About PaulHomes

PaulHomes · ‎06-27-2012

Hi John, When you create the new role to limit access to the User Manager plug-in, watch out for the "Management Console: Content Management" role which has SASUSERS as a member by default. Unless you remove the SASUSERS membership from that role, your restricted user administrators will still get access to the User Manager, Authorization Manager, Data Library Manager, Folder tab & Search tab. I did a blog post a while back which discussed multiple access paths to a capability. However, removing SASUSERS from the content management role will also impact any existing non-administrative users of SAS Management Console (maybe DI developers), so you may want to add those user's group(s) back as members of the role to ensure continued access. Will your restricted user administrators be managing Portal Group Content Administrators? If so then they will also need access to the Authorization Manager plug-in to be able to set appropriate permissions on portal permission trees. I'm assuming you have also considered identity synchronization with Active Directory, LDAP or other sources of user, group and membership information. That can significantly reduce the requirement for manual identity management in SAS Management Console by help desk staff. If you haven't already seen them, I'd recommend reading the follow resources too: SAS® Management Console: Guide to Users and Permissions SAS® Intelligence Platform: Security Administration Guide SAS Global Forum 2010 Paper 324-2010 "Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2" by Kathy Wisniewski Cheers Paul

PaulHomes · ‎06-19-2012

Hi Matt, You didn't mention which web application server you are using so I'll assume JBoss for now. Whilst I haven't implemented that specific config, I would suggest you have a read of the following resources: Configuring JBoss Application Server 4.3 and 5.1 for Web Authentication with SAS® 9.3 Web Applications JAAS Integration - CAS Clients - Jasig Wiki The first link explains how to configure SAS & JBoss for web authentication (via JAAS) and the second link discusses the CasLoginModule - a JAAS module that can be used for configuring CAS authentication in JBoss. I would start with this info when trying to stitch the various parts together. I hope this helps. It certainly sounds like a fun project. Cheers Paul

PaulHomes · ‎06-06-2012

I have experienced this very same error myself. I had previously changed the SAS configuration for my Linux platform to non-unicode rather than the default unicode (UTF-8), by having sas linked to sas_en rather than sas_u8. This was to work around an issue I was having with SAS/ACCESS to ODBC with the MySQL ODBC driver on Linux. When I switched back to having unicode servers I no longer got the transcode error you also saw. When I ran your sample code I noticed that it extracted metadata for the SAS provided sample stored processes which themselves include metadata with unicode characters in them for a variety of languages. I think you could overcome this error by reconfiguring your servers, if appropriate for your site, to be unicode servers (-encoding UTF-8), or perhaps try adding conditions to your XMLSelect to exclude the SAS sample stored processes which return UTF-8 characters. For more info have a look at the SAS 9.3 Intelligence Platform: Application Server Administration Guide under Encoding and Locale Information

PaulHomes · ‎06-02-2012

Hi nickb, I'm not quite sure what you meant by "can't get it to work" because it was working for me with little change. Were you getting error messages, or just not the results you expected? I took your code as a starting point and made a few changes. I have attached the variation as a .sas file to this reply. I noticed that you had templates in your request but were not using the OMI_TEMPLATE (4) flag. You did have OMI_ALL (1) so were getting everything you needed anyway. I've added in the OMI_TEMPLATE flag and the missing <Trees/> association and <Tree /> template I was able to get it to report a test stored process that I created with a numeric prompt with a maximum value of 3. This was the GroupInfo value for that test prompt for me: <PromptGroup promptId="PromptGroup_1338612866026_660069" version="1.0"> <DefinitionsAndSubgroups> <IntegerDefinition max="3" min="0" name="TestPrompt" promptId="PromptDef_1338612866027_580598"> <Label> <Text xml:lang="en-AU">Test Prompt</Text> </Label> </IntegerDefinition> </DefinitionsAndSubgroups> <Label> <Text xml:lang="en-AU">Parameters</Text> </Label> </PromptGroup> Since the filter is a 'contains' into a large XML string in the GroupInfo variable for the prompt I am not sure how robust it would be and might potentially find the value in other text or descriptions in the XML string. Here's an example of the GroupInfo value for such a situation where the filter string is in the description too: <PromptGroup promptId="PromptGroup_1338612866026_660069" version="1.0"> <DefinitionsAndSubgroups> <IntegerDefinition max="3" min="0" name="TestPrompt" promptId="PromptDef_1338612866027_580598"> <Label> <Text xml:lang="en-AU">Test Prompt</Text> </Label> <Description> <Text xml:lang="en-AU">A prompt for testing max="3" filter.</Text> </Description> </IntegerDefinition> </DefinitionsAndSubgroups> <Label> <Text xml:lang="en-AU">Parameters</Text> </Label> </PromptGroup> It's a bit of a contrived example I guess it's unlikely (but possible) that this might happen for real. If necessary you could look into using SXLE again to parse each GroupInfo value specifically for the max attribute using the SXLE XPath '/PromptGroup/DefinitionsAndSubgroups/IntegerDefinition/@max'. I hope this helps. Cheers Paul

