In a recent question on communities.sas.com, someone asked whether it is possible to limit the users or groups a user can see. The API for the identities service, that provides this information is not public. However any user could make use of the sas-viya CLI to list this information. Depending on the setup, phone numbers or addresses etc. might be shown.  This might not be something you want.

In this post we will look at configuration settings that allow an administrator to control what non-administrative users can see when they make use of the sas-viya CLI identities plugin to list users and groups or show details about a user.

Topics we will look into

• Overview of properties
• Example for each configuration property
• Are there any side effects
• How to set the properties using the sas-viya CLI

Overview of properties

The following table, from the documentation,  shows the configuration properties of the Identities service that will change what the non-administrative users can see. These options are available since LTS 2023.10. Note that by default none of the properties are enabled.

You can find these settings in the SAS Environment Manager -> Configuration page

Please note, there is a new checkmark icon beside the pencil icon that indicates whether the default is used or it has been modified (no checkmark icon).

Example for each configuration property

We will look at the effect each property has.

Please note: there is a delay from enabling the property to it being applied, allow for 10-20 seconds before checking the result.

Impact of endpoints.secured.users

When this configuration property is enabled a non-administrative user will only see itself when asking for a list of users.

See here a screenshot with disabled / enabled results. The sas-viya command shown in the screenshots uses the profile eric (-p eric), this means all the commands run as user eric.

When enabled you can no longer show detailed information for another user. Example:

By enabling the endpoints.secured.users property, you prevent non-administrative users from seeing details of other users, or even that other users exist. In the above example we can see that eric can view the user eric (himself), but he can not view the information for another user (christine). This might already be all you need.

Impact of endpoints.secured.groups

When this property is disabled (default) a non-administrative user will see all the groups when using a command like this:

sas-viya -p eric identities list-groups

When this property is enabled only the groups the user is a member of, either directly or through group membership, are displayed:

In the example above the user eric has the following group memberships:

Impact of endpoints.secured.members

So far we have seen the impact of the endpoints.secured.users and endpoints.secured.groups properties. The user can still list all members of a group he belongs to. Example:

When endpoints.secured.members is enabled, the same command will only list the user that makes the request:

Impact of endpoints.secured.memberships

The sas-viya CLI identities plugin has a command list-memberships that allows to either provide a user (--user-id) or a group (--group-id) to list their memberships. When this property is enabled (all others are disabled) a non-administrative user can only see groups:

• of which the current user and the given user (--user-id) are both members
• of which the current user and the given group (--group-id) are both members

Example:

• The first command is run as eric requesting to see memberships of user delilah. Only the group NestedGroup01 is displayed since delilah is a direct member of NestedGroup01 and eric is a member of NestedGroup02 which is a member of NestedGroup01.
• The second command is run as SAS administator so all groups where delilah is a member of are displayed.

In other words, when the endpoints.secured.memberships property is enabled, the current user can only see groups which a named user or group is in, where the current user is also a member of those groups. So if the named user or group is a member of one or more groups that the current user is not a member of, the current user cannot see that the named user or group is a member of those other groups.

Are there any side effects

Will the above settings have any side effects. Yes they will! Below are some examples of functionality impacted.

• Can I still share SAS Content objects like a Visual Analytics report? Yes this is possible.
• Can I still distribute a Visual Analytics report to other users? No!
  Since you no longer can read specific user information for other users, it is not possible to read for instance the email address from another user, so you will get an error as shown below.
  

   

  This is not a complete list of side effects. This is the reason, why these configuration properties are not enabled by default. You have to decide what will work for you and which side effects you can live with, when enabling these configuration properties.

   

   

  How to set the properties using the sas-viya CLI

   

  Configuration properties can be set using the Configuration page in SAS Environment Manager. But often it is desirable to do this using a scipt. See here for the steps necessary to do this.

   

   

  Read the mediatype for what we want to change and store it in an environment variable

   

  MEDIATYPE=$(sas-viya configuration configurations download -d sas.identities | jq -r '.items[]["metadata"]["mediaType"] ')

   

   

  Next create a JSON file with the properties we want to change

   

  tee /tmp/update_identities_settings.json > /dev/null << EOF
  {
  "name": "identities configurations",
  "items": [
  {
  "metadata": {
  "isDefault": false,
  "mediaType": "${MEDIATYPE}"
  },
  "endpoints.secured.users": true,
  "endpoints.secured.groups": true,
  "endpoints.secured.members": true,
  "endpoints.secured.memberships": true
  }
  ]
  }
  EOF

   

   

  Update the configuration instance

   

  sas-viya configuration configurations update --file /tmp/update_identities_settings.json

   

   

  Verify the settings

   

  CFG_ID=$(sas-viya configuration configurations download -d sas.identities | jq -r '.items[]["id"] ')
  
  sas-viya configuration configurations show --id $CFG_ID
  

   

  The output looks like this:

   

  sas-viya configuration configurations show --id $CFG_ID
  id : 0da33450-35e0-4b23-bbe1-3fa78a042ab1
  metadata.isDefault : false
  metadata.mediaType : application/vnd.sas.configuration.config.sas.identities+json;version=5
  metadata.services : [identities]
  cache.cacheRefreshInterval : 12h
  cache.enabled : true
  cache.providerPageLimit : 1000
  defaultProvider : local
  endpoints.secured.groups : true
  endpoints.secured.members : true
  endpoints.secured.memberships : true
  endpoints.secured.users : true
  identifier.disableGids : false
  identifier.disallowedUids : 1001
  identifier.generateGids : false
  identifier.generateUids : false
  identifier.homeDirectoryPrefix : /home

   

   

  Summary

   

  By default any user can get a list of all users and groups. Any user can display the details about another user, or list the members of a specific group. By enabling the named properties the administrator can restrict the access for a non-administrative user to only himself and the groups he is a member of (direct or indirect). Some functionality within SAS applications might be affected.

   

   

  Find more articles from SAS Global Enablement and Learning here.