cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
MRSA
‎02-26-2019
  • 9 Posts
  • 3 Likes Given
  • 0 Solutions
  • 4 Likes Received

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎01-21-2018 06:27 PM
1 Like
‎01-21-2018 06:27 PM
1 Like
@ShelleySessoms   Hi Shelley, it has indeed been nice to hear from experts on this topic. I have been working on a summary and will post it once done. Regards ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎01-04-2018 01:13 PM
‎01-04-2018 01:13 PM
@Kurt_Bremser I don't think this discussion is missing the point that you mentioned. This whole discussion is mostly about that point, i.e. whether MBL and encryption provides a robust protection (which it may not). Regarding dumping out data, at least in our implementation we have disabled copy and paste, and also export of data. Also disabled access to local desktop through EG. So they can only write to server, and only the folders they have been granted access to. ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎01-03-2018 02:50 PM
‎01-03-2018 02:50 PM
@SASKiwi I am interested to know that as well. Could we exclude the location where users are expected to store their output and results from the lockdown list and still be functional? ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎01-01-2018 10:43 PM
2 Likes
‎01-01-2018 10:43 PM
2 Likes
Thanks everyone for your comments.   @PaulHomes You mention a really good point about different server contexts. In our implementation we have disabled the ability to use stored procedures due to security concerns, i.e. users being able to invoke stored procedures that run under the context of the service account and potentially gain access to data that they normally don't have access to. I think we should investigate more how MBL can prevent such scenarios.   Apart from that, we also see a potential benefit in MBL with regards to data management, which is reducing duplication and proliferation of data sets. The users may need same cut of data for various projects, and using MBLs, provides more visibility to what is already available which could lead to less storage consumption (premium storage is of course not cheap) and a bit more collaboration among them. However as @Quentin alluded to, we are sensing some resistance from the experienced SAS programmers.   All that said, the architecture of MBL is a bit flawed IMHO which despite adding extra layers of complexity, still allows for non-compliance. I see it as SAS base engine trying really hard to act like a RDBMs engine, but still carrying the legacy of a file based database system with itself.   ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎12-31-2017 11:47 PM
‎12-31-2017 11:47 PM
This works perfectly fine and stores data set in home folder of the user. libname mylib base '~/'; data mylib.cars; set SASHELP.cars; proc freq data=mylib.cars; run; ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎12-30-2017 06:41 PM
‎12-30-2017 06:41 PM
Thanks, What would prevent the users to create a libref to a location that they have access to? ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎12-30-2017 06:10 PM
‎12-30-2017 06:10 PM
And I noticed I have been using MLB instead of MBL 🙂 ... View more

Re: Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎12-30-2017 06:08 PM
‎12-30-2017 06:08 PM
The business requirement is optimal security, i.e. the right balance of usability and security. Encryption at rest is not currently a mandatory requirement, but it may become one in the future. Even then, I don't see MLB fulfilling that requirement entirely, as we still have to watch other folders for unencrypted datasets. The set-up also has to be future proof and allow for easy integration with other SAS products and I am not sure if predefined libraries are needed for products like SAS VA (no experience with those). Some of our users are heavy SAS desktop users who are used to organizing data, scripts, and results for their projects in folders and MLB forces them to have data in libraries and obviously they don't like it. ... View more

Metadata bound libraries, is it worth the administrative overhead?

by Fluorite | Level 6 in Administration and Deployment
‎12-30-2017 03:51 AM
1 Like
‎12-30-2017 03:51 AM
1 Like
I would like to understand if there's a good case for using metadata bound libraries in general and the following set-up in particular:   SAS 9.4 on a Linux server Access to the server only through EG and SAS Studio No shell or XCMD access for users Data is primarily sorted on a database server, users will take cuts of data and store on SAS server for further analysis Users are organized in relatively large number of groups that work on one or more projects. Few users are in more than one group A group should not have access to other groups' SAS data and analysis output. Without metadata bound libraries (MLB), (almost) all we have to do is Provision users in SAS and on Linux Provision Linux groups and populate with users Create respective data and output folders on the Linux for each group with appropriate permissions In this case, the users of each group can create folders to organize their data sets and results however they wish. Essentially the SAS server storage space is used similar to a file system with only file system security in place.   With MLB, the following needs to be done: Provision users in SAS and on Linux Provision Linux groups and populate with users Create respective data and output folders on the Linux for each group with appropriate permissions Create SAS groups and populate with users Create SAS metadata folders and secure them based on the SAS groups Create SAS Secured Libraries with encryption Provision secured libraries to each group with appropriate permissions (create table, etc) Create and assign libraries that correspond to the secured libraries Do some magic with symbolic links so that users are not able to navigate the data folder, and not able to create sub-folders there, essentially preventing them to store data unencrypted Monitor the output folders to make sure SAS data files are not stored there In this case, users are not able to freely organize their data tables in folders, they only have a library to store their data. This means they have to adopt naming convention for their tables in the library and be extra careful not to overwrite each others tables. Essentially, the SAS server storage is used similar to a database schema. Administrators still need to monitor output folders to make sure data files are not stored there unencrypted. I understand the additional benefit of encryption at rest, but this seems to protect the data mainly from storage administrators. In case the SAS server is compromised, I don't think MLB provides any additional benefits as the encryption keys are maintained in metadata and someone who has come this far to gain access to the server, probably could figure out how to unencrypt the data as well.    Maybe I am missing the point of MLB. What do you think? Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-26-2019 07:36 PM
Likes given to
Likes from
Quick links