Many of the Metacoda Plug-ins have Filter Bars which provide a way to filter the contents displayed and show an interesting subset. Normally they do simple case-insensitive “contains” filtering on key attributes like name and description (the filter bar label indicates which attributes are used).
Simple text filtering, as described above, is sufficient for many needs. However, for more advanced requirements there is the ability to switch to expression-based filters which are much more flexible. To use expression-based filtering you add a #@ prefix at the beginning of the filter bar field. What follows is then an expression that can use many of the other attributes/columns available in the tables. This expression is written as a Java like expression (BeanShell to be precise) and must resolve to a boolean true/false to determine whether a row should be shown in the table. Any errors in the expression will be shown in a popup error dialog.
This will allow you to do complex expressions like this in the User Reviewer:
#@ name.toLowerCase().startsWith("r") && !title.contains("Manager") && loginCount > 1… meaning show me all users whose name starts with R (case-insensitive), that don’t have Manager in their job title (case-sensitive), and have more than 1 login available to them.
Lists of the attributes available in the various Metacoda Plug-ins and tables are given in the Metacoda Plug-ins Filter Bars documentation. This post and future ones will also provide some additional examples of expressions that can be used to highlight interesting SAS security metadata subsets.
Something things to be aware of when using expressions-based filters:
- Attribute and method names are case sensitive e.g. hasLogins not haslogins
- Use Java expression syntax i.e. string.equals(“value”) and not string = “value” nor string == “value”
- String comparisons are case sensitive so transform the value with toLowerCase() or toUpperCase() for case-insensitive comparisons e.g. string.toLowerCase().equals(“value”)
- Compound expressions can be built using parentheses, && (and) and || (or). e.g. #@ hasLogins && name.startsWith(“sas”)
- To export filtered results to HTML, CSV etc you must turn off the force-refresh preferences as described in the Metacoda Plug-ins Tip: Forced Refresh (or not) post.
To start off a series of examples on Advanced Expression-Based Filters, here are some that you may find useful to copy and paste into the filter bar in the Metacoda ACT Reviewer as starting point for finding interesting sets of SAS Access Control Templates:
Unused ACTs: shows only those ACTs which have not been applied to any objects
#@ !inUseUnprotected ACTs: shows only those ACTs that have not had any access controls applied to them
#@ accessControlCount == 0… or …
#@ !isProtectedUser ACTs: shows only those ACTs that contain permissions for users (hiding those that follow best practices and only use groups)
#@ refersToPersonRedundant ACTs: shows ACTs that have no definition – no users/groups and permissions.
#@ isRedundantNon-Foundation ACTs: shows ACTs from custom and project repositories (i.e. anything other than Foundation)
#@ !repositoryName.equals("Foundation")Deny ReadMetadata ACTs: shows any ACT that denies the ReadMetadata permissions to anyone.
#@ permissionsSummary.contains("-RM")Custom Organization ACTs: show ACTs for our fictitious Vegas Enterprises demo organization (which follows a prefixed-name standard for custom ACTs).
#@ #@ name.toUpperCase().startsWith("VEGAS")Custom Read-Access ACTs: shows read-access ACTs (when using a naming standard for ACTs with meticulous use of case and parentheses).
#@ name.contains("(Read)")The examples above all work with the current Metacoda Plug-ins 6.0 release. In the next release we are extending support for expression-based filters into more filter bars and adding more attributes to those that already support them – stay tuned!
If you have any other useful examples that you have used in the ACT Reviewer please post them as a comment below.