Privileged Users
Users in SAS Enterprise Session Monitor can be separated into the following roles:
- General Users
- Privileged Users
- The Administrator
When SAS Enterprise Session Monitor is license by Cores General Users do not require any authentication within SAS Enterprise Session Monitor. Privileged Users and the Administrator are prompted for credentials when they attempt to use the advanced features of the application. The roles are hierarchical: Privileged Users and Administrators are able to access all of the functionality available to General Users, and the Administrator is able to access all of the functionality available to Privileged Users.
To add a user to the list of Privileged Users, click the 'Add Privileged User' button. This will change the focus to the username
field further down the screen where you'll be prompted to create a password for the user and assign the permissions for the user:
Sessions¶
If permitted by the Operating System and the SAS Enterprise Session Monitor configuration, the SAS Enterprise Session Monitor agent can be used to terminate unresponsive, orphaned or unwanted SAS sessions. Once a session is identified, it can be terminated using a menu accessed by right-clicking on the session in the List Portlet in the Live View.
The menu presents the following options:
- Terminate Process
This sends the process the equivalent of a SIGTERM signal for UNIX platforms, and a taskkill command on Windows platforms. Once the process is terminated, the Agent ensures that the temporary directories related to that process have been removed.
- Force Terminate Process
This sends the process the equivalent of a SIGKILL signal for UNIX platforms, and a taskkill /f command on Windows platforms. Once the process is terminated, the Agent ensures that the temporary directories related to that process have been removed.
- Force Terminate Process leaving temporary directories intact
This sends the process the equivalent of a SIGKILL signal for UNIX platforms, and a taskkill /f command on Windows platforms. Once the process is terminated, the Agent leaves any temporary directories that may be related to that process intact.
Note
If a process is known by SAS Enterprise Session Monitor to be a System (SYS) process, or if it is not an instance of the sas binary executing, the process can not be acted upon. This limitation is imposed as a security precaution[^advanced].
Important
All actions performed using the Session Management menu are audited by SAS Enterprise Session Monitor. A history of all Session Management actions can be seen in the Privileged Users section of the SAS Enterprise Session Monitor Admin Settings screen.
Logs¶
When SAS Enterprise Session Monitor is passed a 'log file' option for a Session, such as in the case of a Batch Job, SAS Enterprise Session Monitor will continually monitor that log file for occurrences of WARNING and ERROR messages. When either a Warning or Error message occurs, it is plotted against the timeline of that session in real time as a flag. Hovering over the flag using the mouse displays the warning or error text. Clicking on the flag retrieves the log file in question, opens it in a new tab and navigates to the line where the error occurred.
If this behavior is configured as restricted to Privileged Users, suitable credentials must be entered prior to the logfile being retrieved.
Disabling a privileged user¶
When Enterprise Session Monitor is licensed by number of authorized users only active users defined in the privileged users table can access the application. The application will prevent an Enterprise Session Monitor Administrator from adding more users to the privileged users table where the number of active users will be greater than the number of authorized users as specified in the license.
To allow you to list more users, it is possible to mark a privileged user as Disabled. By disabling a user they will remain in the privileged users table but the username specified will not be able to access the application even if they authenticate correctly. The users will receive the following message:
Changing the SAS Enterprise Session Monitor Administrator Password¶
The overriding password for the SAS Enterprise Session Monitor Administrator is stored in a main password file and secured using filesystem-level security.
To change the SAS Enterprise Session Monitor Administrator username and password, log on to the machine where the SAS Enterprise Session Monitor Server is running as a suitably privileged user. Then, edit the admin.txt plaintext file, located in esm-server/conf
The format of admin.txt should as follows:
esmadminusername
esmadminpassword
Note: When saving the password file, ensure that the correct permissions continue to be applied to it. It can only be read by the SAS Enterprise Session Monitor system account, and written by a designated user / administrator of the underlying operating system.
Created: April 24, 2023