10-17-2017 05:35 AM
I know how to sync users from a specific OU in the AD.
In the current case I need to sync users from specific groups. Is that possible? If yes, how?
SAS version 9.4
VA version 7.3
10-17-2017 05:51 AM - edited 10-17-2017 05:54 AM
In simple words: you will need to create a loop for the different OUs, for the users and for the groups, so they will be added/appended to the canonical tables.
An example, but not a unique solution, is that you can set the different OUs on different variables (ADPerBaseDN1..ADPerBaseDN10 for 10 OUs) or on a matrix and let it do the loop:
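/* Note: iterative %do loops must run inside a macro definition. */

/* Extract the users of each OU into ldapusers1..ldapusersN */
%do i = 1 %to &ads_containers.;
   %pers( &&ADPerBaseDN&i.., &i. );
%end;

/* Append the per-OU user tables into one table */
data &extractlibref..ldapusers;
   set
   %do i = 1 %to &ads_containers.;
      ldapusers&i.
   %end;
   ;
run;

/* after.... */

/* Extract the groups of each OU into ldapgrps1..ldapgrpsN */
%do i = 1 %to &ads_containers.;
   %grps( &&ADGrpBaseDN&i.., &i. );
%end;

/* Append the per-OU group tables into one table */
data &extractlibref..ldapgrps;
   set
   %do i = 1 %to &ads_containers.;
      ldapgrps&i.
   %end;
   ;
run;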
10-17-2017 06:30 AM
10-17-2017 06:39 AM
Yes, you can always modify the macros or create macros of your own in order to filter.
There are some other options for you:
- Sys admins may create a custom OU for you, just containing a "link" to the groups that are interesting for you from the other OUs.
- You can always ask your sys admins to create a csv file as output of a custom query to get the groups and users you need. The csv can be also imported/sync-ed.
10-17-2017 08:05 PM
10-20-2017 09:12 AM - edited 10-20-2017 09:14 AM
@JuanS_OCS provides the best advice here in this case, imho: try to push down the selection request as far as possible into AD, for instance, using complex AD filter clauses or even with some sort of a custom filter ("SAS" OU) created on purpose by the AD Admin.
Trying to code the selection request in SAS using the LDAP/AD API will be more time consuming, less efficient and more error-prone: a row-oriented SAS Data Step is not the best tool to navigate hierarchical (tree-like) databases like AD or LDAP directories ... Instead of debugging complex SAS loops, time might be better spent devising a clear and simple AD Filter.
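As an added illustration of the "AD filter clause" approach discussed above (not code from any poster in this thread), the following Python sketch builds an LDAP search filter that selects only users who are members of specific groups, optionally including nested groups through Active Directory's in-chain matching rule. The group DNs are constructed sample values and the function names are hypothetical; the resulting string is what would be supplied as the search filter to whichever LDAP client performs the extraction.

```python
# Added example: build an AD LDAP filter that selects users by group membership.
# All DNs below are constructed sample values, not taken from the thread.

# Active Directory LDAP_MATCHING_RULE_IN_CHAIN: with this rule, memberOf also
# matches membership inherited through nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise a DN containing them changes the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dns, nested=True):
    """Return a filter matching user objects that belong to any listed group."""
    if not group_dns:
        # Fail closed: an empty group list must not widen the sync to all users.
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        clauses = f"(|{clauses})"  # OR across the selected groups
    return f"(&(objectCategory=person)(objectClass=user){clauses})"


# Constructed sample input; the second DN contains parentheses on purpose.
SAMPLE_GROUPS = [
    "CN=SAS VA Users,OU=Groups,DC=example,DC=com",
    "CN=SAS Admins (EU),OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print(group_member_filter(SAMPLE_GROUPS))
```

Restricting the filter to named groups keeps the set of synchronized identities under AD-side control, and the escaping step prevents a group name containing `(`, `)`, `*` or `\` from altering the filter's logic.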
10-17-2017 07:59 PM - edited 10-17-2017 08:01 PM
Thanks @JuanS_OCS for mentioning the Metacoda Identity Sync plug-in
Martin, if you are interested in trying it out you can register for a free 30 day evaluation at https://www.metacoda.com/en/evaluation/
There are a few different ways the Identity Sync plug-in can be configured, but the most common way sounds like what you are trying to do. You can configure a set of high level groups and then the plug-in will find all members of those groups, including members of multiple levels of nested groups, to find all of the groups and users that will be sync-ed with SAS metadata. These users and groups can come from many different OUs in the directory and potentially other domains too. Some of our customers even go so far as to drive the sync process from a single group in AD and thus manage the target user/group selection from AD itself. It can be run both in batch and interactively - so you can see a preview of the changes before they are applied.
If you want to find out more, a good starting point is a blog post at https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities where I have a screencast of the process of setting it up. There are a few other blog posts that discuss the identity sync process at https://platformadmin.com/blogs/paul/tag/identity-sync/ We also have some example Identity Sync Profiles in a github repository at https://github.com/Metacoda/idsync-utils with documentation on the samples and some of the features they show at https://metacoda.github.io/idsync-utils/
I hope this is useful. Please let me know if you have any questions.
10-31-2017 08:27 AM