Auditing Report Actions in SAS Viya 3.x

1 Like

There are a number of useful features, settings and tools that administrators can utilise to audit user activity in SAS Viya 3.x. In this post, we will explore the options available for the auditing of report actions in SAS Visual Analytics.

Important

Before reading on, it should be stressed that there may be a negative impact on system performance as a result of modifying the auditing configuration to capture more detailed records. Broadening the scope of the auditing configuration will generate considerable amounts of data, which will result in a level of slowness, as well as increased disk consumption. If you encounter poor performance after changing the configuration, you may need to reduce the scope by limiting the applications, actions or resources for which to capture audit records.

Overview

Auditing in SAS Viya is based on the SAS Operations Infrastructure, which is based on SAS's event-driven architecture. The event framework uses RabbitMQ as the message broker for processing all events generated by SAS Viya services.

The default behaviour is to capture four basic actions (create, read [failure], update and delete) on report objects. This can be modified using the configuration properties for the Audit service's sas.audit.record configuration instance in SAS Environment Manager.

01_AF_sas.audit_.record_cfginstance-1024x472.png

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

When processing an event, the Audit service uses the properties defined here to determine whether it is captured in the audit records.

02_border_AF_sas.audit_.record_properties.png

Configuration properties must be defined in a specific pattern. The following are valid options for configuring the audit service to capture records on a per application basis:

application-name.enabled
application-name.event-action-type.enabled
application-name.event-action-type.state

where application-name refers to the service name (for example, reports, identities or compute) and event-action-type is one of the action properties from an internal event action registry. State refers to the success or failure of the event action.

Additionally, the configuration properties can be set to capture actions based on entry type rather than by application. For example, security actions can be captured by setting security.action.login.state=all in the type property.

Audit records are written to the SAS Infrastructure Data Server. The data is not loaded to the CAS table that drives the pre-canned audit reports in Environment Manager until the Operations Infrastructure's genAudit task is run (every 2 hours by default). We can use the sas-admin CLI's audit plugin to view the audit records in PostgreSQL immediately. Keep reading for some examples.

Records older than 7 days in the datamart are archived to a specified location on disk. The sas.audit.archive configuration instance determines the rules for the archiving of audit records.

Auditing Report Access

How can we tell what reports our user (Ahmed) opened? Well, remember that audit records are only created for failed read attempts by default due to the setting of resource.action.read.state=failure in sas.audit.record. We can update this value to all to capture successful as well as failed attempts for all resources, but note that this is generally not recommended due to the impact on performance as a result of the amount of data generated. I set this option in my lab for the purpose of this demo, as I am the only user and it is a throwaway environment. After doing so, I ran the CLI command again, this time filtering for entries created by the reports application only.

/opt/sas/viya/home/bin/sas-admin --output text audit list --user-id Ahmed --application reports

ID                                     Time Stamp                 Action   State     User ID   Application   URI
94a2d4ba-aefc-4d71-9961-04ada7274e91   2019-10-02T02:31:05.253Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
b40b1ecc-8cd9-4733-99a7-c3e63e06adaf   2019-10-02T02:30:53.703Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
e57a7972-4b5c-4df9-90a6-ed038a4e74cb   2019-10-02T02:30:52.806Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
c71d2094-d18e-4cee-8e03-6e8c7505d070   2019-10-02T02:30:10.382Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
cb10dfb4-bf7d-40f8-a709-456abff091d9   2019-10-02T02:30:00.277Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
59735b62-d8f4-4f91-9a15-b447f76bb483   2019-10-02T02:16:54.625Z   read     success   Ahmed     reports       /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c

Interestingly, there are multiple read entries for the same report. The reason is that these reads represent more than just the action of opening of a report. In fact, some of these records are created when a report is selected in the Content area of SAS Environment Manager, or when thumbnails for the reports are rendered in the list of Recent reports in Report Viewer and SAS Drive (documented in SAS Note 62355). To identify the record that represents the actual opening of the report, we need another option in our command.

