SAS® Solutions Services 1.3

SAS Publishing
SAS Solutions Services 1.3
System Administration Guide Second Edition
The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2006. SAS Solutions Services 1.3: System Administration Guide, Second Edition. Cary, NC: SAS Institute Inc. SAS Solutions Services 1.3: System Administration Guide, Second Edition Copyright 2006, SAS Institute Inc., Cary, NC, USA All rights reserved. Produced in the United States of America. For a Web download or e-book: Your use of this publication shall be governed by the terms established by the vendor at the time you acquire this publication. U.S. Government Restricted Rights Notice. Use, duplication, or disclosure of this software and related documentation by the U.S. government is subject to the Agreement with SAS Institute and the restrictions set forth in FAR 52.227-19 Commercial Computer Software-Restricted Rights (June 1987). SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513. 1st printing, December 2006 SAS Publishing provides a complete selection of books and electronic products to help customers use SAS software to its fullest potential. For more information about our e-books, e-learning products, CDs, and hard-copy books, visit the SAS Publishing Web site at support.sas.com/pubs or call 1-800-727-3228. SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. indicates USA registration. Other brand and product names are registered trademarks or trademarks of their respective companies.
Contents
Chapter 1
Overview of SAS Solutions Services Architecture 2 Assumptions and Recommendations Required Skills 4 Documentation Conventions 4
4 Understanding SAS Solutions Services

1 3
Chapter 2 Solutions
4 Planning, Installing, and Conguring SAS Solutions Services and the

7
Overview of Conguration 8 Plan the Installation 8 Install the Software 9 Set Application Properties 10 Make Localization Changes, If Necessary 10 Secure Your System 10 Load Transformations and Jobs 15 Back Up the System 19 Verify Using Sample Data (Optional) 19 Create the Sites Users and Groups 21 Congure Content 22 Load Production Data 24 Install the SAS Strategic Performance Management Migration Wizard (Optional) Load Client Applications 25 Congure the J2EE Application Server and Web Applications 25 Maintain the System 26 Check SAS Notes for Additional Information 27
25
Chapter 3
About Security 29 Authentication 29 Authorization 30 Server Security and Data Transmission Auditing 32
4 Planning the Sites Security
29
31
Chapter 4
Overview of Authentication and User Security 33 Default Users and Groups 36 Determining Group and Role Assignments 40 Registering Users 48 Synchronizing Users, Groups, and Roles 49
4 Authentication and User Security
33
Chapter 5
4 Content Administration
51
iv
What Is Content? 51 Organizing Content 52 About Security Authorization for Content 53 Dening Security Authorization for Content 55 Creating Site Content 60
Chapter 6
BEA WebLogic Administration 64 IBM WebSphere Administration 71 Conguring the Web Applications 74 Conguring Themes 75 Using ODCS Clustering to Reduce Wait Time
4 J2EE Server Administration
63
76
Chapter 7
About Portal Administration 81 Assigning a Content Administrator 81 Creating Default Portal Pages 83 Customizing the Portal 84 Accessing the Default Portlets of the SAS Information Delivery Portal Securing Logs to Enhance Portal Security 91
4 Portal Administration
81
91
Chapter 8
Administering the Remote Services 94 About Solutions Administration 96 Conguring Applications Using the SAS Management Console Using the Solutions Web Administration Application 99 Conguring Log Files 105 Using Command-Line Diagnostic Tools 106
4 Application Administration
93
96
Chapter 9
About Server Security 113 Basic Protections 113 Securing Data Exchanges between Server Components Secure Sockets Layer (SSL) 114
4 Server Security and Encryption 4 MySQL Server Administration
113
113
Chapter 10
115
MySQL Overview 115 MySQL Installation and Conguration (Windows) 115 MySQL Installation and Conguration (UNIX) 116 Backing Up MySQL Databases 116 MySQL Security Issues 116
Chapter 11
About WebDAV 117 Conguring Content Folder Permissions on the Xythos WebFile Server Changing the Apache Port Number 118 More Information 120
4 WebDAV Server Administration
117
117
Chapter 12
Overview 121 Metadata Repositories Databases 122
4 Conguration Files
121
121
The Lev1\Data Folder 122 The Lev1\SASMain\SASSolutionsServices Folder
122
Chapter 13
Overview 125 A Note about Repositories
4 Deploying SAS Web OLAP Viewer and SAS Web Report Studio
125 128
125
SAS Web OLAP Viewer for Java 126 SAS Web Report Studio and SAS Web Report Viewer
Chapter 14
Client Setup 135 Client Applications 136 Java Runtime Environment
4 Client Installation and Conguration

140
135
Conguring Logging for ETL Jobs 140 Uninstalling the Client Applications 141
Appendix 1
Port Usage
4 Default Port Usage

143
143
Appendix 2
Overview of Log Files 147 Log Files on the Middle Tier
4 Log Files
147
147 149
Log Files on the Data Tier 148 Log Files for Client Applications
Appendix 3
General Troubleshooting Tips Errors in the SASV9.CFG File Errors in the Portal 152
4 Troubleshooting
151
151 151
BEA WebLogic Errors 153 IBM WebSphere Errors and Warnings MySQL Errors 154 Errors Running Client Applications
154 154
Index
157
vi
CHAPTER
1
Understanding SAS Solutions Services
Overview of SAS Solutions Services 1 Architecture 2 Assumptions and Recommendations 3 Required Skills 4 Documentation Conventions 4
Overview of SAS Solutions Services

SAS Solutions Services is a set of services that provide common functionality and a framework for specic solutions. SAS Solutions Services builds upon the SAS 9 Intelligence architecture and includes the following areas of functionality: 3 Document management allows users to create, organize and secure documents of disparate types based upon their own folder structures. Document Manager, a Web application, supports management and viewing of the documents. Document Manager also allows customization of the menus for each document type, based upon user roles. A My Favorites portlet provides shortcuts to the folders or the documents themselves, and documents can also be viewed within a portlet. 3 Collaboration enables the user to collaborate on objects surfaced by the applications or portlets. Comment Manager, a Web application, provides a standard interaction user interface for all types of objects. 3 Measure and metric management provides a means for creating and managing measures used by key performance indicators or SAS Strategic Performance Management (SPM) Elements. A Web application, Measure Manager, allows the user to interactively manage measures. An ETL process is provided to create measures and metrics. Standard measures are shipped as part of SAS Solutions Services. Metric export is also available from the SAS Financial Management Add-In for Microsoft Excel. 3 Key performance indicator (KPI) management enables the user to create and manage KPIs for various levels within an organization. Based upon security authorization, a user can create, manage, and modify KPI projects and scorecards. A Web application, KPI Viewer, allows the user to view the scorecards. The Dashboard portlet allows the user to put KPIs on a dashboard. 3 Alerts provide the ability to alert the users to when specic events happen. Various types of alerts are supported. Applications have the ability to participate in alerts based upon the events of the application. An Alerts portlet displays alerts to a user logged in to the Information Delivery Portal. Alerts can also be sent via e-mail. 3 Directives direct the user to another application or action. Directives can be used by an application to provide links between applications. The My Favorites portlet is based upon directives.
Architecture
Chapter 1
3 Dimension Management provides the ability to create, manage, and add values to
dimensions and hierarchies. A Java client application, Dimension Editor, allows the user to interactively create and modify the dimensions. 3 Microsoft Ofce integration provides the ability to integrate documents from SAS Solutions Services within the Microsoft Ofce suite of applications. There is a common SAS Solutions Services Add-In for Microsoft Ofce that can be extended by solutions that want to add their document types. 3 Data-level security allows application objects that are represented by data in the Solutions Data Mart to be secured using an object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies).
3 Role-based user interface customization and authorization provide a means of

customizing the user interface based on the roles a user is associated with (for example, administrator or analyst). A role determines which actions a user can take by limiting the menu options available in the user interface. 3 Application conguration provides the ability to congure SAS Solutions Services and the solutions. Conguration is administered via a SAS Management Console plug-in. 3 Administration enables Web-based monitoring of users and administration of SAS Solutions Services and other solutions. The following products use SAS Solutions Services 1.3: 3 SAS Financial Management 4.3 3 SAS Strategic Performance Management 2.3 3 SAS Human Capital Management 4.3 Within this book, these products are referred to as solutions.
Architecture
The diagram in Figure 1.1 on page 3 gives an overview of the n-tier architecture of SAS Solutions Services and the solutions. The presentation tier includes Web browser-based clients, add-ins to Microsoft Ofce applications, and Java desktop applications such as Dimension Editor. On the middle tier, SAS applications are deployed to a J2EE application server, usually as either Web Archive (WAR) les (such as the SAS Information Delivery Portal) or Enterprise Archive (EAR) les. SAS Solutions Services is deployed in this middle tier, along with specic domain solutions applications, such as SAS Strategic Performance Management or SAS Financial Management. The SAS Foundation Services (running in a separate Java Virtual Machine) are extended to support SAS Solutions Services and are also deployed in this tier. The data and compute tier typically hosts the SAS application servers, the SAS Metadata Server, the MySQL server, and the WebDAV repository. However, these components might reside on multiple physical machines.
Assumptions and Recommendations
Figure 1.1 SAS Solutions Services Tiered Architecture
SAS Data Integration Studio
Assumptions and Recommendations

This book is written for system administrators and consultants and contains instructions for initial system administration and maintenance of the system. SAS Solutions Services: Data Administration Guide is a companion document. It is available at http://support.sas.com/documentation/solutions/admin/index.html. The book makes the following assumptions and recommendations: 3 Microsoft Windows: 3 The fully qualied host name will be used. Note: In this book, instructions that reference Windows are oriented toward the Microsoft Windows 2000 Server operating environment. There might be differences between Microsoft Windows 2000 and Microsoft Windows XP for some tasks. 4 3 You have enabled the viewing of hidden les and folders. To enable these views, complete the following steps: 1 In a Microsoft Windows Explorer window, select Tools I Folder Options.
Required Skills
Chapter 1
2 Select the View tab. 3 Under Advanced Settings, select Show hidden files and folders.
3 This guide lists the default password values for accounts that are created during
the installation process. You might have chosen different passwords during your installation.
3 SAS Solutions Services uses the SAS Intelligence n-tier architecture, as described
in the SAS Intelligence Platform: System Administration Guide (available at
http://support.sas.com/documentation/configuration/913admin.html).
This architecture enables software components that are installed on a single machine or on multiple physical machines (servers). While this guide refers to different tiers within the documentation, it is assumed that you understand how to determine the appropriate n-tier structure for your installation and conguration.
3 Microsoft Internet Explorer 6.0 or greater is required for use as your Web browser.
Required Skills
To administer the solutions software, you must be familiar with the operating system on which it is installed. For example, you must know how to create folders, run scripts (.bat les or .sh les), and update environment variables. On Microsoft Windows, you must be an administrator of the machine.
Documentation Conventions
This book uses the following documentation conventions to identify paths in the solutions conguration:
Table 1.1
Path SAS-install-dir
Refers to path to the SAS installation directory
Examples Windows: C:\Program Files\SAS UNIX: /usr/local/SAS
SAS-cong-dir
path to the conguration directory
Windows: C:\SAS\SASSolutionsConfig UNIX: /usr/local/SAS/ SASSolutionsConfig
BEA-home-dir
path to the BEA WebLogic home directory
Windows: C:\bea UNIX: n.a.
WebSphere-install-dir
path to the IBM WebSphere installation directory
UNIX: /usr/local/WebSphere Windows: n.a.
Documentation Conventions
Path MySQL-install-dir
Refers to path to the MySQL installation directory
Examples Windows: C:\mysql UNIX: /usr/local/mysql
Apache-install-dir
path to the Apache installation directory
Windows: C:\Program Files\Apache Group\Apache2 UNIX: /usr/local/IBMIHS
Xythos-install-dir
path to the Xythos WebFile Server installation directory
Windows: C:\Xythos UNIX: /usr/local/SAS/xythos
File system pathnames are typically shown with Windows separators (\); for UNIX, substitute a forward slash (/).
CHAPTER
Planning, Installing, and Conguring SAS Solutions Services and the Solutions
Overview of Conguration 8 Plan the Installation 8 Install the Software 9 Installation Overview 9 Install SAS/GRAPH Maps (Optional) 9 Change Threading Options for SAS Metadata Server (Optional) 9 Congure the SAS Servers for Alternative Authentication Mechanisms (Optional) Set Application Properties 10 Make Localization Changes, If Necessary 10 Secure Your System 10 About Securing Your System 10 Remove Unnecessary Default Metadata Identities 11 Congure Security Settings for Folders and Files (Windows) 11 Protect System Conguration Folders 11 Protect Additional Folders and Files 12 Congure Security Settings for Folders and Files (UNIX) 13 Default Settings 13 Additional Settings 13 Secure the J2EE Server Conguration 15 Secure Your WebDAV Installation 15 Secure Data Transmissions (Optional) 15 Load Transformations and Jobs 15 Apply Hot Fixes 15 Set Up a SAS Data Integration Studio User 16 Dene a Batch Job Deployment Directory (Optional) 16 Import Transformations, Jobs, and Error and Exception Table Metadata 17 Restrict the Events That Data Administrators See (Optional) 17 Back Up the System 19 Verify Using Sample Data (Optional) 19 Load Sample Data 19 Verify the System 20 Restore the System 21 Create the Sites Users and Groups 21 Overview 21 Grant Log on as a batch job Rights to Users (Windows) 21 Create Metadata Identities 22 Run the UserGroupValidation Utility 22 Congure Content 22 Overview 22 Assign a Content Administrator 22 Create Content Folder Structure for the Site 22
Overview of Conguration
Chapter 2
Modify Permissions for Information Maps 23 Modify Permissions for OLAP Cubes 23 Create Content for the Site 24 Set Permissions to Refresh Stored Process Reports 24 Congure the Information Delivery Portal for the Site 24 Load Production Data 24 Install the SAS Strategic Performance Management Migration Wizard (Optional) Load Client Applications 25 Congure the J2EE Application Server and Web Applications 25 Maintain the System 26 Synchronize the Server Clocks 26 Restart Servers 26 Tune System Performance 26 Monitor and Maintain Your System 26 Check SAS Notes for Additional Information 27
25
Overview of Conguration
SAS Solutions Services, and the solutions that use SAS Solutions Services, are built on the SAS 9 Intelligence Architecture. The SAS Intelligence Platform: Installation Guide describes several planning steps that can occur prior to the physical installation and conguration of the software. As a system administrator or consultant, you should be familiar with those planning steps as well as the steps outlined in this guide. Because solutions are geared towards specic user communities, the solutions can provide information for some of these planning areas. Following are the steps that are used during installation and conguration. Note that the initial installation and conguration of solutions includes a set of installation verication data that you can use to verify the installation. This data is also called sample data, because it can be used to demonstrate the software. Before a production warehouse can be loaded, the installation verication data must be removed. For information about the les that are installed with SAS Solutions Services and the solutions, see Chapter 12, Conguration Files, on page 121. For more information about the solutions, see the online Help and users guides, as well as the SAS Solutions Services: Data Administration Guide (available at http:// support.sas.com/documentation/solutions/admin). For more information about the SAS Intelligence Platform, see the following references: 3 SAS Intelligence Platform: Installation Guide 3 SAS Intelligence Platform: System Administration Guide 3 SAS Intelligence Platform: Security Administration Guide
3 SAS Intelligence Platform: Application Server Administration Guide 3 SAS Intelligence Platform: Web Application Administration Guide
These books are available at http://support.sas.com/documentation/ configuration/913admin.html.
Plan the Installation

In addition to the planning steps outlined in the SAS Intelligence Platform: Installation Guide, follow these steps in planning your installation.
Planning, Installing, and Conguring
Congure the SAS Servers for Alternative Authentication Mechanisms (Optional)
1 Determine the set of users that are necessary to run SAS Solutions Services and
the solutions.
2 Decide on the authentication method(s) to be used
For more information, see Chapter 4, Authentication and User Security, on page 33.
Install the Software
Installation Overview
1 Using SAS Software Navigator, install and congure the SAS Intelligence
Platform, as well as SAS Solutions Services and any licensed solutions.

2 Follow the instructions that were generated by the SAS Conguration Wizard, as
well as the installation guide for SAS Financial Management, SAS Strategic Performance Management, and SAS Human Capital Management.
3 Follow the procedures described in the remainder of this chapter.
Install SAS/GRAPH Maps (Optional)

The SAS/GRAPH map data sets are not installed by default. If you want to install them, either as part of your regular installation or afterwards, follow these steps:
1 On the Select Components screen of the SAS 9.1 Foundation install, expand the
listing under SAS 9.1.

2 Scroll down and select SAS/Graph Map Data Sets.
To install selected maps, expand SAS/Graph Map Data Sets and select only the locations needed.
Change Threading Options for SAS Metadata Server (Optional)

After installation and conguration, the maximum number of threads for the SAS Metadata Server has been set to a value that represents the number of processors on the machine hosting the metadata server. To maximize performance, you might need to change the threading options. These options are described in Optimizing the Performance of the SAS Metadata Server in the SAS Intelligence Platform: System Administration Guide, available at http://support.sas.com/documentation/ configuration/913admin.html.
Congure the SAS Servers for Alternative Authentication Mechanisms (Optional)

If you use an authentication mechanism other than host authentication, see Understanding Authentication and Customizing the Authentication Conguration in the SAS Intelligence Platform: Security Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html). This guide contains an overview of user authentication, as well as information about modications
10
Set Application Properties
Chapter 2
you must make to the server conguration (.cfg) les to support authentication mechanisms such as LDAP or Active Directory.
Set Application Properties

After installation and conguration, you might need to make these changes:
3 Set e-mail addresses for administrators.

If you did not already do so during the installation process, set the mail host and the e-mail addresses for administrative and error messages. This task is performed by using the Conguration Manager plug-in of the SAS Management Console. For instructions, see Modify E-Mail Settings on page 97.
3 Optionally, install a service to start the remote services.

See Install a Service to Start the Remote Services on page 94.
Make Localization Changes, If Necessary

If you installed SAS Human Capital Management in a language other than English, you must modify the setlocs.sas le as follows:
1 In the SAS Management Console, locate the text for the OLAP schema, as follows:
a b c d
In the HR repository, navigate to Server Manager. Right-click HR-OLAP and select Properties. Click the Olap Schema tab. Make a copy of the text that is displayed there. In English, this text is HR-OLAP - OLAP Schema, but you will see a translated string.
2 Change directory as follows:
Windows: !SASROOT\hrds\sasmacro UNIX: !SASROOT\sasautos 3 Open the setlocs.sas le for editing.

4 Locate this line:
%let HRSchema=HR-OLAP - OLAP Schema;
5 Replace the text to the right of the equal sign with the translated text from the
SAS Management Console.

6 Save the le.
Secure Your System

About Securing Your System
After you have veried that your system is functioning correctly, you need to take additional steps to secure it, including (but not necessarily limited to) the tasks that are described in this section. In addition to setting metadata access controls, you must protect the physical server(s) that make up the data-tier level (in other words, the servers where your MySQL database is located and where your SAS application servers are running). You
Congure Security Settings for Folders and Files (Windows)
11
also should protect the physical server(s) that make up the middle-tier level, where your J2EE server is running. In addition to the MySQL database, les on these servers might contain vital information such as encoded passwords.
Remove Unnecessary Default Metadata Identities

You should remove default metadata identities that are no longer needed. For security, you should remove the Solutions Installer from production environments after the installation and conguration are complete. (You might need to re-create this user identity if you need to install upgrades or hot xes later.) You can also remove the SAS Demo User identity from production environments. For more information about the default metadata identities, see Table 4.1 on page 36 and Table 4.2 on page 37.
Protect System Conguration Folders

By default, the conguration directory folders on a Windows machine do not have any special protections. It is important to secure some of these folders because they can contain information such as repository data sets and encoded passwords. The following table summarizes the recommended protections. It assumes that your SAS servers and spawners run as services under the Local System account, which is the recommended conguration.
Table 2.1 Recommended Operating System Protections on Windows
Folders* MetadataServer, OLAPServer[_domain], ObjectSpawner Permissions Grant Full Control to SYSTEM and Administrators, and remove all other users and groups. Grant Full Control to SYSTEM, and grant Read permission to all SAS server users. If you enable logging for the workspace server and you use this default location for the logs, then all users of the workspace server should be granted Modify permission for this subdirectory. Grant Full Control to SYSTEM, grant Full Control to SAS General Server User (sassrv), and remove all other users and groups.
BatchServer, SASEnvironment, Users, Utilities, WorkspaceServer WorkspaceServer\logs
StoredProcessServer, StoredProcessServer\logs
12
Chapter 2
Folders* SASEnvironment\SASCode\Jobs SASSolutionsServices\SASCode\Jobs SASSolutionsServices\SASCode\ETLMetadata SASSolutionsServices\SASFormats SASFinancialManagement\SASCode\Jobs
Permissions Grant Modify permission to all SAS server users.
SASFinancialManagement\SASCode\ETLMetadata SASHumanCapitalManagement\SASCode\Jobs SASStrategicPerformanceManagement\SASCode\Jobs query cache library for SAS Web Report Studio** Grant all SAS Web Report Studio users read, write, and execute permissions for the directory that holds the cache. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.
* By default, these folders are located under SAS-Config-Dir\Lev1\SASMain\. To learn more about the conguration directory structure, see Chapter 12, Conguration Files, on page 121. ** During installation and conguration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specied for the puddle login denitions in your pool. To use the query cache, make sure each puddle login denition has access permissions (read and write) for the query cache library. If you have not congured pooling, then each requesting users individual (or shared) account will need read and write permissions for the library in order to access the tables. In either case, the SAS Web Administrator (saswbadm) should be granted full permissions for the cache directory, so that les can be deleted automatically and the cache will not become too large. For more information, see SAS Web Report Studio Administration in the SAS Intelligence Platform: Web Application Administration Guide.
For additional information, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide. This chapter describes setting folder permissions, securing your metadata repositories, encryption, and related topics. If you installed SAS Web Report Studio, see SAS Web Report Studio Administration in the SAS Intelligence Platform: Web Application Administration Guide. This chapter includes information about securing the folders that are used by SAS Web Report Studio, including folders that hold temporary les. Both books can be found at http://support.sas.com/documentation/ configuration/913admin.html.
Protect Additional Folders and Files

In addition to securing the folders mentioned above, secure the following folders and les:
Congure Security Settings for Folders and Files (UNIX)
13
Table 2.2 Additional Recommended Operating System Protections

Folders !SASROOT\nls\en\sasv9.cfg SAS-config-dir\Lev1\Data and its subdirectories Permissions Grant Read and Execute permission to the SAS Server Users group. Grant Full Control to SAS General Server User (sassrv) and to SAS Administrator (sasadm). Grant Read/Write/Create permission to users who will run ETL or SAS jobs to update data in the warehouse. This includes the user that is specied in the jdbcconnection-userid of the web.xml le for sas.solutions.common.war. MySQL-Install-Dir Grant Full Control to MySQL-Install-Dir only to SYSTEM and Administrators. Grant Read and Execute permission to everyone.
MySQL-Install-Dir\bin

Default Settings
For UNIX systems, the following table lists the default permissions for the directories, les, and scripts that are created in a planned installation. All les reside in the SAS-config-dir directory.
Table 2.3 Default Directory Permissions for UNIX
Directories/Files/Scripts Server-specic directories, les, and scripts, except for the StoredProcessServer directory Lev1/SASMain/ StoredProcessServer Lev1/SASMain/Data The sas user ID Read, write, execute Read, write, execute Read, write, execute Read, write, execute Read, write, execute The sas User Group No access All Users No access
Read, write, execute Read, write, execute Read, execute Read, execute
No access Read, write, execute Read, execute Read, execute
All other Lev1 directories and les All other Lev1 scripts
Additional Settings
After installation, change directory to SAS-config-dir and set the following additional permissions: Note: The -R ag is used to set permissions recursively.
14
Chapter 2
Table 2.4 Additional Directory Permissions for UNIX

Directories/Files/Scripts Lev1/Data Permissions permit full access for the sas user ID and the sas user group: chmod -R 775 Lev1/Data permit full access for the sas user ID and the sas user group: chmod 775 Lev1/SASMain permit full access for the sas user ID and the sas user group. For example: chmod -R 775 Lev1/SASMain/ SASSolutionsServices/SASCode/Jobs
Lev1/SASMain
Depending on the solutions that you have installed: Lev1/SASMain/SASSolutionsServices/ SASCode/Jobs Lev1/SASMain/SASSolutionsServices/ SASCode/ETLMetadata Lev1/SASMain/SASSolutionsServices/ SASFormats Lev1/SASMain/SASFinancialManagement/ SASCode/Jobs Lev1/SASMain/SASFinancialManagement/ SASCode/ETLMetadata Lev1/SASMain/ SASStrategicPerformanceManagement/ SASCode/Jobs Lev1/SASMain/ SASHumanCapitalManagement/SASCode/ Jobs user-dened stored processes
If you have created any directories to hold stored processes that are created by users, set those directories permissions to allow full access for the sas user ID and the sas user group. For example: chmod -R 770 Lev1/SASMain/ SASSolutionsServices/SASCode/ UserDefined
query cache library for SAS Web Report Studio*
Grant all SAS Web Report Studio users read and write permission for the query cache, unless workspace server pooling is enabled. Grant the SAS Web Administrator (saswbadm) full control of the cache directory.
* During installation and conguration of SAS Web Report Studio, a query cache library is created at SAS-config-dir/Lev1/SASMain/Data/wrstemp. By default, all users have read and write permissions on this library. If you set up workspace server pooling, then you can implement tighter security and grant full permissions only to the user IDs that you specied for the puddle login denitions in your pool. To use the query cache, make sure each puddle login denition has access permissions (read and write) for the query cache library. If you have not congured pooling, then each requesting users individual (or shared) account will need read and write permissions for the library in order to access the tables. If workspace server pooling has not been congured, then the query cache is not automatically cleared. You might want to clear these les on a regular basis so that the cache will not grow too large. In either case,
Apply Hot Fixes
15
the SAS Web Administrator (saswbadm) should be granted full permissions for the directory. For more information, see "SAS Web Report Studio Administration" in the SAS Intelligence Platform: Web Application Administration Guide.
If you want multiple users to be able to update the same data sets that are created by SAS Data Integration Studio, you might want to set the default umask that is applied to the data sets when they are created. For more information, see Administering SAS Data Integration Studio in SAS Intelligence Platform: Desktop Application Administration Guide (available at http://support.sas.com/ documentation/configuration/913admin.html).
Secure the J2EE Server Conguration

1 Secure the J2EE server conguration and log les. 2 The installation process congures WebLogic to use the sas.weblogic.policy le. If
you applied the sas.allpermissions.weblogic.policy le during the initial testing, you should reapply the sas.weblogic.policy le. For more information, see the instructions.html le that was generated by the SAS Conguration Wizard. That le is located in SAS-config-dir\SASSolutionsConfig. 3 For information about the lter policy le and security conguration for WebSphere, see the instructions.html le that was generated by the SAS Conguration Wizard.
Secure Your WebDAV Installation

If you are using Xythos as your WebDAV server, the conguration process requires that all Users with Accounts have full permissions for Xythos content folders. After the conguration is complete, deny those permissions and add permissions for the SAS Trusted User. Follow the instructions in Conguring Content Folder Permissions on the Xythos WebFile Server on page 117 to secure the Xythos content folders for running the solutions. For more information about WebDAV, see Chapter 11, WebDAV Server Administration, on page 117.
Secure Data Transmissions (Optional)

For information about using encryption to protect data transmissions, see Securing Data Exchanges between Server Components on page 113.
Load Transformations and Jobs

As part of conguring your system, you must use SAS Data Integration Studio to load transformations, jobs, and error and exception table metadata that are required by the solutions.
Apply Hot Fixes

Before opening SAS Data Integration Studio, download and apply necessary hot xes by following these steps:
16
Set Up a SAS Data Integration Studio User
Chapter 2
1 Point your browser to http://ftp.sas.com/techsup/download/hotfix/
dis34.html.
2 Download and install Hot Fix 34DATABLDR02. 3 Log on to the SAS Management Console as an administrator. 4 Select Tools
I Update Metadata for SAS Data Integration Studio.
Set Up a SAS Data Integration Studio User

Set up at least one SAS Data Integration Studio user for the solutions, as follows: 1 If necessary, create a user ID and password on the host system on which the jobs are being submitted. On Windows, SAS Data Integration Studio users must have the Log on as a batch job right. For more information, see Grant Log on as a batch job Rights to Users (Windows) on page 21. 2 In the folders security properties, grant Read/Write/Create permission to the user for the directory where the data warehouse resides (that is, SAS-config-dir\Lev1\Data and its subdirectories). 3 In the SAS Management Console, create the user (if necessary), and add the user to the following groups and roles: 3 Solutions Users group 3 MYSQL Users group 3 Data Administrator role Note: The user ID that is used to log on to SAS Data Integration Studio must not be the unrestricted user (sasadm). If you log on as the unrestricted user, then you will not be able to attach the libraries that are necessary to run SAS Data Integration Studio. 4 You will dene additional SAS Data Integration Studio users later; see Assign SAS Data Integration Studio Groups and Roles on page 48.
Dene a Batch Job Deployment Directory (Optional)

In SAS Data Integration Studio, when you deploy a job for scheduling, you must select a directory to hold the generated code. Your directory choices are set in the SAS Management Console, in the Schedule Manager. To dene a batch job deployment directory: 1 Log on to the SAS Management Console as the administrative user (sasadm). 2 Right-click Schedule Manager and select Deployment Directories. 3 From the Application Server drop-down list, select the application server that will be used to deploy jobs. 4 Click New. 5 In the New Directories dialog, specify a name for the directory, and either type a directory name or click Browse to select a directory. For SAS Human Capital Management, we recommend that you create a subdirectory in the
SAS-config-dir\Lev1\SASMain\SASHumanCapitalManagement\SASCode directory (such as SASCode\ScheduledJobs). Grant it the same le permissions as the SASCode\Jobs directory. For more information about le permissions, see
Secure Your System on page 10. 6 Click OK.
Restrict the Events That Data Administrators See (Optional)
17
Import Transformations, Jobs, and Error and Exception Table Metadata

SAS Solutions Services is shipped with a comprehensive set of transformations and jobs that provide a framework for extracting, transforming, and loading enterprise data, as well as error and exception table metadata. You must import the following:
3 Detail Data Store repository error and exception table metadata

These are imported in a single SAS package le (DDS Error Tables.spk). 3 Detail Data Store repository transformations and jobs
3 Solutions repository transformations and jobs

These transformations and jobs are imported in a single SAS package (Solutions_DIS_Jobs.spk). 3 If you installed SAS Financial Management: Finance repository transformations and jobs As with the Solutions repository, these transformations and jobs are imported in a single SAS package (Finance_DIS_Jobs.spk). 3 If you installed SAS Human Capital Management: HR repository transformations and jobs 3 If you are migrating data from SAS Strategic Performance Management 1.4, or if you want to be able to load numeric values into the SAS Strategic Performance Management database: Performance Management repository transformations and jobs For instructions, see the SAS Solutions Services: Data Administration Guide (http:/
/support.sas.com/documentation/solutions/admin).

