Hi all,
I am trying to investigate whether a specific user is accessing a specific SAS Viya 3.5 web application.
I need to find out if a user for example "224744" is accessing a specific web application like SAS Model Studio or SAS StudioV.
From the CLI command I can get some information on audit records, but not no where precisely indicating that the web application was accessed.
If I use a command like this:
/sas-admin audit list --user-id 224744 --sort-by timeStamp --limit "100000"
I get results similar to the following:
ID Time Stamp Action State User ID Application URI
af5792bd-3d52-4692-971f-894710b86a2e 2021-12-14T23:52:25.374Z SessionDestroyed success 224744 SASLogon
4f91408b-01cb-41e3-8fb8-b861299e0ff0 2021-12-15T06:33:42.450Z login failure 224744 SASLogon
94e38c00-4ec4-4d9a-8a27-9a638183b158 2021-12-15T08:17:09.653Z login success 224744 SASLogon
but nowhere does it indicate which web application is being accessed. Is this possible?
The only application that creates "login" action audit records is SASLogon. All logins to applications like SAS Visual Analytics, SAS Environment Manager, SAS Model Manager, etc go through SASLogon. The audit records do not distinguish between different applications that a user might access, therefor, you will not find audit records for the login action for individual web applications - only SASLogon.
One way you could achieve determining who logged in a specific application would be look into the specific application logs. We do not provide a mechanism to do this, but you could script it. For example. If you login to SASDrive, in the sasdrive log you will see an entry like this:
2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
Where sasdm is the user ID
Where e36d1efe is a unique value to the session (This value will remain constant when switching between applications)
Where SASDrive is the application
Where ApplicationSwitcher is the key phrase that indicates the application was accessed.
Of note, if you login to an application, you will actually see the ApplicationSwitcher message printed 4 times. So the line I gave above was actually in my log 4 times for a single login. Like this:
2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:25.114 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:28.482 INFO 20804 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [7818738e2d5da009] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:28.482 INFO 20804 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [7818738e2d5da009] SASDrive ApplicationSwitcher enabled=true
If you login to an application, and then use the "application switcher" the ApplicationSwitcher line will only be printed twice.
So here is an example of user sasadm logging into SAS Environment Manager, switching to SAS StudioV, switching to SAS Data Explorer and then switching to SAS Visual Analytics, all without logging out and keeping the same session;
Login to SAS Environment Manager URL directly (message printed in environmentmanager log 4 times for a single login):
2021-11-05 11:38:31.554 INFO 10089 --- [-auto-1-exec-10] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [add2246c77a710df] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:31.554 INFO 10089 --- [-auto-1-exec-10] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [add2246c77a710df] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:33.839 INFO 10089 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [3a1086d7283a18dc] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:33.839 INFO 10089 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [3a1086d7283a18dc] envmgrapp ApplicationSwitcher enabled=true
Switch to sasstudioV (message printed twice in sasstudioV log for switching to application)
2021-11-05 11:38:53.165 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true
2021-11-05 11:38:53.166 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true
Switch to dataExplorer (message printed twice in dataExplorer log for switching to application)
2021-11-05 11:39:05.244 INFO 25886 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [e39caea24cd4c1a8] data_explorer_ui ApplicationSwitcher enabled=true
2021-11-05 11:39:05.244 INFO 25886 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [e39caea24cd4c1a8] data_explorer_ui ApplicationSwitcher enabled=true
Switch to VA (message printed twice in sasvisualanalytics log for switching to application
2021-11-05 11:39:22.404 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true
2021-11-05 11:39:22.408 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true
Hello,
you can Extract list of audit records from SAS Infrastructure Data Server using REST API.
if you don't want to use REST API, use a sql connection to your sas viya posgres data base.
Charif
The only application that creates "login" action audit records is SASLogon. All logins to applications like SAS Visual Analytics, SAS Environment Manager, SAS Model Manager, etc go through SASLogon. The audit records do not distinguish between different applications that a user might access, therefor, you will not find audit records for the login action for individual web applications - only SASLogon.
One way you could achieve determining who logged in a specific application would be look into the specific application logs. We do not provide a mechanism to do this, but you could script it. For example. If you login to SASDrive, in the sasdrive log you will see an entry like this:
2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
Where sasdm is the user ID
Where e36d1efe is a unique value to the session (This value will remain constant when switching between applications)
Where SASDrive is the application
Where ApplicationSwitcher is the key phrase that indicates the application was accessed.
Of note, if you login to an application, you will actually see the ApplicationSwitcher message printed 4 times. So the line I gave above was actually in my log 4 times for a single login. Like this:
2021-11-05 09:53:25.109 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:25.114 INFO 20804 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [a5679971ca1377ac] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:28.482 INFO 20804 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [7818738e2d5da009] SASDrive ApplicationSwitcher enabled=true
2021-11-05 09:53:28.482 INFO 20804 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(e36d1efe) [7818738e2d5da009] SASDrive ApplicationSwitcher enabled=true
If you login to an application, and then use the "application switcher" the ApplicationSwitcher line will only be printed twice.
So here is an example of user sasadm logging into SAS Environment Manager, switching to SAS StudioV, switching to SAS Data Explorer and then switching to SAS Visual Analytics, all without logging out and keeping the same session;
Login to SAS Environment Manager URL directly (message printed in environmentmanager log 4 times for a single login):
2021-11-05 11:38:31.554 INFO 10089 --- [-auto-1-exec-10] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [add2246c77a710df] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:31.554 INFO 10089 --- [-auto-1-exec-10] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [add2246c77a710df] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:33.839 INFO 10089 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [3a1086d7283a18dc] envmgrapp ApplicationSwitcher enabled=true
2021-11-05 11:38:33.839 INFO 10089 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [3a1086d7283a18dc] envmgrapp ApplicationSwitcher enabled=true
Switch to sasstudioV (message printed twice in sasstudioV log for switching to application)
2021-11-05 11:38:53.165 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true
2021-11-05 11:38:53.166 INFO 25935 --- [0-auto-1-exec-3] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [bfe0f54373b86a4a] sasstudiov ApplicationSwitcher enabled=true
Switch to dataExplorer (message printed twice in dataExplorer log for switching to application)
2021-11-05 11:39:05.244 INFO 25886 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [e39caea24cd4c1a8] data_explorer_ui ApplicationSwitcher enabled=true
2021-11-05 11:39:05.244 INFO 25886 --- [0-auto-1-exec-4] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [e39caea24cd4c1a8] data_explorer_ui ApplicationSwitcher enabled=true
Switch to VA (message printed twice in sasvisualanalytics log for switching to application
2021-11-05 11:39:22.404 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true
2021-11-05 11:39:22.408 INFO 25503 --- [0-auto-1-exec-5] c.s.commons.html.taglib.ApplicationTag : sasadm(555db3b6) [ef18eacc6d3ca1b0] VANextLogon ApplicationSwitcher enabled=true
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.