/opt/sas/viya/home/bin/sas-admin --output text audit list --user-id Ahmed --application reports --details

ID                                     Time Stamp                 Type       Action   State     Description   User ID   Application   Remote Address   URI
94a2d4ba-aefc-4d71-9961-04ada7274e91   2019-10-02T02:31:05.253Z   resource   read     success                 Ahmed     reports       192.168.1.2      /reports/reports/cbf97b0a-457d-4b4f-8913-547
b40b1ecc-8cd9-4733-99a7-c3e63e06adaf   2019-10-02T02:30:53.703Z   resource   read     success                 Ahmed     reports       192.168.1.1      /reports/reports/cbf97b0a-457d-4b4f-8913-547
e57a7972-4b5c-4df9-90a6-ed038a4e74cb   2019-10-02T02:30:52.806Z   resource   read     success                 Ahmed     reports       10.96.17.168     /reports/reports/cbf97b0a-457d-4b4f-8913-547

Adding the details option displays IP addresses in the output. The one that represents the report open is the one that containing the IP address of the client machine. In this example, that would be 10.96.17.168 (the record on the bottom).

We can use the CLI to display more detailed information about an audit record by running the audit plugin's show-info command. /opt/sas/viya/home/bin/sas-admin --output text audit show-info --id 94a2d4ba-aefc-4d71-9961-04ada7274e91

ID                 94a2d4ba-aefc-4d71-9961-04ada7274e91
Time Stamp         2019-10-02T02:31:05.253Z
Type               resource
Action             read
State              success
User ID            Ahmed
Remote Address     192.168.1.2
Trace ID           24b3c0cac3add8e3
Application        reports
URI                /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c
Folder             /Products/SAS Visual Analytics/Samples
Report Name        Retail Insights
HTTP Status Code   200
HTTP Method        GET

As indicated in the SAS Note, only reports under the /Products and /Public folders produce audit records by default. Follow the steps in the note to modify the configuration to capture audit records for reports in all locations.

Auditing Report Actions

For auditing other report actions, such as filtering, exporting, printing, sharing reports, it's a little more complicated.

Filtering

Applying filters to your report will produce more audit records similar to the below from the reportData application, but there is currently no simple way to determine exactly how the report was filtered.

81d4100b-92e1-4dc2-9464-1fe102a062a9   2019-10-02T05:07:24.771Z   create   success   Ahmed     reportData      /reportData/jobs/0c3691a3-7c55-4774-af19-684a1eda8641_c36
de376ccb-30ee-4ec5-90d7-dfad2b548d19   2019-10-02T05:07:25.901Z   create   success   Ahmed     reportData      /reportData/jobs/0c3691a3-7c55-4774-af19-684a1eda8641_c35
8a632ec8-e145-4c1e-ad46-69e377270ecf   2019-10-02T05:07:25.943Z   read     success   Ahmed     reportData      /reportData/results/0c3691a3-7c55-4774-af19-684a1eda8641_0c3691a3-7c55-4774-af19-684a1eda8641_c35/files/dd27639.csv
b33a90b2-5ba1-4cda-aeb7-aeb42356f358   2019-10-02T05:07:25.949Z   read     success   Ahmed     reportData      /reportData/results/0c3691a3-7c55-4774-af19-684a1eda8641_0c3691a3-7c55-4774-af19-684a1eda8641_c35/files/dd27639index.csv

Exporting

The transfer service is responsible for handling the export of content. Therefore, assuming resource.action.read.enabled is set to its default value of failure, we need to turn on auditing for the transfer service. We can do so by adding these new entries to the application property in the sas.audit.record configuration instance.

This will capture all CRUD events (including successful reads) for the transfer service only. Now, when exporting a report from SAS Environment Manager's Content area, audit records similar to the below are captured.

51f68e79-000c-4f82-8015-dcaebdc6552e   2019-09-25T13:25:52.719Z   resource   create   success                 sasadm    transfer        10.96.10.154     /transfer/exportJobs/7f1bbfc7-fdfd-4f09-8527-97fb071746e0
...
82c18db3-414d-4cde-8b0a-6e76cb3fc315   2019-09-25T13:25:54.823Z   resource   read     success                 sasadm    transfer        10.96.10.154     /transfer/packages/85d85fac-f7f4-4d34-9e74-31401b34caf1

(Note that in this case, the User ID is sasadm. Remember that only administrators can export reports.)

