BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
againreddy
Obsidian | Level 7

Our SAs users are looking for using AD  groups in SAS 9.4 M3 linux server using utility macros(importad.sas).  As of now, Our users using PAM(Binding)  for authentication.

Please let us know, What are the risks involved using AD  groups in SAS 9.4 M3 linux server?

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
jklaverstijn
Rhodochrosite | Level 12

We have a strict sync process between AD and SAS metadata which works very well. If there is a risk it probably will come from a lack of discipline because manual updates can interfere with the ones coming from AD. That may yield errors and problems resulting from an incomplete sync. We just don't do manual updates; any new user or group membership change will go through an audited and monitored approval process. And that's it. So this is taken fro IT to the business, where we feel it belongs. We see or experience no downside.

 

In fact, if you take the trouble of adding Kerberos authentication to the mix, you can setup a authentication and authorization process that runs itself and extends beyond the metadata to the filesystems and back-end database management systems (we extend it to the Teradata realm). Users, admins and security officers will benefit equally. No more password resets or locked out users. And very clear reporting. In short, highly recommended.

 

If you want syncing managed from SAS Management Console have a look at the Metadatcoda plug-ins. They have done wonders in this field.

 

Regards,

- Jan.

View solution in original post

3 REPLIES 3
jklaverstijn
Rhodochrosite | Level 12

We have a strict sync process between AD and SAS metadata which works very well. If there is a risk it probably will come from a lack of discipline because manual updates can interfere with the ones coming from AD. That may yield errors and problems resulting from an incomplete sync. We just don't do manual updates; any new user or group membership change will go through an audited and monitored approval process. And that's it. So this is taken fro IT to the business, where we feel it belongs. We see or experience no downside.

 

In fact, if you take the trouble of adding Kerberos authentication to the mix, you can setup a authentication and authorization process that runs itself and extends beyond the metadata to the filesystems and back-end database management systems (we extend it to the Teradata realm). Users, admins and security officers will benefit equally. No more password resets or locked out users. And very clear reporting. In short, highly recommended.

 

If you want syncing managed from SAS Management Console have a look at the Metadatcoda plug-ins. They have done wonders in this field.

 

Regards,

- Jan.

MichelleHomes
Meteorite | Level 14

Thanks Jan for mentioning Metacoda Plug-ins.

 

FYI, we have an Identity Sync Plug-in that may help with you with your active directory synchronization requirements. Some background information on the plug-in can be found at the following blog that also includes a screencast on the Metacoda Identity Sync Plug-in in action. https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities/ Please let me know if you'd like to get a 30 day free evaluation to try it out.

 

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com
againreddy
Obsidian | Level 7
Thank you Jan and Michelle for your responses..

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 2483 views
  • 5 likes
  • 3 in conversation