Hello everyone
I know how to sync users from a specific OU in the AD.
In the current case I need to sync users from specific groups. Is that possible? If yes, how?
SAS version 9.4
VA version 7.3
Kind regards
Martin
Hello @infmja,
in simple words: you will need to create a loop for the different OUs, for the users and for the groups, so they will be added/appended to the canonical tables.
An example, but not a unique solution, is that you can set the different OUs on different variables (ADPerBaseDN1..ADPerBaseDN10 for 10 OUs) or on a matrix and let it do the loop:
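```sas
/* Fragment: the %do loops must run inside a macro definition. */
/* Extract the users of each OU into ldapusers1..ldapusersN.   */
%do i = 1 %to &ads_containers.;
  %pers( &&ADPerBaseDN&i.., &i. );
%end;

/* Append the per-OU user tables into one table. */
data &extractlibref..ldapusers;
  set %do i = 1 %to &ads_containers.;
        ldapusers&i.
      %end;
  ;
run;

/* after.... */
/* Same pattern for the groups of each OU. */
%do i = 1 %to &ads_containers.;
  %grps( &&ADGrpBaseDN&i.., &i. );
%end;

data &extractlibref..ldapgrps;
  set %do i = 1 %to &ads_containers.;
        ldapgrps&i.
      %end;
  ;
run;
```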
Also, if you are not familiar with the AD sync scripts, you can always check the excellent Identity Sync plug-in for SMC provided by Metacoda ( @PaulHomes and @MichelleHomes ).
Yes, you can always modify the macros or create macros of your own in order to filter.
There are some other options for you:
- Sys admins may create a custom OU for you, just containing a "link" to the groups that are interesting for you from the other OUs.
- You can always ask your sys admins to create a csv file as output of a custom query to get the groups and users you need. The csv can be also imported/sync-ed.
How do I check if a variable contains a specific string?
Regarding checking whether a variable contains a string there are a few ways. One of the simplest is to use the INDEX function. For more complex requirements you could also consider using Perl Regular Expressions.
@JuanS_OCS provides the best advice here in this case, imho: try to push down the selection request as far as possible into AD, for instance, using complex AD filter clauses or even with some sort of a custom filter ("SAS" OU) created on purpose by the AD Admin.
Trying to code the selection request in SAS using the LDAP/AD API will be more time consuming, less efficient and more error-prone: a row-oriented SAS Data Step is not the best tool to navigate hierarchical (tree-like) databases like AD or LDAP directories ... Instead of debugging complex SAS loops, time might be better spent devising a clear and simple AD Filter.
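An AD filter of the kind suggested above, as an added example that is not part of the original posts or of the SAS sample sync scripts: a data step that builds one search filter selecting enabled users who belong, directly or through nested groups, to a list of groups. The group DNs and the macro variable name `ADUserFilter` are assumptions made for illustration; `1.2.840.113556.1.4.1941` is AD's transitive membership matching rule and `1.2.840.113556.1.4.803` its bitwise AND rule.

```sas
/* Added example: group DNs below are constructed placeholders. */
data _null_;
  length raw dn $256 clause $400 groups $2000 filter $2400;

  do raw = 'CN=SAS Users,OU=Groups,DC=example,DC=com',
           'CN=VA Report Viewers (EU),OU=Groups,DC=example,DC=com';

    /* RFC 4515 escaping of the assertion value: backslash first, */
    /* then * ( ), so a DN cannot change the filter structure.    */
    dn = tranwrd(raw, '\', '\5c');
    dn = tranwrd(dn,  '*', '\2a');
    dn = tranwrd(dn,  '(', '\28');
    dn = tranwrd(dn,  ')', '\29');

    /* Transitive match: also finds members of nested groups. */
    clause = cats('(memberOf:1.2.840.113556.1.4.1941:=', dn, ')');
    groups = cats(groups, clause);
  end;

  /* Single quotes keep the macro processor away from the & characters. */
  /* The userAccountControl clause drops disabled accounts (bit 2).     */
  filter = cats('(&(objectCategory=person)(objectClass=user)',
                '(!(userAccountControl:1.2.840.113556.1.4.803:=2))',
                '(|', groups, '))');

  call symputx('ADUserFilter', filter);
run;

/* %superq prints the value without rescanning it for macro triggers. */
%put %superq(ADUserFilter);
```

The resulting string is meant to be passed as the LDAP search filter in the user extraction step, with the search base set high enough in the directory to cover every OU the group members live in.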
Thanks @JuanS_OCS for mentioning the Metacoda Identity Sync plug-in 🙂
Martin, if you are interested in trying it out you can register for a free 30 day evaluation at https://www.metacoda.com/en/evaluation/
There are a few different ways the Identity Sync plug-in can be configured, but the most common way sounds like what you are trying to do. You can configure a set of high level groups and then the plug-in will find all members of those groups, including members of multiple levels of nested groups, to find all of the groups and users that will be sync-ed with SAS metadata. These users and groups can come from many different OUs in the directory and potentially other domains too. Some of our customers even go so far as to drive the sync process from a single group in AD and thus manage the target user/group selection from AD itself. It can be run both in batch and interactively - so you can see a preview of the changes before they are applied.
If you want to find out more, a good starting point is a blog post at https://platformadmin.com/blogs/paul/2015/07/synchronizing-sas-platform-identities where I have a screencast of the process of setting it up. There are a few other blog posts that discuss the identity sync process at https://platformadmin.com/blogs/paul/tag/identity-sync/. We also have some example Identity Sync Profiles in a GitHub repository at https://github.com/Metacoda/idsync-utils with documentation on the samples and some of the features they show at https://metacoda.github.io/idsync-utils/
I hope this is useful. Please let me know if you have any questions.