07-28-2016 11:20 AM
1. I am migrating 9.2 security to 9.4 . Is there any way to know which folders or places an ACT is applied? I see many custom ACTs in my environment and want to check if they are used at all or not? basically I want to get rid of them if they are not used anywhere.
2. Also is there any way to export security of version 9.2 to 9.4 ? I do not see export package option in9.2 but the same is available from 9.3 onwards.
3. Is there way to create report on existing ACTs with their Authorisation and permission pattern?
07-28-2016 03:10 PM
08-02-2016 10:39 AM
I tried but could not succced in getting what I needed. basically I want to be able to see details (permissions, authorizations) for each ACT which are in Authorization manager and objects it has been applied to.
I tried like %mdsecds(membertypes="Access control template");
I could also generate dataset for folders but could do it specifically for ACTs .
Note: I want to do this in SAS 9.2 , SMC 9.2
07-28-2016 10:44 PM
If you are interested in a point & click solution for (1) and (3), we have an ACT Reviewer as part of our Metacoda Plug-ins and that particular plug-in happens to be available free of charge. It has an Objects tab that shows you which objects a selected ACT has been applied to. There is also an In Use column that lets you see at a glance which ACTs are not being used and could be candidates for removal. You can export a HTML report too. You can find more info at https://www.metacoda.com/en/products/security-plug-ins/act-reviewer/ where you can register to download the plug-ins if you want.
For (2), as suggested by @LinusH, for SAS 9.2 to SAS 9.4, one option is to use the SAS Migration Utility (SMU) during the initial installation of SAS 9.4. Post-installation migration of users, group, and roles can be done with the the SAS MDU macros - there is some sample code in SAS Sample 42251: Partial Promotion of User and Group Metadata at http://support.sas.com/kb/42/251.html We also provide a point & click method (including a few other features) in our Identity Sync plug-in. Using this plug-in you can download/export an XML file from SAS Management Console 9.2 and then upload/import that XML file using SAS Management Console 9.4. However, the Identity Sync plug-in is not one of the free ones, so if you're a SAS coder then you may want to start out by looking at the SAS sample referenced above.
For migrating ACTs from SAS 9.2 to SAS 9.4, it depends on how many you have. If there are only a few then it would be easier to just recreate them from scratch. If you have a significant number then you could consider writing some code in SAS 9.2 to generate scripts to run in SAS 9.4. SAS 9.4 has some batch tools that can be used to create an ACT (sas-make-act) and apply an ACT (sas-set-metadata-access). The metadata querying side of things in SAS 9.2 to create the scripts is not a simple task however, which is why you would have to have a significant number of ACTs to migrate to make it worthwhile.
If you are interested in a commercial solution for the verification of the successful migration of the SAS metadata security implementation from SAS 9.2 to SAS 9.4 then you could look at our automated Metacoda Security Testing Framework. This is a topic I discussed in my SAS Global Forum 2014 paper: Test for Success: Automated Testing of SAS® Metadata Security Implementations.
07-29-2016 10:29 AM
how to execute sas-set-metadata-access and sas-make-act ? sas documentation lists syntax but does not mention where to execute. Can I execute in enterprise guide like below?
sas-make-act -host "hostname" -user "xyz@saspw" -port "1234" -password "xxxxxxxx" "Default ACT" -show
07-29-2016 10:42 AM
one way would be:
./sas-set-metadata-access -host localhost -port 8561 -user sasadm@saspw -password "BLA" "/System/Servers/test (ApplicationServer)" -addACT "Hide Server ACT" (ACT name)
07-29-2016 09:34 PM
Those batch commands are including in the SAS Platform Object Framework so you can run them on any machine that has that component installed. That could be a server or even a workstation. For example I have a Windows machine that only has SAS clients installed, including SAS Management Console, and those batch commands are in the C:\Program Files\SASHome2\SASPlatformObjectFramework\9.4\tools directory.
If you want to run them from SAS Enterprise Guide, in a platform environment, connecting to a SAS Workspace Server, then they will run on a server and you can use any of the SAS language features you would normally use to run operating system commands from SAS code: call system, x, systask, filename pipe, etc. Also consider that, depending on your current config with respect to noxcmd and lockdown, you may or may not be able to run operating system commands on the server via SAS EG without some config changes.
08-02-2016 07:20 PM
Following on from my comment the other day, here's an example of the export output generated by our free ACT Reviewer. It shows the SAS Administrator Settings ACT (from a SAS 9.2 environment) showing its definition
(Permissions section), where it has been applied (Objects section), and how it has been protected (ACTs and ACEs sections).
08-18-2016 10:14 AM
The security reporting macros in 9.2 as far as I can remember do not provide with such details about ACT.
To do this job, SAS does provide another API which goes by the sweet name of "Data Step Functions for Metadata Security Administration" :
Using this tools, you shall be able to build comprehensive reports as regards ACT list & scope (objects, permissions etc.).
Ths might be tedious if you're not very familiar with this kind of coding, which rarely happens from my experience. I succeeded once in 2011/2012 to enroll a seasoned coder with this, & I must say he remained the only one of his kind I know on a large portion of the entire SAS world (perhaps until today !).
Metacoda ACT plugin is the way to go if you haven't much time to code from scratch.