You can set permissions on events so that Data Administrators see only
DataChanged events. In SAS Data Integration Studio, Data Administrators see a list of
events that can be sent to the portal. The only event that is appropriate in this context is the DataChanged event. Consequently, you want to deny Data Administrators permission to see all other events. To set metadata permissions on events, follow these steps: 1 Log on to the SAS Management Console.
2 Expand Foundation Services Manager
Broker Service.
I Remote Services I Event I Event
You should see a list of all available events, similar to the image below:
18
Chapter 2
3 For all events except SAS.Solutions.Data.DataChanged, perform the following
steps:
a Right-click the event name and select Properties. b Click the Authorization tab. c Click the Add button, and add the Data Administrator role to Selected
Identities.
d Click OK. e Deny all permissions to the Data Administrator. Ensure that the background
for each of the check boxes is white, as shown in the image that follows. (If the check box has a non-white background, click the box again to clear the background.) This last step ensures that the permission is set directly on the item and that any future changes to its inherited permission set do not affect it.
Load Sample Data
19
Back Up the System

Back up the server content. This backup (referred to as the Default Backup) contains the content of the system prior to any load of data. It can be used to restore the system to its default state (before any data was loaded). As part of good system administration practice, it is suggested that you make a complete backup of each machine in the conguration before proceeding. For information about backing up and restoring the server content, see the documentation for the Backup, Restoration, and Migration tool.
Verify Using Sample Data (Optional)

Sample data is provided to help you verify the correct operation of the system and to demonstrate system functionality. Follow these steps to verify the installation, or skip to Create the Sites Users and Groups on page 21.
Load Sample Data

1 Back up the server content if the Default Backup was not created.
For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2 Log on to the middle-tier server and load the sample data to be used for
installation verication:
20
Verify the System
Chapter 2
a At a command prompt, change directory to SAS-config-
dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
b If this is a multi-machine conguration, start the Ant server. On Windows,
use this command:

StartAntServer.bat
On UNIX, use this command:

./StartAntServer.sh c Run the command to load the SAS Solutions Services sample data. On
Windows:
SolutionsLoadSampleData.bat
On UNIX:
./SolutionsLoadSampleData.sh d If you have installed SAS Human Capital Management, you can also load the
HCM sample data.

i
To load the sample data on Windows, run this command:

HCMLoadSampleData.bat
On UNIX:
./HCMLoadSampleData.sh ii After loading the sample data, re-create the HCM cubes and information
maps. For more information, see the SAS Solutions Services: Data Administration Guide.
3 Create any sample users and groups necessary for demonstration and verication
purposes.
4 Synchronize users and groups by following these steps:
a Log on to the portal as a member of the Administrators group. b Open the Document Manager and click the Browse tab. c From the Repository drop-down list, select Solutions.
To support different content types and dependencies, the Browse page displays documents and folders for one repository at a time. Your repository selection is remembered and applied the next time you open the Document Manager. d Navigate to SAS Content I Data Management I Solutions Data Mart. beside the Import Users and Groups stored process e Click the action menu and select Refresh.
5 Create any document folders necessary for demonstration and verication
purposes.
6 Optionally, administer data-level security on the installation verication data for
demonstration and verication purposes. For instructions, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).
Verify the System

After you load the sample data, verify the operation of the system. The following steps are an example of verication:
Grant Log on as a batch job Rights to Users (Windows)
21
1 Run the MailValidation utility to check that the e-mail interface was set up
correctly. For details, see Validate the E-Mail Interface on page 111.
2 Log on to the portal as sasdemo. 3 Add an instance of each portlet. 4 In the My Favorites portlet, add the Manage Documents task. 5 Select Manage Documents and import a document to the SAS Demo User folder. 6 Add a comment to the document.
Restore the System

When the installation has been veried, the system needs to be restored to its default state (before the sample data was loaded). For instructions, see the documentation for the Backup, Restoration, and Migration tool.
Create the Sites Users and Groups

Overview
After you verify the installation and operation of the solutions, you can create and load production information. To load the production users, perform the tasks described in this section. You can use the SAS Management Console, or you can use the bulk-load process as described in Bulk Loading Users and Groups on page 49. As you expand the set of users and groups, you can repeat these tasks.
Grant Log on as a batch job Rights to Users (Windows)

If you are using host authentication on Windows systems, then all users must have the local Log on as a batch job right on machines that host SAS servers, including the SAS Metadata Server, workspace servers, the SAS Stored Process Server, the SAS OLAP Server, the SAS/CONNECT server, and the SAS/SHARE server. Note: There is an exception: machines hosting pooled workspace servers (and no other SAS servers) do not need this right to be assigned. 4 The recommended way to grant this right is as follows:
1 Create a SAS Server Users group and add your users to that group.
Be sure to include the SAS General Server User (sassrv). Note: This is an operating-system group, not a SAS metadata identity. It can be created as a network (global) group, or it can be created as a local group on each server machine.
2 On each server machine, assign the Log on as a batch job right to the SAS
Server Users group. These rights must be assigned locally. For more information about assigning local policy rights, see your computers online help.
22
Create Metadata Identities
Chapter 2
Create Metadata Identities

Register users at the site and assign them to groups and roles. For instructions, see Determining Group and Role Assignments on page 40 and Registering Users on page 48. After you have registered the users, log on to the portal as an administrator and run Import Users and Groups to synchronize users, groups, and roles. For details, see Synchronizing Users, Groups, and Roles on page 49. Note: The stored process server is congured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with his own login or via a group login. For more information, see Default Groups on page 38. 4
Run the UserGroupValidation Utility

The UserGroupValidation utility checks to make sure that all users belong to the Solutions Users group or to a subgroup, as required for logging on to the portal. For details, see Validate Group Assignments on page 109.
Congure Content
Overview
In terms of SAS Solutions Services, content is dened as any document, stored process, or viewable object. SAS Solutions Services provides a Web application, called the Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Managers tree view can also be shown in portlets. Content conguration tasks include creating the sites content folder structure in the Document Manager, creating stored process reports, and conguring the Information Delivery Portal.
Assign a Content Administrator

It is recommended that you assign a user to administer portal content. This could be the user who is the system administrator for the site. You can assign a single user to administer all portal content, or you can assign different content administrators for different groups. These user identities must have logins that can be authenticated on the metadata server host. For instructions about assigning a content administrator, see Assigning a Content Administrator on page 81.
Create Content Folder Structure for the Site

In the Document Manager, create a set of shared folders that correspond to the group hierarchy you created for the sites users. Assign security to these folders. For instructions, see these topics:
Modify Permissions for OLAP Cubes
23
3 Organizing Content on page 52 3 About Security Authorization for Content on page 53 3 Dening Security Authorization for Content on page 55
Modify Permissions for Information Maps

If you have installed SAS Web Report Studio or SAS Web OLAP Viewer, you must modify the permissions for accessing information maps. For each repository that will be used to hold information maps:
1 Log on to the SAS Management Console as an administrator. 2 Open the repository that you want to modify. 3 In the navigation tree, select the folder that will hold information maps.
If you have installed SAS Web Report Studio, the typical location for its maps is BI Manager I BIP Tree I Report Studio I Maps. Note: The rst time that a user opens SAS Web Report Studio, the ReportStudio folder structure is created for that domain in the metadata repository and in the external content server (WebDAV).
4 Right-click the Maps folder and select Properties. 5 Click the Authorization tab. 6 Grant Solutions Users these permissions: Read and ReadMetadata.
You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directlythat is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white.
Modify Permissions for OLAP Cubes

In order for users to access OLAP cubes in SAS Web Report Studio or SAS Web OLAP Viewer, they must have Read permission for the cubes (in addition to any information maps that are built on the cubes). To modify the permissions for accessing OLAP cubes:
1 Log on to the SAS Management Console as an administrator. 2 Open the repository that you want to modify. 3 Navigate to Authorization Manager
select Properties.
I Resource Management I By I OLAP server name I OLAP server name OLAP Schema. Right-click OLAP server name I OLAP server name OLAP Schema and
Location
5 Click the Authorization tab. 6 Grant Solutions Users these permissions: Read and ReadMetadata.
You might need to add the Solutions Users group to the list. Be sure that the Read and ReadMetadata permissions are granted directlythat is, be sure that the Read and ReadMetadata Grant check boxes are selected and have white backgrounds. If the background is gray, click the check box until the background changes to white. You can also set permissions for an individual cube, a dimension, a hierarchy within a dimension, or a level within a dimension. For details, see the SAS OLAP Server:
24
Create Content for the Site
Chapter 2
Administrators Guide, available at http://support.sas.com/documentation/

configuration/913admin.html.
Create Content for the Site

Create content for the site by importing content, creating stored process reports, and developing custom stored processes. A number of stored processes are provided with the solutions. These stored processes are located in the SAS Content folders of the repositories that are used by those solutions. One way of creating content for the site is to create stored process reports that are customized for different groups. For instructions about creating site content, including stored process reports, see Creating Site Content on page 60.
Set Permissions to Refresh Stored Process Reports

If you have installed SAS Human Capital Management and want users to be able to refresh stored process reports, you must grant ReadMetadata permission to Solutions Users for the corresponding stored processes. For details, see Enable Users to Refresh Stored Process Reports on page 60.
Congure the Information Delivery Portal for the Site

Conguring the portal includes assigning default portal pages for users or groups, as described in Applying the Solutions Users Page Templates on page 83. You can also create custom page templates; for more information, search for page templates in the portals online Help. Users can customize their own portal pages. Some suggestions are in Customizing the Portal on page 84. If you want to make available additional portlets of the SAS Information Delivery Portal, see Accessing the Default Portlets of the SAS Information Delivery Portal on page 91.
Load Production Data

You are now ready to load production data. Follow these steps:
1 Back up the server content.
For instructions, see the documentation for the Backup, Restoration, and Migration tool.
2 Load production data. The user and group information is retained in metadata.
The content folder structure is maintained.

3 Apply data security to the production data.
For instructions about loading production data and applying data security, see SAS Solutions Services: Data Administration Guide (http://support.sas.com/ documentation/solutions/admin).
Congure the J2EE Application Server and Web Applications
25
Install the SAS Strategic Performance Management Migration Wizard (Optional)

If you are migrating data from an earlier release of SAS Strategic Performance Management, you should install and run the Migration Wizard. For instructions, refer to SAS Strategic Performance Management Migration Wizard on page 139.
Load Client Applications

After installing the servers, system administrators can install some client applications on the users systems. Alternatively, users can install these clients themselves. For descriptions of these applications and for installation instructions, see Chapter 14, Client Installation and Conguration, on page 135.
Congure the J2EE Application Server and Web Applications

After installation and conguration, you can make the following modications to the J2EE application servers and to the deployed Web applications. The rst few modications are required under certain circumstances. The remaining modications are optional. 3 Deploy themes to a Web server. If you are deploying your applications on WebSphere, you cannot deploy your themes to the same servers that are referencing the themes. You must deploy them to a separate WebSphere instance or to a Web server. For instructions, see Move Themes to a Web Server on page 75. 3 WebLogic only: Set the Frontend Host parameter for a WebLogic server. This can be particularly important if you are deploying SAS Web Report Studio and SAS Solutions Services on different managed servers. 3 WebLogic only: If you have installed SAS Human Capital Management, increase the heap size for the HR managed server. For instructions, see Startup Scripts on page 65. Note: Do not make this modication for a single-machine installation.
3 WebLogic only: Install services to start the managed servers. 3

See Setting Up Managed Servers as Windows Services on page 68. WebSphere only: Suppress warning messages that occur as the result of data access from a thread that was spawned by an application event (optional). To suppress these warning messages, see Suppress Warning Messages for Data Access on page 73. Modify timeout values for Web applications. The default timeout is 30 minutes. For instructions about changing this value, see Set Session Timeout Values on page 74. Make the Winter theme available to portal users. See Make the Winter Theme Available on page 75. Change the port number for an application server.
3 3 3
26
Maintain the System
Chapter 2
For WebLogic managed servers, see Changing the Port Number for a Managed Server on page 69. 3 Congure ODCS clustering to improve performance. ODCS clustering is designed to reduce wait time by distributing query processing to additional machines. For more information, see Using ODCS Clustering to Reduce Wait Time on page 76. For additional information about J2EE application administration, see Chapter 6, J2EE Server Administration, on page 63.
Maintain the System

Synchronize the Server Clocks
If you installed the solutions on more than one server, you should set up a job to synchronize clocks between servers. Otherwise there might be errors when you try to update datafor example, if the target server has a later date or time than the source. Typically, this job should run on a daily basis.
Restart Servers
If you are running SAS Human Capital Management on the BEA WebLogic application server: for best performance, we recommend that you restart the managed servers, as well as the SAS application servers, once a week.
Tune System Performance

The SAS Intelligence Platform: System Administration Guide, SAS Intelligence Platform: Web Application Administration Guide, and SAS Intelligence Platform: Application Server Administration Guide have several topics about performance tuningfor example, for SAS Web Report Studio, for SAS OLAP Server, for the metadata server, and for the workspace servers. These books are available at http:// support.sas.com/documentation/configuration/913admin.html. For information about performance tuning for WebLogic or WebSphere, follow the recommendations in Chapter 6, J2EE Server Administration, on page 63.
Monitor and Maintain Your System

Maintaining your system is a complex set of tasks that cannot be fully described in this book. Here are some references to chapters in this book, as well as other sources of information: 3 Using the Solutions Web Administration Application on page 99 Describes the utilities that are available in the Solutions Web Administration Console. 3 Using Command-Line Diagnostic Tools on page 106 Describes the status, users, UserGroupValidation, StoredProcessValidation, and MailValidation diagnostic utilities. 3 Appendix 2, Log Files, on page 147
Check SAS Notes for Additional Information
27
Describes useful log les, some of which might need regular rotation to prevent their becoming too large. For information about controlling the level of information that is logged, see Conguring Log Files on page 105.
3 Appendix 3, Troubleshooting, on page 151

Describes some common problems and possible courses of action. For information about generating a status report that can be sent to SAS Technical Support, see Check System Status on page 107. For information about port numbers, see Appendix 1, Default Port Usage, on page 143.
3 SAS Intelligence Platform: System Administration Guide and SAS Intelligence

Platform: Application Server Administration Guide Contain information about maintaining SAS servers, such as the SAS Metadata Server, the SAS Stored Process Server, and workspace servers. These books are available at http://support.sas.com/documentation/configuration/ 913admin.html.
Check SAS Notes for Additional Information

We strongly recommend that you check the SAS Notes, available on the SAS Technical Support Web site, for additional information and support xes. To nd the available SAS Notes, go to http://support.sas.com/techsup/intro.html, click Advanced Search, and search for the phrase solutions services.
28
29
CHAPTER
3
Planning the Sites Security
About Security Authentication Authorization Server Security Auditing 32
29 29 30
and Data Transmission
31
About Security
SAS Solutions Services and the solutions that use SAS Solutions Services build on the SAS Intelligence Architecture security plan, as described below. You should be familiar with the Security Administration chapters of the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/ documentation/configuration/913admin.html).
Authentication
Authentication is the process of verifying the identity of a person or process within the guidelines of a specic policy. Authentication is a prerequisite for authorization. An authentication provider is a technology that servers or applications can use to verify that users are who they say they are. An implementation of SAS Solutions Services and the solutions uses the authentication providers supported by the SAS Intelligence Platform: 3 By default, the authentication provider for a SAS server is the host operating system of the machine on which the server is running. When you request access to a SAS server that is using the default authentication process, the server asks its host environment to verify that your user ID and password correspond to a valid user account in the operating system. This method of verifying identities is called host authentication. 3 At many sites, the host authentication process makes use of LDAP or Active Directory as a back-end authentication mechanism. 3 SAS Web applications run on third-party servers that can use a variety of authentication providers. For more information, see the documentation for the third-party server on which your SAS Web applications run. 3 SAS Solutions Services and the various solutions applications (such as SAS Financial Management and SAS Strategic Performance Management) are deployed on standard J2EE application servers. These servers might also employ a variety of third-party authentication providers.
30
Authorization
Chapter 3
3 End-user client access to the solutions typically involves authentication to the

applications deployed on the J2EE application server. By default, the applications are congured to pass user authentication on to the SAS Metadata Server. For more information about authentication providers, see Understanding Authentication and Customizing the Authentication Conguration in the SAS Intelligence Platform: Security Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html). For information about the metadata identities that must be created for SAS Solutions Services, see Chapter 4, Authentication and User Security, on page 33.
Authorization
Authorization is the process of determining which users have which permissions for which resources. The outcome of the authorization process is an authorization decision that permits or denies a specic action on a specic resource, based on the requesting users identity and group memberships. It is important to understand how authorization works in the SAS Intelligence Platform and with SAS Solutions Services. Authorization enables you to perform the following activities: 3 manage access to resources across multiple authorization layers 3 dene an effective, manageable set of access controls in the metadata authorization layer The SAS Intelligence Platform uses an authorization facility to control user access to repositories and to specic metadata in those repositories. The authorization facility is a subsystem of the SAS Metadata Server that returns authorization decisions based on access controls that are in the metadata. To secure a metadata resource, you must create authorization metadata and associate it with your resource metadata. The authorization metadata denes who can do what to a given resource. The secured resources can be both metadata and the actual computing resources represented by the metadata. The SAS Metadata Server enforces ReadMetadata, WriteMetadata, and CheckinMetadata permissions on resources. The authorization facility also provides a mechanism by which client applications can request authorization decisions on other actions which include Create, Delete, Read, Write, and Administer permissions. Applications use the authorization facility to obtain a users authorization to perform an action dened by the application. In this way, it is the responsibility of the application to request and enforce authorization decisions. In order to effectively secure a sites enterprise metadata, an administrator must understand these concepts: 3 the authorization facility 3 the default security provided by the metadata server 3 the way in which the authorization facility makes authorization decisions 3 the options that are available for securing metadata In addition, the administrator needs to know the security requirements that SAS Solutions Services and related SAS applications might have that are enforced via metadata. In particular: 3 The SAS Intelligence Platform provides the ability to secure data such as tables and columns via metadata security. The authorization facility of the SAS Metadata Server evaluates and enforces specic metadata layer permissions. There are three basic types of access controls that you can use to set permissions in the metadata authorization layer, including:
Planning the Sites Security
Server Security and Data Transmission
31
3 direct access controls 3 inherited access controls 3 repository-level access controls

SAS Solutions Services installs a set of direct access controls to dene permissions to the tables in the SAS Detailed Data Store and the SAS Solutions Data Mart. In addition, a site can further secure access to tables and other metadata objects using the Authorization Manager plug-in for SAS Management Console. For more information about setting those permissions, see the online Help for SAS Management Console.
3 In addition to data resources, SAS Intelligence Platform deployment can include

one or more custom trees that you can use to organize and manage access for certain resources. In SAS Solutions Services, Document Manager has a default folder, Documents, that serves as the root level of the sites content within a repository. Below that folder are three additional default folders: SAS Content, Shared Documents, and Users. Within this content tree, each folder inherits the effective permissions of its parent folder. For more information about security for these folders, see Organizing Content on page 52.
3 The actions allowed on a particular metadata-dened content type are determined

by the metadata authorization facility based on role assignments. SAS Solutions Services provides two other authorization mechanisms that extend the authorization capabilities of the SAS Metadata Server:
3 For some forms of table access, row-level security is provided via information that
is stored in a separate table in the Solutions Data Mart. Modifying this security information is a customization.
3 Application objects that are represented by data in the Solutions Data Mart are
secured by means of an extended object-based authorization facility. In this way, complex objects such as scorecards and planning forms can be secured. Authorization decisions are based on user and group permissions per object that are also applied to additional hierarchical information (such as organization tables, legal reporting structures, and project hierarchies). This facility is shared by SAS Solutions Services and applications such as SAS Financial Management and SAS Strategic Performance Management. For detailed information about applying this object-based security, see the documentation for the solutions. The ability of users to perform a particular action is determined not only by these metadata-based access controls, row-level security schemes, and application-level authorization, but also by external authorization mechanisms such as operating system permissions and database controls. In order to perform a particular action, a user must have the necessary permissions in all of the applicable authorization layers. For additional information about authorization in the SAS Intelligence Platform, see the SAS Intelligence Platform: Security Administration Guide.
Server Security and Data Transmission

The third major area of security deals with securing servers and encryption. Sending unsecured data exposes it to various risks. How do you protect data transmissions? The SAS Intelligence Architecture and SAS Solutions Services make it easy for you to distribute critical information to key decision-makers while ensuring that this critical
32
Auditing
Chapter 3
information does not fall into the wrong hands. However, this distributed model often requires more than application-level authorization and data security. It is also important to consider how access to physical servers is congured. In general, the solutions are designed for use inside a corporate rewall. Because much of the data deals with particularly sensitive information, an organization typically deploys a rewall at appropriate network gateways to protect the resources of its private network from users of other networks. This private network (or intranet) enables an enterprise to provide its workers with access to protected data resources. As organizations distribute the business intelligence found in their data, there is an increased need to ensure the condentiality of business transactions over a network and within an enterprise. SAS Solutions Services makes available a number of data security technologies from SAS and from third parties to further protect data and credentials (such as user IDs and passwords) that are exchanged in a networked environment. Fundamental to these technologies is the use of proven, industry-standard encryption algorithms for data protection. Encryption is the transformation of intelligible data (plaintext) into an unintelligible form (ciphertext) by means of a mathematical process. The ciphertext is translated back to plaintext when the appropriate key that is necessary for decrypting (unlocking) the ciphertext is applied. Although encryption increases the protection of data, it does not prevent unauthorized access to data. For more information about these security mechanisms, see Chapter 9, Server Security and Encryption, on page 113.
Auditing
It is not enough to protect data resources and applications by prohibiting access by unauthorized users. A good security system must also provide a record that indicates who has accessed an application or resource and what operations he or she has performed during a given period of time. Such records are known as audit trails, and they are useful not just in maintaining security but also in identifying the process by which information is routed through the system. SAS Solutions Services provides several mechanisms for producing audit trails and user history, including a common user history mechanism in SAS Solutions Services that is used by the solutions (see View an Audit Trail for a User on page 103). The solutions have the capability to extend the auditing capabilities of SAS Solutions Services. For more information about those auditing capabilities, see the documentation for the solutions. In addition, SAS Solutions Services uses the auditing capabilities provided by SAS Data Integration Studio. For more information about these features, see the online Help for SAS Data Integration Studio.
33
CHAPTER
4
Authentication and User Security
Overview of Authentication and User Security 33 Group MembershipWhat Can I See? 34 About Groups 34 How Content Permissions Are Enforced 34 Role MembershipWhat Can I Do? 34 About Roles 34 Groups and Roles: An Example 34 How Roles Are Dened 35 How Role Permissions Are Enforced 36 Default Users and Groups 36 Default Users 36 Default Groups 38 Determining Group and Role Assignments 40 Overview of Group and Role Assignments 40 Assign a Solutions-Wide Group 40 Assign Custom Groups 41 Assign a Solutions-Wide Role 42 Assign SAS Strategic Performance Management Roles 42 Assign SAS Financial Management Roles 43 SAS Financial Management Studio 43 SAS Financial Management 44 Excel Reports 46 Stored Process Reports 46 Assign SAS Human Capital Management Roles 46 Assign SAS Web Report Studio Roles 47 Assign SAS Data Integration Studio Groups and Roles 48 Registering Users 48 About Registering Users 48 Bulk Loading Users and Groups 49 Synchronizing Users, Groups, and Roles 49 Synchronizing Data Tables 49 Creating Group Permission Trees for the Portal 50
Overview of Authentication and User Security

A metadata identity is created when you dene an individual user or group in the User Manager plug-in to the SAS Management Console, or when you import user and group denitions from an enterprise source by using SAS bulk-load macros. The authorization facility uses identity metadata to dene who is granted or denied permission to access a resource.
34
Group MembershipWhat Can I See?
Chapter 4
The SAS Intelligence Platform and SAS Solutions Services require a specic set of users that are created and congured during the deployment process. These users are described in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html). The users of a solutions application, however, are typically the business users in a particular domain, such as nance. A sites administrator must load all of the appropriate information for each user who requires access to the solutions application. This chapter describes the default metadata identities representing users, groups, and roles required by SAS Solutions Services, as well as the identities that need to be created on site. For background information about authentication and authorization, see About Security on page 29.
Group MembershipWhat Can I See?

About Groups
Grouping users is a way of simplifying the process of authorizing access to content. Typically, you create a folder structure on-site that best ts the sites needs, and you assign permissions to read, write, delete, and administer that content. After you dene a group of users, you can assign permissions to the group rather than to individual users. Default groups are congured in the installation processes of both the SAS Intelligence Platform and the solutions. These default groups are described in Default Users and Groups on page 36. On site, you create additional custom groups, and you assign users to the default and the custom groups, as described in Determining Group and Role Assignments on page 40 and Registering Users on page 48.
How Content Permissions Are Enforced

Content permissions are enforced by the metadata server. They can be assigned in the Document Manager or in the SAS Management Console. For instructions and an example, see Dening Security Authorization for Content on page 55. For more information about the way the metadata server enforces these permissions, see Understanding Authorization in the SAS Intelligence Platform: Security Administration Guide.
Role MembershipWhat Can I Do?

About Roles
In SAS Solutions Services, roles are predened on the basis of functionality that the user can perform in each solution. It is important to understand the difference between groups and roles, and the privileges that each conveys. Simply put, your group membership determines which content you have access to, whereas your role assignments determine which actions you can perform with this content. Note: Unlike groups, roles are not hierarchical; they do not inherit properties from other roles. Roles should be assigned to individual users, not to groups. 4
Groups and Roles: An Example

As an example, assume that you belong to a group called Travel, and you are assigned the Information Consumer role. The Travel group has permission to access the contents of a folder called Travel Dept, that is located under Shared Documents.
Role MembershipWhat Can I Do?
35
In the Document Manager, you can see the list of documents in the Travel Dept folder, because of the group permissions attached to that folder and its contents. However, you are an Information Consumer, which by default can view documents but cannot move them. When you open the action menu for a Web document, you see this list of available actions:
If you had been assigned the Analyst or System Administrator role instead, you would see an action menu that included the Move action, like this:
How Roles Are Dened

In the SAS Management Console, a role is dened as a special kind of group . If you open a roles properties, you will see a checkmark in the box that is labeled
Make this group available as a Role for applications.
During the solutions installation process, a set of default roles is dened. The Solutions Role Administrator is a member of all roles, and the SAS Demo User is a member of several of the roles. In addition to the default mappings, you must add site-created users to some of these roles. For more information, see Determining Group and Role Assignments on page 40. Note: Best practice suggests that roles not be added on-site unless they are for extensions that are added specically for that site. 4
36
Default Users and Groups
Chapter 4
How Role Permissions Are Enforced

Permissions that are based on roles are enforced in two different ways:
3 The Document Manager enforces the permissions that are set in the metadata
repository. For each content type, such as WebDocument, ExcelReport, or StoredProcessReport, there is a dened set of actions, such as Move, AddtoPortlet, and Comment. Roles are granted permission to perform various actions based on content type. In Groups and Roles: An Example on page 34, the permissions are set on the Move action for the WebDocument content type. If a user has one role that grants an action for a particular content type and another role that denies the same action, then the least restrictive permission applies. If a user is directly granted or denied permission to perform an action, then the users grant or denial applies, regardless of any roles the user might belong to.
3 In the solutions, roles are enforced by the application. Each application

determines the functionality that is permitted to various roles. It is not possible to modify role permissions in applications.
Default Users and Groups

Default Users
During installation of the SAS Intelligence Platform, several users are created in the metadata, as shown in the following table.
Table 4.1 Default Users That Are Created during SAS Intelligence Platform Installation
Logins* Metadata Identity SAS Administrator SAS Trusted User** User ID domain\sasadm domain\sastrust Default Password AdminAdmin1 UserUser1 Default Authentication Domain If you use Xythos as your WebDAV server, the authentication domain for sasadm and sastrust should be the same domain as the WebDAV server. DefaultAuth DefaultAuth DefaultAuth
SAS Guest SAS Demo User SAS Web Administrator
domain\sasguest domain\sasdemo domain\saswbadm or saswbadm
UserUser1 DemoDemo1 AdminAdmin1
* The Logins column shows the authentication mechanism for each metadata identity. The user IDs should correspond to accounts in your authentication provider. On Microsoft Windows,
Default Users
37
the user ID in the login should be fully qualied with a host or domain namefor example, myhostname\sassrv. That is the pattern shown in this table. ** The user that is specied as the metadata user in sas.solutions.services.ear/ sas.solutions.common.war/WEB-INF/web.xml must have read and write access to all areas of the metadata server. By default, this user is the SAS Trusted User.
The solutions installation creates additional users. The following table lists those metadata identities and associated information:
Table 4.2 Default Users That Are Created during SAS Solutions Services Installation
Logins Metadata Identity Solutions Installer Default Password AdminAdmin1 Default Authentication Domain Notes DefaultAuth The slninstl user account must exist on the data-tier machine and must belong to the machines Administrators group and SAS Server Users group. The slnadm user account must exist on the machine where the metadata server is located, and must be a member of the machines SAS Server Users group. This identity should not be used to log on to the portal.
User ID domain\slninstl
Solutions Role domain\slnadm Administrator*
AdminAdmin1
DefaultAuth
* The Solutions Role Administrator is a system user that should always be a member of all roles that are created by the solutions. It is used for cases in which a user must perform a query as a part of a larger process, but the query requires a role that the user does not generally need. Rather than requiring that the user be assigned that role, the application recognizes the Solutions Role Administrator as a user with the proper role in order to successfully complete the process.
Note: There are three special user identities that are cached when the J2EE application server is started: SAS Trusted User, SAS Administrator, and Solutions Role Administrator. Changes to these users in the SAS Management Console do not take effect until the J2EE application server is restarted. Other user identities are loaded from the metadata repository when the user logs on to the portal. 4 The SAS Intelligence Platform describes a small set of required users. Typically, there are many solutions users. For more information, see Determining Group and Role Assignments on page 40.
38
Default Groups
Chapter 4
Default Groups
The SAS Intelligence Platform conguration creates several default groups in the metadata:
3 3 3 3
SAS System Services SAS General Servers Portal Admins Portal Demos
In addition, there are two implicit groups: SASUSERS (which includes all users who have a metadata identity) and PUBLIC (which includes all users who can access the metadata server). For more information about these groups, see Standard Group Metadata Identities in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/ 913admin.html). The following table lists these group metadata identities, their logins, and default members.
Table 4.3 Groups That Are Created during SAS Intelligence Platform Conguration
Logins Default Password Default Authentication Domain
Group SAS System Services
User ID
Default Members SAS Trusted User* SAS Web Administrator
SAS General Servers** Portal Admins
domain\sassrv
UserUser1
DefaultAuth
SAS Trusted User SAS Web Administrator SAS Trusted User*
Portal Demos
SAS Demo User
* The SAS Trusted User identity should not be used to log on to the portal. ** There is no metadata identity for the SAS General Server user (sassrv). It is the account used by the object spawner to launch stored process servers and requires Log on as a batch job rights.
The solutions installation congures an additional set of groups:
3 Solutions Users is the base group for all solutions users. 3 Administrators is a subgroup of Solutions Users. 3 The MYSQL Users group is used to grant access to users who run stored processes
and ETL processes that reference MYSQL tables. The following table lists these group metadata identities, their logins, and default members. In addition to the default mapping, you must add site-created users to some of the solutions groups. For more information, see Assign a Solutions-Wide Group on page 40.
Default Groups
39
Table 4.4
Groups That Are Created during SAS Solutions Services Installation

Logins
Group Administrators
User ID
Password
Authentication Domain
Default Members SAS Trusted User Solutions Installer
Solutions Users
domain\ sasspusr
UserUser1
SpAuth
Administrators group SAS Demo User Solutions Role Administrator
MYSQL Users
sqladmin
AdminAdmin1 MysqlAuth
SAS Demo User Solutions Installer SAS General Servers
HR
Members of this group have superuser access to HCM tables. There are no default members. These are example groups. They have no default permissions assigned.
Finance SPM Users
There is no metadata identity for sasspusr (the SAS Stored Process user). It is the account used to authenticate to the stored process server. This user exists on the stored process physical server and requires Log on as a batch job user rights; this user should have no access to data. With SAS Solutions Services, the stored process server is congured to have an authentication domain of SPAuth. Any user who invokes a stored process must be authenticated on this server, either with the users own login or via a group login. If you are installing other applications in addition to the solutions, and you do not want the users of those applications to be members of the Solutions Users group, you can create a similar group and stored process user. Follow these instructions:
1 On the stored process physical server, create a user (for example, sasspusr2).
This user should have no access to data.

