
Non Administrator Access to Content Migration in SAS Viya

Started ‎07-08-2021 by
Modified ‎07-08-2021 by
Views 5,357

From SAS Viya's initial release, the ability to import and export content has been restricted to members of the SAS Administrators group. The possibility of opening this functionality to other groups of users has been a much-requested feature. Now, with the release of Stable 2021.1.1, this feature is available. In this blog post, I will explain how it can be used.

 

Why?

Membership of the SAS Administrators group in Viya bestows much power. SAS Administrators have access to all:

  • functionality that is controllable through authorization rules
  • folders and all objects that the folders contain

A common request is to have a lower level of administrator for Content Management (import/export): a set of users who do not have the full power of the Viya Administrators but are allowed to manage content using SAS Environment Manager and perform import and export tasks. Starting with Stable 2021.1.1, content migration functionality is available to all authenticated users, but it can also be locked down to specific users or groups of users.

 

Access to functionality in Viya is governed by rules. For more information on how this works, you can see this blog post. The specific Viya rules that control access to Content Migration (import/export) set the CREATE permission for authenticated users on the endpoints /transfer/importJobs and /transfer/exportJobs.

 

gn_admin_access.png


 

The result of the application of these rules is that all users who can log on to the Viya Environment have access to import and export. While this is good news, in reality, you may want to restrict access to a subset of users.

 

In our Administration Viya Environment, we have three business units (BUs) in the fictional "gelcorp" organization (HR, Sales, and Finance). Authorization settings on the SAS Folders restrict the users in each BU from accessing the other BUs' content.

 

Create Migration Administrators

In this post, we will create a Migration Administrators group and restrict access to migration functionality to members of this group. We will have a member of the Migration Administrators group from each business unit so that one person from each BU can manage the content.

gn_admin_access01.png

 

Update Rules

We now have a new group, Migration Administrators (migrationadministrators). The next step is to update the rules that determine who can access this functionality. To achieve this, we update the rules for /transfer/exportJobs and /transfer/importJobs to change the Principal from authenticatedUsers to Migration Administrators (migrationadministrators).

 

This will restrict access to import/export functionality to SAS Administrators and members of the group. You can do this in SAS Environment Manager: in the Rules view, locate the /transfer/importJobs Create rule, edit the rule, and replace the Principal authenticatedUsers with migrationadministrators. Your updated rule should look like this:

 

gn_admin_access02.png

 

Repeat the process for the /transfer/exportJobs Create rule. The impact of the changes is that now only members of the Migration Administrators group can access import/export functionality in SAS Environment Manager or using the sas-viya transfer CLI.
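A quick way to confirm that both rules were changed, and not just the import one, is to audit an export of the rules. The following is an added example, not code from the original post or from SAS: the field names (objectUri, principalType, principal, permissions, type, enabled) and the sample rule list are assumptions about a JSON export of the rules, and the check treats the object URI as case-sensitive.

```python
# Added example: audit authorization rules for the two transfer endpoints.
# Field names are assumed to match a JSON export of the rules; the sample
# rule list below is constructed for illustration.

ENDPOINTS = ("/transfer/importJobs", "/transfer/exportJobs")
BROAD = {"authenticatedUsers", "everyone", "guest"}  # principal types that are not a named group


def audit_transfer_rules(rules, group="migrationadministrators"):
    """Return a sorted list of findings; an empty list means locked down."""
    findings = []
    for endpoint in ENDPOINTS:
        group_granted = False
        for rule in rules:
            uri = rule.get("objectUri", "")
            if uri.lower() != endpoint.lower():
                continue
            if uri != endpoint:
                # Assumption: URI matching is case-sensitive, so flag typos.
                findings.append(f"{uri}: case differs from {endpoint}")
                continue
            if not rule.get("enabled", True) or rule.get("type") != "grant":
                continue
            perms = {p.lower() for p in rule.get("permissions", [])}
            if "create" not in perms:
                continue
            ptype = rule.get("principalType")
            if ptype in BROAD:
                findings.append(f"{endpoint}: create still granted to {ptype}")
            elif ptype == "group" and rule.get("principal") == group:
                group_granted = True
        if not group_granted:
            findings.append(f"{endpoint}: no create grant for group {group}")
    return sorted(findings)


# Constructed sample: import rule updated, export rule left at the default.
SAMPLE_RULES = [
    {"objectUri": "/transfer/importJobs", "type": "grant", "enabled": True,
     "principalType": "group", "principal": "migrationadministrators",
     "permissions": ["create"]},
    {"objectUri": "/transfer/exportJobs", "type": "grant", "enabled": True,
     "principalType": "authenticatedUsers", "permissions": ["create"]},
]

if __name__ == "__main__":
    for line in audit_transfer_rules(SAMPLE_RULES):
        print(line)
```
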

Test

A simple test is to log on to SAS Environment Manager as a user who is not a member of the group. The user will not be able to see the import interface or the import/export buttons. We can also test using the CLI. For example, authenticate as the non-administrator Hugh and try to import a package. Notice that you get a very clear message that the user is not authorized to perform this task.

 

gn_admin_access03.png

 

If we authenticate as Henrik, we see that, as a member of the Migration Administrators group, we can perform the import.

 

gn_admin_access04.png

 

As we noted at the start, Administrators in Viya have broad access to the system. When importing as an administrator, existing permissions on content can be largely ignored. Now, however, non-administrators who import content will have to be aware of the permissions on Viya folders and existing content. In general, the importing user will need the same permissions as if they were going to create the content using the Viya user interface.

 

To summarize, the user performing Content Migration must have the correct permissions to existing folders and content.

  • Exporting: must have Read access to the objects that are exported
  • Importing: must have Write access so that objects can be created, updated, or replaced:
    • Add permission for the target folder
    • Update permission on content that is replaced
    • Caslib management privileges if creating new global Caslibs

 

Let's look at the impact of existing permissions. In this case, we have a package that contains content within the HR area of the folder structure. Only HR users have access to these folders.

 

gn_admin_access05.png

 

Let's see what happens if we try to import it as Fiona, a Finance Migration Administrator.

 

gn_admin_access06.png

 

As we would expect, with the permissions enforced, the import process failed because Fiona does not have the correct permissions to create content in the /gelcontent/GELCorp/HR folder path. It is great to see this much-requested feature available to Viya 4 Administrators. Some good news for Viya 3.5 users is that there is a plan to back-port this feature to Viya 3.5 later this year.

 

Find more articles from SAS Global Enablement and Learning here.

Version history
Last update:
‎07-08-2021 12:52 PM