SasPerson85
Calcite | Level 5

I am looking for a way (either already exists or to implement) that will track when a user is deleted from Management Console.

 

I have found when users are created and modified, the macros to query the metadata (%mduextr), I found folders of users that have been deleted, but I haven't found anything that tells me what date a user was deleted. Basically we are looking to incorporate this functionality into audits we do for our system.

 

Does such a thing exist somewhere or anyone have any ideas about how to go about this?

 

Thanks in advance for any advice!

1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ

When a user is deleted from SAS Management Console the Metadata Server's Audit.Meta loggers will write this information to the log. The below example is from me creating a user identity and then deleting it.

 

2019-10-25T12:00:23,131 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=User Name=test1 ObjId=A5RWD7FM.AP00000C has been added.
2019-10-25T12:00:23,131 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=Login Name= ObjId=A5RWD7FM.AS00000K has been added.
2019-10-25T12:00:23,133 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Added IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.
2019-10-25T12:00:23,133 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Changed Login UserId=testuser1, ObjId=A5RWD7FM.AS00000K, AuthDomain= for Person Name=test1, ObjId=A5RWD7FM.AP00000C.
2019-10-25T12:00:23,133 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Added Login with UserId=testuser1, ObjId=A5RWD7FM.AS00000K, AuthDomain=DefaultAuth to IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.
2019-10-25T12:00:23,225 INFO [54018046] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=User Name=test1 ObjId=A5RWD7FM.AP00000C has been updated.
2019-10-25T12:00:23,225 INFO [54018046] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Changed IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.
2019-10-25T12:00:28,079 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=User Name=test1 ObjId=A5RWD7FM.AP00000C has been deleted.
2019-10-25T12:00:28,080 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=Login Name=Login.test1.91 ObjId=A5RWD7FM.AS00000K has been deleted.
2019-10-25T12:00:28,080 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Removed IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.
2019-10-25T12:00:28,080 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Removed Login with UserId=testuser1, ObjId=A5RWD7FM.AS00000K, AuthDomain=DefaultAuth from IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.

 

If you have enabled the SAS Environment Manager Service Architecture Framework, this would also be captured in the nightly ETLs and be available in the report Products\SAS Environment Manager\Nightly Reports\Audit Reports (Log Forensic)\User Accounts Removed. The output of the report for this action looks like this.

 

[Image: Capture.PNG]

 

Additional information on the SAS Environment Manager Service Architecture and the Audit.Meta loggers can be found in the links below.

 

SAS® Environment Manager 2.5: User’s Guide - Understanding SAS Environment Manager Service Architecture

https://go.documentation.sas.com/?docsetId=evug&docsetTarget=p0md48tpfq4yy7n1xxqn0re5v30l.htm&docset...

 

SAS® 9.4 Intelligence Platform: System Administration Guide - About Metadata Server Loggers

https://go.documentation.sas.com/?docsetId=bisag&docsetTarget=n0pitzrsxlrvyfn1o967czb2oww2.htm&docse...

--
Greg Wootton | Principal Systems Technical Support Engineer
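
One way to turn the Audit.Meta.Security.UserAdm entries shown in this answer into audit records with a deletion date and the account that performed it. This is an added example, not part of the original post and not SAS-provided code; the line layout is inferred from the sample above, and the function and field names are illustrative.

```python
import re
from datetime import datetime

# Layout inferred from the sample in the post (an assumption, not a SAS spec):
# <timestamp> <level> [<id>] <id>:<actor> <logger> - <message>
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d,\d{3}) \w+ \[\d+\] "
    r"\d+:(?P<actor>\S+) Audit\.Meta\.Security\.UserAdm - (?P<msg>.*)$")
PERSON_REMOVED = re.compile(
    r"^Removed IdentityType=Person Name=(?P<name>.*), ObjId=(?P<objid>[\w.]+)\.$")
LOGIN_REMOVED = re.compile(
    r"^Removed Login with UserId=(?P<userid>.*?), ObjId=[\w.]+, AuthDomain=.*? "
    r"from IdentityType=Person Name=.*, ObjId=(?P<objid>[\w.]+)\.$")

# Lines copied from the post above; the last one is constructed noise.
SAMPLE = [
    "2019-10-25T12:00:23,133 INFO [54018033] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Added IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.",
    "2019-10-25T12:00:28,079 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Updates.PublicObjects - Audit Public Object Type=User Name=test1 ObjId=A5RWD7FM.AP00000C has been deleted.",
    "2019-10-25T12:00:28,080 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Removed IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.",
    "2019-10-25T12:00:28,080 INFO [54018070] 994262:sasadm@saspw Audit.Meta.Security.UserAdm - Removed Login with UserId=testuser1, ObjId=A5RWD7FM.AS00000K, AuthDomain=DefaultAuth from IdentityType=Person Name=test1, ObjId=A5RWD7FM.AP00000C.",
    "not an audit line (constructed)",
]

def deleted_users(lines):
    """Return one record per removed Person identity, keyed by its ObjId."""
    events = {}  # Person ObjId -> record being assembled
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other loggers, other formats, blank lines
        person = PERSON_REMOVED.match(m["msg"])
        login = LOGIN_REMOVED.match(m["msg"])
        if person:
            rec = events.setdefault(person["objid"], {"user_ids": []})
            rec.update(
                deleted_at=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f"),
                deleted_by=m["actor"], name=person["name"], obj_id=person["objid"])
        elif login:
            # Attach the login's UserId to the Person it was removed from.
            rec = events.setdefault(login["objid"], {"user_ids": []})
            rec["user_ids"].append(login["userid"])
    # Keep only identities whose Person removal line was actually seen.
    return [r for r in events.values() if "deleted_at" in r]

if __name__ == "__main__":
    for r in deleted_users(SAMPLE):
        print(r["deleted_at"].isoformat(), r["name"], r["user_ids"], "by", r["deleted_by"])
```
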


2 REPLIES
SASKiwi
PROC Star

If you are automatically updating metadata users from Active Directory or similar then the users to be deleted will be in your AD data feed.
