04-15-2015 02:29 AM
I found in this link some examples of listing metadata information. One in particular will list all of the users.
Is there a way to create a table which will contain all users and all objects?
I need to be able to filter by users or filter by objects and see permissions.
User    Object                Permission
John    Folder/STP.sas        Write
John    Folder                Read Only
Joe     Folder                Read Only
Jack    Folder/Sub/Sub.sas    Read Only
Something like this that I can just use Excel to filter.
04-15-2015 05:22 AM
With the security report macros you can list the users and groups, not their permissions to some record.
I used "record" in the context of an auditor, where it has the meaning of some artifact of any kind: database, data, allowed actions/changes.
As you are asking for Excel to filter, I am getting the feeling of some auditor being the questioner, as for a SAS guy filtering would be done using SAS. Another common BI tool for CSOs is Splunk, but BI can also be done using SAS.
The real permissions with the SAS metadatabase (mentioning SMC is humbug) are done by setting up ACTs and ACEs.
These should be designed in a way that is easy to understand. Not doing that is a common issue with SAS environments. How could you see all that in a more understandable way?
Have a look at Metacoda Security Plug-ins - Metacoda
04-15-2015 08:36 PM
Thanks. I will take a look at it too. I mean, Management Console or Environment Manager has the features they want, but they feel it's too powerful and easy to make mistakes on it. So just some summary report of some sort.
04-15-2015 09:09 PM
Thanks for the mention Jaap!
Grumbler, if you do look at Metacoda Plug-ins, you might also be interested in these 2 blog posts I did:
If you're going to SASGF15 and would like to talk about this some more, please come and see us at our stand in The Quad.
04-16-2015 02:06 AM
" ... but they feel it's too powerful and easy to make mistakes on it. "
There is no need to be afraid of making mistakes when they cannot harm anything.
How to achieve that?
When doing an audit you only need read access, with no access to sensitive data or anything. It is rather easy to define it that way in the SAS metadata.
The only thing is nobody seems to have been thinking about an auditor's function. There is a dual account note: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition
The auditing function can be implemented in the same way as that dual account or when the role is for a person as a single unique task on his common account.
Define in the default ACT, beside Public and Users, a group "auditors" and grant them all the read-only rights (no writes).
Pay attention to the default open write needed, and in the revoking ACTs where all the users are revoked on the write, the auditors also get that one.
For the appservers:
- A WS run by a personal account cannot add any security risks when the OS level is well secured. Ah, they can verify the OS level controls with that.
- The real risks are imposed by "privilege escalation" as is implemented by the shared account usage by an SP or pooled WS or ....
Limiting the view for those app servers (SPW, pooled WS) is a sure one: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition
That is another one an auditor could check for consistency.
When feeling confident, go ahead and look around; the questions on the content being consistent and according to requirements are their work to do.
Finding security threats is another one that could be a result of this effort. Wondering whether SAS has something like an RDP policy (Responsible disclosure - Wikipedia, the free encyclopedia).
07-02-2015 02:30 AM
Lately I have spent a lot of time analyzing the SAS metadata model.
I don't want this thread to be an advertisement, but I've built an application
to easily read out SAS metadata and format it visually.
Related to your question:
You can easily see in detail, which SAS User(s) or SAS Group(s) has which Permission
and especially why (ACT, Group etc.). This is perfect for troubleshooting.
If you are interested, have a look at this page.
Greetings from Germany