User Bulk Load into SAS Viya Custom Groups

jwward65 · ‎09-22-2020

There currently is not a way to bulk load user IDs into a custom group in SAS Viya. We use Active Directory (LDAP) groups to get access to the SAS Viya system, but use custom groups to control access to specific reports.

However, other than selecting them one at a time in the SAS Environment Manager GUI or doing one line at a time using the sas-admin add-member CLI tool is not the most efficient way to do this. This is especially true in our environment where we could have 1000+ users that need to be added to one of the custom groups. Having the functionality to be able to import a list of user IDs would be a HUGE help in this process!

GeoffreyTindall · ‎12-01-2020

Although there is not a SAS tool available to perform this, bulk load of user IDs into a custom group in SAS Viya could be performed using a script.

The script below will add users in a given file to a specified group.
It requires the sas-admin CLI be installed and configured with a profile able to connect
to the environment.

Please try the script and share your feedback.

The script is provided 'as-is'.

#!/bin/bash
# This script will add users in a given file to a specified group.
# It requires sas-admin CLI be installed and configured with a profile able to connect
# to the environment.
# This script is provided 'as-is'.
# Define a usage function to explain how to use the script.
function usage {
    echo ""
    echo "Usage: bulk_member_add.sh [OPTIONS]..."
    echo "Script logs into the supplied sas-admin cli profile and adds each line in the supplied file"
    echo "to the the specified custom group."
    echo ""
    echo "Options:"
    echo "  -g, --custom-group  Specify to which group id (not group name) you would like to add the users"
    echo "  -f, --user-file     Specify the file containing the users to add to the group (one per line)"
    echo "  -p, --profile       Specify the sas-admin CLI profile you would like to use"
    echo "  -c, --admin-cli     Specify the path to the sas-admin CLI if it is not /opt/sas/viya/home/bin/sas-admin"
    echo "  -h, --help          Display this usage page."
}

## First, evaluate the options provided. ##

# If no arguments are supplied, return the help page and terminate with a non-zero return code.
if [ "$1" = "" ]
    then 
    usage
    exit 1
fi

# Read in the arguments provided and store them to environment variables.
while [ "$1" != "" ]
    do
    case $1 in
    -p | --profile )            shift
                                profile=$1
                                ;;
    -g | --custom-group )       shift
                                group=$1
                                ;;
    -f | --user-file )          shift
                                file=$1
                                ;;
    -c | --admin-cli )          shift
                                admincli=$1
                                ;;    
    -h | --help )               usage
                                exit
                                ;;
    * )                         echo "Option $1 is not valid."
                                usage
                                exit 1
    esac
    shift
done

## Validation Function Definitions ##
# Define a function "jqcheck" to confirm that jq is installed/run-able.
function jqcheck {
    echo "NOTE: Checking if jq is installed."
    RPMV=$(jq --version)
    RC=$?
    if [ $RC != "0" ] 
        then
        echo "ERROR: This script requires the jq package."
        exit 2
    fi
    echo "jq is installed, continuing..."
}

# Define a function "sasadmcheck" to set admincli to the default path if it isn't supplied, and confirm it is executable.
function sasadmcheck {

    if [ -z "$admincli" ]
        then admincli=/opt/sas/viya/home/bin/sas-admin
    fi

    if [ ! -x "$admincli" ]
        then
        echo "ERROR: $admincli is not a valid executable. Use --admin-cli to specify the path to the sas-admin binary."
        exit 2
    fi
}
# Define a function "profilecheck" to check if a profile is in the admin CLI's list of profiles.
# If it is, run authcheck against it to confirm we have a valid ticket and if not, log in.
function profilecheck {
    RC=$($admincli profile list | grep -o $profile )
    if [ -z "$RC" ]
        then
        echo "ERROR: Profile $profile is not defined. Use $admincli -p $profile profile init to set it up, or specify a different profile."
        exit 2
    fi
    authcheck
}

# Define a function "authcheck" to check if we have a valid authentication token in sasadmin for a given profile.
# If not, login.
function authcheck {
    # only log in if our access token has expired.
    expire=$(jq .${profile} ~/.sas/credentials.json | jq -r '."expiry"')

    declare -i intexpire=$(date -d $expire +%s)
    declare -i intnow=$(date +%s)

    if [ $intexpire -le $intnow ]
        then 
        # Authenticate using the supplied profile.
        echo "Current token for sas-admin CLI on profile $profile is expired."
        $admincli -p $profile auth login
        RC=$?

       if [ "$RC" != "0" ]
           then 
               echo "ERROR: Authentication failed. RC=$RC"
               exit 2
       fi
    fi
}

# Define a function "varcheck" to check if a supplied variable is defined. Needs $var to be set as the variable to check.
# If the variable is in the case list it will provide more detailed information on how to correct it.
function varcheck {
    if [ -z "${!var}" ]
        then
        case $var in
        profile )       echo "ERROR: Profile is not defined, use --profile to set this value."
                        exit 2
                        ;;
        group )         echo "ERROR: Custom group is not defined, use --custom-group to set this value."
                        exit 2
                        ;;
        file )          echo "ERROR: User file is not defined, use --user-file to set this value."
                        exit 2
                        ;;
        * )             echo "ERROR: $var is not defined."
                        exit 2
                        ;;
        esac
        usage
        exit 2
    fi
}

# Confirm jq is installed
jqcheck

# Check all the necessary variables are defined.
var=profile; varcheck
var=group; varcheck
var=file; varcheck

# Confirm the file is readable
if [ ! -r "$file" ]
then
    echo "ERROR: File $file is not readable."
    exit 2
fi

# Confirm sas-admin is available and executable
sasadmcheck

# Confirm the supplied profile is valid
profilecheck

# Get the base URL and access token from the profile.
token=$(jq .${profile} ~/.sas/credentials.json | jq -r '."access-token"')
baseurl=$(jq .${profile} ~/.sas/config.json | jq -r '."sas-endpoint"')

# Encode the group name in case it has special characters
groupenc=$(jq -nr --arg v "$group" '$v|@uri')

# Confirm the custom group exists
rc=$(curl -s -o /dev/null -I -w "%{http_code}" "$baseurl/identities/groups/$groupenc" --header "Authorization: Bearer $token")

if [ $rc -ne 200 ]
then
    echo "ERROR: Group $group does not appear to be a valid group ID."
    echo "NOTE: Be sure to use the group ID, and not the group display name."
    exit 2
fi

# Read in the list of users
IFS=$'\n'
users=( $(cat $file) )

# For each user:
for user in ${users[@]}
do
    # Encode the group name in case it has special characters
    userenc=$(jq -nr --arg v "$user" '$v|@uri')
    # Confirm the user exists
    rc=$(curl -s -o /dev/null -I -w "%{http_code}" "$baseurl/identities/users/$userenc" --header "Authorization: Bearer $token")
    if [ $rc -ne 200 ]
    then
        echo "ERROR: $user does not appear to be a valid user ID."
        continue
    fi
    # Add them to the group
    rc=$(curl -s -o /dev/null --request PUT -w "%{http_code}" "$baseurl/identities/groups/$groupenc/userMembers/$userenc" --header "Authorization: Bearer $token")
    if [ $rc -eq 409 ]
    then
        echo "NOTE: User $user is already in the group $group."
    elif [ $rc -ne 201 ]
    then
        echo "ERROR: Failed to add user $user to group $group."
    fi    
done