Updating SAS Viya general authorization permissions using the sas-viya command line
I love it when people ask our team questions. I love it even more when we can answer them, and a few days ago a very knowledgeable colleague asked me a really good question:
Is there a way to set a permission to none using the sas-viya CLI like you can do in the GUI?
It helps enormously if you use a couple of additional command-line tools (jq and the getruleid.py pyviyatool) in addition to the sas-viya CLI, but with their assistance, yes, you can set a permission to '(none)' using the sas-viya CLI.
This is what my colleague was asking about:
Setting a permission to none using the SAS Environment Manager GUI
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
Read on to learn how to do this from the command line. It's not quite as simple as it looks!
Demo Preparation
To set up a folder to work with, I used to an instance of the SAS Viya environment that we provide for students attending our team's GEL SAS Viya: Administration workshops. These workshops have a set of fictitious users who are in groups, and who work for a fictitious company called GELCorp. There is a Managers group ready made with a couple of users in it. We have a ready-made folder structure in these environments, including a Viya folder called /gelcontent/GELCorp.
To prepare, I ran some sas-viya CLI statements to create a 'Managers' Viya folder under /gelcontent/GELCorp, and to grant the Managers groups some read-write permissions on that folder (targeted by --object-uri) and on its contents (targeted by --container-uri) :
Here's the command line output from that series of commands:
[cloud-user@hostname ~]$ # Create a Managers folder in /gelcontent/GELCorp
[cloud-user@hostname ~]$ /opt/sas/viya/home/bin/sas-viya --output text folders create --parent-path /gelcontent/GELCorp --name Managers
Id 84a65308-b77f-4844-814c-02fcc51221ba
Name Managers
Description
Type folder
MemberCount 0
ParentFolderUri /folders/folders/ce8f1f43-3af4-4cc9-a360-922534670eec
The folder was created successfully.
[cloud-user@hostname ~]$
[cloud-user@hostname ~]$ #Get /gelcontent/GELCorp/Managers folder id, store in $folderid
[cloud-user@hostname ~]$ folderid=$(/opt/sas/viya/home/bin/sas-viya --output json folders show --path "/gelcontent/GELCorp/Managers" | jq -r '.["id"]')
[cloud-user@hostname ~]$ echo "The Managers folder ID is" $folderid
The Managers folder ID is 84a65308-b77f-4844-814c-02fcc51221ba
[cloud-user@hostname ~]$
[cloud-user@hostname ~]$ # Grant Managers group: +RUARe,+RUDARe&
[cloud-user@hostname ~]$ echo "Granting Managers +RUARe,+RUDARe& on /gelcontent/GELCorp/Managers"
Granting Managers +RUARe,+RUDARe& on /gelcontent/GELCorp/Managers
[cloud-user@hostname ~]$ /opt/sas/viya/home/bin/sas-viya authorization grant --object-uri /folders/folders/$folderid/** --group Managers --permissions read,update,add,remove
{
"acceptItemType": "",
"acceptType": "",
"contentType": "",
"createdBy": "geladm",
"creationTimestamp": "2022-12-15T16:35:38.835Z",
"description": "",
"enabled": true,
"id": "9f585603-f29b-445a-8e19-1aba538fae8b",
"mediaType": "",
"modifiedBy": "geladm",
"modifiedTimestamp": "2022-12-15T16:35:38.835Z",
"objectUri": "/folders/folders/84a65308-b77f-4844-814c-02fcc51221ba/**",
"permissions": [
"remove",
"read",
"update",
"add"
],
"principal": "Managers",
"principalType": "group",
"reason": "",
"type": "grant",
"version": 10
}
The authorization rule has been created.
[cloud-user@hostname ~]$ /opt/sas/viya/home/bin/sas-viya authorization grant --container-uri /folders/folders/$folderid --group Managers --permissions read,update,delete,add,remove
{
"acceptItemType": "",
"acceptType": "",
"containerUri": "/folders/folders/84a65308-b77f-4844-814c-02fcc51221ba",
"contentType": "",
"createdBy": "geladm",
"creationTimestamp": "2022-12-15T16:36:23.113Z",
"description": "",
"enabled": true,
"id": "c626a6de-60dd-4798-a928-a2568f5de466",
"mediaType": "",
"modifiedBy": "geladm",
"modifiedTimestamp": "2022-12-15T16:36:23.113Z",
"objectUri": "",
"permissions": [
"remove",
"read",
"delete",
"update",
"add"
],
"principal": "Managers",
"principalType": "group",
"reason": "",
"type": "grant",
"version": 10
}
The authorization rule has been created.
[cloud-user@hostname ~]$
In SAS Environment Manager, in the Content page, the Managers group's permissions on the new folder (right-click > View Authorization) look like this:
Initial permissions set on the new Managers folder
Note that among other permissions, I have granted the Managers group 'Update' permission on the Managers folder itself.
Set a permission to none using the sas-viya CLI
Let's suppose a few days have passed, and I notice that Managers (such as the user 'Helena') in our workshop environment have permission to rename the Managers folder!
