
Creating SAS Viya authorization from SAS 9.4 Metadata

Started 11-07-2018
Modified 11-07-2018

In a previous article, New functionality for transitioning from Visual Analytics on 9.4 to Viya, I discussed promotion of content from SAS 9.4 to Viya. The Viya promotion tools, by default, include authorization settings in the package when you export folders and content. What if you want to export the authorization separately from the content, and then selectively apply that authorization? The good news is that SAS 9.4 and Viya provide us with the tools to take an alternate approach.

 

In this post I will look at how this can be accomplished. Recall that there are two authorization systems in SAS Viya. The General Authorization system applies to folders, content and functionality, and the CAS authorization system applies to data in CAS. Since the new authorization systems are very different from metadata authorization in SAS 9.4, the promotion tools attempt to translate the 9.4 settings to Viya settings.

 

General Authorization (Folders and Content)

Promotion will attempt to convert SAS 9.4 authorization to rules in the General authorization system. During the process:

  • Access Control Templates are not promoted
  • Explicit Access Control Entries are converted to SAS Viya Rules
  • Access Control Entries with denials are discarded

CAS Authorization (CASLIBs and Data)

Promotion will attempt to convert SAS 9.4 authorization to access controls in the CAS authorization system. During the process:

  • Access Control Templates are not promoted
  • Access Control Entries are not promoted unless they are applied directly to a library or table
  • Access Control Entries are converted to CAS access controls
  • Row-level permissions are preserved
  • If an object exists in the target environment, no authorization settings are imported

Why would we want to selectively promote authorization? Well, there are a number of reasons. Instead of a big bang, maybe we want to take a more incremental approach to the transition. Perhaps our 9.4 security model relied heavily on ACTs, which are currently not supported. Maybe we want to change the way our content is structured and reapply security after that process is completed.

 

Fortunately, we do have the tools available to selectively promote authorization from 9.4 to Viya and at the same time include ACTs. There are three steps:

  1. Read SAS 9.4 authorization settings: this can be accomplished using the SAS 9.4 security reporting macros.
  2. Translate SAS 9 authorization to Viya: this can be accomplished using the SAS DATA step and procedures, and the mapping of SAS 9 permissions to Viya permissions in the Viya administration guide.
  3. Apply the Viya authorization settings: this can be accomplished using the sas-admin command-line interface.

General Authorization

The authorization plug-in of the SAS administration CLI supports the creation and update of rules in bulk. The create-rules command accepts a JSON file as input. For example, the command below will add rules based on the content of the JSON file:

 

sas-admin authorization create-rules --file addrules.json

 

In the JSON file you define the details of the rules, including the target folder, the principal, the type of rule (grant or deny) and the permissions. So if we can create a JSON file from the 9.4 metadata, we can export rules from SAS 9.4 and import them to Viya.

 

This SAS macro will read the 9.4 effective authorization for a folder and a set of identities, translate it, and output a JSON file of Viya rule definitions. It accepts as parameters:

  • Metadata folder
  • Name of a JSON file to output
  • A folder id for a Viya folder (optional)
  • A list of identities
  • A matching list of identity types

Using the parameters the macro:

  • Uses the SAS 9.4 security reporting macros to read the authorization settings for the folder and write them to a SAS table.
  • Post-processes the SAS table to map each SAS 9.4 permission to a Viya permission (using the mappings provided in the Viya administration guide).
  • Reads the resultant SAS table and uses PROC JSON (introduced in 9.4 M4) to create a JSON file with the Viya authorization rule definitions.

For example, say we want to set permissions for a folder in Viya, /gelcorp/sales, with the same settings we had for a related folder, /gelcorp/salescontent.

 

Firstly, we can optionally determine the folder id of the target folder in Viya.

 

sas-admin folders show --path /gelcorp/salescontent

 

gn_auth94toviya_1.jpg

 

Next, in SAS 9.4, execute the macro to export the authorization settings from SAS 9.4. The macro will extract the settings for one folder and can retrieve effective permissions for multiple groups on the folder. If you do not know the URI of the target folder, you can leave it blank and edit the JSON at a later time.

 

%export_folder_auth(metadata_folder=/gelcorp/salescontent,
output_file=c:\temp\gelcorpsales.json,
folder_id=%nrstr(eacf2e97-caf5-43d0-9b66-f1e0b5f7de5c),
identity=%nrstr(Sales,Sales Content Developers, Sales Data Managers),
identitytype=%nrstr(IdentityGroup,IdentityGroup,IdentityGroup),);

 

The macro is included as an attachment.

 

The resulting JSON is shown below. The macro initially assumes that the groups exist with the same id in Viya. If anything in the JSON is incorrect, such as different identity information or folder id, you can edit the file before you apply it.

 

gn_auth94toviya_2.jpg

 

To apply the permissions, use the authorization plug-in of the sas-admin CLI.

 

sas-admin authorization create-rules --file c:\temp\gelcorpsales.json

 

The result is that new rules are created in Viya. You can view the rules in Rules Manager by filtering on the objectUri and/or containerUri, and view the impact of the rules on the folder's permissions in the content area.

 

gn_auth94toviya_3.jpg

 

The macro is deliberately written to do one folder at a time. The differences between 9.4 and Viya authorization make a bulk approach without any review dangerous. Doing the export one folder at a time means the new rules can be thoroughly reviewed prior to importing to Viya.
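One way to support that review before running create-rules, as an added example that is not part of the original article or its attached macro. Apart from objectUri and containerUri, the field names, the folder URI shape and the group list are assumptions; adjust them to match the file your export actually produces.

```python
import json
import re

# Assumed shape of a folder target: /folders/folders/<uuid>, optionally with /**
FOLDER_URI = re.compile(
    r"^/folders/folders/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(/\*\*)?$")

def review_rules(rules, known_groups):
    """Return (rule_index, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for i, rule in enumerate(rules):
        # Field names other than objectUri/containerUri are assumptions.
        for key in ("principalType", "type", "permissions"):
            if not rule.get(key):
                findings.append((i, f"missing or empty field: {key}"))
        # The macro's folder id parameter is optional, so the id may be blank.
        uri = rule.get("objectUri") or rule.get("containerUri") or ""
        if not FOLDER_URI.match(uri):
            findings.append((i, f"no valid folder id in target URI: {uri!r}"))
        # The macro assumes each 9.4 group exists with the same id in Viya.
        if rule.get("principalType") == "group" and rule.get("principal") not in known_groups:
            findings.append((i, f"group not known in Viya: {rule.get('principal')!r}"))
        # Anything other than a plain grant deserves a manual look before import.
        if rule.get("type") != "grant":
            findings.append((i, f"non-grant rule, review by hand: {rule.get('type')!r}"))
    return findings

# Constructed sample input (not output from the article's macro).
SAMPLE = json.loads("""
[
 {"objectUri": "/folders/folders/eacf2e97-caf5-43d0-9b66-f1e0b5f7de5c/**",
  "principal": "Sales", "principalType": "group",
  "type": "grant", "permissions": ["read"]},
 {"objectUri": "/folders/folders//**",
  "principal": "Sales Content Developers", "principalType": "group",
  "type": "grant", "permissions": ["read", "update"]},
 {"containerUri": "/folders/folders/eacf2e97-caf5-43d0-9b66-f1e0b5f7de5c",
  "principal": "Sales Data Managers", "principalType": "group",
  "type": "prohibit", "permissions": ["delete"]}
]
""")
VIYA_GROUPS = {"Sales", "Sales Data Managers"}  # hypothetical list of Viya group ids

if __name__ == "__main__":
    for idx, msg in review_rules(SAMPLE, VIYA_GROUPS):
        print(f"rule {idx}: {msg}")
```

In the constructed sample, the first rule passes, the second is flagged for a blank folder id and an unknown group, and the third is flagged because it is not a grant.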

 

CAS Authorization

CAS Authorization has a similar bulk load facility. The command below will replace the existing access controls on a caslib with the ones defined in the json file.

 

sas-admin cas tables replace-controls --server cas-shared-default --caslib mycaslib --table tableA --source-file accesscontrol.json

 

This is not quite what we need because we want to add controls to the CASLIB and keep the existing ones. To add controls you use the add-control command.

 

Our macro this time works in the same way to read and translate the authorization settings from 9.4 to Viya. However, instead of generating a JSON file, it generates a series of CAS add-control CLI calls in a script that will apply the permissions.

 

The macro this time accepts as parameters the:

  • SAS Library metadata name
  • Output file for the script
  • Target caslib name
  • A list of identities
  • A matching list of identity types

%export_library_auth(library_name=Financial Data,
output_file=c:\temp\mylibrules.bat,
caslibname=Financial Data,
identity=%nrstr(Finance Content Developers, Finance Data Managers,Finance),
identitytype=%nrstr(IdentityGroup,IdentityGroup,IdentityGroup));

 

The macro is included as an attachment.

 

The output is a script file (Windows or Linux) containing add-control requests for the groups and caslibs included in the macro call. The script can be executed by a CAS administrator to set caslib permissions.

 

gn_auth94toviya_4.jpg

 

The result can be viewed in the data area of SAS Environment Manager.

 

gn_auth94toviya_5.jpg

 

Simple as that! I hope the approach described in this article will be useful to those wishing to move to Viya and translate their 9.4 security model. Here are some useful resources:

I would like to thank my colleague David Stern for his valuable input to this post.