PaulHomes · ‎05-30-2012

Hi Scott, New in SAS 9.3, there's a "Hide from user" tick box when you register the stored process specifically for this type of thing (chaining stored processes). There's more info on this in the SAS 9.3 Stored Processes: Developer's Guide on the Registering the Stored Process Metadata page. Specifically it says: Hide from user enables you to hide the stored process from the folder view and search results in a client application. The stored process is hidden only in clients that support this feature. The stored process is hidden from all users, even unrestricted users. The stored process is not hidden in SAS Management Console. I'm guessing you might be on 9.2 and I'm not sure if there are any alternative techniques to handle this scenario in 9.2. Hopefully someone else might know some neat tricks for this. As you know, metadata permissions (i.e. effective denial of RM) won't help here because then your users wouldn't be able to run those secondary stored processes at all! Cheers Paul

PaulHomes · ‎04-17-2012

Hi Bob, That's a great question. I have pondered this type of thing myself a number of times in the past (in my case with EG, where the EG users had their own dedicated app server for running their projects). My first choice was to use metadata access controls to effectively hide the SASApp server from the EG users by denying RM to PUBLIC and granting it back to SAS admins, SAS services and those other groups who should see it. The SAS EG users couldn't see it by exclusion. Then the other app server (SASEG) was made visible only to the SAS EG users by denying RM to PUBLIC and granting it back to SAS admins, SAS services and the EG user groups. Whilst that worked fine for EG usage, being purely identity based security, it meant that those EG users couldn't see or use the SASApp server in other SAS clients (in my case it caused issues in their use of the SAS web apps), so I ended up abandoning that approach. I did set a default application server for EG but since the users could easily/accidentally switch over to SASApp, confusion arose, and assistance was required to help them switch back again, when their projects failed because they were trying to use resources not available on that app server. If you do get an answer to your question I would be keen to hear about it. I would love to know if there is already a way of robustly implementing this type of client/application level partitioning. If not, something I'd be interested to see in a future version of SAS would be client/application level security too. Perhaps where SAS clients, in addition to users, have to be authorized to use servers/resources. Perhaps EG can see a server where EM can't and vice versa. Maybe a user could access a library in one client but not in another. If not security, I have also wondered whether clients could be made to query extended attributes on resources to find out whether it is appropriate for that client to use those resources. I could imagine a setting that tells EG or EM that the server is unavailable for use by EG or EM. I know EG already queries the AssignMode attribute on libraries to determine how it should assign them, so this could be something similar: i.e 'EG (or EM) please ignore this server and don't show it to any EG (or EM) users'. Cheers Paul

PaulHomes · ‎04-17-2012

Hi, If you place the Oracle credentials in metadata on the user identity, or a group that they are a member of, with a specific authentication domain (e.g. OracleAuth) you can then refer to that authentication domain in your SQL Pass Through code. SAS will then look up the credentials for the current metadata identity from metadata using the specified authentication domain when connecting to Oracle. proc sql; connect to oracle(authdomain="OracleAuth" ... There's more info on this in the following SAS usage notes: SAS Problem Note 31103: The SQL procedure's Pass-Through facility cannot manage metadata credentials SAS Usage Note 38204: Using the AUTHDOMAIN= option with SAS/ACCESS® 9.2 engines Cheers Paul

