infmja
Obsidian | Level 7

Hello everyone

 

I know how to sync users from a specific OU in the AD.

In the current case I need to sync users from specific groups. Is that possible? If yes, how?

 

SAS version 9.4

VA version 7.3

 

 

Kind regards

Martin

8 REPLIES 8
JuanS_OCS
Amethyst | Level 16

Hello @infmja,

 

in simple words: you will need to create a loop for the different OUs, for the users and for the groups, so they will be added/appended to the canonical tables.

 

An example, but not a unique solution, is that you can set the different OUs on different variables (ADPerBaseDN1..ADPerBaseDN10 for 10 OUs) or on a matrix and let it do the loop:

 

 

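/* Note: %do loops are only valid inside a macro definition, */
/* so this fragment belongs inside the sync macro.           */

/* Extract the users of each container, then append the per-container tables. */
%do i = 1 %to &ads_containers.;
	%pers( &&ADPerBaseDN&i.., &i. );
%end;

data &extractlibref..ldapusers;
	set
	%do i = 1 %to &ads_containers.;
		ldapusers&i.
	%end;
	;
run;


/* after....  */

/* Same pattern for the groups of each container. */
%do i = 1 %to &ads_containers.;
	%grps( &&ADGrpBaseDN&i.., &i. );
%end;

data &extractlibref..ldapgrps;
	set
	%do i = 1 %to &ads_containers.;
		ldapgrps&i.
	%end;
	;
run;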

 

Also, if you are not familiar with the AD sync scripts, you can always check the excellent Identity Sync plug-in for SMC provided by Metacoda ( @PaulHomes and @MichelleHomes ).

infmja
Obsidian | Level 7
Thanks for the answer, but the users are spread across multiple OUs and in those OUs are users I don't need to sync. Therefore I cannot sync the whole OU. That's the reason why I wanted to get the users from groups and sync only those.
I think I'm going to try to filter for group memberships (if user is in group a or b or c then sync). It should be possible to differentiate the users to sync from the users not to sync that way, right?
JuanS_OCS
Amethyst | Level 16

Yes, you can always modify the macros or create macros of your own in order to filter.

 

There are some other options for you: 

- Sys admins may create a custom OU for you, just containing a "link" to the groups that are interesting for you from the other OUs.

 

- You can always ask your sys admins to create a csv file as output of a custom query to get the groups and users you need. The csv can be also imported/sync-ed.

infmja
Obsidian | Level 7

How do I check if a variable contains a specific string?

PaulHomes
Rhodochrosite | Level 12

Regarding checking whether a variable contains a string there are a few ways. One of the simplest is to use the INDEX function. For more complex requirements you could also consider using Perl Regular Expressions.

ronan
Lapis Lazuli | Level 10

@JuanS_OCS provides the best advice here in this case, imho: try to push down the selection request as far as possible into AD, for instance, using complex AD filter clauses or even with some sort of a custom filter ("SAS" OU) created on purpose by the AD Admin.

 

Trying to code the selection request in SAS using the LDAP/AD API will be more time consuming, less efficient and more error-prone: a row-oriented SAS Data Step is not the best tool to navigate hierarchical (tree-like) databases like AD or LDAP directories... Instead of debugging complex SAS loops, time might be better spent devising a clear and simple AD Filter.
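
An added example, not part of any post in this thread: one way to build the kind of AD filter described above, so that the directory returns only users who belong to a chosen set of groups. The group DNs, the work.sync_groups table and the adfilter macro variable are constructed for illustration; the resulting string would be used as the user search filter of whatever LDAP extract the sync script runs.

```sas
/* Constructed sample input: one group DN per line. Replace with your own. */
data work.sync_groups;
  infile datalines truncover;
  input dn $char256.;
  datalines;
CN=SAS Users,OU=Groups,DC=example,DC=com
CN=VA Report Viewers (EMEA),OU=Apps,DC=example,DC=com
;
run;

data _null_;
  set work.sync_groups end=last;
  length esc $1024 members filter $8192;
  retain members;

  /* RFC 4515 escaping of characters that are special inside a filter value. */
  /* The backslash is handled first so later escapes are not escaped again.  */
  esc = tranwrd(dn,  '\', '\5c');
  esc = tranwrd(esc, '*', '\2a');
  esc = tranwrd(esc, '(', '\28');
  esc = tranwrd(esc, ')', '\29');

  /* 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it also matches */
  /* users who are members through nested groups. A plain (memberOf=...)     */
  /* clause matches direct members only.                                     */
  members = cats(members, '(memberOf:1.2.840.113556.1.4.1941:=', esc, ')');

  if last then do;
    /* user objects AND (member of group 1 OR group 2 OR ...) */
    filter = cats('(&(objectCategory=person)(objectClass=user)(|', members, '))');
    call symputx('adfilter', filter);
  end;
run;

/* %superq prevents the macro processor from rescanning & and % in the value. */
%put NOTE: AD user filter: %superq(adfilter);
```

The memberOf attribute does not list a user's primary group (typically Domain Users), so a group that users hold only as their primary group will not match this filter.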

PaulHomes
Rhodochrosite | Level 12

Thanks @JuanS_OCS for mentioning the Metacoda Identity Sync plug-in 🙂

 

Martin, if you are interested in trying it out you can register for a free 30 day evaluation at https://www.metacoda.com/en/evaluation/

 

There are a few different ways the Identity Sync plug-in can be configured, but the most common way sounds like what you are trying to do. You can configure a set of high level groups and then the plug-in will find all members of those groups, including members of multiple levels of nested groups, to find all of the groups and users that will be sync-ed with SAS metadata. These users and groups can come from many different OUs in the directory and potentially other domains too. Some of our customers even go so far as to drive the sync process from a single group in AD and thus manage the target user/group selection from AD itself. It can be run both in batch and interactively - so you can see a preview of the changes before they are applied.

 

If you want to find out more, a good starting point is a blog post at https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities where I have a screencast of the process of setting it up.  There are a few other blog posts that discuss the identity sync process at https://platformadmin.com/blogs/paul/tag/identity-sync/  We also have some example Identity Sync Profiles in a github repository at https://github.com/Metacoda/idsync-utils with documentation on the samples and some of the features they show at https://metacoda.github.io/idsync-utils/

 

I hope this is useful. Please let me know if you have any questions. 

infmja
Obsidian | Level 7
Thanks for all the answers.
I found time to continue to work on this topic and I would like to learn how the programming/scripting language works. Are there any tutorial series, docs or something similar?
