About these papers: This is a series of five papers which together present a set of recommended practices for security model design in SAS 9.4.
In this part 1 of 2, you can find the overview and the main core principles and practices paper.
In part 2 of 2, you will find papers on core artefacts, and artefacts for deployments which include SAS Data Integration Studio and SAS Visual Analytics.
The central core principles and practices paper describes concepts which are fundamental to good security model design, such as:
The other papers in the series provide a brief overview, and describe artefacts that should be included in a SAS 9.4 implementation which includes SAS Data Integration Studio or SAS Visual Analytics.
About the author: David Stern is a Principal Technical Architect in SAS’s Global Enablement and Learning (GEL) team. He focuses on platform administration, especially security model design, and promotion and migration between SAS deployments.
About the GEL Recommended SAS 9.4 Security Model Design series of papers: This and the other papers in the series are a collection of principles and practical design recommendations which were developed over several years. Considerable portions of content were developed by SAS consultants in Denmark and the wider Nordic region, with contributions from the UK, Australia, the US and Germany. These papers have been widely reviewed and distributed within SAS, and we are delighted to share them with our community of users.
Note added on 26 July 2023: In several places, these papers refer to the GEL Turbo (or to give its full name, the 'SAS Global Enablement and Learning metadata security turbo-charge scripts'). For example in the 'Core Principles and Practices' paper, the Turbo is discussed in section '3.5 Consider using the GEL Turbo'. The URL for the Turbo points to an internal-only SAS URL, and one or two readers outside SAS have asked where they can get the Turbo scripts and assets. We have not released the GEL Turbo to the general public, and have no plans to do so. I should have made that clearer wherever we refer to the Turbo tools, and especially in section '1.4 Intended Audience' of the 'Core Principles and Practices' paper, where I wrote 'Some of the documents and pages referenced within this series of papers are held on SAS internal systems (such as ToolPool), and will not be accessible to readers outside SAS.' The GEL Turbo is one such 'document' but in hindsight I should have called out the GEL Turbo in that paragraph specifically as something not accessible to readers outside SAS, as it is referenced and advocated in several places throughout the rest of the series of papers. If you are working with a SAS consultant (one who works for SAS) on your SAS 9 environment, you could discuss it with them and see what they think.
A highly resourceful series of papers @DavidStern containing a wealth of advice, tips and experience. Thanks for sharing them with the wider SAS community! Thanks also for mentioning where Metacoda software can assist.
Kind Regards,
Michelle
hi David,
great to see you got the papers out in the community!! Wondering if Michelle is sleeping with the blog under the pillow - fast update from downunder 🙂
Going out next week to visit a customer to discuss security model!
Cheers
Jan
You know me too well @HrZiller!
Looking for a way to enforce the recommended rules listed in these papers? Have a look at how Metacoda Security Testing Framework can help at https://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacoda-security-tests/
SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.