kjohnsonm
Lapis Lazuli | Level 10

Okay, I manage a SAS VA Server (7.3) on Windows that I did not install (the app or OS). It has AD user integration, but I wanted to know: if I have an AD group and I want every member in the group to have the same base read-only access, can I just add the whole group? If yes, is there a document that discusses this that someone can point out to me?


I am aware of this doc: https://documentation.sas.com/?docsetId=bisecag&docsetTarget=n0iqe26rd4ui8ln1sqg5g7cs4qhc.htm&docset... however, so far I cannot find anything about AD groups.
-- I did just try to define a group and give it some basic rights in SAS Management Console, then log in as a test user that has been added to the AD group. No joy, at least so far. -KJ

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

Hi KJ,

 

When you say AD integration, do you mean the host OS has been configured for AD integration (joined a domain) so that you can log in as an AD user and use AD groups for file system access controls, or do you mean that SAS has also been configured to synchronize SAS metadata groups with corresponding AD groups so that you can, in effect, use AD groups for SAS metadata access controls? Unlike SAS Viya, the SAS 9.4 platform (underlying the older SAS VA 7.3 release) does not use native AD/LDAP groups for access control. Instead, SAS admins usually set up a scheduled process whereby a set of AD groups is replicated in SAS (as similar/same-named metadata groups) and any changes to those AD groups (name, members, etc.) are applied to the SAS groups on a regular basis.

 

If you can provide a bit more background on how AD integration has been done in your environment then you'll be able to get more focused help.

 

Also providing a worked example of what you have done with respect to SAS access controls in SAS Management Console will help too. When you say no joy, what does that mean? Do they have access when they shouldn't? Have no access when they should? What is it they are trying to do that is failing? What are they trying to access? What type of access controls have been applied (ACTs, explicit permissions), for what groups/users on what objects?

 

Thanks

Paul

3 REPLIES 3

kjohnsonm
Lapis Lazuli | Level 10

Paul,
...AD integration (joined a domain) only. I think you just answered my question when you wrote "...7.3 release) does not use native AD/LDAP groups for access control." I am currently not giving passwords when I add my users in the console as Ad\{SomeUserID}, so I assumed it could also add a group somewhere instead. I guess I just assumed I had missed the notes/instructions on configuring that service. If 7.3 needs to be scripted to add users to metadata, then at least until we upgrade my user pool is small enough to just manually add the users. I was hoping to get a head start on expanded use. Thank you for replying. If I have misunderstood your comment, please advise. -KJ

PaulHomes
Rhodochrosite | Level 12

Hi KJ,

 

When you are manually adding AD users via SAS Management Console User Manager you do not need to specify a password. Think of that user as a reference to an AD user and the user id is the key (linking the host/AD authenticated user to the SAS identity in metadata). AD authenticates the user but SAS needs an entity within SAS metadata to use for (SAS metadata) access control decisions, to associate private user content, store user preferences, etc. The SAS metadata groups have no connection to AD groups unless you set up a sync process to effectively copy/replicate the desired set of groups into SAS metadata. When you have a small number of users it may be easier to manage them and the local SAS groups manually like this. As the number of users increases, people often turn to AD synchronisation to automate this process using AD as the source of user and group information. If you're a SAS coder, take a look at the User Import Macros section of the SAS® 9.4 Intelligence Platform: Security Administration Guide. We also have a commercial Metacoda Identity Sync plug-in that makes this easier to implement for those who are not coders (or do not want to keep maintaining code).

 

To find out more about managing users, groups and access (and many other SAS admin topics) I would wholeheartedly recommend the SAS Platform Administration: Fast Track course from SAS Education. In terms of documentation I would start with the About User Administration section in the SAS® 9.4 Intelligence Platform: Security Administration Guide. That book also has some nice worked examples of group-based access control for SAS metadata content in the Access to Metadata Folders section. Another document to read is the SAS® 9.4 Management Console: Guide to Users and Permissions.  In addition to the SAS documentation I would definitely recommend looking at some of the best practice papers for proven patterns that make this much more manageable:

 

Cheers
Paul
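
The comparison step of the scheduled sync described above, as an added example that is not part of the original thread and is neither SAS's User Import Macros nor the Metacoda plug-in. The function name `plan_sync`, the group names and the logins are assumptions constructed for illustration; it only computes the change plan and does not talk to AD or the SAS metadata server.

```python
# Added example: plan a one-way AD -> SAS metadata group sync.
# All group names and logins below are constructed sample data.

def norm(login):
    """Domain-qualified Windows logins compare case-insensitively."""
    return login.strip().lower()

def plan_sync(ad_groups, sas_groups, sas_identities):
    """Return the changes needed so SAS metadata groups mirror AD groups.

    ad_groups, sas_groups: {group_name: [login, ...]}
    sas_identities: logins that already have a SAS metadata identity
    Only groups named in ad_groups are touched; local SAS groups are left alone.
    """
    known = {norm(u) for u in sas_identities}
    plan = {}
    for group, members in sorted(ad_groups.items()):
        want = {norm(u) for u in members}
        have = {norm(u) for u in sas_groups.get(group, [])}
        plan[group] = {
            # The metadata group must exist before it can carry permissions.
            "create_group": group not in sas_groups,
            # AD authenticates, but SAS needs its own identity per login.
            "create_identity": sorted(want - known),
            "add_member": sorted(want - have),
            # Members dropped from the AD group still hold SAS access
            # until they are removed from the metadata group.
            "remove_member": sorted(have - want),
        }
    return plan

# Constructed state: the AD group is the source of truth.
AD_GROUPS = {"VA_ReadOnly": [r"AD\alice", r"AD\bob", r"AD\carol"]}
SAS_GROUPS = {
    "VA_ReadOnly": [r"ad\Alice", r"AD\dave"],   # dave has left the AD group
    "Local Admins": [r"AD\kj"],                 # SAS-only group, not synced
}
SAS_IDENTITIES = [r"AD\alice", r"AD\bob", r"AD\dave", r"AD\kj"]

if __name__ == "__main__":
    for group, actions in plan_sync(AD_GROUPS, SAS_GROUPS, SAS_IDENTITIES).items():
        print(group, actions)
```

The `remove_member` list is the one to review on every run: it names accounts that AD no longer places in the group but that would keep their SAS metadata access without the sync.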
