Grumbler
Obsidian | Level 7

SAS(R) 9.3 Language Interfaces to Metadata

I found in this link some examples of listing metadata information.  One in particular will list all of the users.

Is there a way to create a table which will contain all users and all objects?

I need to be able to filter by users or filter by objects and see permissions.

For example,

User   Object               Permission
John   Folder/STP.sas       Write
John   Folder               Read Only
Joe    Folder               Read Only
Jack   Folder/Sub/Sub.sas   Read Only

Something like this that I can just use Excel to filter.

Thanks.

7 REPLIES
ronan
Lapis Lazuli | Level 10

Yes, SAS provides Security Report Macros which should address your need:

Security Report Macros :: SAS(R) 9.3 Intelligence Platform: Security Administration Guide

Grumbler
Obsidian | Level 7

Thanks. I will try these when I get to work.

jakarman
Barite | Level 11

You can list the user and groups with the security report macros, not their permissions to some record.

I used "record" in the context of an auditor, where it has the meaning of some artifact of any kind: database, data, allowed actions/changes.

As you are asking for Excel to filter, I am getting the feeling of some auditor being the questioner; as a SAS guy, filtering would be done using SAS. Another common BI tool for CSOs is Splunk, but BI can also be done using SAS.

The real permissions with the SAS metadatabase (mentioning SMC is humbug) are done by setting up ACTs and ACEs.

These should be designed in a way that is easy to understand. Not doing that is a common issue with SAS environments. How could you see all that in a more understandable way?

Have a look at Metacoda Security Plug-ins - Metacoda

---->-- ja karman --<-----
Grumbler
Obsidian | Level 7

Thanks. I will take a look at it too. I mean management console or environment manager has the features they want, but they feel it's too powerful and easy to make mistakes on it. So just some summary report of some sort.

PaulHomes
Rhodochrosite | Level 12

Thanks for the mention Jaap!

Grumbler, if you do look at Metacoda Plug-ins, you might also be interested in these 2 blog posts I did:

  • Sneak Peek at our new Effective Permissions Explorers: an older post that shows how we investigate the 2 perspectives of looking at effective permissions and access levels for all users on a single object, and also for a single user on large collections of objects.
  • Getting Ready for SASGF15: a more recent post where I talk about how some of our users use these permissions explorers for providing access level reports to management and auditors. It also mentions enhancements we'll be showing at SAS Global Forum 2015 in a couple of weeks, including exporting from the permissions explorers to HTML or CSV (for importing into Excel).

If you're going to SASGF15 and would like to talk about this some more, please come and see us at our stand in The Quad.

Cheers

Paul

jakarman
Barite | Level 11

" ...  but they feel it's too powerful and easily to make mistakes on it. "   

There is no need to be afraid for making mistakes when they cannot harm anything.

How to achieve that?

When doing an audit you only need read access, with no access to sensitive data or anything. It is rather easy to define it that way in the SAS metadata.

The only thing is nobody seems to have been thinking about an auditor's function. There is a dual account note: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition

The auditing function can be implemented in the same way as that dual account, or when the role is for a person as a single unique task on his common account.

In the default ACT, define a group "auditors" alongside Public and Users and grant them all the read-only rights (no writes).

Pay attention to the default open write needed, and in the revoking ACTs, where all the users are revoked on the write, the auditors also get that one.

For the appservers:

- A WS run by a personal account cannot add any security risks when the OS level is well secured. Ah, they can verify the OS level controls with that.

- The real risks are imposed by "privilege escalation" as implemented by the use of shared accounts by an SP or pooled WS or ....

  Limiting the view for those app servers (SPW, pooled WS) is a sure one: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition

That is another thing an auditor could check for consistency.

When feeling confident, go ahead and look around; the questions on the content being consistent and according to requirements are their work to do.
Finding security threats is another one that could be a result of this effort. Wondering whether SAS has something like an RDP policy (Responsible disclosure - Wikipedia, the free encyclopedia).

---->-- ja karman --<-----
mariusg
Obsidian | Level 7

Hi Grumbler,

Lately I have spent a lot of time analyzing the SAS metadata model.

I don't want this thread to be an advertisement, but I've built an application to easily read out SAS metadata and format them visually.

Related to your question:

You can easily see in detail which SAS user(s) or SAS group(s) have which permission, and especially why (ACT, group etc.). This is perfect for troubleshooting.

If you are interested have a look at this page.

Greetings from Germany

marius
