Architecting, installing and maintaining your SAS environment

User management component in SAS Management Console

Reply
Contributor
Posts: 29

User management component in SAS Management Console

Hello All,

I need some expertise in finding a solution on automation of creating users in SAS Management Console (SMC)

As we already know in SMC, for adding a user, we use the user manager component to fill the general details, add relevant groups and account as well.

Now,I am from admin team and have a scenario where users get to create their SAS account induvidually which is handled by some other team and later come to us to manually create metadata in SMC to access resources.

Is there any other way to automate this user management by end users ??

I am looking at a solution involving simple things such as importing an excel sheet with appropriate values filled in into SMC  by doing so, I believe we can add multiple users at a time , also users themseleves can be provided with this approach even though they do not have technical knowledge on SMC.

Another idea :  In my scenario, we have SAS accounts created on UNIX server,

So we can extract the account details to a text file .  Is there any way to import these details into SMC after some minor modifications so that the accounts created on server and user details in SMC should be in sync.

Please help me with details if any such way already exists.

Thank you.

Regards

Mark

Super User
Posts: 5,256

Re: User management component in SAS Management Console

Frequent Contributor
Posts: 117

Re: User management component in SAS Management Console

I assume (wrongly ?) that the credentials (login,password) for your users are created and stored in some kind of external LDAP directory server (Microsoft Active Directory, SUN/ORACLE Directory Server, even Unix local passwd/shadow files). In this case, you don't create users with their credentials only inside the Metatada respository using internal logins (@saspw), which is generally  - and wisely - prohibited by security policies.

So you need to synchronize your list of SAS users with all their attributes, their group in the first place, with the metadata repository. SAS provides such a set of tools called User Import Macros :

User Import Macros :: SAS(R) 9.3 Intelligence Platform: Security Administration Guide

User Import Macros :: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Editio...

The tool extracts user/group synchronized from both sources External LDAP (1) and SAS Metadata (2), then compares (1) with (2) and updates accordingly (based on your choice) the metadata appling the latest change coming from LDAP.

There is also this note which provides a sample code easier to handle, excerpted from the User Import Macros :

http://support.sas.com/kb/42/251.html

Valued Guide
Posts: 3,208

Re: User management component in SAS Management Console

What you are describing is the common approach with a RBAC process for a lot of companies. 
The technical links for that have already been provided. You can find the LDAP-import macros-(sample) as a sources in the macro-library of your installation.

You will have to adjust those for your situation and naming conventions. AD is a LDAP implementation but AD is not complete enough for a Unix approach (id/gid missing).

The password file is readable in a Unix environment as the passwords have been moved to the shadow file a long time ago.

The problems you can run into is that they these sources (AD , old password file) are logical incorrect having too many issues.

Another is the question what to do having found an account that is not in those sources but is in the SAS metadata. Personal accounts should get deleted, but service accounts are needed for the system. That is why you are seeing an additional list in that KB-note. Deleting a service account can place you in an very difficult to correct situation.

---->-- ja karman --<-----
Ask a Question
Discussion stats
  • 3 replies
  • 578 views
  • 0 likes
  • 4 in conversation