initial
groups
S A SUSERS
S A S Administrator
s a s adm@saspw S AS Administrators
S AS System SAS Administrator
S A S Environment Mana ger
S e r vice Account
S ervices
s a s ev@saspw SAS Trusted User SAS EV Service
A c c ount
S A S Trusted User S A S General
s a strust@saspw S e rvers
s assrv and pw
S A S EV App Server
S A S EV Super Users T i e r Users D ata Integrators SAS Trusted User
SAS EV Service
A c c oun t
A pplication R eport Content

D ev elopers C reators
SAS EV Guests
O rion Star …
S A S Ad ministrator Us ers
A n alysts
S ales
M arketing custom groups
M anagers
69
Exercises
7. Running Metadata Inventory Reports

These stored processes generate reports that display information about the metadata that is stored on
the SAS Metadata Server, such as Groups Roles and Users Metadata Content. Because we
added users and groups in the previous section, we want to ensure that the imported identities
show up in the reports by manually running log collection, log centralization and the APM
ETL processes.
a. Log on to SAS Environment Manager as Ahmed using the password Student1.
b. Select Resources  Browse  Services and search for collection.
c. Select sasserver Log Collection  Control.
d. Next to Control Action, select Collect from the drop-down menu and click the arrow to the right
to run the collection process.
e. After the log collection has run, run the Log Centralization service to collect the logs from the
local landing zone to a landing zone on the SAS Environment Manager Enablement Kit Server.
Select Resources  Browse  Services and search for cent.
f. Select Log Centralization  Control.
g. Next to Control Action, select Run from the drop-down menu and click the arrow to the right to
run the centralization process. Wait for the process to complete.
h. Finally, run the APM ETL process, which parses the logs in the central landing zone.
Go to Resources  Browse  Service and search for APM. (Or you might see it at the top of
the list.)
i. Select the APM ETL Processing service and then select Control.
j. Select Run from the drop-down menu next to Control Action and click the arrow to the right to
run the collection process. Wait for the process to complete.
k. Go to the Report Center under the Analyze tab.

l. Expand Products  SAS Environment Manager  Dynamic Reports  Metadata
Inventory.
m. Click the Groups Roles and Users stored process. Click Run. You should see the newly added
users.
n. Expand Products  SAS Environment Manager  Nightly Reports  Audit Reports (Log
Forensic).
o. Run the Group Changes and User Accounts Added stored processes to see what was logged
when users were added.
4.5 Administering Roles and

Administrative Identities
Objectives
• Explore metadata roles and their key features.

• Explore differences between roles and groups.
• Explore predefined roles.
• Explore administrative identities.
• Create administrators and unrestricted users.
73
What Are Metadata Roles?
Roles determine which user interface elements (such as buttons, tabs, and
menu items) are visible to which users. For example, role memberships
determine who can see the Server Manager plug-in in SAS Management
Console, or who can see the Compare Data Task as a menu choice in SAS
Enterprise Guide.
Here are some applications that
support roles:
• SAS Add-In for Microsoft Office
• SAS Enterprise Guide
• SAS Studio
• SAS Web Report Studio
74 • SAS Visual Analytics
4.5 Administer ing Roles and Administrative Identities 4-45
Roles can be accessed and managed from the Administration page in SAS Environment Manager or the
User Manager plug-in in SAS Management Console.
Not all applications have roles.
Role Capabilities
The various features in applications that are under role management are called
capabilities. Each role has application capabilities that are assigned to it.
no capabilities selected
some capabilities selected
all capabilities selected
75
Not all application features are under role management. Each application that supports roles provides a
fixed set of capabilities. You cannot convert a feature that is not a capability into a capability.
You can add existing roles to a current role under the Contributing Roles tab. Capabilities from
a contributing role cannot be removed individually.
Role Features
Below are some key points of metadata-based roles.

• Roles do not protect data or metadata. Roles control which features in a
particular application are available to which users.
• Having a certain capability is not an alternative to meeting permission
requirements.
• Capabilities are additive. There are no negative capabilities (capabilities that
limit what a user can do). It is not possible to deny a capability. (Capabilities
are either granted or not granted.) For example, if a group is in two roles,
that group has all the capabilities from both roles.
76
Differences between Roles and Groups
Roles and groups serve distinct purposes.

• The identity hierarchy is relevant for groups, but not for roles. If you are a
member of a role, you have all of that role’s capabilities, regardless of whether
you are a direct member of that role and what your other memberships are.
• A group’s permissions are not displayed as part of a group definition, but a
role’s capabilities are displayed as part of a role definition.
• A group can be a member of another group, but a role cannot be a member of
another role. Instead, one role can contribute its capabilities to another role.
• You cannot assign permissions to a role. You cannot assign capabilities to a
group.
77
Roles
The initial configuration of the software includes some predefined roles.

• If these roles meet your needs, assign the correct membership.
• If these roles do not meet your needs, create new roles, assign appropriate
membership, and explicitly select application capabilities and designate
contributing roles.
Ca ution: Do not change the name of predefined roles.
78
SAS Management Console Roles
There are two predefined roles:
Management Console: • Provides access to the Folders tab and all

Advanced of the plug-ins under role management.
• Default member: SAS Administrators
Management Console: • Provides access to the Folders tab,

Content Management User Manager, Library Manager,
and Authorization Manager plug-in.
• Default member: SASUSERS
79
The capabilities for the SAS Management Console roles also affect controlling access to modules on the
Administration page of SAS Environment Manager:
 Data Library Manager controls access to the Libraries module
 Folders View controls access to the Folders module
 Server Manager controls access to the Servers module
 User Manager controls access to the Users module
In order to control which SAS Management Console plug-ins (and the Folders tab) are under role
management, select Tools  Plug-in Manager. Only unrestricted users can access the Plug-in Manager.
Administrative Roles
In addition to the client application roles, the following implicit metadata

server roles are defined at installation:
Metadata Server: All capabilities provided by the metadata server
Unrestricted regardless of metadata permission settings
Metadata Server: Create, update, and delete users; groups, roles,

User Administration internal accounts, logins, and authentication
domains
Metadata Server: Administration of the metadata server (monitor,

Operation stop, pause, resume, quiesce)
and its repositories (add, initialize, register,
unregister, delete)
80
The metadata server roles have implicit capabilities. This means that the default capabilities for these
roles cannot be viewed or modified. However, additional capabilities can be added to these roles.
Unrestricted users can use only those logons that are assigned to them (or to groups to which they
belong). They do not automatically have implicit capabilities that are provided by components other than
the metadata server.
Two Levels of Administrative Users
Administrative users have special abilities and privileged access to metadata

based on their assignments to roles. There are two basic levels of
administrative users.
Administrators • Have metadata access capabilities that

a typical end user does not have.
• Are subject to metadata layer access
controls.
Unrestricted • Have unrestricted access to metadata.
Users • Can perform tasks when the metadata
server is paused for administration.
81
Administrative Tasks
Many administrative tasks have permission requirements in addition to

capability requirements. For example, to operate servers other than the
metadata server, you need the Administer permission.
If a user needs to function as both an administrator and as a non-administrator,

create two user definitions as follows:
• one definition that is based on an internal account and is a member of the
SAS Administrators group, and if needed, the Metadata Server: Unrestricted
role
• another definition based on an external account and not a member of the
SAS Administrators group
82
Exercises
8. Exploring SAS Enterprise Guide Roles

You can use SAS Environment Manager or SAS Management Console for this exercise.
a. In SAS Environment Manager, on the Administration page, click Side menu and then select
Users.
b. Click to bring up a drop-down list on which you can filter. Select Role.
c. Open the properties of the Enterprise Guide: Advanced role by right-clicking the role and
selecting Open.
d. Remove the group PUBLIC as the current member. From the drop-down menu, select Members.
e. Click the Edit button in the upper right toolbar. Highlight PUBLIC and move the identity to
the left by selecting the arrow pointing to the left. Click OK.
f. Click the Save button in the upper right toolbar. Click Close.
g. Right-click the Enterprise Guide: Analysis role and select Open.
h. Add Gloria to the Current Members by selecting Members in the drop-down menu.
i. Click the Edit button in the upper right toolbar.

j. Enter Gloria in the search field. Highlight Gloria on the left and move her to the right by
selecting the arrow pointing to the right. Click OK.
k. Click the Save button in the upper right toolbar. Click Close.
l. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
m. On the status bar, select Functions. Which capabilities does Marcel have?
n. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
of authorized functions to the list of capabilities in the Enterprise Guide: Analysis role.
Do the lists match?
o. Close SAS Enterprise Guide.
p. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role
and add the group PUBLIC back to Current Members. Save the changes.
q. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from Current
Members. Save the changes.

a. In the User Manager plug-in in SAS Management Console, open the properties of the Enterprise
Guide: Advanced role. Remove the group PUBLIC as a current member. Click OK.
b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current Members
list box. Click OK.
c. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
d. On the status bar at the bottom, select Functions. Which capabilities does Marcel have?
e. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
Do the lists match?
f. Close SAS Enterprise Guide.
g. In the User Manager plug-in in SAS Management Console, open the properties of the
Enterprise Guide: Advanced role. Add PUBLIC to the Current Members list box. Click
OK.
h. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
Members list box. Click OK.
9. Creating a Dual User

a. Christine needs to connect to the metadata server as an unrestricted user sometimes and as a
regular user other times. On the Administration page in SAS Environment Manager, or the User
Manager plug-in in SAS Management Console, create the following two metadata identities:
Name: Christine AdminChristine
Display Name: Christine Administrator | Christine
Groups and Roles: Data Integrators SAS Administrators
Orion Star Users Metadata Server: Unrestricted
Accounts: User ID: Internal User ID:

AdminChristine@saspw
Windows Server: sasserver\Christine
Password: Student1
Linux Server: Christine
Do not store the password!
Authentication Domain: DefaultAuth
b. Log on to SAS Management Console. Use the external Christine account with the Student1
password. Open a second instance of SAS Management Console and log on using the
AdminChristine@saspw account.
How are the two instances of SAS Management Console similar? How are they different?
10. (Optional) Creating a Role

Create a role that enables the Data Integrators group to have access to the BI Lineage plug-in
and permission to view scan results. There are three steps:
 Enable role-based access for the BI Lineage plug-in.
 Create the role so that the Data Integrators group can see a limited number of plug-ins
in SAS Management Console, including the BI Lineage plug-in.
 Give the group permission to view scan results.
a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by default is not under
role management. Select Tools  Plug-in Manager. Enable role-based access for the BI Lineage
plug-in by selecting the box next to the plug-in. Click OK. Click Yes in the pop-up box to save
changes.
b. In the User Manager plug-in, create the following role:
 Name: BI Lineage Scan
 Description: Members of this role can view scan results.
 Members: Data Integrators
 Capabilities (expand Management Console 9.4  Plug-ins): Select Data Library Manager,
User Manager, BI Lineage, and Folder View.
Click OK to save new role.
c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata permissions.
1) On the Plug-ins tab, select BILineage from the Repository drop-down list.
2) Expand the Authorization Manager plug-in. Expand the Access Control Templates folder.
Access the properties window for the Default ACT.
3) Click the Permission Pattern tab. Click Add and select the Data Integrators group. When
you add the group, the Authorization Manager automatically grants the group the
ReadMetadata permission.
4) Click OK.
d. Verify that a member of the Data Integrators group can see the BI Lineage plug-in in SAS
Management Console and can view scan results. Log on to SAS Management Console as Kari, a
member of the group.
4.6 Solutions 4-53
4.6 Solutions
1. Exploring the Initial Connection to the Metadata Server
This exercise demonstrates the initial authentication process to the metadata server.
a. On the client machine, select Start  All Programs  SAS  SAS Enterprise Guide 7.1.
Close the Welcome to SAS Enterprise Guide window. Place the pointer on the words My Server
in the lower right of the application interface, and you see the user who is logged on.
b. Click My Server. With the My Server profile highlighted, click Modify.
c. Clear the Save login in profile check box.

d. Delete Jacques as the user and enter sas. Delete the asterisks for the password and enter
Student1.
Note: This is the SAS install account. But this account is not linked with a metadata identity.
e. Click Save.
f. Click Yes to continue.
g. Click Close.
h. An Error window appears. Click Show Details. How is sas identified by the metadata server?
Note: At initial deployment, the implicit group, PUBLIC, is denied access to all metadata
through the Repository ACT. The authorization layer of the SAS environment is
discussed in a later chaper.
4.6 Solutions 4-55
i. Click Close.
j. Click Modify to change the login back to Jacques. You can choose to select Save login in profile.
k. Click Save. Click Set Active. Click Close.
l. Use SAS Environment Manager or SAS Management Console to look at the properties of
Jacques.
1) Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
2) On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the
Password field. Click SIGN IN.
3) Click the Administration tab, which opens in another browser.

4) Select the Side menu button in the upper left of the page.
5) Select Users.
4.6 Solutions 4-57
6) Click to bring up a drop-down list on which you can filter. Select User.
7) Double-click Jacques to see the metadata definition.
8) Click the drop-down arrow next to Basic Properties and select Accounts to see the ID that is
used and stored with the metadata identity for initial authentication to the metadata server.
9) Click Close in the upper right to close out of the metadata properties for Jacques.
1) Start SAS Management Console, if it is not already open. (Select Start  All Programs 
SAS  SAS Management Console 9.4.) If you are already logged on, go to step 4.
2) In the Connection Profile window, click OK.
3) When prompted, enter Ahmed in the User ID field and Student1 in the Password field.
Click OK.
4) After you are connected, you can see the name of the user logged on, the machine that hosts
the metadata server, and the port in the lower right corner of SAS Management Console.
Note: Ahmed is an unrestricted user of the metadata.

5) Click the Plug-ins tab and select the User Manager plug-in. The User Manager plug-in is
where SAS identities are viewed, created, and modified. SAS metadata identities can be an
individual user or a group. Metadata roles are also listed in this plug-in. Most SAS identities
have stored, external IDs as part of their metadata definitions. The external IDs are used for
authentication to the SAS Metadata Server. The identities use these credentials when logging
on to SAS applications, such as SAS Enterprise Guide, SAS Web Report Studio, or SAS
Information Delivery Portal.
Note: You can deselect the Show Groups and Show Roles options to see only a list of
users.
4.6 Solutions 4-59
Note: You can use the Options dialog box in the User Manager plug-in to change your
default view from View All to Search. This becomes your default view. This is useful
if you have many user identities.
6) Right-click Jacques and select Properties.
7) Go to the Accounts tab to see the ID that is used for initial authentication to the metadata
server.
8) Click Cancel.
2. Exploring Connection Profiles
Connection profiles are stored in files on the user’s desktop, but stored passwords are encrypted.
Examine an existing connection profile.
a. On the client machine, use Windows Explorer to navigate to
C:\Users\Student\AppData\Roaming\SAS\MetadataServerProfiles. View the contents
of ConfigurationV71.xml, using a text editor such as Notepad.
What is the value of SaveLogin? True

Note: If the AppData folder is hidden, you can enter the path into Windows Explorer or
unhide the folder. To unhide it, in Windows Explorer, select Organize  Folder 
Search options. On the View tab, select Show hidden files, folders, and drives.
On the View tab, clear the Hide extensions for known file types check box.
Click OK.
b. Open SAS Enterprise Guide. Select File  New  Program. In the Program window, enter the
following code:
proc pwencode in="Student1";
run;
c. Click Run.
d. On the Log tab, locate the value that begins with {sas002}. Does the value match the password
value in the ConfigurationV71.xml file?
Note: A password string beginning with {sas002} is encoded using the SAS Proprietary
algorithm.
e. Close SAS Enterprise Guide.
f. View the metadata server log. Verify the SAS Enterprise Guide initial connection to the metadata
server.
1) Open the most recent metadata server log.
For Linux Server
/opt/sas/config/Lev1/SASMeta/MetadataServer/Logs
For Windows Server
D:\SAS\Config\Lev1\SASMeta\MetadataServer\Logs
2) Scroll down closer to the bottom and look for the name of the user ID that was used to log
on to SAS Enterprise Guide. (Otherwise, you can simplify the search by using the Find tool
for the name. Hold down the Ctrl key and press F.)
3. Exploring the omaconfig.xml File
The omaconfig.xml file is the start-up file for the SAS Metadata Server. You can specify changes
to standard features of the SAS Metadata Server, the repository manager, and policies related to
internal users in this file.
a. Open the omaconfig.xml file.
For Linux Server
Navigate to /opt/sas/config/Lev1/SASMeta/MetadataServer
For Windows Server
Use Windows Explorer to navigate to

D:\SAS\Config\Lev1\SASMeta\MetadataServer.
4.6 Solutions 4-61
b. What is the setting in this file that governs saving a password in a connection profile?
SASSEC_LOCAL_PW_SAVE= which specifies whether users of desktop applications can
save their user IDs and passwords in a local metadata connection profile.
Note: For a few solutions desktop clients (for example, SAS Model Manager, SAS Enterprise
Miner, and SAS Forecast Studio), the ability to store credentials in client-side connection
profiles is instead controlled by the Policy.AllowClientPasswordStorage property. To
access this property, open the Plug-ins tab of SAS Management Console and navigate to
Application Management  Configuration Manager  SAS Application
Infrastructure. Right-click and select Properties  Settings  Policies 
Allow client password storage.
c. What is the default value? Y What other values are possible?
SASSEC_LOCAL_PW_SAVE="1 | Y | T | 0 | N | F"
Note: To find the possible values, go to support.sas.com and search Reference Information
for omaconfig.xml.
d. If you make changes to this file, what steps need to be performed?
1) Make sure there is a backup of the file.
2) The Metadata Server needs to be restarted.
4. Adding a User Manually into Metadata

Add Ben to metadata. Use SAS Environment Manager Administration or the User Manager plug-in in
a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar. On the
Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password field.
Click SIGN IN.
b. Click the Administration tab, which opens in another browser.

c. Click the Side menu button in the upper left of the page.
d. Select Users.
e. Click the New user/group button located in the upper right toolbar.
f. Select New User. Enter the name Ben and click Save.
4.6 Solutions 4-63
g. Add the following information under the appropriate drop-down menu categories:
Note: Use the Add button to add information for each property.
Note: Be sure to save your changes by clicking the Save button in the upper right toolbar
after every entry that you make. An asterisk to the left of the drop-down menu property is
shown if the values have not been saved.
Basic Properties:
Name Ben
Display Name Ben
External Identities:
Accounts:
Account User ID
Account Authentication Domain DefaultAuth
Contact Information:
Email Type Business
Phone Type Office
Address Type Office
City Cary
State/Province NC
Country USA
4.6 Solutions 4-65
Member of:
Group Finance
h. Save your changes by clicking the Save button in the upper right toolbar.
a. Right-click the User Manager plug-in and select New  User.
b. Add the following information:
Name Ben
Display Name Ben
Email Type Business
Phone Type Office
Address Type Office
City Cary
State/Province NC
Country USA
4.6 Solutions 4-67

Finance
Group
 Windows server:
Account User ID
sasserver\Ben
DefaultAuth
Account Authentication Domain
5. Using SAS Environment Manager Administration to View the Identity Hierarchy

a. Open Internet Explorer and select SAS Environment Manager on the Favorites toolbar.
b. On the Sign In to SAS page, enter Ahmed in the User ID field and Student1 in the Password
field. Click SIGN IN.
c. Click the Administration tab, which opens in another browser.
d. Click the Side menu button in the upper left of the page.
e. Select Users.
f. Click to bring up a drop-down list on which you can filter. Choose User.
g. Right-click Eric and select Open to see the metadata definition.
h. From the drop-down menu select Member of.
Which groups is Eric directly a member of? Marketing, Marketing Managers, Report Content
Creators
Which groups is Eric indirectly a member of? Orion Star Users, Power Users
Which groups is Eric implicitly a member of? PUBLIC, SASUSERS
i. Click Close in the upper right to close out of the metadata properties for Eric.
6. Loading Users and Groups with User Import Macros
a. On the client machine, use SAS Management Console to perform an ad hoc backup.
1) Log on to SAS Management Console as Ahmed using the Student1 password.
Run Backup Now.
3) Provide a comment for the backup history and click OK.

4) Click OK when the backup is complete.
4.6 Solutions 4-69
b. Create the following folders on the server:
For Linux Server

opt/sas/ Workshop/spaft/Metids
/opt/sas/ Workshop/spaft/Updates
/opt/sas/Workshop/spaft/Extids
Use WinSCP. Right-click in /opt/sas/Workshop/spaft and select New  Directory.
Or use the mkdir command in MRemoteNG.

Note: You can also run the makedir.sh located in the same directory to create the
folders.
For Windows Server
D:\Workshop\spaft\Metids
D:\Workshop\spaft\Updates
D:\Workshop\spaft\Extids
Note: You can also run makefolders.bat in the same directory to create the folders.
c. Make sure that permissions are set on these directories to allow for Full Control.
Note: On the Linux server, you can use WinSCP or the chmod command.
Or on the command line:

chmod 777 /opt/sas/Workshop/spaft/Metids/
Repeat for the Updates and Extids directories.
d. On the client machine, use SAS Enterprise Guide to open the LoadUsers.sas program.
1) Select File  Open  Program.
2) Navigate to My Computer  Local Disk (D:)  Workshop  spaft.
3) Select LoadUsers and click Open.
4) At the top of the program, there is an OPTIONS statement. Verify that the values are the
following:
metauser="Ahmed"
 The extids folder holds the tables of user and group information from the external source.
 The %mduimpc macro defines canonical tables, and the DATA step is used to extract data
from an external source and append them to the tables. However, this program has the data
directly in the DATA step.
Note: Nine users will be added to metadata: Jennifer, Megan, Peter, Alex, Katie, James,
Cecily, Jim, Ray
Note: All of the groups in the program will be added to metadata. (You can compare the
information in the group table to the groups currently listed in the User Manager
plug-in to see this.)
Note: The group members table (&idgrpmemstbla) is adding users to groups based on
the external identity.
 The metids folder holds the tables of user and group information from the metadata.
4.6 Solutions 4-71
 The %mduextr macro extracts identity information from metadata and adds them to user
and groups tables in the metids library.
 The updates folder holds the user and group updates.
 The %mducmp macro compares user and group information to metadata and populates the
updates library with this information.
 The %mduchgv macro validates changes from the tables in the metids library and the
updates library
 The %mduchglb macro loads the changes into metadata.
e. Run the program. Review the log and search for errors.
Note: You can disregard this warning: Character expression will be truncated when assigned
to character column filter.
If no errors are found, close SAS Enterprise Guide.
Use SAS Environment Manager or SAS Management Console to verify that the new users and
groups were created. Verify that the group membership is correct.
Group Name Members
Power Users Groups: Application Developers, Data Integrators,

Report Content Creators
Report Content Ellen, Eric, Gloria, Harvey, Jacques, Kari, Stephanie

Creators
Data Integrators Barbara, Bruno, Kari, Marcel, Ole
Application Developers Anita, George, Sally, Samantha

Group Name Members
Orion Star Users Groups: Finance, Marketing, Sales, Shipping
Analysts Cecily, James
Finance Alex, Jennifer, Katie, Megan, Peter
Marketing Eric, Henri, Jacques, Lynn, Stephanie
Sales Ellen, Gloria, Harvey, Linda, Mark, Robert, Susan
Shipping Ray, Jim
f. The usage of these import macros is well documented under “User Import Macros” in the
appendix of SAS® 9.4 Intelligence Platform Security Administration Guide.
The macros and sample programs importad.sas and importpw.sas are located under the SAS
installation directory.
For Linux Server

Navigate to the sample programs:
For Windows Server
Use Windows Explorer to navigate to the sample programs:

7. Running Metadata Inventory Reports
These stored processes generate reports that display information about the metadata that is stored on
the SAS Metadata Server, such as Groups Roles and Users Metadata Content. Because we
added users and groups in the previous section, we want to ensure that the imported identities
show up in the reports by manually running log collection, log centralization and the APM
ETL processes.
a. Log on to SAS Environment Manager as Ahmed using the password Student1.
b. Select Resources  Browse  Services and search for collection.
c. Select sasserver Log Collection  Control.
4.6 Solutions 4-73
d. Next to Control Action, select Collect from the drop-down menu and click the arrow to the right
to run the collection process.
e. After the log collection has run, run the Log Centralization service to collect the logs from the
local landing zone to a landing zone on the SAS Environment Manager Enablement Kit Server.
Select Resources  Browse  Services and search for cent.
f. Select Log Centralization  Control.
g. Next to Control Action, select Run from the drop-down menu and click the arrow to the right to
run the centralization process. Wait for the process to complete.
h. Finally, run the APM ETL process, which parses the logs in the central landing zone.
Go to Resources  Browse  Service and search for APM. (Or you might see it at the top of
the list.)
i. Select the APM ETL Processing service and then select Control.
j. Select Run from the drop-down menu next to Control Action and click the arrow to the right to
run the collection process. Wait for the process to complete.
k. Go to the Report Center under the Analyze tab.

l. Expand Products  SAS Environment Manager  Dynamic Reports  Metadata Inventory.
4.6 Solutions 4-75
m. Click the Groups Roles and Users stored process. Click Run. You should see the newly added
users.
n. Expand Products  SAS Environment Manager  Nightly Reports  Audit Reports (Log
Forensic).
o. Run Group Changes and User Accounts Added stored processes to see what was logged when
users were added.
8. Exploring SAS Enterprise Guide Roles

You can use SAS Environment Manager or SAS Management Console for this exercise.
a. In SAS Environment Manager, on the Administration page, click Side menu and then select
Users.
b. Click to bring up a drop-down list on which you can filter. Select Role.
c. Open the properties of the Enterprise Guide: Advanced role by right-clicking the role and
selecting Open.
d. Remove the group PUBLIC as the current member. From the drop-down menu, select Members.
4.6 Solutions 4-77
e. Click the Edit button in the upper right toolbar.
Highlight PUBLIC and move the identity to the left by selecting the arrow pointing to the left.
Click OK.
f. Click the Save button in the upper right toolbar. Click Close.
g. Right-click the Enterprise Guide: Analysis role and select Open.
h. Add Gloria to the Current Members by selecting Members in the drop-down menu.
i. Click the Edit button in the upper right toolbar.
j. Enter Gloria in the search field. Highlight Gloria on the left and move her to the right by
selecting the arrow pointing to the right. Click OK.
k. Click the Save button in the upper right toolbar. Click Close.
l. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
m. On the status bar, select Functions. Which capabilities does Marcel have?
4.6 Solutions 4-79
n. Change the connection to connect as Gloria. On the status bar, select Functions. Compare the list
Do the lists match? Yes
o. Close SAS Enterprise Guide.

p. In SAS Environment Manager, open the properties of the Enterprise Guide: Advanced role
and add the group PUBLIC back to Current Members. Save the changes.
q. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from Current
Members. Save the changes.
a. In the User Manager plug-in in SAS Management Console, open the properties of the Enterprise
Guide: Advanced role. Remove the group PUBLIC as a current member. Click OK.
4.6 Solutions 4-81
b. Open the properties of the Enterprise Guide: Analysis role. Add Gloria to the Current Members
list box. Click OK.
c. Open SAS Enterprise Guide and connect as Marcel using the password Student1.
d. On the status bar at the bottom, select Functions. Which capabilities does Marcel have?
e. Change the connection to connect as Gloria. On the status bar, select Functions. Compare
the list of authorized functions to the list of capabilities in the Enterprise Guide: Analysis role.
Do the lists match? Yes
f. Close SAS Enterprise Guide.

g. In the User Manager plug-in in SAS Management Console’s, open the properties of the
Enterprise Guide: Advanced role. Add PUBLIC to the Current Members list box. Click
OK.
4.6 Solutions 4-83
h. Open the properties of the Enterprise Guide: Analysis role. Remove Gloria from the Current
Members list box. Click OK.
9. Creating a Dual User

a. Christine needs to connect to the metadata server as an unrestricted user sometimes and as a
regular user other times. On the Administration page in SAS Environment Manager, or the User
Manager plug-in in SAS Management Console, create the following two metadata identities:
Name: Christine AdminChristine
Display Name: Christine Administrator | Christine
Groups and Roles: Data Integrators SAS Administrators
Orion Star Users Metadata Server: Unrestricted
Accounts: User ID: Internal User ID:

AdminChristine@saspw
Windows Server: sasserver\Christine
Password: Student1
Linux Server: Christine
Do not store the password!
Authentication DefaultAuth
Domain:
1) In SAS Environment Manager, go to the Administration page. Click Side menu and
select Users.
2) Click the Add User/Group/Role button in the upper right toolbar and select New User.
3) Enter Christine in the Name and Display Name fields and click Save.
4.6 Solutions 4-85
4) From the drop-down menu, select Member of.
5) Click the Edit button in the upper right toolbar.
6) Enter Orion in the search field. Highlight Orion Star Users and use the arrow pointing to the
right to move the identity to the Direct member of pane.
Enter Data I in the search field. Highlight Data Integrators and use the arrow pointing to the
right to move the identity to the Direct member of pane.
7) Click OK.
8) Click the Save button.
9) From the drop-down menu, select Accounts.
10) Click the Add button in the upper right toolbar.
11) Enter the user ID that is appropriate for the server. Click the Save button.
For Windows Server
sasserver\Christine
4.6 Solutions 4-87
For Linux Server

Christine
12) Click Close.
13) Click the Add User/Group/Role button in the upper right toolbar and select New
User.
14) Enter AdminChristine in the Name field and Administrator | Christine in the Display
Name field and click Save.
15) From the drop-down menu, select Member of.
17) Enter SAS Administrators in the search field. Highlight SAS Administrators and use the
arrow pointing to the right to move the identity to the Direct member of pane.
Enter Metadata in the search field. Highlight Metadata Server: Unrestricted and use the
arrow pointing to the right to move the identity to the Direct member of pane.
4.6 Solutions 4-89
18) Click OK.

19) Click the Save button.
20) From the drop-down menu, select Accounts.
22) Click the button to the right of Internal Account to create an internal account.
23) Enter Student1 in the New Password field and again in the Confirm field. Click Save.
24) Click Close.
4.6 Solutions 4-91
1) Right-click User Manager and select New  User.

2) Enter Christine in the Name and Display Name fields.
3) Click the Accounts tab and click New.

4) Enter Christine as the user ID for the LNX server.
5) Enter sasserver\Christine for the user ID for the WIN server.
6) Verify that the authentication domain is DefaultAuth. Click OK  OK.

7) Right-click User Manager and select New  User.
8) Enter AdminChristine in the Name field. Enter Administrator | Christine in the Display
Name field.
4.6 Solutions 4-93
9) Click the Groups and Roles tab. Hold down the Ctrl key. Select Metadata Server:
Unrestricted and SAS Administrators. Click to move these to the Member of list box.
10) Click the Accounts tab and click Create Internal Account. This is located at the bottom.
Verify that the internal user ID is AdminChristine@saspw. Enter Student1 in the New
Password and Confirm Password fields. Click OK twice.
b. Log on to SAS Management Console. Use the external Christine account with the Student1
password. Open a second instance of SAS Management Console and log on. Use the
AdminChristine@saspw account.
How are the two instances of SAS Management Console similar? There are some of the same
plug-ins.
How are they different? There are many more available plug-ins for AdminChristine@saspw.
10. (Optional) Creating a Role
Create a role that enables the Data Integrators group to have access to the BI Lineage plug-in
and permission to view scan results. There are three steps:
 Enable role-based access for the BI Lineage plug-in.
 Create the role so that the Data Integrators group can see a limited number of plug-ins
in SAS Management Console, including the BI Lineage plug-in.
 Give the group permission to view scan results.
a. Log on to SAS Management Console as Ahmed. The BI Lineage plug-in by default is not under
role management. Select Tools  Plug-in Manager. Enable role-based access for the BI Lineage
plug-in by selecting the box next to the plug-in. Click OK. Click Yes in the pop-up box to save
changes.
4.6 Solutions 4-95
b. In the User Manager plug-in, create the following role:

 Name: BI Lineage Scan
 Description: Members of this role can view scan results.
 Member: Data Integrators
 Capabilities (expand Management Console 9.4  Plug-ins): Data Library Manager, User
Manager and BI Lineage plug-ins, and Folder View
Click OK to save the new role.

c. You must update the BI Lineage repository’s Default ACT to grant ReadMetadata permissions.
1) On the plug-ins tab, select BILineage from the Repository drop-down list.
2) Expand the Authorization Manager plug-in. Expand the Access Control Templates folder.
Open the properties window for the Default ACT.
4.6 Solutions 4-97
3) Click the Permission Pattern tab. Click Add and select the Data Integrators group. When
you add the group, the Authorization Manager automatically grants the group the
ReadMetadata permission.
4) Click OK.
d. Verify that a member of the Data Integrators group can see the BI Lineage plug-in in SAS
Management Console and can view scan results. Log on to SAS Management Console as Kari,
a member of the group.
An alternative to using credentials is to use Integrated Windows

Authentication.
 True
 False
26
If you make changes to the omaconfig.xml file what would you need to do to
ensure the changes are in effect:
a. Nothing
b. Make sure no users are connected to the metadata server
c. Pause the metadata server
d. Restart the metadata server
28
4.6 Solutions 4-99
A SAS user cannot log on to SAS Enterprise Guide. Here is the message that
is received:
a. The user does not have an LDAP account.

b. The user is using an internal account and therefore cannot be
authenticated to the host.
c. The user does not have a SAS identity, or her SAS identity does not
have the correct fully qualified ID in her identity definition.
d. There is no group called PUBLIC in metadata.
30
In the identification phase of authentication, the metadata server searches

for the following in the metadata repository:
a. Fully qualified user ID

b. Authentication domain, fully qualified user ID, password
c. Fully qualified user ID and password
d. The user’s password only
45
Chapter 5 Managing SAS®
Compute Servers and Spawners
5.1 Understanding SAS Compute Servers ......................................................................... 5-3
Demonstration: Monitoring SAS Servers and Sessions from SAS Management
Console ...................................................................................................... 5-20
Exercises .............................................................................................................................. 5-22
5.2 Exploring Credential Management ............................................................................. 5-28

Demonstration: (Optional) Configuring Access to a Database in SAS Management
Console ...................................................................................................... 5-34
Exercises .............................................................................................................................. 5-42
5.3 Administering Server Logging .................................................................................... 5-43

Demonstration: Viewing Metadata Server Logging in SAS Management Console ............. 5-54
Exercises .............................................................................................................................. 5-58
5.4 Solutions ....................................................................................................................... 5-62

5-2 Chapter 5 Managing SAS® Compute Servers and Spawners
5.1 Understanding SAS Compute Servers 5-3
5.1 Understanding SAS Compute Servers
Objectives
• Explore the functionality of a workspace server.

• Explore the functionality of a pooled workspace server.
• Explore the functionality of a stored process server.
• Identify the role of the object spawner.
• Explore SAS Token Authentication.
3
SAS Servers
SAS Servers
Metadata Server Whether users enter their own code, execute
a stored process, or enable SAS applications to
SAS Workspace Server generate code for them, the code is executed
SAS Pooled Workspace
Server
on a SAS server. Each server type has different
SAS Stored Process capabilities.
Server
SAS Grid Servers
SAS OLAP Server
SAS LASR Analytics

Server
4
Most code generated by SAS applications is executed on a workspace server.

A workspace server is a SAS session that executes SAS code to do the
following:
• access data libraries
• perform tasks using the SAS language
• retrieve results
5
By default, the following events occur:

• The object spawner launches a workspace server under the user’s
credentials.
• The user’s credentials are authenticated by the host operating system.
• The workspace server is shut down when the client application is shut
down.
Note: You can convert a standard workspace server to use SAS Token
Authentication.
Note: In some cases, you can convert a standard workspace server to use
Integrated Windows Authentication.
6
SAS token authentication is when the metadata server generates and validates a single-use identity token
for each authentication event.
continued...
Connecting to a SAS Workspace Server
i
3
1
2
SAS Enterprise Guide 4 Metadata Server
Metadata
Repositories
Object 7
Spawner
14
1. Using the established connection to the metadata server, SAS Enterprise Guide requests access
2. The metadata server searches the metadata for the workspace server in question.
3. The metadata server retrieves the name of the machine hosting the workspace server, the port
on which the object spawner listens for request for this server, and the authentication domain
associated with the workspace server.
4. The connection information is returned to SAS Enterprise Guide.
5. SAS Enterprise Guide uses the connection information to make the request for a workspace server.
If the authentication domain for the server matches that of the initial inbound login, SAS Enterprise
Guide passes along the credentials as well.
Note: If the server is assigned a different authentication domain, SAS Enterprise Guide searches
its in-memory list of credentials for Jacques for credentials with the appropriate authentication
domain. If none is found, SAS Enterprise Guide queries the metadata server for credentials for
Jacques for that particular authentication domain (outbound login). If none is found, Jacques
is prompted for credentials.
6. The object spawner sends Jacques’ credentials to its authentication provider. The default
authentication provider is the host.
7. The authentication provider verifies that the credentials are valid.
continued...

i
Metadata Server
Metadata
Repositories
10 9
Object
Spawner
18
8. The object spawner launches the workspace server. It uses the launch command that was retrieved
from the metadata at start-up. The workspace server runs under the credentials provided
by SAS Enterprise Guide and authenticated by the host.
9. The object spawner provides SAS Enterprise Guide with a TCP connection to the workspace server
session.
10. SAS Enterprise Guide communicates directly with the workspace server.
continued...

i
Metadata Server
Metadata
Repositories
results returned code submitted
Object
Spawner
19
11. SAS Enterprise Guide submits one or more requests for processing. Results are returned
to SAS Enterprise Guide as appropriate.
i
Metadata Server
Metadata
Repositories
Object
Spawner
20
12. After Jacques closes SAS Enterprise Guide, the workspace server session ends.
Note: The connection could close earlier if there is a TCP time-out.
Workspace Server Pooling
In pooling, a set of workspace server processes are

• made available to process certain types of requests
• reused for subsequent requests
• owned by a shared identity.
21
Workspace Server Pooling
The primary purpose of workspace server pooling is to enhance performance

by avoiding the time associated with launching workspace servers on
demand.
In general, pooling is used when a relational information map is queried,

processed, opened, or used indirectly through a report.
22
What Is a SAS Stored Process?
A SAS Stored Process has the following characteristics:

• is a SAS program that is hosted on a server or in metadata and registered in
metadata
• can be executed by many of the platform for SAS Business Analytics
applications
• consists of a SAS program along with a metadata definition that describes
how the stored process should execute
23
The stored process metadata properties determine which type of server the stored process is executed
on, where the source code is stored, and the type of output that is produced.
Executing a Stored Process
Stored processes are typically executed on a stored process server but can
also be executed on a workspace server.
24
SAS Stored Process Servers interact with SAS by executing stored processes.
Each stored process server
• handles multiple users
• is reused for subsequent requests
• is owned by a shared identity
• includes load-balancing settings that the object spawner uses to distribute
requests between the server processes.
25
continued...
Connecting to a Stored Process Server
i
1
2
Metadata
Repositories
6
5
9
Object
Spawner
35
1. Using the established connection, SAS Enterprise Guide requests access to a stored process server.
2. The metadata server searches the metadata for the stored process server in question.
3. The metadata server retrieves the machine name hosting the stored process server, the port on which
the object spawner listens for request for this server, and a token.
Note: A SAS identity token is a single-use, proprietary software representation of an identity.

