Architecting, installing and maintaining your SAS environment

Importing AD groups and users and Mapping them to SAS Metadata

Occasional Contributor
Posts: 17

Our SAS users are looking to use AD groups on a SAS 9.4 M3 Linux server using utility macros (importad.sas). As of now, our users are using PAM (binding) for authentication.

Please let us know: what are the risks involved in using AD groups on a SAS 9.4 M3 Linux server?


Accepted Solutions
Solution
‎04-27-2017 09:41 AM
Super Contributor
Posts: 441

Re: Importing AD groups and users and Mapping them to SAS Metadata

Posted in reply to againreddy

We have a strict sync process between AD and SAS metadata which works very well. If there is a risk it probably will come from a lack of discipline because manual updates can interfere with the ones coming from AD. That may yield errors and problems resulting from an incomplete sync. We just don't do manual updates; any new user or group membership change will go through an audited and monitored approval process. And that's it. So this is taken from IT to the business, where we feel it belongs. We see or experience no downside.

In fact, if you take the trouble of adding Kerberos authentication to the mix, you can set up an authentication and authorization process that runs itself and extends beyond the metadata to the filesystems and back-end database management systems (we extend it to the Teradata realm). Users, admins and security officers will benefit equally. No more password resets or locked out users. And very clear reporting. In short, highly recommended.

If you want syncing managed from SAS Management Console, have a look at the Metacoda plug-ins. They have done wonders in this field.

Regards,

- Jan.



All Replies
Trusted Advisor
Posts: 1,321

Re: Importing AD groups and users and Mapping them to SAS Metadata

Posted in reply to jklaverstijn

Thanks Jan for mentioning Metacoda Plug-ins.

 

FYI, we have an Identity Sync Plug-in that may help you with your Active Directory synchronization requirements. Some background information on the plug-in can be found at the following blog, which also includes a screencast of the Metacoda Identity Sync Plug-in in action: https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities/ Please let me know if you'd like to get a 30-day free evaluation to try it out.

 

Kind Regards,

Michelle

Occasional Contributor
Posts: 17

Re: Importing AD groups and users and Mapping them to SAS Metadata

Posted in reply to jklaverstijn
Thank you, Jan and Michelle, for your responses.
☑ This topic is solved.
