Recently I was talking to someone about how users can manage their own logins in metadata using the SAS Personal Login Manager client application. I wanted to show them what it looks like but, to my surprise, I couldn’t find any screenshots of it on the SAS support site, and I didn’t have an installation to hand.
If you are not familiar with it, the SAS Personal Login Manager provides a self-service facility for SAS platform users to manage any of their own accounts/logins (user id and password) stored in metadata. It is available for both SAS 9.1.3 and SAS 9.2. It’s particularly useful when users need to update any of their own passwords that have to be stored in metadata. Of course, as platform administrators we strive to limit the number of passwords stored in metadata, but sometimes it can’t be avoided and so, in those instances, we also need a way to allow users to manage them for themselves.
In most cases we can take advantage of cached credentials, SAS token authentication, and Integrated Windows Authentication (IWA) to help us provide transparent authentication for our users with no requirement for passwords to be stored in metadata. Unfortunately, in some cases we do need to have passwords in metadata: providing transparent access to an Oracle database is one example. Of course, as soon as we have passwords stored in metadata they have to be maintained, and security policies often require those passwords to be changed on a regular basis.
As platform administrators we can see the presence of saved credentials (except the password) for an individual by using the SAS Management Console User Manager Plug-in to review the user’s Accounts tab (in SAS 9.2) or Logins tab (in SAS 9.1.3). Here is a screenshot showing a demo user with his inbound (identifying) login and a few outbound logins used to provide access to other servers.
So for those passwords that have to be stored in metadata for individual users (as opposed to shared logins for groups), how do we go about allowing the users to update them when they need to be changed?
- As administrators we could update the password on behalf of the user, but this is not recommended: 1) they would have to tell us their password and 2) it would become a burden for us very quickly.
- Alternatively we could allow users to manage their own logins by providing them with access to SAS Management Console. There are some downsides to this too. From a security perspective you might not want those users to have access to the SAS Management Console at all. With SAS 9.1.3 we rarely gave others access to SAS Management Console, but with the addition of roles and capabilities in SAS 9.2 we can now do so and limit their access (visibility) to the other plug-ins to make it more palatable. However, even with access to the SAS Management Console they will need to be able to navigate to the User Manager plug-in, find their own identity, bring up its properties dialog and find the appropriate tab. This sounds like a recipe for lots of support calls.
- If your users have SAS Enterprise Guide available to them, it can also be used to manage their accounts/logins stored in metadata.
- If your users don’t or shouldn’t have access to SAS Management Console or SAS Enterprise Guide then this is where the SAS Personal Login Manager shines. It does one thing and one thing only – it lets people manage their own logins using a very simple interface. You might think of it as providing a user with direct access to the contents of their own Accounts tab (or Logins tab for SAS 9.1.3) from SAS Management Console.
Here is a screenshot of the initial view of the SAS Personal Login Manager application immediately after the demo user Nate has logged in. He sees all of his own accounts/logins and can add, remove and edit any of them. That’s it. Nice and simple.
The following is a screenshot of him changing the password for his Oracle login.
Whilst this application can be used for managing an individual user’s own accounts/logins, it can’t be used for managing shared accounts/logins for groups. Those shared logins have to be managed from the SAS Management Console, so if you want to delegate the management of those accounts/logins to group administrators then they will need to have access to the SAS Management Console. In SAS 9.2 you can, however, limit access to the rest of SAS Management Console via roles and capabilities.
The SAS Personal Login Manager is a desktop application and so requires the client software to be installed on, or be accessible from, the individual’s workstation. You might use something like Citrix, VMware ACE or automated software deployment to help manage this. I don’t know of any web-based apps from SAS Institute that allow users to manage their own logins, but if you do then please let me know.
Paul, I think you alluded to this in your post, but here’s a clarification. You can also manage your logins with SAS Enterprise Guide by:
– Select Tools->SAS Enterprise Guide Explorer. The SAS Enterprise Guide Explorer window appears.
– Select File->Manage Logins. The Login Manager window appears.
The Login Manager window works very similarly to the Personal Login Manager application.
Hi Chris,
Thanks for providing more info on how to access the login management facility within SAS Enterprise Guide.
Cheers
Paul
How do you use the account information in SAS Personal Login Manager in a program?
Hi Charles,
It depends on how you want to use it. Can you be a bit more specific?
From an admin perspective, reporting on logins (without using any encrypted stored credentials), you can use the standard SAS %MDUEXTR macro to extract the login data (among other things) into a SAS table. Metacoda also provides a %metacodaIdentityLoginExtract macro in the idsync-utils GitHub project that extracts some extra attributes (and also handles long UTF-8 strings).
From a user perspective, to use the (outbound login) credentials to get access to third party systems, look for authentication domain support in the SAS feature you are using. For example, SAS/ACCESS AUTHDOMAIN= LIBNAME Option.
Cheers
Paul
I can’t seem to find the login manager in SAS EG 8.1 after the upgrade recently.
I need to set the password for the DefaultAuth.
Hi Gary,
Can you see the SAS Enterprise Guide Explorer? If not it may be that your group and role memberships do not provide access to the “Access SAS Enterprise Guide Explorer” capability. Talk to your SAS platform admins about whether you are running with a restricted set of capabilities in SAS EG. Our Metacoda Security Plug-ins are great for troubleshooting roles and capabilities so let me know if you’d like an eval to investigate further.
Alternatively, you can use the SAS Personal Login Manager app to manage logins.
I might also ask the question why you need to set the password for your DefaultAuth login in metadata? Most sites leave this blank for users and rely on in-memory cached credentials from the initial login to the metadata server. This avoids having to maintain an up-to-date password in metadata and the problems that come with that. This is not always possible, of course, and yours may be one of those situations, but I ask because I have seen people unnecessarily maintaining DefaultAuth login passwords in metadata when they could have just used cached credentials with well aligned auth domains.
Cheers
Paul