2 If this is a Windows installation, grant this user the Log on as a batch job
right.
3 Log on to SAS Management Console as the administrative user (sasadm). 4 In the User Manager, create a group (for example, Stored Process Users). 5 On the Logins tab for this group, add a login for sasspusr2.
Enter the user name and password that you created in Step 1. For the authentication domain, select SPAuth.
6 Add your users to the Stored Process Users group.
Alternatively, you can give each user a login on the stored process physical server. Follow the same criteria as for the group login. Then add the login to the users properties in SAS Management Console.
40
Determining Group and Role Assignments
Chapter 4
Determining Group and Role Assignments

Overview of Group and Role Assignments
At each site, the system administrator creates metadata identities (user IDs) for each end user, denes the users authentication login, and assigns the user to the appropriate groups and roles. As a part of the planning process, you must determine the following information: 3 the authentication mechanisms to be used. Each solutions user is required to have a login to verify that he or she is authenticated. For the most current information regarding these mechanisms, see Understanding Authentication in the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/ configuration/913admin.html.
3 the set of users, groups, and roles, and the mapping between them.
Assigning groups and roles consists of these tasks:
1 Assign each user to a solutions-wide group. 2 Create custom groups for the site, and then assign users to those groups. 3 Assign each user to a solutions-wide role for Document Manager access. 4 Assign each user to one or more domain rolesfor example, roles for SAS
Financial Management or roles for SAS Human Capital Management. 5 Optionally, assign SAS Web Report Studio roles.
6 Optionally, create additional SAS Data Integration Studio users by assigning the
necessary groups and roles. Each of these tasks is described in the remainder of this chapter. Note: Some roles appear in more than one place; for example, the Analyst role applies to the Document Manager and to each of the solutions. This is the same role, but the functionality it confers depends on the application that is being used. 4
Assign a Solutions-Wide Group

Assign each user to one, and only one, of the groups that are described in the following table:
Assign Custom Groups
41
Table 4.5 Solutions-Wide Groups

Group Solutions Users Description The base group for all solutions users. Members of this group are able to access the Document Manager, are congured to run solutions stored processes, and have default portal customization capabilities. Any user who will log on to the portal to run solutions applications must belong to the Solutions Users group or to a subgroup of Solutions Users. Administrators A subgroup of Solutions Users. In the Document Manager, the SAS Content folder in each repository is accessible to Administrators. This folder contains standard reports and stored processes that are provided with the solutions. Administrators can also open the Solutions Web Administration application. In SAS Financial Management, members of the Administrators group have special superuser privileges that enables full access to SAS Financial Management objects (cycles, result models and composite results). Permissions on these objects are ignored for users in the Administrators group. (These special privileges apply only to these objects, not to cell data. There is no superuser for data level security in SAS Financial Management.) For details, see the online Help for SAS Financial Management Studio. Do not assign users to both the Administrators group and the Solutions Users group.
Assign Custom Groups

Assign users to one or more custom groups, as appropriate for the sites needs. If your custom groups are subgroups of Solutions Users, then you should not also assign those group members to Solutions Users. A common approach to dening groups for use in managing document security is to dene a single hierarchy, that is derived from Solutions Users, and that matches the content structure (see Organizing Content on page 52). Examples include groups made up of departments or projects. Add users to the lowest level group of which they are members. For example, assume you dened an organizationally-based group hierarchy that looked like this:
Finance Division Finance Planning Dept
You would then add John Doe, a member of the Finance Planning Department, to the Finance Planning Dept group. For an example of restricting access to content based on group membership, see Dening Security Authorization for Content on page 55. Note: In addition to the basic security that is applied to managing documents, specic security is applied to details within the SAS Financial Management data models. For more information, consult the SAS Financial Management documentation. 4 The installation includes two examples of custom groups: Finance and SPM Users. These groups have no default permissions assigned. You are free to use these groups or to create others. On the other hand, members of the HR group have superuser access to HCM tables, regardless of the hierarchical lters that are applied to those tables. As a
42
Assign a Solutions-Wide Role
Chapter 4
customization it is possible to restrict access to individual members of the HR group, by means of a user lter.
Assign a Solutions-Wide Role

The roles assigned to solutions users determine the users authorization level and the functionality that they are able to perform. Remember to assign users (not groups) to roles. Assign each user to one role from the following table, to control the actions users can perform in the Document Manager.
Table 4.6 Solutions-Wide Roles
Role Information Consumer Analyst System Administrator Document Manager Privileges Users with this role have read access to content. They cannot create or move content. Users with the Analyst role have the ability to view, edit, and move authorized content. Users with this role have full access to all functionality within the Document Manager. (Do not confuse this role with the Administrators group.)
Assign SAS Strategic Performance Management Roles

1 For each SAS Strategic Performance Management user or KPI Viewer user, select
one role from the following table. Roles are listed in increasing levels of functionality.
Assign SAS Financial Management Roles
43
Table 4.7 SAS Strategic Performance Management Roles

Role Scorecard Data Entry Description A user who enters data into forms for scorecards. Users with this role can access only the tables in projects and scorecards that they are authorized to view. They use these tables to manage and use data entry forms. Analyst A user who analyzes and creates reports, views scorecard information, and performs other similar tasks. Analysts can view tables, aggregate tables, dashboards, diagrams, associations, and ranges. They can edit column selections and set personal thresholds and formats, as well as access and customize historical trend charts. In addition, SPM Analysts can manage and use data entry forms. Unlike Scorecard Modelers, Analysts cannot create scorecard projects. Scorecard Modeler A modeler who implements the performance management strategy at a site. Users with this role can create scorecard projects and can fully manage the content of templates, projects, and scorecards that they are authorized to view, edit, and delete.
2 Optionally, assign users to the Dimension Modeler role. Table 4.8 Dimension Modeler Role
Role Dimension Modeler Description Users with the Dimension Modeler role are able to use the SAS Dimension Editor.
SAS Financial Management Studio

1 For users who will work in SAS Financial Management Studio, select one of the
roles in the following table:
44
Chapter 4
Table 4.9 SAS Financial Management Studio Roles

Role Finance Adjuster Description A nancial specialist who performs manual adjustments and creates or edits adjustment rules. Users with this role have the following privileges:
3 3
Finance Process Administrator
all features of the Models workspace except for creating and editing unbalanced manual adjustments read access to the Dimensions, Cycles, Rates, and Forms workspaces
An administrator who congures SAS Financial Management, creates cycles, rates, and formsets, manages data security, exports measures, and performs other administration tasks. Users with this role can use all the features of SAS Financial Management Studio.
2 Optionally, select the Dimension Modeler role that is described in the following
table:
Table 4.10
Role Dimension Modeler
Dimension Modeler Role in SAS Financial Management Studio

Description Finance Adjusters with the Dimension Modeler role have access to all features of the Dimensions workspace. (Without the Dimension Modeler role, Finance Adjusters have read-only access to this workspace.)
SAS Financial Management

For each user who will perform SAS Financial Management tasks in the portal, select one or more roles from the following table:
45
Table 4.11
Role
SAS Financial Management Roles in the Portal

Description A data entry person who submits budgets or other forms for approval. Users with this role can enter data in forms. They have access only to the forms that they have some responsibility for. In a top-down workow, all users need this role so that they can edit a form, if necessary, and push it to the next level. In a bottom-up workow, all users who might edit forms need this role.
Form Submitter
Form Approver
A user who approves forms and sends them to the next stage in the approval process. Users with this role can approve forms that they have some responsibility for. This role is not needed for top-down workows. In a bottom-up workow, all users who need to approve forms need this role.
Finance Process Administrator
An administrator who performs tasks such as freeing a form that is stuck in the workow process. Users with this role can enter data in forms and can approve forms. They have access to all currently active forms.
The need for these roles depends in part on the workow that the users will be participating in. In a top-down workow, data is entered at the highest level of the hierarchy and pushed down to lower levels. In a bottom-up workow, data is entered at the lowest level of the hierarchy (in the leaf forms) and submitted for approval to the next higher level in roll-up forms. For more information about workow, see the SAS Financial Management Users Guide (available at http://support.sas.com/ documentation/solutions/admin/index.html). Notice that bottom-up workows often require users to have both the Form Approver role and the Form Submitter role. If a user is assigned as the author for a roll-up form, then that user must have the Form Submitter role in order to submit the form to the next-level approver. If that user is also responsible for approving all leaf forms below that form, then the user must also have the Form Approver role, as shown in this example:
3 WW: Author=Fred (Form Submitter role, Form Approver role) 3 USA: Author=Mary (Form Submitter role), Approver=Fred 3 Europe: Author=Jean (Form Submitter role), Approver=Fred
However, it is possible to design a workow in which some users are only approvers, while other users are only form submitters. In this example, one user is assigned to roll up a form, while a different user approves leaf forms:
3 WW: Author=Fred (Form Submitter role) 3 USA: Author=Mary (Form Submitter role), Approver=Carl (Form Approver role) 3 Europe: Author=Jean (Form Submitter role), Approver=Carl
Note: In order for a user to receive alerts for forms that need attention, the user must be directly assigned to the Form Submitter or Form Approver role. Only individual usersnot groupsshould be assigned to roles. 4
46
Assign SAS Human Capital Management Roles
Chapter 4
Excel Reports
If the SAS Financial Management Add-in for Microsoft Excel is installed, then users with the appropriate permissions are able to view and create reports. The default role permissions are as follows:
Table 4.12
Role Information Consumer
Roles for Excel Reports

Description Users with the Information Consumer role can view Excel reports, by opening those reports from the portal or opening them directly in Microsoft Excel. They can edit an existing reportfor example, to format the dataand share a report.However, they cannot create new reports. Users with any of these roles can both view and create nancial reports in Microsoft Excel, whether they open a report from the portal or directly in Excel. Unlike Information Consumers, they can insert documents, read-only tables, and CDA tables.
Analyst Form Submitter Form Approver Finance Process Administrator
Stored Process Reports

The default role permissions do not restrict the refreshing and viewing of stored process reports in the portal. To restrict access to stored processes and stored process reports, it is recommended that you use group and user folder permissions. For example, you might create one set of stored process reports for managers and a smaller set of reports for individual users. The managers reports might expose a full set of parameters, to give managers greater exibility in creating reports, while the individual users reports might expose a more limited set of parameters. You would store these reports in separate folders and apply permissions accordingly. For more information, see Chapter 5, Content Administration, on page 51.
Assign SAS Human Capital Management Roles

For each user who will perform SAS Human Capital Management tasks, select one role from the following table:
Assign SAS Web Report Studio Roles
47
Table 4.13
Role HCM User
SAS Human Capital Management Roles

Description A user who views employee, organizational, and geographic data, and who creates presentations and reports. Users with the HCM User role have these capabilities:
3 3 3
Analyst
Employee Browser: all functions, including the ability to view employee detail (prole view), to search for employees, and to edit the category list Organizational Analysis: open and print organizational charts; launch a linked scorecard; create a presentation view Geographic Analysis: open a geographic analysis document and drill down into the content; print a map or employee list
An HR analyst who creates organizational and geographic analyses. Users with the Analyst role have these capabilities:
3 3
Employee Browser: all functions (same as the HCM User role) Organizational Analysis: in addition to the HCM User privileges, these users can add and remove measures, create new organizational charts, and modify the organizational structure or organizational analysis Geographic Analysis: in addition to the HCM User privileges, these users can create a geographic analysis document
3
HCM Administrator
An administrator who congures SAS Human Capital Management and manages data security. Users with the HCM Administrator role have full access to all functionality within SAS Human Capital Management. In addition to the capabilities described for Analysts, they can perform HCM conguration, including conguring data, organizational analysts, categories, and the employee browser.
Assign SAS Web Report Studio Roles

There are three roles that apply to authoring or viewing reports in SAS Web Report Studio. Each role (as listed in the following table) is a superset of the previous role. By default, these roles are not assigned, and as a result all users have implicit membership in all three roles. If you want to restrict SAS Web Report Studio functionality to certain users, then you should assign the roles accordingly. After you have assigned a role to a user, then that role and its superset(s) have no implicit members. Select one of the following roles:
48
Assign SAS Data Integration Studio Groups and Roles
Chapter 4
Table 4.14
Role
SAS Web Report Studio Roles

Description Users who have this role can view reports and manipulate report data in the View Report view. Users can copy, move, save, rename, or delete reports. Users cannot create new reports. In addition to the abilities assigned to WRS Report Consumers, users who have this role can create reports with the report builder or report wizard. Users can also schedule reports. In addition to the abilities assigned to WRS Report Authors, users who have this role can distribute reports. Users cannot create or delete recipient lists that are used for report distribution.
WRS Report Consumer
WRS Report Author
WRS Advanced User
There is one additional role, WRS Administrator, that provides full access to SAS Web Report Studio functionality. However, adding a member to the WRS Administrator role does not affect implicit membership in the other three roles. For more information about these roles, see SAS Web Report Studio Administration in the SAS Intelligence Platform: Web Application Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
Assign SAS Data Integration Studio Groups and Roles

During the conguration process, you created a SAS Data Integration Studio user (see Chapter 2, Planning, Installing, and Conguring SAS Solutions Services and the Solutions, on page 7). These users run ETL jobs, submit data, and perform other ETL-related tasks for the solutions. You might want to dene additional SAS Data Integration Studio users for the solutions. These users must belong to the groups and roles that are described in the following table:
Table 4.15 SAS Data Integration Studio Groups and Roles
Description Required only if the user will be logging on to the portal and viewing solutions content. Required for all SAS Data Integration Studio users, in order to run jobs that access the MySQL database. Required for all SAS Data Integration Studio users. Users with this role receive information about ETL job status. For more information, see Restrict the Events That Data Administrators See (Optional) on page 17.
Group or Role Solutions Users group MYSQL Users group Data Administrator role
Registering Users
About Registering Users
After you determine the authentication mechanisms and the group and role assignments, you can register users in the metadata repository. The system
Synchronizing Data Tables
49
administrator can use the SAS Management Console to create the users interactively. There is also a mechanism for bulk loading a large set of users and groups (see Bulk Loading Users and Groups on page 49). When you dene each user, be sure to include the users login information, group and role membership as described in Determining Group and Role Assignments on page 40, and e-mail address. E-mail notications are often sent to users. Be sure to dene an e-mail address for every user as you create the users metadata identity. This is a requirement for the successful processing of some functions.
Bulk Loading Users and Groups

During rollout of solutions, large sets of users are typically added. These sets of users can come from other authentication systems or from currently existing products. The bulk-load process is used to create many metadata identities in a batch manner, rather than interactively. Bulk loading creates metadata identities and can also assign those identities (for example, users) to groups or roles. For more information about the bulk-load process, see Bulk-Load Processes for Identity Management in the the SAS Intelligence Platform: Security Administration Guide (available at http://support.sas.com/documentation/configuration/ 913admin.html). This appendix describes bulk-load examples under the topic How to Perform an Initial Import of Identity Information. Some of the sample code is in that section, and other examples are provided in the !SASROOT\core\sample directory (on Windows) or !SASROOT\samples (on UNIX). Before performing bulk loading, be sure you understand about users, groups, and roles.
Synchronizing Users, Groups, and Roles

Synchronizing Data Tables
When you add users, groups, and roles to the metadata repository, you must synchronize those changes with MySQL database tables that are used for data-level security. Information for users, groups, and roles is stored in database tables which must be kept in synchronization with the metadata. As a part of best practices, it is recommended that you set up a SAS Data Integration Studio job as a scheduled process to synchronize data tables. In some cases, changes to users, groups, and roles might need to be reected in the database as soon as those changes are made in the metadata. In that case you can run the jobs manually, rather than waiting for the scheduled process to run. If you need to synchronize on demand, follow these steps: 1 Log on to the portal as a member of the Administrators group. 2 Open the Document Manager and select the Solutions repository. 3 Navigate to the SAS Content I Data Management I Solutions Data Mart folder. 4 Select and run the Import Users and Groups stored process. To run the stored process, click the action menu process and select Refresh. to the left of the stored
In addition, if you create new groups or roles, group permission trees for the portal must be created in the metadata repository. Those group permission trees can be
50
Creating Group Permission Trees for the Portal
Chapter 4
created automatically, or you can initialize them with a batch job; see Creating Group Permission Trees for the Portal on page 50.
Creating Group Permission Trees for the Portal

Group permission trees enable content sharing for groups. If you simply add users to existing groups or roles, those user permission trees are created when the user logs on to the portal. If you create new groups or roles, those group permission trees are added to the metadata repository when the J2EE server for the portal Web application is started, or when a member of the Portal Admins group logs on to the portal. If there is a large number of new users or groups, this process could cause the portal to take a long time to open. On Windows, to create group permission trees without restarting the J2EE server or without logging on as a member of the Portal Admins group, you can run a batch job that creates the necessary metadata for the portal from users and groups that are currently listed in the metadata repository. Follow these steps:
1 Change directory to SAS-install-dir\Web\Portal2.0.1\Tools. 2 Edit the initPortalData.bat le and add weblogic.jar, sas.svc.sec.login.weblogic.jar,
sas.entities.jar, and sas.oma.joma.rmt.jar to the classpath. The JAR les are located in the remote services library folder (SAS-install-dir\SASSolutionsServices\1.3\RemoteServices\lib). If you copy the JAR les to the appropriate location (%CPJARSDIR%), then you can add these lines at the end of the set CLASSPATH section:
set set set set CLASSPATH=%CLASSPATH%;%CPJARSDIR%\weblogic.jar CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.svc.sec.login.weblogic.jar CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.entities.jar CLASSPATH=%CLASSPATH%;%CPJARSDIR%\sas.oma.joma.rmt.jar
3 Change directory to
SAS-install-dir\Web\Portal2.0.1\SASServices\WEB-INF\conf.
4 Update the sas_metadata_source_client.properties le so that it matches the
corresponding properties le in the WEB-INF\conf directory of the deployed Portal Web application.
5 Change directory to SAS-install-dir\Web\Portal2.0.1\Tools. 6 From a command prompt, run initPortalData.bat.
If the initPortalData utility runs successfully, then a message like the following is displayed:
Done initializing metadata information Transaction count: [0] DONE
The transaction count indicates the number of transactions that are still active when the utility exits. A value other than zero indicates an error. For more information about initPortalData.bat, see the SAS Web Infrastructure Kit: Administrators Guide, available at http://support.sas.com/documentation/ configuration/913admin.html.
51
CHAPTER
5
Content Administration
What Is Content? 51 Organizing Content 52 Default Folders 53 Create Document Manager Folders 53 About Security Authorization for Content 53 Permissions for Accessing Content 53 Default Shared Folder Security 54 Default User Folder Security 55 Dening Security Authorization for Content 55 Secure Content Via Document Manager Properties 55 Secure Content via the SAS Management Console 56 Example: Protecting Access to Shared Folders 57 Secure Content for SAS Web OLAP Viewer 58 Secure Content for SAS Web Report Studio 59 Secure Access for the SAS Guest User 59 Restrictive Permissions Property 60 Creating Site Content 60 Create Stored Process Reports 60 Enable Users to Refresh Stored Process Reports 60 Import Content 61
What Is Content?
In terms of SAS Solutions Services, content is any document, stored process, or viewable object. A content type is a specic object denition that deals with general business or domain intelligence, is stored in the SAS Metadata Server, and can be recognized and managed by the Document Manager application. The following content types are supported.
Table 5.1 Supported Content Types
Icon Content Type DataExploration ExcelReport Description Document containing bookmarks (stored views of an information map) Microsoft Excel (.xls) document
52
Organizing Content
Chapter 5
Icon
Content Type ExcelReport-Dynamic
Description Microsoft Excel document that can be updated dynamically from the server (can be imported but not opened in a portlet) Document Manager folder, which can contain documents and other folders A display of employee information using maps (available with SAS Human Capital Management) Key performance indicator (KPI) project Organizational chart (available with SAS Human Capital Management) PDF document Simulated organizational chart (available with SAS Human Capital Management) Link to another document Scorecard project (available with SAS Strategic Performance Management) Stored process Object that points to a stored process and contains information about stored process parameters Folder for deleted content HTML document or other valid MIME type, including Microsoft PowerPoint les and BMP or JPG images Report generated by SAS Web Report Studio Microsoft Word (.doc) document Microsoft Word document that can be updated dynamically from the server
Folder GeographicAnalysis KPIProject OrgChart PDFDocument SimOrgChart SolutionsLink SPMProject StoredProcess StoredProcessReport Trashcan WebDocument WebReportStudio WordDocument WordDocument-Dynamic
SAS Solutions Services provides a Web application, Document Manager, that displays content in a hierarchical folder structure. Content that is displayed within the Document Manager tree view can also be shown in portlets. With SAS Solutions Services and the portal, system administrators can customize content for a particular site, so that each group of users can have their own view of that content. This chapter describes the procedures, and some best practices, for organizing content and dening the way pages are viewed in the portal.
Organizing Content
As part of the planning for solutions, the system administrator or consultant should determine the content structure that best ts the sites needs. For information ow, it is
Permissions for Accessing Content
53
useful to create a set of folders that are based upon the intended recipients of the documents in those folders. For example, executives might want to view one set of reports, while managers view another set and general staff view yet another set of reports. Each solution, which is associated with a domain of knowledge such as Finance or Human Capital Management, has its own repository with its own data mart. Within each repository, Document Manager by default has a folder called Documents that serves as the root level of the sites content. Below that root folder, the folder structure should correspond to the security groupings that are created, so that the appropriate permissions can be easily applied to the folder levels, and so that content within each folder can inherit permissions from its parent folder. Note: The repository in which content is located is particularly important when you are dealing with data explorations, information maps, and SAS Web Report Studio reports. For more information, see A Note about Repositories on page 125. 4
Default Folders
By default, the Documents folder contains these folders: 3 SAS Content: a folder for SAS to ship content, such as standard reports, with the solutions. The folder structure is based upon the products that are included. By default, only Administrators have permissions to view this folder. 3 Shared Documents: the root level folder for the sites content. The folder can be renamed (for example, My Companys Documents). The folder structure should be designed to be appropriate for the site and its security. 3 Users: a root folder for the folders belonging to individual users. All users have a folder for personal content. The default permissions on each users folder allow access only to that user. However, a user can modify the permissions to let others view content in his or her personal folder. 3 Trash Can: a folder to hold deleted content.
Create Document Manager Folders

You create new folders via the Document Manager application in the portal. Follow these steps: 1 In the portal, select Document Manager. 2 Select the repository in which you want the new folder to reside. 3 Navigate to the folder in which you want the new folder to reside. 4 Select New I New Folder. 5 Name the folder and click OK. For the steps to secure these folders, see Dening Security Authorization for Content on page 55.
About Security Authorization for Content
Permissions for Accessing Content

During planning, the system administrator or content administrator determines the sites shared folder structure and security. The structure might be based on
54
Default Shared Folder Security
Chapter 5
departments, projects, or some other method of organization. In the SAS Intelligence Platform, users who are authenticated to the system have authorization privileges determined by their metadata identity. In the Document Manager, users with Administer permission for a given resource can open its properties and view or set the permissions for that resource. Permissions have the following meanings:
Table 5.2 Document Manager Security Permissions
Permission Read Meaning Read a metadata object Example If a user does not have Read permission for a resource, it does not appear in the Document Manager or in a My Favorites portlet. If a user does not have Write permission for a folder, the user cannot import documents into that folder. If a user does not have Delete permission for a document, the user cannot delete the document. If a user does not have Administer permission for a document or folder, the user does not see the Permissions section of the document or folder properties in the Document Manager.
Write
Create or update a metadata object Delete a resource described by a metadata object Perform administrative tasks
Delete
Administer
Administer permission is the most inclusive and includes Delete, Write, and Read permission. Delete permission includes Write and Read permission, and Write includes Read permission. Be aware that, while users might have permissions for various resources, the actions that they can perform on these resources might be restricted by the roles they belong to. For more information about roles, see Role MembershipWhat Can I Do? on page 34. For further information about the processing of permissions and how the Open Metadata Repository makes authorization decisions, see Understanding Authorization in the SAS Intelligence Platform: Security Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html).
Default Shared Folder Security

The default security for the content tree shown in the Document Manager is as follows:
Secure Content Via Document Manager Properties
55
Table 5.3 Default Shared Folder Security

Content Permissions (R: Read; W: Write; D: Delete; A: Administer) Solutions Users Group Document Folders SAS Content Users RW None R Administrators Group RWDA RWDA RWDA PUBLIC None
Any folder that is loaded (but not listed above) inherits its permissions from the parent folder. As demonstrated above, if you assign permissions for Solutions Users to a folder, then the Administrators group should also be assigned permissions, because the Administrators group is a member of the Solutions Users group. If the folder has no Administrators-specic permissions, it reverts to using the Solutions Users group permissions. In particular, if you deny Solutions Users access to a folder, you should restore that access to the Administrators group. Note: The Administrators group must have, at a minimum, read/write access to all areas of the metadata server. The metadata user (by default the SAS Trusted User, a member of the Administrators group) performs a number of operations on behalf of users and requires these permissions. 4 Because many folders have conicting permissions for the Administrators and Solutions Users groups, an individual user should not be a member of both groups. In fact, no user should be a member of both Solutions Users and a subgroup of Solutions Users.
Default User Folder Security

As user folders are created under Users, they are assigned the following permissions by default.
Table 5.4 Default User Folder Security
Content Permissions (R: Read; W: Write; D: Delete; A: Administer) Solutions Users Group user folders None Administrators Group RWDA Creator RWDA
Dening Security Authorization for Content
Secure Content Via Document Manager Properties

Individual users can secure their own les and folders in the Document Manager. Administrators can use this method as well, but SAS Management Console can be an
56
Secure Content via the SAS Management Console
Chapter 5
easier way for administrators to secure a large number of les and folders (see Secure Content via the SAS Management Console on page 56. To secure les and folders in the Document Manager: 1 Select a repository. 2 Navigate to the containing folder. 3 click the folder or le you want to secure and select Properties. 4 Expand the Permissions section. Users (or groups) and permissions are displayed. Note: Users and groups that have only inherited permissions are not displayed, although you can view those permissions in the SAS Management Console. In the Document Manager properties, you see only those users and groups with permissions that are specically set for this le or folder.
5 To add a user or group, click Add Users & Groups. 6 To delete a user or group, click the Delete icon
to the right of the permissions for that user or group. 7 To grant a permission, select its check box. To deny a permission, clear the check box. Available permissions are described in About Security Authorization for Content on page 53. 8 Click OK to accept your changes. Note: If you set le or folder permissions in the Document Manager, your changes are reected in the SAS Management Console, and vice versa. 4
Secure Content via the SAS Management Console

In order to set authorization information for content in the SAS Management Console, complete the following steps: 1 Select the Solutions Repository. 2 Expand BI Manager I BIP Tree I Documents. You will see a tree structure similar to this:
3 Navigate to the appropriate folder or document, right-click, and select Properties. 4 Click the Authorization tab. 5 Add or remove permissions for users or groups.
Only users and groups should have assigned access to content. Roles should never be used to assign these permissions.
Example: Protecting Access to Shared Folders
57
Note: ReadMetadata and WriteMetadata permissions in the SAS Management Console correspond to Read and Write permissions in the Document Manager.
Note: If you directly set permissions for Solutions Users for a folder, you should also directly set permissions for Administrators. It is not sufcient for the Administrators group to inherit those permissions, because the direct settings for Solutions Users will override the inherited permissions for Administrators. In the SAS Management Console, inherited permissions are shown with a gray background, like this:
To change those permissions to direct grants (or denials), click the check box until the gray background disappears. 4
Example: Protecting Access to Shared Folders

Best practices for permission-based security are as follows: 3 Deny permissions broadly (for example, to Solutions Users) and grant permissions narrowly (for example, to a subgroup of Solutions Users).
3 Grant or deny permissions to groups rather than to individual users. 3 Apply permissions to folders and let content items in the folders inherit those
permissions. In this example, you have two departments, Travel and Accounting, and you want to create for each department a set of folders that only those department members can access. 1 In the SAS Management Console, you create two groups: Travel and Accounting.
2 You add both of these groups to the Solutions Users group.
58
Secure Content for SAS Web OLAP Viewer
Chapter 5
3 You add the members of the Travel department to the Travel group, and the
members of the Accounting department to the Accounting group, as shown in this simplied diagram:
4 In the Document Manager, you navigate to Shared Folders and create two
subfolders: Accounting and Travel.

5 You open the properties for the Travel folder and grant the Travel group Read,
Write, Delete, and Administer (RWDA) permission.

6 You grant the Accounting group similar permission to access the Accounting
folder.
7 You deny Solutions Users access to both these folders. 8 You grant the Administrators group RWDA access to both folders.
The results are as follows:

Folder Shared Folders Shared Folders/ Travel Shared Folders/ Accounting Travel Group RWDA RWDA None Accounting Group RWDA None RWDA Administrators Group RWDA RWDA RWDA Other Solutions Users RWDA None None
As a result, only members of the Accounting and Administrators groups can view the
Accounting folders. Only members of the Travel and Administrators groups can view the Travel folders.
Secure Content for SAS Web OLAP Viewer

If you installed SAS Web OLAP Viewer, that application creates a Users folder that is parallel to the Documents folder in the Foundation repository. Within the Users folder, each user has a folder entitled userid, with these default permissions: the user is granted ReadMetadata and WriteMetadata permission, and PUBLIC is denied these permissions. There are no default permissions for Solutions Users or Administrators. As a result, users (including members of the Administrators) group cannot access the Permissions section of document properties, and users cannot move content in these folders.
3 To enable users to access the Permissions section of document properties in their

own folders, grant users Administer privileges for their Users\userid folders.
Secure Access for the SAS Guest User
59
3 To enable users to move content that is located in their own folders, grant
Administrators ReadMetadata and WriteMetadata privileges for each of the Users\userid folders.
3 To enable Administrators to access the Permissions section of document properties

in these user folders, grant Administrators Administer privileges for each of the Users\userid folders.
Secure Content for SAS Web Report Studio

If you installed SAS Web Report Studio, that application creates ReportStudio folders that are parallel to the Documents folder in each repository in which SAS Web Report Studio is deployed. There are no default permissions for Solutions Users or Administrators for these folders, although PUBLIC does have some default permissions. As a result, users (including members of the Administrators) group cannot access the Permissions section of document properties.
3 To enable users to access the Permissions section of document properties in their

own folders, grant users Administer privileges for their Users\userid folders.
3 To enable Administrators to access the Permissions section of document properties

in these user folders, grant Administrators Administer privileges for each of the Users\userid folders. For SAS Web Report Studio, user folders are named using the fully-qualied userid, such as domain_name\userid or machine_name\userid. Note: For more information about SAS Web Report Studio, including its use of temporary les, see SAS Web Report Studio Administration in the SAS Intelligence Platform: Web Application Administration Guide. 4
Secure Access for the SAS Guest User

The SAS Guest user is intended as a guest to the portal. Out of the box, sasguest is able to view solutions content. To deny this access, modify the default Access Control Template (ACT) for each repository other than the Foundation. Open the SAS Management Console and follow these steps for each repository except the Foundation:
1 Select the repository from the drop-down list. 2 Expand Environment Management
Control Templates.
I Authorization Manager I Access
3 Right-click Default ACT and select Properties. 4 Click the Users and Permissions tab. 5 Click the Add button. 6 Move the SAS Guest user from Available Identities to Selected Identities
and click OK.

