We’re smarter together. Learn from this collection of community knowledge and add your expertise.

Q & A from "SAS 9.4 Metadata Server Environment” Virtual Event

by SAS Super FREQ on ‎12-14-2016 10:27 AM - edited 4 weeks ago by Community Manager (2,019 Views)

Thank you to all who attend our recent webinar. Paul Homes and I were able to answer some questions during the event, but we weren’t able to cover all of them. So, I have provided the Q&A here for all who attended and the slides are attached to this article.

 

Question: What does it mean “SAS Management Console is a single point of control”? How do we administer Hadoop and Grid?

Answer: Instead of using separate administration tools for each application and for each machine where SAS is installed, SAS Management Console is a single tool to perform the administration tasks required to create and maintain your SAS environment across multiple platforms.

 

Hadoop and HP Risk are administered in SAS Management Console as well, as they are using data that has been registered in Metadata. Hadoop is no different than any other database when it comes to library creation in metadata.

 

For further information, please see

Overview of SAS Management Console

Administering SAS Management Console

 

Other administration tools available to you are:

SAS Environment Manager
Aside from offering great monitoring features, this tool also provides you with some of the same tasks SAS Management Console offers you.

SAS Deployment Manager
With the SAS Deployment Manager, you can change passwords, renew license files, install hot fixes, rebuild and redeploy, and more

SAS Web Administration Console
Central location for activities such as monitoring user log-in, viewing audit reports, managing web-layer authorization, and more.

 

For details about these admin tools, please see Overview of the Administration Tools

 

­Q: Is there a way to access the postgres database used by the SAS environment manager using SQL?

A: The SAS Environment Manager’s SQL database sole purpose is to store datamarts. All information gathered by the Environment Manager’s agents, running on each of your machines, are being stored in these datamarts.


You cannot access this SQL data base. You have to have SAS/Access to SQL licensed in order to access SQL. Excerpt from the documentation about how the database is used in SAS Environment Manager:

 

(…)
The database is a repository for all of the information that is known about all of the resources known to SAS Environment Manager. It uses PostgreSQL, and uses the SAS Web Infrastructure Platform Data Server when that server is configured to use PostgreSQL. After resources are discovered and added to your inventory, the database stores data collected from the agents about the resources.
(…)

 

Resource:
SAS® Environment Manager 2.5, User’s Guide
Page 6, Chapter 1 / Introduction to SAS Environment Manager

 

Q: Can we schedule a daily refresh of the identity sync?

A: You can schedule any program using a scheduler, either within SAS or scheduled via OS scheduler.
It is important that you decide whether identities to be deleted/updated, should actually be deleted, or tagged for deletion.  It is important to be very precise when using synchronization, as – worst case – your metadata identities could be overwritten.

 

For Metacoda, the plug-ins have a batch interface where various features such as identity sync, HTML export, security test export and security testing can be run in batch using a scheduler of your choice.

 

Important
Whenever you make any changes, or whenever you run or schedule code that makes changes to your environment, to your metadata, you ought to run a backup every time. Backups can be scheduled as well, and it could be timed to run right before a synchronization.

 

It is of the utmost important to run daily backups, and even more so, when making any changes to your environment. Please see About Backups and Restores for details.

 

The following SAS Note provides you with example code for automation:
Usage Note 40628: Automating the addition of users and groups to a SAS® Metadata Repository

 

 

Q: How can I unlock an internal account?

A: The following link provides you with step-by-step instructions for unlocking internal accounts: 
Unlock an Internal Account

 

­Q: What is the difference between Name and Display Name input box?

­A: The Name has to be unique across all users. Usually the value for name is the same as the OS, LDAP/AD user name. So a user id Jane Doe would have the Name Jane Do in Metadata. This makes it very easy to identify your users.

 

As a Best Practice, avoid spaces or special characters.

 

The Display Name can simply be an alternate name. If you do not enter a Display Name, SAS uses the Name as the Display Name.

 

­Q: How can we export and import users/groups across upgraded versions of SAS?

A: Depending on the version of SAS you are running, you can either use the example code provided in the Sample 42251: Partial Promotion of User and Group Metadata, or, for version SAS 9.3 and higher, you can use the Promotion Tools in SAS Management Console.

 

Q: How can users change their password­s?

A: You can change passwords in SAS Enterprise Guide or SAS Management Console.

 

For SAS Enterprise Guide:
In EG, go to TOOLS, ENTERPRISE GUIDE EXPLORER, FILE, Manage Login

 

As a best practice: do not store passwords in metadata.

 

Permissions required for User & Group management in SAS Management Console:
http://support.sas.com/documentation/cdl/en/mcsecug/64770/HTML/default/viewer.htm#n1onkjqqkpz6fin1k0...