PaulHomes · ‎02-02-2012

Hi Henry, I don't think there's any difference in the requirements, but I've never yet needed to run the spawner with a different service account. For further clarification have a look at Windows Privileges in the SAS(R) 9.3 Intelligence Platform: Security Administration Guide. It states: Note: In most cases, an object spawner on Windows runs as a service under the local system account. If the spawner instead runs under some other account, that account must be a Windows administrator on the spawner's host and have the Windows user rights Adjust memory quotas for a process and Replace a process level token. These user rights assignments are part of the local security policy for the Windows computer that hosts the spawner. Other than that I would suggest trying it out and/or following up with SAS tech support. Cheers Paul

PaulHomes · ‎02-02-2012

Hi Henry, Have a look at Defining User Accounts in the SAS(R) 9.3 Intelligence Platform: Installation and Configuration Guide. It states (in part) ... ... the user account that runs the object spawner must meet the following requirements on the object spawner machine: be the administrator or a member of the Windows Administrator's group have the following Windows local user rights: Adjust memory quotas for a process Replace a process level token Cheers Paul

PaulHomes · ‎01-31-2012

Hi, Although you mention you only have 1 machine you later mention that compute work is done on one and metadata is available on another. That sounds like a 2 machine config with dedicated app and metadata servers. With that type of config I would confirm with your sysadmin that when they reboot the servers the app server doesn't get started until the metadata server machine has started and the metadata server has fully initialized. You may or may not have a Java app server depending on the SAS products you have. Do you use any of SAS Web Report Studio, SAS Information Delivery Portal, SAS BI Dashboard? It would be handy to know which log file contains the error so you know which service is failing. This is a command I can use on my Linux server to grep all the logs for a specific day looking for the word error but also printing out the name of the file it occurs in and the line number. Not sure if your UNIX flavor supports all these options but, if not, the man pages might have alternatives. find /opt/sas92/ebiedieg/Lev1 -name '*2012-01-28*.log' -exec grep -Hni error {} \; Cheers Paul

PaulHomes · ‎01-30-2012

Hi, I wonder if there's an issue with the start up ordering of the various SAS services. Can you provide a bit more info? Are your SAS services all on the 1 machine or spread over multiple machines? How have the SAS services been configured by the UNIX sysdmin to start during server boot - a call to the sas.servers script or calls to individual service scripts (metadata server, object spawner, olap server etc)? When/how is your Java app server started in relation to the SAS services? If spread over multiple machines, how are they being coordinated to start in the correct order? In which particular SAS service log file are you looking where you see this error? Is your metadata server really on host myserver1 and port 1234 or was that changed to anonymize the log? Cheers Paul

PaulHomes · ‎01-26-2012

Hi Bob, Sounds like an interesting scenario. If you don't get any better suggestions from SAS tech support and others, I would suggest you look at the possibility of converting the workspace server to SAS token authentication. That way the initial connection to the metadata server will be done using the password derived from the SecurID token, but then subsequent connections to the object spawner to launch workspace servers will not use cached credentials but SAS tokens (a trust mechanism based on the fact that the metadata server has already authenticated the user). A potential downside to this (which may or may not be an issue for you) is that the spawned SAS processes will then run as an operating system service/proxy account (like sassrv) instead of the requesting user and this needs to be considered in relation to file system access controls. It will also apply to all users of that workspace server in other applications too. Another consideration might be to have a dedicated application server with its own workspace server configured for SAS token auth specifically for SAS EM clients. Cheers Paul

