BookmarkSubscribeRSS Feed

SAS Administrators only, or how to put SAS Viya into offline mode for others

Started ‎07-01-2024 by
Modified ‎07-01-2024 by
Views 1,388

During a recent class on SAS Viya Platform Administration, I was asked, if there was a way to put SAS Viya into "admin mode". Meaning only the SAS Administrators should have access, all other users would not be able to use the SAS Viya environment. I guess the question originated from the fact, that this is possible in SAS9.4 with pausing a metadata server for Administration.

 

So lets look at a way of doing this in SAS Viya.

 

How to approach this

 

The general authorization system controls all access to applications, services and SAS Content (folders, reports etc.). It uses a set of rules that determine the individual access for a user. So we start here.

 

The general authorization system is based on these principles:

  • implicitly disallow any access that is not granted
  • a Prohibit always wins

A rule has these basic elements:

 

Element Description
Target Can be a service, application, individual object etc. The target is represented as an URI (Uniform Resource Identifier).
Principal The user, group or custom group to which the rule is assigned.
Permission Specifies the type of access, such as read, create, update, delete, add, remove, and secure.
Setting Determines whether access is provided (grant) or not allowed (prohibit). The setting can be conditional, using a constraint expression.

 

So we need to find a rule that affects everything, all applications, services etc. Looking at the documentation we will find this:

 

Rule's Target URI Rule's Relevance
/** Relevant to all requests.

 

The rule to control all access

 

You might try to create a new rule with the following elements:

 

Element Content
Target /**
Principal Authenticated Users
Permission Read
Setting Prohibit

 

But wait, SAS Administrators are Authenticated Users too, so this rule would also block access for SAS Administrators. So nobody would be able to use the system. Never do this. Please read on to find a better way to control access, with conditional prohibit.

 

Using a conditional prohibit, we can set the setting based on a condition. We only want to apply the Prohibit if the requesting user is not a member of the of the SAS Administrators group. So our new rule would have the following elements:

 

Element Content
Target /**
Principal Authenticated Users
Permission Read
Setting Conditional Prohibit
Condition

!(groupsForCurrentUser().contains('SASAdministrators') ||

groupsForCurrentUser().contains('sasapp'))

 

Conditions are written using the Spring Expression Language (SpEL). Special functions are available like the groupsForCurrentUser(). You will find more functions in the documentation. Let's look at the condition in detail:

 

Element Description
! Stands for NOT
( Start of a group
groupsForCurrentUser().contains('SASAdministrators') check if current user is member of the SASAdministrators group
|| Stands for OR
groupsForCurrentUser().contains('sasapp') check if current user is member of the sasapp group. This is needed for internal users.
) End of a group

 

When using conditions in a rule this will happen:

  • A rule that has a condition that evaluates to true for a particular access request is applied in the authorization decision process for that access request.
  • A rule that has a condition that evaluates to false for a particular access request is ignored in the authorization decision process for that access request.

 

So any user that is not a member of the SAS Administrators or the sasapp group, the rule will apply.

 

Create the actual rule

 

The rule can be created using the Rules page in the SAS Environment Manager or the sas-viya command line interface. We are going to use the sas-viya authorization create-rules command together with a file. This has the following advantages:

 

  • we can specify a rule-id for easier handling afterwards
  • we can specify the state of the rule to be disabled, so it does not have an immediate effect

The file content looks like this, note the id and enabled keys and values:

[ 
  {
    "op": "add",
    "value": {
      "objectUri": "/**",
      "principalType": "authenticatedUsers",
      "type": "prohibit",
      "condition": "!(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))",
      "permissions": [
        "read"
      ],
      "description": "disallow access except for SASAdministrators, sasapp groups",
      "id": "offline-mode-sasadministrators-only",
      "reason": "SAS Viya only available to SAS Administrators",
      "enabled": false
    }
  }
]

 

This JSON format is documented under Patch authorization rules. Please note the id uses 3 hyphens in the name, this is important as otherwise the rule will not be found.

 

To create this rule we use this command: sas-viya authorization create-rules --file offline-mode.json The result of the command will tell us, that 1 rule has been created.

 

To check the rule just created, we use this command: sas-viya --output fulljson authorization show-rule --id offline-mode-sasadministrators-only. Note the --output fulljson to get back the complete JSON structure.

 

Enable the rule

 

Since we created the rule as disabled, it will not have any immediate effect. To enable it we use the following command:

sas-viya authorization enable-rule --id offline-mode-sasadministrators-only

 

The response looks like this:

01_bm-enable-offline-mode.png

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

 

Now every user that is not part of the groups SAS Administrators or sasapp will no longer have any access to any of the applications, services etc. If a user wants to access a SAS Application the following message is displayed in the browser:

02_bm-site-can-not-be-reached-1.png

 

Likewise, if you want to access any of the SAS Viya API's you will receive this response:

 

{
  "version": 2,
  "httpStatusCode": 403,
  "message": "Forbidden",
  "details": [
    "Unauthorized",
    "path: /folders/folders/@myFolder",
    "correlator: adcd63b3-55b4-4caa-b65d-c2e57cec9b9f"
  ]
}

 

The HTTP status code 403 stands for Forbidden.

 

A user can still authenticate to SAS Viya but then no further access is possible

 

 

Disable the rule

 

To disable the rule use the following command:

 

sas-viya --yes-to-all authorization disable-rule --id offline-mode-sasadministrators-only

 

All users can now work as before.

 

Summary

 

We have seen that by using a specific rule with a condition in the general authorization system we can block non administrator users from working with SAS Viya. This rule can easily be enabled or disabled as needed. Always be very careful when using Prohibit together with the Authenticated User principal as this will include any SAS administrator as well.

 

 

Find more articles from SAS Global Enablement and Learning here.

Comments

@BrunoMueller thank you very much for this post, we have been looking for this option as there are always users who start to use the SAS Viya platform before it is ready after the update. Is there also a way to adjust the message displayed to users to a customized one when putting Viya into offline mode? regards Karolina T

@touwen_k  glad this helps you. I am not aware of a way to display a different message. As you can see in the example, there is a field called "reason" but it is not surfaced to the user.

@BrunoMueller Thank you for this useful post which can serve as a perfect introduction to CLI rules handling on Viya ! Using the viya-cli authorization plugin (version 1.22.5) I was unable to get the rule _current_ enablement status : enabled = True/False. Oddly enough, the corresponding information cas be surfaced using the Rest API get/Rule operation whic provides the *enabled* field :

https://developer.sas.com/rest-apis/authorization-v8/getRule

Extracting the last activation/deactivation upon this rule from the audit records is feasible but tedious.

@ronan It is important to add the option --output fulljson to the command to see the enabled information. If this does not help, I recommend to update the sas-viya command and all the plugins to the latest version. To update the plugins you can use 
sas-viya plugins install --repo SAS all

@BrunoMueller Thank you for this correction ! I usually configure 'text' as default output mode and forces 'json' value specifically when needed. Now thanks to your tip, I'll use 'fulljson' as well :-). With 'fulljson' output, the activation status becomes indeed retrievable using the enabled (true/false) property. 🙂

Version history
Last update:
‎07-01-2024 05:06 AM
Updated by:
Contributors

SAS Innovate 2025: Register Now

Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags