Solved: Re: How to extract users on SAS VIYA?

jbond007 · Posted 09-12-2022 06:53 AM

Hi SAS Communities,

Is there a way to extract all the internal accounts on SAS 9.4 and VIYA?
The only way I think is to manually check the SASDM and try to update password from there to see the list of users.
For SAS VIYA, just get all the users on SAS Environment Manager.
Is there a script to run or a table to check to list down all the internal accounts?
Thank you

gwootton · Posted 09-13-2022 08:23 AM

Another program in that same folder called "get_user_create.sas" does pull creation date for all users (not just internal).
https://github.com/greg-wootton/sas-programs/blob/main/Users%20and%20Groups/get_user_create.sas

To pull last password change you would probably need to use the modified date for the InternalLogin object associated with the Person object for internal accounts (the last time it was modified would not necessarily be a password change). I do not have a program that does this, but it would be possible for you to modify my program to do so. You would use the METADATA_GETNASN function to get the InternalLoginInfo association for the person object. If it exists, the account is internal. Then pull the MetadataUpdated attribute for the InternalLogin object.

Here's an example based on the get_user_create.sas program:

/* Establish a connection to the Metadata server. This must be edited to provide the appropriate connection information. */

options metaserver="meta.demo.sas.com"
		metaport=8561
		metauser="sasadm@saspw"
		metapass="<password>"
		metaprotocol=bridge
		metarepository=foundation;

/* End edit. */

data users; /* Create a data set work.users. */

/* Initialize variables. */
length 
type 
id $ 17 
user_name 
user_dn 
user_mc 
user_uri
intlog_mm
intlog_uri $ 50
user_created
intlog_modified 8; 

call missing(of _character_);

label 	user_name="User Name"
		user_dn="User Display Name"
		user_created="User Created"
		intlog_modified="Internal Login Modified";	

format user_created intlog_modified datetime.;

/* Define search parameters. */

obj="omsobj:Person?@Id contains '.'";

/* Test if any users exist. */

user_count=metadata_resolve(obj,type,id);

/* If so, for each extract the name, display name, and metadata created attributes. */

if user_count > 0 then do i=0 to user_count;
	rc=metadata_getnobj(obj,i,user_uri);
	rc=metadata_getattr(user_uri,"Name",user_name);
	rc=metadata_getattr(user_uri,"DisplayName",user_dn);
	rc=metadata_getattr(user_uri,"MetadataCreated",user_mc);
	user_created=input(user_mc,datetime.);

    /* If an internal account, get the internal login URI */
	rc=metadata_getnasn(user_uri,"InternalLoginInfo",1,intlog_uri);
	if rc > 0 then do;

    /* Pull the MetadataUpdated attribute from that object. */
	rc=metadata_getattr(intlog_uri,"MetadataUpdated",intlog_mm);

    /* Convert it from a string to a number. */
	intlog_modified=input(intlog_mm,datetime.);
	end;

/* Output if a user name is defined. */
	if user_name = '' then continue; else output;
end;

/* Drop unwanted variables.*/

keep user_name user_created user_dn intlog_modified;
run;

/* Sort the data set by date. */

proc sort data=users;
by user_created;
run;

/* Produce a report. */

proc report data=users; run;

--
Greg Wootton | Principal Systems Technical Support Engineer

View solution in original post

gwootton · Posted 09-12-2022 09:25 AM

Viya doesn't have internal accounts apart from sasboot. Here is some code for Viya and SAS 9.4 for getting a user listing.

Viya: https://communities.sas.com/t5/Administration-and-Deployment/SAS-VIYA-Fetching-List-of-Users-Groups-...
SAS 9.4: https://github.com/greg-wootton/sas-programs/blob/main/Users%20and%20Groups/list_all_users.sas

--
Greg Wootton | Principal Systems Technical Support Engineer

jbond007 · Posted 09-12-2022 09:07 PM

Thanks greg, ill check on this but does it include the creation date and the last password change? or its not possible?

gwootton · Posted 09-13-2022 08:23 AM

Another program in that same folder called "get_user_create.sas" does pull creation date for all users (not just internal).
https://github.com/greg-wootton/sas-programs/blob/main/Users%20and%20Groups/get_user_create.sas

To pull last password change you would probably need to use the modified date for the InternalLogin object associated with the Person object for internal accounts (the last time it was modified would not necessarily be a password change). I do not have a program that does this, but it would be possible for you to modify my program to do so. You would use the METADATA_GETNASN function to get the InternalLoginInfo association for the person object. If it exists, the account is internal. Then pull the MetadataUpdated attribute for the InternalLogin object.

