SAS Studio provides a common set of snippets. Snippets are lines of commonly used code or text that you can save and reuse. Currently there are two areas for snippets: "SAS Snippets" (provided by SAS) and "My Snippets" (the ones you create yourself).   You might want to have a third area "My Company Snippets". These would be user created snippets available to all SAS Studio users. This is currently not directly supported. This post will show you a way how to achieve this.   This method uses the functionality to create a shortcut to a SAS Content folder in another folder. This can be done manually using the "Share and Collaborate" application. In this post we are going to use the Folders API to do it, so it can be automated.   The basic steps are:   Create a folder that will hold general snippets Create a shortcut to this folder in each users "My Snippets" folder Add snippets to the folder from step 1   Snippets basics   When you create a snippet the screen will look like this:   Select any image to see a larger version. Mobile users: To view the images, select the "Full" version at the bottom of the page.   We have the following elements:   Name: the name we will see in the Snippets pane Abbreviation: This is a shortname we can give to the snippet. In the SAS program editor you can enter @abbreviation to add the text for a snippet or just enter @ to get a list of abbreviations. Description: some text explaining the purpose of the snippet Folder: this is the SAS content folder location where we will store the snippet. All the folders below the "My Snippets" folder are accessible Text: the text associated with the snippet   User defined snippets are stored as .csm files in a SAS content folder. See Working with Snippets for more information on using snippets. Now let's look at the three basic steps.   Step 1: Create a folder that will hold general snippets   In our example we create a folder for snippets in the Public folder. By default all users have read and write permission in this folder. Of course you may choose another folder where only certain users will have write access.   We use the sas-viya CLI like so:   sas-viya folders create --parent-path /Public --name "Company-Snippets" --description "Company provided snippets" Of course the folder can be created by any other method available like using the Explorer in SAS Studio.   Step 2: Create a shortcut to this folder in each users "My Snippets" folder   Now we need to create a shortcut to this new folder in each users "My Snippets" folder. This allows for easy access and the use of the @abbreviation functionality.  This can be done manually using the "Share and Collaborate" (SASDrive) application. For an automated implementation we are using operations from the Folders API to do this.   To add a shortcut to a folder in another folder we use the Add a member to a folder operation. This operation requires two folder URI's. Now you might ask what is a folder URI. You find more details in this article Uniform Resource Identifiers (URI) in SAS Viya, specifically Content URI's.   To get the folder URI from a SAS content folder we will make use of the FILESRVC file access method as it will create a macro variable with the folder URI. For more details see Generating a FILESRVC Macro Variable. See this code sample:   %symdel FILESRVC_SNIPFLD_URI / nowarn; filename snipfld filesrvc folderpath="/Public/Company-Snippets"; %put NOTE: &=_FILESRVC_SNIPFLD_URI; %symdel _FILESRVC_MYSNIP_URI / nowarn; filename mysnip filesrvc folderpath="/Users/&sysuserid/My Folder/My Snippets"; %put NOTE: &=_FILESRVC_MYSNIP_URI;   An alternative approach would be the Get a folder with a path or a child URI operation. The following code example shows how to do this.   %let base_url = %sysfunc(getoption(servicesbaseurl)); %put NOTE: &=base_url; %let folderName = /Public/Company-Snippets; filename resp temp; proc http method=get url="&base_url/folders/folders/@item" out=resp query=( "path" = "&folderName" ) oauth_bearer=sas_services ; headers "Accept" = "application/vnd.sas.content.folder+json, application/vnd.sas.content.folder.member+json" ; run; %put NOTE &=SYS_PROCHTTP_STATUS_CODE; %put NOTE: response; %put %sysfunc(jsonpp(resp, log)); libname resp json noalldata; %symdel folderUri / nowarn; data _null_; set resp.links; where rel = "self"; call symputx("folderUri", uri); run; %put NOTE: &=folderUri;   Next we use the Add a member to a folder operation to add the shortcut to the "My Snippets" folder. In the code sample below the following macro variables are used:   &folderWithSnippets holds the folder URI of the folder where we want to store the snippets. &mySnippetsFolder holds the folder URI of the "My Snippets" folder   The "type": "reference" in the request body indicates that we want to create a shortcut.   %let base_url = %sysfunc(getoption(servicesbaseurl)); %put NOTE: &=base_url; /*  * create request body  */ filename req temp; data _null_;   infile cards;   input;   _infile_ = resolve(_infile_);   file req;   put _infile_; cards; {   "name": "Company-Snippets",   "type": "reference",   "uri": "&folderWithSnippets",   "contentType": "folder" } ; filename resp temp; proc http   method=post   url="&base_url/&mySnippetsFolder/members"   in=req   out=resp   oauth_bearer=sas_services ;   headers     "Accept" = "application/vnd.sas.content.folder.member+json,application/vnd.sas.error+json" "Content-Type" = "application/json"   ; run; %put NOTE &=SYS_PROCHTTP_STATUS_CODE; %put NOTE: response; %put %sysfunc(jsonpp(resp, log));   A value of 201 in the macro variable SYS_PROCHTTP_STATUS_CODE indicates success.   You might want to add this code to a SAS macro, so that users have an easy way of running it.   Step 3: Add snippets to the folder   Let's create the snippets we need in the "Company-Snippets" folder.   If you already have a collection of snippets in your "My Snippets" area, use the Explorer pane and copy the corresponding snippet files (.csm) from the "My Folder/My Snippets" to the proper folder.   If you create a new snippet choose the right folder to store it.     The snippet is now available for use in the SAS program editor     The use of @abbreviation is switched on by default, but it can be switch off, see Setting Editors Preferences for more details.   To group your snippets, make use of sub folders within the "Company-Snippets" folder.   Summary   It is possible to add a folder that contains snippets, files with .csm extension, to the "My Snippets" in the Snippets section of the navigation pane. This has to be done individually either using the SASDrive application or using code as shown. The advantage of having snippets available through "My Snippets" is the use of abbreviations assigned to a snippet.     Find more articles from SAS Global Enablement and Learning here. ... View more

