Does anyone know of a good resource with some examples on how to programmatically add/delete/update the group of a user in the SAS Metadata?
I've come across SAS 9.4 Language Interfaces to Metadata (https://support.sas.com/documentation/cdl/en/lrmeta/70119/HTML/default/viewer.htm#titlepage.htm) and the SAS Blog (http://blogs.sas.com/content/sgf/2016/01/13/sas-administrators-tip-keeping-track-of-sas-users/), but didn't see any concrete examples of what I was looking for, as the examples are more for just viewing, whereas I'll need to either remove or add a group for specific users through a batch-processed script.
Greatly appreciate your thoughts. Thanks in advance.
Have a look at the sample programs mentioned in http://support.sas.com/kb/40/628.html, they might provide you with a way to do that (extract metadata, manipulate the group relationship, then run the whole update/sync process).
I have managed to make it work based on the documentation link you have provided.
Just to give a summary of the steps I did for other people's reference as well.
1. Called %mduextr to extract metadata tables
2. Called %mducmp comparing it to itself which will give me all the empty _add and _delete tables I need
3. Populated grpmems_add to include the users in the Restricted access group, and populated grpmems_delete to include all current groups the users are included in
4. Called %mduchglb to perform the update in metadata
Thanks a lot for the help! Greatly appreciate it.
Cheers!
What type of groups are you referring to? For example, if you are working in a Windows environment, it is best practice to add SAS OS user accounts to SAS-related AD groups based on business requirements. These are then imported into SAS metadata as metadata groups, usually via a daily batch synchronisation job. This avoids most manual configuration and ensures OS permissions align with metadata groups.
The challenge with our requirement is that the authentication should not be based on the AD, but rather on some text file which another source is providing.
Basically, the input file is a text file containing the user and the group, which is loaded as a table. This username is also defined in SAS Metadata. Every day the file will be processed and compared with the previous data. If there is a change in the user's group, that user should be deleted from all other groups assigned to him in SMC and then assigned to another group which has Deny RM in most of the SAS folders.
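The daily comparison described above, together with step 3 of the summary, as an added example that is not code from any poster or from the SAS sample programs. It assumes a `user,group` line layout for the feed file and uses `Restricted access` as the restricted group's name; the `(group, user)` pairs it returns are what would be loaded into grpmems_add and grpmems_delete, and mapping them to those tables' key columns is left to the SAS side.

```python
import csv
import io

RESTRICTED = "Restricted access"  # assumed group name, from the wording of step 3


def load_feed(text):
    """Parse 'user,group' lines (assumed layout) into {user: group}."""
    feed = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2 or not row[0].strip():
            continue  # skip blank or malformed lines instead of guessing
        feed[row[0].strip()] = row[1].strip()
    return feed


def plan_changes(previous, current, memberships, restricted=RESTRICTED):
    """Return (add_rows, delete_rows, skipped); rows are (group, user) pairs.

    memberships maps each user defined in metadata to the set of groups
    they currently hold, e.g. built from the extracted grpmems table.
    """
    add_rows, delete_rows, skipped = [], [], []
    for user in sorted(current):
        if user not in previous or previous[user] == current[user]:
            continue  # no baseline yet, or group unchanged since last run
        if user not in memberships:
            skipped.append(user)  # not defined in metadata: report, do not act
            continue
        held = memberships[user]
        delete_rows += [(g, user) for g in sorted(held) if g != restricted]
        if restricted not in held:
            add_rows.append((restricted, user))  # no duplicate row on a rerun
    return add_rows, delete_rows, skipped


# Constructed sample data, not taken from the thread.
YESTERDAY = "alice,Finance\nbob,Sales\ncarol,HR\ndave,IT\n"
TODAY = "alice,Finance\nbob,Marketing\ncarol,Legal\ndave,Ops\nerin,Sales\n"
MEMBERSHIPS = {
    "alice": {"Finance Users"},
    "bob": {"Sales Users", "Report Viewers"},
    "carol": {RESTRICTED, "HR Users"},
}

if __name__ == "__main__":
    print(plan_changes(load_feed(YESTERDAY), load_feed(TODAY), MEMBERSHIPS))
```

Users in the skipped list appear in the feed but not in metadata, so they are worth reviewing before the update macro runs rather than silently dropping.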
Then you should look at the program that synchronizes from UNIX passwd and group files. You should be able to build the initial tables from your text file.
Hi there,
curious about the changes of a user's group membership and permissions:
you mention that a txt file is read on a daily basis. Does a group membership or permissions for a user change frequently?
Where is that txt file coming from, how is it created?
If I understand this correctly, the batch program you are looking for would have to compare, delete, change permissions and add the user to a new group?
The bulkload / examples Kurt suggested could help you with this as you can modify it to your needs.
Thanks
Anja
How do you intend to align OS permissions with metadata group permissions then? If you don't, then any user could define a LIBNAME outside of your metadata and bypass the metadata permissions. This could be prevented though if you used metadata-bound libraries.