5. SAS Enterprise Guide uses the connection information and the token provided by the metadata server
to make the request for a stored process server.
6. The object spawner sends the token to the metadata server for verification.
7. The metadata server verifies that the token is valid.
8. If there is no stored process server currently available and more can be spawned, the object spawner
sends the shared credentials, typically sassrv, to the host for authentication.
Note: During its own start-up, the object spawner not only retrieves the launch command for the
stored process server from the metadata, but also the shared credentials, user ID, and password.
9. The authentication provider authenticates the credentials.
continued...

i
Metadata Server
Metadata
Repositories
11
13 12
10
Object
Spawner
40
10. The object spawner launches the stored process server. It uses the launch command that it retrieved
from the metadata at start-up. The stored process server runs under shared credentials.
11. The object spawner provides SAS Enterprise Guide with a TCP connection to the stored process
server. During the execution of the stored process, metadata server requests are done as an individual
user, and operating system requests are done as the shared account.
12. SAS Enterprise Guide communicates directly with the stored process server. SAS Enterprise Guide
submits a request to execute a stored process.
13. The results from the stored process are returned to SAS Enterprise Guide as appropriate.
continued...

i
Metadata Server
Metadata
Repositories
Object
Spawner
41
After the execution of the stored process is complete, the stored process server is available for reuse
by other requests from the same or a different user.
continued...
16
i
14
15
Metadata
Repositories
19
18
20
Object
Spawner
49
14. Using the established connection, SAS Enterprise Guide requests access to a stored process server.
15. The metadata server searches the metadata for the stored process server in question.
16. The metadata server retrieves the machine name hosting the stored process server, the port on which
the object spawner listens for request for this server, and a token.
Note: A SAS identity token is a single-use, proprietary software representation of an identity.

18. SAS Enterprise Guide makes the request for a stored process server. It uses the connection
information and the token provided by the metadata server.
19. The object spawner sends the token to the metadata server for verification.
20. The metadata server verifies that the token is valid.
continued...

i
Metadata Server
Metadata
Repositories
23 22 21
Object
Spawner
53
21. If there is an available stored process server, the object spawner provides SAS Enterprise Guide with
a TCP connection to the stored process server.
22. SAS Enterprise Guide communicates directly with the stored process server to submit a request
to execute a stored process.
23. The results from the stored process are returned to SAS Enterprise Guide as appropriate.
Note: The stored process server can be reused by the same user or by a different user.
i
Metadata Server
Metadata
Repositories
Object
Spawner
54
After the execution of the stored process is complete, the stored process server is available for reuse
by other requests.
Stored Process Server
By default, the stored process server is configured with

• one connection
• three multibridge connections. This is the port on which an object spawner
listens for stored process server requests.
Each multibridge connection maps to a stored

process server process and uses the specified
port to communicate with applications.
55

• Integrated Windows Authentication
56
SAS Token Authentication
SAS token authentication is when the metadata server generates and

validates a single-use identity token for each authentication event. This
enables the following SAS processing servers to accept users who are already
connected to the metadata server:
• OLAP server
• stored process server
• pooled workspace server
The workspace server can also use SAS Token Authentication.
57
SAS Token Authentication
58
SAS Token Authentication is when the metadata server generates and validates a single-use identity token
for each authentication event. This enables participating SAS servers to accept users who are already
connected to the metadata server:
1. The user initiates a request that requires access to a target server (for example, a request in SAS
Enterprise Guide to open a cube associated with the OLAP server). Using the existing connection
to the metadata server, the client requests an identity token for the target server.
2. The metadata server generates the token and returns it to the client.
3. The client sends the token to the target server.
4. The target server sends the token back to the metadata server for validation.
5. The metadata server validates the token and returns an acceptance message and a representation
of the user to the target server.
6. The target server accepts the connection.
The benefits of SAS token authentication are listed here:
 Individual, external accounts for credential-based authentication are not required.
 SAS copies of individual, external passwords do not need to be stored in the metadata.
 Reusable credentials are not transmitted across the network.
 Metadata layer evaluations are based on the requesting user’s identity.
The limitations of using SAS token authentication are as follows:
 Host access is based on a shared login, if implemented for use on a standard workspace server.
 It is available only for metadata-aware connections to the target server.
 This authentication is not available for access to third-party database servers.
Because SAS token authentication essentially uses a shared login (typically, sassrv), host access
to resources is based on access rights associated with that account.
Converting a standard workspace server to use SAS token authentication requires some changes
to the server’s metadata.
In the Properties window for the logical workspace server, select SAS token authentication
on the Options tab.
In the Properties window for the physical workspace server, select Launch credentials on the
Options tab.
SAS Object Spawners
Workspace servers and stored process servers are initialized by the

SAS Object Spawner.
An object spawner does the following:
• runs on each machine where you want to run
a workspace server or stored process server
• listens for requests
and launches servers,
as necessary
59
SAS Object Spawners
When the object spawner starts, it uses the information in its metadata
configuration file to access the metadata server. The file is named
metadataConfig.xml, by default.
60
If changes are made to the server or spawner configurations, the spawner can be refreshed in order
to pick up and apply these new changes. The refresh reinitializes the spawner and forces it to reread its
configuration in the metadata. As part of this refresh, the spawner quiesces any servers that it has started.
The servers shut down when their clients have completed their work.
To refresh an object spawner, follow these steps:
1. Expand the Server Manager node  Object Spawner. Then right-click the Object Spawner
machine name node.
2. From the pop-up menu, select Connect.
3. Right-click the Object Spawner node again. From the pop-up menu, select Refresh Spawner.
4. In the confirmation dialog box, click Yes.
Note: When an object spawner manages more than one SAS Application Server context, you can
refresh a specific application server by selecting Refresh Application Server.
SAS Object Spawners
During start-up, the object spawner retrieves, from the metadata, information
about how to launch the servers.
61
Monitoring SAS Servers and Sessions from SAS Management

Console
This demonstration illustrates how to monitor SAS servers and sessions from SAS Management Console.
1. In SAS Management Console, right-click the Server Manager plug-in and select Options.
Select Active, Inactive and Ended and click OK.
2. Expand the Server Manager plug-in and then select SASApp  SASApp - Logical Workspace
Server  SASApp - Workspace Server  sasserver.demo.sas.com. Right-click
sasserver.demo.sas.com and select Connect.
3. Connect also to the stored process server. Expand SASApp - Logical Stored Process Server 
SASApp - Stored Process Server. Right-click sasserver.demo.sas.com and select Connect.
Notice that the tabs become active when you are connected.
4. On the Folders tab, navigate to Orion Star  Marketing Department  Stored Processes.
Right-click Analysis of Product Orders by Gender.
5. On the Execution tab, select Stored process server only. Click OK.
6. Start a SAS Enterprise Guide session, select Start  All Programs  SAS 
SAS Enterprise Guide 7.1. Close the Welcome window.
7. In the Server list, expand Servers  SASApp.
8. Locate the process running under Jacques’ credentials. What is the process ID?
9. In SAS Enterprise Guide, select File  Open  Stored Process. Navigate to Orion Star 
Marketing Department  Stored Processes. Select Analysis of Product Order by Gender.
Click Open.
10. With the stored process highlighted in the Process Flow window, select Run  Run Analysis
of Product Order by Gender.
Switch back to SAS Management Console. What is the process ID? The process ID varies.
Who is the process owner? sassrv
11. Expand sasserver.demo.sas.com and select the process ID. Click the Sessions tab.
Are any sessions listed? If not, why not? The session is listed while the stored process executes,
but that might be too fast to see.
12. Return to SAS Enterprise Guide and rerun the stored process. While the stored process executes,
return to SAS Management Console and select the stored process server PID.
Was a new process started? No, the process was reused.
Exercises
1. Exploring the Object Spawner

a. On the server machine, open the metadataConfig.xml file that the object spawner reads at
start-up.
For Linux Server

Use mRemoteNG or WINSCP to navigate to /opt/sas/config/Lev1/ObjectSpawner.
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.
For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.
Open metadataConfig.xml with Notepad.
What account does the object spawner use to connect to the metadata server?
b. Use SAS Environment Manager or SAS Management Console on the client machine to look at
the metadata properties of the object spawner. Use credentials of Ahmed with the password
Student1.
1) On the Administration page, click Side menu and select Servers.

2) Right-click Object Spawner - sasserver and select Open to view metadata properties.
3) From the drop-down menu, select Servers.
What servers is the object spawner responsible for starting?
Expand Server Manager. Right-click Object Spawner - SASSERVER and select Properties.
c. Use SAS Environment Manager to view metrics for the Object Spawner.
1) On the Resources tab, select sasserver.demo.sas.com Object Spawner - sasserver.
2) Find the following metrics:
Current Clients: shows how many clients are connected to the object spawner at the
moment.
Current Servers: shows how many servers of any type this object spawner has currently
launched.
Total Servers: shows how many servers of any type have been started by this object spawner
since it was launched.
3) You can use the up arrow ( ) to sequentially position the metrics next to each other on the
Monitor page. Click Apply button located at the top right of the Indicator Charts.
d. Create a Server’s Launched by Object Spawner availability summary portlet.

1) On the left side of the Dashboard page, select Availability Summary in the Add content to
this column field and click the plus icon.
2) Click the Configure icon to display the Dashboard Settings page for the portlet.
3) Click Add to List in the selected Resources area.
4) In the View field, select Services and in the Filter By Name field, enter spawner and
click .
5) Select all workspace servers, pooled workspace servers, and stored process servers. (You
should have selected six of the seven available.) Click to move them to the Add
Resources pane. Click OK.
6) Specify the name Spawned Servers in the Description field. Click OK.
7) Move the Spawned Servers availability summary portlet just below the OS and SAS Server
Tier availability summary portlet. Click the heading and drag it to the location.
2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
Process Server
Use SAS Environment Manager or SAS Management Console to look at metadata properties of the
servers.
a. On the Administration page, click Side menu and select Servers. Expand SASApp  SASApp -
Logical Workspace Server. Right-click SASApp - Workspace Server and select Open.
What command is used by the object spawner to start the workspace server?
What port does the object spawner listen on for requests for the workspace server?
Note: The information can be found on the properties pages. Use the drop-down menu next to
Basic Properties.
b. On the Administration page, click Side menu and select Servers. Expand SASApp  SASApp -
Logical StoredProcess Server. Right-click SASApp - Stored Process Server and select Open.
What command is used by the object spawner to start the stored process server?
What shared ID does the object spawner use to launch the stored process server?
What port does the object spawner listen on for requests for the stored process server?
Note: The information can be found on the properties pages. Use the drop-down menu next to
Basic Properties.
a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.
What port does the object spawner listen on for requests for the workspace server?
b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
What port does the object spawner listen on for requests for the stored process server?
3. Locating the Shared ID Credentials

a. Click Side menu and select Users.
b. In the Search field, type SAS General Servers.
c. Right-click SAS General Servers and select Open.
What is the description of this group?
Who is the member of this group?
What account is attached to this group?
Note: Members of a group can access credentials stored on a group. Because the object spawner
connects to the metadata server with the sastrust@saspw account, the object spawner
is a member of the SAS General Server group.
a. Expand User Manager.

b. Right-click SAS General Servers and select Properties.
What is the description of this group?
Who is the member of this group?
4. Running Stored Processes from the Report Center about Server Activity
a. Select Analyze  Report Center.
b. Select Products  SAS Environment Manager  Nightly Reports  ARM Performance
Reports.
The following reports can be useful regarding SAS Servers:
User – Server Activity by User

How many SAS servers have been used and within what period of time?
Answers will vary
5. (Optional) Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
The Saved Chart portlet displays a rotation of all of the resource metric charts that you have saved.
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard. When
you create the portlet, all of your saved charts automatically appear.
a. Make sure you are logged on to SAS Environment Manager as Ahmed and using the password
Student1.
b. Create a Free Memory chart.
1) Select Resources  Browse.
2) On the Resources page, select Platforms.
3) Click sasserver.demo.sas.com.
4) Scroll down to the Free Memory chart.
5) Click Free Memory.
6) On the Metric Chart page, select Save Chart to Dashboards.
7) Select Ahmed and click Add.
8) Go to Dashboards to see the chart saved. It is displayed on the left side.
c. Create a Number of Spawned Servers chart.
1) Select Resources  Browse  Servers.
2) In the All Server Types field, select SAS Object Spawner 9.4.
3) Click the arrow at the right of the filter fields.
4) Click sasserver.demo.sas.com Object Spawner - sasserver.
5) Scroll down to the Current Servers chart.
6) Click Current Servers.
9) Go to Dashboards to see the chart saved. It is added to the charts list of the Saved Charts
portlet.
Note: You can toggle between the two saved charts or remove them from the pane on the left of
the Saved Charts portlet.
d. Create a Metadata Server Clients Per Minute chart.
2) In the All Groups field, select SAS Metadata Servers.
4) Click sasserver.demo.sas.com SASMeta - Metadata Server.
5) On the left side of the Resource Detail page, select All Metrics from the drop-down menu.
6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon ( ).
7) From the tooltip, select View Full Chart. The Metric Chart page appears.
portlet.
5.2 Exploring Credential Management
Objectives
• Explore logons and single sign-on.

• Identify when outbound logons are needed.
• Examine the process of authentication to SAS servers and third-party
database servers.
66
How Logons Are Used
Purpose
1. To enable the metadata server to match an incoming user ID with a

particular SAS identity (inbound use)
Joe: ID &
password
Metadata Server
i
Internal acct:
sasadm@saspw &
password i
Metadata Server ID & password
67
Joe’s logon is only for inbound use to determine his metadata identity. His password is available (cached
in the user context, not stored in the metadata) but is not used to determine his identity. This logon should
be in DefaultAuth, but that relationship is not used in determining his metadata identity.
5.2 Exploring Credential Management 5-29
How Logons Are Used
Purpose
2. To designate one host account as the account under which

a particular server runs and to make that account's ID and password
available to the spawner
(SAS Token Authentication)
Stored Process Server
SAS General Servers group’s logins:

Pooled Workspace Server
sassrv & password
Workspace Server
(standard using SAS Token
Authentication)
68
The designated launch credential for each of the depicted processing servers is stored on the SAS General
Servers group definition. In this example, the servers all use the same credentials. Logons that contain
designated launch credentials are usually in the DefaultAuth authentication domain, because these
processing servers are usually in DefaultAuth. However, those logons are directly paired with each server,
not looked up by authentication domain. Because the authentication domain assignment for these logons
is not used, the figure does not depict that assignment.
How Logons Are Used

Purpose
3. To enable clients to seamlessly obtain user credentials for disparate

systems, for outbound use, logins are stored in Metadata: User ID,
Password, Authentication domain.
JoeOra &
password
OracleAuth Oracle DBMS
GroupOra &
password
Note: An example of outbound use is a DBMS or workspace server on a machine

with separate authentication from where the metadata server resides.
69
Joe’s second logon provides seamless access to Oracle using an individual account. This logon includes a
password and must be in the Oracle server's authentication domain. The ETL group's logon is a shared
logon for the Oracle server. Joe’s personal Oracle logon has a higher priority.
Note: If you choose to store passwords for the workspace server, the relationships would be comparable
to the depiction of the Oracle DBMS, OracleAuth authentication domain, and Oracle logons. For
example, you might put the workspace server in WorkspaceAuth and create individual and group
logons in that authentication domain.
Outbound Logons
Outbound logons can be defined on the Accounts tab of individual and group
identities and must include these items:
• a fully qualified external account
• password
• authentication domain
70
Clients use authentication domain assignments to determine which credentials are valid for which servers.
The target server validates the client-supplied credentials against its authentication provider.
In most deployments of the platform for SAS Business Analytics, passwords for external accounts need
to be stored in the metadata to support these types of access only:
 seamless access to an external database
 seamless access to the standard workspace server in a mixed provider environment where Integrated
Windows Authentication and SAS token authentication is not applicable
Authentication Domains
An authentication domain is a SAS metadata object that pairs logons with the
server definitions where those credentials are correctly authenticated.
71
For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound logons)
have the same authentication domain value (for example, “OracleAuth”) if those credentials authenticate
on that Oracle server. Authentication domains can be managed using the Server Manager plug-in
or the User Manager plug-in. Right-click the plug-in and select Authentication Domains.
How many authentication domains do you need to define in the metadata?
a. one for each registered user

b. one for each registered server
c. one for each metadata server
d. one for each server that requires different credentials
72
Credential Management
Each client application maintains an in-memory list of credentials (user

context) for each connected user. The list includes the following:
• Credentials provided when the application is launched (cached credentials)
• Credentials provided interactively during the session (prompting)
• Retrieval of credentials from metadata, either from the user’s account
properties or from a group’s account properties in the user’s identity
hierarchy Example: Contents of a User Context
User ID Password Authentication Domain
myWINID ******* DefaultAuth
GroupDBMSid ******* DBMSauth

74
Note: Credentials from a user or group's metadata definition are not included in the initial list that is
created when a user logs on. Instead, such credentials are added to the list dynamically (when and
if they are needed in the course of the user's session).
Connection to DBMS Data Libraries
Three authentications and permissions take place when accessing DBMS

data:
• Metadata authentication
• SAS Workspace Server authentication
• DBMS authentication
75
Three authentications and permissions take place when accessing DBMS data. Metadata authentication is
the first, and this is mainly for the metadata server to know who is requesting the data and verify that the
user has metadata permissions to the data.
Workspace server authentication is the second authentication. If metadata permissions allow the user to
access the workspace server, then the metadata server retrieves and passes the user’s credentials to the
host OS of the SAS workspace server for authentication (via the object spawner).
When the first two authentications and authorizations have been met, the metadata server will fetch the
corresponding metadata stored DBMS credentials to pass to the DBMS for authentication (these
credentials must be stored in metadata via groups for shared credentials or at the individual user level,
except when using SQL Server Windows Integration Authentication).
Next, the DBMS system controls which data the credentials have permission to access. SAS cannot and
will not override the DBMS permissions on DBMS data. However, SAS is able to add/enhance DBMS
data permissions through metadata permissions.
(Optional) Configuring Access to a Database in

This demonstration illustrates how to create a group for the purposes of storing credentials that access a
database server, define a database server, and register a library in SAS Management Console.
1. In SAS Management Console, define a group that will store credentials that authenticate to a database
server.
Right-click the User Manager plug-in and select New  Group.
2. On the General tab, enter the group name Oragroup.
3. Click the Members tab. Uncheck Groups. Add the first four users that are listed by pressing and
holding the Shift key while highlighting the names. Click the arrow facing to the right.
4. Click the Accounts tab and click New.
5. Enter:
oracleid for User ID
Student1 for Password twice
Click New next to Authentication Domain to create a new Authentication Domain that will also be
attached to the registered database server and libraries.
6. Enter OraAuth. Click OK.
7. Click OK to create the group.

8. Define the Oracle server.
Right-click Server Manager and select the New Server option to access the New Server Wizard.
9. Select Oracle Server from the Database Servers list. Click Next.
10. Enter an appropriate server name in the Name field: Oracle Server. You can supply an optional
description. Click Next.
11. The server properties that are displayed in the window are default values and should not be changed.
To change the Associated Machine property, click the down arrow at the right of the field and select
the appropriate server from the drop-down list.
Click Next.
12. Enter the following connection properties:

Path to the Oracle server: newserver10G. (This value is contained in the tnsnames.ora file generated
during the Oracle installation. The file is stored in an Oracle installation directory such as
/opt/oracle/app/oracle/product/10.2.0/db_1/network/admin/tnsnames.ora. The alias for the connection
information is contained in this file.)
Authentication Domain: Click the arrow at the right of the field and select the Authentication domain
that you created when creating the Oracle group. This enables the appropriate Oracle User ID and
password to be used with this server.
Click Next.
13. Click Finish.
14. Define an Oracle Library.

Expand Data Library Manager plug-in. Right-click Libraries and select New Library option to
access the New Library Wizard.
15. Select Oracle from the Database Data list. Click Next.
16. Enter Oracle Library in the Name field. Click Next.
17. Move SASApp over so that this library is assigned to the SASApp server context. Click Next.
18. Enter oracle as the libref. Click Next.
19. The database server is Oracle Server, and for the database schema name, add Scott. Click Next.
20. Click Finish.
21. Right-click the Oracle Library and select Display LIBNAME Statement.
22. The interface generated the LIBNAME statement that will be processed when a user in that group is
accessing Oracle tables from this library, but they will not be prompted.
Note: If you are logged on as the unrestricted user, you will be prompted because the unrestricted user
cannot retrieve passwords from metadata.
Exercises
6. Maintaining Passwords for End Users in Metadata

If users have logons to third-party database servers, their IDs and passwords are stored in metadata.
They will need to update their passwords according to company security policy. This can be done
through the following applications: SAS Personal Login Manager and SAS Enterprise Guide.
Maintaining Passwords with SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.
b. Log on with the My Server connection profile as Marcel using the Student1 password.
c. Where in SAS Management Console can you find what is displayed in the SAS Personal Login
Manager?______________________ In SAS Environment Manager? _____________________
d. Can Marcel modify an existing login?
e. Can Marcel add a new login?
f. Can Marcel add a new authentication domain?
Maintaining Passwords with SAS Enterprise Guide:
a. Connect to SAS Enterprise Guide as Marcel.
b. Select Tools  SAS Enterprise Guide Explorer. In SAS Enterprise Guide Explorer, select
File  Manager Logins.
c. Can Marcel modify an existing login?
d. Can Marcel add a new login?
e. Can Marcel add a new authentication domain?
5.3 Administering Server Logging 5-43
5.3 Administering Server Logging
Objectives
• Explore the SAS logging facility.

• View logging in SAS Management Console.
• Create audit logging on SAS data sets.
80
SAS Server and Spawner Logging
The SAS servers and spawners generate messages as events occur. These
messages can be of different severity levels from informational to severe.
They can be directed to a number of different locations, including the
following:
• log files
• operating system logs
81
The SAS Logging Facility is a flexible, configurable framework that you can use to collect, categorize,
and filter events and write them to a variety of output devices. The facility logs information in support
of the following:
 problem diagnosis and resolution
 performance and capacity management
 auditing and regulatory compliance.
Configuring Server Logging
Logging for each server is enabled by a system option and configured in an

XML file.
• The LOGCONFIGLOC= system option is specified in the server’s sasv9.cfg file
and points to the logging configuration file.
• The logging configuration file is an XML file that configures what messages
are captured and where they are sent.
82
Initial logging settings for each SAS server are detailed in SAS® 9.4 Intelligence Platform: System
Administration Guide under System Monitoring and Logging  Administering Logging for
SAS Servers  Initial Logging Configuration for SAS Servers.
Loggers and Appenders
Loggers and appenders define what messages are captured and where they
are sent.
Loggers Use a hierarchical system to categorize log events.
They can be configured to go to multiple
appenders.
Appenders Represent a specific output destination for
messages, including fixed files, rolling files,
operating system facilities, and client applications.
83
Loggers
SAS server logger names begin Admin Relevant to systems administrators

with one of the following categories, and computer operators
which process the following types
App Related to specific applications
of events:
Audit Related to user authentication and
Settings of the Root logger are security administration
inherited by all other loggers
by default. IOM For servers that use Integrated Object
Model (IOM) workspace server interface
Perf Related to system performance
84
The App loggers process logs events related to specific applications such as metadata servers, OLAP
servers, stored process servers, and workspace servers.
The IOM interface provides access to SAS Foundation features such as the SAS language, SAS libraries,
the server file system, results content, and formatting services. IOM servers include metadata servers,
OLAP servers, stored process servers, and workspace servers.
Below is a list of some sample loggers that are useful for monitoring the metadata server and metadata.
App.Meta is the parent logger for metadata server events. Logging levels that are defined for this logger
are inherited by its child loggers unless they are explicitly overridden. They include:
 App.Meta.CM, which logs change management events, including check-in and check-out.
 App.Meta.IO, which logs low-level input and output activity.
 App.Meta.Mgmt, which logs metadata server management activity such as server operation actions,
creating and deleting repositories, modifying repository access modes, and repository backup and
migration.
Audit.Meta.Security is the parent logger for metadata server security events. No events are written
directly to this logger. Logging levels that are defined for this logger are inherited by its child loggers
unless the levels are explicitly overridden. Examples are: Audit.Meta.Security.AccCtrlAdm,
Audit.Meta.security.GrpAdm, Audit.Meta.Security.UserAdm.
Perf.Meta.Expensive logs requests that take longer than a specified time threshold so that application
developers and administrators can identify high-cost metadata requests. The performance threshold is 30
seconds. (This is new in SAS 9.4.)
Admin.Operations processes log events that are related to server operations, such as starting, pausing,
and stopping an instance of a workspace server.
Audit.Authentication processes log events for server authentication requests.
Diagnostic Levels
Log events have an associated diagnostic level.

TRACE Fine-grained informational events intended for SAS Technical Support
DEBUG Fine-grained informational events useful in debugging an application

and intended for SAS Technical Support
INFO Informational events that highlight the process of an application
WARN Warning events or minor problems that are external to the

application
ERROR Error events that might still enable the application to continue
running
FATAL Very severe events that most likely cause the application to end
85
The logging levels are listed from the lowest (most detailed) to the highest: TRACE, DEBUG, INFO,
WARN, ERROR, FATAL.
Appenders
SAS has several appender classes for processing messages.

IOMServerAppender An IOM server appender to log messages
from any IOM server
FileAppender File appenders for writing log messages
RollingFileAppender to a file on disk
UNIXFacilityAppender Appenders to write to Windows, UNIX,
WindowsEventAppender and z/OS operating system logs
ZOSFAcilityAppender
ConsoleAppender Appenders to log messages to an
ZOSWtoAppender operating system
Note: Log files are not deleted from log
86
directories by default.
Appender specifications can include additional parameters to specify the following:

 filename (fileNamePattern)
 file header information (HeaderPattern)
 layout of messages in file (ConversionPattern)
These parameters typically use conversion characters referenced with a preceding percent sign, including
the following:
Conversion Description
Character
d Date of logging event

The date conversion specifier, %d, can be followed by a set of braces that contains a date
and time pattern string such as %d{HH:mm:ss, SSS} or %d{DATE}.
t Identifier for the thread that generated logging event
m Application-supplied message lines associated with the logging event
c Used to trigger the output of the logger name of the logging event
p Used to trigger the output of the level of the logging event
S Used to trigger the output of various pieces of system information and must be followed
by the key for the system information desired, placed between braces such as
%S{os_name}
Valid system information keys include the following:
 host_name
 os_name
 os_version
 user_name: identity that owns the process and not client identity associated with
current thread
 startup_cmd
u Client identity associated with current thread
IOMServerAppender and SAS Management Console
The IOM Server Appender writes log messages from IOM servers to a volatile
run-time cache. The contents of the cache are available for display in SAS
Management Console.
Use the Server Manager options to specify a message level or threshold filter
level.
87
The option settings filter the events that are already generated, based on the server’s logging settings.
Message Level Specifies a specific level of messages to be displayed in

Threshold Level Specifies the lowest level of messages to be displayed in

How Did the Message Make It to the Log?
Event type is Audit, so send to Audit Logger. Audit Logger decides:

level INFO >= threshold INFO
Event is passed to referenced Appender: AuditTimeBasedRollingFile.

Appender decides: level INFO >= THRESHOLD INFO
3. Message is written to the log file.

88
In addition to filtering log events based on thresholds that are assigned to loggers or appender definitions,
the logging facility enables you to use filter classes to filter log events based on one of the following: a
character string in the message, a single threshold, a range of thresholds, and a combination of strings and
thresholds.
Common Terminology
Log event: an occurrence that is reported by a program for possible inclusion in a log.
Filter: a set of character strings or thresholds, or a combination of strings and thresholds
that you specify. Log events are compared to the filter to determine whether they
should be processed.
Message category: a classification for messages that are produced by a SAS subsystem. Message
categories for the logging facility are administrative messages, application-specific
messages, audit messages, IOM messages, and performance messages.
Threshold: the lowest event level that is processed. Log events whose levels are below the
threshold are ignored.
Logging Process
Stop Processing Stop Processing
Event Event
Log Event
Log Event
Log Event
< Threshold For
< Threshold
Appender or
For Logger
Filter
Route to Log Event Log Event

Logger Based Logger >=Threshold Appender >=Threshold For
On Name For Logger Appender
Output Destination
89
1. A SAS process (for example, a SAS server process) issues a log event. Each event includes
the following attributes: name that indicates the message category, diagnostic level, and message .
2. The log event is routed to a logger based on the event’s name.
3. The log event’s diagnostic level is compared to the threshold that is specified for the logger
in the logging configuration. If the event’s level is at or above the specified threshold, then processing
continues. If the level is below the threshold, then the event is ignored.
If no threshold is specified for the event’s logger, then the event inherits the threshold setting of the
nearest ancestor logger. For example, if an Audit.Meta.Security event is being processed, then
inheritance occurs as follows:
a. The event’s level is compared to the threshold for the Audit.Meta.Security logger.
b. If no threshold is specified for Audit.Meta.Security, then the threshold for Audit.Meta is applied.
c. If no threshold is specified for Audit.Meta, then the threshold for Audit is applied.
d. If no threshold is specified for Audit, then the threshold for Root is applied.
If no threshold is assigned to the logger or its ancestors, then the event is ignored.
4. The log event is processed by the appenders that are assigned to the logger. Each appender
processes the log event. If the appender configuration includes a
a. threshold, the event’s level is compared to the threshold
b. filter, the event is compared to the filtering criteria.
5. If the log event passes the filter and threshold for the appender, it is written to the output
destination.
Note: Multiple appenders can be associated with a single logger. An event that passes the logger
might be written to one appender, but not to another. For example, a warning might be
written to a log file, but not to the terminal window.
Modifying Server Logging Configurations
The best practice is to use the initial logging configuration files created
by the SAS Deployment Wizard.
If necessary, you can use the following methods for modifying server logging
configurations:
• adjust logging levels dynamically using the Server Manager plug-in
• use alternative logging configuration files provided for troubleshooting
• modify the server’s logconfig.xml file
90
Adjusting Logging Levels Dynamically
The dynamic changes affect all logging produced by the server in question,
but do not modify the logconfig.xml file. The changes persist until changed
dynamically or the server is restarted.
91
By default, the Audit.Meta logger inherits the Information logging level from its parent, Audit. You can
assign a different level for this logger.
When the server is restarted, it rereads the logconfig.xml file.
Alternative Logging Configuration Files
To assist in troubleshooting, alternative logging configuration files are

provided for some servers, including metadata servers, OLAP servers, pooled
workspace servers, stored process servers, and workspace servers.
• The files are named logconfig.trace.xml.
• Messages are written to the server’s rolling log file.
Performance issues can result from using these files.
Do not modify the logconfig.trace.xml logging configuration files unless

you are requested to do so by SAS Technical Support.
92
Note: Alternate logging configuration files named logconfig.apm.xml are provided and used if the SAS
Environment Manager Service Architecture is enabled.
Using Alternative Logging Configuration Files

To use an alternative logging configuration file, follow these steps:
1. Stop the server if it is running.
2. Rename the server’s logconfig.xml file as logconfig_orig.xml.
3. Rename the server’s logconfig.trace.xml file
as logconfig.xml.
4. Restart the server if necessary.
5. When troubleshooting is complete, stop the server if it is running. Rename logconfig.xml as
logconfig.trace.xml and logconfig_orig.xml as logconfig.xml. Restart the server if necessary.
Caution: Make backup copies of any files that are modified.
Modifying logconfig.xml Files
The following are some examples of changes that you might want to make
to a server’s log configuration file:
• Configure the RollingFileAppender to use a different log filename or to
store the files in a different location.
• Configure a different message layout for an appender.
Caution: If you choose to modify the server’s logconfig.xml file, make

a backup copy first.
93
For more information about the SAS logging facility, refer to SAS® 9.4 Logging: Configuration
and Programming Reference.
Viewing Metadata Server Logging in SAS Management

Console
This demonstration illustrates how to view logging for the metadata server under the Server Manager
plug-in.
1. In SAS Management Console, expand Server Manager plug-in  SAS Meta  SASMeta - Logical
Metadata Server. Right-click SASMeta - Metadata Server and select Connect.
2. The tabs on the right are no longer grayed out. Click the Clients tab. The Clients tab lists the user,
host, and entry time for each client connected to the metadata server.
3. Click the Options tab. The Options tab lists the name, description, value, and category for the server
and spawner options, counters, and properties.
4. Click the Loggers tab. The Loggers tab lists the logging services that are in use for the server, as well
as the logging level that is captured, or inherited. This is configured for the IOM Server Appender in
the logconfig.apm.xml for the metadata server.
Note: The logconfig.apm.xml is in use because Extended Monitoring has been enabled in this
environment.
5. For example, Perf shows a level of <inherited>. It is inheriting the level from <Root> of Error. Right-
click Perf and select Properties.
6. You can assign a different diagnostic level here. The dynamic changes affect all logging produced by
the server in question, but do not modify the logging configuration file that is read at server start-up.
The changes persist until changed dynamically or the server is restarted.
7. Click Cancel.
8. Click the Log tab. The Log tab displays the log for the server when configured to do so.
9. Right-click the Server Manager plug-in and select Options.
10. Select the Logging tab.
11. Select Information for Threshold Level. Click OK.
12. Right-click SASMeta and select Refresh.
13. Highlight again the SASMeta - Metadata Server and select the Log tab.
Exercises
7. Enabling Trace Logging for Object Spawner

a. Open Internet Explorer on the client machine. Go to the SAS Home page if not already there by
clicking the Home button in the upper right toolbar.
b. Type enable object spawner trace logging in the Search field and click Search.
c. Click Enable More Detailed Logging for SAS Object Spawner Troubleshooting, dated
2015-07-16.
Note: You might need to click Date so that the most recent search results are at the top.
d. (Optional) You can choose to temporarily increase the logging level dynamically in SAS
Management Console (the second bullet).
8. Auditing Data Access

A common request to SAS Administrators is to be able to log and report on which users are accessing
SAS tables. The relevant information needs to be captured, which is the user, the table and the date
and time that the table was accessed. The SAS Logging Facility includes a logger for auditing access
to SAS libraries, which supports the ability to ‘log’ who has accessed data in a SAS library, including
SAS tables and database tables accessed via a SAS LIBNAME. The AUDIT.DATA logger will
record who has opened, deleted, or renamed a table.
In this exercise you define a logger, Audit.Data.Dataset and a RollingFileAppender named
TimeBasedRollingFileAudit for the Stored Process Server. You could use the existing
RollingFileAppender, but instead you will write to a new directory location that will hold only data
access entries in its log files.
a. Open sasv9_usermods.cfg for the Stored Process Server to find which logconfig.xml file is being
read at server start-up.
Note: In this environment, the SAS Environment Manager service architecture framework is
configured so that the logging configuration points to logconfig.apm.xml.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer. Open
sasv9_usermods.cfg and find the value for the locconfigloc system option.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open
b. Rename logconfig.apm.xml to logconfig.apm.orig.xml.

c. For this exercise, there is a logconfig.apm.xml file located on the server that already has the new
logger and appender.
Locate the file and copy it over to the Stored Process Server directory.
For Linux Server

Navigate to /opt/sas/Workshop/spaft. Copy the logconfig.apm.xml to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
For Windows Server

Navigate to D:\Workshop\spaft. Copy logconfig.apm.xml to
D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
d. The Audit.Data.Dataset logger and the TimeBased RollingFileAudit appender was already
added. Open the logconfig.apm.xml to view.
The new logger will route Audit.Data.Dataset messages with a diagnostic level of TRACEand
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
TimeBasedRollingFileAudit.
The appender definition determines where the logger messages are written and what format is
used to trigger the output of the messages. Note the following:
 The appender name matches the name specified in the appender tag of the logger definition
(TimeBasedRollingFileAudit).
 The ConversionPattern parameter values specifies the log message. This is the same as what is
written to an existing log file with the addition of LOGGER=%c. So the entry in the log file
will include the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The %c is a
conversion character that writes out the logger name.)
 The FileNamePattern parameter value specifies where the log file will be written out and what
the name of the log file will be.
For Linux Server

name= “FileNamePattern”
value=“/opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs
For Windows Server

name=“FileNamePattern”
value=“D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs
e. Close logconfig.apm.xml.
f. The AuditLogs directory needs to be created.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to
this location.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to
this location.
g. Refresh the object spawner in SAS Management Console and validate that the Stored Process
Server is still operational.
1) Expand Server Manager plug-in  Object Spawner - sasserver. Right-click
2) Right-click sasserver.demo.sas.com and select Refresh Spawner.
3) Click OK to continue.
4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored
Process Server. Right-click sasserver.demo.sas.com and select Validate.
5) Click OK.
h. Run a stored process and check the audit log.
1) Open Internet Explorer on the client machine and select SASWebReportStudio on the
Favorites bar. Log on as Ahmed using the password Student1.
2) Select Open on the Getting Started Page.
3) Navigate to Orion Star  Marketing Department  Stored Processes.
4) Highlight Analysis of Product Orders by Gender and click Open.
5) Check the log.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and open the
log file.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and open the
log file.
5.4 Solutions
1. Exploring the Object Spawner
a. On the server, open the metadataConfig.xml file that the object spawner reads at start-up.
For Linux Server

Use mRemoteNG or WINSCP to navigate to /opt/sas/config/Lev1/ObjectSpawner.
Open metadataConfig.xml with gedit or vi in MRemoteNG, or use WINSCP.
For Windows Server

Use Windows Explorer to navigate to D:\SAS\Config\Lev1\ObjectSpawner.
Open metadataConfig.xml with Notepad.
What account does the object spawner use to connect to the metadata server? sastrust@saspw
b. Use SAS Environment Manager or SAS Management Console on the client machine to look at
the metadata properties of the object spawner. Use credentials of Ahmed using the password
Student1.
1) On the Administration page, click Side menu and select Servers.
2) Right-click Object Spawner - sasserver and select Open to view metadata properties.
5.4 Solutions 5-63
From the drop-down menu select Servers.
Expand Server Manager. Right-click Object Spawner - SASSERVER and select Properties.
c. Use SAS Environment Manager to view the metrics for the object spawner.
On the Resources tab, select sasserver.demo.sas.com Object Spawner - sasserver.
Find the following metrics:
Current Clients shows how many clients are connected to the object spawner at the moment.
Current Servers shows how many servers of any type this object spawner has currently
launched.
Total Servers shows how many servers of any type have been started by this object spawner
since it was launched.
You can use the up arrow ( ) to sequentially position the metrics next to each other on the
Monitor page. Click Apply button located at the top right of the Indicator Charts.
5.4 Solutions 5-65
d. Create a Server’s Launched by Object Spawner availability summary portlet.

1) On the left side of the Dashboard page, select Availability Summary in the Add content to
this column field and click the plus icon.
2) Click the Configure icon to display the Dashboard Settings page for the portlet.
3) Click Add to List in the selected Resources area.

4) In the View field, select Services and in the Filter By Name field, enter spawner and
click .
5) Select all workspace servers, pooled workspace servers, and stored process servers.
(You should have selected six of the seven available.) Click to move them to the
Add Resources pane. Click OK.
6) Specify the name Spawned Servers in the Description field. Click OK.
7) Move the Spawned Servers availability summary portlet just below the OS and SAS Server
Tier availability summary portlet. Click the heading and drag it to the location.
2. Identifying the Command Line, Shared ID, and Port of the Workspace Server and Stored
Process Server
Use SAS Environment Manager or SAS Management Console to look at metadata properties of the
servers.
a. On the Administration page, click Side menu and select Servers. Expand SASApp  SASApp -
Logical Workspace Server. Right-click SASApp - Workspace Server and select Open.
5.4 Solutions 5-67
1) From the drop-down menu, select Options.
On the Linux Server

/opt/sas/ config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh
On the Windows Server

"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"
What port does the object spawner listen on for requests for the workspace server? 8591
2) From the drop-down menu select Connections.
b. On the Administration page, click Side menu and select Servers. Expand SASApp  SASApp -
Logical StoredProcess Server. Right-click SASApp - Stored Process Server and select Open.
1) From the drop-down menu, select Options.
On the Linux Server

/opt/sas/ config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh

"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"
5.4 Solutions 5-69
On the Linux Server

sassrv

sasserver\sassrv
What port does the object spawner listen on for requests for the stored process server? 8601
2) From the drop-down menu, select Connections.
a. Under Server Manager, expand SASApp  SASApp - Logical Workspace Server.

