The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2006. SAS Solutions Services 1.3: System Administration Guide, Second Edition. Cary, NC: SAS Institute Inc. SAS Solutions Services 1.3: System Administration Guide, Second Edition Copyright 2006, SAS Institute Inc., Cary, NC, USA All rights reserved. Produced in the United States of America. For a Web download or e-book: Your use of this publication shall be governed by the terms established by the vendor at the time you acquire this publication. U.S. Government Restricted Rights Notice. Use, duplication, or disclosure of this software and related documentation by the U.S. government is subject to the Agreement with SAS Institute and the restrictions set forth in FAR 52.227-19 Commercial Computer Software-Restricted Rights (June 1987). SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513. 1st printing, December 2006 SAS Publishing provides a complete selection of books and electronic products to help customers use SAS software to its fullest potential. For more information about our e-books, e-learning products, CDs, and hard-copy books, visit the SAS Publishing Web site at support.sas.com/pubs or call 1-800-727-3228. SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.
Contents

Chapter 1 Understanding SAS Solutions Services
  Overview of SAS Solutions Services
  Architecture
  Assumptions and Recommendations
  Required Skills
  Documentation Conventions

Chapter 2 Planning, Installing, and Configuring SAS Solutions Services and the Solutions
  Overview of Configuration
  Plan the Installation
  Install the Software
  Set Application Properties
  Make Localization Changes, If Necessary
  Secure Your System
  Load Transformations and Jobs
  Back Up the System
  Verify Using Sample Data (Optional)
  Create the Site's Users and Groups
  Configure Content
  Load Production Data
  Install the SAS Strategic Performance Management Migration Wizard (Optional)
  Load Client Applications
  Configure the J2EE Application Server and Web Applications
  Maintain the System
  Check SAS Notes for Additional Information

Chapter 3 Planning the Site's Security
  About Security
  Authentication
  Authorization
  Server Security and Data Transmission
  Auditing

Chapter 4 Authentication and User Security
  Overview of Authentication and User Security
  Default Users and Groups
  Determining Group and Role Assignments
  Registering Users
  Synchronizing Users, Groups, and Roles

Chapter 5 Content Administration
  What Is Content?
  Organizing Content
  About Security Authorization for Content
  Defining Security Authorization for Content
  Creating Site Content

Chapter 6 J2EE Server Administration
  BEA WebLogic Administration
  IBM WebSphere Administration
  Configuring the Web Applications
  Configuring Themes
  Using ODCS Clustering to Reduce Wait Time

Chapter 7 Portal Administration
  About Portal Administration
  Assigning a Content Administrator
  Creating Default Portal Pages
  Customizing the Portal
  Accessing the Default Portlets of the SAS Information Delivery Portal
  Securing Logs to Enhance Portal Security

Chapter 8 Application Administration
  Administering the Remote Services
  About Solutions Administration
  Configuring Applications Using the SAS Management Console
  Using the Solutions Web Administration Application
  Configuring Log Files
  Using Command-Line Diagnostic Tools

Chapter 9 Server Security and Encryption
  About Server Security
  Basic Protections
  Securing Data Exchanges between Server Components
  Secure Sockets Layer (SSL)

Chapter 10
  MySQL Overview
  MySQL Installation and Configuration (Windows)
  MySQL Installation and Configuration (UNIX)
  Backing Up MySQL Databases
  MySQL Security Issues

Chapter 11
  About WebDAV
  Configuring Content Folder Permissions on the Xythos WebFile Server
  Changing the Apache Port Number
  More Information

Chapter 12 Configuration Files

Chapter 13 Deploying SAS Web OLAP Viewer and SAS Web Report Studio
  SAS Web OLAP Viewer for Java
  SAS Web Report Studio and SAS Web Report Viewer

Chapter 14
  Configuring Logging for ETL Jobs
  Uninstalling the Client Applications

Appendix 1 Port Usage

Appendix 2 Log Files
  Log Files on the Data Tier
  Log Files for Client Applications

Appendix 3 Troubleshooting
  General Troubleshooting Tips
  Errors in the SASV9.CFG File
  Errors in the Portal
  BEA WebLogic Errors
  IBM WebSphere Errors and Warnings
  MySQL Errors
  Errors Running Client Applications

Index
CHAPTER 1
Understanding SAS Solutions Services
Overview of SAS Solutions Services; Architecture; Assumptions and Recommendations; Required Skills; Documentation Conventions
• Dimension Management provides the ability to create, manage, and add values to dimensions and hierarchies. A Java client application, Dimension Editor, allows the user to interactively create and modify the dimensions.
• Microsoft Office integration provides the ability to integrate documents from SAS Solutions Services within the Microsoft Office suite of applications. There is a common SAS Solutions Services Add-In for Microsoft Office that can be extended by solutions that want to add their document types.
• Data-level security allows application objects that are represented by data in the Solutions Data Mart to be secured using an object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies).
Architecture
The diagram in Figure 1.1 on page 3 gives an overview of the n-tier architecture of SAS Solutions Services and the solutions. The presentation tier includes Web browser-based clients, add-ins to Microsoft Office applications, and Java desktop applications such as Dimension Editor. On the middle tier, SAS applications are deployed to a J2EE application server, usually as either Web Archive (WAR) files (such as the SAS Information Delivery Portal) or Enterprise Archive (EAR) files. SAS Solutions Services is deployed in this middle tier, along with specific domain solutions applications, such as SAS Strategic Performance Management or SAS Financial Management. The SAS Foundation Services (running in a separate Java Virtual Machine) are extended to support SAS Solutions Services and are also deployed in this tier. The data and compute tier typically hosts the SAS application servers, the SAS Metadata Server, the MySQL server, and the WebDAV repository. However, these components might reside on multiple physical machines.
2 Select the View tab.
3 Under Advanced Settings, select Show hidden files and folders.
• This guide lists the default password values for accounts that are created during the installation process. You might have chosen different passwords during your installation.
• SAS Solutions Services uses the SAS Intelligence n-tier architecture, as described in the SAS Intelligence Platform: System Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). This architecture enables software components that are installed on a single machine or on multiple physical machines (servers). While this guide refers to different tiers within the documentation, it is assumed that you understand how to determine the appropriate n-tier structure for your installation and configuration.
• Microsoft Internet Explorer 6.0 or greater is required for use as your Web browser.
Required Skills
To administer the solutions software, you must be familiar with the operating system on which it is installed. For example, you must know how to create folders, run scripts (.bat files or .sh files), and update environment variables. On Microsoft Windows, you must be an administrator of the machine.
Documentation Conventions
This book uses the following documentation conventions to identify paths in the solutions configuration:
Table 1.1
Path
SAS-install-dir
SAS-config-dir
BEA-home-dir
WebSphere-install-dir
MySQL-install-dir
Apache-install-dir
Xythos-install-dir
File system pathnames are typically shown with Windows separators (\); for UNIX, substitute a forward slash (/).
CHAPTER 2
Planning, Installing, and Configuring SAS Solutions Services and the Solutions
Overview of Configuration
Plan the Installation
Install the Software: Installation Overview; Install SAS/GRAPH Maps (Optional); Change Threading Options for SAS Metadata Server (Optional); Configure the SAS Servers for Alternative Authentication Mechanisms (Optional)
Set Application Properties
Make Localization Changes, If Necessary
Secure Your System: About Securing Your System; Remove Unnecessary Default Metadata Identities; Configure Security Settings for Folders and Files (Windows); Protect System Configuration Folders; Protect Additional Folders and Files; Configure Security Settings for Folders and Files (UNIX); Default Settings; Additional Settings; Secure the J2EE Server Configuration; Secure Your WebDAV Installation; Secure Data Transmissions (Optional)
Load Transformations and Jobs: Apply Hot Fixes; Set Up a SAS Data Integration Studio User; Define a Batch Job Deployment Directory (Optional); Import Transformations, Jobs, and Error and Exception Table Metadata; Restrict the Events That Data Administrators See (Optional)
Back Up the System
Verify Using Sample Data (Optional): Load Sample Data; Verify the System; Restore the System
Create the Site's Users and Groups: Overview; Grant Log on as a batch job Rights to Users (Windows); Create Metadata Identities; Run the UserGroupValidation Utility
Configure Content: Overview; Assign a Content Administrator; Create Content Folder Structure for the Site; Modify Permissions for Information Maps; Modify Permissions for OLAP Cubes; Create Content for the Site; Set Permissions to Refresh Stored Process Reports; Configure the Information Delivery Portal for the Site
Load Production Data
Install the SAS Strategic Performance Management Migration Wizard (Optional)
Load Client Applications
Configure the J2EE Application Server and Web Applications
Maintain the System: Synchronize the Server Clocks; Restart Servers; Tune System Performance; Monitor and Maintain Your System
Check SAS Notes for Additional Information
Overview of Configuration
SAS Solutions Services, and the solutions that use SAS Solutions Services, are built on the SAS 9 Intelligence Architecture. The SAS Intelligence Platform: Installation Guide describes several planning steps that can occur prior to the physical installation and configuration of the software. As a system administrator or consultant, you should be familiar with those planning steps as well as the steps outlined in this guide. Because solutions are geared towards specific user communities, the solutions can provide information for some of these planning areas.
Following are the steps that are used during installation and configuration. Note that the initial installation and configuration of solutions includes a set of installation verification data that you can use to verify the installation. This data is also called sample data, because it can be used to demonstrate the software. Before a production warehouse can be loaded, the installation verification data must be removed.
For information about the files that are installed with SAS Solutions Services and the solutions, see Chapter 12, "Configuration Files," on page 121. For more information about the solutions, see the online Help and user's guides, as well as the SAS Solutions Services: Data Administration Guide (available at http://support.sas.com/documentation/solutions/admin).
For more information about the SAS Intelligence Platform, see the following references:
• SAS Intelligence Platform: Installation Guide
• SAS Intelligence Platform: System Administration Guide
• SAS Intelligence Platform: Security Administration Guide
• SAS Intelligence Platform: Application Server Administration Guide
• SAS Intelligence Platform: Web Application Administration Guide
These books are available at http://support.sas.com/documentation/configuration/913admin.html.
1 Determine the set of users that are necessary to run SAS Solutions Services and the solutions.
2 Decide on the authentication method(s) to be used
For more information, see Chapter 4, Authentication and User Security, on page 33.
Installation Overview
1 Using SAS Software Navigator, install and configure the SAS Intelligence
well as the installation guide for SAS Financial Management, SAS Strategic Performance Management, and SAS Human Capital Management.
3 Follow the procedures described in the remainder of this chapter.
To install selected maps, expand SAS/Graph Map Data Sets and select only the locations needed.
you must make to the server configuration (.cfg) files to support authentication mechanisms such as LDAP or Active Directory.
In the HR repository, navigate to Server Manager. Right-click HR-OLAP and select Properties. Click the Olap Schema tab. Make a copy of the text that is displayed there. In English, this text is HR-OLAP - OLAP Schema, but you will see a translated string.
5 Replace the text to the right of the equal sign with the translated text from the
also should protect the physical server(s) that make up the middle-tier level, where your J2EE server is running. In addition to the MySQL database, files on these servers might contain vital information such as encoded passwords.
StoredProcessServer, StoredProcessServer\logs
SASFinancialManagement\SASCode\ETLMetadata
SASHumanCapitalManagement\SASCode\Jobs
SASStrategicPerformanceManagement\SASCode\Jobs
query cache library for SAS Web Report Studio**: Grant all SAS Web Report Studio users read, write, and execute permissions for the directory that holds the cache. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.
* By default, these folders are located under SAS-Config-Dir\Lev1\SASMain\. To learn more about the configuration directory structure, see Chapter 12, "Configuration Files," on page 121.
** During installation and configuration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specified for the puddle login definitions in your pool. To use the query cache, make sure each puddle login definition has access permissions (read and write) for the query cache library. If you have not configured pooling, then each requesting user's individual (or shared) account will need read and write permissions for the library in order to access the tables. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the cache directory, so that files can be deleted automatically and the cache will not become too large. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.
For additional information, see "Securing a Deployment" in the SAS Intelligence Platform: Security Administration Guide. This chapter describes setting folder permissions, securing your metadata repositories, encryption, and related topics. If you installed SAS Web Report Studio, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide. This chapter includes information about securing the folders that are used by SAS Web Report Studio, including folders that hold temporary files. Both books can be found at http://support.sas.com/documentation/configuration/913admin.html.
MySQL-Install-Dir\bin
Read, write, execute Read, write, execute Read, execute Read, execute
All other Lev1 directories and files All other Lev1 scripts
Additional Settings
After installation, change directory to SAS-config-dir and set the following additional permissions:
Note: The -R flag is used to set permissions recursively.
Lev1/SASMain
Depending on the solutions that you have installed:
Lev1/SASMain/SASSolutionsServices/SASCode/Jobs
Lev1/SASMain/SASSolutionsServices/SASCode/ETLMetadata
Lev1/SASMain/SASSolutionsServices/SASFormats
Lev1/SASMain/SASFinancialManagement/SASCode/Jobs
Lev1/SASMain/SASFinancialManagement/SASCode/ETLMetadata
Lev1/SASMain/SASStrategicPerformanceManagement/SASCode/Jobs
Lev1/SASMain/SASHumanCapitalManagement/SASCode/Jobs
user-defined stored processes: If you have created any directories to hold stored processes that are created by users, set those directories' permissions to allow full access for the sas user ID and the sas user group. For example:
chmod -R 770 Lev1/SASMain/SASSolutionsServices/SASCode/UserDefined
Grant all SAS Web Report Studio users read and write permission for the query cache, unless workspace server pooling is enabled. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.
* During installation and configuration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specified for the puddle login definitions in your pool. To use the query cache, make sure each puddle login definition has access permissions (read and write) for the query cache library. If you have not configured pooling, then each requesting user's individual (or shared) account will need read and write permissions for the library in order to access the tables. If workspace server pooling has not been configured, then the query cache is not automatically cleared. You might want to clear these files on a regular basis so that the cache will not grow too large. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the directory. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.
If you want multiple users to be able to update the same data sets that are created by SAS Data Integration Studio, you might want to set the default umask that is applied to the data sets when they are created. For more information, see "Administering SAS Data Integration Studio" in SAS Intelligence Platform: Desktop Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
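The UNIX settings above (the chmod -R 770 example for user-defined stored process directories, and the note that the query cache can be tightened once workspace server pooling is set up) can be checked after the fact. The script below is an added example and is not part of the SAS guide; the UserDefined and wrstemp paths are the ones shown in this section, and the function names and the "pooled" argument are made up for illustration.

```shell
#!/bin/sh
# Added example (not SAS code): audit the UNIX permissions described in
# "Additional Settings".
# Assumptions: SAS-config-dir is passed as the first argument, and
# user-defined stored processes live in the directory used in the guide's
# chmod example. A site may keep them elsewhere.

USER_DEFINED_REL='Lev1/SASMain/SASSolutionsServices/SASCode/UserDefined'
QUERY_CACHE_REL='Lev1/SASMain/Data/wrstemp'

# List every file or directory under $1 that grants read, write or execute
# to "other". After "chmod -R 770" this list is empty. Symbolic links are
# skipped because their own mode bits are not what the kernel enforces.
list_other_access() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Print the number of entries under $1 that are open to "other".
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Succeed (exit status 0) when directory $1 itself is writable by "other".
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print)" ]
}

# Audit one SAS-config-dir. Pass "pooled" as $2 when workspace server pooling
# is configured; only then is a world-writable query cache reported, because
# without pooling every requesting user needs read and write access to it.
# The return status is the number of findings (0 means clean).
audit_sas_config() {
    config_dir=$1
    pooling=${2:-unpooled}
    findings=0

    ud="$config_dir/$USER_DEFINED_REL"
    if [ -d "$ud" ]; then
        n=$(count_other_access "$ud")
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $n entries under $ud are accessible to other:"
            list_other_access "$ud" | sed 's/^/  /'
            findings=$((findings + 1))
        fi
    fi

    cache="$config_dir/$QUERY_CACHE_REL"
    if [ -d "$cache" ] && [ "$pooling" = pooled ] && is_world_writable "$cache"; then
        echo "FINDING: $cache is world-writable although pooling is configured"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage (path is a placeholder): audit_sas_config /path/to/SAS-config-dir pooled
```

Directories that do not exist are skipped, so the same script works whichever solutions are installed.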
you applied the sas.allpermissions.weblogic.policy file during the initial testing, you should reapply the sas.weblogic.policy file. For more information, see the instructions.html file that was generated by the SAS Configuration Wizard. That file is located in SAS-config-dir\SASSolutionsConfig.
• For information about the filter policy file and security configuration for WebSphere, see the instructions.html file that was generated by the SAS Configuration Wizard.
dis34.html.
2 Download and install Hot Fix 34DATABLDR02.
3 Log on to the SAS Management Console as an administrator.
4 Select Tools
events that can be sent to the portal. The only event that is appropriate in this context is the DataChanged event. Consequently, you want to deny Data Administrators permission to see all other events. To set metadata permissions on events, follow these steps:
1 Log on to the SAS Management Console.
2 Expand Foundation Services Manager
Broker Service.
You should see a list of all available events, similar to the image below:
steps:
a Right-click the event name and select Properties.
b Click the Authorization tab.
c Click the Add button, and add the Data Administrator role to Selected Identities.
d Click OK.
e Deny all permissions to the Data Administrator. Ensure that the background for each of the check boxes is white, as shown in the image that follows. (If the check box has a non-white background, click the box again to clear the background.) This last step ensures that the permission is set directly on the item and that any future changes to its inherited permission set do not affect it.
For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2 Log on to the middle-tier server and load the sample data to be used for installation verification:
dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
b If this is a multi-machine configuration, start the Ant server. On Windows,
Windows:
SolutionsLoadSampleData.bat
On UNIX:
./SolutionsLoadSampleData.sh
d If you have installed SAS Human Capital Management, you can also load the
On UNIX:
./HCMLoadSampleData.sh
ii After loading the sample data, re-create the HCM cubes and information maps. For more information, see the SAS Solutions Services: Data Administration Guide.
3 Create any sample users and groups necessary for demonstration and verification purposes.
4 Synchronize users and groups by following these steps:
a Log on to the portal as a member of the Administrators group.
b Open the Document Manager and click the Browse tab.
c From the Repository drop-down list, select Solutions. To support different content types and dependencies, the Browse page displays documents and folders for one repository at a time. Your repository selection is remembered and applied the next time you open the Document Manager.
d Navigate to SAS Content → Data Management → Solutions Data Mart.
e Click the action menu beside the Import Users and Groups stored process and select Refresh.
5 Create any document folders necessary for demonstration and verification purposes.
6 Optionally, administer data-level security on the installation verification data for demonstration and verification purposes. For instructions, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).
1 Run the MailValidation utility to check that the e-mail interface was set up correctly. For details, see "Validate the E-Mail Interface" on page 111.
2 Log on to the portal as sasdemo.
3 Add an instance of each portlet.
4 In the My Favorites portlet, add the Manage Documents task.
5 Select Manage Documents and import a document to the SAS Demo User folder.
6 Add a comment to the document.
Be sure to include the SAS General Server User (sassrv). Note: This is an operating-system group, not a SAS metadata identity. It can be created as a network (global) group, or it can be created as a local group on each server machine.
2 On each server machine, assign the Log on as a batch job right to the SAS Server Users group. These rights must be assigned locally. For more information about assigning local policy rights, see your computer's online help.
Configure Content
Overview
In terms of SAS Solutions Services, content is defined as any document, stored process, or viewable object. SAS Solutions Services provides a Web application, called the Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Manager's tree view can also be shown in portlets. Content configuration tasks include creating the site's content folder structure in the Document Manager, creating stored process reports, and configuring the Information Delivery Portal.
• "Organizing Content" on page 52
• "About Security Authorization for Content" on page 53
• "Defining Security Authorization for Content" on page 55
If you have installed SAS Web Report Studio, the typical location for its maps is BI Manager → BIP Tree → Report Studio → Maps.
Note: The first time that a user opens SAS Web Report Studio, the ReportStudio folder structure is created for that domain in the metadata repository and in the external content server (WebDAV).
4 Right-click the Maps folder and select Properties.
5 Click the Authorization tab.
6 Grant Solutions Users these permissions: Read and ReadMetadata.
You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly; that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.
→ Resource Management → By Location → OLAP server name → OLAP server name OLAP Schema. Right-click OLAP server name → OLAP server name OLAP Schema and select Properties.
5 Click the Authorization tab.
6 Grant Solutions Users these permissions: Read and ReadMetadata.
You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directly; that is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white. You can also set permissions for an individual cube, a dimension, a hierarchy within a dimension, or a level within a dimension. For details, see the SAS OLAP Server:
For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2 Load production data. The user and group information is retained in metadata. For instructions about loading production data and applying data security, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).
For WebLogic managed servers, see "Changing the Port Number for a Managed Server" on page 69.
• Configure ODCS clustering to improve performance. ODCS clustering is designed to reduce wait time by distributing query processing to additional machines. For more information, see "Using ODCS Clustering to Reduce Wait Time" on page 76.
For additional information about J2EE application administration, see Chapter 6, "J2EE Server Administration," on page 63.
Restart Servers
If you are running SAS Human Capital Management on the BEA WebLogic application server: for best performance, we recommend that you restart the managed servers, as well as the SAS application servers, once a week.
Describes useful log files, some of which might need regular rotation to prevent their becoming too large. For information about controlling the level of information that is logged, see "Configuring Log Files" on page 105.
CHAPTER 3
Planning the Site's Security
About Security; Authentication; Authorization; Server Security; Auditing
About Security
SAS Solutions Services and the solutions that use SAS Solutions Services build on the SAS Intelligence Architecture security plan, as described below. You should be familiar with the Security Administration chapters of the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
Authentication
Authentication is the process of verifying the identity of a person or process within the guidelines of a specific policy. Authentication is a prerequisite for authorization. An authentication provider is a technology that servers or applications can use to verify that users are who they say they are. An implementation of SAS Solutions Services and the solutions uses the authentication providers supported by the SAS Intelligence Platform:
• By default, the authentication provider for a SAS server is the host operating system of the machine on which the server is running. When you request access to a SAS server that is using the default authentication process, the server asks its host environment to verify that your user ID and password correspond to a valid user account in the operating system. This method of verifying identities is called host authentication.
• At many sites, the host authentication process makes use of LDAP or Active Directory as a back-end authentication mechanism.
• SAS Web applications run on third-party servers that can use a variety of authentication providers. For more information, see the documentation for the third-party server on which your SAS Web applications run.
• SAS Solutions Services and the various solutions applications (such as SAS Financial Management and SAS Strategic Performance Management) are deployed on standard J2EE application servers. These servers might also employ a variety of third-party authentication providers.
Authorization
Authorization is the process of determining which users have which permissions for which resources. The outcome of the authorization process is an authorization decision that permits or denies a specific action on a specific resource, based on the requesting user's identity and group memberships. It is important to understand how authorization works in the SAS Intelligence Platform and with SAS Solutions Services. Authorization enables you to perform the following activities:
• manage access to resources across multiple authorization layers
• define an effective, manageable set of access controls in the metadata authorization layer
The SAS Intelligence Platform uses an authorization facility to control user access to repositories and to specific metadata in those repositories. The authorization facility is a subsystem of the SAS Metadata Server that returns authorization decisions based on access controls that are in the metadata. To secure a metadata resource, you must create authorization metadata and associate it with your resource metadata. The authorization metadata defines who can do what to a given resource. The secured resources can be both metadata and the actual computing resources represented by the metadata.
The SAS Metadata Server enforces ReadMetadata, WriteMetadata, and CheckinMetadata permissions on resources. The authorization facility also provides a mechanism by which client applications can request authorization decisions on other actions which include Create, Delete, Read, Write, and Administer permissions. Applications use the authorization facility to obtain a user's authorization to perform an action defined by the application. In this way, it is the responsibility of the application to request and enforce authorization decisions.
In order to effectively secure a site's enterprise metadata, an administrator must understand these concepts:
• the authorization facility
• the default security provided by the metadata server
• the way in which the authorization facility makes authorization decisions
• the options that are available for securing metadata
In addition, the administrator needs to know the security requirements that SAS Solutions Services and related SAS applications might have that are enforced via metadata. In particular:
• The SAS Intelligence Platform provides the ability to secure data such as tables and columns via metadata security. The authorization facility of the SAS Metadata Server evaluates and enforces specific metadata layer permissions. There are three basic types of access controls that you can use to set permissions in the metadata authorization layer, including:
• For some forms of table access, row-level security is provided via information that is stored in a separate table in the Solutions Data Mart. Modifying this security information is a customization.
• Application objects that are represented by data in the Solutions Data Mart are secured by means of an extended object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies). This facility is shared by SAS Solutions Services and applications such as SAS Financial Management and SAS Strategic Performance Management. For detailed information about applying this object-based security, see the documentation for the solutions.
The ability of users to perform a particular action is determined not only by these metadata-based access controls, row-level security schemes, and application-level authorization, but also by external authorization mechanisms such as operating system permissions and database controls. In order to perform a particular action, a user must have the necessary permissions in all of the applicable authorization layers. For additional information about authorization in the SAS Intelligence Platform, see the SAS Intelligence Platform: Security Administration Guide.
information does not fall into the wrong hands. However, this distributed model often requires more than application-level authorization and data security. It is also important to consider how access to physical servers is configured. In general, the solutions are designed for use inside a corporate firewall. Because much of the data deals with particularly sensitive information, an organization typically deploys a firewall at appropriate network gateways to protect the resources of its private network from users of other networks. This private network (or intranet) enables an enterprise to provide its workers with access to protected data resources.

As organizations distribute the business intelligence found in their data, there is an increased need to ensure the confidentiality of business transactions over a network and within an enterprise. SAS Solutions Services makes available a number of data security technologies from SAS and from third parties to further protect data and credentials (such as user IDs and passwords) that are exchanged in a networked environment. Fundamental to these technologies is the use of proven, industry-standard encryption algorithms for data protection. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. Although encryption increases the protection of data, it does not prevent unauthorized access to data. For more information about these security mechanisms, see Chapter 9, "Server Security and Encryption," on page 113.
Auditing
It is not enough to protect data resources and applications by prohibiting access by unauthorized users. A good security system must also provide a record that indicates who has accessed an application or resource and what operations he or she has performed during a given period of time. Such records are known as audit trails, and they are useful not just in maintaining security but also in identifying the process by which information is routed through the system. SAS Solutions Services provides several mechanisms for producing audit trails and user history, including a common user history mechanism in SAS Solutions Services that is used by the solutions (see View an Audit Trail for a User on page 103). The solutions have the capability to extend the auditing capabilities of SAS Solutions Services. For more information about those auditing capabilities, see the documentation for the solutions. In addition, SAS Solutions Services uses the auditing capabilities provided by SAS Data Integration Studio. For more information about these features, see the online Help for SAS Data Integration Studio.
CHAPTER 4
Authentication and User Security
Overview of Authentication and User Security
Group Membership - What Can I See?
About Groups
How Content Permissions Are Enforced
Role Membership - What Can I Do?
About Roles
Groups and Roles: An Example
How Roles Are Defined
How Role Permissions Are Enforced
Default Users and Groups
Default Users
Default Groups
Determining Group and Role Assignments
Overview of Group and Role Assignments
Assign a Solutions-Wide Group
Assign Custom Groups
Assign a Solutions-Wide Role
Assign SAS Strategic Performance Management Roles
Assign SAS Financial Management Roles
SAS Financial Management Studio
SAS Financial Management
Excel Reports
Stored Process Reports
Assign SAS Human Capital Management Roles
Assign SAS Web Report Studio Roles
Assign SAS Data Integration Studio Groups and Roles
Registering Users
About Registering Users
Bulk Loading Users and Groups
Synchronizing Users, Groups, and Roles
Synchronizing Data Tables
Creating Group Permission Trees for the Portal
The SAS Intelligence Platform and SAS Solutions Services require a specific set of users that are created and configured during the deployment process. These users are described in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). The users of a solutions application, however, are typically the business users in a particular domain, such as finance. A site's administrator must load all of the appropriate information for each user who requires access to the solutions application. This chapter describes the default metadata identities representing users, groups, and roles required by SAS Solutions Services, as well as the identities that need to be created on site. For background information about authentication and authorization, see "About Security" on page 29.
In the Document Manager, you can see the list of documents in the Travel Dept folder, because of the group permissions attached to that folder and its contents. However, you are an Information Consumer, which by default can view documents but cannot move them. When you open the action menu for a Web document, you see this list of available actions:
If you had been assigned the Analyst or System Administrator role instead, you would see an action menu that included the Move action, like this:
During the solutions installation process, a set of default roles is defined. The Solutions Role Administrator is a member of all roles, and the SAS Demo User is a member of several of the roles. In addition to the default mappings, you must add site-created users to some of these roles. For more information, see "Determining Group and Role Assignments" on page 40.

Note: Best practice suggests that roles not be added on-site unless they are for extensions that are added specifically for that site.
• The Document Manager enforces the permissions that are set in the metadata repository. For each content type, such as WebDocument, ExcelReport, or StoredProcessReport, there is a defined set of actions, such as Move, AddtoPortlet, and Comment. Roles are granted permission to perform various actions based on content type. In "Groups and Roles: An Example" on page 34, the permissions are set on the Move action for the WebDocument content type. If a user has one role that grants an action for a particular content type and another role that denies the same action, then the least restrictive permission applies. If a user is directly granted or denied permission to perform an action, then the user's grant or denial applies, regardless of any roles the user might belong to.
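The two precedence rules above (least restrictive role wins; a direct user setting beats any role) can be checked mechanically. The following is an added example, not SAS code: a simplified Python model of those rules plus a review helper that lists users for whom a role denial is silently cancelled by another role. The user names, the rule table, and the default of "no rule means not allowed" are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"


@dataclass
class ActionPolicy:
    """Simplified model of the role rules for Document Manager actions."""
    # (role, content_type, action) -> GRANT or DENY
    role_rules: dict = field(default_factory=dict)
    # (user, content_type, action) -> GRANT or DENY, set directly on the user
    user_rules: dict = field(default_factory=dict)

    def decide(self, user, roles, content_type, action):
        """Return (allowed, reason) for one user and one action."""
        direct = self.user_rules.get((user, content_type, action))
        if direct is not None:
            # A direct grant or denial applies regardless of roles.
            return direct == GRANT, f"direct {direct} on user"
        settings = {}
        for role in roles:
            rule = self.role_rules.get((role, content_type, action))
            if rule is not None:
                settings[role] = rule
        granting = sorted(r for r, s in settings.items() if s == GRANT)
        if granting:
            # Least restrictive wins: one granting role is enough.
            return True, "granted by role " + ", ".join(granting)
        if settings:
            return False, "denied by role " + ", ".join(sorted(settings))
        # Assumption of this sketch: no rule at all means not allowed.
        return False, "no rule"

    def masked_denials(self, memberships, content_type, action):
        """List (user, denying_roles, granting_roles) where a role denial
        has no effect because another role of the same user grants it."""
        findings = []
        for user, roles in sorted(memberships.items()):
            if (user, content_type, action) in self.user_rules:
                continue  # the direct setting decides; roles are irrelevant
            key = lambda r: self.role_rules.get((r, content_type, action))
            denying = sorted(r for r in roles if key(r) == DENY)
            granting = sorted(r for r in roles if key(r) == GRANT)
            if denying and granting:
                findings.append((user, denying, granting))
        return findings


# Constructed sample data. Role names and the Move/WebDocument pair come from
# the text; the user names and the exact grant/deny table are hypothetical.
POLICY = ActionPolicy(
    role_rules={
        ("Information Consumer", "WebDocument", "Move"): DENY,
        ("Analyst", "WebDocument", "Move"): GRANT,
        ("System Administrator", "WebDocument", "Move"): GRANT,
    },
    user_rules={("tempstaff", "WebDocument", "Move"): DENY},
)
MEMBERSHIPS = {
    "jdoe": {"Information Consumer"},
    "mlee": {"Information Consumer", "Analyst"},
    "tempstaff": {"Analyst"},
}

if __name__ == "__main__":
    for name, roles in sorted(MEMBERSHIPS.items()):
        print(name, POLICY.decide(name, roles, "WebDocument", "Move"))
    print(POLICY.masked_denials(MEMBERSHIPS, "WebDocument", "Move"))
```

The masked-denial list is the part worth reviewing after any role change: a denial on one role restricts nothing for a user who also holds a granting role.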
* The Logins column shows the authentication mechanism for each metadata identity. The user IDs should correspond to accounts in your authentication provider. On Microsoft Windows, the user ID in the login should be fully qualified with a host or domain name (for example, myhostname\sassrv). That is the pattern shown in this table.
** The user that is specified as the metadata user in sas.solutions.services.ear/sas.solutions.common.war/WEB-INF/web.xml must have read and write access to all areas of the metadata server. By default, this user is the SAS Trusted User.
The solutions installation creates additional users. The following table lists those metadata identities and associated information:
Table 4.2 Default Users That Are Created during SAS Solutions Services Installation
Logins Metadata Identity Solutions Installer Default Password AdminAdmin1 Default Authentication Domain Notes DefaultAuth The slninstl user account must exist on the data-tier machine and must belong to the machine's Administrators group and SAS Server Users group. The slnadm user account must exist on the machine where the metadata server is located, and must be a member of the machine's SAS Server Users group. This identity should not be used to log on to the portal.
User ID domain\slninstl
AdminAdmin1
DefaultAuth
* The Solutions Role Administrator is a system user that should always be a member of all roles that are created by the solutions. It is used for cases in which a user must perform a query as a part of a larger process, but the query requires a role that the user does not generally need. Rather than requiring that the user be assigned that role, the application recognizes the Solutions Role Administrator as a user with the proper role in order to successfully complete the process.
Note: There are three special user identities that are cached when the J2EE application server is started: SAS Trusted User, SAS Administrator, and Solutions Role Administrator. Changes to these users in the SAS Management Console do not take effect until the J2EE application server is restarted. Other user identities are loaded from the metadata repository when the user logs on to the portal.

The SAS Intelligence Platform describes a small set of required users. Typically, there are many solutions users. For more information, see "Determining Group and Role Assignments" on page 40.
Default Groups
The SAS Intelligence Platform configuration creates several default groups in the metadata:
• SAS System Services
• SAS General Servers
• Portal Admins
• Portal Demos
In addition, there are two implicit groups: SASUSERS (which includes all users who have a metadata identity) and PUBLIC (which includes all users who can access the metadata server). For more information about these groups, see "Standard Group Metadata Identities" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). The following table lists these group metadata identities, their logins, and default members.
Table 4.3 Groups That Are Created during SAS Intelligence Platform Configuration
Logins Default Password Default Authentication Domain
User ID
domain\sassrv
UserUser1
DefaultAuth
Portal Demos
* The SAS Trusted User identity should not be used to log on to the portal.
** There is no metadata identity for the SAS General Server user (sassrv). It is the account used by the object spawner to launch stored process servers and requires "Log on as a batch job" rights.
• Solutions Users is the base group for all solutions users.
• Administrators is a subgroup of Solutions Users.
• The MYSQL Users group is used to grant access to users who run stored processes and ETL processes that reference MYSQL tables.

The following table lists these group metadata identities, their logins, and default members. In addition to the default mapping, you must add site-created users to some of the solutions groups. For more information, see "Assign a Solutions-Wide Group" on page 40.
Table 4.4
Group Administrators
User ID
Password
Authentication Domain
Solutions Users
domain\ sasspusr
UserUser1
SpAuth
MYSQL Users
sqladmin
AdminAdmin1 MysqlAuth
HR
Members of this group have superuser access to HCM tables. There are no default members. These are example groups. They have no default permissions assigned.
There is no metadata identity for sasspusr (the SAS Stored Process user). It is the account used to authenticate to the stored process server. This user exists on the stored process physical server and requires "Log on as a batch job" user rights; this user should have no access to data. With SAS Solutions Services, the stored process server is configured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with the user's own login or via a group login.

If you are installing other applications in addition to the solutions, and you do not want the users of those applications to be members of the Solutions Users group, you can create a similar group and stored process user. Follow these instructions:
1 On the stored process physical server, create a user (for example, sasspusr2).
right.
3 Log on to SAS Management Console as the administrative user (sasadm).
4 In the User Manager, create a group (for example, Stored Process Users).
5 On the Logins tab for this group, add a login for sasspusr2.
Enter the user name and password that you created in Step 1. For the authentication domain, select SPAuth.
6 Add your users to the Stored Process Users group.
Alternatively, you can give each user a login on the stored process physical server. Follow the same criteria as for the group login. Then add the login to the user's properties in SAS Management Console.
• the set of users, groups, and roles, and the mapping between them.
Assigning groups and roles consists of these tasks:
1 Assign each user to a solutions-wide group.
2 Create custom groups for the site, and then assign users to those groups.
3 Assign each user to a solutions-wide role for Document Manager access.
4 Assign each user to one or more domain roles (for example, roles for SAS Financial Management or roles for SAS Human Capital Management).
5 Optionally, assign SAS Web Report Studio roles.
6 Optionally, create additional SAS Data Integration Studio users by assigning the necessary groups and roles.

Each of these tasks is described in the remainder of this chapter.

Note: Some roles appear in more than one place; for example, the Analyst role applies to the Document Manager and to each of the solutions. This is the same role, but the functionality it confers depends on the application that is being used.
You would then add John Doe, a member of the Finance Planning Department, to the Finance Planning Dept group. For an example of restricting access to content based on group membership, see "Defining Security Authorization for Content" on page 55.

Note: In addition to the basic security that is applied to managing documents, specific security is applied to details within the SAS Financial Management data models. For more information, consult the SAS Financial Management documentation.

The installation includes two examples of custom groups: Finance and SPM Users. These groups have no default permissions assigned. You are free to use these groups or to create others. On the other hand, members of the HR group have superuser access to HCM tables, regardless of the hierarchical filters that are applied to those tables. As a customization it is possible to restrict access to individual members of the HR group, by means of a user filter.
one role from the following table. Roles are listed in increasing levels of functionality.
2 Optionally, assign users to the Dimension Modeler role.

Table 4.8 Dimension Modeler Role
Role | Description
Dimension Modeler | Users with the Dimension Modeler role are able to use the SAS Dimension Editor.
• all features of the Models workspace except for creating and editing unbalanced manual adjustments
• read access to the Dimensions, Cycles, Rates, and Forms workspaces

Finance Process Administrator
An administrator who configures SAS Financial Management, creates cycles, rates, and formsets, manages data security, exports measures, and performs other administration tasks. Users with this role can use all the features of SAS Financial Management Studio.
2 Optionally, select the Dimension Modeler role that is described in the following table:
Table 4.10
Role Dimension Modeler
Table 4.11
Role
Form Submitter
Form Approver
A user who approves forms and sends them to the next stage in the approval process. Users with this role can approve forms that they have some responsibility for. This role is not needed for top-down workflows. In a bottom-up workflow, all users who need to approve forms need this role.
An administrator who performs tasks such as freeing a form that is stuck in the workflow process. Users with this role can enter data in forms and can approve forms. They have access to all currently active forms.
The need for these roles depends in part on the workflow that the users will be participating in. In a top-down workflow, data is entered at the highest level of the hierarchy and pushed down to lower levels. In a bottom-up workflow, data is entered at the lowest level of the hierarchy (in the leaf forms) and submitted for approval to the next higher level in roll-up forms. For more information about workflow, see the SAS Financial Management User's Guide (available at http://support.sas.com/documentation/solutions/admin/index.html).

Notice that bottom-up workflows often require users to have both the Form Approver role and the Form Submitter role. If a user is assigned as the author for a roll-up form, then that user must have the Form Submitter role in order to submit the form to the next-level approver. If that user is also responsible for approving all leaf forms below that form, then the user must also have the Form Approver role, as shown in this example:
• WW: Author=Fred (Form Submitter role, Form Approver role)
• USA: Author=Mary (Form Submitter role), Approver=Fred
• Europe: Author=Jean (Form Submitter role), Approver=Fred

However, it is possible to design a workflow in which some users are only approvers, while other users are only form submitters. In this example, one user is assigned to roll up a form, while a different user approves leaf forms:
• WW: Author=Fred (Form Submitter role)
• USA: Author=Mary (Form Submitter role), Approver=Carl (Form Approver role)
• Europe: Author=Jean (Form Submitter role), Approver=Carl

Note: In order for a user to receive alerts for forms that need attention, the user must be directly assigned to the Form Submitter or Form Approver role. Only individual users, not groups, should be assigned to roles.
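The role requirements of a bottom-up workflow can be verified before the forms go live. The following is an added example, not part of the SAS documentation or product: a Python check that derives the roles each author and approver needs from a form hierarchy and reports users who lack a role or hold it only through a group. The form layout follows the first example above; the role assignments are constructed so that two problems appear.

```python
SUBMITTER, APPROVER = "Form Submitter", "Form Approver"

# Form hierarchy from the first example in the text (bottom-up workflow).
FORMS = {
    "WW": {"author": "Fred", "approver": None},
    "USA": {"author": "Mary", "approver": "Fred"},
    "Europe": {"author": "Jean", "approver": "Fred"},
}

# Constructed role data: Fred was never given Form Approver, and Jean has
# Form Submitter only because a group she belongs to was assigned to the role.
DIRECT_ROLES = {"Fred": {SUBMITTER}, "Mary": {SUBMITTER}, "Jean": set()}
GROUP_ROLES = {"Jean": {SUBMITTER}}


def required_roles(forms):
    """Map each user to {role: [forms that make the role necessary]}."""
    need = {}
    for form, who in forms.items():
        if who.get("author"):
            need.setdefault(who["author"], {}).setdefault(SUBMITTER, []).append(form)
        if who.get("approver"):
            need.setdefault(who["approver"], {}).setdefault(APPROVER, []).append(form)
    return need


def check_workflow(forms, direct_roles, group_roles=None):
    """Return findings as (user, role, status, forms).

    status is "missing" when the user does not have the role at all, and
    "group-only" when the role is not assigned directly to the user; per the
    note above, such a user does not receive alerts for forms.
    """
    group_roles = group_roles or {}
    findings = []
    for user, roles in sorted(required_roles(forms).items()):
        for role, on_forms in sorted(roles.items()):
            if role in direct_roles.get(user, set()):
                continue
            if role in group_roles.get(user, set()):
                status = "group-only"
            else:
                status = "missing"
            findings.append((user, role, status, sorted(on_forms)))
    return findings


if __name__ == "__main__":
    for finding in check_workflow(FORMS, DIRECT_ROLES, GROUP_ROLES):
        print(finding)
```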
Excel Reports
If the SAS Financial Management Add-in for Microsoft Excel is installed, then users with the appropriate permissions are able to view and create reports. The default role permissions are as follows:
Table 4.12
Role Information Consumer
Table 4.13
Role: HCM User
• Employee Browser: all functions, including the ability to view employee detail (profile view), to search for employees, and to edit the category list
• Organizational Analysis: open and print organizational charts; launch a linked scorecard; create a presentation view
• Geographic Analysis: open a geographic analysis document and drill down into the content; print a map or employee list

Role: Analyst
An HR analyst who creates organizational and geographic analyses. Users with the Analyst role have these capabilities:
• Employee Browser: all functions (same as the HCM User role)
• Organizational Analysis: in addition to the HCM User privileges, these users can add and remove measures, create new organizational charts, and modify the organizational structure or organizational analysis
• Geographic Analysis: in addition to the HCM User privileges, these users can create a geographic analysis document

Role: HCM Administrator
An administrator who configures SAS Human Capital Management and manages data security. Users with the HCM Administrator role have full access to all functionality within SAS Human Capital Management. In addition to the capabilities described for Analysts, they can perform HCM configuration, including configuring data, organizational analysts, categories, and the employee browser.
Table 4.14
Role
There is one additional role, WRS Administrator, that provides full access to SAS Web Report Studio functionality. However, adding a member to the WRS Administrator role does not affect implicit membership in the other three roles. For more information about these roles, see SAS Web Report Studio Administration in the SAS Intelligence Platform: Web Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
Group or Role Solutions Users group MYSQL Users group Data Administrator role
Registering Users
About Registering Users
After you determine the authentication mechanisms and the group and role assignments, you can register users in the metadata repository. The system administrator can use the SAS Management Console to create the users interactively. There is also a mechanism for bulk loading a large set of users and groups (see "Bulk Loading Users and Groups" on page 49). When you define each user, be sure to include the user's login information, group and role membership as described in "Determining Group and Role Assignments" on page 40, and e-mail address. E-mail notifications are often sent to users. Be sure to define an e-mail address for every user as you create the user's metadata identity. This is a requirement for the successful processing of some functions.
In addition, if you create new groups or roles, group permission trees for the portal must be created in the metadata repository. Those group permission trees can be created automatically, or you can initialize them with a batch job; see "Creating Group Permission Trees for the Portal" on page 50.
sas.entities.jar, and sas.oma.joma.rmt.jar to the classpath. The JAR files are located in the remote services library folder (SAS-install-dir\SASSolutionsServices\1.3\RemoteServices\lib). If you copy the JAR files to the appropriate location (%CPJARSDIR%), then you can add these lines at the end of the set CLASSPATH section:

set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\weblogic.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.svc.sec.login.weblogic.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.entities.jar
set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.oma.joma.rmt.jar
3 Change directory to SAS-install-dir\Web\Portal2.0.1\SASServices\WEB-INF\conf.
4 Update the sas_metadata_source_client.properties file so that it matches the corresponding properties file in the WEB-INF\conf directory of the deployed Portal Web application.
5 Change directory to SAS-install-dir\Web\Portal2.0.1\Tools.
6 From a command prompt, run initPortalData.bat.
If the initPortalData utility runs successfully, then a message like the following is displayed:
Done initializing metadata information Transaction count: [0] DONE
The transaction count indicates the number of transactions that are still active when the utility exits. A value other than zero indicates an error. For more information about initPortalData.bat, see the SAS Web Infrastructure Kit: Administrator's Guide, available at http://support.sas.com/documentation/configuration/913admin.html.
CHAPTER 5
Content Administration
What Is Content?
Organizing Content
Default Folders
Create Document Manager Folders
About Security Authorization for Content
Permissions for Accessing Content
Default Shared Folder Security
Default User Folder Security
Defining Security Authorization for Content
Secure Content Via Document Manager Properties
Secure Content via the SAS Management Console
Example: Protecting Access to Shared Folders
Secure Content for SAS Web OLAP Viewer
Secure Content for SAS Web Report Studio
Secure Access for the SAS Guest User
Restrictive Permissions Property
Creating Site Content
Create Stored Process Reports
Enable Users to Refresh Stored Process Reports
Import Content
What Is Content?
In terms of SAS Solutions Services, content is any document, stored process, or viewable object. A content type is a specific object definition that deals with general business or domain intelligence, is stored in the SAS Metadata Server, and can be recognized and managed by the Document Manager application. The following content types are supported.
Table 5.1 Supported Content Types
Content Type | Description
DataExploration | Document containing bookmarks (stored views of an information map)
ExcelReport | Microsoft Excel (.xls) document
 | Microsoft Excel document that can be updated dynamically from the server (can be imported but not opened in a portlet)
Folder | Document Manager folder, which can contain documents and other folders
GeographicAnalysis | A display of employee information using maps (available with SAS Human Capital Management)
KPIProject | Key performance indicator (KPI) project
OrgChart | Organizational chart (available with SAS Human Capital Management)
PDFDocument | PDF document
SimOrgChart | Simulated organizational chart (available with SAS Human Capital Management)
SolutionsLink | Link to another document
SPMProject | Scorecard project (available with SAS Strategic Performance Management)
StoredProcess | Stored process
StoredProcessReport | Object that points to a stored process and contains information about stored process parameters
Trashcan | Folder for deleted content
WebDocument | HTML document or other valid MIME type, including Microsoft PowerPoint files and BMP or JPG images
WebReportStudio | Report generated by SAS Web Report Studio
WordDocument | Microsoft Word (.doc) document
WordDocument-Dynamic | Microsoft Word document that can be updated dynamically from the server
SAS Solutions Services provides a Web application, Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Manager tree view can also be shown in portlets. With SAS Solutions Services and the portal, system administrators can customize content for a particular site, so that each group of users can have their own view of that content. This chapter describes the procedures, and some best practices, for organizing content and defining the way pages are viewed in the portal.
Organizing Content
As part of the planning for solutions, the system administrator or consultant should determine the content structure that best fits the site's needs. For information flow, it is useful to create a set of folders that are based upon the intended recipients of the documents in those folders. For example, executives might want to view one set of reports, while managers view another set and general staff view yet another set of reports.

Each solution, which is associated with a domain of knowledge such as Finance or Human Capital Management, has its own repository with its own data mart. Within each repository, Document Manager by default has a folder called Documents that serves as the root level of the site's content. Below that root folder, the folder structure should correspond to the security groupings that are created, so that the appropriate permissions can be easily applied to the folder levels, and so that content within each folder can inherit permissions from its parent folder.

Note: The repository in which content is located is particularly important when you are dealing with data explorations, information maps, and SAS Web Report Studio reports. For more information, see "A Note about Repositories" on page 125.
Default Folders
By default, the Documents folder contains these folders:
• SAS Content: a folder for SAS to ship content, such as standard reports, with the solutions. The folder structure is based upon the products that are included. By default, only Administrators have permissions to view this folder.
• Shared Documents: the root level folder for the site's content. The folder can be renamed (for example, My Company's Documents). The folder structure should be designed to be appropriate for the site and its security.
• Users: a root folder for the folders belonging to individual users. All users have a folder for personal content. The default permissions on each user's folder allow access only to that user. However, a user can modify the permissions to let others view content in his or her personal folder.
• Trash Can: a folder to hold deleted content.
departments, projects, or some other method of organization. In the SAS Intelligence Platform, users who are authenticated to the system have authorization privileges determined by their metadata identity. In the Document Manager, users with Administer permission for a given resource can open its properties and view or set the permissions for that resource. Permissions have the following meanings:
Table 5.2 Document Manager Security Permissions
Permission | Meaning | Example
Read | Read a metadata object | If a user does not have Read permission for a resource, it does not appear in the Document Manager or in a My Favorites portlet.
Write | Create or update a metadata object | If a user does not have Write permission for a folder, the user cannot import documents into that folder.
Delete | Delete a resource described by a metadata object | If a user does not have Delete permission for a document, the user cannot delete the document.
Administer | Perform administrative tasks | If a user does not have Administer permission for a document or folder, the user does not see the Permissions section of the document or folder properties in the Document Manager.
Administer permission is the most inclusive and includes Delete, Write, and Read permission. Delete permission includes Write and Read permission, and Write includes Read permission. Be aware that, while users might have permissions for various resources, the actions that they can perform on these resources might be restricted by the roles they belong to. For more information about roles, see "Role Membership - What Can I Do?" on page 34. For further information about the processing of permissions and how the Open Metadata Repository makes authorization decisions, see "Understanding Authorization" in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
Any folder that is loaded (but not listed above) inherits its permissions from the parent folder. As demonstrated above, if you assign permissions for Solutions Users to a folder, then the Administrators group should also be assigned permissions, because the Administrators group is a member of the Solutions Users group. If the folder has no Administrators-specific permissions, it reverts to using the Solutions Users group permissions. In particular, if you deny Solutions Users access to a folder, you should restore that access to the Administrators group.

Note: The Administrators group must have, at a minimum, read/write access to all areas of the metadata server. The metadata user (by default the SAS Trusted User, a member of the Administrators group) performs a number of operations on behalf of users and requires these permissions.

Because many folders have conflicting permissions for the Administrators and Solutions Users groups, an individual user should not be a member of both groups. In fact, no user should be a member of both Solutions Users and a subgroup of Solutions Users.
easier way for administrators to secure a large number of files and folders (see "Secure Content via the SAS Management Console" on page 56).

To secure files and folders in the Document Manager:
1 Select a repository.
2 Navigate to the containing folder.
3 click the folder or file you want to secure and select Properties.
4 Expand the Permissions section. Users (or groups) and permissions are displayed.
Note: Users and groups that have only inherited permissions are not displayed, although you can view those permissions in the SAS Management Console. In the Document Manager properties, you see only those users and groups with permissions that are specifically set for this file or folder.
5 To add a user or group, click Add Users & Groups.
6 To delete a user or group, click the Delete icon to the right of the permissions for that user or group.
7 To grant a permission, select its check box. To deny a permission, clear the check box. Available permissions are described in "About Security Authorization for Content" on page 53.
8 Click OK to accept your changes.

Note: If you set file or folder permissions in the Document Manager, your changes are reflected in the SAS Management Console, and vice versa.
3 Navigate to the appropriate folder or document, right-click, and select Properties.
4 Click the Authorization tab.
5 Add or remove permissions for users or groups.
Only users and groups should have assigned access to content. Roles should never be used to assign these permissions.
Note: ReadMetadata and WriteMetadata permissions in the SAS Management Console correspond to Read and Write permissions in the Document Manager.
Note: If you directly set permissions for Solutions Users for a folder, you should also directly set permissions for Administrators. It is not sufficient for the Administrators group to inherit those permissions, because the direct settings for Solutions Users will override the inherited permissions for Administrators.
In the SAS Management Console, inherited permissions are shown with a gray background, like this:
To change those permissions to direct grants (or denials), click the check box until the gray background disappears.
• Grant or deny permissions to groups rather than to individual users.
• Apply permissions to folders and let content items in the folders inherit those permissions.
In this example, you have two departments, Travel and Accounting, and you want to create for each department a set of folders that only those department members can access.
1 In the SAS Management Console, you create two groups: Travel and Accounting.
2 You add both of these groups to the Solutions Users group.
3 You add the members of the Travel department to the Travel group, and the members of the Accounting department to the Accounting group, as shown in this simplified diagram:
4 In the Document Manager, you navigate to Shared Folders and create two
folder.
7 You deny Solutions Users access to both these folders.
8 You grant the Administrators group RWDA access to both folders.
As a result, only members of the Accounting and Administrators groups can view the Accounting folders. Only members of the Travel and Administrators groups can view the Travel folders.
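The rule that direct Solutions Users settings override what Administrators would otherwise inherit can be checked mechanically. The following Python code is an added example, not SAS code: it uses a simplified model of that rule (not the metadata server's own authorization algorithm) and constructed folder, group and user data to list folders where Administrators has no direct settings or has lost read/write access, and users who belong to both Solutions Users and one of its subgroups.

```python
"""Audit direct folder permissions against the rules stated in this section.

Simplified model of the behaviour the guide describes; every folder, group
and user below is constructed sample data.
"""
READ, WRITE = "ReadMetadata", "WriteMetadata"
ADMINS, SOL_USERS = "Administrators", "Solutions Users"

# Direct (not inherited) settings per folder: True = grant, False = deny.
DIRECT_ACL = {
    "Shared Folders": {
        SOL_USERS: {READ: True, WRITE: True},
        ADMINS: {READ: True, WRITE: True},
    },
    "Shared Folders/Travel": {
        SOL_USERS: {READ: False, WRITE: False},
        "Travel": {READ: True, WRITE: True},
        ADMINS: {READ: True, WRITE: True},
    },
    # Here the step that grants Administrators access was skipped.
    "Shared Folders/Accounting": {
        SOL_USERS: {READ: False, WRITE: False},
        "Accounting": {READ: True, WRITE: True},
    },
    "Shared Folders/Accounting/Budgets": {},  # inherits everything
}

# Group -> groups it is a direct member of.
GROUP_MEMBER_OF = {
    ADMINS: [SOL_USERS],
    "Travel": [SOL_USERS],
    "Accounting": [SOL_USERS],
}

# User -> groups the user was added to directly.
USER_GROUPS = {
    "alice": ["Travel"],
    "bob": ["Accounting", SOL_USERS],  # violates the membership rule
    "carol": [ADMINS],
}


def effective(acl, member_of, group, folder, perm):
    """Resolve a permission for a group on a folder.

    At each folder level the group's own direct setting wins; failing that,
    a direct setting for a group it belongs to (Solutions Users) is used
    before anything inherited from the parent folder.
    """
    path = folder
    while path:
        settings = acl.get(path, {})
        for candidate in [group] + member_of.get(group, []):
            if perm in settings.get(candidate, {}):
                return settings[candidate][perm]
        path = path.rpartition("/")[0]  # move up to the parent folder
    return False


def missing_direct_admin_settings(acl):
    """Folders with direct Solutions Users settings but none for Administrators."""
    return sorted(p for p, s in acl.items() if SOL_USERS in s and ADMINS not in s)


def admin_lockouts(acl, member_of):
    """Folders where Administrators ends up without read/write access."""
    return sorted(
        p for p in acl
        if not all(effective(acl, member_of, ADMINS, p, perm)
                   for perm in (READ, WRITE))
    )


def membership_conflicts(user_groups, member_of):
    """Users who are direct members of Solutions Users and of a subgroup."""
    subgroups = {g for g, parents in member_of.items() if SOL_USERS in parents}
    conflicts = {}
    for user, groups in user_groups.items():
        overlap = sorted(subgroups.intersection(groups))
        if SOL_USERS in groups and overlap:
            conflicts[user] = overlap
    return conflicts


if __name__ == "__main__":
    print("No direct Administrators settings:", missing_direct_admin_settings(DIRECT_ACL))
    print("Administrators locked out of:", admin_lockouts(DIRECT_ACL, GROUP_MEMBER_OF))
    print("Conflicting memberships:", membership_conflicts(USER_GROUPS, GROUP_MEMBER_OF))
```
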
3 To enable users to move content that is located in their own folders, grant Administrators ReadMetadata and WriteMetadata privileges for each of the Users\userid folders.
Control Templates.
3 Right-click Default ACT and select Properties.
4 Click the Users and Permissions tab.
5 Click the Add button.
6 Move the SAS Guest user from Available Identities to Selected Identities
of the permissions.
8 Click OK.
You do not need to change any of the other ACTs, for example, the SolutionsFolderACT.
Note: Do not make these changes to the Foundation repository. Doing so causes errors in the portal.
want restrictive permissions to be applied when new content is created through the Document Manager classes. This property's default value is false. Modifying its value is a customization.
Content → Standard Reports.
Under Standard Reports, there are several folders, each with a number of stored processes.
3 For each stored process that you want the Solutions Users group to be able to refresh:
a Right-click the stored process and select Properties.
b Click the Authorization tab.
c Click Access Control Templates.
d In the Add/Remove Access Control Templates dialog box, move HRStoredProcessACT from the Available column to the Currently Using column. In addition to granting ReadMetadata privileges to Solutions Users, this ACT grants Administrators all privileges for the stored process.
e Save your changes.
For more information about Access Control Templates (ACTs), see the SAS Intelligence Platform: Security Administration Guide.
Import Content
Content of supported types can be imported from external file systems. This content is also registered in the appropriate Shared Document folders. See What Is Content? on page 51.
CHAPTER 6
J2EE Server Administration
BEA WebLogic Administration 64
Controlling the WebLogic Managed Servers 64
About the Managed Servers 64
Start the Managed Servers 64
Stop the Managed Servers 64
Configuring the Managed Servers 65
The Common Environment 65
Startup Scripts 65
URL Mapping 66
Execute Queues 67
Load Order for Themes 68
Setting Up Managed Servers as Windows Services 68
Changing the Port Number for a Managed Server 69
Change the Port Number for SASManagedServer 69
Change the Port Number for SASODCSServer 71
Selecting an Alternative Port 71
IBM WebSphere Administration 71
General Information 71
Start and Stop WebSphere Servers 71
Set Total Transaction Lifetime Timeout 72
Increase the Log File Size 72
Suppress Warning Messages for Data Access 73
Configure Starting Weight for Themes 73
Update jdom.jar after an Upgrade 73
Configuring the Web Applications 74
About Deployment Descriptors 74
Set Session Timeout Values 74
Set Timeout Values for Remote Portlet Sessions 74
Configuring Themes 75
Make the Winter Theme Available 75
Move Themes to a Web Server 75
Using ODCS Clustering to Reduce Wait Time 76
Overview of ODCS Clustering 76
Configure ODCS Target Machines 77
Configure ODCS Server Options 78
3 From the Windows Start menu, select SAS → SASSolutionsConfig → Start WebLogic.
4 If you have installed any domain servers, start them with these commands from the Windows Start menu:
• SAS → SASSolutionsConfig → Start FoundationServer
• SAS → SASSolutionsConfig → Start SolutionServer
• SAS → SASSolutionsConfig → Start FinanceServer
• SAS → SASSolutionsConfig → Start PerfMgmtServer
• SAS → SASSolutionsConfig → Start HRServer
For startup options that affect these commands, see The Common Environment on page 65 and Startup Scripts on page 65.
Note: If you are running SAS Human Capital Management, we recommend that you restart the managed servers, as well as the SAS application servers, once a week to ensure best performance.
hostname:7501/console.
2 Find SASSolutions
3 From the Start/Stop page that appears, select Graceful shutdown of this
Startup Scripts
During installation and configuration, the JAVA_OPTIONS in the startup scripts are set to default values, which might vary for different managed servers. However, each site needs to determine its optimal settings based on the server size and other factors. In particular, note these JAVA_OPTIONS and MEM_ARGS settings:
Description
These MEM_ARGS settings specify the initial and maximum total heap size. If the server allows NT remote terminal services, the values of 860m are correct for the SASManagedServer and the ODCSManagedServer. If the system has at least 4 GB of memory, use 960m rather than 860m. If the server does not allow remote terminal services, you should set both Xms and Xmx to 1280m (the maximum permitted value).
-Dlog4j.configuration
Logging configuration file. The typical location is file:///c:/SAS/SASSolutionsConfig/Lev1/web/Deployments/SASSolutionsServices/logging.xml
If you have installed SAS Human Capital Management, increase the heap size for the HR managed server as follows:
Note: Do not make this modification if you have a single-machine installation.
1 Change directory to BEA-home-dir\user_projects\domains\SASSolutions.
2 Open the startHRServer.cmd file for editing.
3 Find this line:
set MEM_ARGS=-Xms512m -Xmx512m
If the server has at least 4 GB of memory, specify 960m rather than 860m.
5 Save the file.
The change will be applied the next time you restart the managed server.
URL Mapping
WebLogic appears to treat domains differently if they are referenced differently (for example, http://Dxxx/yyy and http://Dxxx.mycompany.com/yyy). This causes problems when a Web application stores information in the HttpSession context. There is a configuration parameter called Frontend Host that addresses this issue. According to the WebLogic documentation, this parameter is set when the Host information coming from the URL might be inaccurate due to the presence of a firewall or proxy. If this parameter is set, the HOST header is ignored and this value is always used.
To modify the Frontend Host parameter:
1 Open the WebLogic Administration Console.
2 Under the Servers node of the tree, click the name of the server (for example, SASManagedServer).
3 On the page that appears, select Protocols → HTTP.
4 Click the Show link beside Advanced Options.
5 In the Frontend Host box, enter the fully qualified name of your site (for example, sasmachine.mycompany.com).
6 In the Frontend HTTP Port box, enter the number of the port for this managed server.
7 Click Apply to update the configuration file config.xml.
Note: You need to restart the server for the changes to take effect.
web_server.html.
Execute Queues
Execute queues help to prevent deadlock conditions when applications call into one another. Requests are placed in an execute queue and are assigned to a thread within that queue. By default, the solutions configuration process creates the execute queues described below and assigns them to the appropriate applications. If you need to create and assign these execute queues manually, follow these steps:
1 Log on to the WebLogic Administration Console.
2 Open the Servers node of the tree.
3 Right-click the server definition where the portal is running, and select the View
table, the Location of weblogic.xml File is relative to where you deployed the applications; typically, they are deployed to BEA-home-dir\user_projects\domains\SASSolutions\applications. The suggested thread count values should be sufficient for most loads. You might need to modify this value for your site.
Table 6.1 Execute Queues
Execute Queue | Thread Count | Location of weblogic.xml File
 | 25 | Portal.war\WEB-INF
 | 5 | SASDoc.war\WEB-INF
 | 5 | SASTheme_default.war\WEB-INF
 | 15 | sas.solutions.services.ear\sas.solutions.commonapp.war\WEB-INF
sas.solutions.odcs.webservices | 20 | sas.solutions.odcs.ear\sas.solutions.odcs.services.axis.war\WEB-INF
sas.spm.webapp | 50 | sas.solutions.scorecard.ear\sas.solutions.spm.webapp.war\WEB-INF
6 Click Create at the bottom of the page to update the WebLogic configuration file
Replace queue_name with the name you gave to the execute queue, for example, sas.portal.default or sas.themes.default.
Note: If you deploy additional themes, they can share the same execute queue. Typically, you create a new theme by copying an existing theme and modifying the copy. As a result, the new theme has a copy of weblogic.xml with the execute queue already defined.
8 Save the file.
9 Restart the remote services and the managed servers.
For more information, see the WebLogic Administration Console's online help.
The Deployment Order page appears, listing the currently deployed applications.
3 Click the Change button associated with the theme.
4 On the Change Deployment Order page, give this theme a load order that is less than that of the other deployed applications.
5 Click Apply to update the configuration file config.xml. You must restart the managed server for the change to take effect.
the HR server, as follows:
Note: Do not make this modification if you have a single-machine installation.
a Open the installHRServerService.cmd file for editing.
b Find this line: set MEM_ARGS=-Xms512m -Xmx512m
c Change the line as follows: set MEM_ARGS=-Xms860m -Xmx860m
If the server has at least 4 GB of memory, specify 960m rather than 860m.
d Save the file.
3 Run the installation script.
4 You can now start the service from Administrative Tools → Services. The next time you restart your system, the service is started automatically.
Note: These scripts contain a dependency on the Admin server. To facilitate that dependency, the script to install the Admin server as a service (installService.cmd) specifies a delay of 60000 milliseconds. The delay causes Windows to wait for that amount of time before notifying dependent servers that they may start.
To verify that a server has started, open the WebLogic Administration Console and navigate to SASSolutions → Servers → server-name. In the panel on the right, click the Control tab and then the Start/Stop tab. The page that appears shows the server status, for example, STANDBY or RUNNING.
Note: If you make changes such as modifying the MEM_ARGS option or the WebLogic password, you will need to uninstall and reinstall the service. The table below lists the uninstall commands for each service.
Table 6.2 Service Install and Uninstall Commands
server-name | install-command | uninstall-command
SASODCSServer | installODCSService | uninstallODCSService
SASManagedServer | installSASManagedService | uninstallSASManagedService
HRServer | installHRServerService | uninstallHRServerService
FinanceServer | installFinanceServerService | uninstallFinanceServerService
SolutionServer | installSolutionServerService | uninstallSolutionServerService
FoundationServer | installFoundationServerService | uninstallFoundationServerService
You can change this value by editing config.xml (while the managed server is not running) or by modifying the managed server configuration in the WebLogic Administration Console. The config.xml file is located in BEA-home-dir\user_projects\domains\SASSolutions.
2 Change directory to
SAS-config-dir\Lev1\web\Deployments\SASSolutionsServices.
3 Open EnvironmentFactory.xml for editing and change the port references appropriately. If you were using the default port number, then you would replace all references to 7001 with the new port number. For information about port usage, see Selecting an Alternative Port on page 71.
4 Open the EnvironmentFactory.odcs.xml file for editing and change the port references appropriately.
BEA-home-dir\user_projects\domains\SASSolutions\applications\sas.solutions.services.ear\sas.solutions.common.war. (This will overwrite the copy that resides in that directory.)
6 Change directory to BEA-home-dir\user_projects\domains\SASSolutions.
7 Update the JAVA_OPTIONS variable in startManagedWebLogic.cmd to include an additional specification: -Djava.naming.provider.url=t3://host:port.
Note: If you have installed the managed server as a service, you need to uninstall the service, modify the JAVA_OPTIONS variable in the installation command file, and then reinstall the service. For details about uninstalling and installing the service, see Setting Up Managed Servers as Windows Services on page 68.
8 Change directory to BEA-home-dir\weblogic81\server\lib.
9 Update the weblogic.policy file to provide socket permissions as appropriate. See this example:
// ------------------ Socket Access to Themes -------------
permission java.net.SocketPermission "localhost:port", "connect, resolve";
// ---------------------------------------------------------
10 Change directory to
SAS-install-dir\SASSolutionsServices\1.3\RemoteServices.
11 Update the StartRemoteServices.bat le to change the
supplied in Step 1:
set SERVICES_OPTS=%SERVICES_OPTS% -Djava.naming.provider.url=t3://host:port
example, !SASROOT\nls\en.
13 Update the JREOPTIONS system option of SASV9.CFG so that the -Denv.factory.location contains the new port number.
14 Using the Configuration Manager plug-in of SAS Management Console, update the connection information for all appropriate applications and modules for each repository:
a From the Repository drop-down list, select the appropriate repository.
b Expand Application Management → Configuration Manager.
c Right-click the application or module name and select Properties.
Do not modify Operational Data and Compute Server, because it runs on the SASODCSServer. Do not modify the WRS Component modules (if they exist) if they run on separate domain servers.
d Click the Connection tab.
e Update Host Name and Port Number as appropriate.
f Save your changes.
15 Restart the remote services, the managed servers, and the object spawner.
16 If you have installed SAS Financial Management Studio or SAS Dimension Editor:
a Open the application's .ini file for editing.
b Find the -Denv.factory.location parameter and change its port number.
c Save your changes.
17 If you have installed SAS Financial Management Add-In for Microsoft Excel or SAS Solutions Services Add-In for Microsoft Office, be sure to use the new port number when you log on to SAS.
For more information about these commands, see the WebSphere documentation.
2 Log on to the WebSphere administrative console.
3 In the navigation tree, select Servers → Application Servers.
4 On the Application Servers page, select the check box for the appropriate server.
5 Click Start.
→ Application Servers.
3 On the Application Servers page, select the check box for the appropriate server.
→ Application Servers.
3 On the Application Servers page, click the server name.
4 Under Additional Properties, click Transaction Service.
5 Specify a new value for Total transaction lifetime timeout.
6 Save your changes.
change the Maximum Size from 1 MB to 10 MB. You can adjust this value to suit your configuration.
6 To save log files that have been rotated, increase the value of Maximum
true to false.
→ Enterprise Applications).
6 On the Enterprise Applications screen, click the Save link in the Message(s) area.
7 On the Save screen, click Save to save the changes to the master configuration.
Note: If you deploy themes to an HTTP server, then starting weight does not apply.
If you change the timeout settings, we recommend that they remain consistent across Web applications. New settings apply the next time you start the managed server. For more information about session timeout, see http://e-docs.bea.com/wls/docs81/webapp/sessions.html and http://e-docs.bea.com/wls/docs81/webapp/web_xml.html#1017275.
Configuring Themes
editing.
2 Find this line:
%let SWCName=SASTheme_default;
5 Change /SASTheme_default to /SASTheme_winter.
6 If necessary, change the metadata options, host name, and port. The host name and port should be the fully-qualified host name and port number for the Web server or J2EE application server to which the theme was deployed. (For WebLogic, the port is typically 7001.)
7 Save the file with a different name and a .sas extension (for example, LoadWinterThemeConnection.sas).
8 Right-click the file and select Batch Submit with SAS 9.1.
9 Restart the remote services and the managed servers.
If you are using WebSphere, you cannot deploy themes to the same server that is used by applications that reference those themes; doing so causes eventual thread lock. You can deploy them to a separate WebSphere instance that does not share the same thread pool or to a Web server such as Apache HTTP Server, Microsoft Internet Information Services (IIS), or Apache Tomcat. The instructions for deploying a theme to a Web server are similar, regardless of the brand of server.
To deploy the default theme to the Apache Web server:
1 Copy the contents of
Properties.
6 Select the Connection tab.
7 Change the Host Name to contain the fully-qualified name of the Apache Web server host.
8 Change the Port Number to contain the port number for the Apache Web server
SASTheme_default application.
11 Restart the remote services and the managed servers.
Be sure that the HTTP server is running before you start the managed servers.
To deploy the default theme to Apache Tomcat, you would copy the contents of SAS-config-dir\Lev1\web\webapps\exploded\SASTheme_default.war to Tomcat-install-dir\webapps\SASTheme_default. (Do not use a .war extension.)
If you use Xythos WebFile Server as your WebDAV server, you cannot use the same instance of Tomcat for the themes. However, you can install another instance of Tomcat. It must use different port numbers for the listen port and the shutdown port. (These port numbers are defined in the server.xml file, which is located in the Tomcat-install-dir\conf directory.)
• jarfiles is a list of the JAR files that you copied in the previous step. Separate the filenames with semicolons. Typically, you would create a batch file that dynamically creates the CLASSPATH from the set of JAR files, rather than listing each JAR file separately. You could also create a batch file that both copies the JAR files to a target machine and runs the query processor.
• -Xms and -Xmx represent initial and maximum total heap size. For best results, these values should be identical.
• -Xss represents the thread stack size. A value of 128k is appropriate for Windows. On UNIX, use 256k instead.
• -Dodcs.dispatcher.host specifies the name of the machine on which the ODCS application is running.
You can include additional options, in the form -Doption=value, as described in the table below.
Option: odcs.dispatcher.host
Description and Default Value: The TCP/IP port on which the in-process RMI registry is hosted by ODCS and through which the clustered query processors make the bootstrap contact. The default is localhost.
Option: odcs.dispatcher.passkey
Description and Default Value: The password key handshake between the query processor and the dispatcher. If the passkey does not match, the query processor cannot connect to the dispatcher to run queries. The passkey must be specified by both the dispatcher and the query processor. The default value is passkey.
Option: odcs.queryprocessor.maxthreads
Description and Default Value: The number of CPUs that are available on the machine that hosts the query processor. Because the algorithms are CPU-bound, adding more threads than physical CPUs will cause context switching and degrade performance. The default is <number of available processors>.
Option: odcs.queryprocessor.reattach
Description and Default Value: If this value is set to false (the default), then the query processor shuts down when the ODCS dispatcher stops running. If the value is true, then the query processor waits for the dispatcher to start again and reattaches to the dispatcher immediately. In a production environment, reattaching might be practical. In a development environment, the typical reason for shutting down the ODCS server is to modify the JAR files; as a result, reattaching would result in a ClassCastException.
When a query processor is started, it checks to see if the ODCS server is running. If so, it attaches to the server and waits for the server to send it jobs to process. Otherwise, the query processor waits until the ODCS server starts and then attaches to the server.
Option: odcs.dispatcher.ipfilter
Description and Default Value: A comma-separated list of Internet addresses of machines that are allowed to connect. If you specify such a list, and a query processor tries to connect to an IP address that is not in the list, the connection is rejected. There is no default.
Option: odcs.dispatcher.use.internal.qp
Description and Default Value: If true (the default), the dispatcher makes use of the built-in internal query processor, in addition to any external query processors that might be available. There are benefits to running queries locally. In-process queries do not require the data to be serialized to them. Moreover, if you configure only a few external query processors, then the ODCS server might be better used to share the query load, in addition to the data and dispatch. If this argument is false, the dispatcher does not process any queries locally, so that it is always available to route queries to external query processors. This mode is useful if you have a large number of query processors.
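A check of the dispatcher and query-processor options described in these tables, written in Python as an added example (not part of the SAS guide or product): it flags a passkey left at its default, an odcs.dispatcher.ipfilter that is unset or does not match the intended query-processor machines, a passkey that differs between the two sides, and unequal -Xms/-Xmx values. The sample command lines, addresses, host name and main-class placeholder are constructed, and the code assumes that filter entries are IP addresses and that the dispatcher options are passed as -D options to the ODCS server.

```python
import ipaddress

DEFAULT_PASSKEY = "passkey"  # default value stated in the option table

# Constructed sample command lines (not taken from a real installation).
DISPATCHER_CMD = (
    "set JAVA_OPTIONS=%JAVA_OPTIONS% "
    "-Dodcs.dispatcher.ipfilter=192.0.2.10,192.0.2.99 "
    "-Dodcs.dispatcher.use.internal.qp=false"
)
QUERY_PROCESSOR_CMD = (
    "java -Xms512m -Xmx860m -Xss128k "
    "-Dodcs.dispatcher.host=odcs.example.com "
    "-Dodcs.dispatcher.passkey=constructed-value "
    "-classpath %JARFILES% PLACEHOLDER_MAIN_CLASS"  # main class is a placeholder
)
EXPECTED_QP_ADDRESSES = ["192.0.2.10", "192.0.2.11"]  # machines meant to connect


def parse_java_options(cmdline):
    """Split a command line into -D properties and -Xms/-Xmx/-Xss settings."""
    props, mem = {}, {}
    for token in cmdline.split():
        token = token.strip('"')
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
        elif token[:4] in ("-Xms", "-Xmx", "-Xss"):
            mem[token[:4]] = token[4:]
    return props, mem


def audit_dispatcher(cmdline, expected_qp_addresses):
    """Return findings for the dispatcher side of the ODCS cluster."""
    props, _ = parse_java_options(cmdline)
    findings = []
    if props.get("odcs.dispatcher.passkey", DEFAULT_PASSKEY) == DEFAULT_PASSKEY:
        findings.append("passkey-default")
    raw_filter = props.get("odcs.dispatcher.ipfilter")
    if raw_filter is None:
        findings.append("ipfilter-unset")  # no default list of allowed machines
        return findings
    allowed = set()
    for item in (part.strip() for part in raw_filter.split(",")):
        try:
            allowed.add(ipaddress.ip_address(item))
        except ValueError:
            findings.append(f"ipfilter-not-an-ip:{item}")
    expected = {ipaddress.ip_address(a) for a in expected_qp_addresses}
    # Intended query processors that the filter would reject.
    findings += [f"ipfilter-missing:{a}" for a in sorted(expected - allowed, key=str)]
    # Addresses still allowed although no query processor is planned there.
    findings += [f"ipfilter-unexpected:{a}" for a in sorted(allowed - expected, key=str)]
    return findings


def audit_query_processor(qp_cmdline, dispatcher_cmdline):
    """Return findings for one query processor, compared with its dispatcher."""
    qp_props, qp_mem = parse_java_options(qp_cmdline)
    disp_props, _ = parse_java_options(dispatcher_cmdline)
    findings = []
    key = "odcs.dispatcher.passkey"
    if qp_props.get(key, DEFAULT_PASSKEY) != disp_props.get(key, DEFAULT_PASSKEY):
        findings.append("passkey-mismatch")  # the processor cannot connect
    if qp_mem.get("-Xms") != qp_mem.get("-Xmx"):
        findings.append("heap-unequal")  # the guide recommends identical values
    if "odcs.dispatcher.host" not in qp_props:
        findings.append("dispatcher-host-default-localhost")
    return findings


if __name__ == "__main__":
    for finding in audit_dispatcher(DISPATCHER_CMD, EXPECTED_QP_ADDRESSES):
        print("dispatcher:", finding)
    for finding in audit_query_processor(QUERY_PROCESSOR_CMD, DISPATCHER_CMD):
        print("query processor:", finding)
```
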
CHAPTER 7
Portal Administration
About Portal Administration 81
Assigning a Content Administrator 81
Types of Content Administrators 82
Assign an Administrator for All Portal Content 82
Assign a Content Administrator for a Group 82
Creating Default Portal Pages 83
About Page Templates 83
Applying the Solutions Users Page Templates 83
Delete the PUBLIC Templates 83
Apply the Solutions Users Templates 83
Creating Custom Page Templates 84
Customizing the Portal 84
About Portal Customizations 84
My Favorites Portlets 84
My Alerts Portlets 87
About Alerts and My Alerts Portlets 87
Add a My Alerts Portlet 88
Add a Custom Alerts Portlet 88
URL Display Portlets 89
View a Report 89
Create a View a Report Portlet 89
Create a Link to a Document 90
Performance Management Portlets 90
Accessing the Default Portlets of the SAS Information Delivery Portal 91
Securing Logs to Enhance Portal Security 91
• Share, unshare, and delete content with members of the group(s) which they administer, subject to the file and folder permissions. For example, they could delete files from a user's personal portal, or they could share users' personal portlets or pages with other members of the group.
• Create custom page templates in the portal. For more information about page templates, see Creating Default Portal Pages on page 83.
Management
I Resource
3 Expand the Portal Application Tree folder, and select the group for which you want
on the Authorization tab, select a user to be the content administrator. If a particular user is not listed, click Add and use the Add Users and/or Groups dialog box to add the user. When you return to the Authorization tab, select that user in the Names list box.
Note: You can also assign a group to be a content administrator, in the same way that you assign a user.
Note: Be sure that the permission is directly assigned, instead of inherited. The check box for a permission that is directly assigned has no added background color. If the check box for a permission has a background color, clicking the check box will remove the background color and assign the permission directly.
SAS-config-dir\Lev1\SASMain\SASSolutionsServices\SASCode.
2 Run DeletePageTemplatePUBLIC.sas by right-clicking on the file and choosing
3 If you have licensed SAS Solutions Services with KPI and/or SAS Strategic Performance Management and not SAS Financial Management:
1 Change directory to SAS-config-dir\Lev1\SASMain\SASSolutionsServices\SASCode.
2 Run LoadPageTemplateSolutionsHome.sas.
3 Run LoadPageTemplateSolutionsTasks.sas.
SAS-config-dir\Lev1\SASMain\SASFinancialManagement\SASCode.
2 Run LoadPageTemplateSolutionsFMHome.sas.
3 Run LoadPageTemplateSolutionsFMTasks.sas.
Note: The two SAS Financial Management jobs contain all the code that is in LoadPageTemplateSolutionsHome.sas and LoadPageTemplateSolutionsTasks.sas, as well as some additional code that is specific to SAS Financial Management.
• Home page: Every user should have a home page, and one is supplied by the default portal templates.
• Additional pages: The structure and content of additional pages depend on the way each user or group of users wants to use the portal. Here are some examples of page functionality:
• Additional portlets: Users, or groups of users, will customize their pages. The following sections contain examples of how some of the SAS Solutions Services portlets can be used. These portlets can also be added to the portal templates for a group of users.
Note: To search for portlets, select Options Edit Content. Then click the Add Portlets button. On the Add Portlets to Page screen, select the Search tab, enter one or more keywords, and click Search. To find all available portlets, use an asterisk (*) as the keyword. The available portlets are limited by the user's identity. For example, users who are not Administrators do not see the Solutions Web Administration portlet.
My Favorites Portlets
The My Favorites portlet has many uses. The portlet allows users to create lists of documents, files, folders, links, and tasks. Here are some examples of My Favorites portlets that users can create:
• Daily Information
A My Favorites portlet containing URLs, folder links, document links, and tasks to generate information that the user looks at daily.
• Corporate Information
A My Favorites portlet containing links to corporate information, such as the corporate home page and corporate Web applications.
Note: When creating this portlet, add a link to the Shared Documents folder. This link allows users to access Document Manager folders without selecting the Manage Documents task.
• My Tasks
A My Favorites portlet containing the appropriate tasks for that user. Tasks are Web applications that can be added to My Favorites portlets. The list of available tasks depends on the solutions that are installed:
Table 7.1 Tasks for the My Favorites Portlet
Task: Manage Documents
Description: Opens the Document Manager, which enables users, and administrators in particular, to organize and manage content.
Task: Manage Measures
Description: Opens Measure Manager, which enables users to define measures for use in KPIs and scorecards.
Task: New Scorecard Project, Manage Scorecard Projects
Description: If you have SAS Strategic Performance Management installed, these tasks open a new scorecard or KPI project or let you edit an existing project. Otherwise, the tasks are the same, except that the projects are restricted to KPI projects.
Task: Manage Financial Forms
Description: If SAS Financial Management is installed, this task enables users to enter financial data by means of forms that were designed in SAS Financial Management Studio.
Task: Browse Employee Information, New Geographic Analysis, New Organization Analysis
Description: If SAS Human Capital Management is installed, these tasks enable users to browse employee demographic information, create a geographic analysis (a map-based analysis of employee information), or create an organizational analysis (a real or simulated organizational chart).
Task: Open SAS Web OLAP Viewer
Description: If SAS Web OLAP Viewer is installed, this task enables users to open an information map, a data exploration, or a SAS OLAP cube.
Task: Open SAS Web Report Studio
Description: If SAS Web Report Studio is installed, this task enables users to create or edit a report using data from an information map.
For more information about these tasks, see the online Help.
• My Documents
A My Favorites portlet with document, folder, and URL links.
Note: Suggest to users that they customize this portlet with a link to their Users folder.
• My Scorecards
A My Favorites portlet with links to scorecard project documents.
• My People
A My Favorites portlet centered around the corporation's goals. A similar portlet might be called My Finances.
• Corporate Documents
A My Favorites portlet that is structured to reflect the organizational or project structure at the company. This kind of portlet contains documents that are distributed to a group of people within a division or department, or to a group of people who are working on a particular project. To create this kind of portlet:
1 Use the Document Manager navigation pane to locate the folder containing
Note: Notifications about comments are available only on the document level, not the folder level.
Depending on the number of portlets required, secondary pages can be created around the same concept.
My Alerts Portlets
Description
Alerts that users choose to receive by setting properties on a document or a folder in the Document Manager. For example, a user might ask to be informed of a document being added to a folder, or of a comment being added to a document.
Notifications of tasks that the user has to perform, such as approving a budget item. Users cannot choose not to receive these alerts.
Notifications of DataChanged events from SAS Data Integration Studio. (ETL notifications are a subset of workflow alerts.)
All users should have a My Alerts portlet, typically one that receives only opt-in alerts. Data administrators should also have an ETL Notifications alerts portlet so that they can be notified of DataChanged events. Finance approvers and submitters should have a To Do List portlet for their planning.
Note: Multiple My Alerts portlets are permitted.
By default, the My Alerts portlet receives all alerts. However, after you create the portlet, you can edit it to select the type of alerts you want ("all" or a single type).
View a Report
Reports or documents that use graphs and that are viewed by the user on a regular basis are good candidates for a View a Report portlet, which displays the contents of a document rather than a link to the document.
Note: Only certain document types, such as stored process reports and Web documents, can be displayed in a View a Report portlet. If the document type cannot be displayed in the portlet, then the only choice you see is to add a link.
4 Give the portlet a name and, optionally, a description. 5 Check Add to page and select a page from the drop-down list. 6 Click OK.
The portlet is created on the page you specied, and the document is displayed within the portlet, subject to your Internet Explorer settings. (Some documents might be opened in a separate browser window.)
I Add portlets.
in the portlet.
7 From the folders in the Document field, select the document that you want to
9 Click OK.
6 Click OK.
If you created a new portlet, a My Favorites portlet is created containing the link. Otherwise the link is added to the portlet you selected.
If you have licensed SAS Strategic Performance Management, the Performance Dashboard and Performance Table portlets display scorecard elements as well as KPIs, and the following portlets are also available:
Table 7.3 Portlets Available with SAS Strategic Management
Portlet Type: Description
Performance Aggregate Table portlet: Displays data for the selected scorecard and all of its children.
Performance Association portlet: Displays the hierarchical relationship between scorecard elements of a single scorecard or project.
Performance Diagram portlet: Displays data in the form of diagrams, to illustrate the relationships between elements. The data can be based on project element types or scorecard element types.
For information about defining these portlets, see the online Help.
3 Under Prototype, scroll to find the template for the portlet that you want to make
Note: We recommend that you do not grant access to portlets (such as the Alerts portlet) that duplicate functionality that is already available with the SAS Solutions Services portlets.
CHAPTER
8
Application Administration
Administering the Remote Services 94
About the Remote Services 94
Start the Remote Services 94
Install a Service to Start the Remote Services 94
About Solutions Administration 96
Configuring Applications Using the SAS Management Console 96
About Configuration Settings 96
Modify Application Connection Information 97
Modify E-Mail Settings 97
Monitor Error Notifications 99
Using the Solutions Web Administration Application 99
About the Administration Console 99
Open the Solutions Web Administration Application Directly 100
Add the Solutions Web Administration Application to a Portlet 100
Maintaining and Monitoring Solutions Applications 100
View Application Status 101
Generate and Send a Status Report 101
Quiesce the System 101
Restart the System 102
Working with Users 102
Tools for Working with Users 102
Send E-Mail to System Users 102
Send E-Mail to Selected Users 103
Force Users to Log Off 103
View an Audit Trail for a User 103
Clear Users in Role Cache 105
Configuring Log Files 105
Change the Logging Configurations 105
Dynamically Change Logging Levels 106
Using Command-Line Diagnostic Tools 106
Check System Status 107
About the status Command 107
Run the status Command 107
Display User Information 109
About the users Command 109
Run the users Command 109
Validate Group Assignments 109
Overview and Setup 109
Run UserGroupValidation 110
Validate the Domain for the SAS Stored Process Server 110
Overview and Setup 110
Run StoredProcessValidation 111
Validate the E-Mail Interface 111
Overview and Setup 111
Run MailValidation 111
Note: You should run only one instance of the remote services. For SAS Solutions Services, you must run the version that is located in SAS-install-dir\SASSolutionsServices\1.3\RemoteServices.
The log for the remote services (services.log) is located in SAS-config-dir\Lev1\web\Deployments\SASSolutionsServices. For information about creating a more (or less) verbose log, see Configuring Log Files on page 105.
2 Change directory to
SAS-install-dir\SASFoundationServices\1.1\Wrapper\conf.
3 Open the wrapper.conf file for editing.
4 Modify the service name and description:
a Find these lines:
# Name of the service
wrapper.ntservice.name=SASFoundationServices
# Display name of the service
wrapper.ntservice.displayname=SAS Foundation Services
# Description of the service
wrapper.ntservice.description=SAS Foundation Services remote deployment
b Change the lines as follows:
# Name of the service
wrapper.ntservice.name=SAS Remote Services
# Display name of the service
wrapper.ntservice.displayname=SAS Remote Services
# Description of the service
wrapper.ntservice.description=SAS Remote Services remote deployment
5 To avoid outofmemory problems, modify the heap allocation for the remote
Note: Each site must determine its optimal settings, which should be based on server size and other factors.
6 If your deployment metadata is stored in a SAS Metadata Repository, and the SAS
Metadata Server has been installed as a service on the same machine as the remote services, then you can specify a service dependency to ensure that the services start in the correct order. You can specify the service dependency by adding the following line to wrapper.conf:
wrapper.ntservice.dependency.1=Metadata-Service-Name
7 Save the file.
8 Change directory to SAS-install-dir\SASFoundationServices\1.1\Wrapper\bin.
9 Run the following command:
InstallSolutionsRemoteServices.bat
Initially, you need to start this service manually. However, you can open the service properties and change the Startup type so that it starts automatically.
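A quick way to confirm that the edits in steps 4 and 6 were applied before installing the service. This is an added example, not part of the SAS distribution; the sample files are constructed, ExampleMetadataService is a hypothetical service name, and the gap-free numbering check for dependency entries is an assumption about how the wrapper reads indexed properties.

```python
import re

# Defaults shipped in wrapper.conf, as quoted in step 4a of the procedure.
FOUNDATION_DEFAULTS = {
    "wrapper.ntservice.name": "SASFoundationServices",
    "wrapper.ntservice.displayname": "SAS Foundation Services",
    "wrapper.ntservice.description": "SAS Foundation Services remote deployment",
}
# Placeholder shown in step 6; it must be replaced with the real service name.
PLACEHOLDER = "Metadata-Service-Name"
DEPENDENCY = re.compile(r"^wrapper\.ntservice\.dependency\.(\d+)$")

# Constructed sample: file as shipped, plus a dependency pasted in unedited
# and with the wrong index.
SAMPLE_UNEDITED = """
# Name of the service
wrapper.ntservice.name=SASFoundationServices
# Display name of the service
wrapper.ntservice.displayname=SAS Foundation Services
# Description of the service
wrapper.ntservice.description=SAS Foundation Services remote deployment
wrapper.ntservice.dependency.2=Metadata-Service-Name
"""

# Constructed sample: file after steps 4b and 6 (hypothetical service name).
SAMPLE_EDITED = """
# Name of the service
wrapper.ntservice.name=SAS Remote Services
# Display name of the service
wrapper.ntservice.displayname=SAS Remote Services
# Description of the service
wrapper.ntservice.description=SAS Remote Services remote deployment
wrapper.ntservice.dependency.1=ExampleMetadataService
"""


def parse_properties(text):
    """Return key=value pairs, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_wrapper_conf(text):
    """Return a list of problems; an empty list means the edits look complete."""
    props = parse_properties(text)
    problems = []

    # Step 4: the service must no longer carry the Foundation Services identity,
    # otherwise it collides with (or is mistaken for) the other deployment.
    for key, default in FOUNDATION_DEFAULTS.items():
        value = props.get(key)
        if value is None:
            problems.append(f"{key} is missing")
        elif value == default:
            problems.append(f"{key} still has the Foundation Services default")

    # Step 6: collect dependency entries by index.
    deps = {}
    for key, value in props.items():
        match = DEPENDENCY.match(key)
        if match:
            deps[int(match.group(1))] = value

    # Assumption: indexed entries are read from 1 upward and stop at a gap.
    if sorted(deps) != list(range(1, len(deps) + 1)):
        problems.append("dependency entries are not numbered 1..n without gaps")
    for index in sorted(deps):
        if deps[index] in ("", PLACEHOLDER):
            problems.append(
                f"wrapper.ntservice.dependency.{index} is not a real service name"
            )
    return problems


if __name__ == "__main__":
    for label, sample in (("unedited", SAMPLE_UNEDITED), ("edited", SAMPLE_EDITED)):
        print(label, check_wrapper_conf(sample) or "OK")
```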
- command-line utilities
See Using Command-Line Diagnostic Tools on page 106.
- All solutions applications inherit their settings from the SAS Solutions Services properties.
- Each application can define a value for one or more properties as required. If a setting is explicitly defined for an application, it always overrides a parent value. If a value is not explicitly set, the application looks up to its parent to obtain the appropriate setting. For example, if no setting is specifically set in SAS Financial Management, it looks to SAS Solutions Services.
Not all applications provide the same items to configure. Also, remember that if you want to make a change available to more than one application, you can modify the parent component or application. For example, if you wanted to set the default alert notifications type for both SAS Strategic Performance Management and SAS Financial Management, you might set it at the SAS Solutions Services level. Such changes apply to all solutions applications unless they have their own settings. In addition, there can be separate configuration settings within the solution applications themselves. Those configuration settings override any settings that are configured here.
2 To change the host name, type a new value in the Host name of mail server field. This field specifies the name of the SMTP server used to provide e-mail support.
To modify the character set, select a new value from the drop-down list in the Character set for encoding e-mail field. This value is set to UTF-8 by default. This setting should be correct for most configurations.
To change the sender name from the default, type a new value in the Value of FROM field. The sender name applies to e-mail messages (such as alert notifications) that are sent to end users. If you do not want users to reply to such messages, you might want to create a send-only account on your mail server that is valid. Users can then add the account to their safe senders list but cannot reply. This field does not apply to administrative messages.
Set the format of e-mail messages by selecting or deselecting the Use text/HTML MIME type check box. If the check box is selected, then e-mail messages use Multipurpose Internet Mail Extensions (MIME), an Internet standard for the format of e-mail. If the box is not selected, then e-mail messages are displayed as plain text.
In the Recipients of admin. messages box, specify one or more e-mail addresses of administrators who should receive administrative messages. (See Monitor Error Notifications on page 99.) To add an e-mail address, click Add and type an address in the selected box. To remove an e-mail address, select it and click Remove.
In the Recipients of error messages box, specify one or more e-mail addresses of administrators who should receive error messages.
You can test your e-mail settings with the MailValidation utility. See Validate the E-Mail Interface on page 111.
- details about the user who encountered the error
- HTTP form parameters that might have been passed with the user request
- any values stored in the HttpRequest or HttpSession of the application
- the Java system properties available to the application server
This report can be useful in tracking down system configuration errors, user misuse of the system, or even defects in the applications themselves. You should keep a record of these notifications and be prepared to make them available to SAS Technical Support.
You can specify who receives the error notifications for a given application in the Configuration Manager plug-in. To specify recipients for all solutions applications, define the recipients on the E-mail tab of the SAS Solutions Services properties. You can also specify recipients for specific domain applications.
Management
Data
server-name is the name of the server on which the applications are deployed and port is the port number (such as 7001 or 9098). A Log On page is displayed.
2 Enter your user ID and password credentials.
The portlet displays general information about the application, such as the time that the system was started and the numbers of users. To access a Web application that provides more administrative information, select the More info link from the Solutions Web Administration portlet. This link gives you access to the Solutions Web Administration application.
Note: The report does not include information about managed servers that are not running at the time.
operation. See Working with Users on page 102 for information about sending e-mail messages to logged-on users.
2 Click the Status tab.
3 From the toolbar, select Quiesce System.
4 On the Confirm Quiesce page, click OK to proceed with the quiesce operation.
If the system is quiesced, a warning message appears, noting that user logon capabilities have been disabled. Users attempting to log on via the SAS Information Delivery Portal receive an HTTP 403 Error: Unauthorized or forbidden error page in their browsers. Users who are already logged on can continue to use the system. (In contrast, see Restart the System on page 102.)
To restart the system and re-enable user logon capabilities, follow these steps:
1 Click the Status tab.
2 From the toolbar, select Resume System.
Note: During a restart operation, the system is quiesced for a period of time. Make sure that you do not close your browser or otherwise end your session. If you do, you will not be able to access the Web application and you will need to restart the managed servers.
The console displays a list of users who are currently logged on.
4 Use the links on the left side of the page to access the user tools.
To send an e-mail message to all users who are currently logged on, follow these steps:
1 Select the Notify Users menu item on the Management tab's toolbar.
2 On the Send Mail page, enter the subject and text of the message.
3 Select whether you want to send the e-mail message to all addressees at one time,
or to each user individually. The second option provides an additional security measure by not disclosing who is currently logged on.
4 Click Send to send the message.
An informational message is displayed, with a list of users to whom the e-mail was sent.
2 Using the check box in the right-most column, select the user or users to whom you want to send a message.
Note: You must have defined e-mail addresses for these users in the metadata.
3 Select the Send Mail option from the column's pop-up menu.
4 On the Send Mail page, enter the subject and text of the message.
5 Click Send to send the message.
An informational message is displayed, with a list of users to whom the e-mail was sent.
2 Using the check boxes in the right-most column, select the user or users that you
The Force Log Off confirmation page displays the user ID(s), e-mail address, and last logon time. Review this information to ensure that you want to continue with the logoff operation.
4 Click OK to force the logoff, or click Cancel to return to the list.
- adding or replying to a comment
- Web service authentication, for example, entering or exiting Document Manager
- entering or exiting a solutions application such as SAS Financial Management
- entering table view, aggregate view, dashboard view, association view, or diagram view in a scorecard project
The SAS Solutions Web Administration application includes a user history facility that enables auditing by a system administrator. To view this information, follow these steps:
1 On the Management tab, select SAS Solutions > Users > User History.
2 Select the user for whom you want to view history information.
3 Click Show History. The appropriate user history is displayed.
Type Object
Description
Transaction identifier (a value of 1 indicates no transaction association). It is used to link a history transaction to a set of audit transactions (that is, updated data).
Comment: An optional text comment that indicates conditions or other annotations of the action. Some actions, such as submitting, approving, or rejecting a form, offer the opportunity for the user to make a comment. This comment is sent in the user notification for the form as well as included in the history for the action.
Note: If you select the User History option and do not see your users in the drop-down list, or if you receive a message that says there are no users present in the system, then the USERS table in the SAS Solutions Data Mart has not been properly loaded or updated. Verify that the appropriate job has been run to create users and groups. (See Synchronizing Users, Groups, and Roles on page 49.)
This user history information is maintained in the SAS Solutions Data Mart. Each application can also provide customized or domain-oriented views on the recorded transactions.
Note: This role cache and this utility do not apply to other parts of SAS Financial Management, to other solutions, or to SAS Solutions Services.
- ERROR
- FATAL
The SAS Logging Service outputs only those log requests with a priority level equal to or greater than its own. For example, a priority of WARN displays only errors and warnings. A priority of DEBUG displays all log statements. This capability effectively controls the output to the log files, where log statements of lesser importance can generally be suppressed unless a debugging situation occurs.
After editing either of the logging configuration files, you must restart the remote services and then the application servers, in order for your changes to take effect.
Note: You can temporarily change the priorities for Web application logging, without restarting the servers, in the Solutions Administration Console. See Dynamically Change Logging Levels on page 106.
For information about other log files, including the log file used by the portal, see Appendix 2, Log Files, on page 147.
Description
Verifies that the domain for the SAS Stored Process Server is correct.
Verifies that the e-mail interface is set up correctly.
Note: The metadata server must be running before you can use any of these utilities. Before you can use the status and users utilities, the remote services and the managed servers must also be running.
Description
Specifies the format for the output. The default is -html, an HTML file. Both -nohtml and -text specify output in text file format.
Specifies that the output be written to a file. The path is optional. If you specify a path, use forward slashes rather than backslashes as separators. Here are some examples of valid paths:
c:/temp/status.html
./status.html
The second example writes the output to the current folder. Notice that you cannot simply specify the filename; you must preface it with ./ or a full path. If you do not specify a path, the output is written to a file named statusyyyymmdd-hhmmss.<html or txt>, in the diagnostics folder. If you invoke the status command without specifying -file, -send, or -nolog, the default is -file.
-send email-address: Specifies that the output be sent in an e-mail message, rather than being written to a file. The e-mail address is optional. If it is omitted, the message is sent to the user who is specified to receive administrative e-mail messages. (See Modify E-Mail Settings on page 97.)
-nolog: Specifies no logging output. This option cannot be used with the -file or -send option. However, it can be used with the -users option, to generate a simple list of current users. In fact, that is what the users.bat command file does.
In the console window, this option prints a list of current users and the time that they logged in. This information is not included in a file or e-mail message.
Specifies the locale for the output, such as en_US or fr_FR. Locales are specified as language-code[_country-code].
Specifies that information about content be omitted. The default is to include information about repositories, themes, stored processes, and content types that have been defined.
Asks that server start time be included in the output. This is also the default.
Provides verbose output from the command.
SAS Solutions Services SiteStatus v.1.3.0.0
Checking current site deployment...
The current deployment started on 2005-12-13 08:38:45.463.
Logging site information...Done.
Logging application summary...Done.
Logging startup configuration...Done.
Logging connections...Done.
Logging application details...Done.
Logging configured content...Done.
The report has been saved to status20051213-084527.html.
Done.
In the console or at the end of the status report, you might see a list of exceptions that the utility encountered. Typically these exceptions occur for two reasons, both of which can be ignored: not all SAS components have separate license keys, and so their license information cannot be retrieved; and some components (that are not part of SAS Solutions Services) do not store configuration information in the metadata repository, and so that information cannot be retrieved.
- users who are not members of the Solutions Users group or a single subgroup of Solutions Users. Any user who logs on to the portal must be a member of Solutions Users or a subgroup of Solutions Users. However, users who do not log on to the portal are exempt from this requirement.
- existence of the Solutions Installer user. This user should be removed after the installation and configuration are completed.
Before running the utility, edit the UserGroupValidation.cmd script, as follows:
1 Open the UserGroupValidation.cmd file for editing.
Run UserGroupValidation
UserGroupValidation requires only that the metadata server be running. To run the UserGroupValidation command, follow these steps:
1 At a command prompt, change directory to
SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics.
2 Type one of the following commands:
Windows:
UserGroupValidation.bat
UNIX:
./UserGroupValidation.sh
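The two checks listed in the overview can be expressed as a small audit over exported membership data, which is useful when reviewing accounts between runs of the utility. The following is an added example, not the UserGroupValidation utility or any SAS code; the group names other than Solutions Users, the sample users, and the reading of "a single subgroup" as "at most one subgroup" are assumptions.

```python
SOLUTIONS_USERS = "Solutions Users"
INSTALLER = "Solutions Installer"

# Constructed sample data (not exported from a real metadata server).
# Maps each group to its parent group; None marks a top-level group.
GROUP_PARENT = {
    "Solutions Users": None,
    "Finance Users": "Solutions Users",
    "Finance Approvers": "Finance Users",
    "HR Users": "Solutions Users",
    "Data Administrators": None,
}

# Maps each user to direct group memberships and whether the user logs on
# to the portal (users who do not are exempt from the membership rule).
USERS = {
    "alice": {"groups": {"Finance Users"}, "portal": True},
    "bob": {"groups": {"Data Administrators"}, "portal": True},
    "carol": {"groups": {"Finance Users", "HR Users"}, "portal": True},
    "dave": {"groups": {"Finance Approvers"}, "portal": True},
    "etl_batch": {"groups": {"Data Administrators"}, "portal": False},
    "Solutions Installer": {"groups": {"Solutions Users"}, "portal": False},
}


def subgroups_of(root, group_parent):
    """Return every group that descends from root, directly or indirectly."""
    found = set()
    for group in group_parent:
        seen = set()  # guards against a cycle in the parent links
        node = group_parent.get(group)
        while node is not None and node not in seen:
            if node == root:
                found.add(group)
                break
            seen.add(node)
            node = group_parent.get(node)
    return found


def audit(users, group_parent, root=SOLUTIONS_USERS, installer=INSTALLER):
    """Return (user, finding) pairs, sorted by user name.

    Findings:
      INSTALLER_PRESENT       the installer account still exists
      NOT_IN_SOLUTIONS_USERS  portal user outside Solutions Users and its subgroups
      MULTIPLE_SUBGROUPS      portal user in more than one subgroup (assumed rule)
    """
    subs = subgroups_of(root, group_parent)
    findings = []
    for name in sorted(users):
        record = users[name]
        if name == installer:
            # Leftover installation accounts are flagged regardless of groups.
            findings.append((name, "INSTALLER_PRESENT"))
            continue
        if not record["portal"]:
            continue  # exempt: never logs on to the portal
        in_subs = record["groups"] & subs
        if root not in record["groups"] and not in_subs:
            findings.append((name, "NOT_IN_SOLUTIONS_USERS"))
        elif len(in_subs) > 1:
            findings.append((name, "MULTIPLE_SUBGROUPS"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(USERS, GROUP_PARENT):
        print(f"{finding:24} {user}")
```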
Run StoredProcessValidation
StoredProcessValidation requires only that the metadata server be running. To run the StoredProcessValidation command, follow these steps:
1 At a command prompt, change directory to
SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics.
2 Type one of the following commands:
Windows:
StoredProcessValidation.bat
UNIX:
./StoredProcessValidation.sh
Run MailValidation
This utility requires only that the metadata server be running. To run the MailValidation utility, follow these steps:
1 At a command prompt, change directory to
SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics.
2 Type one of the following commands:
Windows:
MailValidation.bat
UNIX:
./MailValidation.sh
If the command succeeds, you will receive an e-mail message notifying you of the fact. If it fails, check to be certain that you have set up the mailhost correctly in the SAS Management Console. For more information, see Modify E-Mail Settings on page 97.
CHAPTER
9
Server Security and Encryption
About Server Security 113
Basic Protections 113
Securing Data Exchanges between Server Components 113
Secure Sockets Layer (SSL) 114
Basic Protections
Basic protections include the following:
- protecting the physical server(s) that make up the data-tier level (in other words, the servers where your MySQL database is located and where your SAS application servers are running) as well as the physical server(s) that make up the mid-tier level, where your J2EE server is running. In addition to the MySQL database, files on these servers might contain vital information such as encoded passwords.
- encoding passwords
- securing the metadata repositories
For information about file system protection for the solutions, see Configure Security Settings for Folders and Files (Windows) on page 11. For additional information, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide.
operation that can detract from other client/server activities and from overall performance in general. However, an enterprise might require the security provided by encrypted connections; if so, the extra computation is warranted.
By default, user credentials in an initial credential exchange are protected using the SAS proprietary 32-bit algorithm that is included with BASE SAS software. It requires no additional SAS product licenses. The underlying encoding system uses a single/symmetric key method, which means that the same key is employed by SAS for both fixed encoding and decoding of data sets. The SASProprietary algorithm is strong enough to protect your data from casual viewing. The SASProprietary method provides what security experts might call a medium level of security at about the same performance overhead cost as data set compression. While it does help prevent unauthorized access to the data, the SASProprietary fixed-encoding method is a single-tier system, which does not use RSA or any other licensed external software.
SAS/SECURE software and Secure Sockets Layer (SSL) encryption provide a high level of security but include additional performance considerations and incur additional export restrictions. For information about configuring additional security with SAS/SECURE software, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide.
After the data security technology is installed, the site system administrator configures the encryption method (and the level of encryption) to be used in all client/server data exchanges in that installation.
In the SAS Intelligence Platform and the solutions, there are several communication points that can be protected by SSL. For example:
- HTTP servers such as those that provide WebDAV capabilities can be configured to support access via the HTTPS protocol, assuming that the servers have been configured to support SSL.
- Communication with the Event Broker Service using the HTTP transport type can be configured to use SSL.
- Applications such as the SAS Information Delivery Portal and the solutions applications can support SSL communication when they are deployed on a J2EE application server that is configured for SSL authentication.
In addition, MySQL has support for secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. Note that SSL is an on-the-wire protocol that protects data travelling from the client to the server. It does not, however, protect data that is stored in MySQL databases.
CHAPTER
10
MySQL Server Administration
MySQL Overview 115
MySQL Installation and Configuration (Windows) 115
Access to libmysql.dll 115
Reconfiguring MySQL 115
MySQL Installation and Configuration (UNIX) 116
Backing Up MySQL Databases 116
MySQL Security Issues 116
MySQL Overview
SAS Solutions Services stores common data in a MySQL database that is created during the installation process. Support for INNODB tables must be enabled within MySQL to provide transaction support, which is required by a number of SAS Solutions Services components such as the Fiscal Calendar component. Transaction support enables you to roll back or commit changes on an all-or-nothing basis. A common example is an ATM transfer from a savings account to a checking account. You would not want the debit to the savings account to occur unless the credit to the checking account succeeded.
Reconfiguring MySQL
The MySQL server is configured to read its configuration settings from the MySQL-install-dir\my.ini configuration file. If you need to adjust your MySQL configuration, you can modify these configuration settings in the MySQL Administrator, or you can edit the my.ini file directly. Before you make any changes, be sure to make a backup copy of the my.ini file. After making your changes, restart the service.
The MySQL client reads its configuration information from a copy of the my.ini file that is located in the Windows root directory (for example, C:\WINNT\my.ini). If you modify the MySQL-install-dir\my.ini file, be sure to copy your modified file to the Windows root directory.
CHAPTER
11
WebDAV Server Administration
About WebDAV 117
Configuring Content Folder Permissions on the Xythos WebFile Server 117
Permissions During Configuration 117
Permissions After Configuration 118
Improving Performance 118
Changing the Apache Port Number 118
Modify the http.conf File 118
Update the weblogic.policy File 119
Update the Metadata 119
More Information 120
About WebDAV
The Web-based Distributed Authoring and Versioning (WebDAV) protocol is an extension to HTTP that provides write access, version control, and other features in addition to the basic features of HTTP. WebDAV is typically enabled only for specific folders on an HTTP server.
If you are using Xythos WebFile Server as your WebDAV server, see Configuring Content Folder Permissions on the Xythos WebFile Server on page 117. If you are using the Apache HTTP server as your WebDAV server, it is recommended that you place the server behind a firewall and allow access only to the middle-tier machine. For greater security, use Xythos as your WebDAV server.
Table 11.1
User or Group SAS Trusted User SAS Administrator Solutions Role Administrator SAS Web Administrator
Granted Read and InheritAll permissions for /sasdav folder. Granted all permissions for /sasdav/wrs folder.
Granted Read permission only for the /sasdav and /sasdav/ Users folders.
Improving Performance
If you use Xythos as your WebDAV server, you can improve its performance by changing the document store location to external storage in a file system location. The SAS installation instructions for Xythos WFS follow this recommended approach.
Apache-install-dir\Apache2\conf. Before making any changes, make a backup copy of the file.
3 Find this line:
Listen 80
Listen new_port_number
Note: If you are using WebSphere, this kind of change is not necessary because the default policy file specifies allpermissions.
a Right-click BIP Information Service and select Properties.
b In the Properties dialog box, select the Service Configuration tab.
c Click Edit Configuration.
d Click the Repositories tab.
e In the Information Repositories box, select DAV and then click Edit.
f Change the Port Number to the new port number and then click OK to save the change.
g Click OK.
h Click OK.
4 Navigate to Foundation Services Manager > Remote Services > BIP Remote Services OMR.
Properties.
8 On the Options tab, change the Port Number to the new port number and click OK.
9 Stop and restart the WebLogic managed server.
Note: If you have also installed other applications that use WebDAV, consult the documentation for those applications for instructions about updating the port number.
More Information
For more information about Xythos security, see "Implementing Authentication and Authorization for the Xythos WFS WebDAV Server" in the SAS Integration Technologies: Server Administrator's Guide.
CHAPTER
12
Configuration Files
Overview 121
Metadata Repositories 121
Databases 122
The Lev1\Data Folder 122
The Lev1\SASMain\SASSolutionsServices Folder 122
Overview
This chapter gives a general view of the state of your system after installing the SAS Solutions Services. It is intended to supplement "Configuration Files" in the SAS Intelligence Platform: System Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
The files are typically installed on the server where your SAS application servers are running, including the metadata server. SAS-config-dir refers to the path to the configuration directory. In Windows configurations, an example would be C:\SAS\SASSolutionsConfig. On UNIX, the typical path is /usr/local/SAS/SASSolutionsConfig. Beyond that point, the paths are the same, except that on UNIX systems, the path separator is a forward slash (/).
Metadata Repositories
In addition to the Foundation repository, SAS Solutions Services and the solutions require these custom metadata repositories:
Table 12.1 Metadata Repositories
Contains
Metadata about the common applications and common configurations
Metadata about the Solutions Data Mart
Metadata used by SAS Financial Management
Depends on
Foundation repository
Contains Metadata used by SAS Strategic Performance Management Metadata used by SAS Human Capital Management
HR
Databases
The SAS Solutions Services installation includes the MySQL database server. The installation process creates the following MySQL databases used by SAS Solutions Services:
Table 12.2 MySQL Databases
Database: Description
sassdm: SAS Solutions Data Mart, which contains the common data model and application data
hcm: SAS Human Capital Management library
spm: SAS Strategic Performance Management library
subfolders:
Table 12.3 Subfolders of SASSolutionsServices
Folder: Description
SASCode: Contains a Jobs directory that stores the SAS code for each job in the environment. Within the SASCode directory, you can also create a UserDefined directory to store stored processes that are created on-site.
SASFormats: Contains the SAS format and informat catalogs that are necessary for the data and for the code that is accessed through the current SAS application server.
SASMacros: Contains the SAS Autocall macros that are invoked via SAS code that executes through the current SAS application server.
There are similar folders for each solution that is installed: for example, you might have SASFinancialManagement, SASStrategicPerformanceManagement, and SASHumanCapitalManagement folders.
CHAPTER
13
Deploying SAS Web OLAP Viewer and SAS Web Report Studio
Overview 125
A Note about Repositories 125
SAS Web OLAP Viewer for Java 126
Define SAS Web OLAP Viewer for Java Services 126
Deploy SAS Web OLAP Viewer 127
Enable Use of SAS Themes 127
Test SAS Web OLAP Viewer 127
SAS Web Report Studio and SAS Web Report Viewer 128
Deploy to a Domain Server 128
Attach the WebDAV Server as the Content Manager for the BIP Tree 128
Import the Query and Reporting Service 129
Duplicate the Query and Reporting Service Deployment 129
Create Managed Servers (Windows) 130
Create Managed Servers (UNIX) 130
Deploy Web Applications to WebLogic (Windows) 131
Deploy Web Applications to WebSphere (UNIX) 131
Deploying SAS Web Report Studio and SAS Web Report Viewer to the Same Managed Server as the Portal 132
Test Your Applications 133
Overview
If you installed SAS Web OLAP Viewer for Java or SAS Web Report Studio, or both, but did not configure them when you configured the solutions, then you can follow the instructions in this chapter to configure these applications.
or from the New menu in the Document Manager, you are asked to select a repository in which to work. If you are working with OLAP cubes, the metadata objects that describe the cube and the cubes associated libraries and source tables must be stored in the same repository, or the metadata that describes the cube must be in a custom repository that is dependent on the repository that contains the library and table objects. Also, to be able to view a cube in a custom repository, the cubes SAS OLAP Server and OLAP schema must reside in the same repository. Otherwise, you are not able to create the cube. In addition, the library and table objects that are referenced by a cube must always be in the same repository.
sas_services_webolapviewer_local_omr.xml file from SAS-config-dir\Lev1\web\Deployments\SASWebOLAPViewerforJava.
Note: Typically, this step would have been performed during the initial system configuration.
Services
Configuration.
c Merge the appropriate files from the table that follows.
d Click OK to save your changes.
Table 13.1
SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 Run one of these commands:
Windows:
WebOlapViewer.bat
If this script fails, correct the problem and run the script again.
The next time you reload the application or restart the J2EE application server, the SAS themes will be applied.
Note: For additional information about configuring SAS Web OLAP Viewer, see the SAS Intelligence Platform: Web Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
- Windows: Start the OLAP servers as services, or start them from the Windows Start menu. At installation time, if you chose to install applications as services, then each OLAP server was installed as a service to be started automatically.
- UNIX: Change to the appropriate directory from the table below and execute the following command:

./OLAPServer.sh start

Domain | Directory
Foundation | SAS-config-dir/Lev1/SASMain/OLAPServer
Solutions | SAS-config-dir/Lev1/SASMain/OLAPServer_Solution
Performance Management | SAS-config-dir/Lev1/SASMain/OLAPServer_PerfMgmt
Finance | SAS-config-dir/Lev1/SASMain/OLAPServer_Finance
HR | SAS-config-dir/Lev1/SASMain/OLAPServer_HR
2 Log on to the portal.
3 Add the SAS Web OLAP Viewer task to a My Favorites portlet.
For more information about adding a task to a portlet, see the online Help.
4 In the portlet, click the task.
If you receive an error when you are trying to access an information map, you might need to grant to Solutions Users ReadMetadata and Read permission for the Maps folder. For instructions, see "Modify Permissions for Information Maps" on page 23. If you receive an error when you are trying to access a cube, you might need to set the cube's access permissions. See "Modify Permissions for OLAP Cubes" on page 23.
Attach the WebDAV Server as the Content Manager for the BIP Tree
For each domain to which you want to deploy SAS Web Report Studio, perform these steps to attach the WebDAV server as the content manager for the BIP Tree:
Note: For the Foundation repository, this step is usually performed during installation and configuration.
1 Log on to the SAS Management Console as an administrative user.
2 Select the appropriate repository.
3 Expand the BI Manager node.
4 Right-click BIP Tree and select Properties.
5 Click the Content Mapping tab.
6 Select WebDAV location.
7 From the Server drop-down list, select HTTP Dav Server.
8 From the Base Path drop-down list, select /sasdav/wrs.
9 Save your changes.
If you omit the user ID and password, the BI Manager displays a warning that these credentials are recommended for security reasons. For non-production systems, you can leave these fields empty. If you are using Xythos WebFile Server as your WebDAV server, then for production systems, it is recommended that you enter the user ID and password of the SAS Web Administrator (saswbadm), which should match the user who is granted access to the /sasdav/wrs folder in Xythos (see "Configuring Content Folder Permissions on the Xythos WebFile Server" on page 117).
Note: If you use the same content mapping for multiple repositories, they share the same space in the WebDAV repository. As a result, if you had reports with the same name and path in more than one repository, they could overwrite one another. To avoid this situation, you might create different content mappings for each repository (for example, /sasdav/wrs_hr and /sasdav/wrs_fm). You would need to create the base path in the properties for the HTTP DAV Server and then specify that base path in the content mapping as explained above. Be sure to apply the same permissions to these folders that you apply to the /sasdav/wrs folder.
following:
- Solution
- PerfMgmt
- HR
- Finance
5 Click OK.
6 Expand Query and Reporting Solution > BIP Core Services.
7 Right-click Platform Information Services and select Properties.
8 Select the Service Configuration tab.
9 Click the Edit Configuration button.
10 Select the Repositories tab and click the Edit button.
11 On the Edit Information Service Repository page, make these changes:
  - Change the Name field from Foundation to the name of the repository, which can be one of the following: Solutions, Performance Management, HR, or Finance.
  - Change the Description field so that it references the appropriate repository name.
  - Change the Base field from Foundation to the name of the repository.
SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 For each of the domain managed servers you want to create, use the appropriate
SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 For each of the domain managed servers you want to create, use the appropriate
Domain HR Finance
Note: These commands must be executed as the root user because they affect WebSphere.
For information about modifying the heap allocation for the HR server, see "Startup Scripts" on page 65.
2 At a command prompt, change directory to SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
3 To deploy SAS Web Report Studio, type the command to deploy the applications. Select from this list:
Domain | Command to Deploy Web Application
Foundation | FoundationWebReportStudio.bat, FoundationWebReportViewer.bat
Solutions | SolutionsWebReportStudio.bat, SolutionsWebReportViewer.bat
Performance Management | PerfMgmtWebReportStudio.bat, PerfMgmtWebReportViewer.bat
HR | HRWebReportStudio.bat, HRWebReportViewer.bat
Finance | FinanceWebReportStudio.bat, FinanceWebReportViewer.bat
The deployment takes some time to execute because it precompiles all the JSP files.
1 Change directory to SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 As the root user, type the appropriate commands from this list:
Domain | Command to Deploy Web Application
Foundation | ./FoundationWebReportStudioWS.sh, ./FoundationWebReportViewerWS.sh
Solutions | ./SolutionsWebReportStudioWS.sh, ./SolutionsWebReportViewerWS.sh
Performance Management | ./PerfMgmtWebReportStudioWS.sh, ./PerfMgmtWebReportViewerWS.sh
HR | ./HRWebReportStudioWS.sh, ./HRWebReportViewerWS.sh
Finance | ./FinanceWebReportStudioWS.sh, ./FinanceWebReportViewerWS.sh
server.
d Click Start.
Deploying SAS Web Report Studio and SAS Web Report Viewer to the Same Managed Server as the Portal
It is possible to deploy SAS Web Report Studio and SAS Web Report Viewer to the same managed server as the portal, rather than to a separate managed server. This can be useful in an upgrade situation if you have links to reports that were created on the SASManagedServer. Follow these steps:
1 If you have already deployed SAS Web Report Studio and SAS Web Report Viewer
to the Foundation Server, use the administration console of the J2EE application server to undeploy these applications.
2 Open the SAS-config-dir\solutionsmid.properties file for editing.
3 Modify the values of SWOVFOUNDATION_NAME and SWOVFOUNDATION_PORT so that they point to the correct managed server. Here is an example:
SWOVFOUNDATION_NAME=SASManagedServer
SWOVFOUNDATION_PORT=7001
4 Save your changes.
5 From a command prompt, run the FoundationWebReportStudio and
For detailed instructions, see "Deploy Web Applications to WebLogic (Windows)" on page 131 and "Deploy Web Applications to WebSphere (UNIX)" on page 131.
Note: Do not create or start the Foundation Server.
Properties.
f Click the Connection tab.
g Modify the port number and click OK.
Note: Collection portlets expect SAS Web Report Studio reports to exist only in the Foundation repository, and they expect SAS Web Report Viewer to be deployed on the same managed server as the portal. If your reports do not fit those criteria, add them to a My Favorites portlet instead.
appropriate repository on the data-tier machine. For instructions, see Test SAS Web OLAP Viewer on page 127.
2 Log on to the portal.
3 Add the SAS Web Report Studio task to a My Favorites portlet.
For more information about adding a task to a portlet, see the online Help. You can also open SAS Web Report Studio from the Document Manager: select New > Web Report Studio Report.
4 In the portlet, click the task.
5 When you are prompted, select a repository.
6 Create a report.
If you receive an error when you are trying to access an information map, you might need to grant to Solutions Users ReadMetadata and Read permission for the Maps folder. For instructions, see "Modify Permissions for Information Maps" on page 23. If you receive an error when you are trying to access a cube, you might need to set the cube's access permissions. See "Modify Permissions for OLAP Cubes" on page 23.
7 Add the report to a portlet and try to open it, or try to open it from the Document Manager.
At runtime, SAS Web Report Studio is opened when a user selects the Open SAS Web Report Studio task from the portal or selects New > Web Report Studio Report from the Document Manager. SAS Web Report Viewer is opened when a user clicks on an existing report in the portal or in the Document Manager.
Note: For additional information about configuring SAS Web Report Studio and SAS Web Report Viewer, see the SAS Intelligence Platform: Web Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
CHAPTER 14
Client Installation and Configuration
- Client Setup
- Client Applications
- SAS Solutions Services Add-In for Microsoft Office
- SAS Financial Management Add-In for Microsoft Excel
- Install the Applications
- Verify the Installation
- Complete the Installation of the SAS Financial Management Add-In
- Verify the SAS Financial Management Add-In
- SAS Solutions Services Dimension Editor
- SAS Financial Management Studio
- SAS Data Integration Studio
- SAS Strategic Performance Management Migration Wizard
- SAS Management Console
- Java Runtime Environment
- Configuring Logging for ETL Jobs
- Uninstalling the Client Applications
Client Setup
Client applications must be installed on Windows machines. Before installing client applications, you must determine how users will access the clients. The following instructions assume that the clients will be installed on users' desktops by means of SAS Software Navigator (SSN). When SSN is used, the following steps apply to all installations.
Note: If you have a previous installation of any of the client applications, uninstall them before proceeding. See "Uninstalling the Client Applications" on page 141.
To install the client applications, complete the following steps.
1 On the client machine, open SSN.
2 Select a language for SSN. Click Next.
3 On the deployment type page, select Advanced. Click Next.
4 Select the SAS Installation Data (SID) file. Click Next.
5 Select the folder for the client deployment plan. Click Next.
6 On the installation options screen, select the appropriate software, as described in "Client Applications" on page 136. You can install these client applications separately or at the same time. If you install the Microsoft Office add-ins separately, the installation order is important; see "SAS Solutions Services Add-In for Microsoft Office" on page 136 and "SAS Financial Management Add-In for Microsoft Excel" on page 137. Otherwise, the applications can be installed in any order.
7 Click Next.
8 The next screen asks for the default install path. Select the default or navigate to a different folder for the installation. Click Next.
9 Select the set of help files to install and click Next. You have two choices in terms of help file languages:
  - the current language
  - or all available languages
10 On the Review options screen, look over your installation options. If they are correct, click Install.
If you are installing SAS Financial Management Studio, SAS Dimension Editor, or SAS Solutions Services Add-In for Microsoft Office, the installation prompts you for the URL to the file that defines the available servers, in the form http://server-name:port. For server-name, enter the name of the middle-tier server, where the J2EE application server is running. For port, enter the port number that is used to log on to the portal. Here is an example: http://myserver.mycompany.com:7001. If users are installing client applications on their own machines, be sure that they are aware of this middle-tier server name and port. The installation program uses this information to determine the path to the EnvironmentFactory.xml file, which defines one or more site-specific environments (for example, default, dev, or test). When users log on to SAS Financial Management Studio or SAS Dimension Editor or when they log on to the middle-tier server from Microsoft Word or Excel, they are asked to select one of these environments.
This file should be located in Microsoft-Office-install-dir\Office\Library, Office10\Library, or Office11\Library, depending on the version of Microsoft Office that is installed.
4 Click OK to add it to the Add-Ins dialog box.
5 In the Add-Ins dialog box, make sure that SAS SPM Functions is selected.
6 Click OK.
7 Click OK.
To verify that the installation succeeded, open Microsoft Excel or Microsoft Word. You should see a new menu item, SAS Solutions, that is available to users who belong to the Solutions Users group and the Analyst role.
section)
2 SAS Financial Management Add-In for Microsoft Excel
This file should be located in Microsoft-Office-install-dir\Office\Library, Office10\Library, or Office11\Library, depending on the version of Microsoft Office that is installed.
4 Click OK to add it to the Add-Ins dialog box.
5 In the Add-Ins dialog box, make sure that SAS Financial Management Functions is selected.
If you had an existing installation of Microsoft Excel and the SAS Financial Management Add-In, you might need to delete the existing add-in first, as follows:
1 Open Microsoft Excel.
2 From the Tools menu, select Add-Ins.
3 Clear the checkbox for SAS Financial Management Functions.
When you are asked if you want to delete the add-in, say yes.
4 Close Excel and reopen it.
5 Then follow the instructions, above, to add SAS Financial Management Functions
2 Enter a valid user name and password and the name and port for the middle-tier server.
3 Click OK.
The application connects to the middle-tier server.
4 From the SAS Solutions menu, select Insert. If the installation is successful, a pop-up menu appears showing the options Document, Read-only Table, CDA Table, and Member Labels.
If the Insert menu item is dimmed, try the following steps:
1 From the Help menu, select About Microsoft Excel.
2 Click the Disabled Items button.
3 Check that the add-in is not on the disabled items list.
For more troubleshooting information, see Errors Running Client Applications on page 154.
To install this client on the user's desktop, select SAS Strategic Performance Management Migration Wizard in the list of installation options.
Java Runtime Environment (SAS Private Version) Volume 3 SAS Management Console SAS Foundation Services with SAS Management Console plug-ins SAS Solutions plug-ins for SAS Management Console
If you choose to store this file in a different directory, edit the path in the above code accordingly.
3 Save the file.
4 In the C:\tmp directory, create a log4j.properties file, similar to the following.
Note: Each ConversionPattern value, including the part that begins with [%t], must be on a single line.

# Hierarchy: DEBUG < INFO < WARN < ERROR < FATAL
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{MM-dd HH:mm:ss,SSS} [%t][%-5p %c{1}] - %m%n
log4j.appender.F1=org.apache.log4j.RollingFileAppender
log4j.appender.F1.file=c:/tmp/fms_log4j.log
log4j.appender.F1.layout=org.apache.log4j.PatternLayout
log4j.appender.F1.layout.ConversionPattern=%d{MM-dd HH:mm:ss,SSS} [%t][%-5p %c{1}] - %m%n
log4j.rootLogger=WARN, F1
log4j.rootCategory=WARN, F1
log4j.category.com.bea=WARN
log4j.category.com.sas=WARN
log4j.category.com.sas.solutions=DEBUG
log4j.category.com.sas.solutions.finance=DEBUG
Outlook.
2 From the Windows Start menu, select Control Panel.
3 Select Add or Remove Programs.
Note: The other client applications can be uninstalled at any point in the sequence.
APPENDIX 1
Default Port Usage
Port Usage
The following table lists ports that might be used in a default solutions deployment. For a list of default ports that are used by the SAS Intelligence Platform, see "Default SAS Ports" in the SAS Intelligence Platform: System Administration Guide.
Port | Entity/Service | Description/Purpose
25 | SMTP mail | Port used by mailhost or Simple Mail Transfer Protocol (SMTP). Used to send administrative e-mail notices and end-user alert notifications. This functionality is not provided by SAS, but is made available by the site.
80 | HTTP Server | Handles proxy requests to application server. Also used for static assets such as themes, stylesheets, and images.
80 | | Apache DAV support provided via standard HTTP server; typical use is in Windows deployments where no Xythos server is installed or available. Both proxy requests and DAV requests can use the same server and port.
443 | | Default port used by Apache Web Server for Secure Sockets Layer; configured only for HTTPS access in a secured environment.
2206 | | Default port for the Backup, Restore, and Migration tool. User-configurable.
3306 | | All JDBC access from the application server(s) goes through this port to the MySQL server. SAS/ACCESS to MySQL also uses this port.
5098 | | (Deprecated) Used by the Event Broker of SAS Foundation Services to manage multiple brokers.
Port 5099
Description/Purpose
All client access to remote Foundation Services is directed through this port. In Solutions deployments, only middle-tier clients communicate via RMI. Therefore, it is not necessary to open this port to external access (that is, to other clients on the network) in a firewall-protected environment.
Port that is used by Xythos WebFile Server to access the PostgresSQL database.
Ports that are used by the SAS OLAP Server. The default port number (5451) applies to the Foundation domain. Ports 15451-15454 are used for deployment to additional domains.
(WebLogic) Default port for a single managed server. Used by the solutions Web applications and by many of the client applications, such as SAS Financial Management Studio.
(WebLogic) Default port for the ODCS managed server.
(WebLogic) Default configured ports for the domain servers: FoundationServer, SolutionServer, PerfMgmtServer, FinanceServer, and HRServer. These domain servers are used for deploying SAS Web Report Studio.
Default configured port for the WebLogic administration server.
Port used by SAS/CONNECT Server.
Server that is configured by SAS Solutions Services for HTTP transports into the Foundation Services Event Broker. Events fired by SAS code into the middle tier are communicated via this port.
Default port for Xythos configurations. Xythos works in conjunction with its own deployed Apache Tomcat server that handles requests on this port.
Port used by the SAS/SHARE Server.
Default port for metadata access.
Load-balancing requests from SAS Object Spawner go through this port.
Default Object Spawner operator port.
Default port for SAS IOM Workspace Server.
8601 is the default port for the SAS Stored Process Server. 8611, 8621, and 8631 are the defaults for any additional SAS Stored Process Servers.
SASManagedServer
7002 7101-7104
BEA WebLogic Admin Server SAS/CONNECT HTTP Server for Event Broker
8300
SAS/SHARE Server SAS Metadata Server SAS Object Spawner Load Balancing SAS Object Spawner Operator SAS IOM Workspace Server SAS Stored Process Server
Description/Purpose
Default listen port for the WebSphere Application Server.
Default administration port for the WebSphere Application Server. If there is a conflict with port 9090, 9091 is typically used.
For more information about additional ports that are used by WebSphere, see the documentation for the WebSphere Application Server.
17000
Ant server
APPENDIX 2
Log Files
- Overview of Log Files
- Log Files on the Middle Tier
- Log Files on the Data Tier
- Log Files for Client Applications
Log File Location and Notes
SAS-config-dir\Lev1\web\Deployments\SASSolutionsServices
Contains a configuration file (logging_config.xml) and log file (services.log) for the remote services, and a configuration file (logging.xml) and log file (server.log) for SAS Solutions Services that are part of the Web applications. For information about modifying logging options, see "Configuring Log Files" on page 105.
SAS-config-dir\Lev1\web\Deployments\Portal\logs
Contains logs for the portal, the SASStoredProcess Web application, and the SASPreferences Web application. The Portal directory contains configuration files for these logs.
In addition to the logs that are described above, you can configure a log file to be written when a stored process uses the Javaobj interface, a mechanism that is similar to Java Native Interface (JNI) for instantiating Java classes and accessing their methods and fields. This applies to the standard reports that are shipped with SAS Financial Management Solutions. For information about log files for other applications, such as SAS Web Report Studio and SAS Web OLAP Viewer, see the SAS Intelligence Platform: Web Application Administration Guide, available at http://support.sas.com/documentation/configuration/913admin.html.
Object | Log File Location and Notes
SAS Stored Process Server | SAS-config-dir\Lev1\SASMain\StoredProcessServer\logs
SAS Workspace Server | SAS-config-dir\Lev1\SASMain\WorkspaceServer\logs. SAS Workspace Server logging is not enabled by default.
Xythos WebFile Server | Xythos-install-dir\appserver-version\logs. Created if you install Xythos as your WebDAV server. In addition, the database server that you use with Xythos typically has its own log files.
APPENDIX 3
Troubleshooting
- General Troubleshooting Tips
- Errors in the SASV9.CFG File
- Errors in the Portal
- BEA WebLogic Errors
- IBM WebSphere Errors and Warnings
- MySQL Errors
- Errors Running Client Applications
- Be sure that you start the remote services before you start the managed servers. If you restart the remote services and managed servers, you should also restart the object spawner.
- Check log files. For information about finding and configuring log files, see Appendix 2, "Log Files," on page 147.
- If you need to contact SAS Technical Support, it is a good idea to generate a status report that can be sent along with your question. "Check System Status" on page 107 explains how to run the status utility from the command line, and "Generate and Send a Status Report" on page 101 explains how to generate a status report from the Solutions Web Administration console.
- Windows configurations:
On Windows, this file can be found at !SASROOT\nls\en (for an installation in English). There are two sets of JREOPTIONS. The first set should include these values, which are set during solutions configuration (in addition to other values that are set during the platform configuration):
JREOPTIONS= (... -Denv.factory.location=http://host:port/SASConfig/EnvironmentFactory.xml -Dsas.javaobj.experimental=no)
The second set of JREOPTIONS applies only to the solutions and should have these contents:
JREOPTIONS= (-Dsas.app.class.dirs=!sasroot\soltnsdata\sasmisc; !SASROOT\core\sasmisc; !SASROOT\finance\sasmisc; C:\Program Files\SAS\Shared Files\applets\9.1)
If you did not install SAS Financial Management, the options will not include
!SASROOT\finance\sasmisc.
- UNIX configurations:
On UNIX, there is a single set of JREOPTIONS in the sasv9.cfg file, which can be found at !SASROOT. The options should include these values, which are set during solutions configuration (in addition to other values that are set during the platform configuration):
JREOPTIONS= (-Dsas.app.class.dirs=!SASROOT/misc/soltnsdata: !SASROOT/misc/base:!SASROOT/misc/finance:!SASROOT/misc/applets ... -Denv.factory.location=http://host:port/SASConfig/EnvironmentFactory.xml -Dsas.javaobj.experimental=no)
If you did not install SAS Financial Management, the options will not include
!SASROOT/misc/finance.
To circumvent this problem, you can change the connection information that is stored in the metadata, as follows:
1 Open SAS Management Console.
2 Select the Foundation repository.
3 Navigate to Application Management > Configuration Manager.
4 Right-click SASTheme_default and select Properties.
5 Click the Connection tab.
6 Modify the Host Name and click OK.
Make similar changes, if appropriate, for the other objects that have Connection tabs, in the Foundation repository and in other repositories. After making your changes, stop and restart the remote services and the managed servers.
Note: If you are using a WebLogic developer's license, you are limited to five connections, and this limitation can also result in images not always displaying correctly.
- When you refresh a stored process, you receive a "failed to authenticate" error.
In SAS Management Console, check to see that the authentication domain for the SAS Stored Process Server is SPAuth. If it is not, change the authentication domain as follows:
1 Open SAS Management Console.
2 Select the Foundation repository.
3 From the navigation tree, expand Server Manager > SASMain > SASMain Logical stored Process Server > SASMain Stored Process Server.
4 In the right pane, right-click the Connection definition and select Properties.
5 Click the Options tab.
6 From the Authentication Domain box, select SPAuth.
7 Click OK.
Make the same change to each of the load balanced (LB) connection definitions. You do not need to set any advanced options.
If the authentication domain is correct, but you are still receiving stored process errors:
  - Try restarting the object spawner.
  - Make sure that the user's groups and roles are sufficient for the task. For details, see Chapter 4, "Authentication and User Security," on page 33.
  - In SAS Management Console, check to be sure that the stored process name and output location are correct.
- You have a JDBC error when starting the managed server or when deploying one of the applications. Be sure that the following conditions are true:
  - The JAR file for the JDBC driver is in the WEBLOGIC_CLASSPATH. If you installed MySQL after installing WebLogic, and you are running the WebLogic Admin server as a service, you need to uninstall the service and reinstall it so that it will pick up the new classpath that includes the JDBC driver.
  - There are no other versions of the JDBC driver being used. In particular, check the jre/lib/ext folder and delete any other versions of this driver. (Note that it is not sufficient to rename the JAR file; you must move or delete it.)
  - The path to libmysql.dll is in the system path.
- Your WebSphere log files do not capture all the logging information.
Resize the log files; see "Increase the Log File Size" on page 72.
MySQL Errors
If you encounter MySQL errors, be sure that the MySQL bin directory is on the user's path. Here is a typical error message:
ERROR: The SAS/ACCESS Interface to MYSQL cannot be loaded. The libmysql code appendage could not be loaded.
ERROR: Error in the LIBNAME statement.
ERROR: an error occured during submission of libname command for SASLibrary object: HCMData. Regdata.regutil.class, method _buildLibname failed.
ERROR: failure occured during _buildLibname() for SASLibrary HCMData. Regdata.BuildLibname.scl aborting.
ERROR: Failure creating libref to: HCMData.
For complete instructions about installing and configuring MySQL, see the installation guide.
These client applications must validate the user on the middle-tier server. The J2EE application server must be running, and the client application must be able to find the EnvironmentFactory.xml file, which contains site-specific information about one or more environments (see "Client Setup" on page 135). To modify the address of EnvironmentFactory.xml:
1 Open the client application's .ini file for editing. The .ini files are located in the following locations:
SAS-install-dir\SAS Solutions Services\Add-In for Microsoft Office\SASSolutionsOfficeClient.ini
SAS-install-dir\SASSolutionsServices\DimensionEditor\1.3\SASDimEditor.ini
SAS-install-dir\SASFinancialManagement\Studio\4.3\sasfmstudio.ini
2 Find the reference to EnvironmentFactory.xml, which should have a value in the form http://server-name:port/SASConfig/EnvironmentFactory.xml. The server-name should be the name of the middle-tier server, where the J2EE application server is running. The port should be the port number that is used to log on to the portal. Here is an example: http://myserver.mycompany.com:7001/SASConfig/EnvironmentFactory.xml.
3 Save the file.
4 Restart the client application.
- In SAS Data Integration Studio, when you try to run a job that loads data from the DDS to SASSDM, you see an error like this:
ERROR: Could not instantiate class com/sas/solutions/etl/metadata/client/MDLoad at line 26 column 18.
ERROR: DATA STEP Component Object failure. Aborted during the EXECUTION phase.
The SASManagedServer must be running in order to use some of the Web services that are necessary for this operation.
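The JREOPTIONS values described under "Errors in the SASV9.CFG File" and the EnvironmentFactory.xml address in the client .ini files can be checked mechanically. The following Python script is an added example, not part of the SAS guide or of SAS software: it parses the JREOPTIONS sets, checks the three -D options named above, and compares the URL in a client .ini file with the one in sasv9.cfg. The function names, the sample file contents, and the .ini key name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ENV_PATH = "/SASConfig/EnvironmentFactory.xml"
# A JREOPTIONS set ends at a ")" that closes a line, so "(x86)" inside a path is safe.
JRE_RE = re.compile(r"JREOPTIONS\s*=?\s*\((.*?)\)[ \t]*$", re.I | re.S | re.M)
URL_RE = re.compile(r"https?://[^\s\"'()<>]+?" + re.escape(ENV_PATH))


def parse_jreoptions(cfg_text):
    """Merge the -D options of every JREOPTIONS=( ... ) set into one dict."""
    opts = {}
    for body in JRE_RE.findall(cfg_text):
        flat = " ".join(body.split())  # undo line wrapping inside the set
        # An option starts at "-<letter>" after whitespace; values such as a
        # path under "Program Files" may contain spaces themselves.
        for tok in re.split(r"\s+(?=-[A-Za-z])", flat):
            if tok.startswith("-D") and "=" in tok:
                key, value = tok[2:].split("=", 1)
                opts[key.strip()] = value.strip()
    return opts


def endpoint(url):
    """Return (host, port) for a well-formed EnvironmentFactory.xml URL, else None."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # for example the literal placeholder "host:port"
        return None
    if parts.scheme not in ("http", "https") or not host or port is None:
        return None
    return (host, port) if parts.path == ENV_PATH else None


def split_class_dirs(value):
    """Split sas.app.class.dirs: ';' separates Windows entries, ':' UNIX ones."""
    sep = ";" if (";" in value or "\\" in value) else ":"
    return [p.strip() for p in value.split(sep) if p.strip()]


def check_sasv9_cfg(cfg_text, finance_installed=True):
    """Return findings for the solutions JREOPTIONS; [] means they match the guide."""
    opts = parse_jreoptions(cfg_text)
    findings = []
    url = opts.get("env.factory.location")
    if url is None:
        findings.append("missing -Denv.factory.location")
    elif endpoint(url) is None:
        findings.append("env.factory.location is not http://host:port" + ENV_PATH + ": " + url)
    if opts.get("sas.javaobj.experimental") != "no":
        findings.append("-Dsas.javaobj.experimental=no is not set")
    dirs = [d.lower() for d in split_class_dirs(opts.get("sas.app.class.dirs", ""))]
    if not dirs:
        findings.append("missing -Dsas.app.class.dirs")
    else:
        if not any("soltnsdata" in d for d in dirs):
            findings.append("sas.app.class.dirs has no soltnsdata entry")
        if finance_installed and not any("finance" in d for d in dirs):
            findings.append("sas.app.class.dirs has no finance entry")
    return findings


def check_client_ini(ini_text, expected):
    """Compare every EnvironmentFactory.xml URL in a client .ini with (host, port)."""
    urls = URL_RE.findall(ini_text)
    if not urls:
        return ["no EnvironmentFactory.xml reference found"]
    return [u + " does not point at %s:%d" % expected
            for u in urls if endpoint(u) != expected]


# Constructed sample: Windows-style sasv9.cfg with the two JREOPTIONS sets.
# -Dexample.platform.option is a made-up stand-in for the platform's own options.
SAMPLE_CFG = r"""
-JREOPTIONS=(-Dexample.platform.option=1
  -Denv.factory.location=http://myserver.mycompany.com:7001/SASConfig/EnvironmentFactory.xml
  -Dsas.javaobj.experimental=no)
-JREOPTIONS=(-Dsas.app.class.dirs=!sasroot\soltnsdata\sasmisc;
  !SASROOT\core\sasmisc;!SASROOT\finance\sasmisc;
  C:\Program Files\SAS\Shared Files\applets\9.1)
"""

# Constructed client .ini content; "placeholder.key" is not the real key name.
SAMPLE_INI = "placeholder.key=http://oldserver.mycompany.com:7001/SASConfig/EnvironmentFactory.xml\n"

if __name__ == "__main__":
    for finding in check_sasv9_cfg(SAMPLE_CFG):
        print("sasv9.cfg:", finding)
    expected = endpoint(parse_jreoptions(SAMPLE_CFG)["env.factory.location"])
    for finding in check_client_ini(SAMPLE_INI, expected):
        print("client .ini:", finding)
```

Pass finance_installed=False on sites without SAS Financial Management, where the guide says the finance entry is absent.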
156
Index 157
Index
A
actions 31 Administer permission 54 administration 2 Administration Console 99 Administrators group 38 alerts 1 multiple 88 My Alerts portlets 87 types of 87 Apache Web server installation directory 4 moving themes to 75 port number 118 application administration command-line diagnostic tools 106 application properties 10 applications See also client applications conguration settings 96 conguring 2 conguring J2EE application server 25 conguring Web applications 25 conguring with SAS Management Console 96 connection information 97 error notications 99 honoring properties 96 loading client applications 25 maintaining and monitoring 100 quiescing the system 101 restarting the system 102 Solutions Web Administration 99 status of 101 status reports 101 architecture 2, 4 assumptions and recommendations 3 audit trails 32 viewing 103 auditing 32 authentication 29 host authentication 29 user security and 33 authentication domain changing, for SAS Stored Process Server 153 authentication provider 29 authorization 30 See also content security authorization object-based authorization facility 31
B
backup script 19 backups 19 batch job rights 21 BEA home directory 4 BIP Tree WebDAV server as content manager for Browse Employee Information task 85 bulk loading users and groups 49
128
C
clear users in role cache 105 client applications 136 loading 25 SAS Data Integration Studio 139 SAS Financial Management Add-In for Microsoft Excel 137 SAS Financial Management Studio 139 SAS Management Console 140 SAS Solutions Services Add-In for Microsoft Office 136 SAS Solutions Services Dimension Editor 139 SAS Strategic Performance Management Migration Wizard 139 troubleshooting errors 154 uninstalling 141 client setup 135 clock synchronization 26 collaboration 1 command-line administration tools status script 107 users script 109 command-line diagnostic tools 106 configuration 8 applications, with SAS Management Console 96 content configuration 22 content folders on Xythos WebFile Server 118 Information Delivery Portal 24 J2EE application server 25 log files 105 managed servers 65 modifying application settings 96 MySQL 115 security settings for folders and files 11 steps for 8
themes 75 Web applications 25, 74 configuration directory 4 Configuration Manager plug-in 96 connection information 97 content 51 See also content security authorization access permissions 53 configuring 22 creating 60 creating for site 24 creating stored process reports 60 default folders 53 importing 61 organizing 52 permissions 34 shared folder security 53 types 51 content administrators 22 assigning 82 assigning for a group 82 assigning for all portal content 82 types of 82 content folders configuring on Xythos WebFile Server 118 modifying permissions 15 structure 22 content manager WebDAV server as, for BIP Tree 128 content security authorization 53 content access permissions 53 default shared folder security 54 default user folder security 55 defining 55 in Document Manager properties 55 in SAS Management Console 56 in SAS OLAP Viewer 58 in SAS Web Report Studio 59 restrictive permissions property 60 SAS Guest user access 59 content types 51 conventions 4 Corporate Information portlet 85 cubes permissions for 23 repositories and 126 custom groups 41 custom page templates 84 custom trees 31 customizing the portal
D
Daily Information portlet 85 dashboard 90 data and compute tier 2, 121 databases 122 Lev1\Data folder 122 Lev1\SASMain\SASSolutionsServices folder 122 metadata repositories 121 data exchanges securing 113 data-level security 2 data tables synchronizing 49 data tier log files on 148 data transmission security 31 data transmissions securing 15 databases 122 Default Backup 19 default folders 53 default groups 38 default portal pages 83 default portlets accessing 91 default shared folder security 54 default user folder security 55 default users 36 Delete permission 54 deployment descriptors for Web applications 74 diagrams 90 Dimension Editor 139 dimension management 2 Dimension Modeler role 44 directives 1 document management 1 Document Manager 52 creating folders 53 securing content in 55 security permissions 54 documentation conventions 4 documents creating a link to 90 Manage Documents task 85 domain servers 64
error notifications 99 ETL Notifications alerts 87 ETL transformations and jobs importing 17 loading 15 events setting permissions on 17 Excel reports 46 execute queues 67
host authentication 29
I
importing content 61 ETL transformations and jobs 17 Query and Reporting service 129 Information Delivery Portal configuring 24 information maps permissions for 23 repositories and 125 install scripts for Windows services 68 installation 3 MySQL 115 of software 9 planning 8 SAS/Graph maps 9 verifying 8 Windows services 68 installation directory 4 installation verification data 8
F
favorites See My Favorites portlets files security settings for 10 financial forms 85 firewall 32 folders content folder structure 22 creating with Document Manager 53 default folders 53 default shared folder security 54 default user folder security 55 SAS Content folder 53 security settings for 10 Shared Documents folder 53 shared folder security 53, 57 Trash Can folder 53 Users folder 53 forcing log-off 103 Foundation domain server deploying SAS Web Report Studio to 128 deploying SAS Web Report Viewer to 128 Foundation managed server creating 130 deploying Web applications to 131 Foundation Services importing Query and Reporting service to 129
J
J2EE application server 29 configuring 25 securing configuration 15 Java Runtime Environment 140 Java services defining SAS Web OLAP Viewer for 126 jobs importing ETL jobs 17 loading ETL jobs 15
G
geographic analysis 85 group content administrators 82 group permission trees 50 groups 34 assignment 40 bulk loading 49 creating 21 custom groups 41 default groups 38 defining 34 enforcing content permissions 34 Portal Admins 82 roles and 34 SAS Data Integration Studio 48 SAS Intelligence Platform 38 solutions-wide 40 synchronizing users, groups, and roles 49
K
key 32 key performance indicator (KPI) 1, 90
L
LDAP server 29 Lev1\Data folder 122 Lev1\SASMain\SASSolutionsServices folder 122 links adding to My Favorites portlets 89 to documents 90 load order for themes 68 loading client applications 25 ETL transformations and jobs 15 production data 24 sample data 19 log files 147 configuring 105 on data tier 148 on middle tier 147 log on as batch job rights 21
E
e-mail sending to selected users 103 sending to system users 102 e-mail addresses for administrative and error messages 10 for administrators 10 for notifications 49 employee information 85 encryption 15, 32 error messages e-mail addresses for 10
H
hidden files and folders 3
logging levels dynamically changing 106 logging off forcing 103 logging priorities 105 logs securing for portal security 91
O
object-based authorization facility 31 ODCS clustering 76 OLAP cubes permissions for 23 repositories and 126 OLAP server authentication 29 Open SAS Web OLAP Viewer task 85 Open SAS Web Report Studio task 85 operating environment 3 protection for 11 organization analysis 85
M
Manage Documents task 85 Manage Financial Forms task 85 Manage Measures task 85 Manage Scorecard Projects task 85 managed servers 64 changing port numbers 69 common environment 65 configuring 65 creating Foundation managed server 130 execute queues 67 load order for themes 68 selecting alternative port 71 starting 64 startup scripts 65 stopping 64 URL mapping 66 mapping URL mapping 66 measure and metric management 1, 85 merging files 126 metadata identities 33 creating 22 removing default identities 11 metadata repositories 121 securing 113 metadata security 30 metadata server authentication 29 threading options for 9 Microsoft Excel reports 46 Microsoft Office integration 2 middle tier 2 log files on 147 migrating SPM data 25 Migration Wizard 139 monitoring 26 monitoring applications 100 My Alerts portlets 87 adding 88 adding a custom portlet 88 My Favorites portlets 84 linking to 89 MySQL 115 installation and configuration 115 installation directory 4 securing data 114 security 116 MySQL Users group 38
P
page templates 83 applying 83 creating custom templates 84 deleting PUBLIC templates 83 pages displaying Web page content 89 portal pages 83 passwords 4 performance tuning system performance 26 Performance Aggregate Table portlet 90 Performance Association portlet 90 Performance Dashboard portlet 90 Performance Diagram portlet 90 performance management portlets 90 Performance Table portlet 90 permission trees 50 permissions content permissions 34 for content access 53 group permission trees 50 information maps 23 OLAP cubes 23 restrictive permissions property 60 role permissions 36 setting for events 17 Xythos content folders 15 Planning Workflow alerts 87 port number 118 port numbers changing for managed servers 69 changing for SASManagedServer 69 changing for SASODCSServer 71 portal administration 81 accessing default portlets 91 assigning content administrator 82 creating default portal pages 83 customizing the portal 84 securing logs 91 Portal Admins group 82 portal customization 84 My Alerts portlets 87 My Favorites portlets 84 performance management portlets 90 URL display portlets 89
viewing reports 89 portal pages 83 creating default pages 83 page templates 83 portal security 91 portals troubleshooting errors in 152 portlets accessing default portlets 91 accessing Solutions Web Administration application from 100 My Alerts 87 My Favorites 84 Performance Dashboard 90 performance management portlets 90 Performance Table 90 SAS Strategic Management 90 searching for 84 URL display portlets 89 View a Report 89 ports default usage 143 selecting alternative port 71 presentation tier 2 production data loading 24 properties honoring application properties 96 PUBLIC group 38 PUBLIC templates deleting 83
Q
Query and Reporting service duplicating the deployment 129 importing to Foundation Services 129 quiescing the system 101
R
Read permission 54 recommendations and assumptions 3 registering users 48 remote services 94 installing a service for starting 94 service for starting 10 starting 94 starting for managed servers 64 troubleshooting 151 reports viewing 89 repositories 125 cubes and 126 information maps and 125 metadata repositories 113 required skills 4 restarting the system 102 restoring the system 21 restrictive permissions property 60 role-based user interface customization and authorization 2 role cache, clearing 105
N
n-tier architecture 2, 4 New Geographic Analysis task 85 New Organization Analysis task 85
roles 34 assignment 40 defining 35 enforcing permissions 36 for Excel reports 46 groups and 34 SAS Data Integration Studio 48 SAS Financial Management 43 SAS Human Capital Management 46 SAS Strategic Performance Management 42 solutions-wide 42 synchronizing users, groups, and roles 49 row-level security 31
S
sample data 8 loading 19 restoring the system 21 verifying with 19 SAS Administrator 37 SAS Content folder 53 SAS Data Integration Studio 139 groups 48 importing ETL transformations and jobs 17 loading ETL transformations and jobs 15 roles 48 setting permissions on events 17 setting up users 16 SAS Financial Management 2 roles 43 SAS Financial Management Add-In for Microsoft Excel 137 SAS Financial Management Studio 139 SAS Foundation Services 94 SAS General Server user 38 SAS/Graph maps installing 9 SAS Guest user securing access for 59 SAS Human Capital Management 2 non-English languages 10 roles 46 SAS Intelligence Platform groups created during installation 38 SAS Logging Service editing configuration 105 SAS Management Console 140 configuring applications with 96 securing content with 56 SAS Notes 27 SAS OLAP Viewer securing content 58 SAS Solutions Services 1 SAS Solutions Services Add-In for Microsoft Office 136 SAS Solutions Services Dimension Editor 139 SAS Stored Process Server changing authentication domain 153 SAS Stored Process user 39 SAS Strategic Management portlets 90 SAS Strategic Performance Management 2 roles 42 SAS Strategic Performance Management Migration Wizard 139 SAS Trusted User 37, 38
SAS Web OLAP Viewer 126 defining for Java services 126 deploying 127 merging files 126 testing 127 SAS Web Report Studio 133 deploying to Foundation domain server 128 Open SAS Web Report Studio task 85 query cache 11, 13 securing content 59 testing deployment 133 SAS Web Report Viewer 133 deploying to Foundation domain server 128 testing deployment 133 SASManagedServer 64 changing port number for 69 SASODCSServer 64 changing port number for 71 SASUSERS group 38 scorecards displaying data in tabular form 90 Manage Scorecard Projects task 85 New Scorecard Project task 85 scripts managed server startup scripts 65 status script 107 users script 109 searching for portlets 84 security 29 See also content security authorization See also server security auditing 32 authentication 29 authentication and user security 33 authorization 30 data-level 2 data transmissions 15 default shared folder security 54 default user folder security 55 J2EE server configuration 15 metadata security 30 MySQL 114, 116 removing default metadata identities 11 row-level 31 securing logs for portal security 91 server security and data transmission 31 settings for folders and files (UNIX) 13 settings for folders and files (Windows) 11 shared folder security 53, 57 system security 10 WebDAV installation 15 server clock synchronization 26 server security 31, 113 communications between other servers 114 data exchanges between server components 113 metadata repositories 113 session timeout values 74 setlocs.sas file 10 Shared Documents folder 53 shared folder security 53, 57 default 54 skill requirements 4 software installation 9 SAS Stored Process Server and 153 solutions 2 solutions administration utilities 96
Solutions Role Administrator 37 Solutions Users group 38 Solutions Users templates See page templates Solutions Web Administration forcing users to log off 103 logging priorities 105 sending e-mail to selected users 103 sending e-mail to system users 102 viewing user audit trails 103 Solutions Web Administration application 99 accessing directly 100 accessing from a portlet 100 Administration Console 99 logging levels 106 maintaining and monitoring applications 100 tools for working with users 102 solutions-wide groups 40 solutions-wide roles 42 SPAuth authentication domain 39 SPM data migrating 25 startup scripts managed servers 65 status of applications 101 status reports 101 status script 107 stored process reports 46 creating 60 stored process server authentication domain 39 synchronizing server clocks 26 synchronizing users, groups, and roles 49 system backup 19 system monitoring 26 system performance tuning 26 system security 10 system verification 19
T
tabular data displays 90 tasks 85 testing SAS Web OLAP Viewer 127 SAS Web Report Studio deployment 133 SAS Web Report Viewer deployment 133 themes configuring 75 load order for 68 moving to Apache Web server 75 winter theme 75 third-party servers 29 threads options for metadata server 9 tiered architecture 2, 4 timeout values 74 transformations importing ETL transformations 17 loading ETL transformations 15 Trash Can folder 53 troubleshooting general tips 151 portals 152 remote services 151
running client applications 154 WebLogic managed server 153 tuning system performance 26
U
uninstall scripts for Windows services 68 uninstalling client applications 141 UNIX security settings for folders and files 13 URL display portlets 89 URL links linking to My Favorites portlets 89 user audit trails 103 user folder security, default 55 user identities cached 37 user interface customization and authorization 2 User Opt-in alerts 87 user security authentication and 33 UserGroupValidation utility 22 users bulk loading 49 clear role cache 105 creating 21
default users 36 log on as batch job rights 21 registering 48 sending e-mail to 102, 103 setting up Data Integration Studio users 16 synchronizing users, groups, and roles 49 Users folder 53 users script 109 utilities for solutions administration 96
V
verifying the system 19 View a Report portlet 89 creating 89
W
Web applications as tasks 85 configuring 25, 74 deploying to Foundation managed server 131 deployment descriptors 74 session timeout values 74
Web browser 4 Web pages displaying content of 89 WebDAV 117 Apache port number 118 content folders on Xythos WebFile Server 118 securing installation 15 WebDAV server as content manager for BIP Tree 128 WebLogic managed server troubleshooting errors 153 WebLogic managed servers See managed servers WebSphere administration 71 Windows security settings for folders and files 11 Windows services install and uninstall scripts 68 installing 68 winter theme 75 Write permission 54
X
Xythos WebFile Server configuring content folders on 118 installation directory 4 modifying content folder permissions 15