Solved: Re: User Auditing: Has user x accessed a specific web application in S...

JessLund · Posted 12-22-2021 07:03 AM

Hi all,

I am trying to investigate whether a specific user is accessing a specific SAS Viya 3.5 web application.

I need to find out if a user for example "224744" is accessing a specific web application like SAS Model Studio or SAS StudioV.

From the CLI command I can get some information on audit records, but not no where precisely indicating that the web application was accessed.

If I use a command like this:

/sas-admin audit list --user-id 224744 --sort-by timeStamp --limit "100000"

I get results similar to the following:

ID Time Stamp Action State User ID Application URI
af5792bd-3d52-4692-971f-894710b86a2e 2021-12-14T23:52:25.374Z SessionDestroyed success 224744 SASLogon
4f91408b-01cb-41e3-8fb8-b861299e0ff0 2021-12-15T06:33:42.450Z login failure 224744 SASLogon
94e38c00-4ec4-4d9a-8a27-9a638183b158 2021-12-15T08:17:09.653Z login success 224744 SASLogon

but nowhere does it indicate which web application is being accessed. Is this possible?

ronf_sas · Posted 12-22-2021 09:06 AM

@JessLund

The only application that creates "login" action audit records is SASLogon. All logins to applications like SAS Visual Analytics, SAS Environment Manager, SAS Model Manager, etc go through SASLogon. The audit records do not distinguish between different applications that a user might access, therefor, you will not find audit records for the login action for individual web applications - only SASLogon.

One way you could achieve determining who logged in a specific application would be look into the specific application logs. We do not provide a mechanism to do this, but you could script it. For example. If you login to SASDrive, in the sasdrive log you will see an entry like this:

2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true

Where sasdm is the user ID

Where e36d1efe is a unique value to the session (This value will remain constant when switching between applications)

Where SASDrive is the application

Where ApplicationSwitcher is the key phrase that indicates the application was accessed.

Of note, if you login to an application, you will actually see the ApplicationSwitcher message printed 4 times. So the line I gave above was actually in my log 4 times for a single login. Like this:

2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true

2021-11-05 09:53:25.114 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true

2021-11-05 09:53:28.482 INFO 20804 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [7818738e2d5da009] SASDrive ApplicationSwitcher enabled=true

If you login to an application, and then use the "application switcher" the ApplicationSwitcher line will only be printed twice.

So here is an example of user sasadm logging into SAS Environment Manager, switching to SAS StudioV, switching to SAS Data Explorer and then switching to SAS Visual Analytics, all without logging out and keeping the same session;

Login to SAS Environment Manager URL directly (message printed in environmentmanager log 4 times for a single login):

2021-11-05 11:38:31.554 INFO 10089 --- [-auto-1-exec-10] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [add2246c77a710df] envmgrapp ApplicationSwitcher enabled=true

2021-11-05 11:38:33.839 INFO 10089 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [3a1086d7283a18dc] envmgrapp ApplicationSwitcher enabled=true

Switch to sasstudioV (message printed twice in sasstudioV log for switching to application)

2021-11-05 11:38:53.165 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true

2021-11-05 11:38:53.166 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true

Switch to dataExplorer (message printed twice in dataExplorer log for switching to application)

2021-11-05 11:39:05.244 INFO 25886 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [e39caea24cd4c1a8] data_explorer_ui ApplicationSwitcher enabled=true

Switch to VA (message printed twice in sasvisualanalytics log for switching to application

2021-11-05 11:39:22.404 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true

2021-11-05 11:39:22.408 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true

View solution in original post

rifcha · Posted 12-22-2021 08:15 AM

Hello,

you can Extract list of audit records from SAS Infrastructure Data Server using REST API.

https://communities.sas.com/t5/SAS-Communities-Library/Audit-your-SAS-Viya-platform-with-REST/ta-p/6...

if you don't want to use REST API, use a sql connection to your sas viya posgres data base.

Charif

ronf_sas · Posted 12-22-2021 09:06 AM