cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed

SAS 9 Administration Refresher: User Administration

Started 4 hours ago by
Modified 4 hours ago by
Views 36

Before dashboards, data models, data sets, decision trees, or databases, it all starts with onboarding: taking an ordinary person at your company and giving them the superpower to log on to the SAS platform. We do that by defining user accounts for them in metadata.

 

SAS 9 runs on metadata, informing the platform about users who can log in, groups of which they are members, roles to which they belong, resources they can access… the list goes on. The Metadata server keeps records of all these metadata definitions.

 

You can treat a metadata reference as a pointer to something external to the metadata. For identity elements like users? They point to the accounts that these individuals use to log on.

 

 

Metadata Users need External IDs

 

SAS users have two main parts of identity information to them: A uniquely named metadata definition and an external ID used to logon. The external account ID could be any account that is known to the Metadata Server node (this could be from LDAP, from Active Directory, Windows accounts, or host accounts.) The metadata definition that you create will be associated with groups and roles, determining what that individual can do in the SAS system. Together, these two components create a SAS identity for a given user. And it is often a place where new administrators can sometimes have issues when troubleshooting user access.

 

01_EP_Screenshot-2026-05-08-210826.png

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

 

 

You should create these metadata identities for each person who will use the SAS 9 platform. It allows you as the administrator to control and audit their access to data, content, and functionality through security on metadata resources.

 

A few notes:

 

  • An administrator does not need to store the password for these external account IDs, just the ID itself. Authentication will be handled separately by an authentication provider.
  • There are also internal accounts used mainly by SAS Administrators, and they use the @saspw suffix to denote that they are special, and don’t match to external account IDs.

 

User Administration tasks may be performed either through SAS Management Console or SAS Environment Manager’s Administration page; they both modify the same SAS 9 metadata.

 

02_EP_Screenshot-2026-05-08-213310.png

 

 

Automated Identity Management with User Import Macros

 

As an alternative to managing users and groups manually, you can bulk load and manage identity information programmatically. SAS provides sample code and User Import Macros to connect with an identity provider like Active Directory, LDAP, or other formats like the UNIX host or your own data sets. You adapt the sample code to define connection parameters and attributes you want to import.

 

The batch processes read information from your identity provider and builds tables that store user and group information. A similar process does the same for identities stored in SAS Metadata. Next, the data from the two sources is compared. They are matched using a keyid value stored within the “External Identities” tab of SAS Management Console or SAS Environment Manager Administration. The changes are validated and then any additions, updates, or removal operations and performed in the metadata. The batch processes can be retained and modified for periodic synchronization after the initial bulk import.

 

You can specify which user and groups identities to import by specifying a Distinguished name in the identity provider from which to begin the search. Only identities that exist below that Distinguished Name in Active Directory or LDAP tree would be extracted. Additionally, you can filter on specific groups, and also have the ability to manually make changes to the import tables before importing.

 

03_EP_Screenshot-2026-05-09-102436.png

 

 

Additional Resources on the User Import Macros

 

Sample Code for bulk loading and synchronization can be found here: SAS Help Center: User Import Macros

 

A detailed explanation of the sections in importad.sas can be found here: SAS Support - Automating the addition of users and groups to a SAS® Metadata Repository

 

My coworker David Stern wrote about nesting imported groups as protection for your security model here: Shadow Groups for LDAP Synchronisation - SAS Support Communities

 

Thanks for reading!

 

 

Find more articles from SAS Global Enablement and Learning here.

0 Likes
Contributors
Version history
Last update:
4 hours ago
Updated by:
SAS Employee

Viya Copilot Motion Graphic.gif

Ready to see what SAS Viya Copilot can do?

Visit the Tips & Tricks page for setup guidance, demos, and practical examples that show how Copilot supports your workflows.

Get Started →

SAS AI and Machine Learning Courses

The rapid growth of AI technologies is driving an AI skills gap and demand for AI talent. Ready to grow your AI literacy? SAS offers free ways to get started for beginners, business leaders, and analytics professionals of all skill levels. Your future self will thank you.

Get started

Article Labels
Article Tags