Architecting, installing and maintaining your SAS environment

Updating User Group of Metadata Users

Accepted Solution Solved
Reply
Super Contributor
Posts: 316
Accepted Solution

Updating User Group of Metadata Users

Does anyone know of a good resource with some examples on how to programmatically add/delete/update the group of a user in the SAS Metadata? 

 

I've come across SAS 9.4 Language Interfaces to Metadata (https://support.sas.com/documentation/cdl/en/lrmeta/70119/HTML/default/viewer.htm#titlepage.htm) and the SAS Blog (http://blogs.sas.com/content/sgf/2016/01/13/sas-administrators-tip-keeping-track-of-sas-users/)  but didn't see some concrete examples of what I was looking for as the examples are more to just view but I'll need to either remove or add a group to specific users through a batch processed script.

 

Greatly appreciate your thoughts. Thanks in advance.


Accepted Solutions
Solution
‎06-13-2017 11:34 PM
Super User
Posts: 6,928

Re: Updating User Group of Metadata Users

Have a look at the sample programs mentioned in http://support.sas.com/kb/40/628.html, they might provide you with a way to do that (extract metadata, manipulate the group relationship, then run the whole update/sync process).

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers

View solution in original post


All Replies
Solution
‎06-13-2017 11:34 PM
Super User
Posts: 6,928

Re: Updating User Group of Metadata Users

Have a look at the sample programs mentioned in http://support.sas.com/kb/40/628.html, they might provide you with a way to do that (extract metadata, manipulate the group relationship, then run the whole update/sync process).

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
Super Contributor
Posts: 316

Re: Updating User Group of Metadata Users

I have managed to make it work based on the documentation link you have provided.

 

Just to give a summary of the steps I did for other people's reference as well.

 

1. Called %mduextr to extract metadata tables

2. Called %mducmp comparing it to itself which will give me all the empty _add and _delete tables I need

3. Populate the grpmems_add to include users in the Restricted access and populate the grpmems_delete to include all current groups the users are included

4. Call %mduchglb to perform the update in metadata

 

Thanks a lot for the help! Greatly appreciate it.

 

Cheers!

Super User
Posts: 3,101

Re: Updating User Group of Metadata Users

What type of groups are you referring to? For example if you are working in a Windows environment it is best practice to add SAS OS user accounts to SAS-related AD groups based on business requirements. These are then imported into SAS metadata as metadata groups usually via a daily batch synchronisation job. This avoids most manual configuration and ensures OS permissions align with metadata groups.

Super Contributor
Posts: 316

Re: Updating User Group of Metadata Users

The challenge on this on our requirement is that the authentication should not be based on the AD, but rather some text file which another source is providing.

 

Basically the input file is a text file containing the user and the group which is loaded as a table. This username is also defined in SAS Metadata. Everyday the file will be processed and will be compared with the previous data. If there is the change in the user's group, that user should be deleted from all other groups assigned to him in SMC and then will be assigned to another group which have Deny RM in most of the SAS folders.

Super User
Posts: 6,928

Re: Updating User Group of Metadata Users

Then you should look at the program that synchronizes from UNIX passwd and group files. You should be able to build the initial tables from your text file.

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
SAS Super FREQ
Posts: 291

Re: Updating User Group of Metadata Users

[ Edited ]

Hi there,

 

curious about the changes of a user's group membership and permissions:

you mention that a txt file is read on a daily basis. Does a group membership or permissions for a user

change frequently?

Where is that txt file coming from, how is it created?

 

If I understand this correctly, the batch program you are looking for would have to compare, delete, change permissions

and add the user to a new group?

 

The bulkload / examples Kurt suggested could help you with this as you can modify it to your needs.

 

Thanks

Anja

Super User
Posts: 3,101

Re: Updating User Group of Metadata Users

[ Edited ]

How do you intend to align OS permissions with metadata group permissions then? If you don't, then any user could define a LIBNAME outside of your metadata and bypass the metadata permissions. This could be prevented though if you used metadata-bound libraries.

☑ This topic is SOLVED.

Need further help from the community? Please ask a new question.

Discussion stats
  • 7 replies
  • 171 views
  • 4 likes
  • 4 in conversation