7 With SAS Guest highlighted in the names box, select the Deny check box for each
of the permissions.
8 Click OK.
You do not need to change any of the other ACTsfor example, the SolutionsFolderACT. Note: Do not make these changes to the Foundation repository. Doing so causes errors in the portal. 4
60
Restrictive Permissions Property
Chapter 5
Restrictive Permissions Property

In the Application Conguration of SAS Solutions Services, the
Security.RestrictiveDocumentManager property allows sites to specify whether they
want restrictive permissions to be applied when new content is created through the Document Manager classes. This propertys default value is false. Modifying its value is a customization.
Creating Site Content

There are several ways to create content for your site, including the following: 3 creating standard reports by running stored processes that are shipped with the solutions 3 creating and running site-specic stored processes (a customization) 3 importing content from external le systems
Create Stored Process Reports

The SAS Content folder contains many items that are shipped with the solutions, including standard reports. A standard report is often shipped as a stored process, with the expectation that what the non-administrative user desires to see is the output from the stored process. After creating the Shared Documents folder structure in the appropriate repository, follow these steps to create stored process reports: 1 In the Document Manager, select the appropriate repository. 2 Determine which of the standard reports from the SAS Content folders might be useful at the site. 3 Create stored process reports in the appropriate folders. Standard reports that accept parameters can have multiple output reports, so that you can tailor the output to users needs. and select Create Output. 4 To create a report, click the action menu 5 Set the reports name, any parameters, and location (such as Shared Documents or a subfolder). 6 After creating a stored process report, you can set additional properties, including alerts attached to the report and permissions for accessing the report. To run a stored process report, click the action menu and select Refresh. Note: A stored process report is a pointer to a stored process. In order to refresh a stored process report, users must have read permission for the stored process itself. The output from a stored process report is not written to the folder that was specied in SAS Management Console as the collection path for the stored process. Instead, the folder name is the global unique identier (GUID) of the stored process report. As a result, you can create multiple stored process reports for the same stored process, each report with its own parameter values and its own output. 4
Enable Users to Refresh Stored Process Reports

If you install SAS Human Capital Management and create stored process reports, you should grant members of the Solutions Users group ReadMetadata permission for the stored processes. Otherwise, those users cannot refresh the stored process reports.
Import Content
61
To add this permission:

1 In the SAS Management Console, select the HR repository. 2 In the navigation tree, select BI Manager
Content
I Standard Reports.
I BIP Tree I Documents I SAS
Under Standard Reports, there are several folders, each with a number of stored processes.
3 For each stored process that you want the Solutions Users group to be able to
refresh: Right-click the stored process and select Properties. Click the Authorization tab. Click Access Control Templates. In the Add/Remove Access Control Templates dialog box, move HRStoredProcessACT from the Available column to the Currently Using column. In addition to granting ReadMetadata privileges to Solutions Users, this ACT grants Administrators all privileges for the stored process. e Save your changes.
a b c d
For more information about Access Control Templates (ACTs), see the SAS Intelligence Platform: Security Administration Guide.
Import Content
Content of supported types can be imported from external le systems. This content is also registered in the appropriate Shared Document folders. See What Is Content? on page 51.
62
63
CHAPTER
6
J2EE Server Administration
BEA WebLogic Administration 64 Controlling the WebLogic Managed Servers 64 About the Managed Servers 64 Start the Managed Servers 64 Stop the Managed Servers 64 Conguring the Managed Servers 65 The Common Environment 65 Startup Scripts 65 URL Mapping 66 Execute Queues 67 Load Order for Themes 68 Setting Up Managed Servers as Windows Services 68 Changing the Port Number for a Managed Server 69 Change the Port Number for SASManagedServer 69 Change the Port Number for SASODCSServer 71 Selecting an Alternative Port 71 IBM WebSphere Administration 71 General Information 71 Start and Stop WebSphere Servers 71 Set Total Transaction Lifetime Timeout 72 Increase the Log File Size 72 Suppress Warning Messages for Data Access 73 Congure Starting Weight for Themes 73 Update jdom.jar after an Upgrade 73 Conguring the Web Applications 74 About Deployment Descriptors 74 Set Session Timeout Values 74 Set Timeout Values for Remote Portlet Sessions 74 Conguring Themes 75 Make the Winter Theme Available 75 Move Themes to a Web Server 75 Using ODCS Clustering to Reduce Wait Time 76 Overview of ODCS Clustering 76 Congure ODCS Target Machines 77 Congure ODCS Server Options 78
64
BEA WebLogic Administration
Chapter 6
BEA WebLogic Administration

Controlling the WebLogic Managed Servers
The following instructions assume that you installed the WebLogic administrator as a service, or that you started it from a command le.
About the Managed Servers

Depending on which solutions you installed and your choices during the conguration steps, your system might have two or more managed servers: 3 SASManagedServer, where SAS Solutions Services and the solutions run. 3 SASODCSServer, where the ODCS application runs. 3 the domain servers, where SAS Web Report Studio and SAS Web Report Viewer run. Each repository has its own domain server.
Start the Managed Servers

To start the managed servers: 1 First start the remote services (see Start the Remote Services on page 94). Note: The remote services and the managed servers must be started togetherrst the remote services, and then the managed servers. If you restart one, you must restart the others as well. This is true whether you start the remote services manually or as a service. In addition, when you restart the remote services and the managed servers, you should also restart the object spawner. 4 2 From the Windows Start menu, select SAS I SASSolutionsCong I Start ODCS. Note: This path will be slightly different if you used a conguration name other than SASSolutionsCong.
I SASSolutionsCong I Start WebLogic. 4 If you have installed any domain servers, start them with these commands from the Windows Start menu: 3 SAS I SASSolutionsCong I Start FoundationServer 3 SAS I SASSolutionsCong I Start SolutionServer 3 SAS I SASSolutionsCong I Start FinanceServer 3 SAS I SASSolutionsCong I Start PerfMgmtServer 3 SAS I SASSolutionsCong I Start HRServer
3 From the Windows Start menu, select SAS
For startup options that affect these commands, see The Common Environment on page 65 and Startup Scripts on page 65. Note: If you are running SAS Human Capital Management: we recommend that you restart the managed servers, as well as the SAS application servers, once a week to ensure best performance. 4
Stop the Managed Servers

To shut down a managed server from the WebLogic Administration console, complete these steps:
Conguring the Managed Servers
65
1 Log on to the WebLogic Administration Console at the following location: http://
hostname:7501/console.
2 Find SASSolutions
SASManagedServer and select Start/stop this server.
I Servers in the tree in the consoles left panel. Right-click
3 From the Start/Stop page that appears, select Graceful shutdown of this
server or Forced shutdown of this server. For an explanation of each type of
shutdown, consult the WebLogic documentation.

During installation and conguration, the WebLogic managed servers are congured to default values. For reference, this section describes some of those settings.
The Common Environment

The WebLogic le BEA-home-dir\weblogic81\common\bin\commEnv.cmd initializes the WebLogic environment for the Admin server and for the managed server instances. The WEBLOGIC_CLASSPATH is set in this le. In particular, note the following: 3 MySQL JDBC Driver: For WebLogic to access the MySQL database, the JAR le for the MySQL JDBC driver must be on the classpath for the managed servers. Make sure that the WEBLOGIC_CLASSPATH includes this JAR le. If the Pointbase JAR les are also on the classpath, the JAR le for the MySQL driver should come rst. 3 Patches: Your installation might include a number of security patches. For information about the latest security patches available, see the BEA Advisories & Notications Web page (http://dev2dev.bea.com/resourcelibrary/ advisoriesnotifications/index.jsp). The JAR les for these patches (typically located in BEA-home-dir\weblogic81\server\lib) should be referenced in the WEBLOGIC_CLASSPATH, before the references to weblogic_sp.jar and weblogic.jar. Note: BEA recommends placing a reference to weblogic_sp.jar in the classpath even though the lib directory might not currently contain such a JAR le.
Startup Scripts
During installation and conguration, the JAVA_OPTIONS in the startup scripts are set to default values, which might vary for different managed servers. However, each site needs to determine its optimal settings based on the server size and other factors. In particular, note these JAVA_OPTIONS and MEM_ARGS settings:
66
Chapter 6
Option -Xms860m -Xmx860m
Description These MEM_ARGS settings specify the initial and maximum total heap size. If the server allows NT remote terminal services, the values of 860m are correct for the SASManagedServer and the ODCSManagedServer. If the system has at least 4 GB of memory, use 960m rather than 860m. If the server does not allow remote terminal services, you should set both Xms and Xmx to 1280m (the maximum permitted value). Logging conguration le. The typical location is file:///c:/SAS/SASSolutionsConfig/Lev1/web/ Deployments/SASSolutionsServices/logging.xml
-Dlog4j.conguration
If you have installed SAS Human Capital Management, increase the heap size for the HR managed server as follows: Note: Do not make this modication if you have a single-machine installation.
1 Change directory to BEA-home-dir\user_projects\domains\SASSolutions. 2 Open the startHRServer.cmd le for editing. 3 Find this line:
set MEM_ARGS=-Xms512m -Xmx512m
4 Change the line as follows:

set MEM_ARGS=-Xms860m -Xmx860m
If the server has at least 4 GB of memory, specify 960m rather than 860m.
5 Save the le.
The change will be applied the next time you restart the managed server.
URL Mapping
WebLogic appears to treat domains differently if they are referenced differently (for example, http://Dxxx/yyy and http://Dxxx.mycompany.com/yyy). This causes problems when a Web application stores information in the HttpSession context. There is a conguration parameter called Frontend Host that addresses this issue. According to the WebLogic documentation, this parameter is set when the Host information coming from the URL might be inaccurate due to the presence of a rewall or proxy. If this parameter is set, the HOST header is ignored and this value is always used. To modify the Frontend Host parameter: 1 Open the WebLogic Administration Console. 2 Under the Servers node of the tree, click the name of the server (for example, SASManagedServer). 3 On the page that appears, select Protocols I HTTP. 4 Click the Show link beside Advanced Options. 5 In the Frontend Host box, enter the fully qualied name of your site (for example, sasmachine.mycompany.com). 6 In the Frontend HTTP Port box, enter the number of the port for this managed server. 7 Click Apply to update the conguration le cong.xml.
67
Note: You need to restart the server for the changes to take effect.
web_server.html.
For more information, see http://e-docs.bea.com/wls/docs81/adminguide/
Execute Queues
Execute queues help to prevent deadlock conditions when applications call into one another. Requests are placed in an execute queue and are assigned to a thread within that queue. By default, the solutions conguration process creates the execute queues described below and assigns them to the appropriate applications. If you need to create and assign these execute queues manually, follow these steps:
1 Log on to the WebLogic Administration Console. 2 Open the Servers node of the tree. 3 Right-click the server denition where the portal is running, and select the View
Execute Queues menu option.

4 On the page that is displayed, click Configure a new Execute Queue. 5 Enter the Queue Name and Thread Count, as shown in the following table. In the
table, the Location of weblogic.xml File is relative to where you deployed the applications; typically, they are deployed to BEA-home-dir\user_projects\domains\SASSolutions\applications. The suggested thread count values should be sufcient for most loads. You might need to modify this value for your site.
Table 6.1 Execute Queues
Thread Count 25 5 5 15
Queue Name sas.portal.default sas.doc.default sas.themes.default sas.commonapps.default
Location of weblogic.xml File Portal.war\WEB-INF SASDoc.war\WEB-INF SASTheme_default.war\WEB-INF sas.solutions.services.ear\ sas.solutions.commonapp.war\ WEB-INF sas.solutions.odcs.ear\ sas.solutions.odcs.services.axis.war\ WEB-INF sas.solutions.scorecard.ear\ sas.solutions.spm.webapp.war\ WEB-INF
sas.solutions.odcs.webservices 20
sas.spm.webapp
50
6 Click Create at the bottom of the page to update the WebLogic conguration le
(cong.xml) for that application.

7 In the relevant weblogic.xml le (as listed in the table), add a
<wl-dispatch-queue> entry like this:

<weblogic-web-app> ... <wl-dispatch-policy>queue_name</wl-dispatch-policy> </weblogic-web-app>
68
Setting Up Managed Servers as Windows Services
Chapter 6
Replace queue_name with the name you gave to the execute queuefor example, sas.portal.default or sas.themes.default. Note: If you deploy additional themes, they can share the same execute queue. Typically, you create a new theme by copying an existing theme and modifying the copy. As a result, the new theme has a copy of weblogic.xml with the execute queue already dened.
8 Save the le. 9 Restart the remote services and the managed servers.
For more information, see the WebLogic Administration Consoles online help.
Load Order for Themes

For the applications to load correctly, the deployment load order for the themes should be lower than the load order for the deployed applications. The reason for changing the load order is to make sure that the theme is loaded by the time the user accesses the portal. Otherwise, the portal displays a message advising the user to wait. Note: If you have deployed the themes to the Apache HTTP server, load order does not apply. 4 By default, both SASTheme_default and SASTheme_winter have load orders of 10. If you need to change the load order for a theme: 1 Open the WebLogic Administration Console.
2 In the tree on the left, click Deployments.
The Deployment Order page appears, listing the currently deployed applications. 3 Click the Change button associated with the theme. 4 On the Change Deployment Order page, give this theme a load order that is less than that of the other deployed applications. 5 Click Apply to update the conguration le cong.xml. You must restart the managed server for the change to take effect.
Setting Up Managed Servers as Windows Services

To set up your WebLogic managed servers as Windows services, follow these instructions: For each server you want to install and run as a service: 1 Change directory to BEA-home-dir\user_projects\domains\SASSolutions.
2 If you installed SAS Human Capital Management, modify the heap allocation for
the HR server, as follows: Note: Do not make this modication if you have a single-machine installation.
a Open the installHRServerService.cmd le for editing. b Find this line: set MEM_ARGS=-Xms512m -Xmx512m c Change the line as follows: set MEM_ARGS=-Xms860m -Xmx860m
If the server has at least 4 GB of memory, specify 960m rather than 860m.
d Save the le.
Changing the Port Number for a Managed Server
69
3 Run the installation script. 4 You can now start the service from Administrative Tools
I Services. The next time you restart your system, the service is started automatically.
Use the install-command from the table below.
Note: These scripts contain a dependency on the Admin server. To facilitate that dependency, the script to install the Admin server as a service (installService.cmd) species a delay of 60000 milliseconds. The delay causes Windows to wait for that amount of time before notifying dependent servers that they may start. To verify that a server has started, open the WebLogic Administration Console and navigate to SASSolutions I Servers I server-name. In the panel on the right, click the Control tab and then the Start/Stop tab. The page that appears shows the server statusfor example, STANDBY or RUNNING.
Note: If you make changes such as modifying the MEM_ARGS option or the WebLogic password, you will need to uninstall and reinstall the service. The table below lists the uninstall commands for each service. 4
Table 6.2 Service Install and Uninstall Commands
server-name SASODCSServer install-command installODCSService uninstall-command uninstallODCSService uninstallSASManagedService uninstallHRServerService uninstallFinanceServerService uninstallSolutionServerService uninstallFoundationServerService
SASManagedServer installSASManagedService HRServer FinanceServer SolutionServer FoundationServer installHRServerService installFinanceServerService installSolutionServerService installFoundationServerService
Change the Port Number for SASManagedServer

To change the port number for SASManagedServer:
1 Change the number for the Listen Port in WebLogics cong.xml le.
You can change this value by editing cong.xml (while the managed server is not running) or by modifying the managed server conguration in the WebLogic Administration Console. The cong.xml le is located in BEA-home-dir\user_projects\domains\SASSolutions.
SAS-config-dir\Lev1\web\Deployments\SASSolutionsServices.
3 Open EnvironmentFactory.xml for editing and change the port references
appropriately. If you were using the default port number, then you would replace all references to 7001 with the new port number. For information about port usage, see Selecting an Alternative Port on page 71.
4 Open the EnvironmentFactory.odcs.xml le for editing and change the port
references appropriately.
70
Chapter 6
5 Copy the EnvironmentFactory.xml le to this location:
BEA-home-dir\user_projects\domains\SASSolutions\applications\ sas.solutions.services.ear\sas.solutions.common.war. (This will overwrite the copy that resides in that directory.) 6 Change directory to BEA-home-dir\user_projects\domains\SASSolutions. 7 Update the JAVA_OPTIONS variable in startManagedWebLogic.cmd to include an additional specication: -Djava.naming.provider.url=t3://host:port. Note: If you have installed the managed server as a service, you need to uninstall the service, modify the JAVA_OPTIONS variable in the installation command le, and then reinstall the service. For details about uninstalling and installing the service, see Setting Up Managed Servers as Windows Services on page 68. 4 8 Change directory to BEA-home-dir\weblogic81\server\lib. 9 Update the weblogic.policy le to provide socket permissions as appropriate. See this example:
// ------------------ Socket Access to Themes -------------permission java.net.SocketPermission "localhost:port", "connect, resolve"; // ---------------------------------------------------------
SAS-install-dir\SASSolutionsServices\1.3\RemoteServices.
11 Update the StartRemoteServices.bat le to change the
java.naming.provider.url system property to match the port number that you
supplied in Step 1:
set SERVICES_OPTS=%SERVICES_OPTS% -Djava.naming.provider.url=t3:// host:port
12 Change directory to the directory in which your SASV9.CFG le residesfor
example, !SASROOT\nls\en.
13 Update the JREOPTIONS system option of SASV9.CFG so that the
-Denv.factory.location contains the new port number. 14 Using the Conguration Manager plug-in of SAS Management Console, update the connection information for all appropriate applications and modules for each repository:
a From the Repository drop-down list, select the appropriate repository. Conguration Manager. b Expand Application Management c Right-click the application or module name and select Properties.
Do not modify Operational Data and Compute Server, because it runs on the SASODCSServer. Do not modify the WRS Component modules (if they exist) if they run on separate domain servers. d Click the Connection tab. e Update Host Name and Port Number as appropriate. f Save your changes. 15 Restart the remote services, the managed servers, and the object spawner. 16 If you have installed SAS Financial Management Studio or SAS Dimension Editor:
a Open the applications .ini le for editing. b Find the -Denv.factory.location parameter and change its port number. c Save your changes.
Start and Stop WebSphere Servers
71
17 If you have installed SAS Financial Management Add-In for Microsoft Excel or
SAS Solutions Services Add-In for Microsoft Ofce, be sure to use the new port number when you log on to SAS.
Change the Port Number for SASODCSServer

To change the port number for SASODCSServer: 1 Modify the port number in the cong.xml le. 2 Update the EnvironmentFactory.xml ile and the EnvironmentFactory.odcs.xml le by modifying the port number for the ODCS server. If you had been using the default port number for the ODCS server, then you would replace all references to 7002 with the new port number. 3 Copy the EnvironmentFactory.xml le to this location: BEA-home-dir\user_projects\domains\SASSolutions\applications\ sas.solutions.services.ear\sas.solutions.common.war. 4 In the SAS Management Console, modify the Connection property for the Operational Data and Compute Server in the Solutions repository. 5 Restart the remote services and the managed servers. For details about any of these steps, see Change the Port Number for SASManagedServer on page 69.
Selecting an Alternative Port

For WebLogic managed servers, we recommend that you stay in the range between 7001 and 7011. For a list of the ports that are used in a default solutions deployment, see Appendix 1, Default Port Usage, on page 143. Most ports below 1024 are reserved for system use and should not be used without extra consideration. In particular, port 443 should not be used for an installation unless SSL support is enabled. Port 443 is reserved for that communication, and Java application servers have special cases for its usage. For example, during any redirection, WebLogic drops port 80 and port 443 from the UR, if either port is specied.
IBM WebSphere Administration

General Information
On UNIX systems, WebSphere is typically installed at /usr/local/WebSphere. The deployment directory for solutions applications is WebSphere-install-dir/ AppServer/installedApps/network_cell_name, where network_cell_name is the cell name of the deployment manager node. For information about log les that are generated by WebSphere, see Log Files on the Middle Tier on page 147.
Start and Stop WebSphere Servers

Before starting the WebSphere managed servers, start the remote services. For instructions, see Start the Remote Services on page 94. To start a managed server:
72
Set Total Transaction Lifetime Timeout
Chapter 6
1 Start the deployment manager, if necessary:

a Change directory to WebSphere-install-dir/DeploymentManager/bin. b Run these commands: ./startManager.sh ./startNode.sh
For more information about these commands, see the WebSphere documentation.
2 Log on to the WebSphere administrative console. 3 In the navigation tree, select Servers 5 Click Start.
I Application Servers.
4 On the Application Servers page, select the check box for the appropriate server.
To stop a managed server:

1 Log on to the WebSphere administrative console. 2 In the navigation tree, select Servers 4 Click Stop.
3 On the Application Servers page, select the check box for the appropriate server.
Set Total Transaction Lifetime Timeout

With WebSphere, the Total transaction lifetime timeout value species the length of time, in seconds, for a transaction to be completed before it is rolled back. The default value that is congured by the solutions is 1800 seconds (30 minutes). If your conguration needs additional time, increase this value as follows:
1 Log on to the WebSphere administrative console. 2 In the navigation tree, select Servers
3 On the Application Servers page, click the server name. 4 Under Additional Properties, click Transaction Service. 5 Specify a new value for Total transaction lifetime timeout. 6 Save your changes.
Increase the Log File Size

The default sizes for log les and history les might be too small to capture substantial logging. To change the log settings:
1 Log on to the WebSphere administrative console. 2 In the navigation tree, select Troubleshooting 4 Click JVM Logs. 5 For the System.out log, nd the File Size for the Log File Rotation and
I Logs and Trace.
3 On the Logging and Tracing page, click the server name.
change the Maximum Size from 1 MB to 10 MB. You can adjust this value to suit your conguration.
6 To save log les that have been rotated, increase the value of Maximum
Historical Log Files.

7 Make the same changes for the System.err log. 8 Save your changes.
Update jdom.jar after an Upgrade
73
Suppress Warning Messages for Data Access

WebSphere logs a warning message when an application event spawns a thread and later uses that thread to access data. To suppress these warning messages:
1 Change directory to WebSphere-install-dir/DeploymentManager/properties. 2 Open jc2.properties for editing. 3 Find this comment block:

4 Remove the comments and change the value of <logMissingTranContext> from
true to false.
The results should look like this:

<cm-properties> <manageCachedHandles>false</manageCachedHandles> <logMissingTranContext>false</logMissingTranContext> </cm-properties>
5 Save your changes. 6 Restart the managed servers.
Congure Starting Weight for Themes

The starting weight for themes should be set to a lower value than that of the other applications. The solutions conguration gives the Default theme and the Winter theme starting weights of 1. If you deploy additional themes, you should give them the same starting weight, as follows:
1 Log on to the WebSphere administrative console. 2 Use the tree on the left side of the console to navigate to the Enterprise
Applications Wizard (for example, Applications

3 Select the link for your new theme. 4 Change the Starting Weight value to 1. 5 Click OK.
I Enterprise Applications).
6 On the Enterprise Applications screen, click the Save link in the Message(s) area. 7 On the Save screen, click Save to save the changes to the master conguration.
Note:
If you deploy themes to an HTTP server, then starting weight does not apply.
Update jdom.jar after an Upgrade

During the solutions conguration, the jdom.jar le is copied from the sas.workow.ear application to the WebSphere/AppServer/lib and WebSphere/ DeploymentManager/lib directories. Upgrading WebSphere might overwrite these JAR les. If so, you should copy them again from the sas.workow.ear application.
74
Conguring the Web Applications
Chapter 6
Conguring the Web Applications

About Deployment Descriptors
Most of the application confguration is handled during the installation and congurations steps of the installation. The deployment descriptors for an application contain conguration information for the application. For example, they can disable checking for JSP or servlet updates or congure session timeout values. The Web applications have at least one deployment descriptor, web.xml, that is located in the WEB-INF directory of the application. If you update web.xml, you need to redeploy the application or restart the managed server for the change to take effect. Note: An application can have additional deployment descriptors that are specic to the J2EE application server. For more information, see the BEA WebLogic or IBM WebSphere documentation. 4
Set Session Timeout Values

The HttpSession timeout value governs the amount of time that any particular user login can remain idle before it is cleaned up. Larger values increase the users think time and enable the user to deal with interruptions without being forced to log on again. Smaller values increase the security of the application, because a user away from his or her desk will time out more quickly, preventing a malicious user from accessing the application under the original users credentials. Each session ties up server resources, so it is important to nd the right balance of user friendliness, security, and resource needs when setting this value. By default, the solutions set the timeout value in the web.xml le to 30 minutes, as shown below:
<session-config> <session-timeout>30</session-timeout> </session-timeout>
If you change the timeout settings, we recommend that they remain consistent across Web applications. New settings apply the next time you start the managed server. For more information about session timeout, see http://e-docs.bea.com/wls/docs81/ webapp/sessions.html and http://e-docs.bea.com/wls/docs81/webapp/ web_xml.html#1017275.
Set Timeout Values for Remote Portlet Sessions

In addition to the session timeout values, the web.xml les for some of the Web applications dene a lter for handling remote portlet sessions. This value is in milliseconds and should be synchronized with the regular session timeout. The denition should resemble the following:
<filter> <filter-name>RemoteSessionFilter</filter-name> <filter-class> com.sas.webapp.remote.session.RemoteSessionFilter </filter-class> <init-param>
Move Themes to a Web Server
75
 <param-name>session-timeout</param-name> <param-value>1800000</param-value> </init-param> </filter>
Conguring Themes
Make the Winter Theme Available

A theme is composed of style sheets, images, and templates that affect the look and feel of the portal pages. On the Preference page, portal users can select a default theme for their personal portals. The installation includes two themes: SASTheme_default, which is automatically deployed and added to the metadata repository, and SASTheme_winter, which is deployed but not added to the metadata repository. Note: For instructions about deploying a theme to the Apache Web server instead, see Move Themes to a Web Server on page 75. 4 To make the Winter theme available to users, you must add the theme connection to the metadata repository, as follows:
1 In SAS-install-dir\Web\Portal2.0.1\OMR, open LoadThemeConnection.sas for
editing.
2 Find this line:
%let SWCName=SASTheme_default;
3 Change SASTheme_default to SASTheme_winter. 4 Find this line:

%let service=/SASTheme_default;
5 Change /SASTheme_default to /SASTheme_winter. 6 If necessary, change the metadata options, host name, and port. The host name
and port should be the fully-qualied host name and port number for the Web server or J2EE application server to which the theme was deployed. (For WebLogic, the port is typically 7001.)
7 Save the le with a different name and a .sas extension (for example,
LoadWinterThemeConnection.sas).
8 Right-click the le and select Batch Submit with SAS 9.1. 9 Restart the remote services and the managed servers.
Move Themes to a Web Server

If your conguration includes a Web server that runs on a separate physical machine from the J2EE application server, you can realize signicant performance improvements by moving the theme applications from the J2EE application server to the Web server. This performance improvement is normally seen when the system is running under a heavy Web client load.
76
Using ODCS Clustering to Reduce Wait Time
Chapter 6
If you are using WebSphere, you cannot deploy themes to the same server that is used by applications that reference those themes; doing so causes eventual thread lock. You can deploy them to a separate WebSphere instance that does not share the same thread pool or to a Web server such as Apache HTTP Server, Microsoft Internet Information Services ( IIS), or Apache Tomcat. The instructions for deploying a theme to a Web server are similar, regardless of the brand of server. To deploy the default theme to the Apache Web server:
1 Copy the contents of
SAS-config-dir\Lev1\web\webapps\exploded\SASTheme_default.war to Apache-install-dir\htdocs\SASTheme_default. (Do not use a .war extension.)

2 Restart Apache. 3 Open the SAS Management Console. 4 Select the Foundation repository. 5 In the Conguration Manager plug-in, right-click SASTheme_default and select
Properties.
6 Select the Connection tab. 7 Change the Host Name to contain the fully-qualied name of the Apache Web
server host.
8 Change the Port Number to contain the port number for the Apache Web server
(for example, 80).

9 Save your changes. 10 Open the J2EE application servers administrative console and undeploy (stop) the
SASTheme_default application.
11 Restart the remote services and the managed servers.
Be sure that the HTTP server is running before you start the managed servers. To deploy the default theme to Apache Tomcat, you would copy the contents of
SAS-config-dir\Lev1\web\webapps\exploded\SASTheme_default.war to Tomcat-install-dir\webapps\SASTheme_default. (Do not use a .war extension.)
If you use Xythos WebFile Server as your WebDAV server, you cannot use the same instance of Tomcat for the themes. However, you can install another instance of Tomcat. It must use different port numbers for the listen port and the shutdown port. (These port numbers are dened in the server.xml le, which is located in the Tomcat-install-dir\conf directory.)
Using ODCS Clustering to Reduce Wait Time

Overview of ODCS Clustering
ODCS clustering is an optional conguration that is designed to reduce the wait time for ODCS processing in multi-user environments. With clustering, ODCS jobs are automatically routed to various machines where the ODCS query processor is running. Clustering is most effective in situations where there are many users with small requests. It does not speed up single computationally-expensive queries. Note: ODCS clustering has no relationship to WebLogic clusters.
Congure ODCS Target Machines
77
Congure ODCS Target Machines

For ODCS clustering, each target machine must be network-accessible from the ODCS server, and each target machine must have installed the JDK (for the correct version, see the system requirements document). To congure a machine for ODCS clustering:
1 Create a directory on the target machine. 2 Copy each of the JAR les from the ODCS deployment directory to the target
directory. 3 On the target machine, run the query processor:

java -classpath jarfiles -Xms800m -Xmx800m -Xss128k -Dodcs.dispatcher.host=host QueryProcessor
3 jarles is a list of the JAR les that you copied in the previous step. Separate
the lenames with semicolons. Typically, you would create a batch le that dynamically creates the CLASSPATH from the set of JAR les, rather than listing each JAR le separately. You could also create a batch le that both copies the JAR les to a target machine and runs the query processor. 3 -Xms and -Xmx represent initial and maximum total heap size. For best results, these values should be identical. 3 -Xss represents the thread stack size. A value of 128k is appropriate for Windows. On UNIX, use 256k instead. 3 -Dodcs.dispatcher.host species the name of the machine on which the ODCS application is running. You can include additional options, in the form -Doption=value, as described in the table below.
Option odcs.dispatcher.host Description and Default Value The TCP/IP port on which the in-process RMI registry is hosted by ODCS and through which the clustered query processors make the bootstrap contact. The default is localhost. odcs.dispatcher.passkey The password key handshake between the query processor and the dispatcher. If the passkey does not match, the query processor cannot connect to the dispatcher to run queries. The passkey must be specied by both the dispatcher and the query processor. The default value is passkey.
78
Congure ODCS Server Options
Chapter 6
Option odcs.queryprocessor.maxthreads
Description and Default Value The number of CPUs that are available on the machine that hosts the query processor. Because the algorithms are CPU-bound, adding more threads than physical CPUs will cause context switching and degrade performance. The default is <number of available processors>.
odcs.queryprocessor.reattach
If this value is set to false (the default), then the query processor shuts down when the ODCS dispatcher stops running. If the value is true, then the query processor waits for the dispatcher to start again and reattaches to the dispatcher immediately. In a production environment, reattaching might be practical. In a development environment, the typical reason for shutting down the ODCS server is to modify the JAR les; as a result, reattaching would result in a ClassCastException.
When a query processor is started, it checks to see if the ODCS server is running. If so, it attaches to the server and waits for the server to send it jobs to process. Otherwise, the query processor waits until the ODCS server starts and then attaches to the server.