Right-click SASApp - Workspace Server and select Properties. Click the Options tab.
On the Linux Server

/opt/sas/config /Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh

"D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat"
What port does the object spawner listen on for requests for the workspace server? 8591
b. Under Server Manager, expand SASApp  SASApp - Logical Stored Process Server.
Right-click SASApp - Stored Process Server and select Properties. Click the Options tab.
On the Linux Server

/opt/sas/config /Lev1/SASApp/StoredProcessServer/StoredProcessServer.sh

"D:\SAS\Config\Lev1\SASApp\StoredProcessServer\StoredProcessServer.bat"
On the Linux Server

sassrv
5.4 Solutions 5-71

sasserver\sassrv
What port does the object spawner listen on for requests for the stored process server? 8601
3. Locating the Shared ID Credentials
a. Click Side menu and select Users.

b. In the Search field, type SAS General Servers.
c. Right-click SAS General Servers and select Open.
What is the description of this group? Allows members to be used for launching stored process
servers and pooled workspace servers
Who is the member of this group? SAS Trusted User
On the Linux Server

sassrv

sasserver\sassrv
a. Expand User Manager.

b. Right-click SAS General Servers and select Properties.
What is the description of this group? Allows members to be used for launching stored process
servers and pooled workspace servers
Who is the member of this group? SAS Trusted User
On the Linux Server

sassrv

sasserver\sassrv
4. Running Stored Processes from the Report Center about Server Activity
a. Select Analyze  Report Center.
5.4 Solutions 5-73
b. Select Products  SAS Environment Manager  Nightly Reports  ARM Performance

Reports.
The following reports can be useful regarding SAS Servers:
User – Server Activity by User

How many SAS servers have been used and within what period of time?
Answers will vary
5. (Optional) Adding a Saved Chart Portlet on the Dashboard in SAS Environment Manager
The Saved Chart portlet displays a rotation of all of the resource metric charts that you have saved.
The process of creating this type of portlet consists of navigating to the resources that you want
to chart, finding the metric charts that you want to display, and saving them to your dashboard. When
you create the portlet, all of your saved charts automatically appear.
a. Make sure you are logged on to SAS Environment Manager as Ahmed using the password
Student1.
b. Create a Free Memory chart.
1) Select Resources  Browse.
2) On the Resources page, select Platforms.
3) Click sasserver.demo.sas.com.
4) Scroll down to the Free Memory chart.
5) Click Free Memory.

5.4 Solutions 5-75
8) Go to Dashboards to see the chart saved. It is displayed on the left side.
c. Create a Number of Spawned Servers chart.

2) In the All Server Types field, select SAS Object Spawner 9.4.
4) Click sasserver.demo.sas.com Object Spawner - sasserver.
5) Scroll down to the Current Servers chart.
6) Click Current Servers.

5.4 Solutions 5-77
portlet.
Note: You can toggle between the two saved charts or remove them from the pane on the
left of the Saved Charts portlet.
d. Create a Metadata Server Clients Per Minute chart.
2) In the All Groups field, select SAS Metadata Servers.
4) Click sasserver.demo.sas.com SASMeta - Metadata Server.
5) On the left side of the Resource Detail page, select All Metrics from the drop-down menu.
6) In the table of metrics, find Total Clients per Minute and position your mouse pointer
on the information icon ( ).
7) From the tooltip, select View Full Chart. The Metric Chart page appears.
5.4 Solutions 5-79
portlet.
6. Maintaining Passwords for End Users in Metadata

If users have logons to third-party database servers, their IDs and passwords are stored in metadata.
They will need to update their passwords according to company security policy. This can be done
through the following applications: SAS Personal Login Manager and SAS Enterprise Guide.
Maintaining Passwords with SAS Personal Login Manager:
a. Select Start  All Programs  SAS  SAS Personal Login Manager 9.4.
b. Log on with the My Server connection profile as Marcel using the Student1 password.
c. Where in SAS Management Console can you find what is displayed in the SAS Personal Login
Manager? On the Accounts tab of a user definition In SAS Environment Manager? On the
Accounts properties of a user definition in the Administration page.
d. Can Marcel modify an existing login? Yes
e. Can Marcel add a new login? Yes
f. Can Marcel add a new authentication domain? No
Maintaining Passwords with SAS Enterprise Guide:
a. Connect to SAS Enterprise Guide as Marcel.
b. Select Tools  SAS Enterprise Guide Explorer. In SAS Enterprise Guide Explorer, select
File  Manager Logins.
c. Can Marcel modify an existing login? Yes
d. Can Marcel add a new login? Yes
e. Can Marcel add a new authentication domain? No
7. Enabling Trace Logging for Object Spawner
b. Type enable object spawner trace logging in the Search field and click Search.
5.4 Solutions 5-81
c. Click Enable More Detailed Logging for SAS Object Spawner Troubleshooting, dated
2015-07-16.
Note: You might need to click Date so that the most recent search results are at the top.
d. (Optional) You can choose to temporarily increase the logging level dynamically in
SAS Management Console (the second bullet).
8. Auditing Data Access

A common request to SAS Administrators is to be able to log and report on which users are accessing
SAS tables. The relevant information needs to be captured, which is the user, the table and the date
and time that the table was accessed. The SAS Logging Facility includes a logger for auditing access
to SAS libraries that supports the ability to ‘log’ who has accessed data in a SAS library, including
SAS tables and database tables accessed via a SAS LIBNAME. The AUDIT.DATA logger will
record who has opened, deleted, or renamed a table.
In this exercise you will define a logger, Audit.Data.Dataset and a RollingFileAppender named
TimeBasedRollingFileAudit for the Stored Process Server. You could use the existing
RollingFileAppender, but instead you will write to a new directory location that will hold only data
access entries in its log files.
a. Open sasv9_usermods.cfg for the Stored Process Server to find which logconfig.xml file is being
read at server start-up.
Note: In this environment, the SAS Environment Manager service architecture framework is
configured so that the logging configuration points to logconfig.apm.xml.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer. Open
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer. Open
b. Rename logconfig.apm.xml to logconfig.apm.orig.xml.
5.4 Solutions 5-83
c. For this exercise, there is a logconfig.apm.xml file located on the server that already has the new
logger and appender.
Locate the file and copy it over to the Stored Process Server directory.
For Linux Server

Navigate to /opt/sas/Workshop/spaft. Copy the logconfig.apm.xml to
/opt/sas/config/Lev1/SASApp/StoredProcessServer.
For Windows Server

Navigate to D:\Workshop\spaft.
Copy the logconfig.apm.xml to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
d. The Audit.Data.Dataset logger and the TimeBased RollingFileAudit appender was already
added. Open the logconfig.apm.xml to view.
The new logger will route Audit.Data.Dataset messages with a diagnostic level of TRACEand
above (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) to the appender named
TimeBasedRollingFileAudit.
The appender definition determines where the logger messages are written and what format is
used for the written messages. Note the following:
 The appender name matches the name specified in the appender tag of the logger definition
(TimeBasedRollingFileAudit).
 The ConversionPattern parameter values specifies the log message. This is the same as what is
written to an existing log file with the addition of LOGGER=%c. So the entry in the log file
will include the text LOGGER= and the name of the logger, Audit.Data.Dataset. (The %c is a
conversion character that writes out the logger name.)
 The FileNamePattern parameter value specifies where the log file will be written out and what
the name of the log file will be.
For Linux Server

name=”FileNamePattern”
value=”/opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs
5.4 Solutions 5-85
For Windows Server

name=”FileNamePattern”
value=”D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs
e. Close logconfig.apm.xml.
f. The AuditLogs directory needs to be created.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to this
location.
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer.
Create AuditLogs directory. Verify that SAS Users and the sassrv account can write to this
location.
g. Refresh the object spawner in SAS Management Console and validate that the Stored Process
Server is still operational.
1) Expand Server Manager plug-in  Object Spawner - sasserver. Right-click
2) Right-click sasserver.demo.sas.com and select Refresh Spawner.
3) Click OK to continue.
5.4 Solutions 5-87
4) Expand SASApp  SASApp - Logical Stored Process Server  SASApp - Stored

Process Server. Right-click sasserver.demo.sas.com and select Validate.
5) Click OK.
h. Run a stored process and check the audit log.

1) Open Internet Explorer on the client machine and select SASWebReportStudio on the
Favorites bar. Log on as Ahmed using the password Student1.
2) Select Open on the Getting Started Page.
3) Navigate to Orion Star  Marketing Department  Stored Processes.
4) Highlight Analysis of Product Orders by Gender and click Open.
5) Check the log.
For Linux Server

Navigate to /opt/sas/config/Lev1/SASApp/StoredProcessServer/AuditLogs and open
the log file.
5.4 Solutions 5-89
For Windows Server

Navigate to D:\SAS\Config\Lev1\SASApp\StoredProcessServer\AuditLogs and open the
log file.
How many authentication domains do you need to define in the metadata?
a. one for each registered user

b. one for each registered server
c. one for each metadata server
d. one for each server that requires different credentials
73
Chapter 6 Securing Metadata
6.1 Reviewing Metadata Security.................................................................................... 6-3
Demonstration: Exploring the Repository ACT........................................................... 6-12
Exercises............................................................................................................. 6-20
6.2 Exploring Metadata Permissions and ACTs ........................................................... 6-25

Demonstration: Identifying Applicable Permissions .................................................... 6-35
Exercises............................................................................................................. 6-38
6.3 Customizing SAS Folders ....................................................................................... 6-45

Exercises............................................................................................................. 6-53
6.4 Solutions ................................................................................................................. 6-68

6-2 Chapter 6 Securing Metadata
6.1 Review ing Metadata Security 6-3
6.1 Reviewing Metadata Security
Objectives
• Identify how the metadata authorization layer interacts with other security
layers.
• Identify where metadata permissions are assigned.
• Identify to whom metadata permissions are assigned.
• Explore how metadata authorization decisions are made.
3
SAS Metadata Authorization
The SAS platform implements a SAS Advanced Analytic Platform

Applications and interfaces
metadata-based authorization layer,
which provides an abstraction from the
underlying digital and physical resources
Metadata Layer
used in this advanced analytics platform.
• The metadata layer supplements
protections from the host Digital Resources
environment and other systems. Tables, reports, models, and so on
• In order to access a resource, a user Physical Resources

servers, databases, and so on
must have sufficient access in al l
layers that are relevant.
4
Authorization is the process of determining which users have which permissions for which resources.
The metadata layer offers a number of benefits, including but not limited to the following:
 tighter integration across platform applications and interfaces
 flexibility and portability in underlying implementation
 enterprise level security and governance
Metadata Authorization Layer

The outcome of the authorization process is a decision that either grants or denies a
specific action on a specific resource, based on the user ’s identity and group
memberships.
5
...
Across authorization layers, protections are cumulative. In order to perform a task, a user must have
sufficient access in all applicable layers.
Some clients enable power users to create and run SAS programs that access data directly, bypassing
metadata-layer controls. It is essential to manage physical layer access in addition to metadata-layer
controls.
Access Management
You can use the metadata authorization layer to manage access to the following
resources:
6
Access to a SAS metadata resource is controlled by granting or denying the metadata permissions that are
enforced for the resource.
Metadata Authorization
The metadata authorization model is object-centric, not identity-centric. The effective

permissions are viewed and managed through the authorization of the metadata
properties.
right-click  Properties 
A uthorization tab

Administration
right-click  Open  drop-
down menu  A uthorization
7
To programmatically define or query authorization settings, use either batch tools or DATA step functions.
Metadata Permissions
In the metadata layer, the following permissions are always enforced:

• ReadMetadata (RM), which controls the ability to see an object or navigate
past a folder
• WriteMetadata (WM), which controls the ability to edit, delete, rename,
or change permissions on an item
8
Other permissions are specialized and affect only certain types of items.
To examine a user’s permissions, do not begin by finding the user definition. Instead, begin by navigating
to the object that you want to examine.
Three Levels of Granularity
You can set permissions at the following levels of granularity:

• Repository-level controls act as a gateway and as parent-of-last-resort.
• Object-level controls manage access to a specific object.
• Fine-grained controls affect access to subsets of data within a resource.
9
Repository-level controls are managed from the permission pattern of the repository ACT (Default ACT).
You can define object-level controls individually (as explicit settings) or in patterns (by applying access
control templates).
To establish fine-grained controls, you add constraints called permission conditions to explicit grants
of the Read or Select permission. Fine-grained controls are supported for only some objects, including
SAS Information Maps, SAS OLAP cubes, and metadata-bound data sets.
continued...
Repository ACT
Repository-level controls are managed from the permission pattern of the

repository ACT (de fault ACT).
• A user must have ReadMetadata and
WriteMetadata in the repository ACT
to navigate and create an object
anywhere in the metadata.
10
Repository ACT
The repository ACT is a template that is designated to provide repository-level

controls.
• Permissions on the repository ACT are applied indirectly to all objects in the
metadata.
• If there are no direct settings on the object or on any of that object’s parents,
then the repository ACT determines the outcome.
• If the repository ACT’s pattern neither grants nor denies the permissions, then
the permission is denied.
• I f t here is no repository ACT, all permissions are granted.
11
Caution: You should always have a designated repository ACT.
Two Relationship Networks
Permission settings are conveyed across two distinct relationship networks:

• Identity relationships network
S el f
HR R ep ort • Object inheritance

C reator
S A S US ERS
F i n ance
P UB LIC
12
Identity Relationships Network
In the identity relationships network, permissions that you assign to one

identity can affect many other identities.
S el f
HR R ep ort
C rea tor
S A S US ERS
F i n ance
P UB LIC
13
From top to bottom, the elements in the diagram are ordered as follows:
 from highest precedence (hardest to override) to lowest precedence (easiest to override)
 from narrowest impact (most specific) to broadest impact (least specific)
For example, if you grant a group access to a report, that grant applies to everyone who is a member
of the group. This relationship network is governed by a precedence order that starts with the primary
(usually individual) identity, can incorporate multiple levels of nested group memberships, and ends with
implicit memberships in SASUSERS and then PUBLIC.
To avoid introducing unnecessary complexity, do not make PUBLIC or SASUSERS a member of another
group. This is not an issue for roles.
Object Inheritance
In object inheritance, permissions that you set on one object can affect many
other objects.
Explicit controls and ACTS have priority over settings on the object’s parent
(inheritance).
14
From top to bottom, the elements in the diagram are ordered as follows:
 from highest precedence (hardest to override) to lowest precedence (easiest to override)
 from narrowest impact (most specific) to broadest impact (least specific)
For example, a report inherits permissions from the folder in which the report is located. This network
is a simple folder tree, with exceptions such as the following:
 The root folder is not the ultimate parent. This folder inherits from the repository (through the
permission pattern of the repository ACT).
 The root folder is not a universal parent. Some system resources (such as application servers, identities,
and ACTs) are not in the folder tree. For these items, the repository ACT is the immediate and only
parent.
 Inheritance within a table or cube follows the data structure. For example, neither table columns nor
cube dimensions have folders as immediate parents. Instead, a column inherits from its parent table
and a dimension inherits from its parent cube.
 Inheritance does not flow through specialty folders such as favorites folders, virtual folders, or search
folders.
The diagram depicts a separated view of the object inheritance paths. The arrows on the slide flow from
child to parent.
In the metadata layer, parent objects convey their effective permissions to child objects. Children inherit
the net effect of their parents’ access controls, not the access controls themselves.
Below is the integrated view of the object inheritance paths. The arrows in the diagram below flow from
parent to child. For example, a folder conveys its effective permissions to the items that it contains.
Exploring the Repository ACT

This demonstration illustrates how to use SAS Environment Manager and SAS Management Console to
view the Repository ACT and identify the security applied to objects coming from the Repository ACT’s
permission pattern.
1. Sign in to SAS Environment Manager as Ahmed with the password Student1, if you are not already
signed in.
2. Click the Administration tab. Click Side menu and select Folders.
3. Expand SAS Folders  System  Security Access Control Templates.
4. Right-click Default ACT and select Open. This brings you to the metadata properties.
5. The Basic Properties are displayed. Open the drop-down menu by clicking the down arrow next to
Basic Properties and select ACT: Usage.
The box has a check mark, which signifies that this ACT is used for the Repository ACT.
6. From the drop-down menu, select ACT: Pattern.
The repository ACT is a template that is designated to provide repository-level controls.

 A user must have RM and WM permission in the repository ACT to create an object anywhere
in the metadata. This is SASUSERS.
 Anyone who has a metadata identity is automatically in PUBLIC and also a member of
SASUSERS. (SASUSERS is a subset of PUBLIC.) ReadMetadata and WriteMetadata are denied
for PUBLIC. When you log on to SAS Enterprise Guide with an account that was not associated
with a metadata identity, the person logged on is recognized as belonging to PUBLIC and denied
access to all metadata.
 Permissions on the repository ACT are applied indirectly to all objects in the metadata.
 You can select the Use abbreviations box to abbreviate the permission in order to see more across
the page.
7. From the drop-down menu, select ACT: Pattern Summary.
This gives a listing view of the pattern.
A drop-down menu in the upper right enables you to change the summary view to Group by
permission.
8. Look at the permissions on this object. From the drop-down menu, select Authorization.
9. The Authorization screen shows the security on this object. Every metadata object has the
Authorization screen as part of its properties.
 The hollow square next to the permission represents that the permission is coming from an ACT
applied to the object.
 The filled-in diamond represents that this is an explicit denial. So PUBLIC has an explicit denial of
WriteMetadata, which means that due to identity hierarchy, SASUSERS also has a denial of
WriteMetadata on this object. SAS Administrators would have a denial of WriteMetadata as well if
there was not a direct control of a grant, either by an ACT applied to this object or an explicit grant.
10. To find out what ACT is applied to this object, the Default ACT, select Apply ACT from the drop-
down menu.
The SAS Administrator Settings is applied to the Default ACT.
11. Look at the properties of the repository ACT in SAS Management Console. Log on to SAS
Management Console as Ahmed with the password Student1, if not already logged on.
SAS Management Console can be used to manage ACTs in the Authorization Manager plug-in.
12. Click the Plug-ins tab. Expand Authorization Manager  Access Control Templates.
13. Right-click Default ACT. Notice that the box next to Repository ACT is selected, which signifies
that this ACT is used for the Repository ACT.
14. Select Properties.
15. Click the Permission Pattern tab. This is the template of permissions that is automatically applied
to all of the metadata. Highlight PUBLIC. Notice that ReadMetadata and WriteMetadata are denied.
16. Highlight SASUSERS. Anyone who has a metadata identity is automatically in PUBLIC and also
a member of SASUSERS. SASUSERS is a subset of PUBLIC, but this group has ReadMetadata
and WriteMetadata permissions coming from the repository ACT.
Note: The types of permissions and how they are represented in the interfaces are discussed in the
next section.
17. Click Cancel.
Exercises
1. Exploring Identity Hierarchy and Object Inheritance on a Folder
Note: You have the option of using SAS Environment Manager Administration or SAS
Management Console for the exercises in this chapter. There are step-by-step instructions.
However, the solutions offer more steps and screen shots.
Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup, with
the following comment: Backup Before Adding Security on Chocolate Enterprises
a. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment
Manager on the Favorites bar. Sign in to SAS Environment Manager as Ahmed with the
password Student1.
b. Click the Administration tab. The Folders page is the initial view. If you are already on the
Administration page and another view, click the Side menu and select Folders. Right-click the
Chocolate Enterprises folder and select Open to get to the metadata properties.
c. From the drop-down menu, select Authorization.
Can you remove any of the groups listed under Users and Groups? Why or why not?
Click the square to the left of the identity to highlight the identity. Click the Remove Identities
button in the upper right toolbar.
d. Add the following three group identities: Application Developers, Data Integrators, and
Report Content Creators.
1) Click the Add button in the upper right toolbar to open the Add Identities window.
2) You can enter a few letters of the group name and press Enter, or click the Search button
. Highlight the group and move it over to the Identities to Add pane.
3) Do this for all three groups before clicking OK.
4) Save the changes by clicking the Save button in the upper right toolbar.
What permission is automatically granted to an identity when added?
Note: You can click a permission field, and a window appears that identifies the type of
permission and where it comes from.
e. Right-click Data Integrators and select Open. From the drop-down menu, select Member of.
What group is Data Integrators a member of?
f. Right-click Power Users and select Open to go to the properties of this group identity.
g. From the drop-down menu, select Members.
Who are members of the Power Users group?
h. Click the Previous Level button in the upper left of the page to go back to the Authorization
properties of Data Integrators and click the Previous Level button again to go back to the
Authorization properties of the Chocolate Enterprises folder.
i. Remove the three group identities (Application Developers, Data Integrators, and Report Content
Creators) from the Authorization properties.
1) Click in the square to the left of the identity to highlight it.
Note: You can hold the Ctrl key while selecting all three group identities and delete all three
at once.
2) Click the Remove Identities button in the upper right toolbar.

3) Click Yes when prompted in the pop-up window.
4) Click the Save button in the upper right toolbar

5) Repeat for the other two group identities.
j. Add Power Users to the Authorization of the Chocolate Enterprises folder.
2) Type Power in Available identities and press Enter. Move Power Users over to the Identities
to Add pane. Click OK.
3) Click the Save button in the upper right toolbar.

k. The ReadMetadata permission is automatically granted. You need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions.
1) Click within the permission field and select Grant from the list. Do the same for the other
two permissions.
2) Save your changes .

l. Use the Permissions Inspector to look up the effective permissions for any identity. The
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting (in this case, the Chocolate Enterprises
folder).
m. Enter Kari in the field and select Kari from the drop-down list.
Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She is a
member of the Data Integrators group, which is a member of the Power Users group. The same
permissions are applied indirectly for Kari through her identity hierarchy.
n. Click Close to exit the Permissions Inspector and return to the folder tree by clicking the arrow
next to Chocolate Enterprises in the upper left of the page.
o. Go to the Authorization page of the Data folder under the Chocolate Enterprises folder.
Note: You might need to refresh the view or close out completely of the Administration page to
see the permission changes that you made in previous steps.
Right-click Data and select Open. From the drop-down menu, select Authorization.
p. Highlight Power Users.
Where do these permissions come from?
Note: There is also an indirect grant of WriteMetadata. A grant (or deny) of WMM on a folder
becomes an inherited grant (or deny) of WM on the objects in that folder. This is
discussed in the next section.
q. Can you remove the Power Users group from the Authorization page of the Data folder?
Why not?
r. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
Enterprises folder, select Deny for WriteMetadata. (Notice that WriteMemberMetadata switches
automatically to indirect deny.) Then select Grant for WriteMemberMetadata. Be sure to save
your changes.
a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate

Enterprises and select Properties.)
b. Add the following three groups to the Authorization tab: Application Developers, Data
Integrators, and Report Content Creators.
Note: You can hold down the Ctrl key and highlight all three at once, and then select the single
arrow to move them over to the Selected Identities list.
c. Highlight Data Integrators and select Properties. This accesses the properties of the Data
Integrators group, but as Read-only.
d. Click the Groups and Roles tab.
e. Highlight Power Users and select Properties.
f. Click Cancel and then Close to return to the Chocolate Enterprises folder properties.
g. Remove the three groups (Application Developers, Data Integrators, and Report Content Creators)
from the Users and Groups window.
h. Add Power Users to the Authorization tab.
i. The ReadMetadata permission is automatically granted, and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You need to
stay on the Authorization tab to get to the Advanced button referenced in j.
j. Click the Advanced button.
k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member of
the Data Integrators group, which is a member of the Power Users group. The same permissions
are applied indirectly for Kari through her identity hierarchy.
l. Click OK twice to return to the Chocolate Enterprises folder.
m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.
n. Highlight Power Users.
o. Can you remove the Power Users group from the Authorization tab of the Data folder?
Why not?
p. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
Enterprises folder, select Deny for WriteMetadata (notice that WriteMemberMetadata switches
automatically to indirect deny) and then select Grant for WriteMemberMetadata.
What would happen if you remove the repository ACT?
a. All permissions are denied.

b. Nothing. Permissions will come from somewhere else.
c. All permissions are granted.
d. Permissions come from the SAS Folders authorization tab.
18
Setup for the Poll
Given the Authorization tab for the Marketing Department folder, which
identities are on the Authorization tab of any item stored directly under
that folder?
20
6.2 Exploring Metadata Per missions and ACTs 6-25
that folder?
a. only the identities that need access to the item

b. only the identities added on the specific item
c. only the identities from the Marketing Department Authorization tab
d. the identities from the Marketing Department folder and any added on
that specific item
21
6.2 Exploring Metadata Permissions and

ACTs
Objectives
• Identify how metadata permissions are assigned.

• Define ACTs and how they are used.
• Explore the use and enforcement of the different metadata permissions.
• Review the metadata authorization layer.
24
How Are Permissions Set?
The check box color on the Authorization tab on the properties of a metadata
object in SAS Management Console indicates how the
permission was assigned.
Direct control: Control set directly on the target object and

explicit (WHITE) assigned directly to identity
D ir ect control: Control set directly on the target object and
ACT (GREEN) assigned directly to identity
Indirect setting Comes from someone else (a group that has
(GRAY) an explicit or ACT setting) or from somewhere
else (a parent object, repository ACT)
25
The Search tab in SAS Management Console returns results based on the individual user’s permissions
on individual objects and ignores the permissions on the folder navigation to the object. In other words,
if the user is denied RM on the metadata folder path to the object but granted RM on the object,
the Search tab returns the object even though the user cannot access it through the metadata folders.
How Are Permissions Set?
The shape on the Authorization properties of a metadata object in

SAS Environment Manager indicates how the permission was assigned.
Direct control: ACT Direct control: explicit
Indirect Setting
(no shape)
26
Icon Meaning
Deny from an explicit control
Deny from an applied ACT
Deny from an indirect source (such as a parent group or parent object)
Grant from an explicit control
Grant from an applied ACT
Grant from an indirect source (such as a parent group or parent object)
ACTs
Each ACT consists of a pattern of grants and denials that are assigned to
different users and groups.
• In SAS Management Console, ACTs
are created and managed using the
Authorization Manager plug-in.
• In SAS Environment Manager, ACTs

are created and managed from the
Folders module on the Administration
page: SAS Folders  System 
Security  Access Control Templates.
27
Caution: Do not confuse an ACT’s Authorization tab with its Permission Pattern tab in SAS
Management Console. Authorization tabs control who can modify the item in question.
The Authorization tab on an ACT controls who can modify the ACT, including the
permission pattern.
Default ACT Acts as the repository ACT initially. This ACT provides registered users
RM and WM permission at the repository level.
Private User Folder Applied automatically to each user’s personal folder in conjunction with
ACT explicit settings to grant the user RM, WMM, CM, and R permission.
SAS Administrator Used to grant the SAS Administrators group and SAS System Services
Settings ACT group access to metadata.
If you have SAS Information Delivery Portal at your site, you have the Portal ACT. You might need to
alter the membership of the Portal ACT.
Note: The permission patterns of these predefined ACTs should not be modified.
Note: If you need to modify the repository ACT, a best practice is to not change the current repository
ACT. Create a new ACT with the settings that you want, and designate it as the repository ACT.
This enables you to revert to the previous repository ACT, if needed.
Applying an ACT
When you apply an ACT to an object, the ACT settings are added to the
object’s protections.
28
Metadata Permissions (Review)
The permissions list on each Authorization tab includes at least two

permissions:
ReadMetadata (RM) Controls the ability to view an

item or navigate past a folder.
WriteMetadata (WM) Controls the ability to edit, delete,
rename, or changes permissions
on an item.
Other permissions are specialized and affect only certain types of items.
29
Only permissions relevant to the item are displayed on the Authorization tab.
WriteMemberMetadata Permission
The WriteMemberMetadata (WMM) permission affects only metadata

folders.
WriteMemberMetadata (WMM) Provides control for adding and

removing objects from a folder.
A grant (or deny) of WMM on a folder becomes an inherited grant (or deny)
of WM on the objects in that folder. WMM is not inherited from one folder
to another.
30
Note: Anyone who has a grant of WM on a folder should not be denied WMM on that same folder.
Note: If WMM is not set directly on a folder, the WMM setting mirrors the WM setting. WMM is never
inherited from a parent object.
CheckInMetadata Permission
Change management is a SAS Data Integration Studio feature.
CheckInMetadata (CM) Check in and check out items in a

change-managed area.
In any change-managed areas of a foundation repository, change-managed

users should have CM instead of WM and WMM.
31
Administer Permission
Administer (A) Monitor an OLAP server; stop, pause, resume,

refresh, or quiesce a server or spawner.
For the metadata server, the ability to stop, pause, resume, and quiesce is
managed by the Metadata Server: Operation role, not by the Administer
permission.
32
New permissions in SAS 9.4M2:

Implicit capabilities enable a member of the MetadataServer: User Administration role to manage
the membership of groups and roles and the accounts of users and groups. These tasks can now
be delegated to additional users:
 ManageMemberMetadata (MMM): Alter the membership of a group or role. This permission applies
only to groups and roles. Any user or group that is granted this permission will have the ability to
change membership of the group or role to which it is applied. Granting the WriteMetadata permission
indirectly grants the ManageMemberMetadata permission. This permission can also be explicitly
granted independent of the WriteMetadata permission.
 ManageCredentialsMetadata (MCM): Alter the account information for a user or group. This
permission applies only to users and groups. Any user or group that is granted this permission will have
the ability to administer the logon information for the user or groups to which it is applied. Granting the
WriteMetadata permission can also be explicitly granted independent of the WriteMetadata permission.
Data Permissions
Read (R) Read data via certain objects (for example, cubes,
information maps, LASR tables, or data accessed via the
metadata LIBNAME engine (MLE)).
Create (C) Add data via the metadata LIBNAME engine.
Write (W) Update data via certain objects: data accessed via
publishing channels or the metadata LIBNAME engine.
Delete (D) Delete data via the metadata LIBNAME engine.
33
Caution: Some clients such as SAS Data Integration Studio and SAS Enterprise Guide enable users to
create and run SAS programs that access data directly and bypass metadata layer controls.
Using metadata-bound libraries will disable these users by passing metadata library controls.
Data Permissions for Metadata-Bound Libraries

For secured library objects and secured table objects, SAS enforces the following special metadata-layer
permissions:
Select (S) Read rows within a physical table.
Delete (D) Delete rows in a physical table.
Insert (I) Add rows to a physical table.
Update (U) Update rows in a physical table.
Create Table (CT) Create new physical table.
Drop Table (DT) Delete a physical table.
Alter Table (AT) Replace a physical table.
Relative Precedence of Access Controls
34
Explicit and ACT settings on an object always have priority over settings on the object’s parent.
Authorization Decision Flowchart
35
Permission conditions constrain explicit grants of the Read permission on OLAP dimensions (limiting
access to members) or information maps (limiting access to rows). On the Authorization tab, the presence
of an Edit Condition or Edit Authorization button indicates that a permission condition is assigned
to the currently selected user or group.
Identifying Applicable Permissions

This demonstration illustrates how to use SAS Management Console to identity the applicable
permissions for an item.
1. In SAS Management Console, on the Plug-ins tab, expand Server Manager.
2. Right-click SASApp and select Properties.
3. Click the Authorization tab. Only the RM, WM, CM, and A permissions are listed.
4. Click Cancel.
5. Click the Folders tab.
6. Expand System and select Types.
7. Right-click Application server and select Properties.
8. Click the Advanced tab. The ApplicablePermissions property identifies the permissions that
are applicable to this type of item.
9. Click Cancel.
Exercises
2. Assigning WriteMetadata and WriteMemberMetadata Permissions
Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of Before
adding parent and child folders.
a. On the Administration page, click Side menu and select Folders.
b. Right-click the Chocolate Enterprises folder and select New Folder. Name the new folder
Parent and click OK.
c. Right-click the Parent folder and select Open.
d. From the drop-down menu, select Authorization.

e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?
f. Click in the WriteMemberMetadata field for PUBLIC and select Show Origins.
g. Change the explicit grant of WriteMetadata for PUBLIC back to no explicit control by clicking
the WriteMetadata field and selecting the option. How does this affect WMM permission for
PUBLIC?
h. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission for
PUBLIC?
i. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
for PUBLIC?
j. Add Alex to the Authorization for the Parent folder with an explicit denial of WM permission and
an explicit grant of WMM permission.

2) Type Alex in the Available Identities field and press Enter. Move Alex to the Identities to
Add pane. Click OK.
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.

4) Click the Save button to save the changes.
5) Click Close.
k. Right-click the Parent folder and select New Folder. Name the new folder Child and click OK.
l. Right-click the Child folder and select Open.
m. From the drop-down menu, select Authorization.
n. On the Authorization page of the Child folder, what are the settings for WM permission and
WMM permission for Alex?
o. Do not log off from SAS Environment Manager.
p. Log on to SAS Management Console as Alex using the password Student1. (You cannot do steps
q through s in SAS Environment Manager because Alex is not a member of any role in SAS
Environment Manager and thus cannot authenticate to the Environment Manager Server.)
Note: You can open another SAS Management Console session by selecting Start 
SAS Management Console. Or you can disconnect as Ahmed in the current session
by selecting File  Connection Profile and reconnecting as Alex.
q. Right-click My Folder.
Are the following actions available or dimmed: New Folder, New Stored Process, Rename,
and Delete?
r. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
New Folder, New Stored Process, Rename, and Delete?
s. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
Stored Process, Rename, and Delete?
t. In SAS Environment Manager, delete the Parent folder. However, you must first delete the Child
folder.
1) Right-click the Child folder and select Delete.
2) Click Yes to confirm the delete request.
3) Right-click the Parent folder and select Delete.
a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create
a new folder named Parent.
b. Right-click the Parent folder. Select Properties and click the Authorization tab. Select PUBLIC
and add an explicit grant of WM permission. How does this affect WMM permission for
PUBLIC?
c. Select the grant WriteMetadata box for PUBLIC again to clear the explicit setting. How does
this affect WMM permission for PUBLIC?
d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission
for PUBLIC?
e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
for PUBLIC?
f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
and an explicit grant of WMM permission.
g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
and WMM permissions?
i. Log on to SAS Management Console as Alex using the password Student1.
j. Right-click My Folder. Are the following actions available or dimmed: New Folder, New Stored
Process, Rename, and Delete?
k. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
l. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
m. Delete the Parent folder. You need to log on as Ahmed to delete the Parent folder because Alex
does not have the authorization to do so.
3. Adjusting Conflicting Permission Settings
You can use SAS Environment Manager or SAS Management Console to do this exercise. Refer to
the solutions for step-by-step instructions.
a. Create a new metadata group named Group A. Assign Harvey as a member.
b. Create a new metadata group named Group B. Assign Harvey as a member.
c. Create an ACT named Allow Group A, which grants an RM permission to Group A.
d. Apply the Allow Group A ACT to the Shared Data folder (on the Authorization tab in SAS
Management Console, or the Apply ACT property in SAS Environment Manager).
e. Add Group B to the Authorization of the Shared Data folder and deny RM permission.
f. What is the effective permission for Harvey on the Shared Data folder?
Note: Use the Permissions Inspector in SAS Environment Manager.
Note: Use the Advanced option on the Authorization tab in SAS Management Console.
What is the effect of explicitly denying PUBLIC RM?
a. Only PUBLIC is affected and the settings for the other users and groups
remain unchanged.
b. Only PUBLIC and SASUSERS are affected and the settings for the other
users and groups remain unchanged.
c. PUBLIC is denied RM, which overrides all explicit, ACT, and indirect
settings for the other users and groups.
d. PUBLIC is denied RM, which overrides all indirect settings for the other
users and groups but does not override explicit or ACT settings for other
users and groups.
39
If an ACT includes settings for Ellen and you apply the ACT to an object that
already lists Ellen on the authorization of an object, what happens to Ellen’s
permissions?
a. The settings from the ACT take precedence.

b. The settings from the ACT are ignored.
c. Explicit settings are not affected and indirect settings are changed to ACT
settings.
d. The settings from the groups in her identity hierarchy take precedence.
41
Setup for the Poll
You are given only these settings for the authorization of an object and Eric’s
identity hierarchy:
User or Group Permission Setting
HR Explicit grant RM
Report Creator ACT deny RM
SASUSERS Indirect grant RM
PUBLIC Indirect deny RM
N ote: There are no other groups listed

on the Authorization properties.
43
What is Eric’s effective permission?
a. Grant RM because explicit settings take precedence over ACTs

b. Deny RM because ACT settings take precedence over explicit settings
c. Deny RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a denial
d. Grant RM because when there is a conflict at the same level of an
identity hierarchy, the outcome is a grant
44
Setup for the Poll
You are given only these settings for the authorization of an object and
Eric’s identity hierarchy:
HR ACT grant RM

46
a. Grant RM because grants take precedence over denials

b. Deny RM because denial settings take precedence over grants
identity hierarchy and both permissions are ACTs (or both are explicit),
the outcome is a denial
the outcome is a grant
47
Setup for the Poll
You are given only these settings for the authorization of an object and
Eric’s identity hierarchy:

Finance Explicit grant RM

49
a. Grant RM because explicit grants always take precedence over denials

b. Deny RM because the denial setting is coming from a direct group and
take precedence over grants from an indirect group
c. Deny RM because grants coming from an ACT always take precedence
d. Grant RM because the HR group inherits the Explicit grant of RM from
the Finance Group
50
6.3 Customizing SAS Folders 6-45
6.3 Customizing SAS Folders
Objectives
• Describe the SAS Folders structure.

• Explore custom SAS Folders.
• Review user and group identities.
• Continue with the exercise scenario.
• Promote content in metadata.
53
Creating Custom Folders
Administrators can use the folder view to do the following:

• set up a custom folder structure for users
• import and export metadata and associated files
• set permissions on folders and their content
N ote: SAS Folders inherit security permissions from parent folders if no

object-level controls are applied.
54
SAS Folders are used to organize and secure SAS metadata.

