Update 16Apr2015: The Effective Permissions Explorers discussed in this blog post were first made available in Metacoda Plug-ins V3.0 and further enhanced in Metacoda Plug-ins V4.0. Details of additional improvements coming in the next release, including export to HTML and CSV, are discussed in this more recent blog post: Getting Ready for SASGF15
Update 08Aug2012: The Effective Permissions Explorers discussed in this blog post are now available for testing. More information is available in this Metacoda blog post: Metacoda Plug-ins V3.0 BETA2 (with free Metadata Explorer & ACT Reviewer!)
This post is a sneak peek at a couple of effective permissions explorers that we are putting into the next version of our Metacoda Security Plug-ins. We’ll also be demoing these at the SAS Global Forum 2012 in Orlando next week, so if you’re attending please pop by and visit us.
One of the most common requests we had been hearing at Metacoda was about providing extra information for effective permissions with SAS® metadata security. Effective permissions will tell you exactly what permissions are granted or denied for a particular user on a particular object, taking into account all of the factors such as Access Control Templates (ACTs), Access Controls Entries (ACEs or explicit permissions), object inheritance paths and identity hierarchies. Effective permissions give you this information without you having to understand all of the rules that SAS software follows to work them out. Of course, I still think an understanding of the rules is essential knowledge for SAS platform administrators to help with planning and impact awareness but that’s another story. Attending the SAS Platform Administration: Fast Track course from SAS Institute is a great way to learn these rules.
Why Another Effective Permissions Tool?
Effective permissions can already be seen in SAS Management Console 9.2 & 9.3 through the Explore Authorizations tab (accessible to administrators via the Advanced button on any objects Authorization tab). This is a great feature and I can’t recommend it enough to people who are troubleshooting metadata permissions on a single object. What we were hearing was that SAS platform administrators wanted fast and easy access to even more information about effective permissions including multiple users and multiple objects. Essentially it came down to 2 types of request:
- I want to choose a single user and, in a single view, see all their effective permissions across a large collection of objects: folders, libraries, tables, servers, stored processes, information maps, reports etc.
- I want to select a single object, a folder, library, table, server, stored process, information map, report etc., and then, in a single view, see all the effective permissions on that object for a large collection of users.
We took those requirements and created 2 new additions to our existing plug-ins:
- Identity Permissions Explorer: find an identity (user or group) and review it’s effective permissions on multiple objects.
- Object Permissions Explorer: browse or search for an object and review the effective permissions on it for multiple identities.
At the same time we also wanted to make it easier to quickly scan the effective permissions, get an idea of someones access level without looking at all of the individual permissions, and be able to sort/group by access level to see who has the most access and who has the least access. Of course the individual effective permissions give you the precise answer, but it does take a little extra brain power on every object/user you are looking at, and it was hard to sort them in a meaningful way. We found they tended to fall into common patterns of permissions, so we took those common patterns and converted them into sortable access levels that could be more readily and quickly scanned. The access levels are available as a visual badge or icon displayed next to the object. It doesn’t take long before you recognize the badges themselves, but to help with the process, a longer text description can be displayed in tables and is visible in tooltips too.
Here are some of the more commonly seen access level badges (in highest to lowest access level order):
- Essentially full control. Can update metadata, update data and administer (where applicable).
- Almost full control, can update metadata, update data but can’t administer (where applicable).
- Can update metadata but can only view data (where applicable).
- Can update metadata but cannot view data (where applicable).
- Only seen on folders, can manage folder contents but not the folder itself. Has update access to data (where applicable).
- Only seen on folders, can manage folder contents but not the folder itself. Can view but not update data (where applicable).
- Only seen on folders, can manage folder contents but not the folder itself. Cannot view data (where applicable).
- Can view metadata and update data (where applicable).
- Can view metadata and only view data (where applicable).
- Can view metadata but has no access to data (where applicable).
- Hidden from the user. Has no access to metadata.