The ODCS server (the managed server on which the ODCS application is running) acts as the dispatcher. When you start the server, you can pass it any of the optional arguments that are listed in the table below. Use the syntax -Doption=value.
Option odcs.dispatcher.port Description and Default Value The TCP/IP port on which the in-process RMI registry is hosted by ODCS and through which the clustered query processors make the bootstrap contact. The default port number is 9876. odcs.dispatcher.passkey The password key handshake between the query processor and the dispatcher. If the passkey does not match, the query processor is not allowed to connect to the dispatcher to run queries. The passkey must be specied by both the dispatcher and the query processorfor example, by passing this argument to the command lines of both the ODCS server and the query processor: -Dodcs.dispatcher.passkey=mysecretpassword The default is passkey.
79
Option odcs.dispatcher.ipfilter
Description and Default Value A comma-separated list of Internet addresses of machines that are allowed to connect. If you specify such a list, and a query processor tries to connect to an IP address that is not in the list, the connection is rejected. There is no default.
odcs.dispatcher.use.internal.qp
If true (the default), the dispatcher makes use of the built-in internal query processor, in addition to any external query processors that might be available. There are benets to running queries locally. In-process queries do not require the data to be serialized to them. Moreover, if you congure only a few external query processors, then the ODCS server might be better used to share the query load, in addition to the data and dispatch. If this argument is false, the dispatcher does not process any queries locally, so that it is always available to route queries to external query processors. This mode is useful if you have a large number of query processors.
80
81
CHAPTER
7
Portal Administration
About Portal Administration 81 Assigning a Content Administrator 81 Types of Content Administrators 82 Assign an Administrator for All Portal Content 82 Assign a Content Administrator for a Group 82 Creating Default Portal Pages 83 About Page Templates 83 Applying the Solutions Users Page Templates 83 Delete the PUBLIC Templates 83 Apply the Solutions Users Templates 83 Creating Custom Page Templates 84 Customizing the Portal 84 About Portal Customizations 84 My Favorites Portlets 84 My Alerts Portlets 87 About Alerts and My Alerts Portlets 87 Add a My Alerts Portlet 88 Add a Custom Alerts Portlet 88 URL Display Portlets 89 View a Report 89 Create a View a Report Portlet 89 Create a Link to a Document 90 Performance Management Portlets 90 Accessing the Default Portlets of the SAS Information Delivery Portal Securing Logs to Enhance Portal Security 91
91
About Portal Administration

This chapter describes how to set up default portal pages for different groups at a site, as well as how to customize the portal pages for an individual user. It also provides information about accessing the default portlets that ship with the SAS Information Delivery portal, securing logs, and initializing portal user data.
Assigning a Content Administrator
82
Types of Content Administrators
Chapter 7
Types of Content Administrators

It is recommended that you assign a user to administer portal content. This could be the user who is the system administrator for the site. You can assign a single user to administer all portal content, or you can assign different content administrators for different groups. These user identities must also have logins that can be authenticated on the metadata server host. Group content administrators can perform the following tasks:
3 Access content of all users, subject to le and folder permissions as described in

Chapter 5, Content Administration, on page 51. For example, only members of the Administrators group can access the Documents\SAS Content folders.
3 Share, unshare, and delete content with members of the group(s) which they
administer, subject to the le and folder permissions. For example, they could delete les from a users personal portal, or they could share users personal portlets or pages with other members of the group.
3 Create custom page templates in the portal. For more information about page
templates, see Creating Default Portal Pages on page 83.
Assign an Administrator for All Portal Content

To assign a user to administer all portal content, assign that user to the Portal Admins group, as well as the Administrators group. Members of the Portal Admins group can be considered as a kind of superuser and should not be used for general logging on to the portal. It is strongly recommended that you limit this group to as few members as possible.
Assign a Content Administrator for a Group

To assign a content administrator for a particular group:
1 Log on to SAS Management Console as the SAS Administrator. 2 In the Foundation repository, navigate to Authorization Manager
Management
I By Application I BIP Service.
I Resource
3 Expand the Portal Application Tree folder, and select the group for which you want
to assign a content administrator.

4 Right-click the group and select Properties. 5 In the Properties dialog box, click the Authorization tab. In the Names list box
on the Authorization tab, select a user to be the content administrator. If a particular user is not listed, click Add and use the Add Users and/or Groups dialog box to add the user. When you return to the Authorization tab, select that user in the Names list box. Note: You can also assign a group to be a content administrator, in the same way that you assign a user.
6 In the Permissions list, select Grant for the WriteMetadata permission.
Note: Be sure that the permission is directly assigned, instead of inherited. The check box for a permission that is directly assigned has no added background color. If the check box for a permission has a background color, clicking the check box will remove the background color and assign the permission directly.
Applying the Solutions Users Page Templates
83
Creating Default Portal Pages
About Page Templates

A page template denes the initial structure and default content of a page. Templates can dene which portlets are displayed on a page, the default content of those portlets, and their relative position on the page. When a user logs on to the portal, the system checks to see which groups the user belongs to, and loads the pages that are associated with those groups. If the user is a member of multiple groups, and each group is associated with its own set of page templates, then multiple pages are loaded. Working in the portal, the user or the administrator can customize the pages for that user, as described in Customizing the Portal on page 84. The solutions include a set of portal page templates that were created especially for solutions users. These templates dene a set of pages with predened portlets. All members of the Solutions Users group can view these portal pages. As part of the system conguration process, before users log onto the portal, you should delete the PUBLIC templates, and either load the Solutions Users templates, or load custom page templates that you create.
Applying the Solutions Users Page Templates
Delete the PUBLIC Templates

To delete the PUBLIC templates, so that they are not applied in addition to the Solutions Users templates, follow these steps:
1 On the data-tier server, change directory to
SAS-cong-dir\Lev1\SASMain\SASSolutionsServices\SASCode.
2 Run DeletePageTemplatePUBLIC.sas by right-clicking on the le and choosing
Batch Submit with SAS 9.1.
Apply the Solutions Users Templates

Apply the Solutions Users templates by following one of these procedures:
3 If you have licensed SAS Solutions Services with KPI and/or SAS Strategic
Performance Management and not SAS Financial Management:
SAS-cong-dir\Lev1\SASMain\SASSolutionsServices\SASCode.
2 Run LoadPageTemplateSolutionsHome.sas. 3 Run LoadPageTemplateSolutionsTasks.sas.
3 If you have licensed SAS Financial Management:

SAS-cong-dir\Lev1\SASMain\SASFinancialManagement\SASCode.
2 Run LoadPageTemplateSolutionsFMHome.sas. 3 Run LoadPageTemplateSolutionsFMTasks.sas.
84
Creating Custom Page Templates
Chapter 7
Note: The two SAS Financial Management jobs contain all the code that is in LoadPageTemplateSolutionsHome.sas and LoadPageTemplateSolutionsTasks.sas, as well as some additional code that is specic to SAS Financial Management.
Creating Custom Page Templates

Group content administrators can also create custom page templates in the portal. For information about creating custom page templates, search for page templates in the online Help.
Customizing the Portal
About Portal Customizations

While page templates determine the initial view when users log on to the portal, users go on to customize their own portal views. Here are some suggestions for customizations.
3 Home page: Every user should have a home page, and one is supplied by the
default portal templates.
3 Additional pages: The structure and content of additional pages depend on the
way each user or group of users wants to use the portal. Here are some examples of page functionality:
3 task-oriented pages: Managers, administrators, and executives have different

sets of tasks. The default template has an additional My Tasks page that is designed for an analyst.
3 goal-oriented pages: Each manager is responsible for a certain set of

objectives and goals for the organization and might have pages devoted to budgeting, nancial reports, and so on.
3 organization-based pages: Branches within the organization might have their

own pages.
3 Additional portlets: Users, or groups of users, will customize their pages. The
following sections contain examples of how some of the SAS Solutions Services portlets can be used. These portlets can also be added to the portal templates for a group of users. Note: To search for portlets, select Options Edit Content. Then click the Add Portlets button. On the Add Portlets to Page screen, select the Search tab, enter one or more keywords, and click Search. To nd all available portlets, use an asterisk (*) as the keyword. The available portlets are limited by the users
identity. For example, users who are not Administrators do not see the Solutions Web Administration portlet.
My Favorites Portlets
The My Favorites portlet has many uses. The portlet allows users to create lists of documents, les, folders, links, and tasks. Here are some examples of My Favorites portlets that users can create:
85
3 Daily Information
A My Favorites portlet containing URLs, folder links, document links, and tasks to generate information that the user looks at daily.
3 Corporate Information
A My Favorites portlet containing links to corporate information, such as the corporate home page and corporate Web applications. Note: When creating this portlet, add a link to the Shared Documents folder. This link allows users to access Document Manager folders without selecting the Manage Documents task.
3 My Tasks
A My Favorites portlet containing the appropriate tasks for that user. Tasks are Web applications that can be added to My Favorites portlets. The list of available tasks depends on the solutions that are installed:
Table 7.1 Tasks for the My Favorites Portlet
Task Manage Documents Manage Measures New Scorecard Project Manage Scorecard Projects Manage Financial Forms Description Opens the Document Manager, which enables users, and administrators in particular, to organize and manage content. Opens Measure Manager, which enables users to dene measures for use in KPIs and scorecards. If you have SAS Strategic Performance Management installed, these tasks open a new scorecard or KPI project or let you edit an existing project. Otherwise, the tasks are the same, except that the projects are restricted to KPI projects. If SAS Financial Management is installed, this task enables users to enter nancial data by means of forms that were designed in SAS Financial Management Studio. If SAS Human Capital Management is installed, these tasks enable users to browse employee demographic information, create a geographic analysis (a map-based analysis of employee information), or create an organizational analysis (a real or simulated organizational chart). If SAS Web OLAP Viewer is installed, this task enables users to open an information map, a data exploration, or a SAS OLAP cube. If SAS Web Report Studio is installed, this task enables users to create or edit a report using data from an information map.
Browse Employee Information New Geographic Analysis New Organization Analysis Open SAS Web OLAP Viewer Open SAS Web Report Studio
For more information about these tasks, see the online Help.
86
Chapter 7
3 Web Data Entry Forms

A My Favorites portlet with links to one or more forms, so that users can easily add data to the scorecard from the portal. To add a form to a portlet, follow these steps: 1 Open a scorecard project and select Project I Data Entry Forms to display the Manage Forms page. 2 Click the arrow next to the form name and select Add to Portlet from the menu. 3 Select a portlet from the Portlet list.
4 Click OK.
3 My Documents
A My Favorites portlet with document, folder, and URL links. Note: Suggest to users that they customize this portlet with a link to their Users folder.
3 My Scorecards
A My Favorites portlet with links to scorecard project documents.
3 My People
A My Favorites portlet centered around the corporations goals. A similar portlet might be called My Finances. 3 Corporate Documents A My Favorites portlet that is structured to reect the organizational or project structure at the company. This kind of portlet contains documents that are distributed to a group of people within a division or department, or to a group of people who are working on a particular project. To create this kind of portlet:
1 Use the Document Manager navigation pane to locate the folder containing
the documents that you want to make available.

2 Click Add to Portlet. 3 On the Add to Portlet page, select Show the contents of the folder. 4 From the Portlet drop-down list, select <Create a new portlet>. 5 Give the portlet a name and, optionally, a description. 6 Check Add to page and select a page from the drop-down list. 7 Click OK. 8 In the main Document Manager page, click the folder icon and choose
Properties to display the properties for this folder.

9 Opt-in to alerts for this folder by selecting to receive an alert when
documents are added or removed.
My Alerts Portlets
87
10 Optionally, open the properties of a document in the folder and opt-in to
receive an alert when a comment is added.
Note: Notications about comments are available only on the document level, not the folder level.
Depending on the number of portlets required, secondary pages can be created around the same concept.
My Alerts Portlets
About Alerts and My Alerts Portlets

An alert is a notication of an event that the user might need to respond to. There are three types of alerts:
88
My Alerts Portlets
Chapter 7
Alert Type User Opt-in
Description Alerts that users choose to receive by setting properties on a document or a folder in the Document Manager. For example, a user might ask to be informed of a document being added to a folder, or of a comment being added to a document. Notications of tasks that the user has to perform, such as approving a budget item. Users cannot choose not to receive these alerts. Notications of DataChanged events from SAS Data Integration Studio. (ETL notications are a subset of workow alerts.)
Planning Workow ETL Notications
All users should have a My Alerts portlet, typically one that receives only opt-in alerts. Data administrators should also have an ETL Notications alerts portlet so that they can be notied of DataChanged events. Finance approvers and submitters should have a To Do List portlet for their planning. Note: Multiple My Alerts portlets are permitted.
Add a My Alerts Portlet

To add an alerts portlet to a page:
1 From the Options menu, select Edit Content.
The Edit Page Content screen appears.

2 Click Add Portlets. 3 From the Portlet type drop-down list, select My Alerts. 4 Enter a name for the portlet and, optionally, a description and keywords. 5 Select the column that the portlet will appear in. 6 Click Add.
By default, the My Alerts portlet receives all alerts. However, after you create the portlet, you can edit it to select the type of alerts you want ("all" or a single type).
Add a Custom Alerts Portlet

You can also add custom alerts portlets that receive only ETL Notication alerts or only Workow alerts. To add a custom alerts portlet, follow these steps:
1 From the Options menu, select Edit Content.
The Edit Page Content screen appears.

2 Click Add Portlets. 3 Click the Search tab and search for one of the following strings:
3 to do: to nd To Do List portlets 3 ETL: to nd ETL Notications portlets

The search results display the Name, Description, Location, and Creation Date of each portlet. The Location column tells you which user or group the portlet applies to.
4 In the search results, check the box for the portlet you want to add. 5 Click Add.
The portlet is added to the current page.
View a Report
89
URL Display Portlets

You can add a URL as a link to a My Favorites portlet. You can also display the contents of a Web page by adding a URL display portlet. When you edit the portlet to add the URL, we recommend that you select Show URL content inside an I-Frame, which displays a complete HTML page within the I-Frame Height that you specify. Otherwise, the portlet displays an HTML fragment, which is subject to the portals security policies. For more information, see the online Help. Note: If the Web page allows navigation only via the browsers back button, it is best to tell users to select any links in the web page by right-clicking the link and selecting Open in New Window. 4
View a Report
Reports or documents that use graphs and that are viewed by the user on a regular basis are good candidates for a View a Report portlet, which displays the contents of a document rather than a link to the document.
Create a View a Report Portlet

To create a View a Report portlet, follow either of these procedures:
3 Create a portlet from an open document:

1 In the Document Manager, view the document. 2 At the top of the document, click Add to Portlet. 3 On the Add to Portlet screen, select Display a view of the document.
Note: Only certain document types, such as stored process reports and Web documents, can be displayed in a View a Report portlet. If the document type cannot be displayed in the portlet, then the only choice you see is to add a link.
4 Give the portlet a name and, optionally, a description. 5 Check Add to page and select a page from the drop-down list. 6 Click OK.
The portlet is created on the page you specied, and the document is displayed within the portlet, subject to your Internet Explorer settings. (Some documents might be opened in a separate browser window.)
3 Create a portlet and then add a document:

1 On a portal page, select Options
I Add portlets.
The Add Portlets page appears.

2 From the Portlet type drop-down list, select View a Report. 3 Enter a name for the portlet, and, optionally, a description and key words. 4 Select the column in which you want the portlet to appear. 5 Click Add. 6 Once the portlet is added to the page, click the Edit icon
in the portlet.
7 From the folders in the Document eld, select the document that you want to
appear in the portlet.

8 In the Height eld, enter the height of the IFRAME in pixels.
90
Performance Management Portlets
Chapter 7
9 Click OK.
Create a Link to a Document

Instead of adding a view of the document, you can add a link to the document. Follow these steps: 1 In the Document Manager, view the document. 2 At the top of the document, click Add to Portlet. 3 On the Add to Portlet screen, select Add a link to the document. 4 To add the link to an existing portlet, select the portlet from the drop-down list. 5 To add the link to a new portlet:
a Select and give the portlet a name and, optionally, a description. b Check Add to page and select a page from the drop-down list.
6 Click OK.
If you created a new portlet, a My Favorites portlet is created containing the link. Otherwise the link is added to the portlet you selected.
Performance Management Portlets

All Solutions Users can add the following portlets to their portals:
Table 7.2 Portlets Available with SAS Solutions Services
Portlet Type Performance Dashboard portlet Description Displays KPIs and scorecard elements in graphical format.Each element is represented by a dashboard that displays, in graphical format, the data ranges that have been dened. In addition to ranges, you can display comments, history data, and element properties from a dashboard. Displays data for the selected KPI or scorecard in tabular form.
Performance Table portlet
If you have licensed SAS Strategic Performance Management, the Performance Dashboard and Performance Table portlets display scorecard elements as well as KPIs, and the following portlets are also available:
Table 7.3 Portlets Available with SAS Strategic Management
Portlet Type Performance Aggregate Table portlet Performance Association portlet Performance Diagram portlet Description Displays data for the selected scorecard and all of its children. Displays the hierarchical relationship between scorecard elements of a single scorecard or project. Displays data in the form of diagrams, to illustrate the relationships between elements. The data can be based on project element types or scorecard element types.
For information about dening these portlets, see the online Help.
Securing Logs to Enhance Portal Security
91
Accessing the Default Portlets of the SAS Information Delivery Portal

The default conguration of SAS Solutions Services limits restricts the access that members of the Solutions Users group have to certain default portal portlets. These portlets might be of use to administrators or to sites that have a mix of BI and solutions content. To override the defaults and grant the Solutions Users group access to a given portlet, rst create the default portal pages as described in Creating Default Portal Pages on page 83. Then follow these steps:
1 In SAS Management Console, select the Foundation repository. 2 Open Authorization Manager
I Resource Management I By Type.
3 Under Prototype, scroll to nd the template for the portlet that you want to make
accessiblefor example, StoredProcessNavigator template.

4 Right-click the template and choose Properties. 5 On the Authorization tab, select Solutions Users and grant ReadMetadata
and WriteMetadata permissions.

6 Click OK.
Note: We recommend that you do not grant access to portlets (such as the Alerts portlet) that duplicate functionality that is already available with the SAS Solutions Services portlets. 4
Securing Logs to Enhance Portal Security

If a user has access to the logs on a machine or is given permission to read these logs, then the user could copy a session ID from the log and then access a portlet as another user. This scenario is possible because a URL is visible when the portal displays portlet messages. To prevent this type of security hole, it is strongly recommended that you secure machine logs.
92
93
CHAPTER
8
Application Administration
Administering the Remote Services 94 About the Remote Services 94 Start the Remote Services 94 Install a Service to Start the Remote Services 94 About Solutions Administration 96 Conguring Applications Using the SAS Management Console 96 About Conguration Settings 96 Modify Application Connection Information 97 Modify E-Mail Settings 97 Monitor Error Notications 99 Using the Solutions Web Administration Application 99 About the Administration Console 99 Open the Solutions Web Administration Application Directly 100 Add the Solutions Web Administration Application to a Portlet 100 Maintaining and Monitoring Solutions Applications 100 View Application Status 101 Generate and Send a Status Report 101 Quiesce the System 101 Restart the System 102 Working with Users 102 Tools for Working with Users 102 Send E-Mail to System Users 102 Send E-Mail to Selected Users 103 Force Users to Log Off 103 View an Audit Trail for a User 103 Clear Users in Role Cache 105 Conguring Log Files 105 Change the Logging Congurations 105 Dynamically Change Logging Levels 106 Using Command-Line Diagnostic Tools 106 Check System Status 107 About the status Command 107 Run the status Command 107 Display User Information 109 About the users Command 109 Run the users Command 109 Validate Group Assignments 109 Overview and Setup 109 Run UserGroupValidation 110 Validate the Domain for the SAS Stored Process Server 110 Overview and Setup 110
94
Administering the Remote Services
Chapter 8
Run StoredProcessValidation Validate the E-Mail Interface 111 Overview and Setup 111 Run MailValidation 111
111
Administering the Remote Services
About the Remote Services

The SAS Foundation Services provide access to several different capabilities in standard ways, such as logging, user authentication, state management, federated searches across disparate repositories, and so on. This set of services can be seen by any application at the site and is used as an integration point for all of the applications. At a site, there should be a single instance of the SAS Foundation Services that is running in a Java Virtual Machine (JVM) and that is designated as the remote services. The remote services that are installed with SAS Solutions Services augment the base functionality provided by SAS Foundation Services.
Start the Remote Services

The SAS solutions running on the managed servers communicate with remote services running in a separate JVM, as described above. You must start these services before you start the managed servers. In addition, whenever you restart the remote services and the managed servers, you should also restart the object spawner. To start the remote services, follow these instructions: 3 Windows: From the Windows Start menu, select SAS I SASSolutionsCong I Start SAS Services Application. 3 UNIX: Change directory to SAS-install-dir\SASSolutionsServices\1.3\RemoteServices, and type this command:
./StartRemoteServices.sh
Note: You should run only one instance of the remote services. For SAS Solutions Services, you must run the version that is located in SAS-install-dir\SASSolutionsServices\1.3\RemoteServices. 4 The log for the remote services (services.log) is located in SAS-cong-dir\Lev1\web\Deployments\SASSolutionsServices. For information about creating a more (or less) verbose log, see Conguring Log Files on page 105.
Install a Service to Start the Remote Services

On Windows, it is possible to install a service to start the remote services. To do so, follow these steps: 1 First, check to ensure that the remote services are not already installed as a service (named SAS Foundation Services). If the service is installed, run the UninstallRemoteServices.bat le that is associated with that service.
Install a Service to Start the Remote Services
95
SAS-install-dir\SASFoundationServices\1.1\Wrapper\conf.
3 Open the wrapper.conf le for editing. 4 Modify the service name and description:
a Find these lines: # Name of the service wrapper.ntservice.name=SASFoundationServices # Display name of the service wrapper.ntservice.displayname=SAS Foundation Services # Description of the service wrapper.ntservice.description=SAS Foundation Services remote deployment b Change the lines as follows: # Name of the service wrapper.ntservice.name=SAS Remote Services # Display name of the service wrapper.ntservice.displayname=SAS Remote Services # Description of the service wrapper.ntservice.description=SAS Remote Services remote deployment
5 To avoid outofmemory problems, modify the heap allocation for the remote
services by adding these lines to the wrapper properties:

# Java heap allocation wrapper.java.initmemory=512m wrapper.java.maxmemory=512m
Note: Each site must determine its optimal settings, which should be based on server size and other factors.
6 If your deployment metadata is stored in a SAS Metadata Repository, and the SAS
Metadata Server has been installed as a service on the same machine as the remote services, then you can specify a service dependency to ensure that the services start in the correct order. You can specify the service dependency by adding the following line to wrapper.conf:
wrapper.ntservice.dependency.1=Metadata-Service-Name
7 Save the le. 8 Change directory to SAS-install-dir\SASFoundationServices\1.1\Wrapper\bin. 9 Run the following command: InstallSolutionsRemoteServices.bat
Initially, you need to start this service manually. However, you can open the service properties and change the Startup type so that it starts automatically.
96
About Solutions Administration
Chapter 8
About Solutions Administration

SAS Solutions Services provides several utilities that can assist with the administration of solutions applications. These utilities include:
3 a Conguration Manager plug-in to the SAS Management Console

See Conguring Applications Using the SAS Management Console on page 96.
3 a Solutions Web Administration application that also includes a status display

portlet See Using the Solutions Web Administration Application on page 99.
3 command-line utilities
See Using Command-Line Diagnostic Tools on page 106.
Conguring Applications Using the SAS Management Console

About Conguration Settings
SAS Solutions Services provides a Conguration Manager plug-in to the SAS Management Console that you can use to modify application conguration attributes. This plug-in enables you to congure the various applications that obtain conguration settings from the SAS Metadata Server, including the SAS Information Delivery Portal, SAS Solutions Services, SAS Financial Management, and others. The Conguration Manager plug-in is available under the Application Management tree in the SAS Management Console. It supports application settings such as the application name, default presentation capabilities, e-mail and notication settings, display formats, and localization settings. To modify the conguration settings for the solutions:
1 In the SAS Management Console, select the appropriate repository. 2 Expand the Configuration Manager. 3 Right-click the application that has settings you want to modify and select
Properties from the pop-up menu.

4 Click the appropriate tab and review or modify the settings as needed. 5 Click OK to accept changes.
It is important to understand how application properties are honored:
3 All solutions applications inherit their settings from the SAS Solutions Services
properties.
3 Each application can dene a value for one or more properties as required. If a
setting is explicitly dened for an application, it always overrides a parent value. If a value is not explicitly set, the application looks up to its parent to obtain the appropriate setting. For example, if no setting is specically set in SAS Financial Management, it looks to SAS Solutions Services. Not all applications provide the same items to congure. Also, remember that if you want to make a change available to more than one application, you can modify the parent component or application. For example, if you wanted to set the default alert notications type for both SAS Strategic Performance Management and SAS Financial Management, you might set it at the SAS Solutions Services level. Such changes apply to all solutions applications unless they have their own settings. In addition, there can
Modify E-Mail Settings
97
be separate conguration settings within the solution applications themselves. Those conguration settings override any settings that are congured here.
Modify Application Connection Information

In addition to general application settings, the Conguration Manager provides a way to manage the connection information for a given application. This capability not only consolidates the information that identies where a particular application is deployed. It also makes it easy for one application to locate another via a metadata search. All applications that appear under the Conguration Manager have connection information that is initially congured during installation. You will need to update or modify these values if your server name changes or if you split the deployment of some applications across application servers. For example, you can deploy the SAS Documentation application and SAS Solutions Services on different servers. To modify the connection information for an application: 1 In the SAS Management Console, select the repository that hosts the applications metadata. 2 Expand the Configuration Manager. Then right-click the application that has settings you want to modify and select Properties from the pop-up menu. 3 Select the Connection tab and enter the appropriate information for Communication Protocol, Server Name, and Port Number. (You typically do not need to modify the Service attribute.) 4 Click OK to accept the changes. This connection information is used to construct the URL to access a particular application by combining the values for communication protocol, server name, port, and service. For example, the URL to the portal is derived from this connection:
http://server-name:port/Portal

To change the default e-mail settings for your site: 1 Select the E-mail tab of SAS Solutions Services properties. You see a window similar to this one :
98
Chapter 8
2 To change the host name, type a new value in the Host name of mail server
eld. This eld species the name of the SMTP server used to provide e-mail support. To modify the character set, select a new value from the drop-down list in the Character set for encoding e-mail eld. This value is set to UTF-8 by default. This setting should be correct for most congurations. To change the sender name from the default, type a new value in the Value of FROM field. The sender name applies to e-mail messages (such as alert notications) that are sent to end users. If you do not want users to reply to such messages, you might want to create a send-only account on your mail server that is valid. Users can then add the account to their safe senders list but cannot reply. This eld does not apply to administrative messages. Set the format of e-mail messages by selecting or deselecting the Use text/HTML MIME type check box. If the check box is selected, then e-mail messages use Multipurpose Internet Mail Extensions (MIME), an Internet standard for the format of e-mail. If the box is not selected, then e-mail messages are displayed as plain text. In the Recipients of admin. messages box, specify one or more e-mail addresses of administrators who should receive administrative messages. (See Monitor Error Notications on page 99.) To add an e-mail address, click Add and type an address in the selected box. To remove an e-mail address, select it and click Remove. In the Recipients of error messages box, specify one or more e-mail addresses of administrators who should receive error messages.
About the Administration Console
99
8 Save your changes.
You can test your e-mail settings with the MailValidation utility. See Validate the E-Mail Interface on page 111.
Monitor Error Notications

SAS Solutions Services provides an error-handling facility that directs all error notices from the user to a central administrator (or set of administrators). The error-handling facility routes a detailed error report to designated recipients. This error report contains the exception or event that occurred, as well as a snapshot of the state of the system at the time that the exception occurred. The system state information includes the following data: 3 build versions and metadata information
3 3 3 3
details about the user who encountered the error HTTP form parameters that might have been passed with the user request any values stored in the HttpRequest or HttpSession of the application the Java system properties available to the application server
This report can be useful in tracking down system conguration errors, user misuse of the system, or even defects in the applications themselves. You should keep a record of these notications and be prepared to make them available to SAS Technical Support. You can specify who receives the error notications for a given application in the Conguration Manager plug-in. To specify recipients for all solutions applications, dene the recipients on the E-mail tab of the SAS Solutions Services properties. You can also specify recipients for specic domain applications.
Using the Solutions Web Administration Application
About the Administration Console

The Solutions Web Administration application enables an administrative user to view, update, monitor, or maintain system information using its Administration Console. The Administration Console includes tabbed sections that provide the following capabilities.
100
Open the Solutions Web Administration Application Directly
Chapter 8
Table 8.1 Solutions Web Administration Capabilities

Tab Status Description Enables you to check the current system settings, including application and content conguration. For more information, see Maintaining and Monitoring Solutions Applications on page 100. Contains utilities for managing users, themes, logging, directives, and data security. For information about managing users, see Working with Users on page 102. For information about log les and changing logging levels dynamically, see Conguring Log Files on page 105. Creating and applying themes, directives, and security lters are customizations. Provides additional monitoring utilities for the Operational Data and Compute Server that is deployed with SAS Solutions Services.
Management
Data
Open the Solutions Web Administration Application Directly

Alternatively, members of the Administrators group can log on directly to the Solutions Web Administration application:
1 Direct your Web browser tohttp://server-name:port/SASSolutionsAdmin, where
server-name is the name of the server on which the applications are deployed and port is the port number (such as 7001 or 9098). A Log On page is displayed.
2 Enter your user ID and password credentials.
The Administration Console is displayed.
Add the Solutions Web Administration Application to a Portlet

The Solutions Web Administration portlet is available to members of the Administrators group. To add the portlet to a page in your portal, follow these steps:
1 Log on to the portal as a user who is a member of the Administrators group. 2 From the Options menu, select Edit Content. 3 Select Add Portlets. 4 Click the Search tab and search for admin. 5 Add the Solutions Web Administration portlet to your selected page.
The portlet displays general information about the application, such as the time that the system was started and the numbers of users. To access a Web application that provides more administrative information, select the More info link from the Solutions Web Administration portlet. This link gives you access to the Solutions Web Administration application.
Maintaining and Monitoring Solutions Applications

The Status tab of the Administration Console provides access to several functions that help you maintain and monitor SAS Solutions Services and the solutions. This section describes how to use the functions available from the Status tab as well as other monitoring tasks that you need to perform as a SAS Solutions Services administrator.
Maintaining and Monitoring Solutions Applications
101
View Application Status

The System Status tab displays a view of solutions applications that are deployed and running. The tree view on the left side of the page displays a hierarchical list of congured items. When the SAS Solutions node is active (which is the default view), the system start time, license summary, and version number of SAS Solutions Services are displayed. To view additional information, expand the SAS Solutions node. For example, you can select the Startup Configuration item to view the initial conguration settings. To view license information for a particular application, expand the Applications node, and then expand the node for the selected application. You can then select the License Information item.
Generate and Send a Status Report

The Solutions Web Administration application provides access to status and diagnostic information about the currently deployed Solutions applications. In addition to viewing this information in the Administration Console, you can also generate a report that contains an aggregation of the status information. The report contains information about SAS licenses, conguration details, connections, site-specic settings, SAS-supplied and customized content, and report exceptions. The information can be sent via e-mail as an HTML-formatted report. You can keep appropriate versions of the report if you need to contact SAS Technical Support with a problem. To send a status report via e-mail:
1 On the System Status tab of the Administration Console, select Send Status
Report on the toolbar. The Send Mail page appears.