Conveniently, the last column in the second record displays the URI to the package file. We can use the sas-admin CLI's transfer plug-in to display its contents.

/opt/sas/viya/home/bin/sas-admin transfer show-contents --uri /transfer/packages/85d85fac-f7f4-4d34-9e74-31401b34caf1

Name                   ContentUri                                              ContentMediaType
Retail Insights        /reports/reports/cbf97b0a-457d-4b4f-8913-547e0cdf390c   application/vnd.sas.report
Samples                /folders/folders/8af48321-d89c-4522-9557-079bce15edce   application/vnd.sas.content.folder
SAS Visual Analytics   /folders/folders/f865778e-db27-4b4a-be3d-6322bd4ff81d   application/vnd.sas.content.folder
Products               /folders/folders/1d8b18bf-853b-4a57-8600-c9bd37cf49ae   application/vnd.sas.content.folder

In this example, the package contains the Retail Insights report and its corresponding SAS folder structure.

When importing packages, the transfer service will generate similar events that are also captured as audit records.

What about when exporting data to Excel from within a VA report? This will require successful reads to be turned on for the reportData application (reportData.action.read.state=all). We will then get the following records.

d81d2344-35ff-4bc8-af81-6ad957f37271   2019-10-02T03:34:32.592Z   read     success   Ahmed     reportData      /reportData/results/310e8def-27a1-4f32-8676-05ce504d24b3_c1635e4d-618c-4968-9d9c-2d624fcb4279/exportFiles/dd431.xlsx
...
6778fbdb-2cce-4844-8fd1-beca87ce4cec   2019-10-02T03:34:32.445Z   create   success   Ahmed     reportData      /reportData/jobs/c1635e4d-618c-4968-9d9c-2d624fcb4279

The read entry lists the Excel file, which is great, but notice anything that links it to the create entry? The URI contains a reference (after the underscore) to the create job entry.

Printing

Printing in Visual Analytics or Report Viewer generates a PDF of the report which the user can then print. This action results in the following audit records, indicating the name of the PDF that was produced.

4ebe39db-dd57-4c20-a61e-506f70602a9e   2019-09-25T11:34:14.826Z   resource   read     success                 Ahmed     reportRenderer   10.96.10.154     /reportRenderer/reports/3BIEOARCKYIRJU4KKR67XKTXDQAU3MWA/Retail%20Insights%20on%2009-25-2019.pdf
5fe92d47-ff6f-4134-880e-234985589c6d   2019-09-25T11:34:14.755Z   resource   create   success                 Ahmed     reportRenderer   10.96.10.154     /reportRenderer/reports/3BIEOARCKYIRJU4KKR67XKTXDQAU3MWA

Other Client-side Actions

Many other user actions performed in SAS Visual Analytics are client-side, meaning they do not interact with other services in a meaningful way (in this context). As such, they do not currently generate audit records in a manner that can be surfaced appropriately in SAS Viya 3.x. Auditing capabilities are constantly being improved, though, particularly in later versions of SAS.

Conclusion

Many organizations perform auditing for regulatory compliance or to report on security and usability aspects of the platform. Viya goes some way to meet basic auditing requirements out of the box, and provides the flexibility to expand the auditing scope with relative ease - BUT, do not forget the potential performance implications, as they can be significant. Keep an eye out for further improvements in auditing functionality in future releases. In later posts, we will explore auditing other areas of the SAS Viya platform.

For more information, refer to the official documentation.

Thanks to Eric Bourn, Todd Braswell and Anant Patil for their invaluable contributions to this post.

Thank you for reading. I hope the information provided in this post has been helpful. Please leave a comment below to share your own experiences.

Find more articles from SAS Global Enablement and Learning here.

sikandarkazmi · ‎02-20-2025

Thank you for this insightful post! Auditing is indeed a crucial aspect of regulatory compliance and security management. The flexibility that Viya offers in expanding the auditing scope is impressive, though performance implications must always be considered. Looking forward to future posts exploring other auditing areas within the SAS Viya platform. As a software company near me focusing on innovation, we always strive to stay updated on best practices in auditing and compliance. Appreciate the contributions of Eric Bourn, Todd Braswell, and Anant Patil to this discussion!