Here's an example based on the get_user_create.sas program:

/* Establish a connection to the Metadata server. This must be edited to provide the appropriate connection information. */

options metaserver="meta.demo.sas.com"
		metaport=8561
		metauser="sasadm@saspw"
		metapass="<password>"
		metaprotocol=bridge
		metarepository=foundation;

/* End edit. */

data users; /* Create a data set work.users. */

/* Initialize variables. */
length 
type 
id $ 17 
user_name 
user_dn 
user_mc 
user_uri
intlog_mm
intlog_uri $ 50
user_created
intlog_modified 8; 

call missing(of _character_);

label 	user_name="User Name"
		user_dn="User Display Name"
		user_created="User Created"
		intlog_modified="Internal Login Modified";	

format user_created intlog_modified datetime.;

/* Define search parameters. */

obj="omsobj:Person?@Id contains '.'";

/* Test if any users exist. */

user_count=metadata_resolve(obj,type,id);

/* If so, for each extract the name, display name, and metadata created attributes. */

if user_count > 0 then do i=0 to user_count;
	rc=metadata_getnobj(obj,i,user_uri);
	rc=metadata_getattr(user_uri,"Name",user_name);
	rc=metadata_getattr(user_uri,"DisplayName",user_dn);
	rc=metadata_getattr(user_uri,"MetadataCreated",user_mc);
	user_created=input(user_mc,datetime.);

    /* If an internal account, get the internal login URI */
	rc=metadata_getnasn(user_uri,"InternalLoginInfo",1,intlog_uri);
	if rc > 0 then do;

    /* Pull the MetadataUpdated attribute from that object. */
	rc=metadata_getattr(intlog_uri,"MetadataUpdated",intlog_mm);

    /* Convert it from a string to a number. */
	intlog_modified=input(intlog_mm,datetime.);
	end;

/* Output if a user name is defined. */
	if user_name = '' then continue; else output;
end;

/* Drop unwanted variables.*/

keep user_name user_created user_dn intlog_modified;
run;

/* Sort the data set by date. */

proc sort data=users;
by user_created;
run;

/* Produce a report. */

proc report data=users; run;

--
Greg Wootton | Principal Systems Technical Support Engineer

jbond007 · Posted 09-13-2022 12:51 PM

Hi Greg,

the first program you mentioned works wonders. however, im still missing some users. It doesn't extract users inside the sas postgres (Web Infrastructure Platform Data Serverlike for example the default sas postgres user SharedServices and dbmsowser

gwootton · Posted 09-13-2022 01:39 PM

Are you talking about the Viya program or the SAS 9.4 one?

The external accounts used to sign into postgres like dbmsowner are stored credentials, not users. They can also be pulled, but it is a different question. On my github the list_users_and_logins.sas does this for SAS 9.4.

--
Greg Wootton | Principal Systems Technical Support Engineer

joeFurbee · Posted 09-12-2022 09:53 AM

Hi @jbond007 ,

Others may have input here that differs from this method. Hopefully, you'll get advice on multiple ways of doing this.

For SAS Viya, you should be able to use the identities API through the CLI, possibly in combination with the pyviyatools scripts on GitHub. If you've not used the CLI before, here's a great video to get you started. I believe @DarrellBarton gives an example for identities.

Join us for SAS Community Trivia
SAS Bowl XXXVIII, SAS Programming: Getting Started
Wednesday, February 14, 2024, at 10 a.m. ET | #SASBowl

jbond007 · Posted 09-13-2022 12:57 PM

Hi Joe,

I understand that this one would need download addtional plugins on the server but this may not be allowed is there a script we can run on SASStudio?