SAS Folders exist only in SAS metadata. There is no corresponding representation, such
as a directory/folder structure in the operating system.
Creating Custom Folders
Guidelines for setting up the SAS Folders structure:

• Keep the folder structure as simple as possible.
• Develop a folder structure that reflects the organization of your work.
• Develop a folder structure that reflects the access rules that you want to
enforce.
Ex a m ple: Business Unit Separation Ex am ple: Regional Separation, Designated Content Creators
P U B LIC
S A S U SERS
S A S Administrators
S A S System Services
M a r keting S a l es
55
Your folder structure could reflect the following:

 your company’s internal organization. For example, each division or department could have its own
high-level folder.
 types of business activities. For example, you could have separate folders for human resources,
sales, research and development, and marketing.
 geography. For example, each country, sales region, or regional office could have its own folder.
 categories of products. For example, each product line or product group could have its own folder.
 time periods. For example, you could have a folder for each year, quarter, or month.
 categories of users. Generally, this type of folder structure is necessary only in large organizations that
have a clear separation of responsibilities (for example, separate teams for data preparation, map
creation, and report creation).
 change-control status. If you have just one deployment of the SAS Intelligence Platform (instead
of separate deployments for development, test, and production), then you might want to use folders
to separate production-status content from content that is in the development or testing stage.
To do so, you can set up separate sets of folders for development, test, and production. Then you can
use the promotion tools to move content from development to test and from test to production.
Note: Do not set up folders based on SAS client applications. It is not necessary or desirable to
organize objects based on which SAS client applications were used to create them. Organizing
folders on this basis can complicate administration tasks such as the assignment of permissions.
Note: Do not set up folders based on object types unless it is necessary for access control. Organizing
folders based on object types can complicate administration tasks such as the assignment of
permissions. As a general rule, you should avoid setting up folders on this basis.
Folders enable you to easily restrict access to content. For example:

 If you want to prevent departments from accessing each other’s content, then you can create a
high-level folder for each department and apply different permissions to each of the folders.
 If you want to restrict access to sensitive content (for example, content related to a sensitive product
line or a business activity such as human resources), then you can create a separate folder for that
content and apply a restrictive access control template (ACT).
 If your organization requires a clear separation of content among different categories of SAS users,
then you can create separate folders for each group. Generally, this type of folder structure is necessary
only in large organizations that have separate teams of SAS users with different job responsibilities.
For example, suppose you have one group of users that works on data preparation tasks (such as
creating libraries, tables, and cubes) and another group creates information maps, stored processes,
and reports). To ensure that the groups do not interfere with one another’s work, you can create a
separate folder for each group and apply different permissions to each of the folders.
Note: If you have separate environments for development, test, and, production, then use the same
folder structure across environments. Using a uniform folder structure will make it easier to
promote objects from one environment to another.
Metadata Users and Groups (Review)

Initial users P UBLIC Initial
groups
S A SUSERS
S A S Administrator
s a s adm@saspw S AS Administrators
S AS System SAS Administrator
S A S Environment Mana ger
S e r vice Account
S ervices
s a s ev@saspw SAS Trusted User SAS EV Service
A c c ount
S A S Trusted User S A S General
s a strust@saspw S e rvers
s assrv and pw
S A S EV App Server
S A S EV Super Users T i e r Users D ata Integrators SAS Trusted User
SAS EV Service
A c c oun t
A pplication R eport Content

D ev elopers C reators
SAS EV Guests
O rion Star …
S A S Ad ministrator Us ers
A n alysts
S ales
M arketing custom groups
M anagers
56
Custom Groups
Custom groups can be based on the following:
Organization Marketing, Acquisitions, Shipping, Finance
Function Power users, ETL developers, data modelers, report creators,

analysts, information consumers
Data Access Oracle group - group with shared credentials

to access third-party database
Special Projects ProjectA, ProjectB - members are across organizations
Executive Oversight Group that needs limited or complete access across all groups
57
Note: Groups can be synchronized with groups from your authentication provider, such as LDAP.
Baseline ACTs
Most of the metadata that needs to be secured is stored in folders and

inherits permissions from folders. One approach to securing folders is to
create and apply some general-use ACTs.
The ACTs can be applied to folders in combination with
• explicit permissions granting access back to particular groups
• additional ACTs that grant access back to particular groups.
58
Baseline ACTs
The Hi de ACT prevents visibility for users who are not in the
SAS Administrators group and gives SAS administrators and service
identities exclusive Read access to metadata.
RM WM WMM CM A R W C D
PUBLIC 
SAS Administrators 
SAS System Services 
59
Baseline ACTs
The Protect ACT prevents updates, deletions, and contributions by users who
are not in the SAS Administrators group and gives SAS administrators
exclusive Write access to metadata.
RM WM WMM CM A R W C D
PUBLIC     
SAS Administrators      
60
These grants ensure that administrators can manage all metadata. If you need to separate administration
privileges, this approach is not granular enough. If you do not want the SAS Administrators group to have
universal access, consider creating parallel sets of baseline ACTs. For example, to separate administration
for an East region and a West region, you might create ACTs such as Hide_East, Hide_West. In each
baseline ACT pattern, you would replace the SAS Administrators group with a narrower administrative
group (for example, East_Admins, West_Admins). The denials to PUBLIC and grants to the SAS System
Services group would not change. Any unrestricted users can still access everything.
Project Folders
If you choose to create project folders, you need to decide the following:
• who should be able to create and modify the project folders themselves
• who should be able to create and modify content within the folders
61
Securing Project Folders
You can enable all members of the organizational group to access the project
folders and create and modify the content within those folders.
62
Securing Organizational Folders
If you have a central group that creates all content, you could secure the
organizational folders as follows:
P o w er Users: + RM , +R, +WM M
P o w er Users: + RM , +R, +WM M
63
Reporting on Metadata
There are various methods to report on your metadata inventory and security
in your platform environment:
• Report Center in SAS Environment Manager
• SAS security macros
• Batch tools
64
Administration Scenario
The Finance and Shipping Departments of the Orion Star Company need to
be set up in the existing SAS environment. You, as the SAS administrator, need
to do the following:
• create metadata identities

• set up SAS folder structure
• add existing content such as stored processes
• secure the new folders
• verify users have sufficient access
• add data sources and verify access
65
Exercises
Exercise scenario: The Finance and Shipping Departments of the Orion Star Company need
to be set up in the existing SAS environment.
 Metadata identities were added previously with the import macros.
 Exercise 4: Custom folders will be created under the Orion Star folder representing the departments.
 Exercise 5 and 6: Content will be imported into the new folders.
 Exercise 7: Baseline ACTs will be created and applied to the folders.
 Exercise 8: Group identities will be added to the appropriate folders with explicit grants.
Use the Metadata Manager Plug-in in SAS Management Console to run an ad hoc backup of metadata,
with the comment Backup before adding folder content and security on Orion Star.
4. Creating Custom Folders
Management Console for the exercise. There are step-by-step instructions, but the solutions
offer more steps and screen shots.
a. Create the Finance Department and Shipping Department folders under the Orion Star folder.
b. Create the Payables and Receivables folders under Finance Department.
Note: You can use the sas-make-folder batch tool to create the folders. See solution step 4b.
5. Importing a Package of Folders
Note: The import and export tools are available only in SAS Management Console, or as batch
tools.
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
Right-click the Payables folder and select Import SAS Package.
In the first step, navigate to D:\Workshop\spaft and select Folder Set.spk to import. Click OK.
Follow the wizard window steps without making any changes.
b. Import the same package, Folder Set.spk, but this time import it into Orion Star  Finance
Department  Receivables.
6. Creating a Package
tools.
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in
D:\Workshop\spaft\export_sp.spk. Also, on the first step in the wizard, select Include
dependent objects when retrieving initial collection of objects.
b. Import export_sp.spk in the Orion Star  Shipping Department folder.
7. Creating and Applying Baseline Access Control Templates (ACT)

One approach to setting permissions on folders is to create general-use ACTs, and apply one or more
of those ACTs to each folder that you need to secure. To grant access back to a particular group,
supplement the ACT settings by adding explicit controls on the target folder. (This is done in
Exercise 8.)
You will create two baseline ACTs:
Hide ACT, which prevents visibility for users who are not in the SAS Administrators group, but does
give SAS administrators and service identities exclusive Read access to metadata
Protect ACT, which will prevent updates, deletions, and contributions by all users who are not in the
Then you will apply the Protect ACT to the Orion Star folder and the Hide ACT to the department
folders below the Orion Star folder.
Note: You have the option of using SAS Environment Manager Administration or SAS Management
Console for the exercise. There are step-by-step instructions, but the solutions offer more
steps and display captures.
a. Create the Hide ACT.

The Hide ACT is designed to prevent visibility for users who are not in the SAS Administrators
or SAS System Services groups.
1) In SAS Environment Manager, on the Administration page (signed in as sasadm@saspw and
password Student1), select Folders from the Side menu. Expand System  Security.
2) Right-click Access Control Templates and select New Access Control Templates.
3) Enter Hide ACT in the Name field and add a description if you choose. Click OK.
4) Right-click Hide ACT and select Open.
5) From the drop-down menu, select ACT: Pattern.
6) Click the Add Identities button in the upper right toolbar to add PUBLIC, SAS System
Services, and SAS Administrators.
7) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS System
Services and SAS Administrators. Click OK.
Note: In order to see the entire Add Identities window, you might need to maximize the
Administration page.
8) Click in the ReadMetadata field for PUBLIC and select Deny.
Verify that SAS System Services is granted RM.
Verify that SAS Administrators is granted RM.
b. Secure the Hide ACT.

1) From the drop-down menu, select Authorization.
2) Change the indirect Deny of ReadMetadata for PUBLIC to a direct Deny. Notice how this
affects the other identities on the authorization of this object.
3) Save your changes.
4) Apply the SAS Administrator Settings ACT to this object to grant back ReadMetadata to SAS
Administrators and SAS System Services. From the drop-down menu, select Apply ACT.
5) Select the SAS Administrators Settings ACT and click Save.
6) From the drop-down menu, select Authorization to see the effects.
7) Click Close to close out of the properties of the Hide ACT.
c. Create the Protect ACT. Follow step a with the following changes (or follow the step-by-step
solutions):
1) Add only PUBLIC and SAS Administrators to the ACT: Pattern.
2) Use the following diagram for the ACT: Pattern:
d. Secure the Protect ACT. Follow step b (or follow the step-by step solutions).
e. Apply the Protect ACT to the Orion Star folder.
1) Right-click Orion Star folder and select Open.
2) From the drop-down menu, select Apply ACT.
3) Select Protect ACT and click Save.
4) View the authorization settings of the Orion Star folder. From the drop-down menu, select
Authorization.
Notice that the SASUSERS group still has ReadMetadata but only SAS Administrators can
modify or delete any content from this folder and below. And the ReadMetadata permissions
are coming from somewhere else except for SAS Administrators, which is coming from the
Protect ACT.
5) Click Close in the upper right toolbar to return to the Folders view.
f. Apply the Hide ACT to the four department folders below the Orion Star folder.
1) Right-click the Finance Department folder and select Open.
3) Select Hide ACT and click Save.
4) View the authorization settings of the Finance Department folder. From the drop-down menu,
select Authorization.
Notice that only SAS Administrators have visibility because of the Hide ACT that was
applied. We will grant access back to the appropriate groups in the next exercise.
6) Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1-5.

1) Expand the Authorization Manager plug-in. Right-click the Access Control Templates
folder and select New Access Control Template.
2) Enter Hide ACT in the Name field on the General tab.
3) Move to the Permission Pattern tab. Click Add next to Users and Groups. Clear the Show
Users check box to list only groups. Hold down the Ctrl key and click the desired groups:
PUBLIC, SAS System Services, and SAS Administrators. Click to move them to the
Selected Identities pane.
4) Click OK.
5) Highlight PUBLIC and deny RM.
6) Highlight SAS System Services and verify that RM is granted.
7) Highlight SAS Administrators and verify that RM is granted.
8) Click OK to create the ACT.

1) Right-click Hide ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT, select
Access Control Template. Move the SAS Administrators Settings ACT from Available to
Currently Using and click OK.
3) Select PUBLIC and explicitly deny RM, changing the indirect deny of RM to explicit. This
will affect SASUSERS because of identity hierarchy. SASUSERS now have an indirect deny
of RM, whereas before they had indirect grant of RM coming from the Repository ACT.
c. Create the Protect ACT.
The Protect ACT is designed to prevent updates, deletions, and contributions by all users who are
not in the SAS Administrators group.
2) Enter Protect ACT in the Name field on the General tab.
PUBLIC and SAS Administrators. Click to move them to the Selected Identities pane.
4) Click OK.
5) Highlight PUBLIC and deny WM, and then click RM to remove any grant or deny.
6) Highlight SAS Administrators and verify that RM is granted and grant WM, CM, and W.

d. Secure the Protect ACT.
1) Right-click Protect ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Protect ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
Available to Currently Using and click OK.
1) On the Folders tab, right-click Orion Star folder and select Properties.
2) Click the Authorization tab, and click Access Control Template.
3) Move Protect ACT over to Currently Using and click OK.
4) Review the authorization settings.
Notice that the SASUSERS group still has ReadMetadata, but only SAS Administrators can
Protect ACT.
5) Click OK to save your changes.
1) Right-click the Finance Department folder and select Properties.
3) Move Hide ACT over to Currently Using and click OK.
Notice that SASUSERS is denied ReadMetadata because the group is a subgroup of
PUBLIC, which is denied ReadMetadata through the HIDE ACT. But SAS Administrators
still have visibility. You will grant access back to the appropriate groups in the next exercise.
Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
8. Adding Groups to Folders
Note: You can use SAS Environment Manager or SAS Management Console to add identities to
folders and set permissions on folders. Refer to the solutions for step-by-step instructions.
Add group identities to folders based on the table below.
Group Name Folder Grant Permissions
Power Users Finance Department,

Marketing Department,
RM, R, WMM, CM
Sales Department,
Shipping Department
Finance Finance Department RM, R

Marketing Marketing Department RM, R
Sales Sales Department RM, R
Shipping Shipping Department RM, R
Note: There is an automatic grant of ReadMetadata for any identity that is added to the
Authorization of an object.
Note: The group identities added will be automatically added to the subfolders’ authorization with
the same permissions inherited, and Power Users will also have WM indirectly granted
because they were given WMM on the parent folder.
a. Right-click the Finance Department folder and select Open.
b. Under the drop-down menu, select Authorization.
c. Add Finance and Power Users to the Authorization.
1) Click the Add Identities button in the upper right toolbar.

2) Search Finance and move the group identity to the Identities to add pane.
3) Search Power Users and move the group identity to the Identities to add pane.
4) Click OK.
d. Verify that the two groups added have ReadMetadata.
1) Click in the Read field for Finance and select Grant.
2) Click in the WriteMemberMetadata field for Power Users and select Grant.
3) Give grants for CheckInMetadata and Read fields for Power Users as well.
e. Save your changes in the upper right toolbar and click Close.
f. Repeat steps a through e for the other three folders: Marketing Department, Sales Department, and
Shipping Department.

RM, R, WMM, CM
Sales Department,
Shipping Department

the same permissions inherited, and Power Users will also have WM indirectly granted
because they were given WMM on the parent folder.
a. Right-click the Finance Department folder and select Properties.
b. Click Add on the Authorization tab of the Finance Department folder.
c. Clear Show Users so that you show only a list of groups.
d. Select Finance and Power Users in the Available Identities list and click to move the
identity to the Selected Identities list.
e. Click OK.
f. Verify that the two groups added have ReadMetadata.
1) Grant Finance the Read permission as well.
2) Grant Power Users the WriteMemberMetadata, CheckinMetadata, and Read permissions as
well.
g. Click OK.
h. Repeat steps a through g for the other three folders: Marketing Department, Sales Department,
and Shipping Department.
9. (Optional) Verifying Access
a. Verify the access of someone who is a power user, such as Kari, who is a member of the Data
Integrators group. She should be able to add and modify content in any subfolders of the Orion
Star folder.
b. Verify the access of someone who is in a department group, and not in Orion Star Users (the
power user group), such as Lynn. She is in the Marketing group, so verify her access to the
Marketing Department folder, as well as her access to one of the other department folders, such as
Finance Department.
c. Impersonating an end user, log on to a client application such as SAS Enterprise Guide.
1) Open SAS Enterprise Guide. Click My Server in the bottom right of the interface to modify
the connection profile.
2) Click Modify.
3) Enter Kari as the user. No other changes are needed. (Student1 is the password for
everyone.)
4) Can Kari rename, delete, and add a new folder to the Finance Department folder? If so, she
has the appropriate permissions for a power user.
5) Click My Server and modify the connection profile, but this time log on as Lynn.
6) Can Lynn see any folders under the Orion Star folder, other than her own department folder
of Marketing Department? Can she rename, delete, and add a new folder to the Marketing
Department folder? If not, she has the appropriate permissions for a report consumer in the
Marketing group.
10. (Optional) Reporting on Security
SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
for a specified set of identities, permissions, and objects. This macro is documented in
SAS® 9.4 Intelligence Platform: Security Administration Guide.
Note: In SAS 9.4, the sas-show-metadata-access batch tool can generate the same information
as the %Mdsecds macro. For information about the batch tool, refer to SAS® 9.4 Intelligence
Platform: Security Administration Guide.
Note: The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web report).
A sample reporting program is provided with your software in the following location:
For Linux Server
SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas
For Windows Server

SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas
a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
on the Finance folder. (If you did not do the previous exercises from this chapter, use the
Marketing folder.)
Note: For example, if you want to identify the permissions on the Marketing Department folder,
use the following syntax:
options metaserver=sasserver metauser="Ahmed"
%mdsecds(folder="\Orion Star\Marketing Department",

includesubfolders=no);
b. Use the %Mdsecds macro to identify the effective permissions of a Finance member
on the Finance folder.
Note: For example, if you want to identify the effective permissions of Ellen on the Marketing
Department folder, use the following syntax:
includesubfolders=no, identitynames="Ellen",
identitytypes="Person");
c. Use the %Mdsecds macro to identify the effective permissions of a Finance member
and the PUBLIC group on the Finance folder.
Note: For example, if you want to identify the effective permissions of Ellen and PUBLIC
on the Marketing Department folder, use the following syntax:
includesubfolders=no, identitynames="Ellen,PUBLIC",
identitytypes="Person,IdentityGroup");
d. Refer to the %Mdsecds macro documentation to answer the following questions:
Hint: Refer to the %Mdsecds macro syntax in SAS® 9.4 Intelligence Platform: Security
 If you do not specify the Folder option, what is the default starting point?
 What option would you use to limit the types of objects that are searched?
 What option would you use to limit the permissions that are included?
Setup for the Poll
68
What do the settings on the Authorization tab in SAS Management Console

or SAS Environment Manager Administration of the ACT affect?
a. The settings are applied where the ACT is applied.

b. The settings control who can access and modify the ACT itself.
c. The settings control who can access and modify the repository.
d. The settings are ignored and have no effect.
69
Setup for the Poll
71
The Private User Folder ACT does not include permissions for individual users
such as Barbara. How is Barbara granted access to her My Folder?
a. Barbara is a member of PUBLIC, so the ACT settings for PUBLIC

determine Barbara’s access.
b. Barbara is explicitly granted access on the Authorization tab of her
My Folder.
c. Barbara is explicitly granted access on the Authorization tab of the
Barbara folder and the settings are inherited.
d. Users with the same name as the parent folder are implicitly granted
access.
72
What should the setting for PUBLIC for RM be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT is applied should
determine the setting
74
continued...
General Guidelines
When you assign permissions:

• All users with a metadata identity should have RM and WM permissions in
the foundation repository ACT.
• To enable someone to interact with a folder’s contents but not with the
folder itself, grant WMM and deny WM.
• Before you deny RM on a folder, consider the navigational consequences.
For simplifying your metadata security implementation and maintenance,
consider following these guidelines:
• In general, it is not necessary to add protection to predefined folders.
• Do not deny access to SAS administrators, and do not deny RM permission
to SAS System Services. 76
General Guidelines
• To hide a subfolder branch, apply the Hide ACT to a particular folder and
grant back RM permission to any groups who should have access.
• Use PUBLIC as the broadest group to deny access and then grant access
back to the appropriate group.
• Secure resources with a combination of inherited settings and ACTs. Use
explicit permission settings sparingly.
• Apply security to groups, not users, Include explicit groups on an ACT only
to grant access, never deny. You can deny access to implicit groups on ACTs.
• Always have a designated repository ACT.
77
Best Practice: Write and Maintain a Security Model

(Review)
The SAS administrator should write and maintain a security policy to include
• authorization (access rights and permissions) in SAS
• any data or databases accessed via SAS
• OS-managed assets.
The security model refers to security-related procedures that apply to the

installation, configuration, and management of the SAS platform. The model
conforms to whatever standards and practices are followed by your
organization.
78
Here are the major components of a security model:

 Users and groups definitions and authentication
 Specification of what users and groups have access to which resources (authorization)
 Organization of SAS assets on the file systems and in SAS metadata
 Encryption procedures
 Backup/recovery of SAS assets.
You should be aware of the following components that have been put in place during the installation and
deployment process:
 SAS Application Server components
 Other SAS Servers
 Ports that are used by each server to listen for incoming requests
 Configuration directories that store configuration files, logs, scripts, and special-purpose SAS data sets
on each SAS server machine and each middle-tier machine
 Initial SAS users, groups, and roles that have been defined, both on your host OS and the SAS
Metadata Repository
6.4 Solutions
1. Exploring Identity Hierarchy and Object Inheritance on a Folder
Management Console for the exercises in this chapter. There are step-by-step instructions, but
the solutions offer more steps and screen shots.
Verify that you are logged on to SAS Management Console as Ahmed. Run an ad hoc backup, with
the following comment: Backup Before Adding Security on Chocolate Enterprises
a. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment
Manager on the Favorites bar. Sign in to SAS Environment Manager as Ahmed with the
password Student1.
b. Click the Administration tab. The Folders page is the initial view. If you are already on the
Administration page and another view, click the Side menu and select Folders. Right-click the
Chocolate Enterprises folder and select Open to get to the metadata properties.
c. From the drop-down menu, select Authorization.
6.4 Solutions 6-69
Click the square to the left of the identity to highlight the identity. Click the Remove Identities
button in the upper right toolbar.
The four groups listed cannot be removed because they are coming from the Repository
ACT.
d. Add the following three group identities: Application Developers, Data Integrators, and
Report Content Creators.
2) You can enter a few letters of the group name and press Enter, or click the Search button
. Highlight the group and move it over to the Identities to Add pane.
3) Do this for all three groups before clicking OK.
4) Save the changes by clicking the Save button in the upper right toolbar.
The newly added groups are automatically given a grant of ReadMetadata.
Note: You can click a permission field, and a window appears that identifies the type of
permission and where it comes from.
e. Right-click Data Integrators and select Open. From the drop-down menu, select Member of.

Power Users
f. Right-click Power Users and select Open to go to the properties of this group identity.
6.4 Solutions 6-71
g. From the drop-down menu, select Members.

h. Click the Previous Level button in the upper left of the page to go back to the Authorization
properties of Data Integrators and click the Previous Level button again to go back to the
Authorization properties of the Chocolate Enterprises folder.
i. Remove the three group identities (Application Developers, Data Integrators, and Report
Content Creators) from the Authorization properties.
1) Click in the square to the left of the identity to highlight it.
Note: You can hold the Ctrl key while selecting all three group identities and delete all three
at once.
2) Click the Remove Identities button in the upper right toolbar.
3) Click Yes when prompted in the pop-up window.

5) Repeat for the other two group identities.
j. Add Power Users to the Authorization of the Chocolate Enterprises folder.
6.4 Solutions 6-73
2) Type Power in Available identities and press Enter. Move Power Users over to the Identities
to Add pane. Click OK.
k. The ReadMetadata permission is automatically granted. You need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions.
1) Click within the permission field and select Grant from the list. Do the same for the other
two permissions.
l. Use the Permissions Inspector to look up the effective permissions for any identity. The
Permissions Inspector is represented by the button in the upper right toolbar of the
Authorization page of the object that you are inspecting (in this case, the Chocolate Enterprises
folder).
m. Enter Kari in the field and select Kari from the drop-down list.
Kari’s effective permissions for this object (Chocolate Enterprises folder) are displayed. She is a
member of the Data Integrators group, which is a member of the Power Users group. The same
n. Click Close to exit the Permissions Inspector and return to the folder tree by clicking the arrow
next to Chocolate Enterprises in the upper left of the page.
o. Go to the Authorization page of the Data folder under the Chocolate Enterprises folder.
Note: You might need to refresh the view or close out completely of the Administration page to
see the permission changes that you made in previous steps.
Right-click Data and select Open. From the drop-down menu, select Authorization.
6.4 Solutions 6-75
p. Highlight Power Users.

The group was added to the Chocolate Enterprises definition (the parent folder), and the
permissions set for this identity at that level are inherited.
q. Can you remove the Power Users group from the Authorization page of the Data folder?
Why not?
The group was added to the Chocolate Enterprises properties (the parent folder).
Therefore, it cannot be removed from lower objects.
r. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
Enterprises folder, select Deny for WriteMetadata. (Notice that WriteMemberMetadata switches
automatically to indirect deny.) Then select Grant for WriteMemberMetadata. Be sure to save
your changes.
a. Go to the Authorization tab of the Chocolate Enterprises folder. (Right-click Chocolate

Enterprises and select Properties.)
The four groups listed cannot be removed because they are coming from the Repository
ACT.
b. Add the following three groups to the Authorization tab: Application Developers, Data
Integrators, and Report Content Creators.
Note: You can hold down the Ctrl key, highlight all three at once, and then select the single
arrow to move them over to the Selected Identities pane.
The newly added groups are automatically given a grant of ReadMetadata.
c. Highlight Data Integrators and select Properties. This displays the properties of the Data
Integrators group, but as Read-only.
6.4 Solutions 6-77
d. Click the Groups and Roles tab. What group is Data Integrators a member of?
e. Highlight Power Users and select Properties.

Data Integrators, Application Developers, and Report Content Creators are members
of Orion Star Users.
f. Click Cancel and then Close to return to the Chocolate Enterprises folder properties.
g. Remove the three groups (Application Developers, Data Integrators, and Report Content Creators)
from the Users and Groups window.
Hold down the Ctrl key and highlight the three groups. Then select Remove.
Click Yes to confirm the removal.
h. Add Power Users to the Authorization tab.
6.4 Solutions 6-79
i. The ReadMetadata permission is automatically granted and you need to give grants for the
WriteMemberMetadata, CheckInMetadata, and Read permissions. Do not click OK. You need to
stay on the Authorization tab to get to the Advanced button referenced in j.
j. Click the Advanced button.
k. Click the Explore Authorizations tab. Enter Kari in the Name or Display Name field.
Click Search Now. Kari’s effective permissions for this item are displayed. She is a member
of the Data Integrators group, which is a member of the Power Users group. The same
l. Click OK twice to return to the Chocolate Enterprises folder.

m. Go to the Authorization tab of the Data folder under the Chocolate Enterprises folder.
Right-click the Data folder under the Chocolate Enterprises folder and select Properties.
6.4 Solutions 6-81
n. Highlight Power Users. Where do these permissions come from?

The permissions that were given on the parent folder, Chocolate Enterprises, are inherited
by the Data folder, a subfolder. The gray background of the Grant and Deny boxes means
that they are indirect settings, coming from somewhere else. In this case, that is the parent
folder: Chocolate Enterprises.
o. Can you remove the Power Users group from the Authorization tab of the Data folder?
Why not?
The group was added to the Chocolate Enterprises properties (the parent folder) and
therefore cannot be removed from lower objects.
p. (Optional) If you do not want Power Users to modify or delete these folders below the Chocolate
Enterprises folder, select Deny for WriteMetadata (notice that WriteMemberMetadata switches
automatically to indirect deny), and then select Grant for WriteMemberMetadata.
2. Assigning WriteMetadata and WriteMemberMetadata Permissions
Log on to SAS Management Console as Ahmed. Run an ad hoc backup, with a comment of Before
adding parent and child folders.
a. On the Administration page, click Side menu and select Folders.
b. Right-click the Chocolate Enterprises folder and select New Folder. Name the new folder
Parent and click OK.
c. Right-click the Parent folder and select Open.
6.4 Solutions 6-83
d. From the drop-down menu, select Authorization.
e. Add an explicit grant of WM permission for PUBLIC. Click in the WriteMetadata field for
PUBLIC and select Grant from the list. How does this affect WMM permission for PUBLIC?
It changes the WMM permission to a Grant.
f. Click in the WriteMemberMetadata field for PUBLIC and select Show Origins.
g. Change the explicit grant of WriteMetadata for PUBLIC back to no explicit control by clicking
the WriteMetadata field and selecting the option.
How does this affect WMM permission for PUBLIC?

It changes both WM and WMM permission back to indirect Deny.
h. Add an explicit grant of WMM permission for PUBLIC.

How does this affect WM permission for PUBLIC?
No change for WM
6.4 Solutions 6-85
i. Remove the explicit WMM permission grant for PUBLIC.

How does this affect WM permission for PUBLIC? No change for WM permission
j. Add Alex to the Authorization page for the Parent folder with an explicit denial of WM permission

2) Type Alex in the Available Identities and press Enter. Move Alex to the Identities to Add
pane. Click OK.
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata.
4) Click the Save button to save the changes.

5) Click Close .
k. Right-click the Parent folder and select New Folder. Name the new folder Child and click OK.
l. Right-click the Child folder and select Open.
m. From the drop-down menu, select Authorization.
n. On the Authorization page of the Child folder, what are the settings for WM permission and
WMM permission for Alex?
Both WM and WMM permissions are granted indirectly. Because he was explicitly granted
WMM on the Parent folder, he indirectly has WM on the child folder and any objects below
the Parent folder.
6.4 Solutions 6-87
o. Do not log off from SAS Environment Manager.

p. Log on to SAS Management Console as Alex using the password Student1. (You cannot do steps
q through s in SAS Environment Manager because Alex is not a member of any role in SAS
Environment Manager and thus cannot authenticate to the Environment Manager Server.)
q. Right-click My Folder.
and Delete?
New Folder and New Stored Process are available. Rename and Delete are dimmed. Because
it is Alex’s own My Folder, he can add content, as he is implicitly given WMM on his own
folder, but implicitly denied WM (the ability to modify his My Folder definition itself).
r. Right-click the Chocolate Enterprises folder.

and Delete?
None are available. This is because he does not have WMM on the Chocolate Enterprises
folder (the ability to add content in the folder) nor WM (the ability to modify the metadata
folder definition itself).
s. Right-click the Parent folder.

and Delete?
Alex can add a folder and stored process but cannot rename or delete this folder. This
is because he has WMM (the ability to add content in the folder) but not WM (the ability
to modify the metadata folder definition itself).
t. In SAS Environment Manager, delete the Parent folder. However, you must first delete the Child
folder.
1) Right-click the Child folder and select Delete.
6.4 Solutions 6-89
3) Right-click the Parent folder and select Delete.
a. On the Folders tab, right-click Chocolate Enterprises and select New Folder. Create a new
folder named Parent.
1) On the Folders tab, right-click Chocolate Enterprises and select New Folder.
2) Enter the name Parent and click Finish.
b. Right-click the Parent folder. Select Properties, and click the Authorization tab. Select
PUBLIC and add an explicit grant of WM permission. How does this affect WMM permission
for PUBLIC?
It changes the WMM permission to Grant with an indirect background color.
c. Select the grant WriteMetadata box for PUBLIC again to clear the explicit setting. How does
this affect WMM permission for PUBLIC?
It changes both WM and WMM permission back to indirect Deny.
6.4 Solutions 6-91
d. Add an explicit grant of WMM permission for PUBLIC. How does this affect WM permission for
PUBLIC?
No change for WM
e. Remove the explicit WMM permission grant for PUBLIC. How does this affect WM permission
for PUBLIC? No change for WM permission
f. Add Alex to the permissions list for the Parent folder with an explicit denial of WM permission
1) Click Add.
2) Select Alex from the list in the Available Identities list box. Click to move Alex
to the Selected Identities list box. Click OK to add Alex to the folder.
3) Select Deny for WriteMetadata and Grant for WriteMemberMetadata. Click OK to save
the changes.
g. Right-click the Parent folder and select New Folder. Create a new folder named Child.
Click Finish to create the folder.
6.4 Solutions 6-93
h. On the Authorization tab of the Child folder, select Alex. What are the settings for WM
permission and WMM permission?
Both WM and WMM permissions are granted indirectly.
i. Log on to SAS Management Console as Alex using the password Student1.

j. Right-click My Folder. Are the following actions available or dimmed: New Folder, New Stored
Process, Rename, and Delete?
New Folder and New Stored Process are available. Rename and Delete are dimmed. Because
it is Alex’s own My Folder, he can add content, as he is implicitly given WMM on his own
folder, but implicitly denied WM (the ability to modify his My Folder definition itself).
k. Right-click the Chocolate Enterprises folder. Are the following actions available or dimmed:
None are available. This is because he does not have WMM on the Chocolate Enterprises
folder (the ability to add content in the folder) nor WM (the ability to modify the metadata
folder definition itself).
l. Right-click the Parent folder. Are the following actions available or dimmed: New Folder, New
Alex can add a folder and stored process but cannot rename or delete this folder. This
is because he has WMM (the ability to add content in the folder) but not WM (the ability
to modify the metadata folder definition itself).
m. Delete the Parent folder. You need to log on as Ahmed to delete the Parent folder because Alex
does not have the authorization to do so.
1) Right-click the Parent folder and select Delete from the drop-down menu.
6.4 Solutions 6-95
3. Adjusting Conflicting Permission Settings

You can use SAS Environment Manager or SAS Management Console to do the exercise. Refer to the
solutions for step-by-step instructions.
1) On the Administration page, click Side menu and select Users.
2) From the Filter , select Group.
3) Click the Add User/Group/Role button in the upper right toolbar and select New
Group.
4) Enter Group A as the name and click Save.
5) On the drop-down menu, select Members.

7) Search for Harvey and move the identity to the Direct members pane.
Click OK.
8) Click the Save button and click Close.
6.4 Solutions 6-97
1) Click the Add User/Group/Role button in the upper right toolbar and select
New Group.
2) Enter Group B as the name and click Save.
3) From the drop-down menu, select Members.
5) Search for Harvey and move the identity to the Direct members pane. Click OK.

c. Create an ACT named Allow Group A, which grants RM permission to Group A.
1) Click Side menu and select Folders.
2) Navigate to System  Security  Access Control Templates.
3) Right-click Access Control Templates and select New Access Control Template.
6.4 Solutions 6-99
4) Enter Allow Group A for the name. Click OK.
5) Right-click the Allow Group A ACT and select Open.
7) Add Group A by clicking the Add button in the upper right toolbar.
8) Search for Group A and move the identity to the Identities to add pane. Click OK.
9) Verify that Group A has a grant of RM.

1) Right-click the Shared Data folder and select Open.
6.4 Solutions 6-101
3) Check the box next to the Allow Group A ACT. Save the changes but do not close out.

3) Search for Group B and move the identity to the Identities to add pane. Click OK.
4) Click in the ReadMetadata field for Group B and select Deny.
5) Save the changes .
Harvey is denied all permissions.
1) Click the Permissions Inspector button in the upper right toolbar.

2) Type Harvey and select Harvey from the list.
3) Close out of the permissions inspector.

1) Right-click User Manager and select New  Group.
2) Enter Group A as the name.
6.4 Solutions 6-103
3) Click the Members tab. Select Harvey and move it to the Current Members list box.
Click OK.

1) Right-click User Manager and select New  Group.
2) Enter Group B as the name.
3) Click the Members tab. Select Harvey and then click to move it to the Current Members
list box.
4) Click OK.
c. Create an ACT named Allow Group A, which grants RM permission to Group A.
1) Expand Authorization Manager.
2) Right-click Access Control Templates and select New Access Control Template.
3) Enter Allow Group A for the name.
4) On the Permission Pattern tab, add Group A and grant RM permission.
5) Click OK.
1) Right-click the Shared Data folder and select Properties. Click the Authorization tab.
2) Click Access Control Templates.
3) Expand Foundation and select Allow Group A in the Available list box. Click to move
it to the Currently Using list box.
4) Click OK.
1) Click Add. Select Group B and then click to it move it to the Selected Identities list box.
2) Click OK.
3) Explicitly deny RM for Group B and make sure that the other permissions are indirectly
denied.
4) Click OK.
Harvey is denied all permissions.
4. Creating Custom Folders
Use the Metadata Manager Plug-in in SAS Management Console to run an ad hoc backup
of metadata, with the comment Backup before adding folder content and security on Orion Star.
offer more steps and Display captures.
Note: You can use the sas-make-folder batch tool to create the folders. See solution step 4b.
6.4 Solutions 6-105
1) Select Folders from the Side menu. Right-click the Orion Star folder and select New
Folder.
2) Enter Finance Department for Name and click OK.
3) Repeat steps 1 and 2 for the Shipping Department.

Follow the steps in 4a.
1) Right-click Orion Star folder and select New  Folder.
2) Enter Finance Department for Name and click Finish.
3) Repeat steps 1 and 2 for the Shipping Department.

Follow the steps in 4a.
To use the sas-make-folder batch tool, do the following:
For Linux Server
6.4 Solutions 6-107
2. Enter the following: ./sas-make-folder -host “sasserver.demo.sas.com” -port 8561 -

user “Ahmed” -password “Student1” “/Orion Star/Finance
Department/Payables” -makeFullPath
Repeat for Receivables under the Finance Department folder and the Shipping
Department.
For Windows Server

1. Access the CMD window from the Start menu.
3. Enter the following: sas-make-folder.exe -host “sasserver.demo.sas.com” -port 8561

-user “Ahmed” -password “Student1” “/Orion Star/Finance
Department/Payables” -makeFullPath
Repeat for Receivables under the Finance Department folder and the Shipping
Department.
5. Importing a Package of Folders

tools.
a. Import Folder Set.spk into Orion Star  Finance Department  Payables.
1) Right-click the Payables folder and select Import SAS Package.
In the first step, navigate to D:\Workshop\spaft and select Folder Set.spk to import. Click
OK.
Follow the wizard window steps without making any changes.
6.4 Solutions 6-109
2) Click Next.
3) Click Next three more times and click Finish.

b. Import the same package, Folder Set.spk, but this time import it into Orion Star  Finance
Department  Receivables.
6. Creating a Package
tools.
a. Use the Export SAS Package Wizard to create a package from the Orion Star  Marketing
Department  Stored Processes folder. Save the package in
D:\Workshop\spaft\export_sp.spk. Also, in the first step in the wizard, select Include
dependent objects when retrieving initial collection of objects.
1) Right-click Orion Star  Marketing Department  Stored Processes and select
Export SAS Package.
2) Navigate to the location D:\Workshop\spaft. Name the file export_sp.spk. Select Include
dependent objects when retrieving initial collection of objects. Click Next.
6.4 Solutions 6-111
3) Click Next.
4) Click Next twice, and click Finish.

b. Import export_sp.spk in the Orion Star  Shipping Department folder.
1) Right-click Orion Star  Shipping Department and select Import SAS Package.
2) Browse the location of the export_sp.spk file that was just created. If you are doing this
in sequence, the location and file will automatically show up in the browse location.
Click Next.
3) No more changes are needed, so click Next four times. Click Finish.
6.4 Solutions 6-113
7. Creating and Applying Baseline Access Control Templates (ACT)

One approach to setting permissions on folders is to create general-use ACTs, and apply one or more
of those ACTs to each folder that you need to secure. To grant access back to a particular group,
supplement the ACT settings by adding explicit controls on the target folder. (This is done in
exercise 8.)
You will create two baseline ACTs:
Hide ACT, which prevents visibility for users who are not in the SAS Administrators group, but does
give SAS administrators and service identities exclusive Read access to metadata
Protect ACT, which will prevent updates, deletions, and contributions by all users who are not in the
Then you will apply the Protect ACT to the Orion Star folder and the Hide ACT to the department
folders below the Orion Star folder.
Note: You have the option of using the Administration page of SAS Environment Manager or SAS
offer more steps and screen shots.

1) In SAS Environment Manager, on the Administration page (signed in as sasadm@saspw and
password Student1), select Folders from the Side menu. Expand System  Security.
3) Enter Hide ACT in the Name field and add a description if you choose. Click OK.
4) Right-click Hide ACT and select Open.
7) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS System
Services and SAS Administrators. Click OK.
6.4 Solutions 6-115
8) Click in the ReadMetadata field for PUBLIC and select Deny.

Verify that SAS System Services is granted RM.
Verify that SAS Administrators is granted RM.

7) Click Close to close out of the properties of the Hide ACT.
6.4 Solutions 6-117

2) Enter Protect ACT in the Name field and add a description if you choose. Click OK.
3) Right-click Protect ACT and select Open.
6) Search PUBLIC and move the identity to the Identities to add pane. Repeat for SAS
Administrators. Click OK.
7) Use the following diagram for the ACT: Pattern:
6.4 Solutions 6-119


7) Click Close to close out of the properties for the Protect ACT.

