
SAS Viya Identity Management

Started 01-09-2019; modified 01-09-2019

Your identity to a computer system is one of the key factors that determine what you can and cannot do, or what you are "authorized" to do. In this article we will look at identity management in SAS Viya visual deployments (programming-only deployments are different).

 

My colleague Stuart Rogers has covered in detail the authentication aspects of SAS Viya: how you get in. In this article we will look at how your identity determines what you can do once you have authenticated.

 

SAS Viya visual deployments establish a user's identity by reading user and group information from an identity provider. For SAS Viya 3.2, LDAP-based identity providers are supported, including Microsoft Active Directory, OpenLDAP or Apache Directory Server. Access to the identity provider can be configured in two ways:

  • During deployment by entering the LDAP configuration information in SiteDefault.yml
  • Post-deployment interactively with SAS Environment Manager

Learn more about how to configure the connection to the identity provider.

 

There are no users stored in SAS Viya, but a key feature is the ability within SAS Viya to create custom groups. Custom groups can be created that exist in SAS Viya and not in the authentication provider. This provides great flexibility in creating groups to manage access to resources within SAS Viya.

 

There are 4 pre-defined custom groups in SAS Visual Analytics on SAS Viya.

 

[Figure: SAS Viya Pre-defined Custom Groups]

 

In addition to the four pre-defined groups, Authenticated Users is an implicit group to which all users who can authenticate to the system belong.

 

To slightly complicate things, the CAS server also has group-like structures called roles. There is a CAS administrator (or super user) role and a Data administrator role.

  • CAS Roles determine the level of administrative access for CASLIB, table, column and action administration and authorization
  • Custom groups determine the level of administrative access in SAS Environment Manager for general administration and authorization

CAS roles and SAS Viya groups are related. By default in SAS Viya, the SAS Administrators pre-defined group is included in the CAS Administrator role, so all SAS Administrators are also CAS Administrators.

 

[Figure: CAS Roles and Role Membership in CAS Server Monitor]

 

The table below shows the initial setup of the 4 SAS Viya pre-defined custom groups and what functionality they can access.

 

[Table image: the 4 SAS Viya pre-defined custom groups and the functionality they can access]

 

The SAS Administrators group is a special group called an assumable group. This means that a user can opt into that group to gain its elevated privileges. In SAS Environment Manager, if you opt into the SAS Administrators group at logon, you may also assume the CAS administrator (or super user) role to administer the CAS server. My colleague Scott McCauley covered assumable groups in a previous article.

 

What a user or group can do (and see) is controlled by rules. A rule is a composite of authorization elements including:

  • Target: a resource, for example a folder or report
  • Principal: a user or group
  • Permissions: the type of access, for example read or write
  • Setting: an indication of whether access is provided, for example grant or prohibit

SAS provides an initial set of rules to control your users’ access to resources.  These rules determine what the pre-defined custom groups can do and see. The screenshot below shows the default rules for the SAS Visual Analytics and SAS Visual Data Builder applications.

 

It shows that Authenticated Users (principal) can access SAS Visual Analytics (target) because Read (permission) is Granted (setting).

 

The DataBuilders pre-defined custom group (principal) can access SAS Visual Data Builder (target) because Read (permission) is Granted (setting).

 

[Screenshot: default rules for the SAS Visual Analytics and SAS Visual Data Builder applications]

 

The general authorization system in SAS Viya implements a default deny to resources. A user cannot access a resource unless permission is granted. For that reason, with the rules above applied, only members of the DataBuilders group can access the SAS Visual Data Builder application.
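The rule model described above can be sketched as a small evaluator. This is an added example, not SAS code or the SAS Viya API: it models the two default rules from the article, the implicit Authenticated Users group, opt-in for the assumable SAS Administrators group, and default deny. The user names, the "Example admin page" rule and the prohibit-overrides-grant behaviour are assumptions of the sketch.

```python
from dataclasses import dataclass

AUTHENTICATED_USERS = "Authenticated Users"  # implicit group for anyone who can log on
ASSUMABLE_GROUPS = {"SAS Administrators"}    # membership counts only after opting in

@dataclass(frozen=True)
class Rule:
    target: str      # resource, e.g. an application, folder or report
    principal: str   # user or group
    permission: str  # type of access, e.g. "Read"
    setting: str     # "grant" or "prohibit"

RULES = [
    # The two default rules the article walks through.
    Rule("SAS Visual Analytics", AUTHENTICATED_USERS, "Read", "grant"),
    Rule("SAS Visual Data Builder", "DataBuilders", "Read", "grant"),
    # Hypothetical rule, constructed to show the assumable group.
    Rule("Example admin page", "SAS Administrators", "Read", "grant"),
]

def effective_principals(user, groups, opted_in=()):
    """The user, the implicit group, and each group that is active for this
    session (assumable groups only when the user opted in at logon)."""
    active = {g for g in groups if g not in ASSUMABLE_GROUPS or g in opted_in}
    return {user, AUTHENTICATED_USERS} | active

def is_allowed(rules, principals, target, permission="Read"):
    """Default deny: True only if a matching grant exists. Assumption of this
    sketch: a matching prohibit overrides any grant."""
    hits = [r.setting for r in rules
            if r.target == target and r.permission == permission
            and r.principal in principals]
    return "grant" in hits and "prohibit" not in hits

def who_can(rules, sessions, target, permission="Read"):
    """Sorted names of the sessions whose principals reach the target."""
    return sorted(name for name, principals in sessions.items()
                  if is_allowed(rules, principals, target, permission))

# Constructed sessions: user names and memberships are sample data.
SESSIONS = {
    "alice": effective_principals("alice", ["DataBuilders"]),
    "bob": effective_principals("bob", []),
    "carol": effective_principals("carol", ["SAS Administrators"]),
    "carol+admin": effective_principals(
        "carol", ["SAS Administrators"], opted_in=["SAS Administrators"]),
}

if __name__ == "__main__":
    for target in sorted({r.target for r in RULES}):
        print(f"{target}: {who_can(RULES, SESSIONS, target)}")
```

Running `who_can` over a planned rule set before applying it is a quick way to confirm that a new grant does not reach more principals than intended.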

 

I hope this brief introduction to users and groups in SAS Viya will prove useful. In a follow-up article I will go into more detail on rules, and show how you can create new groups and rules to change a user's access to functionality.
