Architecting, installing and maintaining your SAS environment

Find all User Accounts with an Internal Account Defined

Occasional Contributor
Posts: 6

I am looking for methods to identify user accounts that have an internal account created.

For instance the SAS Administrator user has an internal account named 'sasadm@saspw'.

 

Looking at user properties one at a time and navigating to the accounts tab is too slow to check every account.

PROC Star
Posts: 424

Re: Find all User Accounts with an Internal Account Defined

Hi Tyler,

 

I have a few suggestions, some code, some point & click, some free and some commercial.

 

1) Write some SAS code using proc metadata or the data step functions to query metadata for InternalLogin objects and then follow the associations to find the associated person (user). For more info, check the documentation resources SAS® Language Interfaces to Metadata, SAS® Open Metadata Interface: Reference and Usage, and SAS® Metadata Model: Reference.

 

2) If you have access to SAS Display Manager use the metabrowse feature to browse the InternalLogin objects and follow the associations to find the associated person (user).

 

3) If you have access to SAS Management Console, use our free Metacoda Metadata Explorer plug-in to search for all users that have an associated InternalLogin object and export the results to a CSV file.

 

4) If this is something you expect to be doing regularly, have a need to generate documentation, and potentially want to get email alerts when somebody adds an internal login for a user that is not in an 'approved' list, then you might consider looking at our commercial Metacoda Security Plug-ins product. This includes several metadata security focused plug-ins, including Internal Login Reviewer and a Metadata Security Testing Framework.

 

I hope this helps.

 

Cheers

Paul
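One way to implement option 1 together with the "approved list" check mentioned in option 4, as an added example (not code from this thread, from SAS or from Metacoda). It assumes the metadata connection options are already set, that the connecting identity is allowed to read InternalLogin objects, and that ForIdentity is the association leading from an InternalLogin to its owning identity (the partner of InternalLoginInfo); the work.approved table and its entries are constructed sample data.

```sas
/* Constructed allow-list: identities permitted to hold an internal account. */
data work.approved;
   length IdentName $60;
   input IdentName $;
   datalines;
sasadm
sastrust
;
run;

data work.internal_logins;
   length LoginUri IdentUri $256 LoginName IdentName $60 DispName $256;
   keep LoginName IdentName DispName;
   call missing(LoginUri, IdentUri, LoginName, IdentName, DispName);
   n = 1;
   /* Walk the InternalLogin objects directly instead of every Person. */
   rc = metadata_getnobj("omsobj:InternalLogin?@Id contains '.'", n, LoginUri);
   if rc <= 0 then put "NOTE: no InternalLogin objects returned, rc=" rc;
   do while (rc > 0);
      call missing(IdentUri, LoginName, IdentName, DispName);
      arc = metadata_getattr(LoginUri, "Name", LoginName);
      /* ForIdentity (assumed partner of InternalLoginInfo) leads to the owner. */
      arc = metadata_getnasn(LoginUri, "ForIdentity", 1, IdentUri);
      if arc > 0 then do;
         arc = metadata_getattr(IdentUri, "Name", IdentName);
         arc = metadata_getattr(IdentUri, "DisplayName", DispName);
      end;
      /* An InternalLogin with no owner is still written, with a blank IdentName. */
      output;
      n + 1;
      rc = metadata_getnobj("omsobj:InternalLogin?@Id contains '.'", n, LoginUri);
   end;
run;

/* Anything not on the allow-list (including ownerless logins) needs review. */
proc sql;
   create table work.unapproved_internal as
   select IdentName, DispName, LoginName
   from work.internal_logins
   where upcase(IdentName) not in (select upcase(IdentName) from work.approved)
   order by IdentName;
quit;

proc print data=work.unapproved_internal;
run;
```

Scheduling this and comparing work.unapproved_internal between runs shows when a new internal account appears outside the allow-list.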

PROC Star
Posts: 424

Re: Find all User Accounts with an Internal Account Defined

Posted in reply to PaulHomes

A bit more info on option 3 (using the free Metacoda Metadata Explorer plug-in) ....

 

I wrote a blog post about this plug-in a few years ago: https://platformadmin.com/blogs/paul/2012/08/metacoda-metadata-explorer-plug-in/ That post included a few examples of special-mode queries that use the SAS XMLSELECT functionality for more advanced queries.

 

An extra query that you would find useful with your requirement, that was not in that blog post, is:

 

{{{ Person[InternalLoginInfo/InternalLogin] }}}

 

If you copy and paste this query into the search bar in the Metadata Explorer plug-in it will give you a list of Person objects (users) that have an associated InternalLogin object through the association named InternalLoginInfo. You can then export this list as a CSV file.

Frequent Contributor
Posts: 96

Re: Find all User Accounts with an Internal Account Defined

Hi @Tyler;

 

Try this code:

 

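/*Connect to the metadata server using the metadata system options as 
shown in the first example. */

/* Replace the placeholder values below. METAPASS also accepts a password
encoded with PROC PWENCODE, which keeps the clear-text password out of the program. */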
options metaserver="servername/ipaddress"
	metaport=8561
	metauser="sasadm@saspw"
	metapass="Password"
	metarepository="Foundation";


data work.Identities;

/* The LENGTH statement defines the lengths of variables for function arguments. */
length IdentId IdentName DispName ExtLogin IntLogin DomainName $32 
uri uri2 uri3 uri4 $256;

/* The LABEL statement assigns descriptive labels to variables. */
label
	IdentId    = "Identity Id"
	IdentName  = "Identity Name"
	DispName   = "Display Name"
	ExtLogin   = "External Login"
	IntLogin   = "Is Account Internal?"
	DomainName = "Authentication Domain";

/* The CALL MISSING statement initializes the output variables to missing values. */
call missing(IdentId, IdentName, DispName, ExtLogin, IntLogin, DomainName, 
uri, uri2, uri3, uri4);
n=1;
n2=1;

/* The METADATA_GETNOBJ function specifies to get the Person objects in the repository. 
The n argument specifies to get the first person object that is returned. 
The uri argument will return the actual uri of the Person object. The program prints an 
informational message if no objects are found. */

rc=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri);
if rc<=0 then put "NOTE: rc=" rc
"There are no identities defined in this repository" 
" or there was an error reading the repository.";

/* The DO statement specifies a group of statements to be executed as a unit. 
The METADATA_GETATTR function gets the values of the Person object's Id, Name, 
and DisplayName attributes. */
do while(rc>0); 
	objrc=metadata_getattr(uri,"Id",IdentId);
	objrc=metadata_getattr(uri,"Name",IdentName); 
	objrc=metadata_getattr(uri,"DisplayName",DispName);

/* The METADATA_GETNASN function gets objects associated via the
InternalLoginInfo association. The InternalLoginInfo association returns
internal logins. The n2 argument specifies to return the first associated object
for that association name. The URI of the associated object is returned in
the uri2 variable. */

objrc=metadata_getnasn(uri,"InternalLoginInfo",n2,uri2);

/* If a Person does not have any internal logins, set their IntLogin
variable to 'No' Otherwise, set to 'Yes'. */
IntLogin="Yes";
DomainName="**None**";
if objrc<=0 then
do;
put "NOTE: There are no internal Logins defined for " IdentName +(-1)".";
IntLogin="No";
end;

/* The METADATA_GETNASN function gets objects associated via the Logins association. 
The Logins association returns external logins. The n2 argument specifies to return 
the first associated object for that association name. The URI of the associated 
object is returned in the uri3 variable. */

objrc=metadata_getnasn(uri,"Logins",n2,uri3);

/* If a Person does not have any logins, set their ExtLogin
variable to '**None**' and output their name. */
if objrc<=0 then
do;
put "NOTE: There are no external Logins defined for " IdentName +(-1)".";
ExtLogin="**None**";
output;
end;

/* If a Person has many logins, loop through the list and retrieve the name of 
each login. */
do while(objrc>0);
objrc=metadata_getattr(uri3,"UserID",ExtLogin);

/* If a Login is associated to an authentication domain, get the domain name. */
DomainName="**None**";
objrc2=metadata_getnasn(uri3,"Domain",1,uri4);
if objrc2 >0 then
do;
 objrc2=metadata_getattr(uri4,"Name",DomainName);
end;

/*Output the record. */
output;

n2+1;

/* Retrieve the next Login's information */
objrc=metadata_getnasn(uri,"Logins",n2,uri3);
end; /*do while objrc*/

/* Retrieve the next Person's information */
n+1;
n2=1;

rc=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri);
end; /*do while rc*/

/* The KEEP statement specifies the variables to include in the output data set. */
keep  IdentName DispName ExtLogin IntLogin ; 
run;
proc sql noprint;
create table Internal_user_list as
   select DispName as Username, cats(identname,'@saspw') as internal_account
         from work.Identities
      where IntLogin="Yes";
quit;

proc sort data=internal_user_list nodupkey ;
by Username internal_account;
run;

proc delete data=internalusers;
run;

proc print data=internal_user_list ;
run;

It will give you the SAS Username with internal account.

 

We have modified this code to view the internal account with its Username; you can find the original code at this link (Example: Listing Users and their Logins):

http://support.sas.com/documentation/cdl/en/lrmeta/63180/HTML/default/viewer.htm#p1k9zipe59ha2an1pq3...

 

Thanks,

Kalind

SAS Employee
Posts: 3

Re: Find all User Accounts with an Internal Account Defined

You could also use the Report Center in SAS Environment Manager to run a report. (The Service Architecture would need to be enabled to see and use the Report Center.)

 

Go to: Analyze -- Report Center.  The report that you would want is: System--Applications--SAS Environment Manager--Ad Hoc Reporting, and the APM Metadata Inventory stored process. The report can show a number of different metadata based on the parameters you supply. I noticed that you could get a list of all metadata identities, and not just internal accounts. There is a location though, to write in a where clause, but you would want to be familiar with the table that is used in the datamart and subset with the correct values. (You could look at the table in EG or SASStudio as long as you have permissions since they are metadata and by default are stored in the System folder and SAS Environment Manager.)

 

Sheila

 

 

Frequent Contributor
Posts: 87

Re: Find all User Accounts with an Internal Account Defined

There is a macro readily available that provides user information; you can read more about this in the blog post "SAS administrators tip: Keeping track of SAS users".

 

It generates several tables which allow you to create all sorts of reports on users.

Occasional Contributor
Posts: 6

Re: Find all User Accounts with an Internal Account Defined

@Resa thanks for the link. The image showing all the tables the %MDUEXTR macro produces is useful. 

Unfortunately, I'm unable to find any data referring to internal account credentials among these tables.

 

Frequent Contributor
Posts: 87

Re: Find all User Accounts with an Internal Account Defined

@Tyler, my bad!

Just had a look at the tables at my side and you are right, there are no credentials included in the tables with regard to internal accounts.

 

You can get (some) information by taking for example the information from the PERSON_INFO table for which the ID is not listed in the PERSON_ID from the LOGIN_INFO table but this will give you no credential information.

I think then the best way to move forward is to use for example the code as suggested by @Kalind_Patel or make use of the (Metacoda tool) as suggested by @PaulHomes

 

Good luck