1) Right-click Orion Star folder and select Open.
6.4 Solutions 6-121
3) Select Protect ACT and click Save.
4) View the authorization settings of the Orion Star folder. From the drop-down menu, select
Authorization.
Protect ACT.
1) Right-click the Finance Department folder and select Open.
2) From drop-down menu, select Apply ACT.
3) Check Hide ACT and click Save.
4) View the authorization settings of the Finance Department folder. From the drop-down menu,
select Authorization.
Notice that only SAS Administrators have visibility, because of the Hide ACT that was
applied. We will grant access back to the appropriate groups in the next exercise.
6) Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
Department folders by repeating steps 1 through 5.

6.4 Solutions 6-123
2) Enter Hide ACT in the Name field on the General tab.
PUBLIC, SAS System Services, and SAS Administrators. Click to move them to the
Selected Identities pane.
4) Click OK.
5) Highlight PUBLIC and deny RM.
6) Highlight SAS System Services and verify that RM is granted.
7) Highlight SAS Administrators and verify that RM is granted.
6.4 Solutions 6-125

1) Right-click Hide ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Hide ACT, select
Access Control Template. Move the SAS Administrators Settings ACT from the Available
to Currently Using and click OK.

The Protect ACT is designed to prevent updates, deletions, and contributions by all users who are
not in the SAS Administrators group.
2) Enter Protect ACT in the Name field on the General tab.
PUBLIC and SAS Administrators. Click to move them to the Selected Identities pane.
4) Click OK.
6.4 Solutions 6-127
5) Highlight PUBLIC and deny WM, and then click RM, to remove any grant or deny
6) Highlight SAS Administrators and verify that RM is granted and grant WM, CM, and W.

1) Right-click Protect ACT and select Properties. Click the Authorization tab.
2) Apply the SAS Administrator Settings ACT. On the Authorization tab of the Protect ACT,
select Access Control Template. Move the SAS Administrators Settings ACT from
Available to Currently Using and click OK.
6.4 Solutions 6-129

1) On the Folders tab, right-click Orion Star folder and select Properties.
3) Move Protect ACT over to Currently Using and click OK.

Protect ACT.
5) Click OK to save your changes.
1) Right-click the Finance Department folder and select Properties.
6.4 Solutions 6-131
3) Move Hide ACT over to Currently Using and click OK.
Notice that SASUSERS is denied ReadMetadata because the group is a subgroup of

PUBLIC, which is denied ReadMetadata through the HIDE ACT. But SAS Administrators
still have visibility. You will grant access back to the appropriate groups in the next exercise.
Apply the Hide ACT to the Marketing Department, Sales Department, and Shipping
8. Adding Groups to Folders

Note: You can use SAS Environment Manager or SAS Management Console to add identities to
folders and set permissions on folders. Refer to the solutions for step-by-step instructions.

Sales Department, RM, R, WMM, CM
Shipping Department
the same permissions inherited, and Power Users will also have WM indirectly granted since
they were given WMM on the parent folder.
a. Right-click the Finance Department folder and select Open.
b. Under the drop-down menu, select Authorization.
6.4 Solutions 6-133
c. Add Finance and Power Users to the Authorization.

2) Search Finance and move the group identity to the Identities to add pane.
3) Search Power Users and move the group identity to the Identities to add pane.
4) Click OK.
d. Verify that the two groups added have ReadMetadata.

1) Click in the Read field for Finance and select Grant.
2) Click in the WriteMemberMetadata field for Power Users and select Grant.
3) Give grants for CheckInMetadata and Read fields for Power Users as well.
e. Save your changes in the upper right toolbar and click Close.
f. Repeat steps a through e for the other three folders: Marketing Department, Sales Department, and
Shipping Department.

RM, R, WMM, CM
Sales Department,
Shipping Department
the same permissions inherited, and Power Users will also have WM indirectly granted since
they were given WMM on the parent folder.
6.4 Solutions 6-135
a. Right-click the Finance Department folder and select Properties.
b. Click Add on the Authorization tab of the Finance Department folder.
c. Clear Show Users so that you show only a list of groups.
d. Select Finance and Power Users in the Available Identities list and click to move the
identity to the Selected Identities list.
e. Click OK.
f. Verify that the two groups added have ReadMetadata.

1) Grant Finance the Read permission as well.
2) Grant Power Users the WriteMemberMetadata, CheckinMetadata, and Read permissions as

well.
g. Click OK.
6.4 Solutions 6-137
h. Repeat steps a through g for the other three folders: Marketing Department, Sales Department,
and Shipping Department.
9. (Optional) Verifying Access
a. Verify the access of someone who is a power user, such as Kari, who is a member of the Data
Integrators group. She should be able to add and modify content in any subfolders of the Orion
Star folder.
b. Verify the access of someone who is in a department group, and not in Orion Star Users (the
power user group), such as Lynn. She is in the Marketing group, so verify her access to the
Marketing Department folder, as well as her access to one of the other department folders, such as
Finance Department.
c. Impersonating an end user, log on to a client application such as SAS Enterprise Guide:
1) Open SAS Enterprise Guide. Click My Server in the bottom right of the interface to modify
the connection profile.
2) Click Modify.
3) Enter Kari as the user. No other changes are needed. (Student1 is the password for
everyone.)
Click Save  Yes  OK  Close.

4) Can Kari rename, delete, and add a new folder to the Finance Department folder? If so, she
has the appropriate permissions for a power user.
5) Click My Server and modify the connection profile, but this time log on as Lynn.
Repeat step a.
6.4 Solutions 6-139
6) Can Lynn see any folders under the Orion Star folder, other than her own department folder
of Marketing Department? Can she rename, delete, and add a new folder to the Marketing
Department folder? If not, she has the appropriate permissions for a report consumer
in the Marketing group.
10. (Optional) Reporting on Security

SAS provides a macro, %Mdsecds, to help you extract, filter, and format authorization data
for a specified set of identities, permissions, and objects. This macro is documented in
SAS® 9.4 Intelligence Platform: Security Administration Guide.
Note: In SAS 9.4, the sas-show-metadata-access batch tool can generate the same information
as the %Mdsecds macro. For information about the batch tool, refer to SAS® 9.4 Intelligence
Platform: Security Administration Guide.
Note: The output of the %Mdsecds macro is SAS data sets. You can create your own reports
from these data sets (through SAS programming or an information map and a web report).
A sample reporting program is provided with your software in the following location:
For Windows Server

SAS-installation-directory\SASFoundation\9.4\core\sample\secrpt.sas
For Linux Server

SAS-installation-directory/SASFoundation/9.4/samples/base/secrpt.sas
a. In SAS Enterprise Guide, use the %Mdsecds macro to identify the permissions that are set
includesubfolders=no);
b. Use the %Mdsecds macro to identify the effective permissions of a Finance member
includesubfolders=no, identitynames="Ellen",
identitytypes="Person");
c. Use the %Mdsecds macro to identify the effective permissions of a Finance member
and the PUBLIC group on the Finance folder.
includesubfolders=no, identitynames="Ellen,PUBLIC",
identitytypes="Person,IdentityGroup");
d. Refer to the %Mdsecds macro documentation to answer the following questions:
Hint: Refer to the %Mdsecds macro syntax in SAS® 9.4 Intelligence Platform: Security
1) If you do not specify the folder option, what is the default starting point?
By default, the starting point is the server root (the SAS Folders node).
2) What option would you use to limit the types of objects that are searched?
MEMBERTYPES
3) What option would you use to limit the permissions that are included?
PERMS
6.4 Solutions 6-141
What would happen if you remove the repository ACT?
a. All permissions are denied.

b. Nothing. Permissions will come from somewhere else.
c. All permissions are granted.
d. Permissions come from the SAS Folders authorization tab.
19
that folder?
a. only the identities that need access to the item

b. only the identities added on the specific item
c. only the identities from the Marketing Department Authorization tab
d. the identities from the Marketing Department folder and any added on
that specific item
22
What is the effect of explicitly denying PUBLIC RM?
a. Only PUBLIC is affected and the settings for the other users and groups
remain unchanged.
b. Only PUBLIC and SASUSERS are affected and the settings for the other
users and groups remain unchanged.
c. PUBLIC is denied RM, which overrides all explicit, ACT, and indirect
settings for the other users and groups.
d. PUBLIC is denied RM, which overrides all indirect settings for the other
users and groups but does not override explicit or ACT settings for other
users and groups.
40
If an ACT includes settings for Ellen and you apply the ACT to an object that
already lists Ellen on the authorization of an object, what happens to Ellen’s
permissions?
a. The settings from the ACT take precedence.

b. The settings from the ACT are ignored.
c. Explicit settings are not affected and indirect settings are changed to ACT
settings.
d. The settings from the groups in her identity hierarchy take precedence.
N ote: If there are conflicting ACT settings, the denial settings are used.
42
6.4 Solutions 6-143
a. Grant RM because explicit settings take precedence over ACTs

b. Deny RM because ACT settings take precedence over explicit settings
identity hierarchy, the outcome is a denial
identity hierarchy, the outcome is a grant
45
a. Grant RM because grants take precedence over denials

b. Deny RM because denial settings take precedence over grants
the outcome is a denial
the outcome is a grant
48
a. Grant RM because explicit grants always take precedence over denials

b. Deny RM because the denial setting is coming from a direct group and
take precedence over grants from an indirect group
c. Deny RM because grants coming from an ACT always take precedence
d. Grant RM because the HR group inherits the Explicit grant of RM from
the Finance Group
51
What do the settings on the Authorization tab in SAS Management Console

or SAS Environment Manager Administration of the ACT affect?
a. The settings are applied where the ACT is applied.

b. The settings control who can access and modify the ACT itself.
c. The settings control who can access and modify the repository.
d. The settings are ignored and have no effect.
70
6.4 Solutions 6-145
The Private User Folder ACT does not include permissions for individual users
such as Barbara. How is Barbara granted access to her My Folder?
a. Barbara is a member of PUBLIC, so the ACT settings for PUBLIC

determine Barbara’s access.
b. Barbara is explicitly granted access on the Authorization tab of her
My Folder.
c. Barbara is explicitly granted access on the Authorization tab of the
Barbara folder and the settings are inherited.
d. Users with the same name as the parent folder are implicitly granted
access.
73
What should the setting for PUBLIC for RM be on the Protect ACT?
a. Deny
b. Grant
c. nothing, because the context in which the ACT is applied should
determine the setting
75
Chapter 7 Establishing
Connectivity to Data Sources
7.1 Registering Libraries and Tables in Metadata .......................................................... 7-3
Demonstration: Registering SAS Library and Table Metadata in SAS Environment
Manager ....................................................................................... 7-12
Demonstration: Registering SAS Library and Table Metadata in SAS Management
Console (Optional).......................................................................... 7-21
Exercises............................................................................................................. 7-24
7.2 Setting Up Data Access........................................................................................... 7-27

Exercises............................................................................................................. 7-37
7.3 Solutions ................................................................................................................. 7-44

Solutions to Student Activities (Polls/Quizzes) ........................................................... 7-86
7-2 Chapter 7 Establishing Connectivity to Data Sources
7.1 Registering Libraries and Tables in Metadata 7-3
7.1 Registering Libraries and Tables in

Metadata
Objectives
• Identify two ways to access data.

• Register a SAS library and tables in the metadata.
3
Data Sources
The platform includes several options for data storage including:

• SAS data sets
• Third-party data stores
• ODBC data sources
D a t a Sources
• Hadoop
For each type of data source, SAS uses the appropriate engine SAS Data Sets
SAS OLAP Cubes
Third-party Data Stores
to access the data. Enterprise Resource
Planning (ERP) Systems
4
The BASE engine is used to access SAS data sets. SAS data sets (tables) are the default SAS storage
format. A SAS table contains data values that are organized as a table of rows and columns. A SAS data
set can be processed by SAS software.
You can use SAS/ACCESS Interface to Oracle or SAS/ACCESS Interface to ODBC to access Oracle
tables. SAS/ACCESS Interface to Oracle uses the Oracle engine. SAS/ACCESS Interface to ODBC uses
the ODBC engine.
Accessing Data
Accessing data can be done in these ways:

• writing SAS code to connect to the data source
libname orion "d:\workshop\orion";
• referring to the metadata registration of the data source
5
When you write SAS code, the LIBNAME statement, with the appropriate native engine, can be used
in SAS applications that offer a programmatic interface (for example, SAS Enterprise Guide), as well
as in stored processes and batch jobs. You can also include LIBNAME statements in autoexec files.
An alternative to the native engine is to use the META engine in the LIBNAME statement.
libname orstar meta library="Orion Star Library";
The META engine causes a lookup in the metadata for the connection information and metadata
permission check. This is similar to having a user of a SAS application select a table from a list
of metadata-registered tables.
Accessing Data
By selecting a table registered in metadata, users

have to go through metadata layer controls.
By submitting a LIBNAME statement directly,

users can bypass metadata layer controls.
Regardless, host access to the data is required.
6
If a library is metadata bound, even if a user tries to access it directly, metadata layer permissions
are enforced.
Accessing Data without Metadata
7
The data can be local to the workspace server machine or in a remote location that is accessed using
a network path. Data cannot be accessed via mapped drives on the SAS Application Server. You must use
the UNC path, such as \\dataserver\sourcetables.
Accessing Data with Metadata
8
The appropriate LIBNAME statement is created from the information retrieved from the metadata.
Accessing Relational Data with Metadata
9
SAS/ACCESS must be on the same machine as the SAS process that accesses the data. In a UNIX
environment, the configuration of SAS/ACCESS requires setting some environment variables.
The database client installation and configuration is typically done by a database administrator (DBA).
The DBA has access to tools that help test the configuration and connection to the database server.
Databases typically maintain credentials separate from other authentication providers.
Connection Information
For RDBMS libraries, additional connection information is required and could

be erroneous:
• server host
• database name
• schema name
• credentials
10
Troubleshooting Data Access
The library metadata is converted to a LIBNAME statement, which you can

access from the Data Library Manager. Copy the LIBNAME statement from
SAS Management Console and submit it in a SAS session.
11
For troubleshooting a SAS/ACCESS library configuration when registering tables fails, perform the
following steps:
1. From SAS Management Console, right-click the library icon and select Display LIBNAME
Statement.
2. Start SAS on the SAS server host, or use a client application such as SAS Enterprise Guide, which
includes a Program Editor, and issue the LIBNAME statement displayed from SAS Management
Console.
3. If the SAS log indicates failure, check the following items:

a. If this is UNIX environment, check your UNIX environment variables:
http://support.sas.com/documentation/cdl/en/bidsag/67493/HTML/default/viewer.htm #p1w3
v98qca3sfzn1rzty2tngrfyq.htm
b. Check and revise the LIBNAME statement. For more information about LIBNAME statements
for SAS/ACCESS engines, see SAS/ACCESS® for Relational Databases: Reference. If you are
successful at this stage, then use the Properties tab of the library to reconfigure the library.
c. Confirm that SAS/ACCESS is installed correctly. For installation information, go to the Install
Center at http://support.sas.com/documentation/installcenter/94 and use the operating system
and SAS version to locate the appropriate SAS Foundation Configuration Guide.
4. If the connection succeeds, run the DATASETS procedure:
PROC DATASETS LIBRARY=libref;
QUIT;
If no members are returned, then check the schema value by performing the next step or contacting
your database administrator.
5. Log on with the user account to the host where the SAS server is running, and use the native database
client to connect to the database. If this fails, confirm that the user account has file system privileges
to the database client binaries and libraries.
Connection to External Database Server (Review)
Providing access to a third-party database such as Oracle or DB2 usually

requires maintaining a SAS copy of external credentials in the metadata
(outbound login).
The outbound login can be associated with the following:
• an individual metadata identity if each user has unique database credentials
• a group metadata identity if a collection of users shares database credentials
12
An authentication domain is a SAS metadata object that pairs logins with the server definitions where
those credentials are correctly authenticated.
For example, an Oracle server definition and the SAS copies of Oracle credentials (outbound logins) have
the same authentication domain value (for example, “OracleAuth”) if those credentials authenticate on
that Oracle Server. Authentication domains can be managed using the Server Manager plug-in or the User
Manager plug-in. Right-click the plug-in and select Authentication Domains.
Registering Libraries and Tables in Metadata
Table registrations rely on other information in the metadata, including

library and server definitions.
The following applications can be used to register tables and libraries in the
metadata:
• SAS OLAP Cube Studio
• SAS Data Integration Studio
13
Setting up a connection from SAS to a database management system is a two-step process:

1. Register the database server. This can be done within the New Library Wizard when specifying the
server and connection information. Or it can be registered through the Server Manager Plug-in.
2. Register the database library.
Registering Libraries and Tables in Metadata
The library object contains the connection information (engine,

location of data, additional information as needed) and the libref.
The table object is a description of the table including column

information (names, types, attributes), indexes, name of physical
table, and the library that holds the connection information.
N ote: There are some uniqueness requirements when you register libraries
and tables in the metadata.
14
The same library name cannot be used multiple times in the same metadata folder or for the same
application server.
The same table name cannot be used multiple times in the same metadata folder or for the same library.
 To associate a library with an application server, you need WM permission for the server and WMM for
the parent folder.
 To associate a table with a library, you need WM permission for the library and WMM for the parent
folder.
 For a table accessed via the metadata LIBNAME engine, you need Read permission in order to access
data.
 For a table accessed via a native engine (that is, BASE, ORACLE, TERADATA), the Read permission
in Metadata is ignored, so Grant or Deny has no effect. This is also true for the Write, Create, and
Delete permissions.
Metadata-Bound Libraries and Tables
Enforcement for a metadata-bound library originates from the physical data.
15
When accessing a traditional table, a user can bypass metadata-layer controls by making a direct request.
When accessing a metadata-bound table, a user cannot completely bypass metadata-layer controls. Even
on a direct request, UserA is always subject to a metadata-layer permissions check before accessing SAS
data from SAS.
For each metadata-bound table, information within the table header identifies a corresponding metadata
object (a secured table object). Metadata-layer permissions on each secured table object affect access
from SAS to the corresponding physical table.
For the metadata-bound table, UserB is subject to two metadata-layer authorization checks against two
different metadata objects. The first check is against a traditional table object. The second check is against
a secured table object.
Only Base SAS data, SAS tables, and SAS views can be bound to metadata. Binding data to metadata
does not prevent the use of operating system commands against files or directories.
Setting up a metadata-bound library involves the following:

1. In the SAS metadata, below the /System/Secured Libraries/ folder, identify or create an appropriately
secured folder for the data.
2. Use either SAS Management Console or SAS code to bind the physical library to metadata. For SAS
code, submit a CREATE statement with the AUTHLIB procedure. The options in the AUTHLIB
procedure reference your physical data directory and the metadata folder that you identified in step 1.
3. If you want to support access from clients that use metadata in order to locate data, make sure that
the physical library and tables are also registered in metadata.
For more information, refer to SAS® Guide to Metadata Bound Libraries.
Data Permissions for Metadata-Bound Libraries
For secured library objects and secured table objects, SAS enforces the
following special metadata-layer permissions:
Select (S) Read rows within a physical table.
D elete (D) Delete rows in a physical table.
I n sert (I) Add rows to a physical table.
Up date (U) Update rows in a physical table.
C r eate Table (CT) Create new physical table.
D r op Table (DT) Delete a physical table.
Alt er Table (AT) Replace a physical table.
16
Registering SAS Library and Table Metadata in SAS

Environment Manager
This demonstration illustrates how to use SAS Environment Manager to register a SAS library and tables
in the metadata.
Note: For the current release of SAS Environment Manager, you can browse any type of library that has
been defined in SAS metadata. You can create and edit definitions for Base SAS libraries and
SAS LASR Analytic libraries.
1. Sign in to SAS Environment Manager as Ahmed using the Student1 password.
2. Select the Administration tab. To open the Libraries module, click Side menu in the
SAS Environment Manager banner and select Libraries.
3. The Libraries view displays a table of all library definitions in the SAS Metadata Server. You can
filter by library type, as well as search the table, sort the table by a selected column and choose which
columns appear in the table.
4. To register a new library, click the New Library button in the upper right toolbar.
5. Enter Orion Gold ship1 for the metadata library name. (The libref is included in the metadata library
object name as an example of an access structure that you can use for SAS Enterprise Guide users.)
6. Select Browse to navigate to the SAS Folder location.
7. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.
8. For Type, select SAS Base Library.
9. Enter ship1 as the libref. Keep Engine as Base.

Note: A libref is a nickname or short reference to the physical location of the data. It is a best
practice to use unique librefs in the metadata. Uniqueness of librefs is not enforced.
10. Check the box next to the path of the physical storage of the data.
For Linux /opt/sas/Workshop/OrionStar/orgold

You will need to add the path for Linux.
For Windows D: \Workshop\OrionStar\orgold
a. Click the Add button in the upper right toolbar.
b. Enter /opt/sas/Workshop/OrionStar/orgold. Click OK.
The path will automatically be added to the list and checked.
11. Click OK.

12. After the definition is created, it automatically opens to basic properties to enable you to specify any
non-required options.
13. To register tables in metadata to this library, from the drop-down menu select Tables.
14. Click the Register Tables button in the toolbar.
15. You cannot register tables until the library is assigned to a SAS server context. Click Close.
16. From the drop-down menu, select Assign SAS Servers.
17. Check the box next to SASApp.
Note: This assignment makes the library available to the servers in the SASApp application server
context.
Caution: If you do not assign a library to an application server, the library is not available in some
client applications including SAS Enterprise Guide. Unless you want to intentionally
limit the accessibility of a library by this method, you should assign each library to an
application server. It is a best practice to use metadata-layer and operating-system-layer
permissions to control access to data.
18. Click the Save button in the upper right toolbar.
19. From the drop-down menu, select Tables to register tables.
20. Click the Register Tables button in the toolbar.
Note: If you are signed in as sasadm@saspw, you will receive an error because that account is
internal and does not have access to a SAS Workspace Server.
21. Change the location to /Orion Star/Shipping Department by using the Browse button. Select
CUSTOMER_DIM, GEOGRAPHY_DIM, ORGANIZATION_DIM, and TIME_DIM.
22. Click OK.

23. Select Show details. (The METALIB procedure is used to register these tables. The METALIB
procedure is discussed in the next section.)
24. Click Close.

Note: You can register tables from the Libraries module. Right-click the library and select
Register Tables from the pop-up menu. The Register Tables dialog box appears.
Note: You can register tables from the Folders module. Navigate to the library and right-click the
library and select Register Tables from the menu.
25. The library and tables are stored in the Orion Star  Shipping Department folder. Click the
Side menu button and select Folders.
26. Expand Orion Star  Shipping Department.
Registering SAS Library and Table Metadata in

SAS Management Console (Optional)
This demonstration illustrates how to use SAS Management Console to register a SAS library and tables
in the metadata.
1. Log on to SAS Management Console 9.4 as Ahmed using the Student1 password.
2. On the Plug-ins tab, expand Data Library Manager  Libraries.
3. Right-click Libraries and select New Library.
4. Select SAS BASE Library and click Next.
5. Enter the name Orion Gold ship1 and click Browse. (The libref is included in the metadata library
object name as an example of an access structure that you can use for SAS Enterprise Guide users.)
6. Navigate to SAS Folders  Orion Star  Shipping Department and click OK.
7. Click Next.
8. Move SASApp to the Selected servers list box and click Next.
Note: This assignment makes the library available to the servers in the SASApp application server
context.
Caution: If you do not assign a library to an application server, the library is not available in some
client applications including SAS Enterprise Guide. Unless you want to intentionally
limit the accessibility of a library by this method, you should assign each library to an
application server. It is a best practice to use metadata-layer and operating-system-layer
permissions to control access to data.
9. Enter ship1 as the libref.
Note: A libref is a nickname or short reference to the physical location of the data. It is a
best practice to use unique librefs in the metadata. Uniqueness of librefs is not
enforced.
10. Move the following path over:
For Linux /opt/sas/Workshop/OrionStar/orgold
For Windows D:\Workshop\OrionStar\orgold
Note: If the path to the data source location is not in the available items, click New and navigate to
the location.
11. Click Next.
12. Review the settings and click Finish.
13. Right-click Orion Gold ship1 and select Register Tables.
14. Verify the library settings and click Next.

Note: If you are prompted for credentials, you are probably logged on as an unrestricted user with
only an internal account.
15. Hold down the Ctrl key and select CUSTOMER_DIM, GEOGRAPHY_DIM,
ORGANIZATION_DIM, and TIME_DIM. Click Next.
16. Click Next.

17. Click Finish.
18. The tables are registered in the metadata and now appear in SAS Management Console.
Exercises
1. Registering a SAS Library and Tables

a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on as
Ahmed using the password Student1.
You can use SAS Environment Manager or SAS Management Console to register a SAS library.
1) Make sure you are signed on to SAS Environment Manager as Ahmed and password
Student1. On the Administration page, click Side menu and select Libraries.
2) Select New Library button in the upper right toolbar.

3) Create a library with the following characteristics:
Name Customer orders ordetail
Folder location /Orion Star/Shipping Department
Library Type SAS Base Library
Libref ordetail
Engine BASE
Path specification  On the Linux server: /opt/sas /Workshop/OrionStar/ordetail

 On the Windows server: D:\Workshop\OrionStar\ordetail
Note: You will need to add the path to the existing list.
Assigned SAS SASApp

Servers
Note: Be sure to save your changes after assigning a SAS Server.

4) Register the following tables in the Customer Orders ordetail library and store the metadata
in the same folder as the library:
CUSTOMER, ORDERS, ORDER_ITEM, PRICE_LIST, PRODUCT_LIST
1) Right-click Libraries and select New Library.
Name Customer Orders ordetail
Server SASApp
Libref ordetail
Path specification  On the Linux server: /opt/sas /Workshop/OrionStar/ordetail

Note: You will need to add the path to the existing list in the wizard.
2. Verifying Library and Table Metadata in SAS Enterprise Guide
a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping Folder in
SAS Management Console. Log on as Ahmed using the password Student1.
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
permission on the Shipping Department folder.
c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he will
be able to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries. Through
the Server list, you can see the metadata libraries and the tables that are registered to those
libraries.
Note: Only SAS Enterprise Guide and SAS Add in For Microsoft Office have a Server list
display.
e. Right-click Customer Orders ordetail and select Properties. What is the libref? Click Close.
f. Enter the following LIBNAME statement in the Program Editor and run the program:
libname ordetail meta library='Customer Orders ordetail';
Note: To get to the Program Editor, select Program  New Program. Or you can select
File  New  Program.
Check for errors in the log.
If it was successfully assigned, you will see that under the server list, the library icon for
Customer Orders ordetail has changed to yellow because it has been assigned. (You
will need to refresh the view by right-clicking SASApp under the Server List and
selecting Refresh.)
Note: The five tables that were registered in the previous exercise are listed under the library
in the Server list.
g. Select the Folders list in the resource pane in the bottom left of the interface. Expand
Orion Star  Shipping Department. Do you see the library? Do you see any tables?
Note: If you did the demonstration, you will also see the registered tables from that library.
h. Open one of the tables. (You can right-click and select Open or double-click the table.) Are you
able to open the table?
i. In the log, the physical location of the data is specified. Enter the following LIBNAME statement
into the Program Editor:
For Linux Server

libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';
For Windows Server
libname ordetail 'D:\Workshop\OrionStar\ordetail';
This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You will need to refresh the
view by right-clicking SASApp under the Server List and selecting Refresh.)
How many tables appear in the Folders list, Orion Star  Shipping?
j. Use SAS Environment Manager or SAS Management Console to grant back to Shipping the
Read permission on the Shipping Department folder. Or, you can recover from the backup that
you performed in step a.
3. Listing Libraries, Librefs, and Their Server Contexts

Metadata DATA step functions provide a programming-based interface to create and maintain
metadata on the SAS Metadata Server. This program uses metadata DATA step functions to return
more detailed information about the libraries. The results are returned to a libraries data set in the
Work library. The requested data includes the library metadata ID, the library name, the libref, the
engine, the path on the file system (or if DBMS data, the DBMS path), and the server contexts
to which the library is associated.
a. In SAS Enterprise Guide, open the program extractlibrefandserverapp.sas that is located
on the client machine. Select Program tab Open Program. Navigate to D:\Workshop\spaft.
b. Verify the connection information to the metadata server in the OPTIONS statement at the top
of the program.
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs?
Note: Sample programs and more information about using DATA step functions to extract
metadata information can be found in the following documentation: SAS® 9.4 Language
Interfaces to Metadata, Second Edition.
7.2 Setting Up Data Access 7-27
7.2 Setting Up Data Access
Objectives
• Identify how libraries can be assigned.

• Pre-assign a library.
• Examine considerations for how to make data available.
21
Library Assignment
Assigning a library to a SAS server enables

• the SAS server to access the library
• the library to be visible to users of the SAS server
• control over which SAS engine is used by the SAS server to access data,
if the library is pre-assigned.
By default, libraries are assigned by the client applications, but not until a
user tries to access a library. In other words, library assignment is deferred
until it is needed.
22
Assigning a library to a SAS server means letting the SAS server session know that a libref (a shortcut
name) is associated with the information that a SAS session needs to access a data library.
Pre-assigned Libraries
Pre-assigned libraries
• are assigned when the server starts.
• require the administrator to configure the environment so that the SAS
server finds out about the libref and the SAS engine to use for data access
at server start-up. So the connection information is established before any
code that uses that libref is submitted.
• mean that the libraries do not become available to the user until all
pre-assigned libraries are assigned.
23
Pre-assigned libraries are assigned using the server’s identity. For servers that run under shared
credentials, such as the Stored Process Server, this means that the library is assigned using the shared
identity, not an individual user identity.
Note: The disadvantage of pre-assigning libraries is that pre-assigning an excessive number of libraries
can slow the execution of SAS jobs for all users.
Pre-assigning Libraries
You can pre-assign a library in these ways:

• in the metadata
• in a server autoexec file
Libraries assigned by an autoexec file take precedence over same-named
libraries that are pre-assigned in the metadata.
N ote: The best practice when pre-assigning libraries is to use only one
method if possible. If you have configuration information in two
places, maintenance increases.
24
Pre-assigning Libraries in the Metadata
To pre-assign libraries in metadata, use SAS Management Console,

or SAS Environment Manager.
25
By native library engine: The library is assigned through the METAAUTORESOURCES options. You use
the library engine defined for the library.
By metadata LIBNAME engine: The library is assigned through the METAAUTORESOURCES options.
You use the metadata LIBNAME engine (MLE). Using the MLE ensures that access controls that are
placed on the library and its tables and columns are enforced in metadata.
By external configuration: The library is assigned through an external definition or by an autoexec file.
Pre-assigning Libraries in an Autoexec File
1. Add the LIBNAME statement to the autoexec file.
libname orstar
"S:\Workshop\OrionStar\orstar";
libname orstar meta

library="Orion Star Library";
2. Restart the object spawner and any server processes whose autoexec
files were modified.
26
Note: You cannot see the LIBNAME statement in the properties of the metadata library if the library is
pre-assigned.
The LIBDEBUG option reports to the SAS log the LIBNAME statement, which is generated behind
the scenes when the META engine is used.
libname orstart meta library="Orion Star Library" libdebug;
Metadata LIBNAME Engine
The metadata LIBNAME engine points to metadata, rather than referencing

the actual physical data. The engine does the following:
• retrieves library connection information from the metadata (physical
location of data, credentials if required, and so on)
• enforces additional metadata permissions (Read, Write, Create, Delete)
• uses the access engine (such as Base or Oracle) in the library definition to
read values from tables in the library
27
You can use the appropriate METAOUT option value on your META LIBNAME statement in your
autoexec file for pre-assignment.
METAOUT=ALL You can read, create, update, and delete observations in physical tables
that exist and are registered in metadata. You cannot create or delete
*default entire tables.
You can read, create, update, and delete physical tables.
METAOUT=DATA
METAOUT=DATAREG You can read, update, and delete physical tables that are defined in
metadata. You can create a table, but you cannot read, update, or delete
the new table until it is defined in metadata.
If you want to use the META engine and do not need to create or delete tables, do the following:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by the metadata LIBNAME engine.
Note: Using this option results in using the metadata engine with the METAOUT=ALL option.
This LIBNAME option specifies that you can read, create, update, and delete observations
in physical tables that exist and are registered in metadata. You cannot create or delete entire
tables.
If you want to use the META engine and need to create or delete tables, do the following:
1. Register the library in the metadata.
2. Flag the library as pre-assigned by external configuration.
3. Add the metadata LIBNAME statement to an autoexec file. You can use the appropriate METAOUT=
option value. For example:
libname meta library="Orion Star Library" metaout=data;
Note: Omitting the METAOUT= option in your LIBNAME statement or flagging the
pre-assignment in metadata with the metadata engine results in using the metadata engine
with the METAOUT=ALL option.
4. Restart the object spawner and any server processes whose autoexec files were modified.
For the SAS/CONNECT server and the SAS DATA Step Batch server, modify the server’s
sasv9_usermods.cfg file by adding the following SAS system option:
-metaautoresources 'SASApp'
Default Engines Used
Application Li brary Mi nimum Metadata

Eng ine Used A uthorizations Required
SAS Add-In for Microsoft Office META Library: ReadMetadata
SAS Enterprise Guide Table: ReadMetadata
Read
SAS Data Integration Studio Native engine Library: ReadMetadata
SAS OLAP Cube Studio Table: ReadMetadata
28
When libraries are not pre-assigned, each SAS application accesses data with the SAS engine that makes
the most sense for that application. Applications typically used for queries and reporting are designed
to use the metadata engine. Applications typically used to update or create tables are designed to use
the native engine.
Note: The metadata authorization layer supplements operating system and RDBMS security. It does not
replace it. Operating system and RDBMS authorization should always be used as the first means
of securing access to tables.
Metadata LIBNAME Engine Used Metadata LIBNAME Engine Not Used
Library not SAS Enterprise Guide SAS Data Integration Studio

pre-assigned SAS Add-In for Microsoft Office SAS OLAP Cube Studio
Library  in metadata with meta engine  in metadata with native engine
pre-assigned  in autoexec file with meta engine  in autoexec file with native engine
SAS Enterprise Guide and SAS Add-In

for Microsoft Office
If you administer only SAS Enterprise Guide and SAS Add-In for Microsoft
Office, consider the following questions:
• Should users be permitted to create new tables or modify
existing tables in the library?
• Do you want metadata permissions enforced on tables?
• Should the library connection be deferred until
needed or made when the server starts
(pre-assignment)?
29
Library Metadata and AssignMode
Anytime that SAS Enterprise Guide or SAS Add-In assigns a library, the
library’s value of AssignMode is used, if present, to determine the assignment
behavior. For libraries assigned with the META engine, the value of
AssignMode is also used to set the value for the METAOUT= option.
With an AssignMode value of 0, data is accessed through the underlying

engine and no metadata permissions on tables or columns are enforced.
Tables can be seen only through the Server list.
30
Note: This would have the same effect as pre-assigning a library with the native LIBNAME statement.
Caution: You risk permanently corrupting the library metadata if you do not enter a valid name and
value for the extended attribute.
AssignMode Values
0 The library is assigned using SAS Enterprise Guide. Data is accessed through the underlying
engine and no metadata permissions on tables or columns are enforced.
1 The library is assigned using the META engine with the METAOUT=ALL option (the
default META engine behavior). Metadata permissions are enforced and the user only sees
registered tables. The metadata and physical tables are prevented from becoming out of
sync, even if the user has permissions such as Write and Delete on tables in the library.
2 The library is assigned using the META engine with the METAOUT=DATA option.
Metadata permissions are enforced for all registered tables, but the user sees all physical
tables in the library. The user can change, create, and delete registered tables
if he has appropriate permissions in the metadata. This can cause the metadata and the
physical tables to become out of sync.
4 The library is assigned using the META engine with the METAOUT=DATAREG option.
Metadata permissions are enforced and the user only sees registered tables. In this mode, the
users can change, create, and delete the tables if they have appropriate permissions in the
metadata. This can cause the metadata and the physical tables to become out of sync. If the
user creates a table, he cannot read, update, or delete the newly created table until it is
registered in metadata.
Other applications, such as SAS Data Integration Studio, ignore the AssignMode extended attribute when
you assign libraries.
Access to Data in Stored Processes
You have several options to make data available to a stored process:

• include the LIBNAME statement using the native engine in the code
• include the LIBNAME statement using the META engine in the code
• pre-assign the library
31
If you include a LIBNAME statement in the code:

 The library is assigned when the code runs.
 Metadata layer permissions for the user running the code are checked.
 Operating system access is based on the account under which the server runs.
 RDBMS access is based on the credentials used to make the connection.
If you choose to include the LIBNAME statement using the native engine in the code, you need
 include RDBMS credentials for RDBMS data or include the AUTHDOMAIN= option so that
credentials can be retrieved from the metadata for the connecting user
 maintain connection information included in the LIBNAME statements in the code
If you choose to include the LIBNAME statement using the META engine in the code, you need
 maintain RDBMS credentials in the metadata
 maintain the connection information in the metadata
Updating Table Metadata
Updating table metadata synchronizes the physical data with the metadata
definitions of the data. The following methods are available:
• update Metadata task in SAS Management Console and Data Integration
Studio
• update Library Metadata task in SAS Enterprise Guide
• custom code using the METALIB procedure
32
Updating table metadata enables you to do the following:

 Add table metadata for tables that exist in the physical library but have no metadata in the repository.
 Delete metadata for table definitions that exist in the metadata repository but do not have a
corresponding table in the physical library.
 Update table definitions to match corresponding physical tables, including changes to the table’s
columns and indexes.
PROC METALIB provides options for maintaining your table metadata that are not available in SAS
Management Console.
 The Update Library Metadata task in SAS Enterprise Guide uses PROC METALIB.
 The Update Library Metadata task is available from the Task List, under the Tools category,
or by selecting Tools  Update Library Metadata.
 The METALIB procedure gives you the most control over the updating features and can be run in
batch.
Caution: The METALIB procedure can produce “duplicate” table registrations in the same
metadata folder. These are two tables with the same name but registered to different
libraries. SAS Data Integration Studio table properties highlight the differences.
The METALIB procedure syntax is as follows:
PROC METALIB;
OMR <=> (LIBID = <">identifier<"> | LIBRARY = <">name<">
| LIBRARY = "/folder-pathname/name" |
| LIBURI = "URI-format"
<server-connection-arguments>);
<EXCLUDE <=> (table-specification <table-specification-n>);> |
<SELECT (table-specification <READ = read-password>
< table-specification-n <READ = read-password-n>>);>
<FOLDER <=> "/pathname";> |
<FOLDERID <=> "identifier.identifier";>
<IMPACT_LIMIT = n;>
<NOEXEC;>
<PREFIX <=> <">text<">;>
<REPORT <<=> (report-arguments)>;>
<UPDATE_RULE <=> (<DELETE> <NOADD> <NODELDUP>
<NOUPDATE> <STATS_AUTH>);>
RUN;
For more information about the METALIB procedure, refer to SAS® 9.4 Language Interfaces
to Metadata.
Security
Access to a table requires access to the following:

• server metadata for a server that opens data
• credentials for a server (or multiple servers)
• table metadata
• a table in an operating system.
N ote: The level of metadata security for tables depends on whether the
metadata LIBNAME engine is used.
33
Exercises
4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications

a. Perform an ad hoc backup named Before adding library assignment example in
b. Register a library and tables in metadata. You can use SAS Environment Manager or
SAS Management Console to register a SAS library.
1) Make sure you are signed in to SAS Environment Manager as Ahmed and password
2) Click the new library button in the upper right toolbar.