 

­Q: For the ID Sync plugin, is it necessary to have domain admin credentials?  What if I can see the users/groups in AD Users and Computers, but cannot edit them?  Read-only, e.g.?

A: No, you don't have to be a domain admin, and it is recommended that you don't run the process using domain admin credentials. Access to AD is done read-only. Often, any normal AD user can extract the required information from AD (no passwords hashes are extracted). We use standard AD users in our demos and testing. We would recommend you talk to your domain admins about getting a specific normal-privileged service account setup for the AD query process.

 

Q: ­Is the Metacoda app available on Windows only or Linux as well? How does it differ from the bulk user load and ADSync scripts gone over in 9.4 admin and security guides­?

­A: SAS Management Console and the Metacoda Plug-ins run on both Windows and Linux.­ The Identity Sync plug-in also includes support for large installations (>1000 users, groups with >1500 members) and multiple AD domains and several other value-add features.­

 

Q: ­Is Metacoda plugin a default plugin in SMC 9.4

A: No, SAS Management Console per default comes without the Metacoda plug-ins. The Metacoda plug-ins are a separate product that would have to be licensed. The licensed plug-ins then plugin easily into SAS Management Console­‑


Q: Is it possible to sync with AD so that it can update our metadata and alert us as to who is terminated or no longer active in AD?­

A: Yes, Metacoda Identity Sync provides audit reports that detail all of the changes made to metadata including users that have been deleted from SAS because they have been removed from AD. There is also an option to control what you want to do with accounts that have been disabled in AD: delete, tag-delete or retain.


For a specific email about just those accounts that have been removed there is support for code hooks. Metacoda Identity Sync does the primary work of extracting the necessary info out of AD into SAS tables, and small code hooks can be used for any additional processing you want to do, such as email a custom report of just the deleted users.


Additionally, you can also email a report of the deleted users if you write your own custom code using the SAS provided sample code.

Q: ­Is the Metacoda plug-ins licensed separately? How do you configure the Metacoda to an existing installation?­

A: Metacoda plug-ins are separately obtained and licensed from Metacoda (www.metacoda.com). It is a very simple installation into an existing SAS Management Console deployment (either on a client or a server). You don't have to install it on the server unless you want to.

 

Q: Does using Metacoda overwrite already existing groups in metadata?

A: Yes, it will update existing groups in metadata but only if those groups have been previously synchronized and so have had their AD key registered in metadata (this is external identity metadata).
Any groups in SAS that were manually added, and do not have external identity metadata for their corresponding AD groups, will not be overwritten. You will not be able to apply changes if there are any such group clashes until you decide to either exclude/ignore those groups (so they are not modified in SAS) or update them in SAS metadata, adding the required external identity key for the AD group, so any changes to those AD groups can be applied to SAS metadata.

Q: How do we get Metacoda?

A: Contact Metacoda via their web site at https://www.metacoda.com/en/contact-us/ or any of their social media accounts listed at https://www.metacoda.com/en/social/ or register for an account at https://www.metacoda.com/en/evaluation/.


They can provide you with a free evaluation license so you can try their commercial plug-ins for 30 days in your own SAS environment. They also have a few free plug-ins as described in this blog post at https://www.metacoda.com/en/2015/07/free-sas-metadata-tools/

Q: So metacoda is an add-on to assist with administering your sas meta with external security provider.  It is licensed through our SAS licensing or is this a product that needs purchased separately?

A: Metacoda Plug-ins are normally purchased separately from Metacoda, or through one of their partners (see https://www.metacoda.com/en/about-us/partners/ for more info on partners).
 They are not generally available via SAS Institute through your SAS licensing, however if you are enrolled in SAS Institute Australia's remote administration service you may have access to Metacoda Plug-ins as part of that service (see http://www.sas.com/en_au/news/media-coverage/2013/february/sas-australia-use-metacoda.html for more info). If you would prefer to obtain Metacoda Plug-ins from your local SAS office please contact them to find out if they can offer this to you.

For further details see the answer to "How do we get Metacoda?" above.

Q: Is Metacoda similar to SiteMinder?

A: Not as far as I am aware but they can be used in a complementary fashion.

CA SiteMinder can be used as part of a single-sign-on (SSO) configuration for the SAS platform,  and Metacoda Identity Sync can be used to help populate SAS metadata with SAS identities synchronized with Active Directory to support those SiteMinder based SSO logins.

Contributors
Your turn
Sign In!

Want to write an article? Sign in with your profile.


Looking for the Ask the Expert series? Find it in its new home: communities.sas.com/askexpert.