2 In the To eld, enter the intended recipients mail address. 3 Modify the Subject eld if needed. 4 Click Send. A message is displayed indicating that the report has been sent.
Note: The report does not include information about managed servers that are not running at the time. 4
Quiesce the System

The Status tab on the Administration Console provides a mechanism by which you can quiesce the system (temporarily put the system into an inactive state). When the system is quiesced, user logon capabilities are temporarily disabled. Note: The cache is not cleared when you resume operation. Do not use this method to synchronize users and groups, update metadata, or change other data that might be cached. 4 To quiesce the system and prevent users from logging on, follow these steps:
1 Notify all users who are currently logged on about the pending maintenance
operation. See Working with Users on page 102 for information about sending e-mail messages to logged-on users.
2 Click the Status tab. 3 From the toolbar, select Quiesce System. 4 On the Conrm Quiesce page, click OK to proceed with the quiesce operation.
If the system is quiesced, a warning message appears, noting that user logon capabilities have been disabled. Users attempting to log on via the SAS Information Delivery Portal receive an HTTP 403 Error: Unauthorized or forbidden error page in
102
Working with Users
Chapter 8
their browsers. Users who are already logged on can continue to use the system. (In contrast, see Restart the System on page 102.) To restart the system and re-enable user logon capabilities, follow these steps: 1 Click the Status tab.
2 From the toolbar, select Resume System.
Resuming the system runs the appropriate parts of the StartupServlet.
Restart the System

During a typical deployment of the Solutions applications, it might be necessary to prevent users from accessing the system while maintenance is performed, updates are applied, or some other routine operation is needed. The Administration Console provides a convenient wizard for performing this operation. The Maintenance Restart Wizard noties logged-on users, shuts down the system after a specied time, and quiesces the system. While the system is quiesced, you can perform maintenance operations such as running the Import Users and Groups stored process, making changes to the metadata, or republishing budget forms that contained an errorin other words, operations during which you do not want users to be logged on. When you click Next to restart the system, the startup servlet is run and the cache is cleared. However, the remote services and the managed servers are not restarted. To restart the system: 1 Select the Restart System menu item on the Status tabs toolbar.
2 Follow the instructions displayed in the Maintenance Restart Wizard.
Note: During a restart operation, the system is quiesced for a period of time. Make sure that you do not close your browser or otherwise end your session. If you do, you will not be able to access the Web application and you will need to restart the managed servers. 4
Working with Users

Tools for Working with Users
The Solutions Web Administration Console provides a set of tools for working with users. To access these tools: 1 Log on to the Solutions Web Administration Console.
2 Click the Management tab. 3 In the navigation tree on the left, go to SAS Solutions
I Users I Current Users.
The console displays a list of users who are currently logged on. 4 Use the links on the left side of the page to access the user tools.
Send E-Mail to System Users

You can automatically send an e-mail message to all system users. This feature is useful if you want to notify users of an impending system operation or a system outage. Note: You must have dened e-mail addresses for these users in the metadata.
To send an e-mail message to all users who are currently logged on, follow these steps: 1 Select the Notify Users menu item on the Management tabs toolbar. 2 On the Send Mail page, enter the subject and text of the message.
Working with Users
103
3 Select whether you want to send the e-mail message to all addressees at one time,
or to each user individually. The second option provides an additional security measure by not disclosing who is currently logged on.
4 Click Send to send the message.
An informational message is displayed, with a list of users to whom the e-mail was sent.
Send E-Mail to Selected Users

To send an e-mail message to one or more selected users, follow these steps:
1 On the Management tab, select SAS Solutions
2 Using the check box in the right-most column, select the user or users to whom
you want to send a message. Note: You must have dened e-mail addresses for these users in the metadata.
3 Select the Send Mail option from the columns pop-up menu. 4 On the Send Mail page, enter the subject and text of the message. 5 Click Send to send the message.
An informational message is displayed, with a list of users to whom the e-mail was sent.
Force Users to Log Off

In some cases, users might not be actively working with a SAS Solutions Services application, and yet their sessions remain active in the system. You can force the termination of these user sessions using the Administration Console. Note: This operation cannot be undone.
To force a logoff of a user session, follow these steps:

1 On the Management tab, select SAS Solutions
2 Using the check boxes in the right-most column, select the user or users that you
want to log off.

3 Select the Force Log Off option from the columns pop-up menu.
The Force Log Off conrmation page displays the user ID(s), e-mail address, and last logon time. Review this information to ensure that you want to continue with the logoff operation.
4 Click OK to force the logoff, or click Cancel to return to the list.
View an Audit Trail for a User

SAS Solutions Services provides a facility that enables each solution to log user activity. The facility is based on a combination of metadata denitions that are stored in the SAS Metadata Server and transaction information that is stored in a data table in the SAS Solutions Data Mart. The base installation of SAS Solutions Services provides the metadata descriptors for history actions and auditable objects (that is, those objects that can be included in a history record). Each subsequent solution that is installed can add its own history actions and auditable objects metadata. All transactions on any auditable object in the integrated system are then added to the history table. By default, the following kinds of actions are audited:
104
Working with Users
Chapter 8
3 3 3 3
adding or replying to a comment Web service authenticationfor example, entering or exiting Document Manager entering or exiting a solutions application such as SAS Financial Management entering table view, aggregate view, dashboard view, association view, or diagram view in a scorecard project
The SAS Solutions Web Administration application includes a user history facility that enables auditing by a system administrator. To view this information, follow these steps: 1 On the Management tab, select SAS Solutions I Users I User History. 2 Select the user for whom you want to view history information. 3 Click Show History. The appropriate user history is displayed.
In the user history, you can see the following information:

Table 8.2 User History Column Descriptions
Column Heading Action Time Solution Description Lists the action taken, such as Login, Logout, or Update. Displays a timestamp that shows when the action occurred. Contains the name of the software component that this history record applies to, such as Solutions Common, ODCS, or Financial Management Solutions. Displays the object typefor example, ses/document (for all SAS Solutions Services actions), odcs/dimension, or fms/cycle. Lists the object that was affected by the action. In the case of a comment that was added to a document using Comment Manager, this eld can contain the GUID of an attachment.
Type Object
Change the Logging Congurations
105
Column Heading Transaction
Description Transaction identier (a value of 1 indicates no transaction association). It is used to link a history transaction to a set of audit transactions (that is, updated data). An optional text comment that indicates conditions or other annotations of the action. Some actions, such as submitting, approving, or rejecting a form, offer the opportunity for the user to make a comment. This comment is sent in the user notication for the form as well as included in the history for the action.
Comment
Note: If you select the User History option and do not see your users in the drop-down list, or if you receive a message that says there are no users present in the system, then the USERS table in the SAS Solutions Data Mart has not been properly loaded or updated. Verify that the appropriate job has been run to create users and groups. (See Synchronizing Users, Groups, and Roles on page 49.) 4 This user history information is maintained in the SAS Solutions Data Mart. Each application can also provide customized or domain-oriented views on the recorded transactions.
Clear Users in Role Cache

The Clear Users in Role Cache utility is used to clear a cache that is used only by SAS Financial Management planning security. For performance reasons, roles are cached when the J2EE application server is started. If you have made changes to role assignments in the SAS Management Console and want to ush this cache without restarting the managed server, follow these steps: 1 On the Management tab, select SAS Solutions I Users I Role Cache.
2 Click Clear Users in Role Cache.
Note: This role cache and this utility do not apply to other parts of SAS Financial Management, to other solutions, or to SAS Solutions Services. 4
Conguring Log Files

Change the Logging Congurations
The SAS Logging Service supports different levels of priorities, which are used to determine which logging statements are written to the log. 3 The logging levels for the remote services are set in the le SAS-cong-dir\Lev1\web\Deployments\SASSolutions\logging_config.xml. 3 The logging levels for the Web applications are set in the le SAS-cong-dir\Lev1\web\Deployments\SASSolutions\logging.xml. The priority attribute species the logging level. There are ve levels, listed in ascending priority: 3 DEBUG 3 INFO 3 WARN
106
Dynamically Change Logging Levels
Chapter 8
3 ERROR 3 FATAL
The SAS Logging Service outputs only those log requests with a priority level equal to or greater than its own. For example, a priority of WARN displays only errors and warnings. A priority of DEBUG displays all log statements. This capability effectively controls the output to the log les, where log statements of lesser importance can generally be suppressed unless a debugging situation occurs. After editing either of the logging conguration les, you must restart the remote services and then the application servers, in order for your changes to take effect. Note: You can temporarily change the priorities for Web application logging, without restarting the servers, in the Solutions Administration Console. See Dynamically Change Logging Levels on page 106. 4 For information about other log les, including the log le used by the portal, see Appendix 2, Log Files, on page 147.
Dynamically Change Logging Levels

The Logging tab of the Solutions Web Administration console enables you to change logging priorities for the Web applications on the ythat is, without requiring a restart of the remote services or the managed servers. To change one or more priorities in the Administration Console, follow these steps: 1 Select the Logging tab. Default logging contexts are displayed on the page. 2 Locate the priority you want to change and select the radio button in the appropriate DEBUG, INFO, WARN, ERROR, or FATAL column. Note: SAS Technical Support might provide you with a specic logging context. If so, type the context in the box at the bottom of the page and select a priority. 4 3 Click Apply to change the logging priorities that you selected, or click Reset to cancel any changes you have made. The logging changes are immediately available. However, when you restart the managed servers, the logging priorities revert to the priorities that are dened in logging.xml.
Using Command-Line Diagnostic Tools

On the middle tier, the SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics directory contains the following diagnostic tools:
Table 8.3 Command-Line Diagnostic Tools
Command status users UserGroupValidation Description Provides status and diagnostic information about solutions that are currently deployed. Displays information about users who are currently logged on. Checks for potential errors in group assignments.
Check System Status
107
Command StoredProcessValidation MailValidation
Description Veries that the domain for the SAS Stored Process Server is correct. Veries that the e-mail interface is set up correctly.
Note: The metadata server must be running before you can use any of these utilities. Before you can use the status and users utilities, the remote services and the managed servers must also be running. 4
Check System Status

About the status Command
The status utility provides status and diagnostic information about applications that are currently deployed. You can run this command to validate a solutions installation or to provide a description of your sites implementation. The report contains information about SAS licenses, conguration details, connections, site-specic settings, SAS-supplied and customized content, and report exceptions. The information can be saved as an HTML-formatted report, and it can be e-mailedfor example, to SAS Technical Support. This utility is available only on Windows, although you can generate a similar status report from the Solutions Administration Console in the portal. See Generate and Send a Status Report on page 101. Note: The report does not include information about managed servers that are not running at the time. 4
Run the status Command

To run the status command, follow these steps: 1 If they are not already running, start the remote services and the managed servers. 2 At a command prompt, change directory to SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics. 3 Type the following command:
status options
Options are as follows:
108
Check System Status
Chapter 8
Option -html or -nohtml or -text -file [path]
Description Species the format for the output. The default is -html, an HTML le. Both -nohtml and -text specify output in text le format. Species that the output be written to a le. The path is optional. If you specify a path, use forward slashes rather than backslashes as separators. Here are some examples of valid paths: c:/temp/status.html ./status.html The second example writes the output to the current folder. Notice that you cannot simply specify the lename; you must preface it with ./ or a full path. If you do not specify a path, the output is written to a le named statusyyyymmdd-hhmmss.<html or txt>, in the diagnostics folder. If you invoke the status command without specifying -file, -send, or -nolog, the default is -file.
-send email-address
Species that the output be sent in an e-mail message, rather than being written to a le. The e-mail address is optional. If it is omitted, the message is sent to the user who is specied to receive administrative e-mail messages. (See Modify E-Mail Settings on page 97.) Species no logging output. This option cannot be used with the -file or -send option. However, it can be used with the -users option, to generate a simple list of current users. In fact, that is what the users.bat command le does. In the console window, this option prints a list of current users and the time that they logged in. This information is not included in a le or e-mail message. Species the locale for the output, such as en_US or fr_FR. Locales are specied as language-code[_country-code]. Species that information about content be omitted. The default is to include information about repositories, themes, stored processes, and content types that have been dened. Asks that server start time be included in the output. This is also the default. Provides verbose output from the command.
-nolog
-users or -u -loc locale or -locale locale -noc or -nocontent -t or -time -v or -verbose -h
Prints help for the status command.
Following is a sample command with verbose output:

status -t -html -v
Here is the console output:
Validate Group Assignments
109
SAS Solutions Services SiteStatus v.1.3.0.0 Checking current site deployment... The current deployment started on 2005-12-13 08:38:45.463. Logging site information...Done. Logging application summary...Done. Logging startup configuration...Done. Logging connections...Done. Logging application details...Done. Logging configured content...Done. The report has been saved to status20051213-084527.html. Done.
In the console or at the end of the status report, you might see a list of exceptions that the utility encountered. Typically these exceptions occur for two reasons, both of which can be ignored: not all SAS components have separate license keys, and so their license information cannot be retrieved; and some components (that are not part of SAS Solutions Services) do not store conguration information in the metadata repository, and so that information cannot be retrieved.
Display User Information

About the users Command
The users command displays a list of users who are currently logged on, including the time/date stamp that indicates when the session was created. Run this utility if you need a quick snapshot of current user activity, or if you need to gauge an appropriate time to perform system maintenance. The users command is available only on Windows.
Run the users Command

To run the command, follow these steps: 1 If they are not already running, start the remote services and the managed servers. 2 At a command prompt, change directory to SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics. 3 Type users. The following is a sample console output from the script:
User ID Log on time --------------------------------------------------------------SAS Administrator Tue Jul 13 08:38:55 EDT 2005 SAS Trusted User Tue Jul 13 08:38:51 EDT 2005 Solutions Role Administrator Tue Jul 13 08:38:54 EDT 2005 bboard Tue Jul 13 08:45:22 EDT 2005 jsmith Tue Jul 13 09:08:06 EDT 2005
Validate Group Assignments

Overview and Setup
UserGroupValidation ags potential errors in group assignments, such as the following:
110
Validate the Domain for the SAS Stored Process Server
Chapter 8
3 users who are not members of the Solutions Users group or a single subgroup of
Solutions Users. Any user who logs on to the portal must be a member of Solutions Users or a subgroup of Solutions Users. However, users who do not log on to the portal are exempt from this requirement.
3 existence of the Solutions Installer user. This user should be removed after the
installation and conguration are completed. Before running the utility, edit the UserGroupValidation.cmd script, as follows:
1 Open the UserGroupValidation.cmd le for editing.
This le is located in SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics.

2 Set the value of these variables:
Variable OMRHOST OMRPORT OMRUSER OMRPASS Value Name of the metadata server host. Port number of the metadata server (typically 8561). Name of an administrative user, such as sasadm. Password of the metadata user. The password can be encoded or in plain text.
Run UserGroupValidation
UserGroupValidation requires only that the metadata server be running. To run the UserGroupValidation command, follow these steps:
1 At a command prompt, change directory to
SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics.
2 Type one of the following commands:
Windows:
UserGroupValidation.bat
UNIX:
./UserGroupValidation.sh
Any potential error conditions are listed in the console window.
Validate the Domain for the SAS Stored Process Server

Overview and Setup
StoredProcessValidation tests to make sure that the domain for the SAS Stored Process Server is set up correctly. This domain (SPAuth) should be the same for the stored process server and all the multibridge connections. Before running the utility, edit the StoredProcessValidation.cmd script. Follow the directions for editing UserGroupValidation.cmd.
Validate the E-Mail Interface
111
Run StoredProcessValidation
StoredProcessValidation requires only that the metadata server be running. To run the StoredProcessValidation command, follow these steps:
Windows:
StoredProcessValidation.bat
UNIX:
./StoredProcessValidation.sh
The utility displays a conrming message or a list of any errors it encounters.

Overview and Setup
The MailValidation utility tests to see that the email interface is set up correctly. Before running the utility, you must edit the command le to set some values, as follows: 1 Change directory to
SAS-install-dir\SASSolutionsServices\1.3\MidTier\Tools\diagnostics
2 Open the MailValidation.cmd le for editing. 3 Set the value of these variables:
Variable ADDRESS OMRHOST OMRPORT OMRUSER OMRPASS Value Address of the person to receive the email message. Name of the metadata server host. Port number of the metadata server (typically 8561). Name of an administrative user, such as sasadm. Password of the metadata user. The password can be encoded or in plain text.
Run MailValidation
This utility requires only that the metadata server be running. To run the MailValidation utility, follow these steps:
Windows:
112
Chapter 8
MailValidation.bat
UNIX:
./MailValidation.sh
If the command succeeds, you will receive an e-mail message notifying you of the fact. If it fails, check to be certain that you have set up the mailhost correctly in the SAS Management Console. For more information, see Modify E-Mail Settings on page 97.
113
CHAPTER
9
Server Security and Encryption
About Server Security 113 Basic Protections 113 Securing Data Exchanges between Server Components Secure Sockets Layer (SSL) 114
113
About Server Security

For background information about server security and encryption, see Server Security and Data Transmission on page 31. This chapter explains how additional server security can be applied, including (where appropriate) the use of encryption. For detailed information about security for SAS servers, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html).
Basic Protections
Basic protections include the following: 3 protecting the physical server(s) that make up the data-tier level (in other words, the servers where your MySQL database is located and where your SAS application servers are running) as well as the physical server(s) that make up the mid-tier level, where your J2EE server is running. In addition to the MySQL database, les on these servers might contain vital information such as encoded passwords. 3 encoding passwords 3 securing the metadata repositories For information about le system protection for the solutions, see Congure Security Settings for Folders and Files (Windows) on page 11. For additional information, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide
Securing Data Exchanges between Server Components

With SAS Solutions Services and the solutions that use SAS Solutions Services, two different data providers are used: SAS data sets and MySQL tables. The standard conguration of both of these data servers is intended to be as fast as possible, so encrypted connections are not used by default. Encrypting data is a CPU-intensive
114
Secure Sockets Layer (SSL)
Chapter 9
operation that can detract from other client/server activities and from overall performance in general. However, an enterprise might require the security provided by encrypted connections; if so, the extra computation is warranted. By default, user credentials in an initial credential exchange are protected using the SAS proprietary 32bit algorithm that is included with BASE SAS software. It requires no additional SAS product licenses. The underlying encoding system uses a single/ symmetric key method, which means that the same key is employed by SAS for both xed encoding and decoding of data sets. The SASProprietary algorithm is strong enough to protect your data from casual viewing. The SASProprietary method provides what security experts might call a medium level of security at about the same performance overhead cost as data set compression. While it does help prevent unauthorized access to the data, the SASProprietary xed-encoding method is a single-tier system, which does not use RSA or any other licensed external software. SAS/SECURE software and Secure Sockets Layer (SSL) encryption provide a high level of security but include additional performance considerations and incur additional export restrictions. For information about conguring additional security with SAS/SECURE software, see Securing a Deployment in the SAS Intelligence Platform: Security Administration Guide. After the data security technology is installed, the site system administrator congures the encryption method (and the level of encryption) to be used in all client/ server data exchanges in that installation.

Secure Sockets Layer (SSL) enables secure communication between applications connected through a network. Authentication allows a server and, optionally, a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient. Note: Conguring SSL for the solutions is a customization.
In the SAS Intelligence Platform and the solutions, there are several communication points that can be protected by SSL. For example:
3 HTTP servers such as those that provide WebDAV capabilities can be congured to
support access via the HTTPS protocol, assuming that the servers have been congured to support SSL.
3 Communication with the Event Broker Service using the HTTP transport type can
be congured to use SSL.
3 Applications such as the SAS Information Delivery Portal and the solutions
applications can support SSL communication when they are deployed on a J2EE application server that is congured for SSL authentication. In addition, MySQL has support for secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. Note that SSL is an on-the-wire protocol that protects data travelling from the client to the server. It does not, however, protect data that is stored in MySQL databases.
115
CHAPTER
10
MySQL Server Administration
MySQL Overview 115 MySQL Installation and Conguration (Windows) 115 Access to libmysql.dll 115 Reconguring MySQL 115 MySQL Installation and Conguration (UNIX) 116 Backing Up MySQL Databases 116 MySQL Security Issues 116
MySQL Overview
SAS Solutions Services stores common data in a MySQL database that is created during the installation process. Support for INNODB tables must be enabled within MySQL to provide transaction support, which is required by a number of SAS Solutions Services components such as the Fiscal Calendar component. Transaction support enables you to roll back or commit changes on an all-or-nothing basis. A common example is an ATM transfer from a savings account to a checking account. You would not want the debit to the savings account to occur unless the credit to the checking account succeeded.
MySQL Installation and Conguration (Windows)

Access to libmysql.dll
For SAS Solutions Services to access the MySQL database, the path to the MySQL client library (libmysql.dll) must be in your system path; typically, this path is c:\mysql\bin. If the metadata server is on a different machine, libmysql.dll must also be available on that machine; for instructions, see the installation guide for the solutions. In addition, the JAR le for the JDBC driver for MySQL must be in the classpath for the J2EE application server; see The Common Environment on page 65.
Reconguring MySQL
The MySQL server is congured to read its conguration settings from the MySQL-install-dir\my.ini conguration le. If you need to adjust your MySQL conguration, you can modify these conguration settings in the MySQL Administrator,
116
MySQL Installation and Conguration (UNIX)
Chapter 10
or you can edit the my.ini le directly. Before you make any changes, be sure to make a backup copy of the my.ini le. After making your changes, restart the service. The MySQL client reads its conguration information from a copy of the my.ini le that is located in the Windows root directory (for example, C:\WINNT\my.ini). If you modify the MySQL-install-dir\my.ini le, be sure to copy your modied le to the Windows root directory.
MySQL Installation and Conguration (UNIX)

The path to the MySQL executable (typically, /usr/local/mysql/bin) must be on the users path. For information about installing and conguring MySQL on UNIX, see the installation guide for the solutions. On Solaris, you can improve performance by editing the my.cnf le to set the thread_concurrency value. This value is used in determining the number of threads that should be run simultaneously. The recommended value is as follows:
number-of-cpus * (2..4)
Backing Up MySQL Databases

The Backup, Restore and Migrate (BRM) tool can be used to back up MySQL data. For additional information about backups and other administrative issues, refer to the MySQL documentation, located in the installation directory.
MySQL Security Issues

On Windows, MySQL is installed as a system service by default; consequently, the service has access to all directories. MySQL can be used only with its own user IDs. For information about starting MySQL on UNIX, see the installation guide for the solutions. Note: During the conguration process, the sqladmin user is created, and the root user for MySQL is deleted after it is no longer needed. 4 For additional information about security and MySQL, see Chapter 9, Server Security and Encryption, on page 113. For information about MySQL logs, see Appendix 2, Log Files, on page 147.
117
CHAPTER
11
WebDAV Server Administration
About WebDAV 117 Conguring Content Folder Permissions on the Xythos WebFile Server Permissions During Conguration 117 Permissions After Conguration 118 Improving Performance 118 Changing the Apache Port Number 118 Modify the http.conf File 118 Update the weblogic.policy File 119 Update the Metadata 119 More Information 120
117
About WebDAV
The Web-based Distributed Authoring and Versioning (WebDAV) protocol is an extension to HTTP that provides write access, version control, and other features in addition to the basic features of HTTP. WebDAV is typically enabled only for specic folders on an HTTP server. If you are using Xythos WebFile Server as your WebDAV server, see Conguring Content Folder Permissions on the Xythos WebFile Server on page 117. If you are using the Apache HTTP server as your WebDAV server, it is recommended that you place the server behind a rewall and allow access only to the middle-tier machine. For greater security, use Xythos as your WebDAV server.
Conguring Content Folder Permissions on the Xythos WebFile Server

Permissions During Conguration
If you are using Xythos as your WebDAV server, the conguration process asks you to set the following permissions on content folders on the Xythos server:
118
Permissions After Conguration
Chapter 11
Table 11.1
Xythos Permissions Required for Solutions Conguration

Folder Permissions Granted Read and InheritAll permissions for /sasdav folder. Granted all permissions for /sasdav/wrs folder.
User or Group SAS Web Administrator
Users with accounts
Granted all permissions for /sasdav folder.
Permissions After Conguration

After the conguration process is nished, modify the Xythos permissions as follows:
Table 11.2 Xythos Permissions Required to Run the Solutions
Folder Permissions Granted all permissions for /sasdav folder.
User or Group SAS Trusted User SAS Administrator Solutions Role Administrator SAS Web Administrator
Granted Read and InheritAll permissions for /sasdav folder. Granted all permissions for /sasdav/wrs folder.
Users with accounts
Granted Read permission only for the /sasdav and /sasdav/ Users folders.
Improving Performance
If you use Xythos as your WebDAV server, you can improve its performance by changing the document store location to external storage in a le system location. The SAS installation instructions for Xythos WFS follow this recommended approach.
Changing the Apache Port Number

If you are using Apache as your WebDAV server and want to change the port number from the default (80), follow these steps:
Modify the http.conf File

1 Stop Apache. 2 Edit the Apache httpd.conf le, which is located in
Apache-install-dir\Apache2\conf. Before making any changes, make a backup copy of the le.
3 Find this line:
Listen 80
WebDAV Server Administration
Update the Metadata
119
Listen new_port_number
5 Find this line:

ServerName hostname:80

ServerName hostname:new_port_number
7 Save the le. 8 Restart Apache.
Update the weblogic.policy File

If you are using WebLogic as your J2EE application server: 1 Open the weblogic.policy le (typically located at BEA-home-dir/weblogic81/ server/lib/weblogic.policy). 2 Find these lines:
// ------------- Socket Access to Servers --------------// WebDAV server permission java.net.SocketPermission "hostname:80", "connect, resolve";
Make the following change:

// ------------- Socket Access to Servers --------------// WebDAV server permission java.net.SocketPermission "hostname:new_port_number", "connect, resolve";
3 Save the le.
Note: If you are using WebSphere, this kind of change is not necessary because the default policy le species allpermissions. 4
Update the Metadata

1 Log on to the SAS Management Console. 2 Select the Foundation repository. 3 Navigate to Foundation Services Manager
Local Services OMR.

a b c d e f
I ID Portal Local Service I BIP
Right-click BIP Information Service and select Properties. In the Properties dialog box, select the Service Configuration tab. Click Edit Configuration. Click the Repositories tab. In the Information Repositories box, select DAV and then click Edit. Change the Port Number to the new port number and then click OK to save the change. g Click OK. h Click OK. 4 Navigate to Foundation Services Manager I Remote Services I BIP Remote Services OMR.
120
More Information
Chapter 11
5 Perform steps 3a through 3h. 6 Navigate to Server Manager
I HTTP DAV Server.

HTTP DAV Server and select
7 In the right window, right-click Connection:
Properties.
8 On the Options tab, change the Port Number to the new port number and click OK. 9 Stop and restart the WebLogic managed server.
Note: If you have also installed other applications that use WebDAV, consult the documentation for those applications for instructions about updating the port number.
More Information
For more information about Xythos security, see "Implementing Authentication and Authorization for the Xythos WFS WebDAV Server" in the SAS Integration Technologies: Server Administrators Guide.
121
CHAPTER
12
Conguration Files
Overview 121 Metadata Repositories 121 Databases 122 The Lev1\Data Folder 122 The Lev1\SASMain\SASSolutionsServices Folder
122
Overview
This chapter gives a general view of the state of your system after installing the SAS Solutions Services. It is intended to supplement "Conguration Files" in the SAS Intelligence Platform: System Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html). The les are typically installed on the server where your SAS application servers are running, including the metadata server. SAS-config-dir refers to the path to the conguration directory. In Windows congurations, an example would be C:\SAS\SASSolutionsConfig. On UNIX, the typical path is /usr/local/SAS/SASSolutionsConfig. Beyond that point, the paths are the same, except that on UNIX systems, the path separator is a forward slash (/).
Metadata Repositories
In addition to the Foundation repository, SAS Solutions Services and the solutions require these custom metadata repositories:
Table 12.1 Metadata Repositories
Contains Metadata about the common applications and common congurations Metadata about the Solutions Data Mart Metadata used by SAS Financial Management Depends on Foundation repository
Repository Name Solutions
Detail Data Store Finance
Foundation repository Foundation and Solutions repositories
122
Databases
Chapter 12
Repository Name Performance Management
Contains Metadata used by SAS Strategic Performance Management Metadata used by SAS Human Capital Management
Depends on Foundation and Solutions repositories Foundation and Solutions repositories
HR
The repositories are located in

SAS-config-dir\Lev1\SASMain\MetadataServer\MetadataRepositories.
Databases
The SAS Solutions Services installation includes the MySQL database server, The installation process creates the following MySQL databases used by SAS Solutions Services:
Table 12.2
Database sassdm hcm spm
MySQL Databases
Description SAS Solutions Data Mart, which contains the common data model and application data SAS Human Capital Management library SAS Strategic Performance Management library
These databases are located in MySQL-install-dir\data on the data server.
The Lev1\Data Folder

The SAS-config-dir\Lev1\Data folder holds data that is specic to this level but that is shared across application server contexts. It contains these subfolders: 3 ConformedDataMart 3 DDSData 3 errorData 3 FMSData (if you installed SAS Financial Management) 3 HCMdata (if you installed SAS Human Capital Management) 3 sassdm 3 SPMData 3 stagedds For more information, see the SAS Solutions Services: Data Administration Guide (http://support.sas.com/documentation/solutions/admin).
The Lev1\SASMain\SASSolutionsServices Folder

The contents of the folder SAS-config-dir\Lev1\SASMain\SASSolutionsServices supplement the les that are located in
The Lev1\SASMain\SASSolutionsServices Folder
123
SAS-config-dir\Lev1\SASMain\SASMain\SASEnvironment. In particular, note these
subfolders:
Table 12.3
Folder SASCode
Subfolders of SASSolutionsServices
Description Contains a Jobs directory that stores the SAS code for each job in the environment. Within the SASCode directory, you can also create a UserDened directory to store stored processes that are created on-site.
SASFormats
Contains the SAS format and informat catalogs that are necessary for the data and for the code that is accessed through the current SAS application server. Contains the SAS Autocall macros that are invoked via SAS code that executes through the current SAS application server.
SASMacros
There are similar folders for each solutions that is installed: for example, you might have SASFinancialManagement, SASStrategicPerformanceManagement, and SASHumanCapitalManagement folders.
124
125
CHAPTER
13
Deploying SAS Web OLAP Viewer and SAS Web Report Studio
Overview 125 A Note about Repositories 125 SAS Web OLAP Viewer for Java 126 Dene SAS Web OLAP Viewer for Java Services 126 Deploy SAS Web OLAP Viewer 127 Enable Use of SAS Themes 127 Test SAS Web OLAP Viewer 127 SAS Web Report Studio and SAS Web Report Viewer 128 Deploy to a Domain Server 128 Attach the WebDAV Server as the Content Manager for the BIP Tree 128 Import the Query and Reporting Service 129 Duplicate the Query and Reporting Service Deployment 129 Create Managed Servers (Windows) 130 Create Managed Servers (UNIX) 130 Deploy Web Applications to WebLogic (Windows) 131 Deploy Web Applications to WebSphere (UNIX) 131 Deploying SAS Web Report Studio and SAS Web Report Viewer to the Same Managed Server as the Portal 132 Test Your Applications 133
Overview
If you installed SAS Web OLAP Viewer for Java or SAS Web Report Studio, or both, but did not congure them when you congured the solutions, then you can follow the instructions in this chapter to congure these applications.
A Note about Repositories

If you use SAS Information Map Studio to create a map that is based on a table in a solutions data mart, the map must reside in the same repository as the table that it references or in a dependent repository. (The map can reference a table in a parent repository, but it cannot reference a table in a dependent repository.) For example, you could create an information map in the Finance repository that is based on a table in the Solutions repository, because the Finance repository is dependent on the Solutions repository. But you could not create an information map in the Solutions repository that is based on a table in the Finance repository. To access an information map from SAS Web Report Studio, you must be working in the same repository as the map. When you open SAS Web Report Studio from a portlet
126
SAS Web OLAP Viewer for Java
Chapter 13
or from the New menu in the Document Manager, you are asked to select a repository in which to work. If you are working with OLAP cubes, the metadata objects that describe the cube and the cubes associated libraries and source tables must be stored in the same repository, or the metadata that describes the cube must be in a custom repository that is dependent on the repository that contains the library and table objects. Also, to be able to view a cube in a custom repository, the cubes SAS OLAP Server and OLAP schema must reside in the same repository. Otherwise, you are not able to create the cube. In addition, the library and table objects that are referenced by a cube must always be in the same repository.
SAS Web OLAP Viewer for Java

In order to run SAS Web OLAP Viewer for Java, you must dene the SAS Web OLAP Viewer services and then deploy the Web application.
Dene SAS Web OLAP Viewer for Java Services

Follow these steps:
1 Log on to the SAS Management Console as an administrative user. 2 In the Foundation repository, right-click Foundation Services Manager and
select Import Service Deployment.