Name Library Assignment Example libdata
Libref libdata
Engine BASE
Path specification  On the Linux server: /opt/sas/Workshop/OrionStar/orstar
 On the Windows server: D:\Workshop\OrionStar\orstar
Assigned SAS SASApp

Servers
4) Register the following tables in the Library Assignment Example libdata library and store
the metadata in the same folder as the library:
NEWHIRES, PRODUCT_DIM
Server SASApp
Libref libdata
Path specification  On the Linux server: /opt/sas/Workshop/OrionStar/orstar

 On the Windows server: D:\Workshop\OrionStar\orstar
c. Add Jacques to the Authorization of the Shipping Department folder. Verify that he has
a grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.
d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Submit the following
code:
proc print data=libdata.NEWHIRES (obs=10);
run;
You get the following error: ERROR: Libref LIBDATA is not assigned.
Note: A solution would be to do the following:
1) Right-click Library Assignment Example libdata and select Assign but coders do
not like this.
2) Provide a LIBNAME statement, but that is more difficult to maintain/administer.
3) Pre-assign a library.
e. Navigate to Server List  Servers  SASApp  Libraries  Library Assignment Example
libdata.
Note: The library icon is white (unassigned).
Note: There are two tables (NEWHIRES and PRODUCT_DIM).
f. Open the NEWHIRES table. Are you successful?
Note: SAS Enterprise Guide assigns libraries by default, using the metadata LIBNAME engine.
The metadata LIBNAME engine enforces the Read permission in metadata.
g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect. Click Yes in the
pop-up window.
h. Log on to SAS Data Integration Studio as Jacques using the password Student1. Navigate
to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and select Open.
Note: No error was generated, and Jacques is able to view the data because SAS Data
Integration Studio uses the native engine by default (BASE, ORACLE, R3, and so on.),
so the Read, Write, Create, and Delete permissions in metadata are ignored.
i. Exit SAS Data Integration Studio.
5. Pre-assigning a Library in the Metadata

a. Pre-assign Library Assignment Example libdata in metadata, using SAS Environment Manager
or SAS Management Console.
1) On the Administration page, click Side menu and select Libraries. Right-click Library
Assignment Example libdata and select Open.
2) From the drop-down menu, select Options. In the left pane, select Pre-assign.
3) Pre-assign the library using By metadata library engine.

5) Click Close.
1) Under the Data Library Manager plug-in, right-click Library Assignment Example libdata
and select Properties.
2) On the Options tab, click the Advanced Options button.
3) Pre-assign the library using: By metadata library engine. Click OK twice.
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list,
expand SASApp. (This establishes the connection or session.)
c. Expand Library Assignment Example libdata.
Note: The Library icon is yellow, which means it is assigned.
Note: You see the two registered tables (NEWHIRES and PRODUCT_DIM).
d. Open Program Editor. Edit and submit the following code:
run;
Note: The code runs, but there is an authorization error. The library assigns but cannot read
data. (The metadata LIBNAME engine enforces Read, Write, Create, and Delete.)
e. Disconnect from the workspace server by right-clicking SASApp under the Servers list and select
Disconnect.
f. Log on to SAS Data Integration Studio as Jacques using the password Student1. On the Folders
tab, navigate to Orion Star  Shipping Department. Right-click NEWHIRES and select
Open.
Note: There is an error indicating that Read permission is required because this library was pre-
assigned with the metadata LIBNAME engine.
g. Exit SAS Data Integration Studio.
6. Pre-Assigning a Library in Metadata Using Native Engine
1) On the Administration page, click Side menu and select Libraries. Right-click
Library Assignment Example libdata and select Open.
2) From the drop-down menu, select Options. In the left pane select Pre-assign.
3) Pre-assign the library using By native library engine.
4) Save your changes .Click Close.
3) Pre-assign the library using: By native library engine. Click OK twice.
b. In SAS Enterprise Guide verify that you are logged on as Jacques. Under the Servers list, expand
SASApp. (This establishes the connection or session.)
Note: All tables show up regardless of whether they are registered in metadata, based on
Jacques’ operation system permissions on the table.
d. Open the Program Editor. Enter and submit the following code:
run;
Note: The code runs, and a list report is produced with 10 rows displayed.
Note: There were no metadata permissions enforced on the table. When you pre-assign with
the native engine, SAS Enterprise Guide displays all tables in the server list, regardless
of whether they are registered in metadata.
Note: To have the native LIBNAME engine used without pre-assigning the library,
use the AssignMode option with value of 0.
e. Exit out of SAS Enterprise Guide.
f. Remove Jacques from the Authorization tab of the Shipping Department folder
using SAS Environment Manager or SAS Management Console.
7. Updating Table Metadata with SAS Enterprise Guide
a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
b. Select Tools  Update Library Metadata.
c. Select SASApp as the server and Customer Orders ordetail. Click Next.
d. Select Report on the differences between physical tables and the metadata repository.
e. View the results. Do any tables need to be updated?

Do any tables need to be added?
Do any tables need to be deleted?
f. In the project tree, under the process flow, right-click Update Metadata for "Customer Orders
ordetail" and select Modify Update Metadata for "Customer Orders ordetail".
Keep the same server and library, but update and add table definitions in the metadata with
the actual tables and columns.
For which actions can you override the default credentials?
What are the default credentials?
Why or when might you want to override the default credentials?
Are any new tables defined?
7.01 Quiz
The unrestricted user can see the Sample Data library and its tables
registered in the metadata using SAS Management Console.
Marcel cannot see the Sample Data library and tables in SAS Add-In for
Microsoft Office or in SAS Data Integration Studio.
36
7.02 Quiz
Marcel can see the Sample Data library and tables in SAS Add-In for Microsoft
Office but cannot open the table.
What is a possible cause of this problem?
38
7.03 Quiz
Marcel can see the Sample Data library and tables in SAS Management
Console and in SAS Data Integration Studio. Marcel can open the table in
SAS Data Integration Studio.
Marcel cannot see the Sample Data library and tables in the SAS Add-In for
Microsoft Office.
40
7.3 Solutions
1. Registering a SAS Library and Tables
a. Perform an ad hoc backup named Library Example in SAS Management Console. Log on as
Ahmed using the password Student1.
You can use SAS Environment Manager or SAS Management Console to register a SAS library.
1) Make sure you are signed on to SAS Environment Manager as Ahmed using the password
2) Select New Library button in the upper right toolbar.
7.3 Solutions 7-45
Name Customer orders ordetail
Libref ordetail
Engine BASE
Path specification  On the Linux server: /opt/sas /Workshop/

OrionStar/ordetail
Note: You will need to add the path to the existing list.
Assigned SAS SASApp

Servers
a) Click the Add button to add the path of the physical location of the data to the list.
b) Enter the path. Click OK.
c) Click OK.
d) From the drop-down menu, select Assigned SAS Servers.
e) Check SASApp.
f) Click Save button in the upper right toolbar.
7.3 Solutions 7-47
a) From the drop-down menu, select Tables.
b) Click the Register Tables button in the toolbar.
Note: If you are signed in as sasadm@saspw, you will receive an error, because that
account is internal and does not have access to a SAS Workspace Server.
c) Change the location to /Orion Star/Shipping Department by using the Browse button.
d) Click OK. Select CUSTOMER_DIM, GEOGRAPHY_DIM,

ORGANIZATION_DIM, and TIME_DIM.
e) Click OK. Click Close in the pop-up window.
7.3 Solutions 7-49
f) Click Close.
1) Make sure you are logged on as Ahmed using the password Student1. On the Plug-ins tab,
expand Data Library Manager. Right-click Libraries and select New Library.
Name Customer Orders ordetail
Server SASApp
Libref ordetail
Path specification  On the Linux server: /opt/sas/Workshop/OrionStar/ordetail

Note: You need to add the path to the existing list in the wizard.
a) Highlight SAS BASE Library. Click Next.
b) Enter Customer Orders ordetail in the Name field. Select Browse and navigate to
Orion Star/Shipping Department. Click Next.
7.3 Solutions 7-51
c) Move SASApp to the Select Servers side. Click Next.
d) Enter ordetail in the Libref field. Select New to add the data path to the Available items
list.
e) Navigate to the proper location.
For Linux Server

opt/sas/Workshop/OrionStar/ordetail
For Windows Server
D:\Workshop\OrionStar\ordetail
f) Click OK twice.
7.3 Solutions 7-53
g) The path appears in the Selected items pane. Click Next.
h) Click Finish.
a) Right-click the Customer Orders ordetail library under the Data Library Manager plug-
in and select Register Tables.
b) Click Next.
7.3 Solutions 7-55
c) Hold down the Ctrl key down while you select CUSTOMER, ORDERS,
ORDER_ITEM, PRICE_LIST, and PRODUCT_LIST. Verify that the folder location
in metadata is the same as where the library was registered. Click Next.
d) Click Finish.
2. Verifying Library and Table Metadata in SAS Enterprise Guide

a. Perform an ad hoc backup named Before denying Shipping group Read on Shipping Folder in
b. Use SAS Environment Manager or SAS Management Console to deny Shipping the Read
permission on the Shipping Department folder.
7.3 Solutions 7-57
c. Log on to SAS Enterprise Guide as Ray. (He is a member of the Shipping group, so he is able
to see the Shipping Department folder and the folders below.)
d. Select the Server list in the Resources pane. Expand Servers  SASApp  Libraries. Through
the Server list, you can see the metadata libraries and the tables that are registered to those
libraries.
Note: Only SAS Enterprise Guide and SAS Add-In for Microsoft Office have a Server list
display.
e. Right-click Customer Orders ordetail and select Properties. What is the libref? ORDETAIL
Click Close.
f. Enter the following LIBNAME statement in the Program Editor and run the program:
libname ordetail meta library='Customer Orders ordetail';
Note: To get to the Program Editor, select Program  New Program. Or you can select
File  New  Program.
Check for errors in the log.
If it was successfully assigned, you will see that under the Server list, the library icon for
Customer Orders ordetail has changed to yellow because it has been assigned. (You will need
to refresh the view by right-clicking SASApp under the Server List and selecting Refresh.)
Note: The five tables that were registered in the previous exercise are listed under the library
in the Server list.
g. Select the Folders list in the resource pane in the bottom left of the interface. Expand
Orion Star  Shipping Department. Do you see the library?
No, the folder structure in SAS Enterprise Guide does not show library definitions.
Do you see any tables?
Yes, the registered tables to the Customer Orders ordetail are displayed.
7.3 Solutions 7-59
Note: If you did the demonstration, you will also see the registered tables from that library.
h. Open one of the tables. (You can right-click and select Open, or double-click the table.)
Are you able to open the table?
No.
Authorization for accessing this table requires Read as well as ReadMetadata when opening
tables in SAS Enterprise Guide, because the metadata LIBNAME engine is used
by default, which enforces the Read permission as well. In step a, we denied Shipping the
Read permission on the Shipping Department folder.
i. In the log, the physical location of the data is specified. Enter the following LIBNAME statement
into the Program Editor:
For Linux Server

libname ordetail '/opt/sas/Workshop/OrionStar/ordetail';
For Windows Server

libname ordetail 'D:\Workshop\OrionStar\ordetail';
This LIBNAME statement is not referencing the library in metadata. How many tables appear
under the Customer Orders ordetail library under the server list? (You will need to refresh the
view by right-clicking SASApp under the Server List and selecting Refresh.)
All the tables that the user logged on and has permission to see in the stored location in the
Operation System. When writing this native LIBNAME statement, the user is not going
through metadata for table metadata, so no metadata permissions are enforced.
How many tables appear in the Folders list, Orion Star  Shipping?
Five tables that were registered in metadata
j. Use SAS Environment Manager or SAS Management Console to grant back to Shipping the
Read permission on the Shipping Department folder. Or, you can recover from the backup that
you performed in step a.
3. Listing Libraries, Librefs, and Their Server Contexts

Metadata DATA step functions provide a programming-based interface to create and maintain
metadata in the SAS Metadata Server. This program uses metadata DATA step functions to return
more detailed information about the libraries. The results are returned to a libraries data set in the
Work library. The requested data includes the library metadata ID, the library name, the libref, the
engine, the path on the file system (or if DBMS data, the DBMS path), and the server contexts to
which the library is associated.
a. In SAS Enterprise Guide, open the program extractlibrefandserverapp.sas that is located on the
client machine. Select Program tab  Open Program and navigate to
D:\Workshop\spaft.
7.3 Solutions 7-61
b. Verify the connection information to the metadata server in the OPTIONS statement at the top
of the program.
metaport=8561
metauser="sasadm@saspw"
metapass="Student1"
metarepository="Foundation";
c. Run the program. Are there any duplicate librefs? No.
Note: Sample programs and more information about using DATA step functions to extract
metadata information can be found in the following documentation: SAS® 9.4 Language
Interfaces to Metadata, Second Edition.
4. Looking at Metadata LIBNAME Engine and Metadata Permission Implications
a. Perform an ad hoc backup named Before adding library assignment example in SAS
Management Console. Log on as Ahmed using the password Student1.
b. Register a library and tables in metadata. You can use SAS Environment Manager or
SAS Management Console to register a SAS library.
1) Make sure you are signed in to SAS Environment Manager as Ahmed using the password
2) Select new library in the upper right toolbar.
Libref libdata
Engine BASE
Path specification  On the Linux server: /opt/sas/Workshop/OrionStar/ordetail
Assigned SAS SASApp

Servers
7.3 Solutions 7-63
a) Check the box next to:

For Windows server: D:\Workshop\OrionStar\orstar
For Linux server: /opt/sas/Workshop/OrionStar/orstar
b) Click OK.
c) From the drop-down menu, select Assigned SAS Servers.
d) Check SASApp.
e) Click Save button in the upper right toolbar.
a) From the drop-down menu, select Tables.
b) Click the Register Tables button in the toolbar.
Note: If you are signed in as sasadm@saspw, you will receive an error, because that
account is internal and does not have access to a SAS Workspace Server.
c) Change the location to /Orion Star/Shipping Department by using the Browse button.
7.3 Solutions 7-65
d) Click OK.
e) Select NEWHIRES and PRODUCT_DIM. Click OK.
f) Click Close in the pop-up window.
g) Click Close
Server SASApp
Libref libdata
Path specification  On the Windows server: D:\Workshop\OrionStar\orstar

 On the Linux server: /opt/sasinside/DemoData/Workshop/
OrionStar/orstar
a) In the Data Library Manager Plug-in, right-click Libraries and select New Library
7.3 Solutions 7-67
b) Select Base Library. Click Next.
c) Enter Library Assignment Example libdata in the Name field. Make sure that the
metadata location is /Orion Star/Shipping Department. Click Next.
d) Move SASApp to the Selected servers list and click Next.
e) Enter libdata in the Libref field and highlight:
For Linux Server

opt/sas/Workshop/OrionStar/orstar
For Windows Server
D:\Workshop\OrionStar\orstar
f) Move it to the Selected items list. Click OK.
7.3 Solutions 7-69
g) Click Finish.
Right-click Library Assignment Example libdata under the Data Library Manager Plug-in
and select Register Tables. Click Next. With the Ctrl key held down, select NEWHIRES
and Product_DIM. Verify that the metadata location is the same folder as the library. Click
Next. Click Finish.
c. Add Jacques to the Authorization of the Shipping Department folder. Verify that he has
a grant of ReadMetadata and deny all other permissions. You can use SAS Environment
Manager or SAS Management Console.
1) Make sure you are signed in to SAS Environment Manager as Ahmed using the password
Student1. On the Administration page, click Side menu and select Folders.
2) Expand Orion Star folder. Right-click Shipping Department folder and select Open.
7.3 Solutions 7-71
5) Enter Jacques and press Enter. Move Jacques over to the Identities to add pane. Click OK.
6) He will be given an automatic grant of ReadMetadata. Select Deny for all other permission
that he has as indirect grants.
7) Click the Save button in the upper right toolbar. Click Close.
1) Right-click the Shipping Department folder and click the Authorization tab. Click Add
next to the Users and Groups window. Add Jacques to the Selected Identities list. Click OK.
7.3 Solutions 7-73
He will be given an automatic grant of ReadMetadata. Select Deny for all other permission
that he has as indirect grants.
d. Log on to SAS Enterprise Guide as Jacques using the password Student1. Submit the following
code:
proc print data=libdata.NEWHIRES(obs=10);
run;
You get the following error: ERROR: Libref LIBDATA is not assigned.
Note: A solution would be to do the following:

1) Right-click Library Assignment Example libdata and select Assign, but coders do not like
this.
2) Provide a LIBNAME statement, but that is more difficult to maintain/administer.
3) Pre-assign a library.
e. Navigate to Server List  Servers  SASApp  Libraries  Library Assignment Example

libdata.
Note: The library icon is white (unassigned).
Note: There are two tables (NEWHIRES and PRODUCT_DIM).
f. Open the NEWHIRES table. Are you successful? No, an Error window appears, indicating
that Read permission is required.
Note: SAS Enterprise Guide assigns libraries by default, using the metadata LIBNAME engine.
The metadata LIBNAME engine enforces the Read permission in metadata.
Right-click the NEWHIRES table in the server list and select Open.
Error message:
g. Navigate to Servers  SASApp. Right-click SASApp and select Disconnect. Click Yes in the
pop-up window.
7.3 Solutions 7-75
h. Log on to SAS Data Integration Studio as Jacques using the password Student1. Navigate
to Folders  Orion Star  Shipping Department. Right-click NEWHIRES and select Open.
Note: No error was generated, and Jacques is able to view the data because SAS Data
Integration Studio uses the native engine by default (BASE, ORACLE, R3, and so on.),
so the Read, Write, Create, and Delete permissions in metadata are ignored.
i. Exit SAS Data Integration Studio.
5. Pre-assigning a Library in the Metadata
2) From the drop-down menu, select Options. In the left pane select Pre-assign.
3) Pre-assign the library using: By metadata library engine.
5) Click Close.
7.3 Solutions 7-77
3) Pre-assign the library using the metadata library engine.
Click OK twice.
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list, expand

Note: You see the two registered tables (NEWHIRES and PRODUCT_DIM).
run;
Note: The code runs, but there is an authorization error. The library assigns but cannot read data
(The metadata LIBNAME engine enforces Read, Write, Create, and Delete.)
7.3 Solutions 7-79
e. Disconnect from the workspace server by right-clicking SASApp under the Servers list and select
Disconnect.
f. Log on to SAS Data Integration Studio as Jacques using the password Student1. On the Folders
tab, navigate to Orion Star  Shipping. Right-click NEWHIRES and select Open.
Note: There is an error indicating that Read permission is required because this library was
pre-assigned with the metadata LIBNAME engine.
g. Exit SAS Data Integration Studio.

6. Pre-Assigning a Library in Metadata Using Native Engine
2) From the drop-down menu, select Options. In the left pane, select Pre-assign.
3) Pre-assign the library using By native library engine.
4) Save your changes . Click Close.
7.3 Solutions 7-81
3) Pre-assign the library using: By native library engine.
Click OK twice.
b. In SAS Enterprise Guide, verify that you are logged on as Jacques. Under the Servers list, expand
Note: All tables show up regardless of whether they are registered in metadata, based
on Jacques’ operating system permissions on the table.
run;
Note: The code runs and a list report is produced with 10 rows displayed.
Note: There were no metadata permissions enforced on the table. When you pre-assign with
the native engine, SAS Enterprise Guide displays all tables in the server list, regardless
of whether they are registered in metadata.
Note: To have the native LIBNAME engine used without pre-assigning the library,
use the ASSIGNMODE= option with value of 0.
e. Exit out of SAS Enterprise Guide.
f. Remove Jacques from the Authorization tab of the Shipping Department folder
using SAS Environment Manager or SAS Management Console.
7. Updating Table Metadata with SAS Enterprise Guide
a. Open SAS Enterprise Guide and log on as Ray using the password Student1.
b. Select Tools  Update Library Metadata.
7.3 Solutions 7-83
c. Select SASApp as the server and Customer Orders ordetail. Click Next.
d. Select Report on the differences between physical tables and the metadata repository.
e. View the results. Do any tables need to be updated? Yes, one table
Do any tables need to be added? Yes, 17 tables
Do any tables need to be deleted? No
f. In the project tree, under the process flow, right-click Update Metadata for "Customer Orders
ordetail" and select Modify Update Metadata for "Customer Orders ordetail".
Keep the same server and library, but update and add table definitions in the metadata with
the actual tables and columns.
For which actions can you override the default credentials? The Update and Delete selections
What are the default credentials? The user who is currently logged on, Ray/Student1
Why or when might you want to override the default credentials? If the user that you used
to log on to SAS Enterprise Guide does not have the appropriate permissions to update
libraries and tables
7.3 Solutions 7-85
Are any new tables defined? Yes, 17 tables
Marcel cannot see the Sample Data library and tables in SAS Add-In for
Microsoft Office or in SAS Data Integration Studio.
Ma rcel was denied access to the Sample Data library via metadata
permissions.
37
Marcel can see the Sample Data library and tables in SAS Add-In for Microsoft
Office but cannot open the table.
What is a possible cause of this problem?
Ma rcel does not have sufficient access to the table metadata or access to the
physical table in the operating system or database where it resides.
39
7.3 Solutions 7-87
Marcel can see the Sample Data library and tables in SAS Management
Console and in SAS Data Integration Studio. Marcel can open the table in
SAS Data Integration Studio.
Marcel cannot see the Sample Data library and tables in the SAS Add-In for
Microsoft Office.
The Sample Data library was not assigned to an application server.
41
Chapter 8 Monitoring Your SAS®
Environment
8.1 Monitoring a SAS Environment with SAS Environment Manager ............................. 8-3
Demonstration: Viewing Analyze Pages and Creating an Alert in SAS Environment
Manager ..................................................................................................... 8-13
Exercises .............................................................................................................................. 8-20
8.2 Reviewing SAS Middle-Tier Architecture ................................................................... 8-26

Exercises .............................................................................................................................. 8-38
8.3 Additional Topics on SAS Server Maintenance ......................................................... 8-48

Exercises .............................................................................................................................. 8-54
8.4 Solutions ....................................................................................................................... 8-59

8-2 Chapter 8 Monitoring Your SAS® Environment
8.1 Monitoring a SAS Environment with SAS Environment Manager 8-3
8.1 Monitoring a SAS Environment with

Objectives
• Identify tools for monitoring operating systems.

• Examine tools used to monitor the SAS environment.
• Use SAS Environment Manager to create and monitor a SAS server event.
3
Windows Operating System Monitoring Tools
The Windows platform provides these built-in applications to help you

monitor your SAS deployment:
• Windows Services application
• Windows Task Manager/Process Explorer
• Windows Event Viewer
• Windows Explorer/editors
4
The most valuable tools are often the Windows Explorer and simple text file editors. With these two
tools, you can search for and monitor server logs.
The Windows Services application provides an interface to start, stop, and configure Windows services. It
also does the following:
 enables the administrator to list and review installed applications that do not require a login
 obtains status on what applications are currently running (no history) and what identity is running them
 determines the start-up type of the application (Automatic, Manual, Disabled, or Automatic (Delayed
Start))
 sets dependencies for start-up order for processes. By default, all SAS server processes running on
Windows are installed as services.
In contrast to the Windows Services application, the Task Manager provides an additional level of detail:
It shows all running processes (foreground and background) and the name of the executable. An
application might involve more than one individual process. It also indicates system resource utilization
(CPU, memory, and disk I/O) for each process, and the Process ID (PID) - for each process. It also
provides a one-minute timeline of resource usage in real time.
The Process Explorer is similar but provides more detail. It shows the entire executable with all
parameters, and it shows parent/child process relationships. The Process Explorer also highlights
processes that are just starting up, and those that have recently shut down. Note that the Process Explorer
must be downloaded and installed separately. It is not a default part of Windows.
The Windows Event viewer can be useful for a system administrator because it provides hardware-level
information, and requires systems administration knowledge. An example might be a failure to write to a
file because the user running the application does not have Write permissions to that directory.
UNIX Operating System Monitoring Tools
The UNIX platform has built-in monitoring commands that provide a variety
of functions that are oriented toward the system administrator. Here are
some examples:
• ps, top, vmstat, lsof, tcpdump,
netstat, ss, iostat, strace, free,
mpstat, df, du
5
The built-in UNIX monitoring commands provide a wide variety of functions that are oriented toward the
UNIX system administrator. These tools can provide information at the operating system, application, or
the individual process level.
The top command produces a list of all the currently running processes listed in order of CPU usage. The
top CPU users appear at the top of the list, leading to the name of this command. The list is continuously
updated at five second intervals by default, and there are options to shorten or lengthen the update period.
The administrator can specify which fields to display, their order, filter the output on a variety of fields,
and sort the output by various fields.
Once a process ID is identified, you can use the ps command to find the complete command line, thus
identifying the specific server (SAS or otherwise) of interest.
There are two commands that are useful in evaluating disk space utilization. The Linux df command
displays the amount of free space on all mounted file systems. A related commend, du, provides disk
usage (in Kb) of each directory and its subdirectories.
The SAS Environment Manager gathers many of its metrics from some of these UNIX tools.
Developing a Monitoring Plan
• Who is responsible for monitoring and addressing problems?

• What resources need to be checked, and how often?
• Which resources are most critical?
• Which metrics are most useful?
• What happens when an issue or problem arises?
• Are there scheduled tasks that should be regularly checked?
• What reports are most helpful in identifying trends and potential
problems?
6
A performance monitoring plan ensures that administrators always have up-to-date information about
how their servers are operating. Knowing what questions to ask usually leads to what data is needed to
provide answers to those questions, and can provide guidance when developing a performance monitoring
plan.
Establishing a performance baseline establishes a reference point that makes it easier to identify problems
when, or before, they occur. When administrators have performance data for their systems that cover
multiple activities and loads, they can define a range of measurements that represent normal performance
levels under typical operating conditions for each server. In addition, when troubleshooting system
problems, performance data gives information about the behavior of the various system resources when
the problem occurs.
SAS Monitoring Tools
7
In addition to the OS-provided tools mentioned, SAS has several tools that enable the administrator to
examine, monitor, and manipulate a SAS installation. Most are highly specialized and are used for a
small number of specific tasks.
SAS Management Console is the heart of a SAS installation, providing authentication, authorization,
configuration metadata, and other services. Using SAS Management Console, you can validate basic
functionality of SAS servers and examine object spawner connections, server options and properties, and
logging levels.
SAS also provides some scripting tools to start, stop, and determine the status of the SAS servers and
applications. In an earlier chapter of this course, we used the sas.servers script on UNIX to check the
status of SAS servers. In addition, most SAS servers have their own start/stop/status scripts that can be
executed either individually or as a part of a larger script.
In addition, there are some monitoring tools that are a part of some SAS solutions. For example, the SAS
Visual Analytics Administrator provides reports in the SAS Visual Analytics environment. Platform RTM
and SAS Grid Manager Module provide grid administrators the capability to graphically view the status
of devices and services within a SAS Grid environment.
SAS Environment Manager (Review)

SAS Environment Manager provides a framework for SAS administrators to
monitor the performance, health, and operation of their SAS deployments.
• A comprehensive view of all resources related to SAS is displayed.
• It provides drill-down into different levels of detail on resources.
• It provides a flexible alerting function to warn administrators of problems.
8
SAS Environment Manager is based on VMware’s Hyperic application monitoring framework with
customizations and plug-ins to optimize the product specifically for a SAS environment.
SAS Environment Manager connects a SAS environment with the underlying data services and operating
system information. Having this information connected and correlated provides a single, consistent view
of the operating environment.
SAS Environment Manager also provides proactive monitoring capabilities. Through a series of events
and alerts, you can notify designated personnel when a threshold is exceeded and run designated resource
control operations when an alert is triggered.
The SAS Environment Manager Service Architecture provides functions and capabilities that enable
SAS Environment Manager to fit into a service-oriented architecture (SOA). The package implements
best practices for resource monitoring, and automates the application’s auditing and user monitoring
capabilities.
SAS Operational Monitoring Continuum
Real Time Operational Operational Capacity Planning/

(Detailed) (Summary) Forensics
Focus: Usage and Process SAS Environment Manager Service

Monitoring Architecture Framework
Consumption
(not persisted)
SAS IT Resource Management
(Performance Database)
Focus: OS Metrics
and Events SAS Environment Manager
• Understanding usage
Goals/Tasks/Uses • Monitor health of the patterns of SAS content
• Dynamic visualization environment • Provide “context” for and data
of real-time activity • Alerting operational activities • Audit security
• Review logs • Configuration change changes
control • Capacity planning
• Hardware maintenance
Time Scale < 1 minute 1 minute to 3 days 3 days to 10 days > 10 days
9
Each SAS system administrator or IT operations specialist is faced with the challenging task of
monitoring, managing and forecasting the needs of software, hardware and systems. So much so that even
the language of discussing a problem, event, or analysis can become rather complex. This diagram depicts
the monitoring “continuum” over time:
 dynamic monitoring, which is typically not persisted
 recent monitoring, to include less than three days review of system usage via SAS Environment
Manager
 longer term “forensics” type of usage and capacity planning offered by the SAS Environment Manager
Service Architecture and the SAS IT Resource Management solution
For more information, see the SAS Global Forum paper “Monitoring 101: New Features in SAS 9.4 for
Monitoring Your SAS Intelligence Platform”:
http://support.sas.com/resources/papers/proceedings13/463-2013.pdf.
Monitoring Resources: The Analyze Pages
The Analyze pages contain the following:

• Alert Center
• Event Center
• Operations Center
• Environment Snapshot
• Report Center
• Monitoring Center
These pages enable you to quickly view and work with alerts, events, system
status, and performance and usage reporting throughout your system.
10
The Report Center is included only if you have enabled SAS Environment Manager Service Architecture.
Events
An event is generated when there is a change in a resource’s state or a
change in a resource’s threshold value for one of these items:
• messages written to a log file associated with a monitored resource
• changes made to monitored configuration files or directories
• control actions: server start/stop/restart
• alerts
• event importer/event exporter
11
SAS Environment Manager provides the capability to monitor metrics, scan log files, manage
configuration changes, and monitor availability. When there is a change in a resource’s threshold value
for one of these items, an event is recorded in SAS Environment Manager’s event message system.
Events are also automatically created for certain types of entries in SAS server logs, and you can specify
other criteria that will create events based on SAS server logs.
Alerts
Alerts are a predefined or user-defined type of event that indicates a critical

condition in a selected resource.
12
When an alert occurs, it must be acknowledged, and alerts are listed until they are marked as being fixed.
You can define escalation schemes to identify the actions that happen if an alert is not fixed within a
specified time.
If you initialize SAS Environment Manager Extended Monitoring, a set of alerts is automatically created.
Environment Snapshot (Review)
Environment Snapshot contains a comprehensive listing of the system

information in the SAS Environment Manager database.
13
Environment Snapshot was originally designed to provide SAS Technical Support with a method for
quickly diagnosing system issues, but it also provides you with valuable information about your system.
It collects and displays the most current performance measures and configuration parameters from the
SAS Environment Manager database. It also executes and gathers real-time usage information.
Operations Center
The Operations Center lists resources that are down or have active alerts.
14
You can use filters to find resources and problem types of interest. This concise view displays the current
number of unavailable resources and active alerts, and a one-line problem summary for each resource.

(Review)
The SAS Environment Manager Extended Monitoring package implements best
practices for SAS Environment Manager. The framework consists of two components:
• predefined alerts, groups, logging, and metric configurations
• data mart infrastructure, which provides empty data tables, stored processes, and
reports that are populated by data that is provided by APM or ACM ETL processes
Extended Monitoring Data Mart

Audit, Performance
VA auto-load Feed
Best Practices
Report Center
Measurement Data(APM)
• Predefined alerts
• Automate resource configuration
• Additional resource groups Agent-Collected
• Metric collection adjustments Metrics (ACM)
• Event importing and exporting
Kits Data
15
Note: Extended monitoring components are not active until you initialize the service architecture.
Viewing Analyze Pages and Creating an Alert in

This demonstration illustrates using SAS Environment Manager’s Analyze Pages and creating an alert for
SAS Work Disk space.
1. Open Internet Explorer from the client machine using the taskbar. Click SAS Environment Manager
on the Favorites bar.
Note: To access SAS Environment Manager, use your web browser to go to
2. Sign in as Ahmed using the password Student1.
The Analyze tab contains these selections: Environment Snapshot, Operations Center, Alert Center,
Report Center, and Event Center.
3. Select Analyze  Alert Center.

The Alert Center page provides a deployment-wide view of alerts and alert definitions.
Note: An alert is a type of event that acknowledges a critical condition in a selected resource. You
can configure SAS Environment Manager to also log events for log messages and resource
configuration changes.
You can use the filter controls to filter by criteria such as status, type, and priority. Clicking an entry
in the Alert Definition column in the table displays detailed information about the alert.
You can select the check box next to an alert and click Fixed to identify the problem as having been
corrected. A pop-up window enables you to enter a note regarding the resolution of the alert.
4. Click an entry in the Alert Definition column in the table. Detailed information about the alert is
displayed. You can also mark the alert as fixed, as well as enter information about the resolution
of the alert.
5. Select Analyze  Alert Center to go back to the Alert Center page.

6. Click the Definition tab. The Definition tab in the Alert Center contains a table that lists al of the
defined alerts. Clicking an alert takes you to the definition page for the alert, where you can view
more detailed information or edit the alert. These alerts were created when Extended Monitoring
was enabled.
7. Select Analyze  Event Center.

The Event Center page provides a deployment-wide view of all events that have been logged for
resources. Alerts are automatically logged as events. You can configure SAS Environment Manager
to also log events for log messages, resource configuration changes, and resource metric triggers.
Note: An event is any sort of activity in a resource that you are monitoring.
8. Select Analyze  Operations Center.

The Operations Center lists resources that are down or have active alerts. You can use filters to find
resources and problem types of interest.
9. Now that you have explored the Analyze tab, set up an alert to be triggered whenever the SAS Work
Disk space reaches 40% of its capacity. The alert should be issued once every two hours until the
condition is cleared. When the alert is triggered, users with the Super User Role should be notified.
10. Select Resources  Services. Using the Keyword Search facility, search for the string home
directory and click .
11. There are three icons on the left of the entry for the resource: . The icons take you to the
Monitor page, Inventory page, or Alerts page, respectively, for this resource.
12. Select sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory service.
Notice the name of the default SAS work directory.

13. Build a new alert. From the sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory
screen, select Alert. (Notice that the SAS Work Directory location is specified and is a different path
for Windows and Linux servers.)
14. Select Configure to display the Alert Configuration page.
There are already two alerts defined. These were installed and configured as a part of the SAS
Environment Manager Extended Monitoring package.
15. Click New to display the New Alert Configuration page.
16. Name the alert, select the priority, and specify that the alert should be active.
 In the Name field, enter SASWork Disk Use % > 40
 In the Description field, enter Alert SASWork Disk use % > 40 %
 Accept the default priority of Medium.
 Verify that the Active button is set to Yes.
17. In the If Condition area, select the Metric option, and then select Use Percent in the Metric field.
To specify 40% capacity, enter .4 in the absolute value field. To specify that the alert is triggered
whenever the used capacity exceeds 90%, specify and select > (Greater than) from the comparison
menu.
18. In the Enable Action(s) field, specify 1 for the number of times the alert is issued and 2 for the time
period. Select hours for the time period units. These values specify that the alert is issued one time
every two hours while the alert conditions are met.
19. Click OK to define the alert and display the Configuration page for the new alert.
20. Create the notification. Select Notify Roles and then click Add to List.
21. Select the check box beside Super User role in the Roles list, and use the arrow control to move the
role to the Add Role Notification list.
22. Click OK to close the Role Selection page.
23. Click Return to Alert Definitions to complete the process of defining the alert.
Exercises
1. Setting Up a Monitor for the SASWork Disk Space Usage

The SAS Work directory stores temporary files that are created during SAS processing of code. This
directory is automatically cleaned up by default. However, the SAS Work directory might not be
cleaned up properly due to unexpected errors in processing or termination of SAS sessions. It might
be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1.
b. Locate the resource for the SAS Work directory by selecting Resource  Services.
c. Enter work directory in the Search field and click the arrow to the far right of the row .
d. Click sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory. Where is the
SAS Work directory located?
You can confirm the location by opening a SAS session through SAS Studio or SAS Enterprise
Guide and submitting the following code:
proc options option = work;
run;
For Linux Server
For Windows Server
Note: Use Percent is one of the metrics available for this resource.
The Metric Viewer portlet does not provide a resource type of SAS Work directory. It has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory,
which provides the metrics that we want and then points this new platform service to the OS
directory where SAS Work is located.
e. Select Resources  Platforms. Click sasserver.demo.sas.com.

f. From the Tools menu, select New Platform Service.
g. Use the following information:
Name: Enter SAS Work directory.
Description: Enter Storage area for SAS intermediate and temporary files.
Service Type: Select FileServer Directory.
h. Click OK.
i. Click Configuration Properties to configure the resource.
j. Enter the Path to Directory and click OK.
For Linux Server
Enter /tmp.
For Windows Server
Enter C:\Windows\Temp\SAS Temporary Files.
k. Create a new Metric Viewer portlet on the Dashboard page. Click the Dashboard tab.
l. On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add Content
to this column field and click the button.
m. Click the Configure button to display the Dashboard Settings page for the portlet.
n. On the Dashboard Settings page, use the following information:

Description: Enter SAS Work disk space.
Resource Type: Select FileServer Directory.
Metric: Select Disk Usage.
o. Click Add to List.
p. Select the SAS Work resource that you just defined and click the arrow pointing to the right to
move the resource to the right side. Click OK.
q. Click OK.
In most cases, the Metric Viewer portlet provides the resource types that you want. Therefore,
you can get the metrics that you want to view directly. In this case, we had to use an OS-level
resource type to view those metrics.
2. Defining an Alert for a SAS Server Log File

Log file entries are one type of event that can be configured and customized using log file tracking in
SAS Environment Manager. For each SAS server, a special file named
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard. These
files can be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Because each SAS server has its
own properties file, logging events can be created for specific server types.
In this exercise, you set up an alert to be triggered whenever a warning message for the I/O
Subsystem appears in the log of the SAS Metadata Server.
a. On the server machine, navigate to the metadata server’s sev_logtracker_plugin.properties file.
For Linux Server

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.
b. Make a backup copy of sev_logtracker_plugin.properties.
c. Open sev_logtracker_plugin.properties.
The entries in this file use this format:

level. [level_of_message] . [sequential_number] = [regular_expression]
All sev_logtracker_plugin.properties files contain the following two entries by default:
#All fatal
level.fatal.1=.*
#All errors
level.error.1=.*
These entries specify that an event is created whenever a message appears in the SAS log with a
level of Fatal or Error. The message can contain any text. (The period represents any character
and the asterisk says “zero or more of the preceding character,” which is a period, so any and all
characters.)
level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
whenever a message with a level of Warn appears that also contains the words Access to this
account and is locked out. Any or no characters can be before, in between, or after these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties file, the next warn message to be captured would be
level.warn.3=.*message text here.*
d. Add the following entry to the file:
#I/O subsystem information
level.info.1=.*I/O Subsystem.*
e. Save and close the file.

f. In SAS Environment Manager, locate the server SASMeta – SAS Metadata Server on the
Resource page and click it to bring up the Resource Detail page for the server.
g. On the Detail page, select Alert  Configure to display the Alert Configuration page.
h. Click New to display the New Alert Configuration page.
i. Name the alert, select the priority, and specify that the alert should be active.
Alert Properties:
Name: I/O Subsystem
Priority: Medium
Description: I/O subsystem warnings in the server log
Condition Set: Select the Event/Logs Level radio button and then select Info in the
Event/Logs Level field.
In the Substring to Match field, enter I/O Subsystem.
These values specify that an alert is issued whenever an event is found for an Info message from
the log containing the string I/O Subsystem.
In the Enable Actions(s) area, select the Each time conditions are met radio button. An alert is
triggered each time I/O Subsystem information appears in the log.
j. Click OK.
3. Searching on the Web for the SAS Usage Note on I/O Subsystem
a. Open a new tab in Internet Explorer and click the Home button in the upper right.
b. In the Search field, enter I/O Subsystem.
c. Select the Usage Note 53874.
Note: There are many papers from SAS that can help you with various troubleshooting
techniques. For a complete list of papers useful for troubleshooting system performance
problems, see Usage Note 42197.
8.2 Reviewing SAS Middle-Tier

Architecture
Objectives
• Explore middle-tier architecture.

