In a tweet by Gordon Cox last month, I was reminded of the restricted options facility available with SAS® software on UNIX platforms. This is a capability where an administrator can set mandatory SAS system options at multiple levels of granularity: globally, per-group, and/or per-user. The reason for this post is that I don’t look at the documentation for this very often and every time I do it takes me a while to track it down. I always think it’s going to be in the UNIX companion in the Base SAS area… but it’s not! That gets me every time. Instead it’s tucked away in the Configuration Guide for SAS 9.2 Foundation for UNIX Environments (PDF) in Chapter 2 – Restricted Options. You can find this document in the Install Center section of support.sas.com under SAS Installation Note 36467: Documentation for a SAS® 9.2 installation on UNIX.
The context of the tweet was that the restricted options facility is another mechanism whereby a default setting of the NOXCMD option for SAS platform servers could be overridden for a subset of trusted users or groups in a SAS platform installation. The NOXCMD option is discussed in an earlier post: NOXCMD: NO eXternal CoMmanDs!
A quick summary of restricted options:
- SAS system options under UNIX that are set by an administrator and cannot be changed by a user
- Processed in the order global, group, then user. The last instance of an option is the one that wins.
- Global restrictions are read from the file !SASROOT/misc/rstropts/rsasv9.cfg
- Group restrictions are read from the file !SASROOT/misc/rstropts/groups/<groupname>_rsasv9.cfg
- User restrictions are read from the file !SASROOT/misc/rstropts/users/<userid>_rsasv9.cfg
On Linux (at least) I can use the command “id -gn <userid>” to find out the effective group name for a user, given their user id. For example, “id -gn sassrv” might generate “sas”.
In my SAS 9.2 installation on Linux, whilst everyone else is still constrained by the NOXCMD option, I can ensure that the SAS Enterprise Guide user Bob Baxter, who has a user id of bob, can still use operating system commands in the SAS programs he runs on the SASApp server, by creating the file /usr/local/SAS/SASFoundation/9.2/misc/rstropts/users/bob_rsasv9.cfg with the following contents:
-xcmd
Of course, this only applies to SAS processes launched and run as the requesting user. Whilst it can be used to override NOXCMD for specific users/groups using a standard workspace server, it can’t be used to distinguish between different users on the same stored process server, since all users will share SAS stored process server processes running under a shared identity (like sassrv). In that situation directing the users to separate SAS application servers would be more appropriate. There is an example of this in Jim Fenton & Robert Ladd’s SAS Global Forum 2010 paper 311-2010: A Practical Approach to Securing a SAS® 9.2 Intelligence Platform Deployment.
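To check which restricted XCMD setting a given user actually ends up with, and which group or user files grant XCMD at all, the lookup order above can be scripted. This is an added example, not code from the original post or from SAS; the function names, the constructed demo tree, the user alice, and the assumption that options appear as whitespace-separated -xcmd / -noxcmd tokens are all mine.

```shell
#!/bin/sh
# Added example. Assumption: options appear as whitespace-separated
# -xcmd / -noxcmd tokens; config-file comments are not parsed.

# Print the last XCMD setting in one file ("xcmd", "noxcmd" or nothing).
last_xcmd() {
    awk '{ for (i = 1; i <= NF; i++) { o = tolower($i)
             if (o == "-xcmd" || o == "-noxcmd") last = substr(o, 2) } }
         END { print last }' "$1"
}

# Resolve the restricted XCMD setting for a user: global, then group, then
# user, with the last instance winning. Prints "<setting> <deciding file>".
# $1 = SASROOT, $2 = user id, $3 = group (defaults to "id -gn <userid>").
effective_xcmd() {
    dir="$1/misc/rstropts"; user=$2; group=${3:-$(id -gn "$user")}
    setting=unrestricted; from=-
    for f in "$dir/rsasv9.cfg" "$dir/groups/${group}_rsasv9.cfg" \
             "$dir/users/${user}_rsasv9.cfg"; do
        [ -f "$f" ] || continue
        hit=$(last_xcmd "$f")
        if [ -n "$hit" ]; then setting=$hit; from=$f; fi
    done
    printf '%s %s\n' "$setting" "$from"
}

# Audit: list every group or user file that turns XCMD on.
xcmd_grants() {
    for f in "$1"/misc/rstropts/groups/*_rsasv9.cfg \
             "$1"/misc/rstropts/users/*_rsasv9.cfg; do
        [ -f "$f" ] || continue
        if [ "$(last_xcmd "$f")" = xcmd ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample tree (not a real installation): NOXCMD restricted
# globally and for group sas, XCMD granted to user bob only.
demo=$(mktemp -d)
mkdir -p "$demo/misc/rstropts/groups" "$demo/misc/rstropts/users"
echo "-noxcmd" > "$demo/misc/rstropts/rsasv9.cfg"
echo "-noxcmd" > "$demo/misc/rstropts/groups/sas_rsasv9.cfg"
echo "-xcmd"   > "$demo/misc/rstropts/users/bob_rsasv9.cfg"
effective_xcmd "$demo" bob sas      # xcmd, decided by bob_rsasv9.cfg
effective_xcmd "$demo" alice sas    # noxcmd, decided by the group file
xcmd_grants "$demo"                 # lists only bob_rsasv9.cfg
```

A result of "unrestricted" means no restricted options file mentions XCMD, so the server's own configuration decides the setting.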
Thanks to Gordon for reminding me about the restricted options facility.
Paul, this topic fits well with some new capabilities in 9.3, where the options facility can reveal more information about how a system option was set, and from what source (which config file). See the details in this topic: http://support.sas.com/documentation/cdl/en/lesysoptsref/63325/HTML/default/viewer.htm#n1ag2fud7ue3aln1xiqqtev7ergg.htm
Hi Chris,
Thanks for the info/link. Those new options certainly look like they will be good for troubleshooting. I’ll have to check them out. Can’t wait to get hold of SAS 9.3!
Cheers
Paul
It’s really an awesome thing !!!
Hi There,
I have a thought here. In most of the environments, endusers will not have direct shell access to OS. That is one of the reasons why they prefer to use XCMD from SAS to access server resources.
If we allow all users to use XCMD from SAS and if we deny their Shell Execute access from the server, then they still won’t be able to execute X Commands. But the only thing is, when they try to run proc option option=XCMD, it may say that XCMD is enabled.
But in fact it will not work. What do you think about this approach?
Hi Rambill,
Sorry, I’m not entirely sure I understand which approach you are taking. It sounds like you plan on allowing XCMD access from SAS but denying the ability to execute shell commands / scripts / executables at the level of the operating system. Could you provide a little more information on the specific method(s) you are planning to use to implement this restriction?
Thanks
Paul
I’ve since found out that SAS 9.3 for Windows also documents support for restricted options at the global and user level (but not at the group level it seems). There are more details in chapter 4 of the following configuration guides located in the Install Center area of support.sas.com:
* Configuration Guide for SAS 9.3 Foundation for Microsoft Windows
* Configuration Guide for SAS 9.3 Foundation for Microsoft Windows for x64
Restricted options do not appear to be documented with SAS 9.2 for Windows.