
SAS Viya Removing SCIM Users and Groups

Started 03-24-2021, modified 03-24-2021

In this blog we will wrap up our discussion of configuring SCIM with SAS Viya. We have already covered considerations and requirements, SAS Viya SCIM configuration, Azure Active Directory configuration, and OKTA configuration. In this post I want to switch around and talk about removing users and groups from SAS Viya when they have been provisioned through SCIM.

General Thoughts

One of the advantages of SCIM over SAML-based Just-in-Time provisioning is that it specifically enables the de-provisioning of users and groups. This means that unnecessary users and groups can be removed from the SCIM server, so your Identity Provider can really operate as the "one true version of the truth". When users or groups are removed from the Identity Provider, SCIM handles their removal from any downstream applications.


A "grey area" arises when the user or group is unassigned within the SCIM client rather than deleted from the Identity Provider. For example, with Azure Active Directory, you might update the SCIM client configuration to remove a user or group from the client while they still exist in Azure Active Directory. Microsoft has chosen that in this case the user or group will not be deleted from the SCIM server. Instead, the SCIM client updates the user or group to flag them as inactive; Microsoft refers to this as a soft delete. In fact, until the user is removed from the recycle bin in Azure Active Directory, they will not be deleted from the SCIM server.

What does this mean for SAS Viya?

In the long run this is good; as Microsoft states, "It allows customers to recover when a user is accidentally disabled". When a user is deleted from SAS Viya, any content they "own" becomes orphaned. However, the soft-delete behaviour can cause problems during the initial configuration of the SCIM client. At that stage you might be experimenting with different selection criteria and so mistakenly provision users and groups that do not need to exist in SAS Viya. These are valid users and groups in Azure Active Directory, and you do not want to "hard" delete them from Azure Active Directory, since that would impact other applications using Azure Active Directory. But you will want to remove them from SAS Viya.

Manually Deleting from SAS Viya

SAS Environment Manager does not allow you to delete users or groups; you can only delete custom groups. However, you can use the SCIM endpoints provided by the Identities microservice to delete an individual user or group. You just need to issue an HTTP DELETE request to the Users or Groups endpoint. This can be done with curl; for example, to delete the user WrongUser@customer.com we would use the following:


curl -s -X DELETE "https://viya.customer.com/identities/scim/v2/Users/WrongUser@customer.com"\
 -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Bearer $ID_TOKEN"


Here $ID_TOKEN is a valid OAuth Bearer token granting access to the SCIM endpoints. It makes sense for this to be the ID token you generated when configuring the SCIM client in SAS Viya. The value in the URL after /Users/ or /Groups/ is the ID of the user or group that you want to delete.


Remember: deleting users who have already created content will leave orphaned content in the system. This is only recommended for use during the initial configuration of the SCIM provisioning.

Scripting Deletion from SAS Viya

So, the approach above is enough if you only have a small number of users or groups to remove as you fine-tune the SCIM provisioning selection criteria. But what if you want to remove all the users and groups that you have provisioned with SCIM? In this case you can simply wrap the individual delete requests in a script that walks through all the defined users and groups. For example:


#!/bin/bash
#
# Script to remove all SCIM users and groups
# Example output:
#   Total Number of users: 352
#   Total Number of groups: 2
#   There are now: 0 Users and 0 Groups

# WARNING: SCRIPT DOES NOT CONFIRM DELETE
# WARNING: SCRIPT WILL TAKE QUITE LONG IF THERE ARE LARGE NUMBERS OF USERS OR GROUPS

# Script leverages curl and jq
# Stop on the first failed command or failed pipeline stage (e.g. jq given a non-JSON error page)
set -eo pipefail

# Required Environment Information
INGRESS_SUFFIX="viya.customer.com"
NS="gelenv"
INGRESS_URL="https://${NS}.${INGRESS_SUFFIX}"
SCIM_URL="${INGRESS_URL}/identities/scim/v2"

# Requires an access token to authenticate to the SCIM endpoints
# Example here reads the token value from a text file
ID_TOKEN=$(cat ~/idtoken.txt)

# Headers sent with every SCIM request
HDR_CT="Content-Type: application/x-www-form-urlencoded"
HDR_AUTH="Authorization: Bearer ${ID_TOKEN}"

# Fetch number of users
numUsers=$(curl -s "${SCIM_URL}/Users" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq '.totalResults')
echo "Total Number of users: ${numUsers}"

# Fetch number of groups
numGroups=$(curl -s "${SCIM_URL}/Groups" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq '.totalResults')
echo "Total Number of groups: ${numGroups}"

# Fetch all user IDs into an array (one element per line of jq output)
# Second jq command ensures that each ID is URL encoded before it is used in a path
mapfile -t allUsers < <(curl -s "${SCIM_URL}/Users?startIndex=1&count=${numUsers}" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq -r '.Resources[].id' | jq -Rr '@uri')

# Fetch all group IDs into an array
# Second jq command ensures that each ID is URL encoded before it is used in a path
mapfile -t allGroups < <(curl -s "${SCIM_URL}/Groups?startIndex=1&count=${numGroups}" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq -r '.Resources[].id' | jq -Rr '@uri')

# Delete all users
for u in "${allUsers[@]}"; do
  curl -s -X DELETE "${SCIM_URL}/Users/${u}" -H "${HDR_CT}" -H "${HDR_AUTH}"
done

# Delete all groups
for g in "${allGroups[@]}"; do
  curl -s -X DELETE "${SCIM_URL}/Groups/${g}" -H "${HDR_CT}" -H "${HDR_AUTH}"
done

# Report
finalUsers=$(curl -s "${SCIM_URL}/Users" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq '.totalResults')
finalGroups=$(curl -s "${SCIM_URL}/Groups" -H "${HDR_CT}" -H "${HDR_AUTH}" | jq '.totalResults')
echo "There are now: ${finalUsers} Users and ${finalGroups} Groups"


This example script will require:

  • Both the curl and jq command-line utilities
  • Details of the URL used to access the SAS Viya Identities microservice; this assumes you are using SAS Viya 2020.1 or later
  • An OAuth Bearer token with the correct authorization to access the SCIM endpoints of the Identities microservice

The script then does the following:

  1. Calls the /Users endpoint and uses jq to fetch the total number of users.
  2. Calls the /Groups endpoint and uses jq to fetch the total number of groups.
  3. Calls the /Users endpoint and uses jq to fetch all usernames into an array; this call uses the total number of users as the limit on the request. jq is used a second time to ensure the returned text is URL encoded.
  4. Calls the /Groups endpoint and uses jq to fetch all group names into an array; this call uses the total number of groups as the limit on the request. jq is used a second time to ensure the returned text is URL encoded.
  5. Walks through the array of usernames, issuing an HTTP DELETE request for each user.
  6. Walks through the array of group names, issuing an HTTP DELETE request for each group.
  7. Finally, checks the total number of users and groups after the DELETE requests have completed.

So, this example script deletes all the SCIM-provisioned users and groups from the SAS Viya environment, which should make it easier to change the selection criteria in the SCIM client and ensure the correct users and groups are provisioned. Be aware that if there are many users or groups it could take quite a long time to complete. If you ensure this is done before you configure either SAML or OpenID Connect for the SAS Viya environment, you can be certain that no end-users have accessed the environment and started creating content.
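The listing, encoding and delete-planning steps of the script above, modelled as an added example (not the blog's script) in Python so that it runs offline: a constructed in-memory stand-in replaces the Identities microservice, and the pager goes beyond the page's count=totalResults shortcut by following the SCIM ListResponse semantics (a server may return fewer items than requested) and by skipping a protected list of ids. SCIM_BASE, the sample ids and the fake_fetch server are assumptions.

```python
from urllib.parse import quote

SCIM_BASE = "https://viya.customer.com/identities/scim/v2"  # assumed ingress URL


def iter_scim_ids(fetch_page, resource, page_size=100):
    """Yield every id from a SCIM v2 list endpoint (/Users or /Groups).
    fetch_page(resource, start_index, count) returns a parsed ListResponse.
    Per RFC 7644 the server may return fewer items than requested, so we
    advance startIndex by what actually came back, not by page_size."""
    start = 1
    while True:
        page = fetch_page(resource, start, page_size)
        resources = page.get("Resources", [])
        if not resources:
            return
        for r in resources:
            yield r["id"]
        start += len(resources)
        if start > page.get("totalResults", 0):
            return


def plan_deletes(fetch_page, protected=()):
    """Return the DELETE URLs to issue, users first then groups.
    Ids are percent-encoded like the script's `jq -Rr '@uri'` step, so
    WrongUser@customer.com becomes WrongUser%40customer.com in the path.
    Ids in `protected` are skipped: a safety net the original script lacks."""
    urls = []
    for resource in ("Users", "Groups"):
        for rid in iter_scim_ids(fetch_page, resource):
            if rid not in protected:
                urls.append(f"{SCIM_BASE}/{resource}/{quote(rid, safe='')}")
    return urls


# Constructed sample data standing in for the Identities microservice; the
# fake server caps every page at 2 items so the pagination path is exercised.
_SAMPLE = {
    "Users": ["WrongUser@customer.com", "a.user@customer.com", "b user@customer.com"],
    "Groups": ["Sales Team", "Data Scientists/EU"],
}


def fake_fetch(resource, start_index, count):
    ids = _SAMPLE[resource]
    chunk = ids[start_index - 1:start_index - 1 + min(count, 2)]
    return {"totalResults": len(ids), "startIndex": start_index,
            "itemsPerPage": len(chunk), "Resources": [{"id": i} for i in chunk]}
```

Calling plan_deletes(fake_fetch) yields the five DELETE URLs in the order the shell script would issue them; swap fake_fetch for a function that performs the authenticated GET to use it for a dry run against a real environment.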


Remember: deleting users who have already created content will leave orphaned content in the system. This is only recommended for use during the initial configuration of the SCIM provisioning.

Conclusion

This is the last post in the series looking at SCIM configuration with SAS Viya. We have discussed how SCIM improves on Just-in-Time provisioning by enabling automatic de-provisioning. We have also highlighted the cases where the limitations of de-provisioning might hamper the initial setup of SCIM provisioning. Finally, we have shown how you can use the SCIM endpoints of the Identities microservice to delete users and groups from SAS Viya.
