Q&A from SAS Security Design Best Practices, Validation and Monitoring SUGA Meeting

by Community Manager ‎09-15-2017 11:02 AM

Q: Can you use AD NT security groups?
A: Yes, you can use AD security groups as long as they are synchronized into SAS metadata. There is SAS sample code available that uses the %MDU macros, which you can customize to do this. Alternatively, you can use the point-and-click Metacoda Identity Sync Plug-in. A SUGA webinar on SAS Metadata Identities was presented last year and the recording, Q&A and slides can be seen at https://communities.sas.com/t5/SAS-Communities-Library/Q-amp-A-from-quot-SAS-9-4-Metadata-Server-Env...

Q: Deny Broadly and Grant ... and the last best practice rule - don't they contradict each other?
A: Rule #5 Deny Broadly and Grant Specifically and Rule #7 Apply Permissions at the Highest Object Level Possible work very well together. Be aware that these two rules apply to two different hierarchies. One is the identity hierarchy for group memberships and the other is object inheritance hierarchies such as folder paths. If you grant broadly (instead of denying broadly) you may end up finding people have more access than they should, as shown in the demonstration.
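
An added illustration of this answer (not SAS or Metacoda code, and not the demonstration from the meeting): a simplified Python model of the two hierarchies, run against a deny-broadly and a grant-broadly setup. The folder paths, users and groups are constructed, and the resolution rules (the nearest identity wins, a tie at the same level denies, an object with no relevant setting inherits from its parent) are simplifying assumptions; the SAS Security Administration Guide has the actual decision rules.

```python
# Simplified model of identity and object-inheritance hierarchies.
# Assumption: this is NOT the SAS authorization engine, only an illustration.

PARENT = {"/Finance/Payroll": "/Finance", "/Finance": "/"}   # constructed folder tree
MEMBER_OF = {"alice": ["Payroll Analysts"],                   # constructed identities
             "bob": ["Contractors"],
             "carol": []}                                      # new hire, no groups yet

# Deny broadly at the highest folder, grant specifically where access is needed.
DENY_BROADLY = {"/": {"PUBLIC": "deny"},
                "/Finance/Payroll": {"Payroll Analysts": "grant"}}
# Grant broadly at the highest folder, then carve out exceptions lower down.
GRANT_BROADLY = {"/": {"SASUSERS": "grant"},
                 "/Finance/Payroll": {"Contractors": "deny"}}

def identity_levels(user, member_of):
    """Identities applying to user, nearest first, ending with the implicit groups."""
    levels, seen, frontier = [], {user}, [user]
    while frontier:
        levels.append(frontier)
        nxt = []
        for ident in frontier:
            for group in member_of.get(ident, []):
                if group not in seen:
                    seen.add(group)
                    nxt.append(group)
        frontier = nxt
    return levels + [["SASUSERS"], ["PUBLIC"]]

def can_read(user, folder, member_of, acl, parent):
    """Walk up the folder path; on each folder the nearest identity level decides."""
    levels = identity_levels(user, member_of)
    while folder is not None:
        settings = acl.get(folder, {})
        for level in levels:
            found = {settings[i] for i in level if i in settings}
            if found:
                return found == {"grant"}   # a deny at the same level wins the tie
        folder = parent.get(folder)          # nothing relevant here: inherit
    return False                             # nothing set anywhere: no access

def who_can_read(acl, folder="/Finance/Payroll"):
    users = ("alice", "bob", "carol")
    return sorted(u for u in users if can_read(u, folder, MEMBER_OF, acl, PARENT))

if __name__ == "__main__":
    print("deny broadly :", who_can_read(DENY_BROADLY))
    print("grant broadly:", who_can_read(GRANT_BROADLY))
```

In the grant-broadly setup the new hire `carol` can read the payroll folder simply because nobody has added a deny for her yet, which is the "more access than they should" outcome the answer describes.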

Q: It seems SAS is headed in the direction of moving SAS Admin tasks to a web application. How does Metacoda fit into that plan? Is Metacoda planning to move its tool to the web app SAS Admin tool set?
A: Most Metacoda customers still predominantly use SAS Management Console. As SAS Environment Manager encompasses more of the SAS Management Console functionality those customers may move over to it. When they need a web version of Metacoda Plug-ins we will provide one. We're not aware of a public API for plugging into SAS Environment Manager that is as rich as the one for SAS Management Console, so at this stage it will need to be a stand-alone web application.

Q: We are a healthcare IT company and deal with sensitive data, so it is important to our internal security policies that we be able to actively report on who accesses that data. We recently acquired SAS Visual Analytics and have been struggling a bit to set.
A: Have a look at the documentation available for SAS Environment Manager Service Architecture framework. It has details on how to enable the ETL processing to populate data marts with this information and provide a feed into SAS Visual Analytics. You can read more about it at http://support.sas.com/documentation/cdl/en/evug/69029/HTML/default/viewer.htm#n11z5dl1car9w4n17i8b4... You may also be interested in this Auditing in SAS Visual Analytics SAS Global Forum 2017 paper by Elena Muriel from Amadeus http://support.sas.com/resources/papers/proceedings17/1076-2017.pdf

Q: Is Metacoda a separate component to buy because I don't see Metacoda in our management console?
A: Metacoda, a SAS Silver Alliance partner, provides third-party plug-ins to the SAS Management Console. There are both free and commercial plug-ins available. For more information about Metacoda, please visit the website at https://www.metacoda.com/

Q: If there is a conflict between deny and allow, then what will take precedence?

A: It depends. Are they at the same level in the identity hierarchy? Are they on the same object? Are they the same type of access control, i.e. ACE+ACE, ACT+ACT, ACE+ACT? To find out, review the Authorization Decision rules in the SAS Security Administration Guide http://support.sas.com/documentation/cdl/en/bisecag/69827/HTML/default/viewer.htm#p0gtni3mrspnd9n1is... Personally, we find the flowchart in the SAS 9.2 Security Administration Guide really useful for this http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/viewer.htm#a002977119.htm

Q: Do the batch processes also create log files in case a batch job fails?

A: The Metacoda batch process creates log files, the results report, and can also send an email alert (for failure and/or success).

Q: What does SAS VA encryption protocol entail?
A: Have a look at the Encryption in SAS® 9.4 document: http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#titlepage.htm, as well as the Encryption model used in the SAS platform in the SAS Security Administration Guide http://support.sas.com/documentation/cdl/en/bisecag/69827/HTML/default/viewer.htm#p049657zy4z7own1fm... The SAS Visual Analytics Administration Guide may also help http://support.sas.com/documentation/cdl/en/vaag/69958/HTML/default/viewer.htm#titlepage.htm

Q: Do you have any links for helpdesk installs? and application troubleshooting?
A: There is a great SAS Administration landing page to assist in these areas at https://support.sas.com/en/sas-administrators.html

Q: How much are the Metacoda utilities?

A: There are free Metacoda utilities available at https://www.metacoda.com/en/products/utility-plug-ins/ and for the Metacoda commercial software, have a look at the licensing options at https://www.metacoda.com/en/products/licensing/ and contact Metacoda to discuss further as there are several ways to license the software.

Q: Does SAS Technical Support support this 3rd party Metacoda Plug-in?
A: Metacoda provides direct support to customers who use Metacoda Plug-ins. SAS Technical Support in South East Asia license Metacoda software to help them support their customers and they sometimes recommend customers license it directly where appropriate. There is a press release about this at http://www.sas.com/offices/asiapacific/sp/news/releases/SAS_Australia_use_Metacoda.html Other SAS support teams around the world also let SAS customers know about Metacoda software if they think it will help them with their security-related needs.

