cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
EyalGonen
Lapis Lazuli | Level 10 EyalGonen
Lapis Lazuli | Level 10

How to enable non SAS Admins to view the SAS supplied user activity report

Posted 12-12-2023 12:17 AM (1711 views)

Hi experts,

 

For SAS Viya 3.5 there is a SAS Environment Management supplied report named User Activity which shows audit info for users accessing VA reports. We have a need to open access to this report (and the underlying CAS data) for some group of users who are not members of the SAS Administrators group. Are there instructions for accomplishing this?

 

Thanks

0 Likes
Reply
3 REPLIES 3
ronf_sas
SAS Employee ronf_sas
SAS Employee

Re: How to enable non SAS Admins to view the SAS supplied user activity report

Posted 12-12-2023 09:05 AM (1667 views)  |   In reply to EyalGonen

Hi,

The User Activity report is in the /Products/SASEnvironmentManager/Dashboard Items path in SAS Content, which has a rule conditionally prohibiting Authenticated Users from seeing it. You will need to modify the condition of this rule to include a group this user is a member of, or call them out specifically. For instance by replacing this:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp')
 
with this:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp') && !groupsForCurrentUser().contains('NewGroup')
 
or:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp') && !currentUser() == 'userid'
 
General Authorization: How To (Rules page)
https://go.documentation.sas.com/doc/en/calcdc/3.5/calauthzgen/p1bh4gj8c2xv1nn1fx011prusmii.htm
 
The User Activity report uses the SystemData.Audit CAS table which Authenticated Users by default does not have permission to see, so the user/group will need to be granted permission on the SystemData caslib as well.
 
CAS Authorization: How To (Authorization Window)
https://go.documentation.sas.com/doc/en/calcdc/3.5/calauthzcas/n10ey3zz0qwxrsn0z6l25qo310q7.htm

0 Likes
Reply
EyalGonen
Lapis Lazuli | Level 10 EyalGonen
Lapis Lazuli | Level 10

Re: How to enable non SAS Admins to view the SAS supplied user activity report

Posted 12-12-2023 09:12 AM (1661 views)  |   In reply to ronf_sas

Hi @ronf_sas 

 

Thanks for replying. Two questions:

 

1. Is there no issue/pitfall with opening the permissions for the folder and caslib to non SAS Admins?

2. I want to open access only to this specific report and only to the specific CASLIB table and not to open access to the entire VA report folder and to the entire SystemData CASLIB. Is there an easy way to accomplish this?

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: How to enable non SAS Admins to view the SAS supplied user activity report

Posted 12-12-2023 10:26 AM (1639 views)  |   In reply to EyalGonen
1. Generally speaking the permissions are set such that non-administrators only have access to their own information. The User Activity report and SystemData.Audit CASLIB contain data on all users, so this is not granted by default.
2. Yes, you can set authorizations on specific objects and tables, so you can achieve this, you would just need to add additional permission configurations.

By default the rule against the Dashboard folder is a conditional prohibit on Authenticated Users to /folders/folders/folder_id/**, so Authenticated Users have permission to see the folder, but permission is revoked to see any objects inside the folder (convey permission). As you want to grant access to a single object within the folder, you would not be able to use this rule, so you'd need to disable it which would grant users Read permission conveyed to all the objects within it. You'd then need to edit the permissions for each report in the folder and conditionally prohibit permission, with the same condition as the prohibit you disabled (prohibit Authenticated Users unless they are a member of the SAS Administrators or sasapp group)

Similarly for the SystemData CASLIB, Authenticated Users by default do not have ReadInfo permission on the library. This would need to be granted at the library level and then removed at the table level for all tables but AUDIT, which would need ReadInfo and Select granted.
--
Greg Wootton | Principal Systems Technical Support Engineer
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • ‎12-12-2023 12:17 AM
  • 1712 views
  • 1 like
  • 3 in conversation