During a recent class on SAS Viya Platform Administration, I was asked, if there was a way to put SAS Viya into "admin mode". Meaning only the SAS Administrators should have access, all other users would not be able to use the SAS Viya environment. I guess the question originated from the fact, that this is possible in SAS9.4 with pausing a metadata server for Administration.

So lets look at a way of doing this in SAS Viya.

How to approach this

The general authorization system controls all access to applications, services and SAS Content (folders, reports etc.). It uses a set of rules that determine the individual access for a user. So we start here.

The general authorization system is based on these principles:

• implicitly disallow any access that is not granted
• a Prohibit always wins

A rule has these basic elements:

So we need to find a rule that affects everything, all applications, services etc. Looking at the documentation we will find this:

The rule to control all access

You might try to create a new rule with the following elements:

But wait, SAS Administrators are Authenticated Users too, so this rule would also block access for SAS Administrators. So nobody would be able to use the system. Never do this. Please read on to find a better way to control access, with conditional prohibit.

Using a conditional prohibit, we can set the setting based on a condition. We only want to apply the Prohibit if the requesting user is not a member of the of the SAS Administrators group. So our new rule would have the following elements:

Conditions are written using the Spring Expression Language (SpEL). Special functions are available like the groupsForCurrentUser(). You will find more functions in the documentation. Let's look at the condition in detail:

When using conditions in a rule this will happen:

• A rule that has a condition that evaluates to true for a particular access request is applied in the authorization decision process for that access request.
• A rule that has a condition that evaluates to false for a particular access request is ignored in the authorization decision process for that access request.

So any user that is not a member of the SAS Administrators or the sasapp group, the rule will apply.

Create the actual rule

The rule can be created using the Rules page in the SAS Environment Manager or the sas-viya command line interface. We are going to use the sas-viya authorization create-rules command together with a file. This has the following advantages:

• we can specify a rule-id for easier handling afterwards
• we can specify the state of the rule to be disabled, so it does not have an immediate effect

The file content looks like this, note the id and enabled keys and values:

[ 
   { 
     "op": "add", 
     "value": { 
       "objectUri": "/**", 
       "principalType": "authenticatedUsers", 
       "type": "prohibit", 
       "condition": "!(groupsForCurrentUser().contains('SASAdministrators') || groupsForCurrentUser().contains('sasapp'))", 
       "permissions": [ 
         "read" 
       ], 
       "description": "disallow access except for SASAdministrators, sasapp groups", 
       "id": "offline-mode-sasadministrators-only", 
       "reason": "SAS Viya only available to SAS Administrators", 
       "enabled": false 
     } 
  } 
 ]

This JSON format is documented under Patch authorization rules. Please note the id uses 3 hyphens in the name, this is important as otherwise the rule will not be found.

To create this rule we use this command: sas-viya authorization create-rules --file offline-mode.json The result of the command will tell us, that 1 rule has been created.

To check the rule just created, we use this command: sas-viya --output fulljson authorization show-rule --id offline-mode-sasadministrators-only. Note the --output fulljson to get back the complete JSON structure.

Enable the rule

Since we created the rule as disabled, it will not have any immediate effect. To enable it we use the following command:

sas-viya authorization enable-rule --id offline-mode-sasadministrators-only

The response looks like this:

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

Now every user that is not part of the groups SAS Administrators or sasapp will no longer have any access to any of the applications, services etc. If a user wants to access a SAS Application the following message is displayed in the browser:

Likewise, if you want to access any of the SAS Viya API's you will receive this response:

{
  "version": 2,
  "httpStatusCode": 403,
  "message": "Forbidden",
  "details": [
    "Unauthorized",
    "path: /folders/folders/@myFolder",
    "correlator: adcd63b3-55b4-4caa-b65d-c2e57cec9b9f"
  ]
}

The HTTP status code 403 stands for Forbidden.

A user can still authenticate to SAS Viya but then no further access is possible

Disable the rule

To disable the rule use the following command:

sas-viya --yes-to-all authorization disable-rule --id offline-mode-sasadministrators-only

All users can now work as before.

Summary

We have seen that by using a specific rule with a condition in the general authorization system we can block non administrator users from working with SAS Viya. This rule can easily be enabled or disabled as needed. Always be very careful when using Prohibit together with the Authenticated User principal as this will include any SAS administrator as well.

Find more articles from SAS Global Enablement and Learning here.