BookmarkSubscribeRSS Feed
Raas
Calcite | Level 5

Hi,

We use SAS 9.2 TS2M3 and DI Studio 4.2M2.

Our metadata security model does not allow the SAS developers to make direct changes to DI jobs in the Foundation repository, forcing the developers to check-in/check-out their jobs via project repositories. But a user needs write permission to the Foundation job in order to deploy the code. If the developers were granted this permission it would result in all manner of issues including deleted jobs and loss of audit trail as the project repositories could be bypassed.

Currently only the 'techincal lead' & admin users have write permission on the jobs folders in order to deploy jobs. Its a pain - has anyone found a workable way to allow jobs to be deployed from Foundation without opening a massive security hole?

Cheers.

5 REPLIES 5
LinusH
Tourmaline | Level 20

I agree, this is a bit painful. The same goes for other object that sometimes ETL-developer needs to be involved, such as database servers, schemas, Cubes, Information Maps etc.

One way to handle this is to "open up" specific folders for write access for this user group, so that deployed jobs are stored somewhere else in the folders than the originating job.

Data never sleeps
Raas
Calcite | Level 5

True, although we have workable processes to take care of most of the other BI objects.

We also took the approach to seperate the job from the deployed job objects as you've mentioned. Yet it seems write permission is still needed on the job object itself when deploying code, which is the big security issue.

LinusH
Tourmaline | Level 20

That is correct, forgotten that.

What we did at one site is having a separate userid for each developer for deploying jobs. This would at least preventing most incidental changes of jobs. I presume that your develeoprs are honest people and intend to follow development guidelines?

Data never sleeps
Raas
Calcite | Level 5

They are a fine bunch of SAS developers. All the same, I would prefer the security model to do the work. Thanks for the suggestion LinusH.

Edwin_N
Calcite | Level 5
This topic is from a couple of years ago but we're stumbling into the same issue. Did you manage to get this done without granting write access?
I am thinking of creating a user transform/job so developers can issue the (re-)deploy command. Some meatadata would be input (job,batchserver..). And a user with write access would be the executing user in the code. In this way we would be able to prevent developers forgetting the check out.
What was your solution?

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Find more tutorials on the SAS Users YouTube channel.

Click image to register for webinarClick image to register for webinar

Classroom Training Available!

Select SAS Training centers are offering in-person courses. View upcoming courses for:

View all other training opportunities.

Discussion stats
  • 5 replies
  • 643 views
  • 3 likes
  • 3 in conversation