
SAS Viya CLI with Group-Managed Service Accounts

Started ‎07-25-2024 by
Modified ‎07-25-2024 by

The concept of group-managed service accounts was introduced with the release of SAS Viya 2023.07 and the changes to Run As authentication. We discussed the new model in a previous post. With the release of SAS Viya 2024.05 the credentials for the group-managed service accounts can now be managed with the SAS Viya CLI.

 

Performing Actions in SAS Environment Manager

 

Prior to the SAS Viya 2024.05 release you needed to use SAS Environment Manager to store the credentials for the group-managed service account. This is detailed in the SAS documentation.

 

As a reminder there are steps that must be completed as a member of the SAS Administrators group, and other steps that must be completed as the group-managed service account itself. These steps are summarized in the picture below.  

 

[Image: 01_SR_SAS-Viya-4_-Authentication-Views-Scheduling-Jobs.png]


 

A member of the SAS Administrators group needs to set up the following:

 

  1. Add the group-managed service account, which must exist in the external Identity Provider, to the automatically created Service Account Users for Schedule custom group.
  2. Create a new custom group and add to it the end users who share the responsibility for executing, scheduling, and monitoring jobs and job flows.

 

A user with access to the credentials for the group-managed service account needs to do the following to prepare the group-managed service account for use:

 

  1. Create a new Token Authentication Domain. This Token Authentication Domain will be used to store the credentials for the group-managed service account. It needs to be created by the group-managed service account to ensure that the account can update the credential in the future. From SAS Viya 2023.08 and later, either the SAS Viya CLI or SAS Environment Manager can be used to create the Token Authentication Domain.
  2. Store a credential for the group-managed service account in the new Token Authentication Domain and allow access to this credential by the custom group containing the users who will schedule jobs and flows as the group-managed service account. To work with the Jobs and Flows feature, the Restrict applications check box must be selected when adding the credential. Until the SAS Viya 2024.05 release, this task had to be completed in SAS Environment Manager as the group-managed service account.

 

This last step, completed as the group-managed service account, is essentially authorizing the members of the custom group to run jobs and flows as the group-managed service account.

 

Performing Actions in SAS Viya CLI

 

With the release of SAS Viya 2024.05, all these steps can now be completed using the SAS Viya CLI. This is covered in the SAS documentation.

 

A member of the SAS Administrators role can add the group-managed service account to the automatically created Service Account Users for Schedule custom group, with a command like the following:

 

/opt/sas/viya/home/bin/sas-viya identities add-member --group-id ScheduleServiceAccountUsers --user-member-id GMSA1

 

Where GMSA1 is the userID of the group-managed service account.

 

The users who will schedule jobs and job flows as the group-managed service account need to be given access to the stored credential for the group-managed service account. This is best done by giving a custom group access to the credential. As such, a member of SAS Administrators will need to create custom groups and place users into these custom groups. This can be performed with commands like the following:

 

/opt/sas/viya/home/bin/sas-viya identities create-group --id SchedulingUsers_HR --name "Scheduling Users HR" --description "Group for Scheduling Users in HR"
/opt/sas/viya/home/bin/sas-viya identities add-member --group-id SchedulingUsers_HR --user-member-id Delilah

 

This will create the custom group Scheduling Users HR and, in our example, add the user Delilah to that group.

 

Now that the group-managed service account has been added to the Service Account Users for Schedule custom group, and any further custom groups have been created, the credentials for the group-managed service account can be stored. First, we need to create the Token Authentication Domain, and then we need to store a credential for the group-managed service account in that Token Authentication Domain.

 

For this we need to authenticate the SAS Viya CLI as the group-managed service account. This could be with a username and password, or by logging in through the browser by using the loginCode option.

 

You can then use the SAS Viya CLI to create the new Token Authentication domain with a command like the following:

 

/opt/sas/viya/home/bin/sas-viya credentials domains create --domain-id Scheduling_HR_TokenAuth --type oauth2.0

 

Remember it must be defined with the type of oauth2.0.

 

Finally, the credential can be stored for the group-managed service account and access given to the custom group containing the users who will schedule jobs and job flows as the group-managed service account. This can be done with a command like the following:

 

/opt/sas/viya/home/bin/sas-viya credentials groups create --domain-id Scheduling_HR_TokenAuth --identity-id SchedulingUsers_HR \
 --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling

 

Where:

 

  • The domain-id defines the Token Authentication domain,
  • The identity-id defines the custom group which will have access to the credential,
  • The allowed-client option specifies the application (client) IDs that are required for Jobs and Flows. You must include sas.scheduler, sas.jobExecution, and sas.jobFlowScheduling.

 

Specifying the allowed-client option is essentially the same as selecting the Restrict applications check box in SAS Environment Manager.
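
A pre-flight check for the constraints listed above, as an added example that is not part of the original article or of SAS tooling: it scans runbook text for the credentials domains create and credentials groups create commands shown here and reports a domain that is not of type oauth2.0 or a credential that lacks any of the three required allowed clients. The function names and both sample runbooks are constructed for illustration; the script only reads text and never calls the CLI.

```bash
# Added example: lint sas-viya runbook text (stdin) against the article's rules.
REQUIRED_CLIENTS="sas.scheduler sas.jobExecution sas.jobFlowScheduling"
# opt_values "<command line>" <option>: print each value given for <option>.
opt_values() {
  local want="$2" prev="" word
  for word in $1; do
    [ "$prev" = "$want" ] && printf '%s\n' "$word"
    prev="$word"
  done
}

fail() { echo "FAIL $*"; findings=$((findings + 1)); }
lint_gmsa_runbook() {
  local line dom dtype clients c domains="" findings=0
  while read line || [ -n "$line" ]; do  # no -r: joins backslash-continued lines
    case "$line" in
      *"credentials domains create"*)
        dom=$(opt_values "$line" --domain-id)
        dtype=$(opt_values "$line" --type)
        if [ "$dtype" = "oauth2.0" ]; then domains="$domains $dom"
        else fail "domain $dom: type '$dtype' is not oauth2.0"; fi ;;
      *"credentials groups create"*)
        dom=$(opt_values "$line" --domain-id)
        clients=$(opt_values "$line" --allowed-client)
        case " $domains " in
          *" $dom "*) ;;
          *) fail "credential: $dom was not created as oauth2.0 first" ;;
        esac
        for c in $REQUIRED_CLIENTS; do
          printf '%s\n' "$clients" | grep -qxF "$c" ||
            fail "credential in $dom: missing --allowed-client $c"
        done ;;
    esac
  done
  echo "findings=$findings"
  [ "$findings" -eq 0 ]
}

# Constructed samples: one compliant, one with a wrong type and two clients missing.
sample_good() { cat <<'EOF'
sas-viya credentials domains create --domain-id Scheduling_HR_TokenAuth --type oauth2.0
sas-viya credentials groups create --domain-id Scheduling_HR_TokenAuth --identity-id SchedulingUsers_HR \
 --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling
EOF
}
sample_bad() {
  echo 'sas-viya credentials domains create --domain-id D1 --type password'
  echo 'sas-viya credentials groups create --domain-id D1 --identity-id G1 --allowed-client sas.scheduler'
}
```

Pipe a runbook into it, for example sample_bad | lint_gmsa_runbook; the exit status is non-zero when any finding is reported, so it can gate a change review.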

 

Conclusion

 

The release of SAS Viya 2024.05 brings improvements to the SAS Viya CLI that allow all the steps needed to correctly configure group-managed service accounts to be performed with the SAS Viya CLI. You can now use either the SAS Viya CLI or SAS Environment Manager to complete this configuration.

 

 

Find more articles from SAS Global Enablement and Learning here.
