Checklist Of SAS Viya Administration Tasks


Technical Paper
Checklist of SAS Viya Administration Tasks

Contact Information
David Stern
Principal Technical Architect, Global Enablement & Learning
44 1628 490851
Cell: 44 7775 754259
David.Stern@sas.com

Release Information
Content Version: 1.3 March 2019

Trademarks and Patents
SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513.
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration.
Other brand and product names are registered trademarks or trademarks of their respective companies.

Contents
Introduction
    How to Use This Checklist
    Intended Audience
    SAS Viya Administration Training and Certification
    Applicability to SAS Versions
    Applicability to Containerized and Multi-Tenant Deployments
    Applicability to SAS Solutions and Products
    Permission to Share This Document
Checklists
    Initial Task Checklist
    Regular Task Checklist
Example Housekeeping Schedule
Credits and Acknowledgments

Introduction

This document contains two lists of tasks. There is a schedule for the second list. You, as an IT administrator or a SAS administrator, should consider these lists for the SAS Viya environments that you maintain. Perform all tasks that are relevant to your environment to keep your SAS Viya deployment operating at its best over the long term.

The first list contains initial tasks, which are normally performed as one-off activities. They are performed usually shortly before, during, or soon after the SAS platform is installed and deployed. Most initial tasks should be reviewed whenever you make significant changes to your platform (such as adding new hardware or software, migrating, or upgrading the version of SAS or other major components). Significant project work to deliver custom SAS application functionality on your platform often requires these initial tasks to be repeated or revised.

The second list contains regular tasks, which should be performed at different times to keep your platform healthy, secure, and efficient.

Some tasks contain additional commentary. Some tasks contain brief details about how they are performed. You might need to consult other resources for more detail. Some links to documentation and blog posts are included in the commentary for the tasks, but you will need to consult the documentation for further guidance.

These tasks are applicable to Linux SAS deployments of SAS Viya only.

In the task descriptions, the words server or service always mean one or more programs [1] running on a physical or virtual host machine. They never mean the host machine itself. Occasionally, service (or microservice) refers to a Spring Boot-based SAS Viya software component, and server refers to a software component developed using some other framework. For administrators, this distinction is important only in a few specific situations (for example, when managing log levels and other service- or server-specific configurations). They can otherwise be ignored.

[1] This type of program might be called a service, process, or daemon.

How to Use This Checklist

Many of the tasks in this checklist take significant effort to complete. It is not likely that an administrator will simply check them off, unless he or she is reviewing the administration framework already in place for an established SAS platform. For this reason (among others), do not leave administration and housekeeping tasks until the end of your implementation project as an afterthought. Consider every item on this checklist at the beginning of an implementation project. Plan the project to include deliverables relating to each task that you choose to perform with appropriate timescales, dependencies, and resource and effort allocation to ensure they can be completed.

The ongoing, regular housekeeping tasks in the second list can be considered the role and responsibility of a SAS administrator or IT administrator.

If you are not sure what a SAS administrator does, the two checklists serve as a good starting point for a job description to which duties more unique to your environment can be added. The initial tasks stray freely into the areas of enterprise and technical architecture, installation and deployment, and implementation and customization. Some tasks might not be the responsibility of a SAS administrator in your organization, but it is important for the administrator to know whether and how they have been done by the project implementation team. Some of these tasks have significant overlap with general IT administration and governance.

Although this document is presented as a checklist, the check boxes might be of modest use to you. (This is why they are small.) You might want to use them to capture your environment’s current and planned conformity with the list of completed one-time initial tasks. Or, you can use them to assess your SAS and IT administrators’ conformity with the suggested list of regular housekeeping tasks. For example:

- Not yet considered
- Rejected, not applicable
- To be done (!)
- Completed satisfactorily or done regularly

We welcome comments and feedback on these task lists. Please contact the author directly or his colleagues on the Global Enablement and Learning team if you have questions, comments, or suggestions for improvement.

Intended Audience

This checklist is intended for a wide audience both inside and outside SAS. Some of the documents and pages referenced in this document are located on SAS internal systems (such as the Knowledge Sharing Application, a successor to ToolPool).
They are not accessible to readers outside SAS.

You can share this document with SAS customers as described in section Permission to Share This Document.

This document is intended for both new and experienced SAS and IT administrators. It is intended for experienced SAS technical staff in consulting, architecture, customer support, pre-sales, installation, (STIC), and other technical functions. If you think this document could be enhanced for an audience, contact the author with your suggestions. All feedback is welcome. Future versions of this paper will be greatly improved if its readers take the time to offer feedback.

SAS Viya Administration Training and Certification

Familiarize yourself with available SAS Viya training from SAS. The training page can help you find training material on getting started, administration, data management, programming and analytics, SAS Visual Analytics on SAS Viya, and specific SAS Viya solutions such as SAS Visual Investigator. Courses can be taught in a classroom, as a live web class, or as self-paced e-learning.

Are you a SAS Viya administrator? If so, you should become familiar with all administration interfaces to SAS Viya. Learn what each of the pages in SAS Environment Manager does.

If you have SAS Data Preparation products, learn how to use SAS Data Explorer, SAS Data Studio, and SAS Lineage.

Learn how to use the command-line interfaces for SAS Viya administration.

Learn about Ansible and consider attending an Ansible course such as the Ansible webinar. It is a very useful tool for SAS Viya administrators.

Applicability to SAS Versions

The current version of SAS Viya is SAS Viya 3.4, which shipped in July 2018. To the best of our knowledge, all guidance in this document will continue to be relevant for future releases of SAS Viya. If you have a later version of SAS Viya, you should refer to equivalent support documentation for the release that you have.

We take no liability for errors or omissions in the content of this document, which is written based on individual consultants’ field experience and shared in this document in good faith.

Applicability to Containerized and Multi-Tenant Deployments

We recognize that deployments of SAS Viya into Docker and other containers are expected to become an important deployment model in the future. For such containerized deployments, the SAS administrator needs to work closely with or become a Docker (or other container technology) administrator. This paper and the checklists in it do not have container-specific advice for SAS administrators.

SAS Viya can be deployed in a multi-tenancy mode. Where relevant, we will indicate where tasks in the checklists are relevant only to the provider or to a tenant in a multi-tenant deployment or to both. Most tasks are the same in multi-tenant deployments, so there is no need to make a distinction.

Applicability to SAS Solutions and Products

The checklists in this document are focused on administration of SAS Viya and SAS Visual Analytics. They do not contain advice for any other specific SAS products or solutions. If your SAS Viya implementation includes an industry-specific or analytically focused SAS solution, discuss the specific administration tasks that you should perform for that solution with your SAS implementation team or with your SAS account manager, who can refer you to appropriate expert support.

Permission to Share This Document

SAS Institute Inc. allows any person obtaining a copy of this document to use, copy, modify, merge, publish, distribute, and share this document on the basis that this document and its contents are provided “as is” without warranties of any kind whatsoever.

This document does not form part of any agreement between you and SAS (or any SAS companies or affiliates). Neither the authors nor copyright holders of this document shall be liable for any claim, damages, or other liability whatsoever arising from the use of or dealings with this document.

Checklists

Initial Task Checklist

Tasks 1 to 38 in the checklist are larger tasks. You should consider performing them once. You should revisit these tasks if major elements of SAS Viya change or your business requirements change. Tasks in this checklist do not need to be repeated on a regular scheduled basis.

Task 1: Ensure you can identify the components of SAS and third-party software that make up SAS Viya.
When: After platform changes.

Know on which host the components run and have a basic awareness of what each component does.

If you do not already have one, create a shared location where all relevant documentation describing your SAS platform can be stored and used by all SAS or IT administrators and project delivery staff working on the SAS environments in your organization.

Use this shared location to store up-to-date architecture documents, installation checklists, post-installation documents, security models, log locations, this administration checklist, and other documentation describing the structure and operation of your SAS platform. This location should include a document named D30 ArchitecturePlan that might have been created for you as part of the SAS Intelligent Platform Implementation methodology.

An administrator is encouraged to maintain bookmarks to online versions of the SAS Viya Administration guide, SAS Deployment Guide, and more references on the support.sas.com website for the versions of SAS Viya that he supports. These bookmarks should be on the administrator’s preferred web browser.

All SAS Viya user interfaces are web-based (SAS Viya 3.4 and earlier). If you have SAS 9 running beside SAS Viya, then your deployment will include SAS 9 client applications on each user’s PC. For example, on a Citrix or terminal server.

SAS Viya hosts typically run one and occasionally both of the following services: SAS Viya or CAS.
It is common to have more than one host serving each service because the memory (RAM) required for each service can be larger than the memory available on the host. It is common to distribute SAS Viya services across multiple hosts to spread the load. Copies of SAS Viya services can be deployed across multiple hosts to provide higher performance and higher availability.

Your administrator should learn how your SAS Viya services are deployed across your hosts. There are several ways to do this.

1. Review the inventory.ini files used to deploy and configure SAS Viya services using Ansible. Find the inventory files in the sas_viya_playbook on your Ansible controller. The hosts in your deployment and the groups of hosts on which predefined sets of SAS Viya services are deployed are defined in this file, making it one of the most useful files for SAS administrators to be familiar with.

   Note: There can sometimes be more than one inventory file in a sas_viya_playbook directory. You might have a current version and older versions if you have redeployed with a new distribution of servers across your hosts. You might have several current versions if extra hosts have been added to your SAS Viya deployment since its initial deployment or if you have a multi-tenant deployment.

2. The SAS Environment Manager web application’s Dashboard page has an Availability portlet, which shows services that are currently registered on the SAS Configuration Server. (There is always a SAS Configuration Server in a SAS Viya deployment.) This portlet can be used to identify services and the hosts on which they are running.

   Note: When a service is stopped gracefully, it deregisters itself from the SAS Configuration Server. As a result, the information about hosts and services on the Availability portlet can be incomplete.

3. As root or as a user with sudo privilege, run a status command for the sas-viya-all-services service on each host in your deployment to determine the names of SAS Viya services registered on each host. One way to do this is using an Ansible command from the Ansible controller. For example:

       cd /sas_viya_playbook ; ansible all -m shell -a "service sas-viya-all-services status"

4. View details of your SAS Viya license and the products included in your order from the SAS Environment Manager Licensed Products page.

5. SAS employees can view details of a software order in the internal SAS COMSAT system.

There are other ways to learn which services run on which hosts. Learn more about SAS Viya services and their management in the General Servers and Services: Overview in the SAS Viya Administration guide or from the equivalent documentation for your version of SAS Viya.

One host in your deployment acts as the Ansible controller. Ansible is used for deployments, updates, and upgrades. It is used to start and stop services, for other distributed administration tasks, and for running playbooks or submitting individual commands.
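The inventory review in method 1 above can be scripted. The following is an added example, not part of the original paper or of SAS tooling: it reads an Ansible INI inventory and reports, for each host, the groups it belongs to, plus hosts that are listed in a group without a definition line or defined without any group. The sample inventory, host names and group names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory; host and group names are illustrative only.
SAMPLE_INVENTORY = """\
viya01 ansible_host=viya01.example.com ansible_user=deploy
cas01  ansible_host=cas01.example.com  ansible_user=deploy
old01  ansible_host=old01.example.com  ansible_user=deploy

[CoreServices]
viya01

[consul]
viya01

[sas-casserver-primary]
cas01

[CommandLine]
viya01
cas01
viya02   # listed here but never defined above

[sas-all:children]
CoreServices
consul
sas-casserver-primary
CommandLine
"""


def parse_inventory(text):
    """Parse Ansible INI inventory text into (defined, members, children)."""
    defined = {}                  # alias -> variables from its definition line
    members = defaultdict(set)    # group -> hosts listed directly in it
    children = defaultdict(set)   # parent group -> child groups
    section, kind = None, "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, suffix = line[1:-1].partition(":")
            kind = suffix or "hosts"
            continue
        if kind == "vars":        # group variables do not affect membership
            continue
        if kind == "children":
            children[section].add(line)
            continue
        alias, *pairs = line.split()
        hostvars = dict(p.split("=", 1) for p in pairs if "=" in p)
        if section is None or hostvars:
            defined.setdefault(alias, {}).update(hostvars)
        if section is not None:
            members[section].add(alias)
    return defined, members, children


def expand(group, members, children, seen=None):
    """Hosts in a group, including hosts inherited through :children."""
    seen = set() if seen is None else seen
    if group in seen:             # guard against circular group references
        return set()
    seen.add(group)
    hosts = set(members.get(group, ()))
    for child in children.get(group, ()):
        hosts |= expand(child, members, children, seen)
    return hosts


def groups_by_host(text):
    """Map each host alias to the sorted list of groups it belongs to."""
    defined, members, children = parse_inventory(text)
    table = {alias: [] for alias in defined}
    for group in sorted(set(members) | set(children)):
        for alias in expand(group, members, children):
            table.setdefault(alias, []).append(group)
    return table


def inventory_problems(text):
    """Hosts worth a second look when several inventory files are in play."""
    defined, members, _ = parse_inventory(text)
    grouped = set().union(*members.values()) if members else set()
    return {"undefined": sorted(grouped - set(defined)),
            "ungrouped": sorted(set(defined) - grouped)}


if __name__ == "__main__":
    for host, groups in sorted(groups_by_host(SAMPLE_INVENTORY).items()):
        print(f"{host}: {', '.join(groups) or '(no groups)'}")
    print(inventory_problems(SAMPLE_INVENTORY))
```

Running the same functions over each inventory file in the playbook directory and comparing the results shows which file matches the current distribution of services.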
The Ansible controller often performs other SAS Viya or CAS roles because Ansible has no permanently running services. When it is not being actively used, it consumes no compute, memory, or network resources.

Task 2: For enterprise-scale deployments, define a Service Level Agreement (SLA).
When: Outline pre-install, review, and adjust post-install. See initial task 18.

The SLA states the measures that you use for service-level monitoring and reporting and how they will be calculated. Implement a service-level reporting product to calculate these measures when they are based on time-history data from a service-level monitoring component.

Consider measuring service-level performance for the system as a whole and for specific subsystems that can operate independently.

Measure the service-level performance using metrics such as availability (over specific periods of time), duration of each period of unavailability that is considered an outage, duration of planned outages, mean time between unplanned outages, and actual recovery time from unplanned outages versus recovery time objective. (The last value is, in other words, when recovery is successfully achieved, which is either within the recovery point objective or is when you are forced to recover to an earlier recovery point because of a corrupted backup, and so on.)

Task 3: Define your organization’s SAS support team structure, roles, and responsibilities.
When: After organizational and platform changes.

Document it. If appropriate, document when team members are scheduled to be on duty. Identify the training needs of each team member, including SAS training.

Your support team might include SAS and IT administrators, storage and database administrators, product or technical specialists, and other support staff who assist users and keep services running.

Task 4: Consider whether you require premium or customized support for your SAS deployment.
When: Before and/or after platform changes.

Consider whether the members of your SAS support team can perform all the administrative and support tasks that you want. Appropriate training might be necessary.

Discuss your potential requirements for premium or customized support with your SAS account manager or with your SAS partner. Your discussion could be based on the checklists in this document. Discussions should include your specific business applications for your SAS software.

Task 5: Write and maintain a security policy that covers the SAS platform.
When: Before and/or after platform changes.

Most organizations have a wider security policy in place. We recommend you include a section in that security policy or a separate document to define policies specific to the SAS platform.

This should preferably be defined with the assistance of an experienced SAS architect before SAS software is installed because the installation process involves making several decisions about security. Security features are much less likely to be disruptive if applied during or immediately after installation than if they are applied retrospectively. The security policy should be periodically reviewed and revised as necessary throughout the lifetime of the platform.

The security policy should cover the following tasks:

- How users of the SAS platform are authenticated (LDAP, Kerberos or IWA, OAuth, SAML, host accounts etc.) and how user identities and group memberships are stored in the required LDAP directory structure.
- Set authorization (access rights and permissions) in SAS Viya, any databases accessed via SAS, Hadoop (for example, Hive), and operating-system-managed assets (for example, files and directories in the file system) used by SAS at a high level. Detailed authorization design is addressed by the security model in the next task.
- Manage certificates for Transport Layer Security.
- Encrypt content at rest (for example, data, files, code, passwords, and data sets stored on disk and data stored in databases).
- Encrypt data in motion (for example, data, credential, and message transmission using Transport Layer Security).
- Adopt standards of encryption and management, complexity, reuse, protection, and lifespan of cryptographic keys, passwords, salts, and so on.
- Protect system integrity (including physical security, availability, backup and recovery objectives, security of power, cooling, and so on).
- Audit.

Task 6: Write and maintain a security model or an authorization model.
When: Before and/or after platform changes and in tandem with organizational changes.

The model implements certain requirements of your security policy and describes how users should be organized into groups. Groups determine their access to resources such as SAS Viya content, data, and application functionality. Define how users and groups will be added to, updated in, and removed from the SAS platform. (See also task 7.)

Define what operating-system-specific settings and rights are required for each group of users of the SAS platform and whether any specific password management policies should apply (complexity, lifetime, and so on).

There are several major components of a security model for the platform. You should maintain two document versions of your security model. The first is a relatively static document that defines the overall principles and guidelines for how users are managed and granted or denied permissions. But, it avoids user-specific detail. The second is a more frequently changing living document that records the specific state in which users and groups (within the context of the SAS platform) should currently be.

Users and groups in SAS Viya are defined in an external LDAP directory server such as Active Directory and loaded by the SAS Viya Identities service. Additional custom groups are defined and managed by the Identities service. They can also be managed through the SAS Environment Manager Users page and through the sas-admin identities command-line interface.

See SAS Viya Administration: Identity Management or the equivalent for your version of SAS Viya for more on managing identities.

See SAS Viya 3.4 Administration: Orientation to Authorization for a guide to the CAS authorization system and the SAS Viya general authorization system, which are used together in SAS Viya deployments.

Task 7: Define a process for onboarding and off boarding users.
When: After platform changes. See regular task 39.

Document any steps that must be performed when new users are onboarded and given access to your SAS Viya deployment.

Because users in SAS Viya are added and removed only through your LDAP directory server, consider whether and how you will know when users are added, moved, or removed. Consider group memberships for new or leaving users, especially custom group memberships. Does your onboarding or off boarding process need steps to maintain the application of your authorization model for new users? Do new users require training or orientation? Should they be required to agree to any terms or conditions of use or working practices before gaining access?

Learn about your LDAP provider (for example, Active Directory, OpenLDAP, or something similar). Know what Distinguished Names, Common Names, Entries, and Attributes are.
Learn how to use an LDAP client GUI to view (or edit if you have permission) the LDAP directory used by your SAS Viya deployment. Familiarize yourself with its structure.

Review the objectFilter queries in the sas.identities.providers.ldap.group and sas.identities.providers.ldap.user configuration instances for the Identities service on the Configuration page of SAS Environment Manager. Consider adjusting objectFilter queries to modify the groups and users returned to your deployment’s Identities service to exclude unwanted users and groups from the SAS Viya deployment.

You might find Gerry Nelson’s post on the SAS Users blog about LDAP basics for the SAS Viya Administrator helpful, along with the official documentation in the Identities Service Configuration topic. This is mostly a post-installation task, but it is useful for SAS Viya administrators to know about it.

Task 8: Ensure that home directories get automatically created for users if they do not already exist.
When: Pre-install or post-install.

Although most SAS Viya services and processes run under a shared identity such as sas or cas, several SAS Viya processes run as the user instead so that the user’s permissions on file system files, data, and other resources are applied correctly.

The following three services might run as the user. When they run as the user, they expect the user to have a home directory on the server on which they run, or they might fail.

1. SAS Launcher Server and SAS Compute Server
2. SAS Studio 4
3. SAS Cloud Analytic Services (CAS)

Ensure users of each of these services either already have a home directory or have a home directory created for them the first time they use the service on each host machine on which each service runs.

Stuart Rogers wrote a great blog post on the SAS Communities site explaining this, called SAS Viya 3.4 Automatic Home Directories.

1. For the SAS Launcher Server and SAS Compute Server (used in SAS Studio 5 and SAS Model Studio), the SAS Viya for Linux: Deployment Guide describes how to configure the SAS Launcher Service using the sas-bootstrap-config command-line interface. It explains how to set the SASMAKEHOMEDIR and SASHOMEDIRPERMS properties so that they, together with the user’s POSIX attributes in LDAP (which define the user’s home directory path and default shell), enable the automatic creation of user accounts including home directories for SAS Compute Server users.

2. SAS Studio 4 uses a SAS Object Spawner to launch a SAS Workspace Server. The SAS Object Spawner launch script can be configured to set similar environment variables that, together with the user’s POSIX attributes in LDAP, enable the automatic creation of the user’s home directory.

3. CAS is more complicated. CAS sessions will not fail to start just because the user does not have a home directory. However, the user’s personal CASUSER caslib will not be created as part of their CAS session. In his internal blog post, Stuart explains that in some situations, this really does not matter. By default, users of the SAS Viya visual interfaces run CAS sessions under the CAS owner account (usually cas). Therefore, they do not need their own accounts or home directories on the CAS controller. If CAS is deployed in a distributed way and co-located with HDFS, users’ CAS sessions running under their own accounts have their personal caslibs defined in HDFS rather than on the host file system. As a result, they do not need home directories on the file system.
   Having a home directory does matter for users of the SAS Viya visual interfaces who are in the CASHostAccountRequired custom group or for users who are using CAS from SAS Studio 4 and have CAS sessions running under their own user accounts. These users need home directories on the CAS controller if they want to use their personal CASUSER caslibs. CAS cannot be configured to automatically create home directories for users, so we need to use a workaround to call oddjob from a SASAUTH file in the PAM configuration file. This is described by Gordon Cox in his internal blog post called Making Homes for the homeless, which was inspired by a blog post by Paul Homes of Metacoda and platformadmin.com called Auto Creation of Linux Home Directories for SAS Users.

See the SAS Viya Infrastructure Resource Kit (VIRK) – Home Directory Creator Playbook, which automates the insertion of that workaround in your PAM configuration file.

Task 9: Secure the SAS platform on the filesystem to prevent inappropriate Read and Write access.
When: Post-install, and after platform changes.

Ensure users who are not administrators, installers, or the appropriate types of developers do not have access to resources on the filesystem that contain sensitive information that they do not require. Ensure they do not have access to change resources such as configuration files and scripts that are crucial to the integrity and stability of the SAS platform.

These resources include the directories used in all path-based caslibs, including the Formats and Public caslibs. They include installation and configuration directories for SAS and other third-party components of your SAS Viya deployment on every host. They include server logs and server start-up, shutdown, and status scripts. Ordinary users should not be able to alter these.

However, note that some processes execute and write log files as the user. For example, SAS Workspace Server sessions write SAS Workspace Server logs as the user, so users require Write access to the SAS Workspace Server log directory to be able to use the SAS Workspace Server.

If you are using SAS Viya 3.3 or earlier, consider changing the top-level directory accessible to users of SAS Studio 4 to something other than the root directory on the SAS Studio 4 host. (For SAS Viya 3.4 and later, SAS Studio 4 does not show the system root by default.)

To prevent users from accessing filesystem root from SAS Studio 4 on SAS Viya 3.3, edit the /opt/sas/viya/config/etc/sasstudio/default/init_usermods.properties file.

First, set the property webdms.showSystemRoot to false if it is not already set to false in another properties file such as init_deployment.properties. For example:

    webdms.showSystemRoot=False

Add a new property called webdms.customPathRoot to specify a path for the root node in the SAS Studio Folders tree. For example, add one of the following:

    webdms.customPathRoot=/our_content_folder
    webdms.customPathRoot=/home/<userid>

Restart SAS Studio to pick up the change:

    systemctl restart sas-viya-sasstudio-default

For SAS Viya 3.3, see the SAS Studio section of the SAS Viya Administration guide. For SAS Viya 3.4, see the SAS Studio 4.x section of the SAS Viya Administration guide.

Task 10: Maintain a secure and encrypted password-protected password database using an appropriate software tool.

KeePass is a popular, good, free, and open-source choice. Other password database tools include One Identity, CyberArk Enterprise Password Vault, and Centrify.
For smaller organizations, consider something like 1Password, LastPass, or Dashlane.

Maintain the passwords in this database for batch and administrative accounts, external database-outbound logins, and so on.

Keep the password database on a machine that is physically better protected than a desktop or laptop PC so that it cannot easily be stolen. (In other words, store the database on a host in the datacenter.)

When (task 10): Post-install, after platform changes, and when any shared or headless account’s password changes.

Consider implementing two-factor authentication for access to the hosts in the data center on which the password database is stored.

Task 11: If you store any credentials to external database systems in Domains, establish a procedure to ensure they are changed whenever the passwords are changed in the external database system.

Database passwords should be known only by a limited group of administrators. The procedure could be that

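For initial task 9 (securing the SAS platform on the filesystem), the following is an added example, not part of the original paper or of SAS tooling: a Python audit that walks a directory tree such as /opt/sas/viya/config and reports entries that ordinary users could alter, while exempting directories where users legitimately write (the paper's example is the SAS Workspace Server log directory). The sample tree, its file names and the `user_writable` and `sensitive` parameters are constructed for illustration.

```python
import os
import stat
import tempfile


def _under(path, parents):
    """True if path is one of parents or lies below one of them."""
    return any(path == p or path.startswith(p + os.sep) for p in parents)


def audit_tree(root, user_writable=(), sensitive=()):
    """Return sorted (relative_path, problem) findings for a directory tree.

    user_writable: paths relative to root where user Write access is expected.
    sensitive:     paths relative to root that ordinary users should not read.
    """
    root = os.path.realpath(root)
    user_writable = [os.path.join(root, p) for p in user_writable]
    sensitive = [os.path.join(root, p) for p in sensitive]
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits say nothing about its target
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH and not _under(path, user_writable):
                findings.append((rel, "world-writable"))
            if mode & stat.S_IROTH and _under(path, sensitive):
                findings.append((rel, "sensitive but world-readable"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a small constructed tree with known-good and known-bad modes."""
    layout = [
        ("bin", 0o755, True),
        ("bin/start.sh", 0o777, False),           # anyone can alter this script
        ("bin/status.sh", 0o755, False),
        ("etc", 0o755, True),
        ("etc/app.properties", 0o644, False),
        ("etc/keys", 0o700, True),
        ("etc/keys/server.key", 0o644, False),    # key readable by everyone
        ("logs", 0o755, True),
        ("logs/workspace", 0o1777, True),         # users write their logs here
        ("logs/workspace/session.log", 0o666, False),
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(base, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        for rel, problem in audit_tree(sample,
                                       user_writable=("logs/workspace",),
                                       sensitive=("etc/keys",)):
            print(f"{problem}: {rel}")
```

Run it as a user that can read the whole tree, because `os.walk` silently skips directories it cannot list.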