You can probably see a pattern by now. In terms of colours, greens indicate update access, yellow/olive indicates read access and white indicates no access. The main body of the badge indicates metadata and the bar on the badge indicates data. There are a few variations on that but it covers the bulk of it. For DI developers there are also some variants to indicate update metadata only via check-in too. There are even a few other, hopefully, less commonly seen badges, including a few that have a some splashes of red to indicate potentially odd combinations that could do with further investigation (such as a grant of WM and a denial of WMM).
Now let’s take a look at some examples showing the use of these 2 new effective permissions explorers.
Identity Permissions Explorer
Here’s a screenshot and scenario where the Identity Permissions Explorer can be used. The screenshot is quite large, so you can also click on it to display a larger version.
In this scenario we want to see what Ian Irons, an HR consultant in our fictitious organization, has access to in SAS metadata. These are the steps we take:
- Click on the Identity Permissions Explorer item in the SAS Management Console Plug-ins tab.
- There’s a long list of users and groups, so type ian into the filter bar and press enter
- Click on the row for Ian Irons so that he will be used when displaying effective permissions in all of the various tabs below for finding objects of interest.
- We want to browse the metadata folder tree and see what Ian has access to so we click on the Folders tab. All of the folders in the tree have access level badges, so we can immediately see there are a few folders that are hidden from him (), many folders where he can see metadata but not data () and a few ‘greener’ HR folders where he has more access. With the main HR folder he can manage the contents of the folder but can’t modify the folder itself () i.e. he can’t rename/delete/move the folder or change permissions. For all of the sub-folders under HR he has almost full control (). For more info on the members of the HR folder we click the HR folder in the tree.
- Now we see the HR folder members in more detail, including the individual effective permissions for Ian and the longer text description for the access level badges. This particular folder only contains other folders, but here we might see other objects such as libraries, tables, stored processes, information maps, reports etc.
Objects Permissions Explorer
This next screenshot and scenario show how the Objects Permissions Explorer can be used. Once again, click on the screenshot to view a larger version.
In this scenario we want to see who has access to the HR Library and at what level. These are the steps we take:
- Click on the Object Permissions Explorer item in the SAS Management Console Plug-ins tab.
- We know where our library is in the metadata folder tree so use the Folders tab and navigate down to the HR area and click on the Data folder which we know contains our HR Library.
- The folder members table on the right now shows the contents of the HR/Data folder including the HR Library we are looking for so we select it.
- After selecting the HR Library object, the table in the lower half of the screen updates to show us all of the identities and their individual effective permissions on the selected library. If we’re interested in a particular identity we could search for them, but in this case we want to see every user and the level of access they have. We are only interested in users (not groups), so we turn off groups by clicking the group icon in the filter bar. We then click on the access level badge column header to sort by the access level. We can then see that there are a few administrators that have full control (), a few DI developers and HR users that can update metadata and data (), a couple of executives that can view metadata and data (), a service account which can only view metadata not data (), and everyone else who cannot see the library at all ().
What’s not immediately apparent in the screenshots above is that the various ticks and crosses, as would be expected, also show the source of the effective permissions as ACT, ACE or indirect. It just so happens that in the examples above we were looking at lower level objects and individual users which would not ordinarily have ACTs or ACEs applied to them. This means that all the permissions are indirect (tick/cross on a gray circle background). Where the permissions originate directly from ACTs or ACEs applied on the object for the user or group then you might also see ticks and crosses on yellow background circles (for ACEs) and green background circles (for ACTs). The tooltip for the image provides a description too. Here’s a fragment of another effective permissions table that shows this (it actually comes from the metadata root folder ‘SAS Folders‘):
I hope you like what we have been working on. If you’d like to find out more about these new permission explorers, or evaluate a beta version when it becomes available later, then you can either send me a message or contact us via the Metacoda contact form. If you are attending the SAS Global Forum 2012 in Orlando next week don’t forget to stop by the Metacoda stand. We’ll be in the SAS Alliance Café area of the SAS Support and Demo Area.