During a recent class on SAS Viya Platform Administration, I was asked if there was a way to put SAS Viya into "admin mode", meaning that only SAS Administrators have access and all other users cannot use the SAS Viya environment. I guess the question originated from the fact that this is possible in SAS 9.4 by pausing the metadata server for administration.
So let's look at a way of doing this in SAS Viya.
How to approach this
The general authorization system controls all access to applications, services and SAS Content (folders, reports etc.). It uses a set of rules that determine the access of an individual user. So we start here.
The general authorization system is based on these principles:
implicitly disallow any access that is not granted
a Prohibit always wins
A rule has these basic elements:
Target: a service, application, individual object etc. The target is represented as a URI (Uniform Resource Identifier).
Principal: the user, group or custom group to which the rule is assigned.
Permission: the type of access, such as read, create, update, delete, add, remove and secure.
Setting: whether access is provided (grant) or not allowed (prohibit). The setting can be conditional, using a constraint expression.
So we need a rule target that affects everything: all applications, services etc. The documentation lists this target URI:
Rule's target URI: /**
Rule's relevance: relevant to all requests.
The rule to control all access
You might try to create a new rule with the following elements:
Target: /**
Principal: Authenticated Users
Permission: Read
Setting: Prohibit
But wait: SAS Administrators are authenticated users too, so this rule would also block access for SAS Administrators, and nobody would be able to use the system. Never do this. Read on for a better way to control access, using a conditional prohibit.
Using a conditional prohibit, we can make the setting depend on a condition. We only want to apply the prohibit if the requesting user is not a member of the SAS Administrators group. So our new rule has the following elements:
Target: /**
Principal: Authenticated Users
Permission: Read
Setting: Conditional Prohibit
Condition: !(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))
Conditions are written using the Spring Expression Language (SpEL). Special functions such as groupsForCurrentUser() are available; you will find more functions in the documentation. Let's look at the condition in detail:
!  stands for NOT
(  starts a group
groupsForCurrentUser().contains('SASAdministrators')  checks whether the current user is a member of the SASAdministrators group
||  stands for OR
groupsForCurrentUser().contains('sasapp')  checks whether the current user is a member of the sasapp group. This is needed for internal users.
)  ends the group
When a rule has a condition, the following happens:
A rule whose condition evaluates to true for a particular access request is applied in the authorization decision for that request.
A rule whose condition evaluates to false for a particular access request is ignored in the authorization decision for that request.
So the rule applies to any user who is not a member of the SAS Administrators group or the sasapp group.
Create the actual rule
The rule can be created using the Rules page in SAS Environment Manager or the sas-viya command line interface. We are going to use the sas-viya authorization create-rules command together with a file, which has the following advantages:
we can specify a rule id for easier handling afterwards
we can create the rule in the disabled state, so it has no immediate effect
The file content looks like this; note the id and enabled keys and their values:
[
  {
    "op": "add",
    "value": {
      "objectUri": "/**",
      "principalType": "authenticatedUsers",
      "type": "prohibit",
      "condition": "!(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))",
      "permissions": [ "read" ],
      "description": "disallow access except for SASAdministrators, sasapp groups",
      "id": "offline-mode-sasadministrators-only",
      "reason": "SAS Viya only available to SAS Administrators",
      "enabled": false
    }
  }
]
This JSON format is documented under Patch authorization rules. Please note that the id uses three hyphens in the name; this is important, as otherwise the rule will not be found.
To create this rule we use this command:
sas-viya authorization create-rules --file offline-mode.json
The result of the command tells us that 1 rule has been created.
To check the rule just created, we use this command:
sas-viya --output fulljson authorization show-rule --id offline-mode-sasadministrators-only
Note the --output fulljson option, which returns the complete JSON structure of the rule.
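To make the condition and the decision process above concrete, here is an added example (not code from the original article or from SAS). It builds the same patch document we pass to sas-viya authorization create-rules, then runs it through a deliberately simplified model of the general authorization decision: implicit deny, a prohibit always wins, and a conditional rule is only applied when its condition is true. Assumptions: condition_true() is a minimal stand-in for SpEL that understands only the groupsForCurrentUser().contains('...') form used here, fnmatch approximates target URI matching, and the user names, groups and the folder grant rule are constructed for the example.

```python
"""Model of the SAS Viya general authorization decision for the offline-mode rule.

Added example, not code from the original article or from SAS. It builds the
same patch document the article passes to 'sas-viya authorization create-rules'
and evaluates a deliberately simplified model of the decision process:
implicit deny, a prohibit always wins, and a conditional rule is applied only
when its condition is true. Assumptions: condition_true() understands only the
groupsForCurrentUser().contains('...') form used in the article, fnmatch
approximates target URI matching, and users and groups are constructed.
"""
import fnmatch
import json
import re

ADMIN_GROUPS = ("SASAdministrators", "sasapp")
RULE_ID = "offline-mode-sasadministrators-only"


def build_offline_rule(exempt_groups=ADMIN_GROUPS, enabled=False):
    """Return the JSON patch document (a string) for the offline-mode rule."""
    terms = " || ".join(f"groupsForCurrentUser().contains('{g}')" for g in exempt_groups)
    rule = {
        "objectUri": "/**",                     # relevant to all requests
        "principalType": "authenticatedUsers",
        "type": "prohibit",
        "condition": f"!({terms})",             # prohibit unless member of an exempt group
        "permissions": ["read"],
        "description": "disallow access except for " + ", ".join(exempt_groups) + " groups",
        "id": RULE_ID,
        "reason": "SAS Viya only available to SAS Administrators",
        "enabled": enabled,                     # create disabled, enable later
    }
    return json.dumps([{"op": "add", "value": rule}], indent=2)


_CONTAINS = re.compile(r"groupsForCurrentUser\(\)\.contains\('([^']+)'\)")


def condition_true(condition, user_groups):
    """Stand-in for SpEL: handles '!( ... || ... )' over contains() terms only."""
    if condition is None:
        return True                             # unconditional rules always apply
    groups = _CONTAINS.findall(condition)
    if not groups:
        raise ValueError("unsupported condition: " + condition)
    member = any(g in user_groups for g in groups)
    return not member if condition.lstrip().startswith("!") else member


def _principal_matches(rule, user):
    ptype = rule["principalType"]
    if ptype == "authenticatedUsers":
        return True                             # this includes administrators!
    if ptype == "user":
        return rule["principal"] == user["name"]
    if ptype == "group":
        return rule["principal"] in user["groups"]
    return False


def decide(rules, user, uri, permission="read"):
    """Simplified decision: 'grant' only if a grant applies and no prohibit does."""
    granted = False
    for rule in rules:
        if not rule.get("enabled", True):
            continue                            # disabled rules are ignored
        if not fnmatch.fnmatchcase(uri, rule["objectUri"]):
            continue
        if permission not in rule["permissions"] or not _principal_matches(rule, user):
            continue
        if not condition_true(rule.get("condition"), user["groups"]):
            continue                            # condition false: rule is ignored
        if rule["type"] == "prohibit":
            return "prohibit"                   # a prohibit always wins
        granted = True
    return "grant" if granted else "prohibit"   # implicit deny


# Constructed sample users and a grant that normally lets everyone read folders.
USERS = {
    "admin": {"name": "geladm", "groups": ["SASAdministrators"]},
    "service": {"name": "sas.folders", "groups": ["sasapp"]},
    "alice": {"name": "alice", "groups": ["Analysts"]},
}
FOLDER_GRANT = {"objectUri": "/folders/**", "principalType": "authenticatedUsers",
                "type": "grant", "permissions": ["read"], "enabled": True}


def offline_mode_decisions(enabled):
    """Decisions for /folders/folders/@myFolder with the offline rule off or on."""
    offline = [p["value"] for p in json.loads(build_offline_rule(enabled=enabled))]
    rules = offline + [FOLDER_GRANT]
    return {name: decide(rules, u, "/folders/folders/@myFolder") for name, u in USERS.items()}


if __name__ == "__main__":
    print(build_offline_rule())
    for state in (False, True):
        print("offline rule enabled:", state, offline_mode_decisions(state))
```

Running the block prints the patch document and then the decisions with the rule disabled (everyone keeps the folder grant) and enabled (only the SASAdministrators and sasapp members keep access; the conditional prohibit overrides the grant for everyone else). Feeding decide() the unconditional /** prohibit from the "never do this" rule returns prohibit for the administrator as well, which is exactly the lock-out the article warns about.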
Enable the rule
Since we created the rule as disabled, it has no effect yet. To enable it we use the following command:
sas-viya authorization enable-rule --id offline-mode-sasadministrators-only
The response (shown as a screenshot in the original article) confirms that the rule is now enabled.
Now every user who is not a member of the SAS Administrators group or the sasapp group no longer has any access to the applications, services etc. A user who opens a SAS application sees an error message in the browser (shown as a screenshot in the original article).
Likewise, a call to any of the SAS Viya APIs receives this response:
{
"version": 2,
"httpStatusCode": 403,
"message": "Forbidden",
"details": [
"Unauthorized",
"path: /folders/folders/@myFolder",
"correlator: adcd63b3-55b4-4caa-b65d-c2e57cec9b9f"
]
}
The HTTP status code 403 stands for Forbidden.
A user can still authenticate to SAS Viya, but no further access is possible.
Disable the rule
To disable the rule use the following command:
sas-viya --yes-to-all authorization disable-rule --id offline-mode-sasadministrators-only
All users can now work as before.
Summary
We have seen that, by using a specific rule with a condition in the general authorization system, we can block non-administrator users from working with SAS Viya. This rule can easily be enabled or disabled as needed. Always be very careful when using Prohibit together with the Authenticated Users principal, as this includes every SAS administrator as well. Before enabling the rule, check with show-rule that the condition names exactly the groups your administrators belong to; a misspelled group name makes the condition true for administrators too and locks everyone out.
Find more articles from SAS Global Enablement and Learning here.