AndrewHowell
Moderator

Concur with Paul - yes, you can code a workaround, but (as we've probably all realised) with the right level of access (SASAdmin?) it's actually possible to do a lot of damage with code.

I've tended to have the User Name match the O/S and/or ActiveDirectory name - which simplifies the SAS ADSync scripts.

jakarman
Barite | Level 11

I like the rules of http://support.sas.com/resources/papers/proceedings11/376-2011.pdf, although I do not like their example, as that implies copying the SAS Danish office organization. Definitely not yours. Like your remark, the standard SASApp is not enough. Only for a demo or a single department will it do.

I would follow that recommendation:

1/ only setting ACTs on all artifacts; never (hmm, never) change it by adding groups/users for additional rights.

2/ only having groups mentioned in the ACTs, never having users in those.

3/ only adding users to groups (this is the common RBAC process approach). An identity management system (Wikipedia) is often becoming a business requirement, with all the auditability and traceability belonging to those.

Yup, it is some more work adding and maintaining ACTs as initial steps, but they can be scripted (batch tools are there).

Put the OS security in the same structure (users/groups) and it must become highly structured with the best achievable security (no SAS restrictions needed).

Yes agree for the anyway it is too tedious, explanation welcome.

To be added: a dedicated backup/restore with metadata and WebDAV content (you can store EGP projects there) is lacking.

This is normally required functionality when end-users are allowed to store data somewhere.

---->-- ja karman --<-----
nooooooooo
SAS Employee

There are parallel security mechanisms outside of Metadata in 9.4 that use the name of identities as an effective foreign key. These mechanisms will be impacted when renaming identities. If you'd like to proceed with the renaming process, can you please open a tech support track and we can work through some options to propagate the changes? If you open a track, please ask that I be included on it so we can short circuit the triage and cut to the chase.

PaulHomes
Rhodochrosite | Level 12

Hi Zachary,

Thanks for providing some background. Is it possible for you to name some of those software components that are using the parallel security mechanisms? I.e., is there the possibility that some customers might not have those components and so it may not be so much of a concern for them? Having said that, I'm wondering if one of those components might be SAS Environment Manager and so used in all new SAS 9.4 platform installations?

Are you also able to shed some light on why the Name attribute (known to change on some occasions) was used as an effective foreign key over an unchanging unique key like the metadata object id?

Finally, I believe that the bulk user loading macros (%MDU*) still allow for a Name attribute change when updating users. Will these macros be modified in a later release to prevent Name attribute changes too?

Thanks

Paul

jakarman
Barite | Level 11

Ronan, you mentioned one place where hard-coding the names of users (or display names) is used: the cubes at row level.

As it is programmed by application/report builders, it can cause headaches through lack of standards.

Another is Zachary's paper http://support.sas.com/resources/papers/proceedings11/017-2011.pdf. As he explains, the user and password are part of the REST HTTP approach, easy to decode as it is base64. Because of that, it is only to be accepted when there is encryption over the wire. That implies it could be seen and leaked by logging that traces the web traffic at an unencrypted point. Security by obscurity is not very sensible for a real service level.

---->-- ja karman --<-----
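
The point made in the post above, that HTTP Basic credentials are only base64-encoded and can leak through traces taken at an unencrypted point, shown as an added example that is not part of the thread or of the cited paper: a scrubber that decodes and redacts `Authorization: Basic` tokens in trace lines. The log lines, user name and password are constructed for the illustration.

```python
import base64
import binascii
import re

# Constructed sample trace lines (not from the paper or any real system).
_TOKEN = base64.b64encode(b"sasdemo:Example-Pw1").decode()
SAMPLE_LOG = [
    "10:01:02 GET /rest/reports HTTP/1.1 Authorization: Basic " + _TOKEN,
    "10:01:03 GET /rest/reports HTTP/1.1 Authorization: Bearer abc.def.ghi",
    "10:01:04 GET /rest/ping HTTP/1.1",
    "10:01:05 GET /rest/x HTTP/1.1 Authorization: Basic !!notbase64!!",
]

BASIC_RE = re.compile(r"(Authorization:\s*Basic\s+)(\S+)", re.IGNORECASE)


def decode_basic(token):
    """Return (user, password) if token is valid Basic credentials, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def scrub(lines):
    """Redact Basic tokens; return (clean_lines, exposed_usernames)."""
    clean, exposed = [], []
    for line in lines:
        match = BASIC_RE.search(line)
        if match:
            creds = decode_basic(match.group(2))
            if creds:
                # base64 is an encoding, not encryption: the identity is readable.
                exposed.append(creds[0])
            # Redact every Basic token, even malformed ones.
            line = BASIC_RE.sub(r"\1[REDACTED]", line)
        clean.append(line)
    return clean, exposed


if __name__ == "__main__":
    cleaned, users = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("accounts whose credentials were readable in the trace:", users)
```

Any account listed in the second return value had its password readable in the trace and should be treated as exposed.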
jakarman
Barite | Level 11

Going for the RBAC process, there is always the SSN, being unique to each human. As it is used for the payroll and more, it is surely a stable informational one. Even when women marry and change names, that one is kept the same.
You could use that one, although some can complain about privacy concerns. The alternative is something like http://www.caisley-tags.co.uk/wp-content/uploads/2011/12/Cattle-tags2-1500x430.jpg. I am kidding, but not sure about that with politicians.

When the new person comes running down from the HR department, all other things are put in place, like the physical access and the IT controls (RBAC).

It would make much sense to be aligned with those processes. This can be a requirement with more sensitive data. The employee number mostly comes from HR and is associated (hidden) with their administration.

The operational username, on the other hand, is often used with all the changing personal names, for ease of recognition; that makes sense (auditability, traceability).

---->-- ja karman --<-----
ShelleySessoms
Community Manager

There appears to be lots of helpful information here, as well as a correct answer or two. Given that, I am marking the original question as "assumed answered" so that others with a similar question can find the help they need. You can do this yourself, at any time. Thanks for using the communities!


Discussion stats
  • 21 replies
  • 4241 views
  • 11 likes
  • 7 in conversation