In a previous post I mentioned how the Accounts tab in SAS® Management Console 9.3 now displays a blank in the password field when logins don’t have a stored password, and only displays ******** when there is a stored password. Compare this to SAS 9.2 where it always displays ******** regardless of whether there’s a stored password or not.
This is a great enhancement in SAS 9.3 because it allows us to know whether a password is stored in metadata or not. Sometimes it’s necessary to store passwords in metadata, but we generally try to minimize this. Passwords stored in metadata might be wrong and can get stale when password changes are enforced.
So now thanks to SAS 9.3 we can spot stored passwords when looking at individual users and groups. At Metacoda, we also wanted to be able to see, in one view, all logins that have stored passwords, across all users and groups, and in all repositories. This would show us how prevalent stored passwords are and which users and groups have them.
We’ve just enhanced the Login Reviewer for the next version of our Metacoda Security Plug-ins software to add a Password indicator column. Here’s a screenshot of this Password indicator column shown in SAS Management Console 9.3. I’ve sorted the Password indicator column to group together all the logins with and without stored passwords.
You might notice that one of the logins above is for a group found in a custom repository. I don’t recommend this approach; it’s just there for testing purposes. When I’m reviewing security metadata, I definitely want to know if there are things like this tucked away in custom repositories :)
Finally, for completeness, here’s another similar screenshot of the Login Reviewer’s Password indicator column, but this time in SAS Management Console 9.2. With SAS 9.2, when logged in as an unrestricted user, we can’t tell if there are stored passwords or not. This is why the screenshot below shows the column full of ‘Unknown’ values. With SAS 9.2 we can only show Yes/No values when logged in as a normal user (in which case they will only get to see their own logins and any logins for groups they are a member of).
If you’d like to try this out, along with the other enhancements we’ve got planned for our next Metacoda Security Plug-ins version, then please let me know. We’re keen to talk to anyone who’d like to try out the beta when it’s available.
2 thoughts on “Login Reviewer: Finding Accounts with Stored Passwords”
Oh … very cool!
This is a nice feature. I don’t know in 9.3 but down in 9.2, only group logins can be stored in a custom since plain users cannot be created outside the Foundation (might be due to the My Folder content location restrictions). This nevertheless allows registering so-called ‘technical groups’ for sharing system or DBMS logins in a custom as you show above. But there another restriction applies since Authentication Domains (xxxAuth) are supported – at least in 9.2TS2M3 – only in a Foundation repository (try adding one in a custom with the Server Manager Plug-in and a warning shall be displayed in the SMC). A separate registration for a given application, for instance (including authentication domain + context server + technical group), can be stored only in the Foundation for all its parts and not in a custom, of course if it is to be supported. I agree with you that a login stored in a custom might probably result from an error rather than from a deliberate choice knowing those restrictions.
Ronan aka the Pompous French ;-)
PS.: I was just googling the expression ‘Pompous French’ trying to avoid an improper use of the words in English; well, I shouldn’t have, and now I know that I am not the only one using it in this world, let alone self-deprecatingly ;->