Helena can rename the Managers folder!
Oops! That was not my intention.
Helena can rename the Managers folder because I 'accidentally' granted Managers (a group she belongs to) the Update permission on the folder (she already had Update permission on its parent folder, /gelcontent/GELCorp).
I want to remove that grant - in other words, to set the permission to '(none)'. It's easy to do in the SAS Environment Manager GUI's Edit Authorization dialog, but how can we do it using the sas-viya CLI? There isn't exactly a sas-viya CLI syntax that will set a permission to '(none)'.
What we need to do is update the rule that grants the read, update, add and remove permissions on the Managers folder to members of the Managers group, so that it only grants read, add and remove permissions - and not update any more.
We can do this with the sas-viya authorization update-rule command. But the catch is that it requires a rule ID, which I don't know. The commands that created the new general authorization rules that represent the permissions I granted did not include the rule IDs in their output, and in any case, let's assume some time passed since I created it and I wouldn't remember them even if the rule IDs were output at the time. And short of looking up the rule in SAS Environment Manager, which defeats the purpose of using the sas-viya CLI, we need a way to find the rule ID using CLI commands.
I spent a while trying to do this using the sas-viya CLI, with the sas-viya authorization list-rules command and jq. I think it should be possible. However, after a while, I remembered I wrote a getruleid.py pyviyatool for just this sort of purpose! My colleague @GerryNelson wrote a blog post explaining how to install and use the pyviyatools in 2018, but it's still correct and relevant, and there are more useful tools in the set now too!
That made it much easier, as getruleid.py only requires a folder ID and a identity principal (a user or a group), and returns all the details of the rule - including its id - in JSON, CSV or a simple multiline name-value format.
So, the following code will do the trick - first, it uses the sas-viya CLI and jq to get the folder ID. Next, it uses getruleid.py and awk to get the rule ID. Finally, it uses the sas-viya authorization update-rule command to change the permissions that the rule grants, reducing them from 'read,update,add,remove' to just 'read,add,remove', which effectively sets the 'update' permission to '(none)'.
Here's the command line output from that series of commands:
[cloud-user@hostname ~]$ #Get /gelcontent/GELCorp/Managers folder id, store in $folderid
[cloud-user@hostname ~]$ folderid=$(/opt/sas/viya/home/bin/sas-viya --output json folders show --path "/gelcontent/GELCorp/Managers" | jq -r '.["id"]')
[cloud-user@hostname ~]$ echo "The Managers folder ID is" $folderid
The Managers folder ID is 84a65308-b77f-4844-814c-02fcc51221ba
[cloud-user@hostname ~]$
[cloud-user@hostname ~]$ # Get the id of the rule targeting that folder for Managers, and parse the output a bit to keep just the rule ID
[cloud-user@hostname ~]$ ruleid=`/opt/pyviyatools/getruleid.py -u /folders/folders/$folderid/** -p "Managers" -o simple | grep "id = " | awk '{print $3}'`
[cloud-user@hostname ~]$ echo "The rule ID is" $ruleid
The rule ID is 9f585603-f29b-445a-8e19-1aba538fae8b
[cloud-user@hostname ~]$
[cloud-user@hostname ~]$ # Reduce the permissions that Managers have on the folder, keeping just 'Read', 'Add' and 'Remove', which effectively removes the unwanted 'Update' permission:
[cloud-user@hostname ~]$ /opt/sas/viya/home/bin/sas-viya authorization update-rule --id $ruleid --grant --group "Managers" --permissions read,remove,add
{
"acceptItemType": "",
"acceptType": "",
"contentType": "",
"description": "",
"enabled": true,
"id": "9f585603-f29b-445a-8e19-1aba538fae8b",
"mediaType": "",
"modifiedBy": "geladm",
"modifiedTimestamp": "2022-12-15T17:19:16.495Z",
"objectUri": "/folders/folders/84a65308-b77f-4844-814c-02fcc51221ba/**",
"permissions": [
"remove",
"read",
"add"
],
"principal": "Managers",
"principalType": "group",
"reason": "",
"type": "grant",
"version": 10
}
The rule has been modified.
[cloud-user@hostname ~]$
If you look at the command output closely (and scroll down), you can see that this rule now only grants the smaller set of permissions we asked for. Here are how the Managers group's permissions on the Managers folder look after this correction:
Corrected Managers folder permissions
The Managers group no longer has the 'Update' permission granted directly on the Managers folder. Since nothing else grants Managers this permission, the effective permission decision for the 'Update' permission for 'Managers' on the Managers folder is 'denied'. In the absence of an grant, permissions in the SAS Viya general authorization system are denied by default.
As a result, the Helena can no longer rename the Managers folder:
Helena can no longer rename Managers folder
Job done. My thanks to my colleaque Bruno Muller for asking a really good question, with a not-so-straightforward answer. And I hope you will find this useful in your projects!
See you next time!
