Solved: Re: Naming Convention for SAS User Groups and User Roles in SAS SMC

VasilijNevlev · Posted 08-02-2017 03:28 PM

Hello!

Does anyone have a good naming convention for SAS User Groups and User Roles in SAS SMC? I.e. something that follows some sort of standard on granularity, easy to interpret group names into business meaning, etc?

Thank you!

=======================================
For more information about {An}alytium, visit https://www.analytium.co.uk

JuanS_OCS · Posted 08-09-2017 07:23 AM

Hi @VasilijNevlev,

I would not complicate myself too much on that matter. You want to set up a standard, but for naming. Therefore the important part is that can be understood and accepted by the relevant departments at your company. All depends as well in the

An extreme example is that some companies accept only one level of grouping, meaning you cannot nest groups. In this case, I would set names top to down such as organization (8char max), department - country (3 + 2 chars) or something like this.

If you have freedom over the naming, I would just create groups top to down on the AD such, and following a logic.

Perhaps in the AD those groups have a strange naming convention, because they may come from other systems, or even different Domain Controlers, but with the Shadow Groups you can give a normal name, which must be understood just by the SASAdmins and the Auditors.

Point is: probably nobody can give you a best name convention, without knowing your business upfront. My best suggestion here is to follow your common sense. And what ever will be implemented, it is what will become standard.

View solution in original post

JuanS_OCS · Posted 08-03-2017 06:07 AM

Hello @VasilijNevlev,

for the roles, simply what is easier for you. SAS already provides some naming for the default roles, but feel free to select any.

And for the groups, I would clearly use similar names (or the same) as in your Active Directory/LDAP. And in case you use shadow groups, you could start with some prefix (eg "SAS") to be able to recognize them from the AD groups registered in the SAS metadata.

VasilijNevlev · Posted 08-04-2017 03:38 AM

Thank's Juan, good idea to reuse AD naming convention. Now if only my client's IT had a very consistent naming convention applied to AD 🙂

Thanks you for pointing towards shadow groups. It is a must to have them in place in case the sync fails.

Vasilij

=======================================
For more information about {An}alytium, visit https://www.analytium.co.uk

JuanS_OCS · Posted 08-04-2017 04:55 AM

Haha, yeah, that is a challenge sometimes. Although I understand why it happens sometimes.

Ahd, yes, indeed, shadow groups is a good idea 🙂

@VasilijNevlev: are you aware of the Metacoda Idenntity Sync plug-ins? They help a lot with those questions. They are also a close interface for IT, something they can understand, and it cqan run in batch mode. If you are interested, I am sure @MichelleHomes or @PaulHomes can chime in to give you a hand. They are experts in this area.

MichelleHomes · Posted 08-04-2017 05:38 AM

Thanks @JuanS_OCS for mentioning the Metacoda Identity Sync Plug-in.

@VasilijNevlev, I was going to refer you to a post about shadow groups that may be of interest where @PaulHomes shares his experiences with AD sync that you may find helpful too https://communities.sas.com/t5/SAS-Communities-Library/Shadow-Groups-for-LDAP-Synchronisation/ta-p/3...

For some further technical detail on the plug-in you could have a look at Paul's blog post that includes a 10 minute screencast https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities/

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com

VasilijNevlev · Posted 08-09-2017 07:13 AM

Hello Michelle,

Thank you for the links. I did see the post, I think it came up as 2nd link on Good Search 🙂 I have sent you a private message to have a chat about the plug in.

@JuanS_OCS Thank you for the suggestion.

Regards,

Vasilij

=======================================
For more information about {An}alytium, visit https://www.analytium.co.uk

JuanS_OCS · Posted 08-08-2017 06:51 AM

Hello @VasilijNevlev,

I am wondering, would you need additional information or support with your question?

Kind regards,

Juan

VasilijNevlev · Posted 08-09-2017 07:15 AM

Hello Juan,

I am trying to work out a more robust naming convention that involves suffixes for different countries, organisations and functions. Ideally an answer with workable convention would be the right answer. Do you have any ideas?

Regards,
Vasilij

=======================================
For more information about {An}alytium, visit https://www.analytium.co.uk

JuanS_OCS · Posted 08-09-2017 07:23 AM

Hi @VasilijNevlev,

I would not complicate myself too much on that matter. You want to set up a standard, but for naming. Therefore the important part is that can be understood and accepted by the relevant departments at your company. All depends as well in the

An extreme example is that some companies accept only one level of grouping, meaning you cannot nest groups. In this case, I would set names top to down such as organization (8char max), department - country (3 + 2 chars) or something like this.

If you have freedom over the naming, I would just create groups top to down on the AD such, and following a logic.

Perhaps in the AD those groups have a strange naming convention, because they may come from other systems, or even different Domain Controlers, but with the Shadow Groups you can give a normal name, which must be understood just by the SASAdmins and the Auditors.

Point is: probably nobody can give you a best name convention, without knowing your business upfront. My best suggestion here is to follow your common sense. And what ever will be implemented, it is what will become standard.