BookmarkSubscribeRSS Feed
ucvikas
Obsidian | Level 7

Dear Admins,

 

1. I am migrating 9.2 security to 9.4 . Is there any way to know which folders or places an ACT is applied? I see many custom ACTs in my environment and want to check if they are used at all or not? basically I want to get rid of them if they are not used anywhere.

2. Also is there any way to export security of version 9.2 to 9.4 ? I do not see export package option in9.2 but the same is available from 9.3 onwards.

3. Is there way to create report on existing ACTs with their Authorisation and permission pattern?

 

TIA

 

9 REPLIES 9
ucvikas
Obsidian | Level 7

I tried but could not succced in getting what I needed. basically I want to be able to see details (permissions, authorizations) for each ACT which  are in Authorization manager and objects it has been applied to. 

I tried like %mdsecds(membertypes="Access control template");

 

I could also generate dataset for folders but could do it specifically for ACTs .

 

Note: I want to do this in SAS 9.2 , SMC 9.2

LinusH
Tourmaline | Level 20
If you are on the same platform you could try SMU which I think offers more content support than export packages.
Data never sleeps
PaulHomes
Rhodochrosite | Level 12

If you are interested in a point & click solution for (1) and (3), we have an ACT Reviewer as part of our Metacoda Plug-ins and that particular plug-in happens to be available free of charge. It has an Objects tab that shows you which objects a selected ACT has been applied to. There is also an In Use column that lets you see at a glance which ACTs are not being used and could be candidates for removal. You can export a HTML report too. You can find more info at https://www.metacoda.com/en/products/security-plug-ins/act-reviewer/ where you can register to download the plug-ins if you want.

 

For (2), as suggested by @LinusH,  for SAS 9.2 to SAS 9.4, one option is to use the SAS Migration Utility (SMU) during the initial installation of SAS 9.4. Post-installation migration of users, group, and roles can be done with the the SAS MDU macros - there is some sample code in SAS Sample 42251: Partial Promotion of User and Group Metadata at http://support.sas.com/kb/42/251.html  We also provide a point & click method (including a few other features) in our Identity Sync plug-in. Using this plug-in you can download/export an XML file from SAS Management Console 9.2 and then upload/import that XML file using SAS Management Console 9.4. However, the Identity Sync plug-in is not one of the free ones, so if you're a SAS coder then you may want to start out by looking at the SAS sample referenced above.

 

For migrating ACTs from SAS 9.2 to SAS 9.4, it depends on how many you have. If there are only a few then it would be easier to just recreate them from scratch. If you have a significant number then you could consider writing some code in SAS 9.2 to generate scripts to run in SAS 9.4. SAS 9.4 has some batch tools that can be used to create an ACT (sas-make-act) and apply an ACT (sas-set-metadata-access). The metadata querying side of things in SAS 9.2 to create the scripts is not a simple task however, which is why you would have to have a significant number of ACTs to migrate to make it worthwhile.

 

If you are interested in a commercial solution for the verification of the successful migration of the SAS metadata security implementation from SAS 9.2 to SAS 9.4 then you could look at our automated Metacoda Security Testing Framework. This is a topic I discussed in my SAS Global Forum 2014 paper: Test for Success: Automated Testing of SAS® Metadata Security Implementations.

ucvikas
Obsidian | Level 7

how to execute sas-set-metadata-access and sas-make-act ? sas documentation lists syntax but does not mention where to execute. Can I execute in enterprise guide like below?

 

sas-make-act -host "hostname" -user "xyz@saspw" -port "1234" -password "xxxxxxxx" "Default ACT" -show

anja
SAS Employee

Hi,

 

one way would be:

./sas-set-metadata-access -host localhost -port 8561 -user sasadm@saspw -password "BLA" "/System/Servers/test (ApplicationServer)" -addACT "Hide Server ACT" (ACT name)

PaulHomes
Rhodochrosite | Level 12

Those batch commands are including in the SAS Platform Object Framework so you can run them on any machine that has that component installed. That could be a server or even a workstation. For example I have a Windows machine that only has SAS clients installed, including SAS Management Console, and those batch commands are in the C:\Program Files\SASHome2\SASPlatformObjectFramework\9.4\tools directory.

 

If you want to run them from SAS Enterprise Guide, in a platform environment, connecting to a SAS Workspace Server, then they will run on a server and you can use any of the SAS language features you would normally use to run operating system commands from SAS code:  call system, x, systask, filename pipe, etc. Also consider that, depending on your current config with respect to noxcmd and lockdown, you may or may not be able to run operating system commands on the server via SAS EG without some config changes.

PaulHomes
Rhodochrosite | Level 12

Following on from my comment the other day, here's an example of the export output generated by our free ACT Reviewer. It shows the SAS Administrator Settings ACT (from a SAS 9.2 environment) showing its definition

(Permissions section), where it has been applied (Objects section), and how it has been protected (ACTs and ACEs sections).

 

Selection_001.png

ronan
Lapis Lazuli | Level 10

The security reporting macros in 9.2 as far as I can remember do not provide with such details about ACT. 

 

To do this job, SAS does provide another API  which goes by the sweet name of "Data Step Functions for Metadata Security Administration" :

 

https://support.sas.com/documentation/cdl/en/lrmeta/60739/HTML/default/a003121439.htm

 

Using this tools, you shall be able to build comprehensive reports as regards ACT list & scope (objects, permissions etc.). 

Ths might be tedious if you're not very familiar with this kind of coding, which rarely happens from my experience. I succeeded once in 2011/2012 to enroll a seasoned coder with this, & I must say he remained the only one of his kind I know on a large portion of the entire SAS world (perhaps until today !).

 

Metacoda ACT plugin is the way to go if you haven't much time to code from scratch. 

 

 

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 9 replies
  • 2618 views
  • 6 likes
  • 6 in conversation