Recently I was talking to someone about how users can manage their own logins in metadata using the SAS Personal Login Manager client application. I wanted to show them what it looks like but, to my surprise, I couldn’t find any screenshots of it on the SAS support site, and I didn’t have an installation to hand.
If you are not familiar with it, the SAS Personal Login Manager provides a self-service facility for SAS platform users to manage any of their own accounts/logins (user id and password) stored in metadata. It is available for both SAS 9.1.3 and SAS 9.2. It’s particularly useful when users need to update any of their own passwords that have to be stored in metadata. Of course, as platform administrators we strive to limit the number of passwords stored in metadata, but sometimes it can’t be avoided and so, in those instances, we also need a way to allow users to manage them for themselves.
In most cases we can take advantage of cached credentials, SAS token authentication, and Integrated Windows Authentication (IWA) to help us provide transparent authentication for our users with no requirement for passwords to be stored in metadata. Unfortunately, in some cases we do need to have passwords in metadata: providing transparent access to an Oracle database is one example. Of course, as soon as we have passwords stored in metadata they have to be maintained, and security policies often require those passwords to be changed on a regular basis.
As platform administrators we can see the presence of saved credentials (except the password) for an individual by using the SAS Management Console User Manager plug-in to review the user’s Accounts tab (in SAS 9.2) or Logins tab (in SAS 9.1.3). Here is a screenshot showing a demo user with his inbound (identifying) login and a few outbound logins used to provide access to other servers.
So for those passwords that have to be stored in metadata for individual users (as opposed to shared logins for groups), how do we go about allowing the users to update them when they need to be changed?
- As administrators it is possible, but not recommended, for us to update the password on behalf of the user. That would mean 1) they would have to tell us their password and 2) it would become a burden for us very quickly.
- Alternatively we could allow users to manage their own logins by providing them with access to SAS Management Console. There are some downsides to this too. From a security perspective you might not want those users to have access to the SAS Management Console at all. With SAS 9.1.3 we rarely gave others access to SAS Management Console, but with the addition of roles and capabilities in SAS 9.2 we can now do so and limit their access (visibility) to the other plug-ins to make it more palatable. However, even with access to the SAS Management Console they will need to be able to navigate to the User Manager plug-in, find their own identity, bring up its properties dialog and find the appropriate tab. This sounds like a recipe for lots of support calls.
- If your users have SAS Enterprise Guide available to them, it can also be used to manage their accounts/logins stored in metadata.
- If your users don’t or shouldn’t have access to SAS Management Console or SAS Enterprise Guide then this is where the SAS Personal Login Manager shines. It does one thing and one thing only – it lets people manage their own logins using a very simple interface. You might think of it as providing a user with direct access to the contents of their own Accounts tab (or Logins tab for SAS 9.1.3) from SAS Management Console.
Here is a screenshot of the initial view of the SAS Personal Login Manager application immediately after the demo user Nate has logged in. He sees all of his own accounts/logins and can add, remove and edit any of them. That’s it. Nice and simple.
The following is a screenshot of him changing the password for his Oracle login.
Whilst this application can be used for managing an individual user’s own accounts/logins, it can’t be used for managing shared accounts/logins for groups. Those shared logins have to be managed from the SAS Management Console, so if you want to delegate the management of those accounts/logins to group administrators then they will need to have access to the SAS Management Console. In SAS 9.2 you can, however, limit access to the rest of SAS Management Console via roles and capabilities.
The SAS Personal Login Manager is a desktop application and so requires the client software to be installed on, or be accessible from, the individual’s workstation. You might use something like Citrix, VMware ACE or automated software deployment to help manage this. I don’t know of any web-based apps from SAS Institute that allow users to manage their own logins, but if you do then please let me know.