• Explore SAS middle-tier architecture.
• Identify the SAS middle-tier components.
• Identify the Content Server.
• Identify the Web Infrastructure Platform Data Server.
• Explore SAS Web Application Server clustering.
• Explore high availability of middle-tier components.
20
What Is a Middle-Tier Architecture?
Middle-tier architecture refers to a three-tier model where the browser is the client
tier, the database is the back-end tier, and the servers in the middle tier retrieve and
process data from the servers in the data tier for presentation to clients. The middle-
tier server performs the business logic.
Middle Tier Back-End DB Server/
SAS Servers
HTTP Server
WIP Data Server

Client PC
Web Application
Server
Web Applications
Web Server Web Infrastructure
Platform
JMS Broker
Cache Locator
Web Browser Environment Manager
21
8.2 Reviewing SAS Middle-Tier Architecture 8-27
Clients access the servers in the web tier directly or through a firewall. They access the servers in the data
tier only through the servers in the web tier.
Definition comes from http://www.onjava.com/2003/10/01/middletier.html.
Middle Tier
Web Browser SAS Web Server Middle Tier
(http server)
SAS Web Application Server SAS Environment

Manager Agent
In this scenario, all of Web Applications:
SAS Studio SAS Web Report Studio
SAS Environment
the SAS middle-tier SAS Information Delivery Portal Manager Server
components are installed Other SAS web applications Cache Locator
SAS Web Infrastructure Platform
on a single system. JMS Broker
SAS Servers
Metadata Server
Platform Data Server SAS Pooled Workspace Cache Locator
Server
SAS EV Agent
22
The SAS Intelligence Platform architecture provides the flexibility to distribute these components
according to your organization’s requirements. For small implementations, the middle-tier software,
SAS Metadata Server, and other SAS servers (such as the SAS Workspace Server and SAS Stored
Process Server) can all run on the same machine. In contrast, a large enterprise might have multiple
servers and a metadata repository that are distributed across multiple platforms. The middle tier in such
an enterprise might distribute the web applications to many web application server instances on multiple
machines.
SAS 9.4 middle-tier software includes the following:
SAS Web  It provides the execution environment for the SAS web applications.
Application Server  The SAS Deployment Wizard can automatically configure the web
application server, or you can configure it manually.
SAS Web Server  It is an HTTP server that is configured as a single connection point for
SAS web applications.
 It is automatically configured to perform load-balancing when the SAS
middle tier is clustered, as well as updated to route web sessions to SAS
Web Application Server instances
 It is automatically configured to cache static web content such as
JavaScript files, cascading style sheets, and graphic files.
 It can be configured for HTTPS automatically.
Cache Locator  It is used by applications on server-tier and middle-tier machines to

locate other members and form a data cache.
 The SAS Web Application Server uses a single locator instance. In a
clustered environment, each instance uses the one locator to learn about
the other server instances when forming the cache.
 A locator is also installed on the first server-tier machine that includes an
instance of SAS Web Infrastructure Platform Scheduling Services.
JMS Broker  SAS middle-tier software uses the broker for Java Messaging Services
(JMS). The JMS Broker provides distributed communication and acts as
a message broker.
 An instance is configured as a server on the machine that is used for the
SAS middle tier.
 Some SAS web applications use JMS connection factories, queues, and
topics for implementing business logic, and use JMS for this
communication between middle tier applications and services.
The SAS middle-tier environment includes a Java Runtime Environment with SAS 9.4 software. You do
not need to install a separate Java environment for the middle-tier environment.
Middle-Tier Components
23
SAS Content Server
The SAS Content Server stores digital content (such as documents, reports,
and images) that is created and used by SAS web applications, such as
SAS Web Report Studio and SAS Information Delivery Portal.
• It is part of the SAS Web Infrastructure Platform.
• Client applications use Web Distributed Authoring and Versioning
(WebDAV) protocols for access, versioning, collaboration, security, and
searching.
• Content mapping is in place to ensure that report content is stored using
the same folder names and permissions that the SAS Metadata Server uses
to store corresponding report metadata.
24
The SAS Web Infrastructure Platform always installs and configures the SAS Content Server. By default,
the SAS Content Server uses file system storage located in the SAS configuration directory,
Levn/AppData/SASContentServer/Repository.
The SAS Content Server is managed using the SAS Content Server Administration Console,
https://server:port/SASContentServer/dircontents.jsp. You must be an unrestricted user to
administer content in the SAS Content Server.
SAS Web Infrastructure Platform Data Server
The SAS Web Infrastructure Platform data server is used as transactional

storage by SAS middle-tier software and some SAS solutions.
• It is based on PostgreSQL 9.1.9 and configured specifically to support
SAS software.
• The server is configured to manage the following databases:
• Administration
SAS Web Application Server
Server Tier
• EVManager • SAS Environment Manager
• Content Server SAS Web Infrastructure
• Shared Services • SAS Visual Analytics
Transport Services
• transportsvcs_db
• The databases that are managed by the server are backed up and restored
with the Backup and Recovery Deployment
25
Tool.
The Administration database contains configuration information for the modules that SAS develops to
extend the features of SAS Environment Manager.
The EVManager database is used by SAS Environment Manager. The database contains configuration
and metric information for the machines and servers that SAS Environment Manager manages in your
deployment.
The SharedServices database is used by the SAS web applications and middle-tier software. For example,
comments that are added through various web applications are stored in this database. Digital content that
is stored with SAS Content Server is also stored in this database.
Note: You can choose to use a third-party vendor database server for this database when you install and
configure software with the SAS Deployment Wizard. This database is identified as the SAS Web
Infrastructure Platform Database on the pages in the wizard.
This transportsvcs_db database is used by SAS Visual Analytics Transport Service. The database stores
mobile logon history information, as well as the device’s blacklist and whitelist data that is maintained
through SAS Visual Analytics Administrator. It is also used to support caching within the Transport
Service application.
If your deployment includes SAS solutions software that supports SAS Web Infrastructure Platform Data
Server, and then more databases might be configured on the server.
SAS Middle-Tier Software Components
The configuration directory for your SAS middle tier (JMS Broker)
is SAS-configuration-directory\Levn\Web.
\logconfig
(Cache Locator)
Each component has the following:
• scripts for start, stop, and status
• scripts to install and uninstall
• Windows services
• configuration files (which include logging control)
• log files (\logs directory)
26
Log Locations for Applications and Servers
Application or Log Location

Server
Cache Locator SAS-configuration-

directory\Levn\Web\gemfire\instances\ins_port-
number\gemfire.log file
JMS Broker SAS-configuration-

directory\Levn\Web\activemq\data\activemq.log file
SAS Environment SAS-configuration-

Manager Agent directory\Levn\Web\SASEnvironmentManager\agent-version-
EE\log directory
SAS Environment SAS-configuration-

Manager Server directory\Levn\Web\SASEnvironmentManager\server-version-
EE\logs directory
SAS Web SAS-configuration-

Application directory\Levn\Web\WebAppServer\SASServern_m\logs directory
Server
SAS web SAS-configuration-directory\Levn\Web\Logs\SASServern_m

applications directory
SAS Web SAS-configuration-

Infrastructure directory\Levn\WebInfrastructurePlatformDataServer\Logs
Platform Data directory
Server
Note: In a multi-machine deployment, the default log location is on the server
tier.
SAS Web Server SAS-configuration-directory\Levn\Web\WebServer\logs directory
For more information about SAS server logging, see “Administering Logging for SAS Servers” in
SAS® Intelligence Platform: System Administration Guide.
For more information about specific web application logs, see SAS® Intelligence Platform: Web
Application Administration Guide.
Distributing Server Functions
• The SAS Web Application Server supports both vertical and horizontal
clustering.
• Workload distribution is managed by the SAS Web Server. The SAS Web
Server is configured as a load-balancing HTTP proxy.
• The server instances in a cluster can coexist on the same machine (vertical
clustering), or the server instances can run on a group of middle-tier server
machines (horizontal clustering).
• Web applications can be deployed on both vertical and horizontal clusters.
27
For SAS web applications to be deployed into a clustered environment, the SAS Web Server implements
session affinity. Session affinity is an association between a web application server and a client that
requests an HTTP session with that server. This association is known in the industry by several terms in
addition to session affinity, including server affinity and sticky sessions. With session affinity, after a
client is assigned to a session with a web application server, the client remains with that server for the
duration of the session. By default, session affinity is enabled.
The Load Balancer Manager can be used to direct all requests to a single instance of the application, thus
“draining” the sessions associated with applications in the other cluster instance. When an instance
is drained, it can be stopped for maintenance without disrupting the service of clustered applications.
Note: http://webservermachine.mycompany.com/balancer-manager
Vertical Clustering
of SAS Web Application Servers
Clients Middle Tier
SAS Web Server

Web Browser (http server) SASServer1_1
SASServer1_2
SASServer1_3
SAS Servers SAS Web Application Servers
SAS Metadata Server
SAS Workspace Server…

28
Vertical clustering can be configured automatically by the SAS Deployment Wizard. The custom
prompting level is used in the SAS Deployment Wizard.
If you configured multiple instances of a managed server, such as SASServer1_1 and SASServer1_2, then
the web applications that support clustering are deployed identically to each instance. Each of these
instances is a vertical cluster member.
Advantages:
 If the Java process that underlies one of the instances in the web application server cluster encounters
problems that stop the functioning of the web applications, the applications in the other cluster instance
are still able to respond. In this case, it would be possible to stop and restart the web application server
that is experiencing problems. Requests would still be serviced by the applications in the other cluster
instance. Users who had sessions on the stopped server would lose session data, but an attempt to
reconnect to a clustered application would be successful.
 In some cases, the operating system can balance CPU load more effectively if separate Java processes
are used.
Disadvantages:
 If the single machine on which the vertical cluster is deployed experiences an outage, then all the
instances in the cluster are affected. Therefore, the failure of a single machine would cause the
application to become unavailable.
Note: Some applications, such as SAS BI Dashboard Event Generator, and some SAS solutions
applications cannot be clustered. Those are examples of when the server instances and
applications are not identically configured.
Horizontal Clustering
of SAS Web Application Servers
Clients Middle Tier
SAS Web Application Servers
SAS Web Server

Web Browser (http server) SASServer1_1
SASServer1_2
SAS Servers
SAS Metadata Server
SAS Workspace Server… SASServer1_3

29
In this topology, some deployments can implement a failover scheme, in which a server failure does not
interrupt a user’s session. The proxy server detects the failure and redirects the requests to a different
application server. That server can then retrieve the users’ session information and continue.
Advantages:
 The SAS web applications and the web application server cluster are protected by firewalls.
 The web application server and SAS web applications can be configured to perform web authentication
for single sign-on to the applications and other web resources in the network.
 Response time is improved because static content is cached by SAS Web Server.
 The greater computing capacity of the web application server cluster also improves performance.
 After the cluster is established, additional server instances can be added to support larger numbers
of concurrent users.
 Clustering provides fault isolation that is not possible with a single web application server. If a machine
in the cluster fails, then only the users with active sessions on that machine are affected.
 You can plan downtime for maintenance by taking some servers offline. New requests are then directed
to the applications deployed on the remaining servers while maintenance is performed.
 Configuration and deployment of the cluster and the applications can still be automated with
the SAS Deployment Wizard.
Disadvantages:
 SAS Web Server remains a single point of failure. Software and hardware high-availability options
exist to mitigate this disadvantage.
 Some operations, such as redeploying web applications, can require more effort when more machines
are used.
Cluster Configurations
There are two general deployment topologies.

SASServer1_1
• Single server: SASServer1_2
SASServer1_3
• homogeneous cluster
• clustered nodes containing the same applications that can be clustered
• Multiple server:
SASServers2_1
• heterogeneous cluster
SASServer3_1
• specific applications that are deployed to SASServer3_2
different server instances
• can allocate additional resources to the applications and application groups that
are more heavily used
30
Similar to clustering, the applications can be distributed to different managed servers. Distributing the
applications is similar to clustering in that additional web application server instances are used. It is
different in that the managed server profiles are different. That is, single instances of the applications
are distributed to web application servers rather than redundant instances.
Distributing the applications enables more memory availability for the applications that are deployed
on each managed server and also increases the number of users that can be supported.
Some SAS solutions are configured automatically with multiple servers by the SAS Deployment Wizard.
However, you can choose to configure multiple managed servers by running the wizard with the custom
prompting level and selecting this feature.
Whether the single or multiple server topology is selected, both vertical and horizontal clusters are still
possible, as is a combination of both clustering techniques. The only difference is how the applications
are distributed to the server instances.
High Availability
Several middle-tier components can be configured for high availability, and each has
different requirements and considerations.
SAS Web Server
SAS Web Server
SAS Web Server
SAS Web Application Server SAS Web Application Server SAS Web Application Server
SASServer1_1 SASServer1_1 SASServer1_1
Cache Locator JMS Broker Cache Locator JMS Broker Cache Locator JMS Broker
SAS Grid Manager

SAS Compute SAS Metadata SAS Content
SAS Compute SAS Metadata
Server SAS Content
Server SAS WIP Data
Server SAS Metadata
SAS Compute
Server Server SAS Content
Server Server
Server Server 31 Server
Note: Some components, such as SAS Web Application Server, can be configured in a cluster
automatically. Other components, like JMS Broker, require manual configuration to enable high
availability.
The following SAS Analytics Platform components can be deployed and configured for high availability:
 SAS Web Server
 SAS Web Application Server
 SAS Web Infrastructure Platform Data Server
 SAS JMS Broker
 SAS Cache Locator
 SAS Object Spawner
 SAS OLAP Server
 SAS Environment Manager Server
 SAS Environment Manager Agent
 SAS Deployment Agent
For more information, refer to the following:
 “High-Availability Features in the Middle Tier” in SAS® Intelligence Platform: Middle-Tier
 “Best Practices for Implementing High Availability for SAS 9.4.” SAS Global Forum Paper 305-2104.
http://support.sas.com/resources/papers/proceedings14/SAS305-2014.pdf
 “Managing SAS Web Infrastructure Platform Data Server High-Availability Clusters.” SAS Global
Forum Paper SAS1776-2015. http://support.sas.com/resources/papers/proceedings15/SAS1776-
2015.pdf
Classroom Environment
In the classroom environment, four SAS Web Application Server instances

exist, but they are not clustered. Web applications are deployed on only
one instance. Middle Tier
Clients SAS Web Application Servers
SAS Web Server SASServer1_1

(http server)
Web Browser
SASServer2_1
SAS Servers SASServer12_1
SAS Metadata Server SASServer13_1

SAS Compute Servers

32
Exercises
4. Finding Web Applications Deployed on SAS Web Application Server Instances

There are a few places that you can look to find out on which SAS Web Application Server instance
your web applications are deployed:
 It is documented in Instructions.html. This is the reference document for your SAS deployment.
It contains any manual configuration steps that must be performed. It provides an overview of your
deployment, including the web application URLs.
 SAS Environment Manager
 Configuration directory for the SAS middle tier
a. Open Instuctions.html. It is located under the SAS configuration directory in the
Levn/Documents subdirectory.
For Linux Server

1. You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Click Login to open the application. (No changes are needed.)
2. In WinSCP, navigate to /opt/sas/config/Lev1/Documents.

(As an alternative, you can use MRemoteNG: Use the firefox
/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.)
4. Select Web Application Server in the Overview list. Review the configuration details.
What web application is not clusterable?
What web app server instance is it deployed on?
What web app server instance is SAS Studio deployed on?
For Windows Server

1. Access Windows Explorer, and navigate to
D:\SAS\Config\Lev1\Documents\Instructions.html.
(Make sure that you are on the Windows server and not the Windows client.)

What web application is not clusterable?
What web app server instance is it deployed on?
What web app server instance is SAS Studio deployed on?
b. Open SAS Environment Manager.

1) Open Internet Explorer on the client machine, located on the system tray.
2) Select SAS Environment Manager on the Favorites bar.
3) Connect as Ahmed, with a password of Student1.
4) Go to Resources  Browse  Servers.
5) Select a web application server, such as sasserver.demo.sas.com tc Runtime
SASServer2_1.
6) Select Views  Application Management.
7) The deployed SAS web applications are listed. You can stop and start a web application from
this location as well.
c. Find the WAR files that are deployed on each web application server instance. They are located
in the sas_webapps directory under the SAS Web Application Server configuration directory.
For Linux Server

Navigate to
/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
Note: You can use WinSCP or MRemoteNG.
For Windows Server

Navigate to
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.
5. Setting Up a Basic Alert for a SAS Web Server in SAS Environment Manager
In this exercise, you create an alert indicating when the SAS Web Server is down and when it is back
up (a recovery alert). You also create an escalation scheme, which is a series of steps to be executed
when the alert fires.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if not already
signed in. (Open Internet Explorer on the client machine and select SAS Environment Manager
on the Favorites bar.)
b. Create an escalation scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.
3) Fill in the form with the following information:

Name: WebServerScheme
Description: Web Server Status
If the alert is acknowledged: Allow user to pause escalation for 5 minutes
If the alert state changed: Notify previously notified users
If the alert is not fixed when escalation ends: Repeat escalation actions
4) Click Next Step.

5) Click the Create Action button.
6) Complete the following fields:
Create an Action for this escalation: SMS
Select method to notify: Notify Roles
In the pop-up box, select Super User Role  OK.
Then select continue.
Note: Ahmed is a member of the Super User role. You might want all members of the role
to be notified when something as crucial as a server goes down.
7) Click Save.
c. Create the first alert that indicates that the web server is down.
1) Select Resources. Making sure that Server list is selected, select sasserver.demo.sas.com
Pivotal Web Server 5.4 WebServer.
2) Select Alert  Configure.
3) On the Alert Definitions page, click New.
4) Enter the following information in the fields:

Name: NoWebServer
Description: SAS Web Server Down
Priority: High
Active: Yes
If Condition: Metric Availability is < 100% of Baseline Value
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed
5) Click OK to save the alert definition.

d. You are now presented with an additional window that enables you to associate this alert with
an escalation scheme. Use the drop-down list to select the WebServerScheme scheme that was
just created.
e. After the escalation scheme is selected, click Return to Alert Definitions to create the recovery
alert.
f. Create the second alert, the recovery alert, which indicates the server is back up.
1) Click New. A new alert definition window appears.
2) Enter the following information:

Name: YesWebServer
Description: SAS Web Server is back up!
Priority: High
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
Recovery Alert for: NoWebServer
Enable Action: Each time conditions are met
Enable Action Filters: (blank)
3) Click OK to save the new recovery alert.

g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed, including
the two that you just defined.
h. Test the new alerts. Go to Resource  Browse. Click sasserver.demo.sas.com Pivotal Web
Server 5.4 Web Server.
i. Click Control.
j. Select Stop from the drop-down list and click next to the Control Action field.
Note: It can take up to five minutes before the system detects that the SAS Web Server is down,
because the default collection interval for it is five minutes.
k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not Available on
the Availability timeline.
Here are some of the locations where alerts appear:
 Dashboard  Recent Alerts or Problem Resources portlets
 on the header of the Environment Manager
 Analyze tab  Alert Center
 event bar for that resource (added automatically when an event is generated)
 if you set the alert (notify) to send an email
l. You can look at the other locations as well:
Recent Alerts Portlet on Dashboard Tab
SAS Environment Manager Header and Alert Center
Event Bar for the SAS Web Server Resource
Note: The default metric collection interval for the Pivotal Web Server is five minutes.
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to Pivot Web
Server 5.4 Servers. Select Edit Metric Template to the far right of the entry.) Therefore,
you might wait as long as five minutes before the alert fires and you see results on your
interface.
m. Acknowledge the alert. This enables others on the system to be aware that an administrator is
aware of the problem. You can acknowledge an alert in two places:
 the dashboard Recent Alerts portlet
 Analyze  Alert Center  Alerts tab
1) On the dashboard, select the box next to the NoWebServer and click ACKNOWLEDGE.
2) You can add a note for the reason. It will show up as acknowledged on the Alerts page. If it
is not fixed within five minutes (as specified when the alert was created), then it will request
acknowledgment again.
n. Restart the SAS Web Server by issuing the control action. Go to Resources 
sasserver.demo.sas.com Pivotal Web Server 5.4 Webserver  Control. Select Start and then
click the arrow in the Quick Control area.
o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It appears in
the same places and indicates that the SAS Web Server is running again.
6. (Optional) Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL
RDBMS
There are three PostgreSQL database servers listed under Resources  Servers. None of these
servers are currently being monitored because the resources are not fully configured. In this exercise,
you modify the necessary information so that the SAS Web Infrastructure Platform Data Server
resource can be monitored. (This is the PostgreSQL database server with listening port 9432.)
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if not
already signed in. (Open Internet Explorer on the client machine and select SAS
Environment Manager on the Favorites bar.)
b. Go to Resources  Browse  Servers.
c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the right.)
d. The status of the PostgreSQL server is undetermined. Click the server link
sasserver.demo.sas.com PostgreSQL 9.x localhost:9432.
e. You see that the server is not well configured. Click Configuration Properties.
f. Enter the required parameter values:
PostgreSQL.user: dbmsowner
PostgreSQL.pass: Student1
PostgreSQL.program or Windows Service:
For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh
For Windows Server

Use the Windows Service Name: SAS [Config-Lev1] Web Infrastructure Platform Data
Server
Note: To avoid typographical errors, go to the Windows Services application and copy
and paste the service name to the service name field.
g. Make sure that the Auto-Discover DataBases, Indexes, and other services? check box
is selected. Then click OK.
h. Click Monitor. After a few minutes (or the required time for the agent to query the system), you
see the server availability, some server metrics, and two new services.
7. (Optional) Administering Logging for SAS Web Infrastructure Platform Data Server
b. Enter PgAdmin III tool in the Search field and click Search.
c. Click the first entry, SAS Web Infrastructure Platform Data Server, dated 2016-01-19.
d. Click Administering Logging for the Server. Review the logging steps.
The pgAdmin III Tool follows. It is a PostgreSQL database design and management system tool
that can be downloaded and enables you to administer the SAS Web Infrastructure Platform Data
Server.
8. (Optional) Setting Up Log Tracking for a Resource in SAS Environment Manager

monitoring specific log files, usually for specific messages, such as severe errors or other critical
information. By doing this, you are not required to open the log files directly. You can access only the
portion that you need from the user interface. The log file entries are one type of event that can be
configured and customized in SAS Environment Manager.
For SAS servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
In this exercise, you enable log tracking for a SAS Web Application Server. The tc Server
(SASServer1 instance) log file is scanned for start-up completion. If you must restart that server, you
know when it fully started up, and that all the web applications are loaded and ready for users.
Although this server might appear as Available or Started right away, it is not actually ready to
receive requests for 20 to 30 minutes after that, given the necessary full deployment of all the SAS
web applications.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if you are not
already logged on.
b. Click Resources  Browse.
c. Click sasserver.demo.sas.com tc Runtime SASServer2_1.
d. Click Views  Application Management. There are fewer web applications deployed on this
instance, so choose this tc Server to use for log tracking.
e. Click the Inventory tab.
f. Scroll to the bottom to the Configuration Properties section, and click Edit.
g. Set the following three properties:
1) Click the Enable Log Tracking check box.
2) Select INFO from the Track Event Log Level drop-down menu.
3) Under Log Pattern Match, enter the following code:
Server startup in \d{5,} ms
4) For the log files, enter logs/server.log.
h. Click OK at the bottom center of the window. You should see the following message:
i. Restart the server. Select Resources  Browse  sasserver.demo.sas.com tc Runtime

SASServer2_1.
j. Click the Control tab.
k. Select Control Action: Restart. Click the arrow to the right.
l. When the command state indicates Completed, click the Monitor tab. The Restart event was
recorded and appears in the Events/Logs Tracking timeline at the bottom of the window:
If you click the event bubble, a message appears. The server is not yet available because all the
applications were not deployed and started yet.
m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking timeline.
While waiting, you can change the time range of metrics displayed by selecting 30 and Minutes
from the drop-down lists next to Last. Click OK.
That second event provides the actual message text from the log file that you specified in your
search, Server startup in XXXXXX ms, as shown above.
8.3 Additional Topics on SAS Server

Maintenance
Objectives
• Review process of troubleshooting SAS Metadata Server.

• Explore Analyze and Repair Tool.
• Review tuning SAS Servers, such as SAS Workspace Server.
36
Troubleshooting SAS Metadata Server
If the metadata server is not responding to client requests:

1. Stop the metadata server.
2. Review the entries in the metadata server log to determine the cause of
the problem.
3. Start the metadata server. Do not forget about server dependencies!
4. If you still cannot start the server, review the log again and resolve any
issues, if possible.
37
8.3 Additional Topics on SAS Server Maintenance 8-49
In this situation, these are the preferred methods for stopping the server:
 Use the metadata manager in SAS Management Console.
 Click the Plug-ins tab, expand the Metadata Manager node, right-click the Active Server node, and
select Stop.
 Use SAS Environment Manager
 Or you can use the metadata server script.
 (Windows only) If you cannot stop the server using the metadata manager or the script, then stop the
Windows service. If you cannot stop the service, then use the windows task manager to stop the server
process.
 (UNIX only) if you cannot stop the server using the metadata manager or the script, use one of the
following commands to stop the server process:
kill -2 server-process-idkill –15 server-process-id
If the process fails to stop, use the following command:
kill- -9 server-process-id
For more information, see “Exiting or Interrupting Your SAS Session in UNIX Environments” in the
SAS® Companion for UNIX Environments.
Recovering an Unresponsive SAS Metadata Server
To recover a non-clustered metadata server that is not responding to client

requests:
1. Copy current configuration information and data.
2. Try to start the server using the –recover option.
3. Manually recover the configuration files.
4. Use SAS Management Console to perform a normal recovery.
5. Run the Analyze and Repair Metadata Tool.
38
For more information, see “What to Do If the SAS Metadata Server Is Unresponsive” in SAS® 9.4
Intelligence Platform: System Administration Guide.
Analyze and Repair Tool
The Metadata Analyze and Repair Tool enables you to run selected tests on
metadata to locate common problems. When possible, the tools also repair
problems that the analysis has identified.
The Analyze and Repair Tool can be
• accessed from the Metadata Manager
node in SAS Management Console
• run in batch mode from a command line,
sas-analyze-metadata.
39
 Verify Metadata Files analyzes key metadata server files to determine whether they are corrupted and,
when possible, recommends repairs that can be applied
 Verify Associations checks the metadata repository for associations in which one or the other
associated object does not exist.
 Metadata Server Cluster Synchronization verifies that metadata is synchronized among all the nodes
of a metadata server cluster
 Verify Permissions verifies that permission objects exist only in the Foundation repository
 Verify Authentication Domains checks authentication domain objects to ensure that the object names
are valid and unique
 Orphaned Objects locates metadata objects that are no longer being referenced
 Validate SAS Folders analyzes the integrity of objects contained in the SAS Folders tree.
Analyze and Repair Tool
When using the Analyze and Repair Tool:

• Back up the metadata server before running a repair.
• The metadata server is automatically paused to ADMINISTRATION mode.
• On a clustered metadata server, stop all of the nodes in the cluster. Then
start a single node without clustering.
• When running the Verify Metadata Files and Verify Associations tools, it is
recommended that you run an analyze and a repair in two separate steps.
Note: If the Verify Metadata Files tool reports errors (as compared to
warnings), do not run the repair for that tool. Instead, contact
SAS Technical Support for assistance.
40
The ADMINISTRATION state prevents metadata changes from occurring while the analysis process is
running, except that unrestricted users can continue to change metadata during this time. The server is
automatically resumed when the analysis and repair process is completed.
Configuration and Log Files for SAS Servers
Every server tier has a configuration directory that includes servers that are
components of a SAS Application Server: OLAP servers, workspace servers,
pooled workspace servers, stored process servers, and SAS/CONNECT servers
Each component has the following:
• scripts for start, stop, and status
• configuration files
• logging configuration files
• autoexec files
• _usermod files
• log files
41
The structure and contents of the directory vary depending on the host operating system, which products
are installed, and whether the host machine is a server-tier host or a middle-tier host.
Tuning Workspace Servers
Changes that you might need to make include specifying the following:
• an appropriate work folder
• a buffer size for writing files to the work area
• a limit on the total amount of memory that SAS uses at any one time
System Option Explanation
-work work-folder Specifies the pathname for the directory that contains the Work data library. This
directory should reside on a disk that emphasizes fast write performance.
-memsize size-value Specifies a limit on the total amount of memory that SAS uses at any one time.
-sortsize size-value Limits the amount of memory that can be used temporarily for sorting. Larger
sort sizes reduce the use of the work folder, but increase the possibility of paging.
-ubufsize size-value Specifies a buffer size for writing files to the work area.
42
See “Workspace Server Configuration Tasks” in SAS® 9.4 Intelligence Platform: Application Server
Tuning Workspace Servers
After you have determined the system options that you want to use to start your
workspace server, edit the sas command that starts the server.
Note: You might have optimized your workspace server for use with an application,
such as SAS Web Report Studio. If you are using other applications and these
applications can benefit from a workspace server that is configured differently,
you must create a new logical workspace server (under SASApp) and add a
workspace server to it. 43
Tuning SAS Servers
Before modifying system options,

monitor the performance of your
SAS servers.
You can use the reports in the
Report Center to see resource
utilization of your SAS servers
over time.
44
If you want to specify different values for system options, or if you want to
specify additional options, then enter your updates and additions in which of
the following files for a SAS server?
a. sasv9.cfg
b. metadataconfig_usermods.xml
c. sasv9_usermods.cfg
d. autoexec.sas
45
Exercises
9. Exploring the Analyze and Repair Tool

a. Log on to SAS Management Console as Ahmed using the password Student1.
b. Expand Metadata Manager. Right-click Active Server and select Analyze/Repair Metadata.
c. The following message is displayed:
Click Yes. (The server will be paused after you complete the next two wizard pages.)
d. On the first wizard page, select the Foundation repository to analyze and repair. Click Next.
e. The next wizard page lists the analysis tools that are available. Select all of the tools. Do not click
the check box to Repair immediately. It is recommended that you perform the repairs in a
separate step. Click Analyze.
A message is displayed stating that the server is being paused to Administration mode. The
analysis is then performed. When it is finished, the results are displayed.
If problems are found, the following message is displayed: Analysis has completed and
problems were found. View the log for details.
f. Click View Log to see information about the errors. Additional details might also be available in
the metadata server log.
g. Scroll down to find WARN messages:
Orphaned Objects locates metadata objects that are no longer being referenced.
Click OK to close out of the log.
h. Click Next.
i. The next wizard page displays a list of the analysis tools that found problem situations. Select one
or more tools to run in Repair mode, and click Repair.
j. A message reminds you to back up your metadata before running the repairs. Click Yes to
continue. The repairs are executed. A dialog box indicates whether each repair was completed
successfully.
k. Click Finish to exit the wizard.
Note: The log will still show the WARN message. Instead, rerun the Analysis/Repair Tools
without repairing and check the log. You should not see any WARN messages.
10. Locating the Start-up Scripts and Configuration Files for the Workspace Server
On the server machine, open the script to start the SAS Workspace Server.
What configuration files are read during the server start-up?
For Linux Server

/opt/sas/config/Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh
appservercontext_env.sh
level_env.sh
So APPSERVER_ROOT resolves to /opt/sas/config/Lev1/SASApp and CONFIGDIR resolves

to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
The four configuration files read are as follows:
 /opt/sas/config/Lev1/SASApp/sasv9.cfg
 /opt/sas/config/Lev1/SASApp/sasv9_usermods.cfg
 /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9.cfg
 /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9_usermods.cfg
Note: These configuration files include other reference to configuration files. The
complete list of configuration files and order of precedence can be found at the
end of this exercise.
For Windows Server

D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat
Appservercontext_env.bat:
Level_env.bat:
So the value of APPSERVER_ROOT resolves to D:\SAS\Config\Lev1\SASApp,

CONFIGDIR resolves to D:\SAS\Config\Lev1\SASApp\WorkspaceServer, and
CMD_OPTIONS= -config “D:\SAS\Config\Lev1\SASAp\WorkspaceServer\sasv9.cfg”
sasv9.cfg includes two other configuration files:
Note: The documentation provides information about the configuration files used by default.
This can be found in the appendix of SAS® 9.4 Intelligence Platform: System
Configuration Files for Components of SAS Application Servers
Order of Path and Filename

Precedence
1 Windows: \Lev1\server-context\server-name\sasv9.cfg
UNIX: /Lev1/server-context/server-name/sasv9.cfg
2 Windows: \Lev1\server-context\sasv9.cfg
UNIX: /Lev1/server-context/sasv9.cfg
3 Windows: SAS-install-directory\SASFoundation\9.4\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/sasv9.cfg
4 UNIX only: SAS-install-directory /SASFoundation/9.4/sasv9_local.cfg
5 Windows: SAS-install-directory\SASFoundation\9.4\locale\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/locale/sasv9.cfg
6 Windows: \Lev1\server-context\sasv9_usermods.cfg
UNIX: /Lev1/server-context/sasv9_usermods.cfg
7 Windows: \Lev1\server-context\appserver_autoexec.sas
UNIX: /Lev1/server-context/appserver_autexec.sas
8 Windows: \Lev1\server-context\appserver_autoexec_usermods.sas
UNIX: /Lev1/server-context/appserver_autoexec_usermods.sas
9 Windows: \Lev1\server-context\server-name\sasv9_usermods.cfg
UNIX: /Lev1/server-context/server-name/sasv9_usermods.cfg
10 Windows: \Lev1\server-context\server-name\autoexec.sas
UNIX: /Lev1/server-context/server-name/autoexec.sas
11. Windows: \Lev1\server-context\server-name\autoexec_usermods.sas

UNIX: /Lev1/server-context/server-name/autoexec_usermods.sas
11. (Optional) Adding System Options to the Workspace Server Launch Command
After you have determined the system options that you want to use to start your workspace server,
you can add system options to the workspace server launch command.
a. In SAS Management Console, expand Server Manager  SASApp - Logical Workspace
Server. A tree node that represents the physical workspace server is displayed.
b. Right-click the icon for the physical workspace server, and select Properties.
c. Click the Options tab. The command to start the workspace server is displayed.
d. You would edit the text in the Command text box, which by default is set to this:
configuration-directory\SASApp\WorkspaceServer\WorkspaceServer.bat
For example, here is a command with options that improve performance for a workspace server:
-rsasuser -work work-folder -ubufsize 64K -memsize 512M
-realmemsize 400M -sortsize 256M
e. If you wanted to force the workspace server to disconnect idle clients, on this Options tab, click
Advanced Options.
f. Click Launch Properties.
g. In the Inactive client timeout field, enter a numeric value (minutes) that a connected client is
allowed to remain inactive before the server disconnects the client. Specify a value of 0 to disable
this option.
h. Click Cancel in the Advanced Options dialog box.
i. Click Cancel in the Properties dialog box. (You are not making any changes.)
8.4 Solutions 8-59
8.4 Solutions
1. Setting Up a Monitor for the SAS Work Directory
The SAS Work directory stores temporary files that are created during SAS processing of code. This
directory is automatically cleaned up by default. However, the SAS Work directory might not be
cleaned up properly due to unexpected errors in processing or termination of SAS sessions. It might
be necessary to monitor the SAS Work directory to avoid a buildup of disk usage.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1.
b. Locate the resource for the SAS Work directory by selecting Resource  Services.
c. Enter work directory in the Search field and click the arrow to the far right of the row .
d. Click sasserver.demo.sas.com SAS Home Directory 9.4 SAS work directory. Where is the SAS
Work directory located?
For Linux:
For Windows:
You can confirm the location by opening a SAS session through SAS Studio or SAS Enterprise
Guide and submitting the following code:
proc options option = work;
run;
For Linux Server
For Windows Server
Note: Use Percent is one of the metrics available for this resource.
The Metric Viewer portlet does not provide a resource type of SAS Work directory. It has only
SAS Home Directory and SAS Config Level Directory. Therefore, SAS Work metrics cannot be
displayed directly. The workaround is to create a platform service of type FileServer Directory,
which provides the metrics that we want and then points this new platform service to the OS
directory where SAS Work is located.
e. Select Resources  Platforms. Click sasserver.demo.sas.com.
8.4 Solutions 8-61
f. From the Tools menu, select New Platform Service.
g. Use the following information:

Name: SAS Work directory
Description: Storage area for SAS intermediate and temporary files
Service Type: Select FileServer Directory.
h. Click OK.
i. Click Configuration Properties to configure the resource.
j. Enter the Path to Directory and click OK.
For Linux Server
Enter /tmp.
For Windows Server
Enter C:\Windows\Temp\SAS Temporary Files.
k. Create a new Metric Viewer portlet on the Dashboard page. Click the Dashboard tab.
l. On the right side at the bottom of the Dashboard page, select Metric Viewer in the Add Content
to this column field and click the button.
m. Click the Configure button to display the Dashboard Settings page for the portlet.
n. On the Dashboard Settings page, use the following information:

Description: SAS Work disk space
Resource Type: Select FileServer Directory
Metric: Select Disk Usage
8.4 Solutions 8-63
o. Click Add to List.

p. Select the SAS Work resource that you just defined and click the arrow pointing to the right to
move the resource to the right side. Click OK.
q. Click OK.
In most cases, the Metric Viewer portlet provides the resource types that you want. Therefore,
you can get the metrics that you want to view directly. In this case, we had to use an OS-level
resource type to view those metrics.
2. Defining an Alert for a SAS Server Log File
Log file entries are one type of event that can be configured and customized using SAS Environment
Manager’s log file tracking. For each SAS server, a special file named
sev_logtracker_plugin.properties is automatically set up by the SAS Deployment Wizard. They can
be configured to trap various log entries and capture them as events.
You can add to this file to create events for criteria of your choosing. Because each SAS server has its
own properties file, logging events can be created for specific server types.
In this exercise, you will set up an alert to be triggered whenever a warning message for the I/O
Subsystem appears in the log of the SAS Metadata Server.
a. On the server machine, navigate to the metadata server’s sev_logtracker_plugin.properties file.
For Linux Server

For Windows Server

Navigate to D:\SAS\Config\Lev1\SASMeta\MetadataServer.
b. Make a backup copy of sev_logtracker_plugin.properties.
c. Open sev_logtracker_plugin.properties.
The entries in this file use this format:

level. [level_of_message] . [sequential_number] = [regular_expression]
All sev_logtracker_plugin.properties files contain the following two entries by default:
#All fatal
level.fatal.1=.*
#All errors
level.error.1=.*
These entries specify that an event is created whenever a message appears in the SAS log with a
level of Fatal or Error. The message can contain any text. (The period represents any character
and the asterisk says “zero or more of the preceding character,” which is a period, so any and all
characters.)
level.warn.1=.*Access to this account.*is locked out.* specifies that an event is created
whenever a message with a level of Warn appears that also contains the words: Access to this
account and is locked out. Any or no characters can be before, in between, and after these words.
Multiple entries for messages at the same log level must have an incremental number. In the
metadata server properties file, the next warn message to be captured would be
level.warn.3=.*message text here.*
8.4 Solutions 8-65
d. Add the following entry to the file:

#I/O subsystem information
level.info.1=.*I/O Subsystem.*
e. Save and close the file.

f. In SAS Environment Manager, locate the server SASMeta - SAS Metadata Server on the
Resource page and click it to bring up the Resource Detail page for the server.
g. On the Detail page, select Alert  Configure to display the Alert Configuration page.
h. Click New to display the New Alert Configuration page.
i. Name the alert, select the priority, and specify that the alert should be active.
Alert Properties:
Name: I/O Subsystem
Priority: Medium
Description: I/O subsystem warnings in the server log
Condition Set: Select the Event/Logs Level radio button and then select Info in the
Event/Logs Level field.
In the Substring to Match field, enter I/O Subsystem.
These values specify that an alert is issued whenever an event is found for an Info message from
the log containing the string I/O Subsystem.
8.4 Solutions 8-67
In the Enable Actions(s) area, select the Each time conditions are met radio button. An alert is
triggered each time I/O Subsystem information appears in the log.
j. Click OK.
3. Searching on the Web for SAS Usage Note on I/O Subsystem
a. Open a new tab in Internet Explorer and click the Home button in the upper right.
b. In the Search field, enter I/O Subsystem.
c. Select the Usage Note 53874.
Note: There are many papers from SAS that can help you with various troubleshooting
techniques. For a complete list of papers useful for troubleshooting system performance
problems, see Usage Note 42197.
4. Finding Web Applications Deployed on SAS Web Application Server Instances

There are a few places that you can look to find out on which SAS Web Application Server instance
your web applications are deployed:
 It is documented in Instructions.html. This is the reference document for your SAS deployment.
It contains any manual configuration steps that must be performed. It provides an overview of
your deployment, including the web application URLs.
 SAS Environment Manager
 Configuration directory for the SAS middle-tier
a. Open Instuctions.html. It is located under the SAS configuration directory in the
Levn/Documents subdirectory.
For Linux Server

1. You can use WinSCP (there is a shortcut on your desktop) to access and view files
on the Linux server. Click Login to open the application. (No changes are needed.)
Linux Server
2. In WinSCP, navigate to /opt/sas/config/Lev1/Documents.
(As an alternative, you can use MRemoteNG: Use the firefox

/opt/sas/config/Lev1/Documents/Instructions.html command to open the document.)
8.4 Solutions 8-69
What web application is not clusterable? SASBIDashboardEventGen4.4

What web app server instance is it deployed on? SASServer1_1
What web app server instance is SAS Studio deployed on? SASServer2_1
For Windows Server

1. Access Windows Explorer, and navigate to
D:\SAS\Config\Lev1\Documents\Instructions.html
(Make sure that you are on the Windows server and not Windows client.)

