Did you know that with SASĀ® 9.3 you can promote (export/import) SAS metadata packages containing users, groups, roles, and ACTs, just like you can with Jobs, Tables, Libraries, Stored Processes, Reports and Information Maps? I needed to do this myself a few weeks ago. I wanted to promote some groups, roles and ACTs from an existing SAS 9.3 M1 installation to a newer SAS 9.3 M2 installation. Security metadata can be exported and imported via a SAS package file (.spk) from special virtual folders under the top-level /System folder. These virtual folders are distinguishable from normal folders because they have white folder icons instead of yellow folder icons as shown below.
You can find out more information about this feature, including a few considerations you need to be aware of, by reading the Promoting Security Objects and Server Objects sub-section of the main Promotion Details for Specific Object Types section in the SAS 9.3 Intelligence Platform: System Administration Guide, Second Edition.
My security metadata promotion was a little more complicated than normal because I was also promoting some security metadata located in a custom repository. I normally avoid using custom repositories as much as possible (preferring to store everything in the Foundation repository and partitioning content with folders and ACTs). This is especially the case for security metadata: I’ve found that security metadata in custom repositories, being less visible, tends to get forgotten until it gets rediscovered whilst troubleshooting tricky security problems. Helping a customer resolve such problems was the reason we made security metadata from custom repositories highly visible in our Metacoda Security Plug-ins. We have since needed to keep some security metadata in custom repositories for the purposes of development and testing of our software. This is the custom repository security metadata I was attempting to promote, but it took me a little while to find it in the virtual folders ….
I started out by looking for my custom repository user groups in the normal /System/Security/User Groups folder but they weren’t there. I initially thought it might be because I needed to use the repository selector in the plug-ins tab to switch repository:
… after all, that’s how I would have located them in the User Manager plug-in. I still couldn’t find them.
Then it hit me and I realized what I was doing wrong. Where would I normally find custom repository folder content (in SAS 9.3)? Under a top level folder with the same name as the custom repository of course! I went looking there instead: my custom repository was named TestingCustom …
… and there they were: the folder /TestingCustom/System/Security/User Groups with the user groups I had been looking for. It’s obvious when you think about it. I exported them into an spk file, and then imported them into my SAS 9.3 M2 installation.
You might notice that the /TestingCustom/System/Security folder only has sub-folders for Access Control Templates, Roles and User Groups, whereas the normal /System/Security folder for the Foundation repository also has Authentication Domains and Users. That’s because, as of SAS 9.2, Authentication Domains and Users should only exist in the Foundation repository so there are no custom repository virtual folders for them.
Have you promoted security metadata (for Foundation or custom repositories) in your own SAS 9.3 installations? How did you find it? Do you have any tips that might help others? If so, please leave a comment below. If you have any stories about tracking down security problems related to custom repository security metadata I’d love to hear about them too.