Enable users to deploy jobs without granting write access.

Reply
Occasional Contributor
Posts: 5

Enable users to deploy jobs without granting write access.

Hi,

We use SAS 9.2 TS2M3 and DI Studio 4.2M2.

Our metadata security model does not allow the SAS developers to make direct changes to DI jobs in the Foundation repository, forcing the developers to check-in/check-out their jobs via project repositories. But a user needs write permission to the Foundation job in order to deploy the code. If the developers were granted this permission it would result in all manner of issues including deleted jobs and loss of audit trail as the project repositories could be bypassed.

Currently only the 'techincal lead' & admin users have write permission on the jobs folders in order to deploy jobs. Its a pain - has anyone found a workable way to allow jobs to be deployed from Foundation without opening a massive security hole?

Cheers.

Super User
Posts: 5,256

Re: Enable users to deploy jobs without granting write access.

I agree, this is a bit painful. The same goes for other object that sometimes ETL-developer needs to be involved, such as database servers, schemas, Cubes, Information Maps etc.

One way to handle this is to "open up" specific folders for write access for this user group, so that deployed jobs are stored somewhere else in the folders than the originating job.

Data never sleeps
Occasional Contributor
Posts: 5

Re: Enable users to deploy jobs without granting write access.

True, although we have workable processes to take care of most of the other BI objects.

We also took the approach to seperate the job from the deployed job objects as you've mentioned. Yet it seems write permission is still needed on the job object itself when deploying code, which is the big security issue.

Super User
Posts: 5,256

Re: Enable users to deploy jobs without granting write access.

That is correct, forgotten that.

What we did at one site is having a separate userid for each developer for deploying jobs. This would at least preventing most incidental changes of jobs. I presume that your develeoprs are honest people and intend to follow development guidelines?

Data never sleeps
Occasional Contributor
Posts: 5

Re: Enable users to deploy jobs without granting write access.

They are a fine bunch of SAS developers. All the same, I would prefer the security model to do the work. Thanks for the suggestion LinusH.

Senior User
Posts: 1

Re: Enable users to deploy jobs without granting write access.

This topic is from a couple of years ago but we're stumbling into the same issue. Did you manage to get this done without granting write access?
I am thinking of creating a user transform/job so developers can issue the (re-)deploy command. Some meatadata would be input (job,batchserver..). And a user with write access would be the executing user in the code. In this way we would be able to prevent developers forgetting the check out.
What was your solution?
Ask a Question
Discussion stats
  • 5 replies
  • 271 views
  • 3 likes
  • 3 in conversation