BookmarkSubscribeRSS Feed
ANLYNG
Pyrite | Level 9

Do you have an example/code for reading alle changes for all objects in metadata?? I would like to have all informations , whats has been changes , when og by who? Is it possible on SAS 9.4 M& out of the box and with SAS code?

 

I know there is build-in macros as %MDUEXTR and %mdsecds and the following snippet (se below) but I want more variables eg. user, timestamp etc.

 

data All_Metadata_Object_types (keep=id name PublicType ApplicablePermissions desc);

length id $20 name PublicType $70 _uri ApplicablePermissions desc $256 ;

_nobj=1;

_n=1;

call missing(id, _uri, name, PublicType, ApplicablePermissions ,desc);

do while(_n le _nobj);

_nobj=metadata_getnobj(“omsobj:TypeDefinition?@Id contains ‘.'”,_n,_uri);

_rc=metadata_getattr(_uri,“Id”,id);

_rc=metadata_getattr(_uri,“Name”,name);

_rc=metadata_getattr(_uri,“PublicType”,PublicType);

_rc=metadata_getattr(_uri,“ApplicablePermissions”,ApplicablePermissions);

_rc=metadata_getattr(_uri,“Desc”,Desc);

output;

_n=_n+1;

end;

run;

4 REPLIES 4
SASKiwi
PROC Star

@ANLYNG  - The first thing to realise is that your current metadata repository only includes current data - there is no history kept. To get history you would have to read repository backups. For example if you read yesterdays backup and compared it to today's then you would know what has changed since yesterday only.

 

The second thing to realise is the metadata repository data model is horribly complicated and consists of variable level data hierarchies depending on the attributes you are trying to read.

 

So to track metadata changes you would have to read the daily metadata backups for the period you want to track changes then try and line up the data between the versions. So unless there is a tool or utility for doing this already (and I'm not aware of any) then this would be extremely complicated and very time-consuming. IMO it is a cure worse than the disease...   

ronan
Lapis Lazuli | Level 10

There is no such thing as a (re-usable) audit trail of metadata changes over time. However, you can enable such a change capture database  - at least for high level objects (ACE, ACT, User, Group) with SAS Environment Manager Service Framework Architecture reports. See for instance the Audit Reports (log forensic) :

 

https://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/SAS_Environment_Manager_Service_Architecture_Quickst...

 

https://support.sas.com/rnd/emi/SASEnvMgr/EVSAF/Report_Center_Report_Listings.pdf

 

This summary list is not 100% up to date with latest M6 release.

DanielKaiser
Pyrite | Level 9

We did something similar.
We create a "snapshot" each Weekend and compare it with the "snapshot" of the last week.
Pretty easy via a cronjob.

We use the Batch interface of the Metacoda Security Plugin.

The plugin creates a report, that lists every (wished) difference.
For example Objects, that got a new ACT, new Users, deleted Users, Capabilities per User that are gone or new,...

Looks like this:

# Test Reason
1 ACTs/ACT('Server ACT - TS Server')/PermissionPattern/Group('BI Web Services Users')/permissions Mismatched permission pattern found. Expected <"MCM unspecified"> but got <"+MCM">.
2 ACTs/ACT('Private User Folder ACT')/Objects/complete The test specifies a COMPLETE set of protected objects for the Access Control Template (ACT) 'Private User Folder ACT'. The test has failed because the ACT was actually found to be applied to an additional 3 unspecified objects. Additional test failures will occur for each unspecified object.


I am pretty sure @PaulHomes or @MichelleHomes can help you.

MichelleHomes
Meteorite | Level 14

Thanks @DanielKaiser for describing how the Metacoda Security Plug-ins with the Metacoda Metadata Testing Framework helps to ensure the integrity of your SAS security implementation.

 

@ANLYNG if you are wanting to monitor SAS metadata security over time the Metacoda Metadata Testing Framework may also help you. Please read @PaulHomes' blog post which references his SAS Global Forum paper on the topic https://platformadmin.com/blogs/paul/2014/03/sas-metadata-security-testing/ We also provide 30 day free evaluations where you can try it out in your own environment.

 

As @ronan mentioned you may also want to look at the Audit reports within Environment Manager.

 

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 1564 views
  • 5 likes
  • 5 in conversation