
Bulk addition and removal of CAS access controls in SAS Viya 3.5

Started ‎04-03-2020 by
Modified ‎04-03-2020 by

The sas-admin cas plugin in SAS Viya 3.5 introduces a feature I've wanted for a long time: bulk addition and removal of specific CAS access controls without entirely replacing existing access controls. This may not sound exciting, but it does make code to maintain access controls smaller and faster.

 

If you use scripts to maintain authorization for CAS data, you'll want to start using sas-admin cas caslibs add-controls and remove-controls and their equivalent commands for CAS tables.

 

What's new in the sas-admin cas plugin?

The table below compares the sub-commands shown in the help text of the sas-admin cas caslibs command in a SAS Viya 3.4 and a SAS Viya 3.5 deployment:

 

| sas-admin cas caslibs command | Purpose | SAS Viya 3.4 | SAS Viya 3.5 |
|---|---|---|---|
| add-control | Adds the specified direct access control to the requested caslib. | Yes | Yes |
| add-controls | Adds the direct access controls in the specified source file to the requested caslib. | No | Yes |
| clear-controls | Deletes all of the direct access controls for the specified caslib. | Yes | Yes |
| create | Adds caslibs. | Yes | Yes |
| delete | Deletes the specified caslib. | Yes | Yes |
| help, h | Shows a list of commands or help for one command. | Yes | Yes |
| list | Lists all caslibs in a specified CAS server or all caslibs in the system. | Yes | Yes |
| list-controls | Provides access information for the specified caslib. | Yes | Yes |
| remove-control | Deletes the specified direct access control. | Yes | Yes |
| remove-controls | Deletes the direct access controls in the specified source file from the requested caslib. | No | Yes |
| replace-controls | Replaces the direct access controls on the specified caslib. | Yes | Yes |
| show-info | Shows information for the specified caslib. | Yes | Yes |
| sources | Manages the data sources for a caslib in a CAS server. | Yes | Yes |

 

While we're at it, let's also compare the sub-commands listed in the help text output by the sas-admin cas tables command in a SAS Viya 3.4 and SAS Viya 3.5 deployment:

 

| sas-admin cas tables command | Purpose | SAS Viya 3.4 | SAS Viya 3.5 |
|---|---|---|---|
| add-control | Adds the specified access control to the requested table. | Yes | Yes |
| add-controls | Adds the direct access controls in the specified source file to the requested table. | No | Yes |
| clear-controls | Deletes all of the direct access controls for the specified table. | Yes | Yes |
| delete | Deletes the specified table. | No | Yes |
| help, h | Shows a list of commands or help for one command. | Yes | Yes |
| import | Imports and loads a specified file into CAS as a table. | No | Yes |
| list | Lists all tables in a specified caslib or all tables in the system. To list all tables in a specified caslib, the caslib must be specified. | Yes | Yes |
| list-controls | Lists the access controls for the specified table. | Yes | Yes |
| load | Loads either the specified table or all of the tables in the specified CAS server and caslib. | Yes | Yes |
| remove-control | Deletes the specified direct access control. | Yes | Yes |
| remove-controls | Deletes the direct access controls in the specified source file from the requested table. | No | Yes |
| replace-controls | Replaces the direct access controls on the specified table. | Yes | Yes |
| show-info | Shows information for the specified table. | Yes | Yes |
| unload | Unloads either a specific table or all tables from the specified caslib. | Yes | Yes |

 

So the sas-admin cas tables command also gained add-controls and remove-controls sub-commands, as well as a couple of other useful sub-commands that are not the subject of this post: delete and import.  

 

Who is this for?

As a SAS Viya administrator, when you create a new CAS library (or table), one of the most common things you need to do is add multiple access controls (perhaps 12 or 13 of them!) which grant permissions to one or more groups of administrators. This enables them to see and administer the new caslib (or table) without having to assume the CAS superuser role. Assuming the CAS superuser role should be viewed a bit like becoming root or using sudo on a UNIX or Linux host: it's for special occasions only, not for basic data management work.

 

When you onboard a new team into an existing SAS Viya deployment, you may need to add multiple access controls (usually somewhere between 2 and 11) to one or more existing corporate caslibs (or tables), to grant the group that represents the team access to see and work with data in the existing corporate caslibs (or tables).

 

That's quite a bit of admin overhead to implement and document, for adding a new caslib or team to your deployment.

 

Before Viya 3.5, your options for doing this were:

  • Manually add the new access controls one at a time, using the visual interfaces (the GUI). This is fine for occasional one-off changes, but slow and error prone if you have to do it a lot.
  • Use the sas-admin cas caslibs add-control command to add each new access control one at a time. This is also a bit slow. It seems to take around 2 seconds per access control on the hosts I'm using, which is no big deal for occasional one-off changes, but is tedious if you have a LOT of changes to make. At least it is much less error-prone than doing the same thing manually in the GUI.
  • Create a JSON file describing ALL of the permissions you wish the caslib (or table) to have, not just the new ones - perhaps using sas-admin cas caslibs list-controls. Modify the JSON to include entries for the new access controls. Then use sas-admin cas caslibs replace-controls to replace all of the existing access controls on the caslib or table with those in the JSON file. This is a bit convoluted, and is most efficient when you have to apply the same access controls to a lot of caslibs or tables, or when the number of updates you expect to do allows you to justify the effort of scripting the whole process.

Running the following series of 13 individual sas-admin cas caslibs add-control commands takes about 31 seconds on my low-spec test system:

 


# Grant all permissions on salesdl for SASAdministrators
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant ReadInfo
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Select
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant LimitedPromote
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Promote
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant CreateTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant DropTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant DeleteSource
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Insert
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Update
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Delete
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant AlterTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant AlterCaslib
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant ManageAccess

 

It's the most tedious part of the solution scripts from the 'Securing CAS Data' section of our GEL Viya 3.4 administration workshop, and we need a LOT more than just these access controls to secure even a small workshop deployment.

 

But now, with sas-admin cas caslibs add-controls and remove-controls, there is a better option, documented in the SAS Viya 3.5 Administration Guide, under Security > Authorization > CAS Authorization > How To (CLI).... We can now make a JSON file like this, named e.g. controls.json (formatted here for readability - you can format your JSON however you like):

 

{
    "items": [
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "readInfo",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "select",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "limitedPromote",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "promote",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "createTable",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "dropTable",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "deleteSource",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "insert",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "update",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "delete",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "alterTable",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "alterCaslib",
            "type": "grant",
            "version": 1
        },
        {
            "identity": "SASAdministrators",
            "identityType": "group",
            "permission": "manageAccess",
            "type": "grant",
            "version": 1
        }
    ]
}

 

That done, we can run this single command, which only takes 2 seconds:

 

sas-admin cas caslibs add-controls --server cas-shared-default --caslib salesdl --source-file controls.json

 

And even better, we can do the same for another caslib that also needs SAS Administrators to have full control in another 2 seconds:

 

sas-admin cas caslibs add-controls --server cas-shared-default --caslib hrdl --source-file controls.json
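
Because the same source file gets reused across caslibs, a typo or an unintended identity in it is replicated everywhere it is applied. The Python below is an added example, not code from the original post or from SAS: it generates a file in the format shown above and checks it before it is handed to add-controls. The function names and the allowed_identities parameter are hypothetical; the item keys and permission spellings are copied from the JSON on this page, and flagging any type other than "grant" is an assumption that suits a grants-only file like this one.

```python
import json

# The 13 permission names, spelled exactly as in the controls.json on this page.
CAS_PERMISSIONS = (
    "readInfo", "select", "limitedPromote", "promote", "createTable",
    "dropTable", "deleteSource", "insert", "update", "delete",
    "alterTable", "alterCaslib", "manageAccess",
)
REQUIRED_KEYS = {"identity", "identityType", "permission", "type", "version"}


def build_controls(identity, permissions=CAS_PERMISSIONS, identity_type="group"):
    """Return a controls document in the page's format, one grant per permission."""
    return {"items": [
        {"identity": identity, "identityType": identity_type,
         "permission": p, "type": "grant", "version": 1}
        for p in permissions
    ]}


def check_controls(doc, allowed_identities):
    """Return a list of findings; an empty list means every check passed."""
    problems, seen = [], set()
    if not doc.get("items"):
        problems.append("no items")
    for i, item in enumerate(doc.get("items", [])):
        missing = REQUIRED_KEYS - set(item)
        if missing:
            problems.append(f"item {i}: missing {sorted(missing)}")
            continue
        if item["permission"] not in CAS_PERMISSIONS:
            problems.append(f"item {i}: unknown permission {item['permission']!r}")
        if item["identity"] not in allowed_identities:
            problems.append(f"item {i}: unexpected identity {item['identity']!r}")
        if item["type"] != "grant":  # assumption: this file should contain grants only
            problems.append(f"item {i}: type {item['type']!r} is not 'grant'")
        key = (item["identity"], item["identityType"], item["permission"], item["type"])
        if key in seen:
            problems.append(f"item {i}: duplicate of an earlier entry")
        seen.add(key)
    return problems


if __name__ == "__main__":
    doc = build_controls("SASAdministrators")
    findings = check_controls(doc, {"SASAdministrators"})
    if findings:
        raise SystemExit("\n".join(findings))
    with open("controls.json", "w") as fh:  # same file name as used on this page
        json.dump(doc, fh, indent=4)
```

Keeping the generated file and the allowed-identities list in version control gives a reviewable record of exactly which grants were applied to each caslib.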

 

I'd never update multiple CAS access controls on the same caslib or table any other way now. And if you need to remove these access controls (if you can add something, you should know how to remove it; if you create something, you should know how to delete it), the command to do that is equally simple:

 

sas-admin cas caslibs remove-controls --server cas-shared-default --caslib salesdl --source-file controls.json

 

This prompts you to confirm you really want to continue with the operation, which is sensible as it is potentially a little bit destructive. But as my colleague @GerryNelson showed me yesterday, there is a Linux package called yes which can help with that if you want to do this non-interactively in a script:

 

yes y | sas-admin cas caslibs remove-controls --server cas-shared-default --caslib salesdl --source-file controls.json

 

I've been omitting the /opt/sas/viya/home/bin path in some of my examples above, so let's finish with an example of this from a real machine, showing that path in the command. The remove-controls command did not wait for input because the 'yes' command output piped to it took care of that: 

 

Figure 1 – Screenshot showing sas-admin cas caslibs add-controls and remove-controls.


 

Sometimes the little things can make a huge difference to our end-user experience. Well done to whoever added this feature. See you next time!

 

Search for more content from our group: SAS Global Enablement & Learning.

 

 

Version history
Last update:
‎04-03-2020 11:24 AM