PaulHomes · ‎01-18-2012

Hi Jamie, For OLAP cubes you need to do the filtering at the level of the OLAP cube itself using OLAP Member Level Security. This is preferable anyway since the security is also applied when you open the cube directly without using an information map (such as from SAS Enterprise Guide). The documentation for this is also in the SAS 9.1.3 Intelligence Platform Security Administration Guide, Second Edition under OLAP Member-Level Permissions. I know in SAS 9.2 you can also use identity-driven substitutions in the MDX filter expression, but I am not sure about SAS 9.1.3. I did a blog post on this topic for SAS 9.2 a while back: SAS 9.2 OLAP Cube Identity Driven Member Level Security. The post contains a few MDX examples and there are some useful comments by others too. It has been a while since I have done OLAP Member Level Security in SAS 9.1.3 so I am not sure if identity-driven substitutions were available in SAS 9.1.3 or if they were new in SAS 9.2. I can't find any references to them for OLAP member level security in the SAS 9.1.3 docs, but who knows... it might be worth giving it a try. Perhaps someone else might be able to confirm whether SAS 9.1.3 supports this or not. Cheers Paul

PaulHomes · ‎01-17-2012

Hi Jamie, If you have a small number of relatively static companies, and have those companies users in company groups in metadata, then you could add a number of company filters in the information map and use access controls to force the use of each for its respective company group (authorization-based prefilter). If you have a larger number of companies that might also change regularly and the mapping of users to companies is readily available as a data source, then another alternative is to apply a userid based identity-driven general prefilter to a userid-company mapping table as a mandatory table joined to your main table(s) via the appropriate company key. The resulting data returned by the information will be subsetted to the company (or companies) that the logged in userid is associated with. You can find more information about this (for SAS 9.1.3) in the SAS 9.1.3 Intelligence Platform Security Administration Guide, Second Edition, Chapter 10 BI Row-Level Permissions Depending on your security requirements you may also want/need to consider the possibility of mediated data access. Whilst you might not actually need it, its still worth reading at least to determine whether it is required for your environment or not. Cheers Paul

PaulHomes · ‎11-11-2011

Hi Frank, With respect to the SAS Web Report Studio 4.3 “Allow Direct Access to Cubes” capability, the SAS® 9.2 Intelligence Platform: Web Application Administration Guide, Fourth Edition (under SAS Web Report Studio Administration > Managing SAS Web Report Studio Content and Users > Predefined Roles) at http://support.sas.com/documentation/cdl/en/biwaag/63149/HTML/default/viewer.htm#a003279136.htm has that capability granted by default to the 3 pre-defined roles: Web Report Studio: Report Viewing Web Report Studio: Report Creation Web Report Studio: Advanced I did a blog post a while back in relation to considerations for removing a capability from someone: “Capability Reviewer Preview: who has access to a capability and how?” at http://platformadmin.com/blogs/paul/2011/04/capability-reviewer-preview/ A capability can be provide via multiple paths based on a users multiple nested group memberships, membership of implicit groups and direct and indirect membership of multiple roles that provide that capability. Since it only takes 1 grant of a capability via any path for that capability to be given, then in order to prevent someone from having a capability, all access paths need to be found and eliminated. To illustrate what I mean, here is a screenshot fragment of the roles & members tree for the “Allow Direct Access to Cubes” capability in a Metacoda Security Plug-ins report I generated from a fresh SAS 9.3 EBIEDIEG installation. In an freshly installed SAS 9.3 installation (I assume it would be the same for default SAS 9.2 install but I don’t have one to hand to confirm) PUBLIC is a member of both Report Viewing and Report Creation. Since you cannot remove someone from the implicit PUBLIC group the 2 ways to resolve this are to 1) remove the capability from both roles or 2) remove PUBLIC as a member of both roles. It is not recommended to modify the capability sets for the pre-defined roles so that rules out #1 making #2 the recommended solution. Having removed PUBLIC, to grant the required capabilities back to the required people, you can either create custom roles as variations on the pre-defined ones but without the capabilities you don’t need and make PUBLIC members of those, or use more specific smaller groups as members of the pre-defined and/or custom roles as appropriate for your site. BTW there is an excellent paper on roles and capabilities by Kathy Wisniewski in SAS Global Forum 2010 Paper 324-2010 “Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2” available at http://support.sas.com/resources/papers/proceedings10/324-2010.pdf I hope this helps. Cheers Paul

Online Status	Offline
Date Last Visited	‎02-11-2025 08:08 PM