BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
ShelleySessoms
Community Manager

As administrators, ensuring your users have the right tools to get their jobs done is what drives your day to day. So how do you know if you should be using SAS 9.4 or SAS Viya – or both?

 

Join us for a complimentary webinar on Tuesday, Oct. 9, at 2-3 p.m. ET.

 

We'll cover common management tasks like:

  • SAS Visual Analytics reports from SAS®9 to SAS Visual Analytics 7.4 to SAS Viya.
  • New enhancements in authorization.
  • Managing users in SAS Viya.

 

Register for the live and on-demand event.

1 ACCEPTED SOLUTION

Accepted Solutions
ShelleySessoms
Community Manager

Thanks to everyone who joined us for the live event.

 

The recording can be found here. And the slides are attached as a PDF.

 

There were two questions that Darrell answered at the conclusion of the event:

 

Q: ­Can you speak about SAS Viya and high availability. Which components can have a secondary server.­

A. Refer to this paper from SAS Global Forum this year:

https://www.sas.com/content/dam/SAS/support/en/sas-global-forum-proceedings/2018/1835-2018.pdf 

 

Q: ­Is there an unrestricted user in Viya?­

A. The closest you get is the members of the SAS Administrators Custom Group and sasboot.  However, they will be under control of the General Authorization.  Their access to content and functionality is controlled using rules.

 

 

View solution in original post

6 REPLIES 6
ShelleySessoms
Community Manager

Thanks to everyone who joined us for the live event.

 

The recording can be found here. And the slides are attached as a PDF.

 

There were two questions that Darrell answered at the conclusion of the event:

 

Q: ­Can you speak about SAS Viya and high availability. Which components can have a secondary server.­

A. Refer to this paper from SAS Global Forum this year:

https://www.sas.com/content/dam/SAS/support/en/sas-global-forum-proceedings/2018/1835-2018.pdf 

 

Q: ­Is there an unrestricted user in Viya?­

A. The closest you get is the members of the SAS Administrators Custom Group and sasboot.  However, they will be under control of the General Authorization.  Their access to content and functionality is controlled using rules.

 

 

JuanS_OCS
Amethyst | Level 16

Hi @ShelleySessoms,

 

thank very much for sharing. This is a good follow up of the SASAdmin session hosted by SAS Canada 🙂

 

I wonder if I could raise a question to Darrel, otherwise I would just post in the communities as usual.

 

What are the best practices for working and setting Rules in Viya? By default Viya is really open, and all Authorized Users have too many permissions to the different URIs. To work with the GUI for Rules in Environment Manager is hardly workable: way too many URIs and permissions. And the list is not exportable.

 

So more specific questions would be:

- how to make a proper list of default and custom rules?

- best way to edit/set rules? I guess some CLI command, or Rest API. Any (editable) script for power building some defaults?

- best practices used for now (that would be enough) proposed by SAS, for setting permissions? 

 

Thank you in advance!

 

ShelleySessoms
Community Manager

Hi @JuanS_OCS, I have forwarded your questions on to Darrell. I'll post his answers here for you and everyone else to learn from.

 

Thanks for being such a great admin community member!

 

Best,

Shelley

JuanS_OCS
Amethyst | Level 16

Hi @ShelleySessoms,

 

excellent, thanks in advance for that! And thanks again to you, for helping and promoting us 🙂

 

Best,

Juan

ShelleySessoms
Community Manager

Hi @JuanS_OCS,

 

Here is the information, as provided by Darrell. Hope it helps!

 

What are the best practices for working and setting Rules in Viya? By default Viya is really open, and all Authorized Users have too many permissions to the different URIs. To work with the GUI for Rules in Environment Manager is hardly workable: way too many URIs and permissions. And the list is not exportable.

It’s hard to establish best practices for permission policies because each organization has different priorities.  You seem to want to control access to the applications.  That’s accomplished using the CLI and UI as discussed in the other responses to your questions.  If you are not happy with the access given to Authenticated Users for the various applications then certainly modify the rules to manage access to the functionality.  You can use the CLI with the authorization plug-in to manage things programmatically or the Environment Manger UI.  Here’s the CLI help.

$ /opt/sas/viya/home/bin/sas-admin authorization --help

NAME:

   sas-authorization

 

USAGE:

   sas-admin authorization command [command options] [arguments...]

 

COMMANDS:

   authorize, grant, create-rule                Creates an authorization rule to grant privileges to the specified principal.

   create-rules                                 Create a set of authorization rules.

   disable-guest-access                         Disables guest access.

   enable-guest-access, facilitate-guest        Enables guest access.

   explain                                      Shows the explanations of a target object URI.  For example:  --target-uri /SASHome/**

   get-rules-file                               Show the JSON file used to produce guest access.

   help, h                                      Shows a list of commands or help for one command.

   list-rules                                   Lists the authorization rules that are defined for the SAS environment.

   prohibit                                     Creates an authorization rule to prohibit privileges for the specified principal.

   remove-rule, revoke                          Removes a specific authorization rule.

   remove-rules                                 Removes a set of authorization rules.

   show-rule                                    Shows a specific authorization rule.

   update-rule                                  Modifies a specified authorization rule.

 

Just filter on the rules (pipe the CLI output to the grep command to filter using the CLI, $ /opt/sas/viya/home/bin/sas-admin authorization list-rules | grep -i visual)  and make changes to meet your needs.  I demonstrated filtering on the rules in the UI during my session.

 

So more specific questions would be:

- how to make a proper list of default and custom rules?

Not sure how to separate default vs. custom, but you can use the CLI to get them all...

/opt/sas/viya/home/bin/sas-admin --output text authorization list-rules > ViyaRules.txt

 

- best way to edit/set rules? I guess some CLI command, or Rest API. Any (editable) script for power building some defaults?

This is totally user choice.  In most cases I would use SAS Environment Manager and the Rules page.  You can certainly use the CLI with the grant, prohibit, update-rule, etc. to manage the rules.  See help above.

JuanS_OCS
Amethyst | Level 16

Hello @ShelleySessoms,

 

the info is useful indeed; unfortunately, I am getting empty lists.

 

I will open a new thread, that will reference this post and this other one https://communities.sas.com/t5/Administration-and-Deployment/How-to-grant-or-restrict-user-access-in...

 

 

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

Discussion stats
  • 6 replies
  • 3574 views
  • 10 likes
  • 2 in conversation