During a recent class on SAS Viya Platform Administration, I was asked, if there was a way to put SAS Viya into "admin mode". Meaning only the SAS Administrators should have access, all other users would not be able to use the SAS Viya environment. I guess the question originated from the fact, that this is possible in SAS9.4 with pausing a metadata server for Administration.   So lets look at a way of doing this in SAS Viya.   How to approach this   The general authorization system controls all access to applications, services and SAS Content (folders, reports etc.). It uses a set of rules that determine the individual access for a user. So we start here.   The general authorization system is based on these principles: implicitly disallow any access that is not granted a Prohibit always wins A rule has these basic elements:   Element Description Target Can be a service, application, individual object etc. The target is represented as an URI (Uniform Resource Identifier). Principal The user, group or custom group to which the rule is assigned. Permission Specifies the type of access, such as read, create, update, delete, add, remove, and secure. Setting Determines whether access is provided (grant) or not allowed (prohibit). The setting can be conditional, using a constraint expression.   So we need to find a rule that affects everything, all applications, services etc. Looking at the documentation we will find this:   Rule's Target URI Rule's Relevance /** Relevant to all requests.   The rule to control all access   You might try to create a new rule with the following elements:   Element Content Target /** Principal Authenticated Users Permission Read Setting Prohibit   But wait, SAS Administrators are Authenticated Users too, so this rule would also block access for SAS Administrators. So nobody would be able to use the system. Never do this. Please read on to find a better way to control access, with conditional prohibit.   Using a conditional prohibit, we can set the setting based on a condition. We only want to apply the Prohibit if the requesting user is not a member of the of the SAS Administrators group. So our new rule would have the following elements:   Element Content Target /** Principal Authenticated Users Permission Read Setting Conditional Prohibit Condition !(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))   Conditions are written using the Spring Expression Language (SpEL). Special functions are available like the groupsForCurrentUser(). You will find more functions in the documentation. Let's look at the condition in detail:   Element Description ! Stands for NOT ( Start of a group groupsForCurrentUser().contains('SASAdministrators') check if current user is member of the SASAdministrators group || Stands for OR groupsForCurrentUser().contains('sasapp') check if current user is member of the sasapp group. This is needed for internal users. ) End of a group   When using conditions in a rule this will happen: A rule that has a condition that evaluates to true for a particular access request is applied in the authorization decision process for that access request. A rule that has a condition that evaluates to false for a particular access request is ignored in the authorization decision process for that access request.   So any user that is not a member of the SAS Administrators or the sasapp group, the rule will apply.   Create the actual rule   The rule can be created using the Rules page in the SAS Environment Manager or the sas-viya command line interface. We are going to use the sas-viya authorization create-rules command together with a file. This has the following advantages:   we can specify a rule-id for easier handling afterwards we can specify the state of the rule to be disabled, so it does not have an immediate effect The file content looks like this, note the id and enabled keys and values: [   {     "op": "add",     "value": {       "objectUri": "/**",       "principalType": "authenticatedUsers",       "type": "prohibit",       "condition": "!(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))",       "permissions": [         "read"       ],       "description": "disallow access except for SASAdministrators, sasapp groups",       "id": "offline-mode-sasadministrators-only",       "reason": "SAS Viya only available to SAS Administrators",       "enabled": false     }   } ]   This JSON format is documented under Patch authorization rules. Please note the id uses 3 hyphens in the name, this is important as otherwise the rule will not be found.   To create this rule we use this command: sas-viya authorization create-rules --file offline-mode.json The result of the command will tell us, that 1 rule has been created.   To check the rule just created, we use this command: sas-viya --output fulljson authorization show-rule --id offline-mode-sasadministrators-only. Note the --output fulljson to get back the complete JSON structure.   Enable the rule   Since we created the rule as disabled, it will not have any immediate effect. To enable it we use the following command: sas-viya authorization enable-rule --id offline-mode-sasadministrators-only   The response looks like this: Select any image to see a larger version. Mobile users: To view the images, select the "Full" version at the bottom of the page.   Now every user that is not part of the groups SAS Administrators or sasapp will no longer have any access to any of the applications, services etc. If a user wants to access a SAS Application the following message is displayed in the browser:   Likewise, if you want to access any of the SAS Viya API's you will receive this response:   { "version": 2, "httpStatusCode": 403, "message": "Forbidden", "details": [ "Unauthorized", "path: /folders/folders/@myFolder", "correlator: adcd63b3-55b4-4caa-b65d-c2e57cec9b9f" ] }   The HTTP status code 403 stands for Forbidden.   A user can still authenticate to SAS Viya but then no further access is possible     Disable the rule   To disable the rule use the following command:   sas-viya --yes-to-all authorization disable-rule --id offline-mode-sasadministrators-only   All users can now work as before.   Summary   We have seen that by using a specific rule with a condition in the general authorization system we can block non administrator users from working with SAS Viya. This rule can easily be enabled or disabled as needed. Always be very careful when using Prohibit together with the Authenticated User principal as this will include any SAS administrator as well.     Find more articles from SAS Global Enablement and Learning here. ... View more