3 If you have not already done so, import the
sas_services_webolapviewer_local_omr.xml le from SAS-cong-dir\Lev1\web\Deployments\SASWebOLAPViewerforJava. Note: Typically, this step would have been performed during the initial system conguration.
4 Click OK to save your changes. 5 Merge service congurations as follows:

a In the Foundation Services Manager, expand SAS Web OLAP Viewer Local
Services
b Right-click Platform Information Service and select Merge Service
I BIP Core Services.
Configuration.
c Merge the appropriate les from the table that follows. d Click OK to save your changes.
Table 13.1
SAS Web OLAP Viewer: Files to Merge

File to Merge solutionsLocalInformationServicesAdditions.xml, in SAS-cong-dir\Lev1\ SASMain\SASSolutionsServices\services performanceLocalInformationServicesAdditions.xml, in SAS-cong-dir\Lev1\ SASMain\SASStrategicPerformanceManagement\services
Component SAS Solutions Services
SAS Strategic Performance Management
Test SAS Web OLAP Viewer
127
Component SAS Human Capital Management SAS Financial Management
File to Merge hrLocalInformationServicesAdditions.xml, inSAS-cong-dir\Lev1\ SASMain\SASHumanCapitalManagement\services nanceLocalInformationServicesAdditions.xml, in SAS-cong-dir\Lev1\ SASMain\SASFinancialManagement\services
Deploy SAS Web OLAP Viewer

To deploy the Web application:
SAS-config-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 Run one of these commands:
Windows:
WebOlapViewer.bat
UNIX (run as the root user):

./WebOlapViewerWS.sh
If this script fails, correct the problem and run the script again.
Enable Use of SAS Themes

After you deploy SAS Web OLAP Viewer, you might want to enable SAS themes, so that the user interface looks like the portal; otherwise, the application uses its own themes. To enable SAS themes: 1 Open WebOLAPViewer.xml for editing. This le is located in the WEB-INF directory of the deployed application. 2 Find this line:
<SASThemes enabled="false"/>

<SASThemes enabled="true"/>
4 Save the le.
The next time you reload the application or restart the J2EE application server, the SAS themes will be applied. Note: For additional information about conguring SAS Web OLAP Viewer, see the SAS Intelligence Platform: Web Application Administration Guide (available at http:// support.sas.com/documentation/configuration/913admin.html). 4
Test SAS Web OLAP Viewer

To test whether your conguration and deployment succeeded, do the following: 1 If you plan to use OLAP cubes, then start the SAS OLAP Server on the data tier, for each repository in which you want to build or use cubes.
128
SAS Web Report Studio and SAS Web Report Viewer
Chapter 13
3 Windows: Start the OLAP servers as services, or start them from the
Windows Start menu. At installation time, if you chose to install applications as services, then each OLAP server was installed as a service to be started automatically.
3 UNIX: Change to the appropriate directory from the table below and execute
the following command:
./OLAPServer.sh start Domain Foundation Solutions Performance Management Finance HR Directory SAS-config-dir/Lev1/SASMain/OLAPServer SAS-config-dir/Lev1/SASMain/OLAPServer_Solution SAS-config-dir/Lev1/SASMain/OLAPServer_PerfMgmt
SAS-config-dir/Lev1/SASMain/OLAPServer_Finance SAS-config-dir/Lev1/SASMain/OLAPServer_HR
2 Log on to the portal. 3 Add the SAS Web OLAP Viewer task to a My Favorites portlet.
For more information about adding a task to a portlet, see the online Help.
4 In the portlet, click the task.
If you receive an error when you are trying to access an information map, you might need to grant to Solutions Users ReadMetadata and Read permission for the Maps folder. For instructions, see Modify Permissions for Information Maps on page 23. If you receive an error when you are trying to access a cube, you might need to set the cubes access permissions. See Modify Permissions for OLAP Cubes on page 23.
SAS Web Report Studio and SAS Web Report Viewer

Deploy to a Domain Server
To deploy SAS Web Report Studio and SAS Web Report Viewer to a domain server, you need to import (or duplicate) the Query and Reporting service, create a managed server, and deploy the applications.
Attach the WebDAV Server as the Content Manager for the BIP Tree
For each domain to which you want to deploy SAS Web Report Studio, perform these steps to attach the WebDAV server as the content manager for the BIP Tree: Note: For the Foundation repository, this step is usually performed during installation and conguration. 4
1 Log on to the SAS Management Console as an administrative user.
129
2 Select the appropriate repository. 3 Expand the BI Manager node. 4 Right-click BIP Tree and select Properties. 5 Click the Content Mapping tab. 6 Select WebDAV location. 7 From the Server drop-down list, select HTTP Dav Server. 8 From the Base Path drop-down list, select /sasdav/wrs. 9 Save your changes.
If you omit the user ID and password, the BI Manager displays a warning that these credentials are recommended for security reasons. For non-production systems, you can leave these elds empty. If you are using Xythos WebFile Server as your WebDAV server, then for production systems, it is recommended that you enter the user ID and password of the SAS Web Administrator (saswbadm), which should match the user who is granted access to the /sasdav/wrs folder in Xythos (see Conguring Content Folder Permissions on the Xythos WebFile Server on page 117). Note: If you use the same content mapping for multiple repositories, they share the same space in the WebDAV repository. As a result, if you had reports with the same name and path in more than one repository, they could overwrite one another. To avoid this situation, you might create different content mappings for each repositoryfor example, /sasdav/wrs_hr and /sasdav/wrs_fm. You would need to create the base path in the properties for the HTTP DAV Server and then specify that base path in the content mapping as explained above. Be sure to apply the same permissions to these folders that you apply to the /sasdav/wrs folder. 4
Import the Query and Reporting Service

If you have not already done so, import the Query and Reporting service to the Foundation Services: Note: Typically, this step would have been performed during the initial system conguration. 4
1 Open the SAS Management Console as an administrative user. 2 In the Foundation repository, right-click Foundation Services Manager and
select Import Service Deployment. 3 Import the hostname_sas_pfs_queryandreporting.xml le from SAS-cong-dir\Lev1\web\Deployments\WebReportStudio.

4 Click OK to save your changes.
Duplicate the Query and Reporting Service Deployment

For each additional domain, perform these steps to duplicate the Query and Reporting service:
1 Log on to the SAS Management Console as an administrative user. 2 In the Foundation repository, expand the Foundation Services Manager. 3 Right-click Query and Reporting and select Duplicate Service Deployment. 4 Change the Name to Query and Reporting domain, where domain is one of the
following:
3 Solution
130
Chapter 13
3 PerfMgmt 3 HR 3 Finance
5 6 7 8 9 10 11
Click OK. Expand Query and Reporting Solution I BIP Core Services. Right-click Platform Information Services and select Properties. Select the Service Configuration tab. Click the Edit Configuration button. Select the Repositories tab and click the Edit button. On the Edit Information Service Repository page, make these changes: 3 Change the Name eld from Foundation to the name of the repository, which can be one of the following: Solutions, Performance Management, HR, or Finance. 3 Change the Description eld so that it references the appropriate repository name. 3 Change the Base eld from Foundation to the name of the repository.
Create Managed Servers (Windows)

SAS-cong-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin.
2 For each of the domain managed servers you want to create, use the appropriate
command from the following list:

Domain Foundation Solutions Performance Management HR Finance Command to Create Managed Server FoundationManagedServer.bat SolutionsManagedServer.bat PerformanceManagementManagedServer.bat HRManagedServer.bat FinanceManagedServer.bat
Create Managed Servers (UNIX)

2 For each of the domain managed servers you want to create, use the appropriate
command from the following list:

Domain Foundation Solutions Performance Management Command to Create Managed Server ./FoundationManagedServerWS.sh ./SolutionsManagedServerWS.sh ./PerformanceManagementManagedServerWS.sh
131
Domain HR Finance
Command to Create Managed Server ./HRManagedServerWS.sh ./FinanceManagedServerWS.sh
Note: These commands must be executed as the root user because they affect WebSphere. 4
Deploy Web Applications to WebLogic (Windows)

You should deploy both SAS Web Report Studio and SAS Web Report Viewer. On Windows, to deploy the applications to a managed server: 1 Start the managed server by using the appropriate shortcut in Start I Programs I SAS I SASSolutionsCong. Select from the list below:
3 3 3 3 3
StartFoundationServer StartSolutionServer StartPerfMgmtServer StartHRServer StartFinanceServer
For information about modifying the heap allocation for the HR server, see Startup Scripts on page 65. 2 At a command prompt, change directory to SAS-cong-dir\Lev1\Utilities\SASSolutionsServices\Deployment\bin. 3 To deploy SAS Web Report Studio, type the command to deploy the applications. Select from this list:
Domain Foundation Command to Deploy Web Application FoundationWebReportStudio.bat FoundationWebReportViewer.bat Solutions SolutionsWebReportStudio.bat SolutionsWebReportViewer.bat Performance Management PerfMgmtWebReportStudio.bat PerfMgmtWebReportViewer.bat HR HRWebReportStudio.bat HRWebReportViewer.bat Finance FinanceWebReportStudio.bat FinanceWebReportViewer.bat
The deployment takes some time to execute because it precompiles all the JSP les.
Deploy Web Applications to WebSphere (UNIX)

Deploy both SAS Web Report Studio and SAS Web Report Viewer. To deploy the applications to a domain managed server:
132
Chapter 13
2 As the root user, type the appropriate commands from this list:
Domain Foundation Command to Deploy Web Application ./FoundationWebReportStudioWS.sh ./FoundationWebReportViewerWS.sh Solutions ./SolutionsWebReportStudioWS.sh ./SolutionsWebReportViewerWS.sh Performance Management ./PerfMgmtWebReportStudioWS.sh ./PerfMgmtWebReportViewerWS.sh HR ./HRWebReportStudioWS.sh ./HRWebReportViewerWS.sh Finance ./FinanceWebReportStudioWS.sh ./FinanceWebReportViewerWS.sh
3 Start the managed server:

a Log on to the WebSphere administrative console. Application Servers. b In the navigation tree, selectServers c On the Application Servers page, select the check box for the appropriate
server.
d Click Start.
Deploying SAS Web Report Studio and SAS Web Report Viewer to the Same Managed Server as the Portal
It is possible to deploy SAS Web Report Studio and SAS Web Report Viewer to the same managed server as the portal, rather than to a separate managed server. This can be useful in an upgrade situation if you have links to reports that were created on the SASManagedServer. Follow these steps:
1 If you have already deployed SAS Web Report Studio and SAS Web Report Viewer
to the Foundation Server, use the administration console of the J2EE application server to undeploy these applications.
2 Open the SAS-config-dir\solutionsmid.properties le for editing. 3 Modify the values of SWOVFOUNDATION_NAME and
SWOVFOUNDATION_PORT so that they point to the correct managed server. Here is an example:
SWOVFOUNDATION_NAME=SASManagedServer SWOVFOUNDATION_PORT=7001
4 Save your changes. 5 From a command prompt, run the FoundationWebReportStudio and
FoundationWebReportViewer commands to deploy the applications.
For detailed instructions, see Deploy Web Applications to WebLogic (Windows) on page 131 and Deploy Web Applications to WebSphere (UNIX) on page 131. Note: Do not create or start the Foundation Server.
Test Your Applications
133
6 Modify the connection information for these applications:

a Log on to SAS Management Console as the administrative user (sasadm). b In the Conguration Manager, right-click WRS Component for Foundation
Repository and select Properties.

c Click the Connection tab. d Modify the port number and click OK. e Right-click WRS Component for Foundation Repository and select
Properties.
f Click the Connection tab. g Modify the port number and click OK.
7 Restart the remote services and the managed servers.
Note: Collection portlets expect SAS Web Report Studio reports to exist only in the Foundation repository, and they expect SAS Web Report Viewer to be deployed on the same managed server as the portal. If your reports do not t those criteria, add them to a My Favorites portlet instead. 4
Test Your Applications

To test whether your deployment succeeded:
1 If you plan to use OLAP cubes, then start the SAS OLAP Server for the
appropriate repository on the data-tier machine. For instructions, see Test SAS Web OLAP Viewer on page 127.
2 Log on to the portal. 3 Add the SAS Web Report Studio task to a My Favorites portlet.
For more information about adding a task to a portlet, see the online Help. You can also open SAS Web Report Studio from the Document Manager: select New I Web Report Studio Report.
4 In the portlet, click the task. 5 When you are prompted, select a repository. 6 Create a report.
If you receive an error when you are trying to access an information map, you might need to grant to Solutions Users ReadMetadata and Read permission for the Maps folder. For instructions, see Modify Permissions for Information Maps on page 23. If you receive an error when you are trying to access a cube, you might need to set the cubes access permissions. See Modify Permissions for OLAP Cubes on page 23.
7 Add the report to a portlet and try to open it, or try to open it from the Document
Manager. At runtime, SAS Web Report Studio is opened when a user selects the Open SAS Web Report Studio task from the portal or selects New I Web Report Studio Report from the Document Manager. SAS Web Report Viewer is opened when a user clicks on an existing report in the portal or in the Document Manager. Note: For additional information about conguring SAS Web Report Studio and SAS Web Report Viewer, see the SAS Intelligence Platform: Web Application Administration Guide (available at http://support.sas.com/documentation/configuration/ 913admin.html). 4
134
135
CHAPTER
14
Client Installation and Conguration
Client Setup 135 Client Applications 136 SAS Solutions Services Add-In for Microsoft Ofce 136 SAS Financial Management Add-In for Microsoft Excel 137 Install the Applications 137 Verify the Installation 137 Complete the Installation of the SAS Financial Management Add-In Verify the SAS Financial Management Add-In 138 SAS Solutions Services Dimension Editor 139 SAS Financial Management Studio 139 SAS Data Integration Studio 139 SAS Strategic Performance Management Migration Wizard 139 SAS Management Console 140 Java Runtime Environment 140 Conguring Logging for ETL Jobs 140 Uninstalling the Client Applications 141
137
Client Setup
Client applications must be installed on Windows machines. Before installing client applications, you must determine how users will access the clients. The following instructions assume that the clients will be installed on users desktops by means of SAS Software Navigator (SSN). When SSN is used, the following steps apply to all installations. Note: If you have a previous installation of any of the client applications, uninstall them before proceeding. See Uninstalling the Client Applications on page 141. 4 To install the client applications, complete the following steps.
1 On the client machine, open SSN. 2 Select a language for SSN. Click Next. 3 On the deployment type page, select Advanced. Click Next. 4 Select the SAS Installation Data (SID) le. Click Next. 5 Select the folder for the client deployment plan. Click Next. 6 On the installation options screen, select the appropriate software, as described in
Client Applications on page 136. You can install these client applications separately or at the same time. If you install the Microsoft Ofce add-ins separately, the installation order is important; see SAS Solutions Services Add-In for Microsoft Ofce on page 136 and SAS
136
Client Applications
Chapter 14
Financial Management Add-In for Microsoft Excel on page 137. Otherwise, the applications can be installed in any order. 7 Click Next. 8 The next screen asks for the default install path. Select the default or navigate to a different folder for the installation. Click Next. 9 Select the set of help les to install and click Next. You have two choices in terms of help le languages: 3 the current language 3 or all available languages
10 On the Review options screen, look over your installation options. If they are
correct, click Install. If you are installing SAS Financial Management Studio, SAS Dimension Editor, or SAS Solutions Services Add-In for Microsoft Ofce, the installation prompts you for the URL to the le that denes the available servers, in the form http:// server-name:port. For server-name, enter the name of the middle-tier server, where the J2EE application server is running. For port, enter the port number that is used to log on to the portal. Here is an example: http:// myserver.mycompany.com:7001. If users are installing client applications on their own machines, be sure that they are aware of this middle-tier server name and port. The installation program uses this information to determine the path to the EnvironmentFactory.xml le, which denes one or more site-specic environments (for example, default, dev, or test). When users log on to SAS Financial Management Studio or SAS Dimension Editor or when they log on to the middle-tier server from Microsoft Word or Excel, they are asked to select one of these environments.
Client Applications
SAS Solutions Services Add-In for Microsoft Ofce

The SAS Solutions Services Add-In for Microsoft Ofce allows users to access items from the Document Manager. These items can then be displayed and refreshed from within Microsoft Excel or Microsoft Word. All Strategic Performance Management (SPM) items are available for viewing, including key performance indicator (KPI) projects and custom balanced scorecard projects. Stored processes can also be run within Excel and Word. (Currently, stored processes with parameters must rst be run in Document Manager; then the output is available in Excel and Word.) To create reports that include solutions content with Microsoft Ofce products, users need the SAS Solutions Services Add-In for Microsoft Ofce. To install this client on the users desktop, select this application on the installation options screen: SAS Solutions Services Add-In for Microsoft Office. After the SSN installation is completed, follow these steps to complete installation of the SAS Solutions Services Add-In for Microsoft Ofce: 1 Open Microsoft Excel. 2 From the Tools menu, select Add-Ins. The Add-Ins dialog box appears.
SAS Financial Management Add-In for Microsoft Excel
137
3 Click Browse to search for SAS SPM Functions.xla.
This le should be located in Microsoft-Ofce-install-dir\Office\Library, Office10\Library, or Office11\Library, depending on the version of Microsoft Ofce that is installed.
4 Click OK to add it to the Add-Ins dialog box. 5 In the Add-Ins dialog box, make sure that SAS SPM Functions is selected. 6 Click OK. 7 Click OK.
To verify that the installation succeeded, open Microsoft Excel or Microsoft Word. You should see a new menu item, SAS Solutions, that is available to users who belong to the Solutions Users group and the Analyst role..

When SAS Financial Management is licensed, users who are nancial process administrators, who participate in the planning process by entering or approving forms, or who create nancial reports with Excel use the Financial Management Add-In for Microsoft Excel.
Install the Applications

To install this client on the users desktop, select the following applications on the installation options screen. They can be installed separately or at the same time. If they are installed separately, they must be installed in this sequence:
1 SAS Solutions Services Add-In for Microsoft Office (see the previous
section)
2 SAS Financial Management Add-In for Microsoft Excel
Verify the Installation

To verify that the installation of the rst two applications succeeded, open Excel and Word. You should see a new menu item, SAS Solutions.
Complete the Installation of the SAS Financial Management Add-In

After the SSN installation is completed, follow these steps to complete installation of the SAS Financial Management Add-In for Microsoft Excel:
1 Open Microsoft Excel. 2 From the Tools menu, select Add-Ins.
The Add-Ins dialog box appears.

3 Click Browse to search for SAS Financial Management Functions.xla.
This le should be located in Microsoft-Ofce-install-dir\Office\Library, Office10\Library, or Office11\Library, depending on the version of Microsoft Ofce that is installed.
4 Click OK to add it to the Add-Ins dialog box. 5 In the Add-Ins dialog box, make sure that SAS Financial Management
Functions is selected.
138
Chapter 14
6 Click OK. 7 Click OK.
If you had an existing installation of Microsoft Excel and the SAS Financial Management Add-In, you might need to delete the existing add-in rst, as follows:
1 Open Microsoft Excel. 2 From the Tools menu, select Add-Ins. 3 Clear the checkbox for SAS Financial Management Functions.
When you are asked if you want to delete the add-in, say yes.
4 Close Excel and reopen it. 5 Then follow the instructions, above, to add SAS Financial Management Functions
to the Add-Ins dialog box.
Verify the SAS Financial Management Add-In

To verify that the add-in has been correctly installed, follow these steps:
1 In Excel, from the SAS Solutions menu, select Log On.
2 Enter a valid user name and password and the name and port for the middle-tier
server.
SAS Strategic Performance Management Migration Wizard
139
3 Click OK.
The application connects to the middle-tier server. 4 From the SAS Solutions menu, select Insert. If the installation is successful, a pop-up menu appears showing the options Document, Read-only Table, CDA Table, and Member Labels. If the Insert menu item is dimmed, try the following steps:
1 From the Help menu, select About Microsoft Excel. 2 Click the Disabled Items button. 3 Check that the add-in is not on the disabled items list.
For more troubleshooting information, see Errors Running Client Applications on page 154.
SAS Solutions Services Dimension Editor

Users who manage data dimensions often use the Dimension Editor. To install SAS Solutions Services Dimension Editor on the users desktop, select these items: 3 SAS Solutions Services Dimension Editor 3 Java Runtime Environment (SAS Private Version) Volume 3 For information about the groups and roles that are required to run this client application, see Determining Group and Role Assignments on page 40.
SAS Financial Management Studio

To install SAS Financial Management Studio (FM Studio) on the users desktop, select these items: 3 SAS Financial Management Studio 3 Java Runtime Environment (SAS Private Version) Volume 3 For information about the groups and roles that are required to run this client application, see Determining Group and Role Assignments on page 40.
SAS Data Integration Studio

To install SAS Data Integration Studio on the users desktop, select these items: 3 Java Runtime Environment (SAS Private Version) Volume 3 3 SAS Data Integration Studio For information about hot xes that are required for SAS Data Integration Studio, see Apply Hot Fixes on page 15. For information about the groups and roles that are required to run this client application, see Assign SAS Data Integration Studio Groups and Roles on page 48. For debugging information, see Conguring Logging for ETL Jobs on page 140.
SAS Strategic Performance Management Migration Wizard

The SAS Strategic Performance Management Migration Wizard is a tool for migrating existing Strategic Performance Management (SPM) projects from the data structures in SPM 1.4 to the new data structures required for SPM 2.1.
140
SAS Management Console
Chapter 14
To install this client on the users desktop, select SAS Strategic Performance Management Migration Wizard in the list of installation options.
SAS Management Console

Users who administer metadata, users, and system resources use the SAS Management Console. At a minimum, these users must be members of the System Administrator role and the Administrators group. To install this client on the users desktop, select these items:
3 3 3 3
Java Runtime Environment (SAS Private Version) Volume 3 SAS Management Console SAS Foundation Services with SAS Management Console plug-ins SAS Solutions plug-ins for SAS Management Console
Java Runtime Environment

The Java Runtime Environment (SAS Private Version) --- Volume 3 is required for many of the client applications. During the installation process, the Java Service Pack Wizard runs automatically to update the SAS products to the current service pack level. The installer asks for an install location; it is recommended that you use the default. The wizard lists any products that need updating. Select the products that you want to update. Click Next and follow the wizards instructions to complete the update. Note: It is recommended that you do not update this private JRE after installation, because updates might contain minor changes that might be incompatible with the software. 4
Conguring Logging for ETL Jobs

To capture logging from ETL jobs that invoke SAS code, follow these steps:
1 In the SAS-install-dir\SAS9.1\nls\en directory, open SASV9.CFG for editing. 2 Add the following command to the rst JREOPTIONS line:
-Dlog4j.configuration=file:/c:/tmp/log4j.properties
If you choose to store this le in a different directory, edit the path in the above code accordingly.
3 Save the le. 4 In the C:\tmp directory, create a log4j.properties le, similar to the following.
Note:
The lines that begin [%t] are continuations of the previous line.
# Hiearchy: DEBUG < INFO < WARN < ERROR < FATAL log4j.appender.A1=org.apache.log4j.ConsoleAppender log4j.appender.A1.layout=org.apache.log4j.PatternLayout log4j.appender.A1.layout.ConversionPattern=%d{MM-dd HH:mm:ss,SSS} [%t][%-5p %c{1}] - %m%n log4j.appender.F1=org.apache.log4j.RollingFileAppender log4j.appender.F1.file=c:/tmp/fms_log4j.log log4j.appender.F1.layout=org.apache.log4j.PatternLayout
Uninstalling the Client Applications
141
log4j.appender.F1.layout.ConversionPattern=%d{MM-dd HH:mm:ss,SSS} [%t][%-5p %c{1}] - %m%n log4j.rootLogger=WARN, F1 log4j.rootCategory=WARN, F1 log4j.category.com.bea=WARN log4j.category.com.sas=WARN log4j.category.com.sas.solutions=DEBUG log4j.category.com.sas.solutions.finance=DEBUG
5 Restart the object spawner to pick up the new changes.
Uninstalling the Client Applications

If you are upgrading from an existing installation, you must rst uninstall any existing client applications. Follow these steps:
1 Close any open Microsoft Ofce applications, such as Microsoft Word, Excel, or
Outlook.
2 From the Windows Start menu, select Control Panel. 3 Select Add or Remove Programs.
The list of currently installed programs appears.

