
SAS Compute server: logging the process owner and authenticated user

Started ‎02-24-2025 by
Modified ‎02-24-2025 by

In a previous post I talked about logging access to SAS data sets using the Audit.Data.Dataset logger. I concentrated on collecting all the information available on the SAS data set being accessed.

 

In this post you will learn how to get information about the user who accessed the SAS data set. By default, the user that runs the compute server is readily available. But what about a compute server running under a shared identity? In this situation you need both the user running the pod (the shared identity) and the user that logged in to SAS Viya. This post explains how to get this information so that it can be used within a log message.

 

Topics discussed

 

  • Using the Audit.Data.Dataset logger to include the process owner in the log message
  • Change the autoexec of a compute server to create an environment variable for the authenticated user
  • Use of the environment variable in a custom log message

 

This post relies on knowledge you gained from reading Keep track of who accessed SAS data sets in a compute server. We build on the logconfig created in that post.

 

Using the Audit.Data.Dataset logger to include the process owner in the log message

 

If you are using the SAS Viya Monitoring for Kubernetes observability project, the information on the process owner is present in the log entries collected. The following example is using the getlogs.py utility to extract log messages. The log message is formatted as explained in my previous post. The command:

 

python3 getlogs.py -pf -n edu --logsource compsrv --search libref=SUGUS --start 2025-02-03 13:00:00 --fields @timestamp properties.logger level message kube.labels.launcher_sas_com/username --format json

 

creates this output:

 

01_bm-audit-getlogs-1.png


 

As we have specified which fields we want to see (option --fields @timestamp properties.logger level message kube.labels.launcher_sas_com/username), only those fields are returned. The information on the user is taken from a label that is assigned to the pod executing this compute server; the label is provided by SAS Viya Monitoring for Kubernetes. Let's say we want to add the user information to the actual log message, in case we only have the log message available without any additional information. The conversion character %u will give us this information.

 

Using the FilteringAppender we can change the layout of the log message to include the %u.

 

<appender name="ConsoleAudit" class="FilteringAppender">
  <appender-ref ref="Console"/>
  <layout>
    <param name="ConversionPattern" value="username=%u action=%E{Audit.Dataset.Action} libref=%E{Audit.Dataset.Libref} engine=%E{Audit.Dataset.Engine} member=%E{Audit.Dataset.Member} memtype=%E{Audit.Dataset.Memtype} newmember=%E{Audit.Dataset.NewMember} openmode=%E{Audit.Dataset.Openmode} path=%E{Audit.Dataset.Path} status=%E{Audit.Dataset.Status} sysmsg=%E{Audit.Dataset.Sysmsg} sysrc=%E{Audit.Dataset.Sysrc}"/>
  </layout>
  <param name="PropagateLayout" value="true"/>
</appender>

 

Allow the compute service to restart and reset your SAS Studio session. Now run some code that will read a SAS data set.

 

The log message includes the username (it has been shortened for readability purposes):

 

"message": "username=christine action=OPEN libref=SUGUS engine=V9 member=MYCARS_123 ..."

 

Change the autoexec of a compute server to create an environment variable for the authenticated user

 

If we run the same program on a compute server that runs under a shared account the log message looks like this:

 

"message": "username=student action=OPEN libref=SUGUS engine=V9 member=MYCARS_123 ..."

 

As we can see, %u is no longer christine, since %u is the user under which this compute server is running and not the user that we used to log in to SAS Studio. Currently there is no conversion character or function that directly returns the logged-in user in this use case. As there is a way to include values of environment variables in the log message, let's create one that represents the user that logged in.

 

Similar to how we can specify a common logconfig for all compute servers, we can specify an autoexec that will be used by all compute servers.

 

02_bm-compute-config-autoexec.png

 

 

Click on the pencil icon to add the following SAS program. Please run the code first in a SAS Studio session to verify it works. Only a SAS Administrator will be able to make the change.

%macro xset_auth_user;
  %local auth_user viya_url;
  /* Base URL of the SAS Viya services for this deployment */
  %let viya_url=%sysfunc(getoption(servicesbaseurl));
  filename _getuser temp;

  /* Ask the identities service who the current (logged-in) user is */
  proc http method=get
    url="&viya_url/identities/users/@currentUser"
    out=_getuser
    oauth_bearer=sas_services
  ;
  run;

  /* Stop without setting auth_user if the request did not succeed */
  %if %symexist(SYS_PROCHTTP_STATUS_CODE) = 1 %then %do;

    %if &SYS_PROCHTTP_STATUS_CODE ne 200 %then %do;
      %put WARNING: &sysmacroname &=SYS_PROCHTTP_STATUS_CODE &=SYS_PROCHTTP_STATUS_PHRASE;
      %return;
    %end;
  %end;
  %else %do;
    %put ERROR: &sysmacroname an error has occurred, check log for more details;
    %return;
  %end;

  /* Read the JSON response and copy the user id into a local macro variable */
  proc cas;
    set stdjson;
  run;
    whoami = readfile("_getuser");
    whoamiDict = json2casl(whoami);
    symputx("auth_user", whoamiDict.id, "L");
  run;
  quit;
  filename _getuser clear;
  %put NOTE: &sysmacroname &=auth_user;
  /* Create the environment variable auth_user for use in the log layout */
  options set=auth_user "&auth_user";
%mend;

%xset_auth_user

This program uses the identities REST API to get the id of the current user. Please note this API is currently not documented on developer.sas.com. It then uses Proc CAS and functions of CASL to read the JSON returned by the API, convert it to a CASL dictionary and then create a macro variable used later to create the environment variable.

 

After this change all new compute servers will use this code as part of their autoexec processing.

 

Use of the environment variable in a custom log message

 

Next we will change the layout of the custom log message to include the value of the environment variable auth_user. To do this we can use the conversion character %S{OSENV.auth_user}.

 

<appender name="ConsoleAudit" class="FilteringAppender">
  <appender-ref ref="Console"/>
  <layout>
    <param name="ConversionPattern" value="username=%u authuser=%S{OSENV.auth_user} action=%E{Audit.Dataset.Action} libref=%E{Audit.Dataset.Libref} engine=%E{Audit.Dataset.Engine} member=%E{Audit.Dataset.Member} memtype=%E{Audit.Dataset.Memtype} newmember=%E{Audit.Dataset.NewMember} openmode=%E{Audit.Dataset.Openmode} path=%E{Audit.Dataset.Path} status=%E{Audit.Dataset.Status} sysmsg=%E{Audit.Dataset.Sysmsg} sysrc=%E{Audit.Dataset.Sysrc}"/>
  </layout>
  <param name="PropagateLayout" value="true"/>
</appender>

 

The log message now includes the process owner (username) as well as the user that logged in (authuser).

 

"message": "username=student authuser=christine action=OPEN libref=SUGUS engine=V9 member=MYCARS_123 ..."

 

For a default compute server, username= and authuser= will have the same value.
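
An added example, not part of the original post: the Python code below parses audit messages in the layout of the ConversionPattern above and labels each record by whether process owner and logged-in user match, which also surfaces records with an empty authuser (the autoexec macro returns before setting auth_user when the REST call fails). The input shape (a JSON array of records with a message field), the field values not quoted in the post, and the assumption that an unset environment variable renders as an empty value are assumptions of this example.

```python
import json
import re

# Keys of the ConversionPattern shown on this page.
KEYS = ("username authuser action libref engine member memtype newmember "
        "openmode path status sysmsg sysrc").split()
_ALT = "|".join(KEYS)
# A value runs up to the next known "key=" or end of line, so empty values
# and values containing spaces (path, sysmsg) survive intact.
_FIELD = re.compile(r"(?:^|\s)(%s)=(.*?)(?=\s(?:%s)=|$)" % (_ALT, _ALT))


def parse_audit_message(message):
    """Split one audit message into a dict of its key=value fields."""
    return {key: value.strip() for key, value in _FIELD.findall(message)}


def classify(record):
    """Relate process owner (username) to logged-in user (authuser)."""
    f = parse_audit_message(record.get("message", ""))
    owner, auth = f.get("username", ""), f.get("authuser", "")
    if not auth:
        kind = "unattributed"     # assumption: unset auth_user renders empty
    elif auth == owner:
        kind = "own-identity"     # default compute server
    else:
        kind = "shared-identity"  # server runs under a shared account
    return {"kind": kind, "owner": owner, "authuser": auth,
            "action": f.get("action", ""),
            "table": f.get("libref", "") + "." + f.get("member", "")}


def review(json_text):
    """Classify every record in a JSON array of log records."""
    return [classify(rec) for rec in json.loads(json_text)]


# Constructed sample records; values beyond those quoted on the page are made up.
_TAIL = (" action=OPEN libref=SUGUS engine=V9 member=MYCARS_123 memtype=DATA"
         " newmember= openmode=INPUT path=/data/sugus dir status=0 sysmsg= sysrc=0")
SAMPLE = json.dumps([
    {"message": "username=student authuser=christine" + _TAIL},
    {"message": "username=christine authuser=christine" + _TAIL},
    {"message": "username=student authuser=" + _TAIL},
])

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Records labelled unattributed are the ones to follow up on, since for those the shared identity is the only user recorded.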

 

Summary

 

We have seen how we can create an environment variable that contains the userid that logged into SAS Viya, so that it can be used to make up a custom log message. The custom log message was used for a specific logger, Audit.Data.Dataset, but the techniques shown can be used for all the log messages generated by a compute server. Whenever you make changes to the logconfig or autoexec configuration instances of the compute service, it will restart automatically. After the restart is complete new compute servers will use these new definitions.

 

 

Find more articles from SAS Global Enablement and Learning here.

Last update:
‎02-24-2025 04:21 AM