8.4 Solutions 8-71
What web application is not clusterable? SASBIDashboardEventGen4.4

What web app server instance is it deployed on? SASServer1_1
What web app server instance is SAS Studio deployed on? SASServer2_1
b. Open SAS Environment Manager.

1) Open Internet Explorer on the client machine, located on the system tray.
2) Select SAS Environment Manager on the Favorites bar.
3) Connect as Ahmed, with a password of Student1.

4) Go to Resources  Browse  Servers.
5) Select a web application server, such as sasserver.demo.sas.com tc Runtime SASServer2_1.
6) Select Views  Application Management.
7) The deployed SAS web applications are listed. You can stop and start a web application from
this location as well.
c. Find the WAR files that are deployed on each web application server instance. They are located
in the sas_webapps directory under the SAS Web Application Server configuration directory.
For Linux Server

Navigate to
/opt/sas/config/Lev1/Web/WebAppServer/…serverinstancenumber/sas_webapps.
Note: You can use WinSCP or MRemoteNG.
For Windows Server

Navigate to
D:\SAS\Config\Lev1\Web\WebAppServer\...serverinstancenumber\sas_webapps.
5. Setting Up a Basic Alert for SAS Web Server in SAS Environment Manager
In this exercise, you create an alert indicating when the SAS Web Server is down and when it is back
up (a recovery alert). You also create an escalation scheme, which is a series of steps to be executed
when the alert fires.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if not already
signed in. (Open Internet Explorer on the client machine and select SAS Environment Manager
on the Favorites bar.)
b. Create an escalation scheme.
1) Click the Manage tab.
2) Click the Escalation Schemes Configuration link.
8.4 Solutions 8-73
3) Fill in the form with the following information:

Name: WebServerScheme
Description: Web Server Status
If the alert is acknowledged: Allow user to pause escalation for 5 minutes
If the alert state changed: Notify previously notified users
If the alert is not fixed when escalation ends: Repeat escalation actions
4) Click Next Step.

5) Click the Create Action button.
6) Complete the following fields:

Create an Action for this escalation: SMS
Select method to notify: Notify Roles
In the pop-up box, select Super User Role  OK.
Then select continue.

Note: Ahmed is a member of the Super User Role. You might want all members of the role
to be notified when something as crucial as a server goes down.
7) Click Save.
c. Create the first alert that indicates that the web server is down.
1) Select Resources. Making sure that the Server list is selected, select sasserver.demo.sas.com
Pivotal Web Server 5.4 WebServer.
2) Select Alert  Configure.
8.4 Solutions 8-75
3) On the Alert Definitions page, click New.
4) Enter the following information in the fields:

Name: NoWebServer
Description: SAS Web Server Down
Priority: High
Active: Yes
If Condition: Metric Availability is < 100% of Baseline Value
Enable Actions: Each time conditions are met
Enable Action Filters: Generate one alert and then disable alert definition until fixed
5) Click OK to save the alert definition.
d. You are now presented with an additional window that enables you to associate this alert with
an escalation scheme. Use the drop-down list to select the WebServerScheme scheme that was
just created.
e. After the escalation scheme is selected, click Return to Alert Definitions to create the recovery
alert.
f. Create the second alert, the recovery alert, which indicates the server is back up.
1) Click New. A new alert definition window appears.
2) Enter the following information:
Name: YesWebServer
Description: SAS Web Server is back up!
Priority: High
Active: Yes
If Condition: Metric Availability = 100% of Baseline Value
Recovery Alert for: NoWebServer
Enable Action Each time conditions are met
Enable Action Filters: (blank)
3) Click OK to save the new recovery alert.
8.4 Solutions 8-77
g. Select Analyze  Alert Center. Click the Definition tab. All defined alerts are listed, including
the two that you just defined.
h. Test the new alerts. Go to Resource  Browse. Click sasserver.demo.sas.com Pivotal Web
Server 5.4 Web Server.
i. Click Control.
j. Select Stop from the drop-down list and click next to the Control Action field.
Note: It can take up to five minutes before the system detects that the SAS Web Server is down,
because the default collection interval for it is five minutes.
k. Select Resources. With Servers selected, the SAS Web Server is displayed as Not Available on
the Availability timeline.
Here are some of the locations where alerts appear:
 Dashboard  Recent Alerts or Problem Resources portlets
 on the header of the Environment Manager
 Analyze tab  Alert Center
 event bar for that resource (added automatically when an event is generated)
 if you set the alert (notify) to send an email
l. You can look at the other locations as well:
Recent Alerts Portlet on Dashboard Tab
SAS Environment Manager Header and Alert Center
8.4 Solutions 8-79
Event Bar for the SAS Web Server Resource
Note: The default metric collection interval for the Pivotal Web Server is five minutes.
(This can be changed by selecting Manage  Monitoring Defaults. Scroll to Pivot Web
Server 5.4 Servers. Select Edit Metric Template to the far right of the entry.) Therefore,
you might wait as long as five minutes before the alert fires and you see results on your
interface.
m. Acknowledge the alert. This enables others on the system to be aware that an administrator is
aware of the problem. You can acknowledge an alert in two places:
 the dashboard Recent Alerts portlet
 Analyze  Alert Center  Alerts tab
1) On the dashboard, select the box next to the NoWebServer and click ACKNOWLEDGE.
2) You can add a note for the reason. It will show up as acknowledged on the Alerts page. If it is
not fixed within five minutes (as specified when the alert was created), then it will request
acknowledgment again.
n. Restart the SAS Web Server, by issuing the control action. Go to Resources 
sasserver.demo.sas.com Pivotal Web Server 5.4 Webserver  Control. Select Start and then
click the arrow in the Quick Control area.
o. Within five minutes or less, you should see the recovery alert, called YesWebServer. It appears in
the same places and indicates that the SAS Web Server is running again.
6. (Optional) Configuring the PostgreSQL Server Component to Interact with Your PostgreSQL
RDBMS
There are three PostgreSQL database servers listed under Resources  Servers. None of these
servers are currently being monitored because the resources are not fully configured. In this exercise,
you modify the necessary information so that the SAS Web Infrastructure Platform Data Server
resource can be monitored. (This is the PostgreSQL database server with listening port 9432.)
a. Sign in to SAS Environment Manager as Ahmed using password Student1, if not already signed
in. (Open Internet Explorer on the client machine and select SAS Environment Manager on the
Favorites bar.)
8.4 Solutions 8-81
b. Go to Resources  Browse  Servers.
c. Find the PostgreSQL 9.x server resource in the list. (You can also go to the resource using
the Search bar. In the drop-down list, select PostgreSQL 9.x and click the arrow on the right.)
d. The status of the PostgreSQL server is undetermined. Click the server link
sasserver.demo.sas.com PostgreSQL 9.x localhost:9432.
e. You see that the server is not well configured. Click Configuration Properties.
f. Enter the required parameter values:

PostgreSQL.user: dbmsowner
PostgreSQL.pass: Student1
PostgreSQL.program or Windows Service:
For Linux Server

/opt/sas/config/Lev1/WebInfrastructurePlatformDataServer/webinfdsvrc.sh
8.4 Solutions 8-83
For Windows Server

Use the Windows Service Name: SAS [Config-Lev1] Web Infrastructure Platform Data
Server
Note: To avoid typographical errors, go to the Windows Services application and copy
and paste the service name to the service name field.
g. Make sure that the Auto-Discover DataBases, Indexes, and other services? check box is
selected. Then click OK.
h. Click Monitor. After a few minutes (or the required time for the agent to query the system),
you see the server availability, some server metrics, and two new services.
7. (Optional) Administering Logging for SAS Web Infrastructure Platform Data Server
b. Enter PgAdmin III tool in the Search field and click Search.
c. Click the first entry, SAS Web Infrastructure Platform Data Server, dated 2016-01-19.
d. Click Administering Logging for the Server. Review the logging steps.
The pgAdmin III Tool follows. It is a PostgreSQL database design and management system tool
that can be downloaded and enables you to administer the SAS Web Infrastructure Platform Data
Server.
8. (Optional) Setting Up Log Tracking for a Resource in the SAS Environment Manager
monitoring specific log files, usually for specific messages, such as severe errors or other critical
information. By doing this, you are not required to open the log files directly. You can access only the
portion that you need from the user interface. The log file entries are one type of event that can be
configured and customized in SAS Environment Manager.
For SAS servers, a special file, sev_logtracker_plugin.properties, is automatically set up by the
In this exercise, you enable log tracking for a SAS Web Application Server. The tc Server
(SASServer1 instance) log file is scanned for start-up completion. If you must restart that server, you
know when it fully started up, and that all the web applications are loaded and ready for users.
Although this server might appear as Available or Started right away, it is not actually ready to
receive requests for 20 to 30 minutes after that, given the necessary full deployment of all the SAS
web applications.
a. Sign in to SAS Environment Manager as Ahmed using the password Student1, if you are not
already logged on.
b. Click Resources  Browse.
c. Click sasserver.demo.sas.com tc Runtime SASServer2_1.
8.4 Solutions 8-85
d. Click Views  Application Management. There are fewer web applications deployed on this
instance, so choose this tc Server to use for log tracking.
e. Click the Inventory tab.
f. Scroll to the bottom to the Configuration Properties section, and click Edit.
g. Set the following three properties:

1) Click the Enable Log Tracking check box.
2) Select INFO from the Track Event Log Level drop-down menu.
3) Under Log Pattern Match, enter the following code:
Server startup in \d{5,} ms
4) For the log files, enter log/server.log.
h. Click OK at the bottom center of the window. You should see the following message:
i. Restart the server. Select Resources  Browse  sasserver.demo.sas.com tc Runtime

SASServer2_1.
j. Click the Control tab.
k. Select Control Action: Restart. Click the arrow to the right.
8.4 Solutions 8-87
l. When the command state indicates Completed, click the Monitor tab.
The Restart event was recorded and appears in the Events/Logs Tracking timeline at the bottom
of the window, as shown.
If you click the event bubble, a message appears. The server is not yet available because all the
applications were not deployed and started yet.
m. If you wait a few minutes, you can see an additional item on the Events/Logs Tracking timeline.
That second event provides the actual message text from the log file that you specified in your
search earlier: Server startup in XXXXXX ms, as shown above.
9. Exploring the Analyze and Repair Tool

a. Log on to SAS Management Console as Ahmed using the password Student1.
b. Expand Metadata Manager. Right-click Active Server and select Analyze/Repair Metadata.
c. The following message is displayed:
Click Yes. (The server will be paused after you complete the next two wizard pages.)
d. On the first wizard page, select the Foundation repository to analyze and repair. Click Next.
8.4 Solutions 8-89
e. The next wizard page lists the analysis tools that are available. Select all of the tools. Do not click
the check box to Repair immediately. It is recommended that you perform the repairs in a
separate step. Click Analyze.
A message is displayed stating that the server is being paused to Administration mode. The
analysis is then performed. When it is finished, the results are displayed.
If problems are found, the following message is displayed: Analysis has completed and
problems were found. View the log for details.
f. Click View Log to see information about the errors. Additional details might also be available in
the metadata server log.
g. Scroll down to find WARN messages:
Orphaned Objects locates metadata objects that are no longer being referenced.
Click OK to close out of the log.
h. Click Next.
8.4 Solutions 8-91
i. The next wizard page displays a list of the analysis tools that found problem situations. Select one
or more tools to run in Repair mode, and click Repair.
j. A message reminds you to back up your metadata before running the repairs. Click Yes to
continue. The repairs are executed. A dialog box indicates whether each repair was completed
successfully.
k. Click Finish to exit the wizard.
Note: The log will still show the WARN message. Instead, rerun the Analysis/Repair Tools
without repairing and check the log. You should not see any WARN messages.
10. Locating the Start-up Scripts and Configuration Files for the Workspace Server
On the server machine, open the script to start the SAS Workspace Server.
What configuration files are read during the server start-up?
For Linux Server

/opt/sas/config/Lev1/SASApp/WorkspaceServer/WorkspaceServer.sh
appservercontext_env.sh
level_env.sh
So APPSERVER_ROOT resolves to /opt/sas/config/Lev1/SASApp and CONFIGDIR resolves

to /opt/sas/config/Lev1/SASApp/WorkspaceServer.
The four configuration files read are as follows:
 /opt/sas/config/Lev1/SASApp/sasv9.cfg
 /opt/sas/config/Lev1/SASApp/sasv9_usermods.cfg
 /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9.cfg
 /opt/sas/config/Lev1/SASApp/WorkspaceServer/sasv9_usermods.cfg
Note: These configuration files include other reference to configuration files. The complete
list of configuration files and order of precedence can be found at the end of this
exercise.
8.4 Solutions 8-93
For Windows Server

D:\SAS\Config\Lev1\SASApp\WorkspaceServer\WorkspaceServer.bat
Appservercontext_env.bat:
Level_env.bat:
So the value of APPSERVER_ROOT resolves to D:\SAS\Config\Lev1\SASApp,

CONFIGDIR resolves to D:\SAS\Config\Lev1\SASApp\WorkspaceServer, and
CMD_OPTIONS= -config “D:\SAS\Config\Lev1\SASAp\WorkspaceServer\sasv9.cfg”
sasv9.cfg includes two other configuration files:
Note: These configuration files include other reference to configuration files. The complete
list of configuration files and order of precedence can be found at the end of this
exercise.
Note: The documentation provides information about the configuration files used by default.
This can be found in the appendix of SAS® 9.4 Intelligence Platform: System
Configuration Files for Components of SAS Application Servers
Order of Path and Filename

Precedence
1 Windows: \Lev1\server-context\server-name\sasv9.cfg
UNIX: /Lev1/server-context/server-name/sasv9.cfg
2 Windows: \Lev1\server-context\sasv9.cfg
UNIX: /Lev1/server-context/sasv9.cfg
3 Windows: SAS-install-directory\SASFoundation\9.4\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/sasv9.cfg
4 UNIX only: SAS-install-directory /SASFoundation/9.4/sasv9_local.cfg
5 Windows: SAS-install-directory\SASFoundation\9.4\locale\sasv9.cfg
UNIX: SAS-install-directory /SASFoundation/9.4/locale/sasv9.cfg
6 Windows: \Lev1\server-context\sasv9_usermods.cfg
UNIX: /Lev1/server-context/sasv9_usermods.cfg
7 Windows: \Lev1\server-context\appserver_autoexec.sas
UNIX: /Lev1/server-context/appserver_autexec.sas
8 Windows: \Lev1\server-context\appserver_autoexec_usermods.sas
UNIX: /Lev1/server-context/appserver_autoexec_usermods.sas
9 Windows: \Lev1\server-context\server-name\sasv9_usermods.cfg
UNIX: /Lev1/server-context/server-name/sasv9_usermods.cfg
10 Windows: \Lev1\server-context\server-name\autoexec.sas
UNIX: /Lev1/server-context/server-name/autoexec.sas
11. Windows: \Lev1\server-context\server-name\autoexec_usermods.sas

UNIX: /Lev1/server-context/server-name/autoexec_usermods.sas
11. (Optional) Adding System Options to the Workspace Server Launch Command
After you have determined the system options that you want to use to start your workspace server,
you can add system options to the workspace server launch command.
a. In SAS Management Console, expand Server Manager  SASApp - Logical Workspace
Server. A tree node that represents the physical workspace server is displayed.
8.4 Solutions 8-95
b. Right-click the icon for the physical workspace server, and select Properties.
c. Click the Options tab. The command to start the workspace server is displayed.
d. You would edit the text in the Command text box, which by default is set to this:
For example, here is a command with options that improve performance for a workspace server:
-rsasuser -work work-folder -ubufsize 64K -memsize 512M
-realmemsize 400M -sortsize 256M
e. If you wanted to force the workspace server to disconnect idle clients, on this Options tab, click
Advanced Options.
f. Click Launch Properties.
g. In the Inactive client timeout field, enter a numeric value (minutes) that a connected client is
allowed to remain inactive before the server disconnects the client. Specify a value of 0 to disable
this option.
h. Click Cancel in the Advanced Options dialog box.
i. Click Cancel in the Properties dialog box. (You are not making any changes.)
8.4 Solutions 8-97
If you want to specify different values for system options, or if you want to
specify additional options, then enter your updates and additions in which of
the following files for a SAS server?
a. sasv9.cfg
b. metadataconfig_usermods.xml
c. sasv9_usermods.cfg
d. autoexec.sas
46
Chapter 9 Exploring Ongoing
Administration Tasks
9.1 Updating SAS Software .................................................................................................. 9-3

Exercises .............................................................................................................................. 9-12
9.2 Finding Resources for SAS Administrators ............................................................... 9-13
9.3 Solutions ....................................................................................................................... 9-19

9-2 Chapter 9 Exploring Ongoing Administration Tasks
9.1 Updating SAS Software 9-3
9.1 Updating SAS Software
Objectives
• Explore SAS software updates.

• Explore hot fixes.
• Explore SAS maintenance packs.
• Explain how to update SAS licenses.
3
Administers who maintain software deployments must balance the need for
stability with the value of changes. Administrators could apply changes
• as soon as they are released
Maintenance Administration Tasks
• if they address a specific problem
Apply Maintenance Apply Hotfixes
• on a fixed schedule Remove or Update Existing configurations
• as needed or depending on Update Hostnames Maintain Hardware Capacity

the nature of the fix Update Passwords Update Licenses
(for example, security)
• on major maintenance boundaries.
4
Factors that influence when to update your SAS deployment:

 Corporate policies
 User community tolerance for change
 Volume of users
 Availability of fixes for identified issues
 Desire for new capabilities
 Downtime
 Ease and speed of updates
SAS Software Updates
SAS delivers software updates in several formats.
Hot fixes Targeted for specific issues

Maintenance Sets of hot fixes, enhanced capabilities, and
releases in some cases new product releases
New software Updates to the larger SAS software grouping
releases
5
Copy rig ht © SA S Institute Inc. A ll rig hts reserved.
The planning that goes into maintenance releases and new software releases is beyond this discussion.
Hot Fixes
Hot fixes are used to solve critical and frequently recurring problems.
They are tested and supported by SAS.
Hot fixes are packaged or grouped in three ways:
• Individual hot fixes
• Container hot fixes
• Hot fix bundles
6
SAS provides hot fixes to previously shipped software. A hot fix is created to resolve a number of
problems, ranging from an isolated code fix for a critical bug uncovered by a specific customer
application to a frequently recurring problem in a common code base. The hot fix tooling has changed
over time to simplify their identification and installation.
Each hot fix from SAS is tested and fully supported and then typically incorporated into the next
maintenance release or full release of the software component or product. Hot fixes are packaged or
grouped in three different ways:
 Individual hot fixes – created to fix one product or software component.
 Container hot fixes – created to provide fixes for one or more software components that must be hot
fixed together in order to provide a complete resolution to the problem being addressed. In order to
fully install the container hot fix, the container needs to be applied to each machine in the deployment
that contains one or more of the products being fixed by the container.
 Hot fix bundles – an accumulation of one or more individual hot fixes. These bundles tend to be
produced (and named) for products such as SAS Marketing Optimization and can contain a number of
fixes for different components within the product. Bundling these fixes makes it simpler for you to
obtain and install them.
For more information about hot fixes, refer to http://ftp.sas.com/techsup/download/hotfix/faq.html.
Managing Hot Fixes
SAS offers several tools to help you manage hot fixes:

• tsnews-l listserv: Receive automatic notification when hot fixes become
available:
http://support.sas.com/techsup/news/tsnews.html
• ViewRegistry reporting utility
• SAS Hot Fix Analysis, Download, and Deployment Tool (SASHFADD)
• SAS Deployment Manager
7
View Registry Reporting Utility (Review)
The ViewRegistry reporting utility

processes the deployment registry
and generates a report that identifies
currently installed software and
hot fixes.
ViewRegistry
8
The installation of SAS products is logged in the SAS Deployment Registry. ViewRegistry is a reporting
utility that processes the deployment registry to generate a report. This report identifies all SAS 9.2 and
later software that is installed in the current SASHOME location. Installed hot fixes are also logged in the
Beginning with SAS 9.4 M3, the default output reports only the current release of product components,
which are installed in the current SASHOME. Duplicate product component entries appear only for
products that support side-by-side deployment (for example, SAS Enterprise Guide and SAS Add-In for
Microsoft Office). The -all option can be used to report on all product components that have been
installed in SASHOME.
The ViewRegistry report is generated by executing the JAR file sas.tools.viewregistry.jar. This JAR file
is located in the SASHOME/deploymntreg directory and must be executed from this directory.
Two output files are produced by the reporting utility, DeploymentRegistry.html and
DeploymentRegistry.txt. The HTML and TXT output files are written in the SASHOME/deploymntreg
directory.
Note: In order to run the reporting utility, Windows users must have Write permissions for the
deploymntreg directory (the default location is D:\Program Files\SASHome\deploymntreg)
because the resulting reports are written to this location. UNIX users must have Write permission
to the SASHOME location.
For more information about using the ViewRegistry report, see Usage Note 35968, “Using the
ViewRegistry Report and other methods to determine the SAS® 9.2 and later software releases and hot
fixes that are installed.”
SAS Hot Fix Analysis, Download,

and Deployment Tool (SASHFADD)
This tool is designed to streamline the hot fix identification, download, and
install process. The tool requires that you run the ViewRegistry report tool
first and then the following occurs:
• A SAS deployment registry is analyzed.
• A customized report listing available
hot fixes is created.
• Scripts for automatically downloading
hot fixes are generated.
9
The SAS Hot Fix Analysis, Download, and Deployment tool (SASHFADD)
 analyzes a SAS Deployment Registry (DeploymentRegistry.txt)
 creates a Hot Fix Report with information and links to hot fixes, which are eligible to be installed on
the SAS deployment
 generates scripts that automate the download of the eligible hot fixes.
The SASHFADD tool can be downloaded from http://ftp.sas.com/techsup/download

/hotfix/HF2/SASHFADD.html.
The usage guide can be found here: http://ftp.sas.com/techsup/download
/hotfix/HF2/SASHFADD_usage.pdf
Reviewing the Hot Fix Report
10
The Hot Fix Report can contain up to three sections:

Hot fixes that can be downloaded and installed individually or by using the generated scripts: This
section always appears in the Hot Fix Report. It lists hot fixes that can be downloaded and installed
individually, or by using the generated download scripts, SAS Deployment Manager for SAS 9.3/9.4 or
install_scripts for SAS 9.2. Successful installation of these hot fixes is recorded in the deployment
registry. If your system is up-to-date with these hot fixes, then an appropriate message appears.
Hot fixes that are available only by clicking the Download link and following installation
instructions: This section might appear in the Hot Fix Report. It lists hot fixes that must be downloaded
and installed individually by closely following the instructions in the documentation. Successful
installation of these hot fixes might be recorded in the SAS Deployment Registry, depending on the
unique properties of the hot fix. It is possible that you will continue to see these hot fixes in the report
even if they have been successfully installed. If you have already applied these hot fixes by following the
installation instructions, then you can safely ignore their reappearance in the report.
Hot fixes containing updates only to non-English software components: This section might appear in
the Hot Fix Report. It lists hot fixes that can be applied only to systems where the languages listed with
the hot fix are installed for the specific SAS product. These hot fixes do not appear in the SASHFADD
FTP scripts. They must be downloaded by clicking the Download link. Successful installation of these
hot fixes is recorded in the SAS Deployment Registry. If you are ineligible to install these hot fixes
because you have not installed the SAS product for the languages listed, then you can safely ignore the
appearance of these hot fixes in the report. If you do not want to see these hot fixes in the report,
uncomment the line -ENGLISH_ONLY in SASHFADD.cfg.
SAS Deployment Manager (Review)
SAS Deployment Manager includes a wide variety of administration tasks

including to apply hot fixes to your deployment.
11
SAS Maintenance Packs
Maintenance packs are aggregations of hot fixes and limited features.

Maintenance packs have these features:
• can be scheduled as needed
• can introduce new supported platforms or third-party products
• can add a maintenance number to product version numbers for products
receiving maintenance
12
Maintenance packs are applied using the SAS Deployment Wizard.

Customers must request maintenance packs. They can be added to an existing software depot or a newly
created depot.
Applying a maintenance pack involves the following:
 updating software
 updating configuration
 possibly performing manual steps
SAS License Updates
SAS software is licensed on a periodic basis. In order to run your licensed

software, you must apply the SAS installation data file (SID file) to renew your
software.
When your SAS license expires, you need to do the following:
• obtain a SID (SAS Installation Data) from SAS
• apply the SID file in all of the appropriate places in your deployment
Note: In addition, some SAS solutions require the license to be updated in

the metadata.
13
The SAS Deployment Manager includes a task to update the license file in the metadata.
For troubleshooting SID file errors, see Problem Note 56371, “The Renew SAS® Software utility or SAS®
installation process produces an "invalid SID file" error after you select the SID file.”
Exercises
1. Exploring SAS Software Updates

a. Review the Usage Note that instructs on using the ViewRegistry report.
1) Open Internet Explorer and go to the Home page. You can click the Home button in the
upper right toolbar.
2) In the Search field, enter Usage Note 35968 and click Search.
3) Select the first entry, 35968 – Using the ViewRegistry Report and other methods to
determine the SAS 9.2 and later software releases and hot fixes that are installed, dated
2015-07-16.
b. Review the hot fix FAQ at http://ftp.sas.com/techsup/download/hotfix/faq.html.
c. Review SAS® Hot Fix Analysis, Download, and Deployment Tool Usage Guide at
http://ftp.sas.com/techsup/download/hotfix/HF2/SASHFADD_usage.pdf.
2. Exploring How to Update SAS Licenses
Navigate to support.sas.com/techsup. Use the Search box to search for information about how
to update SAS licenses. For example, you can search for SAS 9.4 update license. Review
the information that is relevant to your deployment version and software.
9.2 Finding Resources for SAS Administrators 9-13
9.2 Finding Resources for

SAS Administrators
Objectives
• Identify areas of support that SAS offers to support the deployment and
administration communities.
• List additional available resources.
17
Where to Go for Help
18
SAS provides a wide array of tools and resources designed to help you find answers and resolve
problems. From the SAS customer support website at support.sas.com, you can access the extensive SAS
knowledge base, where you can find information about SAS software, SAS product documentation, SAS
technical papers, samples, SAS notes, and much more.
Documentation
19
SAS documentation is available in multiple formats, based on your needs. Product documentation is
organized by usage, such as Installation, Configuration, and Migration information, Administration
information, or a Programmer’s Bookshelf. There is also extensive search capabilities, by keywords,
release, or product. Documentation on current releases as well as previous releases is provided.
In addition to product documentation, many different forms of technical papers and conference
proceedings are available.
 SAS Technical Papers – http://support.sas.com/resources/papers/index.html
 SAS Technical Papers » Installation and Enterprise Administration –
http://support.sas.com/resources/papers/tnote/tnote_enterprise.html
 SAS Global Forum Conference Proceedings –
http://support.sas.com/events/sasglobalforum/previous/online.html
 SAS Presents – Technical Papers and Presentations – http://support.sas.com/rnd/papers/index.html
Install Center
20
SAS Install Center contains the most up-to-date installation and configuration documentation for SAS
software. The documentation on this site is grouped by SAS release, installation, and configuration type.
System Requirements
21
Information about supported operating systems and associated platforms can be found in the System
Requirements section of the Knowledge Base on support.sas.com. The supported operating systems
derived from this page are for a set of products made up of the combination of Base SAS and the
orderable server-side products that are installed at the same time as Base SAS.
Samples and SAS Notes
22
Samples & SAS Notes provide useful examples of using SAS software. There are different types of SAS
notes available at the Samples & SAS Notes section of the Knowledge Base:
 Usage Notes – These notes provide information, examples, and suggestions for usage of SAS software.
 Installation Notes – These notes are focused on SAS installations, providing useful information and
references for install-related questions.
 Problem Notes – These notes contain useful information about usage problems, and provide
information about workarounds and available hot fixes.
http://support.sas.com/notes/index.html
Subscriptions
23
E-Newsletters – http://support.sas.com/community/newsletters/index.html
 SAS Tech Report
 SAS Statistics and Operations Research News
 SAS Learning Report
 SAS Book Report
 SAS Global Certification News
TS-NEWS-L – http://support.sas.com/techsup/news/tsnews.html
SNOTES-L – http://support.sas.com/techsup/news/snotes.html
Security Bulletins – http://support.sas.com/security/alerts.html
RSS feeds and Blogs – http://support.sas.com/community/rss/
SAS-L – User supported Listserv – listserv.uga.edu/archives/sas-l.html
Administration Online
24
There are multiple online communities focused on SAS deployment and administration.
 SAS Communities - https://communities.sas.com/
 Administrator Blog Series - http://blogs.sas.com/content/sgf/tag/sas-administrators/
 Administration and Deployment Community - https://communities.sas.com/t5/Administration-and-
Deployment/bd-p/sas_admin
9.3 Solutions 9-19
9.3 Solutions
1. Exploring SAS Software Updates
a. Review the Usage Note that instructs on using the ViewRegistry report.
1) Open Internet Explorer and go to the Home page. You can click the Home button in the
upper right toolbar.
2) In the Search field, enter Usage Note 35968 and click Search.
3) Select the first entry, 35968 – Using the ViewRegistry Report and other methods to
determine the SAS 9.2 and later software releases and hot fixes that are installed, dated
2015-07-16.
b. Review the hot fix FAQ at http://ftp.sas.com/techsup/download/hotfix/faq.html.

c. Review the SAS® Hot Fix Analysis, Download, and Deployment Tool Usage Guide
at http://ftp.sas.com/techsup/download/hotfix/HF2/SASHFADD_usage.pdf.
2. Exploring How to Update SAS Licenses
Navigate to support.sas.com/techsup. Use the Search box to search for information about how
to update SAS licenses. For example, you can search for SAS 9.4 update license. Review
the information that is relevant to your deployment version and software.
Chapter 10 Learning More
10.1 SAS Resources ............................................................................................................. 10-3
10.2 Beyond This Course ..................................................................................................... 10-6

10-2 Chapter 10 Learning More
10.1 SAS Resources 10-3
10.1 SAS Resources
Objectives
• Identify areas of support that SAS offers.

• List additional resources.
3
Education
SAS Education provides comprehensive training to deliver greater value

to your organization.
• more than 200 course offerings
• world-class instructors
• multiple delivery methods
• training centers around the world
http://support.sas.com/training
4
SAS Books
Convenient. Practical. Enlightening.

Valuable insight with solid results.
Available in a variety of formats to best meet your needs:
• hard-copy books
• e-books
• PDF
www.sas.com/store/books
5
SAS Global Certification Program
SAS Education enables you to validate your skills and knowledge through
certification and includes the following:
• globally recognized certifications
• preparation materials
• practice exams
http://support.sas.com/certify
6
10.1 SAS Resources 10-5
Customer Support
SAS provides a variety of self-help and assisted-help resources including

the following:
• SAS Knowledge Base
• downloads and hot fixes
• license assistance
• SAS discussion forums
• SAS Technical Support
http://support.sas.com/techsup/
7
User Groups and SAS Support Communities
SAS supports many local, regional, international, and special-interest

SAS user groups.
http://support.sas.com/usergroups
SAS Support Communities enable you to collaboratewith SAS and other

SAS users.
http://communities.sas.com
8
Networking
Social media channels, SAS blogs, and user group organizations enable you to
• interact with other SAS users and SAS staff
• learn new programming tips and tricks
• obtain exclusive discounts.
http://support.sas.com/socialmedia
9
10.2 Beyond This Course
Objectives
• Introduce the different types of SAS training.

• Identify additional learning opportunities that follow this course.
12
10.2 Beyond This Course 10-7
Several “Flavors” of SAS Training
SAS Education provides a variety of training formats that are designed

to satisfy your learning style, including the following:
• classroom
• Live Web
• e-learning
• on-site training
• mentoring
http://support.sas.com/training/options
13
Classroom Training and e-Learning
SAS Education provides training on all aspects of the SAS System.
Classroom training can be delivered in SAS training centers, in the Live Web
classroom, and at your site.
http://support.sas.com/training/us/paths
SAS e-Learning provides award-winning training when and where you need it.
http://support.sas.com/elearn
14
SAS Platform Training Paths
SAS Education training paths are used to organize training by similar

functionality based on common job tasks.
Business
The training paths for the SAS platform include Intelligence
the following: Data
Management
• Administration
• Data Management
• Business Intelligence
Administration
15
Additional Training Categories
In addition to SAS platform training, courses are available in the following

areas:
• Advanced Analytics
• SAS Foundation
• SAS Solutions
Visit http://support.sas.com/training/us/paths to view all of the courses that

are available to meet your training needs.
16
10.2 Beyond This Course 10-9
SAS Video Tutorials
SAS Education provides an extensive set of “how-to” videos, tutorials,

and demos to learn tips and tricks for working with SAS software.
http://support.sas.com/training/tutorial
17
Next Steps
After you complete this course, you have access to extended learning
resources, including the following:
• an electronic copy of the course notes
• links to technical papers
• links to SAS Publishing documentation and books
• links to white papers, SAS Global Forum papers, and much more
To grow your SAS skills, remember to activate the extended learning page for
this course.
18

Lwspafm4 001

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lwspafm4 001

Uploaded by

Copyright:

Available Formats

SAS® Platform

Administration: Fast Track

SAS® Platform Administration: Fast Track Course Notes

1.4 Solutions ........................................................................................................................ 1-60

Chapter 2 Reviewing SAS Platform Architecture ................................................ 2-1

2.1 Exploring the Platform Architecture ................................................................................ 2-3

2.2 Operating SAS Servers and Spawners ........................................................................... 2-19

2.3 Exploring SAS Environment Manager .......................................................................... 2-32

2.4 Exploring SAS Environment Manager Service Architecture......................................... 2-54

2.5 Solutions ........................................................................................................................ 2-71

3.2 Exploring SAS Metadata Objects .................................................................................. 3-16

3.3 Implementing a SAS Metadata Server Cluster .............................................................. 3-36

3.4 Backing Up the SAS Metadata Server ........................................................................... 3-49

3.5 Backing Up the SAS Environment ................................................................................ 3-63

3.6 Solutions ........................................................................................................................ 3-84

Chapter 4 Understanding Initial Authentication and Administering

4.1 Exploring Initial Authentication to the Metadata Server ................................................. 4-3

4.2 Administering Users and Groups ................................................................................... 4-13

4.3 Using Import Macros ..................................................................................................... 4-22

4.5 Administering Roles and Administrative Identities ....................................................... 4-44

4.6 Solutions ........................................................................................................................ 4-53

Chapter 5 Managing SAS® Compute Servers and Spawners ............................. 5-1

5.1 Understanding SAS Compute Servers ............................................................................. 5-3

5.2 Exploring Credential Management ................................................................................ 5-28

5.3 Administering Server Logging ...................................................................................... 5-43

5.4 Solutions ........................................................................................................................ 5-62

Chapter 6 Securing Metadata ................................................................................ 6-1

6.1 Reviewing Metadata Security .......................................................................................... 6-3

6.2 Exploring Metadata Permissions and ACTs ................................................................... 6-25

6.3 Customizing SAS Folders .............................................................................................. 6-45

6.4 Solutions ........................................................................................................................ 6-68

Chapter 7 Establishing Connectivity to Data Sources ....................................... 7-1

7.1 Registering Libraries and Tables in Metadata .................................................................. 7-3

Demonstration: Registering SAS Library and Table Metadata in

7.2 Setting Up Data Access .................................................................................................. 7-27

7.3 Solutions ........................................................................................................................ 7-44

Chapter 8 Monitoring Your SAS® Environment ................................................... 8-1

8.2 Reviewing SAS Middle-Tier Architecture ..................................................................... 8-26

8.3 Additional Topics on SAS Server Maintenance............................................................. 8-48

8.4 Solutions ........................................................................................................................ 8-59

Chapter 9 Exploring Ongoing Administration Tasks .......................................... 9-1

9.1 Updating SAS Software ................................................................................................... 9-3

9.2 Finding Resources for SAS Administrators ................................................................... 9-13

9.3 Solutions ........................................................................................................................ 9-19

Chapter 10 Learning More ..................................................................................... 10-1

10.1 SAS Resources ............................................................................................................... 10-3

10.2 Beyond This Course ....................................................................................................... 10-6

Exercises .............................................................................................................................. 1-17

Exercises .............................................................................................................................. 1-55

1.4 Solutions ....................................................................................................................... 1-60

Solutions to Student Activities (Polls/Quizzes) ..................................................................... 1-86

1.1 Exploring the Platform for SAS

• Compare the types of SAS installations.

Varieties of SAS Deployments

With SAS®9, there are two types of SAS® Viya™

Platform for SAS Business Analytics

The platform for SAS Business Analytics is enterprise software with

SAS High-Performance Analytics

The SAS High-Performance Analytics infrastructure consists of software that

SAS High-Performance Analytics: SAS Grid Computing

SAS Grid Manager provides a shared, centrally managed analytic computing

The data management components enable you to consolidate and manage

SAS Business Intelligence