4 From the list, uninstall the client applications.
The Add-Ins for Microsoft Ofce must be uninstalled in this sequence:

a SAS Financial Management Add-In for Microsoft Excel b SAS Solutions Services Add-In for Microsoft Ofce
Note: The other client applications can be uninstalled at any point in the sequence.
5 Restart your machine.
142
143
APPENDIX
1
Default Port Usage
Port Usage
143
Port Usage
The following table lists ports that might be used in a default solutions deployment. For a list of default ports that are used by the SAS Intelligence Platform, see Default SAS Ports in the SAS Intelligence Platform: System Administration Guide.
Port 25 Entity/Service SMTP mail Description/Purpose Port used by mailhost or Simple Mail Transfer Protocol (SMTP). Used to send administrative e-mail notices and end-user alert notications. This functionality is not provided by SAS, but is made available by the site. Handles proxy requests to application server. Also used for static assets such as themes, stylesheets, and images. Apache DAV support provided via standard HTTP server; typical use is in Windows deployments where no Xythos server is installed or available. Both proxy requests and DAV requests can use the same server and port. Default port used by Apache Web Server for Secure Sockets Layer; congured only for HTTPS access in a secured environment. Default port for the Backup, Restore, and Migration tool. User-congurable. All JDBC access from the application server(s) goes through this port to the MySQL server. SAS/ACCESS to MySQL also uses this port. (Deprecated) Used by the Event Broker of SAS Foundation Services to manage multiple brokers.
80
HTTP Server
80
Apache HTTP DAV Server
443
2206 3306
Backup and Restore MySQL Server
5098
Event Broker Admin
144
Port Usage
4
Port 5099
Appendix 1
Entity/Service RMI access to SAS Foundation Services
Description/Purpose All client access to remote Foundation Services is directed through this port. In Solutions deployments, only middle-tier clients communicate via RMI. Therefore, it is not necessary to open this port to external access (that is, to other clients on the network) in a rewall-protected environment. Port that is used by Xythos WebFile Server to access the PostgresSQL database. Ports that are used by the SAS OLAP Server. The default port number (5451) applies to the Foundation domain. Ports 1545115454 are used for deployment to additional domains. (WebLogic) Default port for a single managed server. Used by the solutions Web applications and by many of the client applications, such as SAS Financial Management Studio. (WebLogic) Default port for the ODCS managed server. (WebLogic) Default congured ports for the domain servers: FoundationServer, SolutionServer, PerfMgmtServer, FinanceServer, and HRServer. These domain servers are used for deploying SAS Web Report Studio. Default congured port for the WebLogic administration server. Port used by SAS/CONNECT Server. Server that is congured by SAS Solutions Services for HTTP transports into the Foundation Services Event Broker. Events red by SAS code into the middle tier are communicated via this port. Default port for Xythos congurations. Xythos works in conjunction with its own deployed Apache Tomcat server that handles requests on this port. Port used by the SAS/SHARE Server. Default port for metadata access. Load-balancing requests from SAS Object Spawner go through this port. Default Object Spawner operator port. Default port for SAS IOM Workspace Server. 8601 is the default port for the SAS Stored Process Server. 8611, 8621, and 8631 are the defaults for any additional SAS Stored Process Servers.
5432 5451, 15451 15454 7001
PostgresSQL SAS OLAP Server
SASManagedServer
7002 71017104
ODCSManagedServer Domain managed servers
7501 7551 8118
BEA WebLogic Admin Server SAS/CONNECT HTTP Server for Event Broker
8300
Xythos WFS Server
8551 8561 8571 8581 8591 8601, 8611, 8621, 8631
SAS/SHARE Server SAS Metadata Server SAS Object Spawner Load Balancing SAS Object Spawner Operator SAS IOM Workspace Server SAS Stored Process Server
Default Port Usage
Port Usage
145
Port 9080 9090
Entity/Service IBM WebSphere Application Server IBM WebSphere Application Server
Description/Purpose Default listen port for the WebSphere Application Server. Default administration port for the WebSphere Application Server. If there is a conict with port 9090, 9091 is typically used. For more information about additional ports that are used by WebSphere, see the documentation for the WebSphere Application Server.
17000
Ant server
Ant server listen port (used during installation).
146
147
APPENDIX
2
Log Files
Overview Log Files Log Files Log Files of Log Files 147 on the Middle Tier 147 on the Data Tier 148 for Client Applications 149
Overview of Log Files

The following log les are created by the solutions, the portal, the SAS Intelligence Platform, and related third-party software. These logs should be monitored and rotated if necessary. In particular, the WebLogic access logs, the Apache logs, and the metadata server logs can become relatively large.
Log Files on the Middle Tier

These log les are typically located on the middle tier, where you installed the J2EE application server.
Table A2.1 Object BEA WebLogic Middle-Tier Log Files Log File Location and Notes BEA-home-dir\user_projects\domains\SASSolutions\* WebLogic writes to a number of log les, including a domain log le (SASSolutions.log) and a log le for each managed server. If you contact SAS Technical Support about a problem running a Web application, it is a good idea to include a copy of the relevant managed server log (for example, SASManagedServer.log). For WebLogic 8.1, this page has a good overview of log les: http:// e-docs.bea.com/platform/docs81/admin/admin.html#1072571. This page describes how to congure server logs, including settings that govern log le rotation: http://e-docs.bea.com/wls/docs81/ConsoleHelp/ logging.html#1047443. IBM WebSphere WebSphere-install-dir/AppServer/logs/server-name/ SystemOut.log and /SystemErr.log You can view these les with a text editor or from the administrative console.
148
Log Files on the Data Tier
Appendix 2
Object SAS Solutions Services
Log File Location and Notes SAS-cong-dir\Lev1\web\Deployments\SASSolutionsServices Contains a conguration le (logging_cong.xml) and log le (services.log) for the remote services, and a conguration le (logging.xml) and log le (server.log) for SAS Solutions Services that are part of the Web applications. For information about modifying logging options, see Conguring Log Files on page 105. SAS-cong-dir\Lev1\web\Deployments\Portal\logs Contains logs for the portal, the SASStoredProcess Web application, and the SASPreferences Web application. The Portal directory contains conguration les for these logs.
SAS Information Delivery Portal
In addition to the logs that are described above, you can congure a log le to be written when a stored process uses the Javaobj interface, a mechanism that is similar to Java Native Interface (JNI) for instantiating Java classes and accessing their methods and elds. This applies to the standard reports that are shipped with SAS Financial Management Solutions. For information about log les for other applications, such as SAS Web Report Studio and SAS Web OLAP Viewer, see the SAS Intelligence Platform: Web Application Administration Guide, available at http://support.sas.com/documentation/ configuration/913admin.html.
Log Files on the Data Tier

These les typically reside on the data-tier server, where the SAS Metadata Server is installed and running. Depending on your installation conguration, there might be additional log les. For more information, see Understanding the State of Your System in the SAS Intelligence Platform: System Administration Guide (available at http://support.sas.com/documentation/configuration/913admin.html).
Table A2.2 Object Apache Web Server Data-Tier Log Files Log File Location and Notes Apache-install-dir\Apache2\logs. Created if you install Apache as your WebDAV server. MySQL Server MySQL-install-dir\iblogs MySQL-install-dir\data The MySQL error log (machine_name.err) is located in MySQL-install-dir\data. This le contains start and stop information as well as information about critical errors. However, MySQL can have several additional logs, including a query log and a binary log. For information about conguring and rotating log les, see the
manual.html#Log_Files topic of the MySQL documentation, which is

located in MySQL-install-dir\Docs. SAS Metadata Server SAS-cong-dir\Lev1\SASMain\MetadataServer\logs This log le can grow quite large. SAS Object Spawner SAS-cong-dir\Lev1\SASMain\ObjectSpawner\logs
Log Files
Log Files for Client Applications
149
Object SAS Stored Process Server SAS Workspace Server Xythos WebFile Server
Log File Location and Notes SAS-cong-dir\Lev1\SASMain\StoredProcessServer\logs SAS-cong-dir\Lev1\SASMain\WorkspaceServer\logs SAS Workspace Server logging is not enabled by default. Xythos-install-dir\appserver-version\logs Created if you install Xythos as your WebDAV server. In addition, the database server that you use with Xythos typically has its own log les.
Log Files for Client Applications

Some of the client applications, such as SAS Financial Management Studio, congure logging options in their .ini les. In addition, Conguring Logging for ETL Jobs on page 140 explains how to log information from ETL jobs.
150
151
APPENDIX
3
Troubleshooting
General Troubleshooting Tips 151 Errors in the SASV9.CFG File 151 Errors in the Portal 152 BEA WebLogic Errors 153 IBM WebSphere Errors and Warnings 154 MySQL Errors 154 Errors Running Client Applications 154
General Troubleshooting Tips

3 Be sure that you run the correct version of the remote services. You must run the
version that is located in SAS-install-dir\SASSolutionsServices\1.3\RemoteServices, on the middle tier.
3 Be sure that you start the remote services before you start the managed servers. If
you restart the remote services and managed servers, you should also restart the object spawner.
3 Check log les. For information about nding and conguring log les, see
Appendix 2, Log Files, on page 147.
3 If you need to contact SAS Technical Support, it is a good idea to generate a status
report that can be sent along with your question. Check System Status on page 107 explains how to run the status utility from the command line, and Generate and Send a Status Report on page 101 explains how to generate a status report from the Solutions Web Administration console.
Errors in the SASV9.CFG File

3 You encounter an error in accessing a Java classfor example, when you try to
run a stored process, you receive an error message that one or more Java classes could not be found. Examine the JREOPTIONS in the SAS conguration le (sasv9.cfg). In particular, note the sequence of sasmisc (or misc) directories, which is important. Note: Some line breaks have been inserted for the sake of readability.
3 Windows congurations:
On Windows, this le can be found at !SASROOT\nls\en (for an installation in English). There are two sets of JREOPTIONS. The rst set should include
152
Errors in the Portal
Appendix 3
these values, which are set during solutions conguration (in addition to other values that are set during the platform conguration):
JREOPTIONS= (... -Denv.factory.location=http://host:port/SASConfig/EnvironmentFactory.xml -Dsas.javaobj.experimental=no)
The second set of JREOPTIONS applies only to the solutions and should have these contents:
JREOPTIONS= (-Dsas.app.class.dirs=!sasroot\soltnsdata\sasmisc; !SASROOT\core\sasmisc; !SASROOT\finance\sasmisc; C:\Program Files\SAS\Shared Files\applets\9.1)
If you did not install SAS Financial Management, the options will not include
!SASROOT\finance\sasmisc.
3 UNIX congurations:
On UNIX, there is a single set of JREOPTIONS in the sasv9.cfg le, which can be found at !SASROOT. The options should include these values, which are set during solutions conguration (in addition to other values that are set during the platform conguration):
JREOPTIONS= (-Dsas.app.class.dirs=!SASROOT/misc/soltnsdata: !SASROOT/misc/base:!SASROOT/misc/finance:!SASROOT/misc/applets ... -Denv.factory.location=http://host:port/SASConfig/EnvironmentFactory.xml -Dsas.javaobj.experimental=no)
If you did not install SAS Financial Management, the options will not include
!SASROOT/misc/finance.
Errors in the Portal

3 The WebLogic log indicates that the Solutions Role Administrator does not have a
login with the SPAuth authentication domain. Be sure that you have added Solutions Role Administrator to the Solutions Users group. 3 A user can log on to the Portal but cannot access the SAS Solutions Services portlets. Make sure that you added the user to the Solutions Users group or to a subgroup of Solutions Users. The UserGroupValidation utility checks for this group membership; see Validate Group Assignments on page 109. 3 You are not receiving administrator e-mail messages when you expect to. For example, you see a message informing you that an error has occurred and the administrator has been sent an e-mail message, but no message arrives. Make sure that you designated an SMTP server and e-mail addresses for administrative and error messages. The MailValidation utility checks to see that the e-mail interface was set up correctly; see Validate the E-Mail Interface on page 111. For instructions about designating the SMTP server and e-mail addresses, see Modify E-Mail Settings on page 97. 3 When you browse the portal pages, images are not displayed. (You see an "X" instead.) This problem might be caused by a DNS issue: Depending on your network area, fully qualied names are not always resolved to an IP address.
Troubleshooting
BEA WebLogic Errors
153
To circumvent this problem, you can change the connection information that is stored in the metadata, as follows: 1 Open SAS Management Console. 2 Select the Foundation repository. 3 Navigate to Application Management I Conguration Manager. 4 Right-click SASTheme_default and select Properties. 5 Click the Connection tab. 6 Modify the Host Name and click OK. Make similar changes, if appropriate, for the other objects that have
Connection tabs, in the Foundation repository and in other repositories. After
making your changes, stop and restart the remote services and the managed servers. Note: If you are using a WebLogic developers license, you are limited to ve connections, and this limitation can also result in images not always displaying correctly.
3 When you refresh a stored process, you receive a failed to authenticate error.
In SAS Management Console, check to see that the authentication domain for the SAS Stored Process Server is SPAuth. If it is not, change the authentication domain as follows: 1 Open SAS Management Console. 2 Select the Foundation repository. 3 From the navigation tree, expand Server Manager I SASMain I SASMain Logical stored Process Server I SASMain Stored Process Server. 4 In the right pane, right-click the Connection denition and select Properties. 5 Click the Options tab. 6 From the Authentication Domain box, select SPAuth. 7 Click OK. Make the same change to each of the load balanced (LB) connection denitions. You do not need to set any advanced options. If the authentication domain is correct, but you are still receiving stored process errors: 3 Try restarting the object spawner. 3 Make sure that the users groups and roles are sufcient for the task. For details, see Chapter 4, Authentication and User Security, on page 33. 3 In SAS Management Console, check to be sure that the stored process name and output location are correct.
BEA WebLogic Errors

3 You run startManagedWeblogic, but the WebLogic managed server does not start.
Be sure that the WebLogic Admin server is running. 3 The WebLogic Admin server (which has been installed as a service) does not start. If you changed the username, password, or classpath, you need to uninstall and reinstall the service so that it will pick up the new values. See uninstallservice.cmd and installservice.cmd in BEA-home-dir\user_projects\domains\SASSolutions.
154
IBM WebSphere Errors and Warnings
Appendix 3
3 You have a JDBC error when starting the managed server or when deploying one
of the applications. Be sure that the following conditions are true: 3 The JAR le for the JDBC driver is in the WEBLOGIC_CLASSPATH. If you installed MySQL after installing WebLogic, and you are running the WebLogic Admin server as a service, you need to uninstall the service and reinstall it so that it will pick up the new classpath that includes the JDBC driver. 3 There are no other versions of the JDBC driver being used. In particular, check the jre/lib/ext folder and delete any other versions of this driver. (Note that it is not sufcient to rename the JAR le; you must move or delete it.) 3 The path to libmysql.dll is in the system path.
IBM WebSphere Errors and Warnings

3 In the WebSphere logs, you see warnings that resemble the following:
An active transaction should be present while processing method ...
See Suppress Warning Messages for Data Access on page 73.
3 Your WebSphere log les do not capture all the logging information.
Resize the log les; see Increase the Log File Size on page 72.
3 Transactions time out.

Modify the Total transaction lifetime timeout property. See Set Total Transaction Lifetime Timeout on page 72.
MySQL Errors
If you encounter MySQL errors, be sure that the MySQL bin directory is on the users path. Here is a typical error message:
ERROR: The SAS/ACCESS Interface to MYSQL cannot be loaded. The libmysql code appendage could not be loaded. ERROR: Error in the LIBNAME statement. ERROR: an error occured during submission of libname command for SASLibrary object: HCMData. Regdata.regutil.class, method _buildLibname failed. ERROR: failure occured during _buildLibname() for SASLibrary HCMData. Regdata.BuildLibname.scl aborting. ERROR: Failure creating libref to: HCMData.
For complete instructions about installing and conguring MySQL, see the installation guide.
Errors Running Client Applications

3 When you try to run SAS Dimension Editor or SAS Financial Management Studio,
or when you try to log on to the middle-tier server from Microsoft Word or Microsoft Excel, you receive an error such as the following:
Troubleshooting
Errors Running Client Applications
155
Server Error detected; user could not be validated.
These client applications must validate the user on the middle-tier server. The J2EE application server must be running, and the client application must be able to nd the EnvironmentFactory.xml le, which contains site-specic information about one or more environments (see Client Setup on page 135). To modify the address of EnvironmentFactory.xml:
1 Open the client applications .ini le for editing. The .ini les are located in the
following locations:
SAS-install-dir\SAS Solutions Services\Add-In for Microsoft Office\SASSolutionsOfficeClient.ini SAS-installdir\SASSolutionsServices\DimensionEditor\1.3\SASDimEditor.ini SAS-installdir\SASFinancialManagement\Studio\4.3\sasfmstudio.ini
2 Find the reference to EnvironmentFactory.xml, which should have a value in
the form http://server-name:port/SASConfig/EnvironmentFactory.xml. The server-name should be the name of the middle-tier server, where the J2EE application server is running. The port should be the port number that is used to log on to the portal. Here is an example: http:// myserver.mycompany.com:7001/SASConfig/EnvironmentFactory.xml.
3 Save the le. 4 Restart the client application.
3 In SAS Data Integration Studio, when you try to run a job that loads data from
the DDS to SASSDM, you see an error like this:
ERROR: Could not instantiate class com/sas/solutions/etl/metadata/client/MDLoad at line 26 column 18. ERROR: DATA STEP Component Object failure. Aborted during the EXECUTION phase.
The SASManagedServer must be running in order to use some of the Web services that are necessary for this operation.
156
Index 157
Index
A
actions 31 Administer permission 54 administration 2 Administration Console 99 Administrators group 38 alerts 1 multiple 88 My Alerts portlets 87 types of 87 Apache Web server installation directory 4 moving themes to 75 port number 118 application administration command-line diagnostic tools 106 application properties 10 applications See also client applications conguration settings 96 conguring 2 conguring J2EE application server 25 conguring Web applications 25 conguring with SAS Management Console 96 connection information 97 error notications 99 honoring properties 96 loading client applications 25 maintaining and monitoring 100 quiescing the system 101 restarting the system 102 Solutions Web Administration 99 status of 101 status reports 101 architecture 2, 4 assumptions and recommendations 3 audit trails 32 viewing 103 auditing 32 authentication 29 host authentication 29 user security and 33 authentication domain changing, for SAS Stored Process Server 153 authentication provider 29 authorization 30 See also content security authorization object-based authorization facility 31
B
backup script 19 backups 19 batch job rights 21 BEA home directory 4 BIP Tree WebDAV server as content manager for Browse Employee Information task 85 bulk loading users and groups 49
128
C
clear users in role cache 105 client applications 136 loading 25 SAS Data Integration Studio 139 SAS Financial Management Add-In for Microsoft Excel 137 SAS Financial Management Studio 139 SAS Management Console 140 SAS Solutions Services Add-In for Microsoft Ofce 136 SAS Solutions Services Dimension Editor 139 SAS Strategic Performance Management Migration Wizard 139 troubleshooting errors 154 uninstalling 141 client setup 135 clock synchronization 26 collaboration 1 command-line administration tools status script 107 users script 109 command-line diagnostic tools 106 conguration 8 applications, with SAS Management Console 96 content conguration 22 content folders on Xythos WebFile Server 118 Information Delivery Portal 24 J2EE application server 25 log les 105 managed servers 65 modifying application settings 96 MySQL 115 security settings for folders and les 11 steps for 8
themes 75 Web applications 25, 74 conguration directory 4 Conguration Manager plug-in 96 connection information 97 content 51 See also content security authorization access permissions 53 conguring 22 creating 60 creating for site 24 creating stored process reports 60 default folders 53 importing 61 organizing 52 permissions 34 shared folder security 53 types 51 content administrators 22 assigning 82 assigning for a group 82 assigning for all portal content 82 types of 82 content folders conguring on Xythos WebFile Server 118 modifying permissions 15 structure 22 content manager WebDAV server as, for BIP Tree 128 content security authorization 53 content access permissions 53 default shared folder security 54 default user folder security 55 dening 55 in Document Manager properties 55 in SAS Management Console 56 in SAS OLAP Viewer 58 in SAS Web Report Studio 59 restrictive permissions property 60 SAS Guest user access 59 content types 51 conventions 4 Corporate Information portlet 85 cubes permissions for 23 repositories and 126 custom groups 41 custom page templates 84 custom trees 31 customizing the portal
158
Index
See portal customization
D
Daily Information portlet 85 dashboard 90 data and compute tier 2, 121 databases 122 Lev1\Data folder 122 Lev1\SASMain\SASSolutionsServices folder 122 metadata repositories 121 data exchanges securing 113 data-level security 2 data tables synchronizing 49 data tier log les on 148 data transmission security 31 data transmissions securing 15 databases 122 Default Backup 19 default folders 53 default groups 38 default portal pages 83 default portlets accessing 91 default shared folder security 54 default user folder security 55 default users 36 Delete permission 54 deployment descriptors for Web applications 74 diagrams 90 Dimension Editor 139 dimension management 2 Dimension Modeler role 44 directives 1 document management 1 Document Manager 52 creating folders 53 securing content in 55 security permissions 54 documentation conventions 4 documents creating a link to 90 Manage Documents task 85 domain servers 64
error notications 99 ETL Notications alerts 87 ETL transformations and jobs importing 17 loading 15 events setting permissions on 17 Excel reports 46 execute queues 67
host authentication 29
I
importing content 61 ETL transformations and jobs 17 Query and Reporting service 129 Information Delivery Portal conguring 24 information maps permissions for 23 repositories and 125 install scripts for Windows services 68 installation 3 MySQL 115 of software 9 planning 8 SAS/Graph maps 9 verifying 8 Windows services 68 installation directory 4 installation verication data 8
F
favorites See My Favorites portlets les security settings for 10 nancial forms 85 rewall 32 folders content folder structure 22 creating with Document Manager 53 default folders 53 default shared folder security 54 default user folder security 55 SAS Content folder 53 security settings for 10 Shared Documents folder 53 shared folder security 53, 57 Trash Can folder 53 Users folder 53 forcing log-off 103 Foundation domain server deploying SAS Web Report Studio to 128 deploying SAS Web Report Viewer to 128 Foundation managed server creating 130 deploying Web applications to 131 Foundation Services importing Query and Reporting service to 129
J
J2EE application server 29 conguring 25 securing conguration 15 Java Runtime Environment 140 Java services dening SAS Web OLAP Viewer for jobs importing ETL jobs 17 loading ETL jobs 15
126
K G
geographic analysis 85 group content administrators 82 group permission trees 50 groups 34 assignment 40 bulk loading 49 creating 21 custom groups 41 default groups 38 dening 34 enforcing content permissions 34 Portal Admins 82 roles and 34 SAS Data Integration Studio 48 SAS Intelligence Platform 38 solutions-wide 40 synchronizing users, groups, and roles key 32 key performance indicator (KPI) 1, 90
L
LDAP server 29 Lev1\Data folder 122 Lev1\SASMain\SASSolutionsServices folder 122 links adding to My Favorites portlets 89 to documents 90 load order for themes 68 loading client applications 25 ETL transformations and jobs 15 production data 24 sample data 19 log les 147 conguring 105 on data tier 148 on middle tier 147 log on as batch job rights 21
E
e-mail sending to selected users 103 sending to system users 102 e-mail addresses for administrative and error messages 10 for administrators 10 for notications 49 employee information 85 encryption 15, 32 error messages e-mail addresses for 10
49
H
hidden les and folders 3
Index 159
logging levels dynamically changing 106 logging off forcing 103 logging priorities 105 logs securing for portal security 91
New Scorecard Project task 85
O
object-based authorization facility 31 ODCS clustering 76 OLAP cubes permissions for 23 repositories and 126 OLAP server authentication 29 Open SAS Web OLAP Viewer task 85 Open SAS Web Report Studio task 85 operating environment 3 protection for 11 organization analysis 85
M
Manage Documents task 85 Manage Financial Forms task 85 Manage Measures task 85 Manage Scorecard Projects task 85 managed servers 64 changing port numbers 69 common environment 65 conguring 65 creating Foundation managed server 130 execute queues 67 load order for themes 68 selecting alternative port 71 starting 64 startup scripts 65 stopping 64 URL mapping 66 mapping URL mapping 66 measure and metric management 1, 85 merging les 126 metadata identities 33 creating 22 removing default identities 11 metadata repositories 121 securing 113 metadata security 30 metadata server authentication 29 threading options for 9 Microsoft Excel reports 46 Microsoft Ofce integration 2 middle tier 2 log les on 147 migrating SPM data 25 Migration Wizard 139 monitoring 26 monitoring applications 100 My Alerts portlets 87 adding 88 adding a custom portlet 88 My Favorites portlets 84 linking to 89 MySQL 115 installation and conguration 115 installation directory 4 securing data 114 security 116 MySQL Users group 38
P
page templates 83 applying 83 creating custom templates 84 deleting PUBLIC templates 83 pages displaying Web page content 89 portal pages 83 passwords 4 performance tuning system performance 26 Performance Aggregate Table portlet 90 Performance Association portlet 90 Performance Dashboard portlet 90 Performance Diagram portlet 90 performance management portlets 90 Performance Table portlet 90 permission trees 50 permissions content permissions 34 for content access 53 group permission trees 50 information maps 23 OLAP cubes 23 restrictive permissions property 60 role permissions 36 setting for events 17 Xythos content folders 15 Planning Workow alerts 87 port number 118 port numbers changing for managed servers 69 changing for SASManagedServer 69 changing for SASODCSServer 71 portal administration 81 accessing default portlets 91 assigning content administrator 82 creating default portal pages 83 customizing the portal 84 securing logs 91 Portal Admins group 82 portal customization 84 My Alerts portlets 87 My Favorites portlets 84 performance management portlets 90 URL display portlets 89
viewing reports 89 portal pages 83 creating default pages 83 page templates 83 portal security 91 portals troubleshooting errors in 152 portlets accessing default portlets 91 accessing Solutions Web Administration application from 100 My Alerts 87 My Favorites 84 Performance Dashboard 90 performance management portlets 90 Performance Table 90 SAS Strategic Management 90 searching for 84 URL display portlets 89 View a Report 89 ports default usage 143 selecting alternative port 71 presentation tier 2 production data loading 24 properties honoring application properties 96 PUBLIC group 38 PUBLIC templates deleting 83
Q
Query and Reporting service duplicating the deployment 129 importing to Foundation Services quiescing the system 101 129
R
Read permission 54 recommendations and assumptions 3 registering users 48 remote services 94 installing a service for starting 94 service for starting 10 starting 94 starting for managed servers 64 troubleshooting 151 reports viewing 89 repositories 125 cubes and 126 information maps and 125 metadata repositories 113 required skills 4 restarting the system 102 restoring the system 21 restrictive permissions property 60 role-based user interface customization and authorization 2 role cache, clearing 105
N
n-tier architecture 2, 4 New Geographic Analysis task 85 New Organization Analysis task 85
160
Index
roles 34 assignment 40 dening 35 enforcing permissions 36 for Excel reports 46 groups and 34 SAS Data Integration Studio 48 SAS Financial Management 43 SAS Human Capital Management 46 SAS Strategic Performance Management 42 solutions-wide 42 synchronizing users, groups, and roles 49 row-level security 31
S
sample data 8 loading 19 restoring the system 21 verifying with 19 SAS Administrator 37 SAS Content folder 53 SAS Data Integration Studio 139 groups 48 importing ETL transformations and jobs 17 loading ETL transformations and jobs 15 roles 48 setting permissions on events 17 setting up users 16 SAS Financial Management 2 roles 43 SAS Financial Management Add-In for Microsoft Excel 137 SAS Financial Management Studio 139 SAS Foundation Services 94 SAS General Server user 38 SAS/Graph maps installing 9 SAS Guest user securing access for 59 SAS Human Capital Management 2 non-English languages 10 roles 46 SAS Intelligence Platform groups created during installation 38 SAS Logging Service editing conguration 105 SAS Management Console 140 conguring applications with 96 securing content with 56 SAS Notes 27 SAS OLAP Viewer securing content 58 SAS Solutions Services 1 SAS Solutions Services Add-In for Microsoft Ofce 136 SAS Solutions Services Dimension Editor 139 SAS Stored Process Server changing authentication domain 153 SAS Stored Process user 39 SAS Strategic Management portlets 90 SAS Strategic Performance Management 2 roles 42 SAS Strategic Performance Management Migration Wizard 139 SAS Trusted User 37, 38
SAS Web OLAP Viewer 126 dening for Java services 126 deploying 127 merging les 126 testing 127 SAS Web Report Studio 133 deploying to Foundation domain server 128 Open SAS Web Report Studio task 85 query cache 11, 13 securing content 59 testing deployment 133 SAS Web Report Viewer 133 deploying to Foundation domain server 128 testing deployment 133 SASManagedServer 64 changing port number for 69 SASODCSServer 64 changing port number for 71 SASUSERS group 38 scorecards displaying data in tabular form 90 Manage Scorecard Projects task 85 New Scorecard Project task 85 scripts managed server startup scripts 65 status script 107 users script 109 searching for portlets 84 security 29 See also content security authorization See also server security auditing 32 authentication 29 authentication and user security 33 authorization 30 data-level 2 data transmissions 15 default shared folder security 54 default user folder security 55 J2EE server conguration 15 metadata security 30 MySQL 114, 116 removing default metadata identities 11 row-level 31 securing logs for portal security 91 server security and data transmission 31 settings for folders and les (UNIX) 13 settings for folders and les (Windows) 11 shared folder security 53, 57 system security 10 WebDAV installation 15 server clock synchronization 26 server security 31, 113 communications between other servers 114 data exchanges between server components 113 metadata repositories 113 session timeout values 74 setlocs.sas le 10 Shared Documents folder 53 shared folder security 53, 57 default 54 skill requirements 4 software installation 9 SAS Stored Process Server and 153 solutions 2 solutions administration utilities 96
Solutions Role Administrator 37 Solutions Users group 38 Solutions Users templates See page templates Solutions Web Administration forcing users to log off 103 logging priorities 105 sending e-mail to selected users 103 sending e-mail to system users 102 viewing user audit trails 103 Solutions Web Administration application 99 accessing directly 100 accessing from a portlet 100 Administration Console 99 logging levels 106 maintaining and monitoring applications 100 tools for working with users 102 solutions-wide groups 40 solutions-wide roles 42 SPAuth authentication domain 39 SPM data migrating 25 startup scripts managed servers 65 status of applications 101 status reports 101 status script 107 stored process reports 46 creating 60 stored process server authentication domain 39 synchronizing server clocks 26 synchronizing users, groups, and roles 49 system backup 19 system monitoring 26 system performance tuning 26 system security 10 system verication 19
T
tabular data displays 90 tasks 85 testing SAS Web OLAP Viewer 127 SAS Web Report Studio deployment 133 SAS Web Report Viewer deployment 133 themes conguring 75 load order for 68 moving to Apache Web server 75 winter theme 75 third-party servers 29 threads options for metadata server 9 tiered architecture 2, 4 timeout values 74 transformations importing ETL transformations 17 loading ETL transformations 15 Trash Can folder 53 troubleshooting general tips 151 portals 152 remote services 151
Index 161
running client applications 154 WebLogic managed server 153 tuning system performance 26
U
uninstall scripts for Windows services 68 uninstalling client applications 141 UNIX security settings for folders and les 13 URL display portlets 89 URL links linking to My Favorites portlets 89 user audit trails 103 user folder security, default 55 user identities cached 37 user interface customization and authorization 2 User Opt-in alerts 87 user security authentication and 33 UserGroupValidation utility 22 users bulk loading 49 clear role cache 105 creating 21
default users 36 log on as batch job rights 21 registering 48 sending e-mail to 102, 103 setting up Data Integration Studio users 16 synchronizing users, groups, and roles 49 Users folder 53 users script 109 utilities for solutions administration 96
V
verifying the system 19 View a Report portlet 89 creating 89
W
Web applications as tasks 85 conguring 25, 74 deploying to Foundation managed server 131 deployment descriptors 74 session timeout values 74
Web browser 4 Web pages displaying content of 89 WebDAV 117 Apache port number 118 content folders on Xythos WebFile Server 118 securing installation 15 WebDAV server as content manager for BIP Tree 128 WebLogic managed server troubleshooting errors 153 WebLogic managed servers See managed servers WebSphere administration 71 Windows security settings for folders and les 11 Windows services install and uninstall scripts 68 installing 68 winter theme 75 Write permission 54
X
Xythos WebFile Server conguring content folders on 118 installation directory 4 modifying content folder permissions
15
Your Turn
If you have comments or suggestions about SAS Solutions Services 1.3: System Administration Guide, Second Edition, please send them to us on a photocopy of this page or send us electronic mail. For comments about this book, please return the photocopy to SAS Publishing SAS Campus Drive Cary, NC 27513 E-mail: yourturn@sas.com For suggestions about the software, please return the photocopy to SAS Institute Inc. Technical Support Division SAS Campus Drive Cary, NC 27513 E-mail: suggest@sas.com

SAS® Solutions Services 1.3

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

SAS® Solutions Services 1.3

Încărcat de

Drepturi de autor:

Formate disponibile

SAS Publishing

SAS Solutions Services 1.3

System Administration Guide Second Edition

4 Understanding SAS Solutions Services

4 Planning, Installing, and Conguring SAS Solutions Services and the

4 Planning the Sites Security

4 Authentication and User Security

4 J2EE Server Administration

4 Server Security and Encryption 4 MySQL Server Administration

4 WebDAV Server Administration

Overview 121 Metadata Repositories Databases 122

The Lev1\Data Folder 122 The Lev1\SASMain\SASSolutionsServices Folder

Overview 125 A Note about Repositories

Client Setup 135 Client Applications 136 Java Runtime Environment

4 Client Installation and Conguration

4 Default Port Usage

Overview of Log Files 147 Log Files on the Middle Tier

Overview of SAS Solutions Services

3 Role-based user interface customization and authorization provide a means of

Understanding SAS Solutions Services

Assumptions and Recommendations

Figure 1.1 SAS Solutions Services Tiered Architecture

SAS Data Integration Studio

Assumptions and Recommendations

Refers to path to the SAS installation directory

Examples Windows: C:\Program Files\SAS UNIX: /usr/local/SAS

path to the conguration directory

Windows: C:\SAS\SASSolutionsConfig UNIX: /usr/local/SAS/ SASSolutionsConfig

path to the BEA WebLogic home directory

Windows: C:\bea UNIX: n.a.

path to the IBM WebSphere installation directory

UNIX: /usr/local/WebSphere Windows: n.a.

Understanding SAS Solutions Services

Refers to path to the MySQL installation directory

Examples Windows: C:\mysql UNIX: /usr/local/mysql

path to the Apache installation directory

Windows: C:\Program Files\Apache Group\Apache2 UNIX: /usr/local/IBMIHS

path to the Xythos WebFile Server installation directory

Windows: C:\Xythos UNIX: /usr/local/SAS/xythos

Plan the Installation

Planning, Installing, and Conguring

Congure the SAS Servers for Alternative Authentication Mechanisms (Optional)

Install the Software

Platform, as well as SAS Solutions Services and any licensed solutions.

Install SAS/GRAPH Maps (Optional)

listing under SAS 9.1.

Change Threading Options for SAS Metadata Server (Optional)

Congure the SAS Servers for Alternative Authentication Mechanisms (Optional)

Set Application Properties

Set Application Properties

3 Set e-mail addresses for administrators.

3 Optionally, install a service to start the remote services.

Make Localization Changes, If Necessary

2 Change directory as follows:

Windows: !SASROOT\hrds\sasmacro UNIX: !SASROOT\sasautos 3 Open the setlocs.sas le for editing.

SAS Management Console.

Secure Your System

Planning, Installing, and Conguring

Congure Security Settings for Folders and Files (Windows)

Remove Unnecessary Default Metadata Identities

Congure Security Settings for Folders and Files (Windows)

Protect System Conguration Folders

BatchServer, SASEnvironment, Users, Utilities, WorkspaceServer WorkspaceServer\logs