platformadmin.com

Paul Homes blogging on SAS® platform administration topics

Interesting SAS 9 Metadata Server Access Control Loggers

In my previous post on Finding Interesting SAS 9 Loggers, I highlighted 3 loggers I find useful for SAS 9 metadata access control change auditing, especially when using the new Metacoda Plug-ins 6.2 Activity Reviewer. There is also a 4th logger where you might already have trace level logging enabled, because it is configured that way when you set up the SAS Environment Manager Service Architecture Audit, Performance, and Measurement (APM) component. In this post I want to go into more detail on each of those 4 loggers and explain what information they log and why I find them useful.

SAS Management Console Server Manager Logger Dialog

The loggers in question are:

  • Audit.Meta.Security.AccCtrlAdm
  • App.OMI.SecurityAdmin.SetAuthorizationsOnObj
  • App.OMI.SecurityAdmin.ApplyACTToObj
  • App.OMI.SecurityAdmin.RemoveACTFromObj

They all become interesting when they have a logging level of Trace and you are making changes to SAS 9 metadata access controls, both Access Control Templates (ACTs) and Access Control Entries (ACEs, also known as explicit permissions). In the previous blog post I showed how you could temporarily enable Trace level logging for them using the SAS Management Console Server Manager plug-in Loggers tab. If you want to make this permanent, you can add the XML fragment below to the SAS Metadata Server's logging configuration file (e.g. /opt/sas94m8/config/Lev1/SASMeta/MetadataServer/logconfig.xml). The default configuration for the SAS Metadata Server, in the sasv9.cfg file, uses the logconfigloc system option to direct it to the logging configuration in the logconfig.xml file. However, post-installation configuration changes, such as enabling the SAS Environment Manager APM component, may have changed this setting to point at a different logging config file. Check your sasv9*.cfg files in the MetadataServer directory and review the logconfigloc system option to confirm which log config file is actually in use.

<logger name="Audit.Meta.Security.AccCtrlAdm">
  <level value="trace"/>
</logger>

<logger name="App.OMI.SecurityAdmin.ApplyACTToObj">
  <level value="trace"/>
</logger>

<logger name="App.OMI.SecurityAdmin.RemoveACTFromObj">
  <level value="trace"/>
</logger>

<logger name="App.OMI.SecurityAdmin.SetAuthorizationsOnObj">
  <level value="trace"/>
</logger>

For more information about logging configuration see the SAS 9.4 Intelligence Platform: System Administration Guide and the Administering Logging for SAS Servers section.

Any changes you make to the logging configuration will take effect the next time the SAS Metadata Server is restarted (or earlier if you use proc iomoperate).

Now to look at some examples. In all of the following examples, the logging config has been modified to add (%c) to the layout so we can see which logger generated each line. There is more info on making this customization in a previous post, Which logger did that SAS log message come from?

Add ACE to Metadata Folder

Ordinarily, when the sasadm@saspw user adds an ACE (PUBLIC:+RM) to the metadata folder /Test the Metadata Server log just has:

2023-09-29T15:03:48,444 INFO  [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Access Control change on ObjectType=Tree, Name=Test, ObjId=A5TBCWBY.AA0001R5.
2023-09-29T15:03:48,460 INFO  [00005293] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

You know an access control change was made to the folder, but little else.

When you have SAS Environment Manager APM configured, with its trace level logging for Audit.Meta.Security.AccCtrlAdm, then you will get more useful info:

2023-09-29T15:03:48,444 INFO  [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Access Control change on ObjectType=Tree, Name=Test, ObjId=A5TBCWBY.AA0001R5.
2023-09-29T15:03:48,448 TRACE [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Trace log showing effective permissions protecting object: OMSOBJ:Tree/A5TBCWBY.AA0001R5.
    SASAdministrators IdentityGroup Administer=AG|NG, CheckInMetadata=AG|ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=AG|ND, WriteMemberMetadata=NG, Create=ND
    SAS System Services IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    Vegas_AU_ACT IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    VegasExecs IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    PUBLIC IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=EG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    SASUSERS IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
2023-09-29T15:03:48,460 INFO  [00005293] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

You can now see the trace logging from the Audit.Meta.Security.AccCtrlAdm logger where it shows effective permissions resulting from the changes. However, without a comparison to a previous state, you do not know how the access controls have been changed.
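One way to get that comparison from the logs themselves is to parse two of these effective-permissions trace blocks and diff them cell by cell. The following is an added example, not code from the original post or from Metacoda; the two sample traces are constructed (abridged to three identity rows) from the log excerpts on this page, and accepting Person rows alongside IdentityGroup rows is an assumption, since only IdentityGroup rows appear here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the effective-permissions trace for folder /Test while the
# PUBLIC ReadMetadata grant was present, and again after it was removed. Rows are
# abridged to three identities; the format is that of the log lines on this page.
BEFORE = """\
2023-09-29T15:03:48,448 TRACE [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Trace log showing effective permissions protecting object: OMSOBJ:Tree/A5TBCWBY.AA0001R5.
    SASAdministrators IdentityGroup Administer=AG|NG, CheckInMetadata=AG|ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=AG|ND, WriteMemberMetadata=NG, Create=ND
    SAS System Services IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    PUBLIC IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=EG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
"""
AFTER = """\
2023-09-29T15:16:03,029 TRACE [00005387] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Trace log showing effective permissions protecting object: OMSOBJ:Tree/A5TBCWBY.AA0001R5.
    SASAdministrators IdentityGroup Administer=AG|NG, CheckInMetadata=AG|ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=AG|ND, WriteMemberMetadata=NG, Create=ND
    SAS System Services IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    PUBLIC IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=ND, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
"""

Snapshot = Dict[str, Dict[str, str]]   # identity -> permission -> value (e.g. AG|NG, EG, ND)

HEADER_RE = re.compile(r"^\S+ TRACE \[\d+\] \(Audit\.Meta\.Security\.AccCtrlAdm\) .* protecting object: "
                       r"(?P<obj>OMSOBJ:\S+?)\.?$")
# Identity names can contain spaces ("SAS System Services"), so match lazily up to the type word.
# The page only shows IdentityGroup rows; also accepting Person rows is an assumption.
ROW_RE = re.compile(r"^\s+(?P<name>.+?) (?P<type>IdentityGroup|Person) (?P<perms>.+)$")

def parse_snapshot(text: str) -> Tuple[str, Snapshot]:
    """Return (object spec, snapshot) from one effective-permissions trace block."""
    obj, snap = "", {}
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            obj = h.group("obj")
            continue
        r = ROW_RE.match(line)
        if r:
            snap[r.group("name")] = dict(p.split("=", 1) for p in r.group("perms").split(", "))
    return obj, snap

def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str, str]]:
    """(identity, permission, old, new) for every cell that differs; '-' marks a missing row."""
    changes = []
    for ident in sorted(set(before) | set(after)):
        old, new = before.get(ident, {}), after.get(ident, {})
        for perm in sorted(set(old) | set(new)):
            if old.get(perm) != new.get(perm):
                changes.append((ident, perm, old.get(perm, "-"), new.get(perm, "-")))
    return changes
```

Run against the two samples, the only difference reported is PUBLIC ReadMetadata going from EG to ND, which is exactly the explicit grant being removed.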

I like to add trace logging on App.OMI.SecurityAdmin.SetAuthorizationsOnObj as it gives you more detail on what was being changed:

2023-09-29T15:03:23,053 TRACE [00005282] (App.OMI.SecurityAdmin.SetAuthorizationsOnObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::SetAuthorizationsOnObj():
 TransContext=0000000000000012
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 flags=0
 authorizations=[0..0,0..4]
  [0,0]=IdentityGroup
  [0,1]=PUBLIC
  [0,2]=G
  [0,3]=ReadMetadata
  [0,4]=
2023-09-29T15:03:23,053 TRACE [00005282] (App.OMI.SecurityAdmin.SetAuthorizationsOnObj) 4:sasadm@saspw - IOM RETURN 0={compRef:7f86e8057ce0}->OMI::SetAuthorizationsOnObj():
2023-09-29T15:03:48,444 INFO  [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Access Control change on ObjectType=Tree, Name=Test, ObjId=A5TBCWBY.AA0001R5.
2023-09-29T15:03:48,448 TRACE [00005286] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Trace log showing effective permissions protecting object: OMSOBJ:Tree/A5TBCWBY.AA0001R5.
    SASAdministrators IdentityGroup Administer=AG|NG, CheckInMetadata=AG|ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=AG|ND, WriteMemberMetadata=NG, Create=ND
    SAS System Services IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    Vegas_AU_ACT IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    VegasExecs IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    PUBLIC IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=EG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    SASUSERS IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
2023-09-29T15:03:48,460 INFO  [00005293] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

In this case a Grant (G) on ReadMetadata to PUBLIC. You do need to be aware of timing with this, as the App.OMI.SecurityAdmin.SetAuthorizationsOnObj IOM CALL line happens after ticking the permission box in the Authorization tab, but it is possible that those changes may not have been saved (they could have been cancelled). In all likelihood the changes were saved because of what the subsequent Audit.Meta.Security.AccCtrlAdm lines show. Combining them all together gives a more complete picture of what happened, but you do need to be aware the App.OMI.SecurityAdmin.SetAuthorizationsOnObj lines are unsaved changes at the time they are logged.

For more info on SetAuthorizationsOnObj see the SAS Open Metadata Interface: Reference and Usage: SetAuthorizationsOnObj page, which explains the meanings of the SetAuthorizationsOnObj parameters, i.e.

  • [0,2]=G means Grant
  • [0,2]=D means Deny
  • [0,2]=R means Remove

Remove ACE from Metadata Folder

This is me removing the same ACE I added above:

2023-09-29T15:15:59,935 TRACE [00005382] (App.OMI.SecurityAdmin.SetAuthorizationsOnObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::SetAuthorizationsOnObj():
 TransContext=0000000000000013
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 flags=0
 authorizations=[0..0,0..4]
  [0,0]=IdentityGroup
  [0,1]=PUBLIC
  [0,2]=R
  [0,3]=ReadMetadata
  [0,4]=
2023-09-29T15:15:59,936 TRACE [00005382] (App.OMI.SecurityAdmin.SetAuthorizationsOnObj) 4:sasadm@saspw - IOM RETURN 0={compRef:7f86e8057ce0}->OMI::SetAuthorizationsOnObj():
2023-09-29T15:16:03,026 INFO  [00005387] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Access Control change on ObjectType=Tree, Name=Test, ObjId=A5TBCWBY.AA0001R5.
2023-09-29T15:16:03,029 TRACE [00005387] (Audit.Meta.Security.AccCtrlAdm) 4:sasadm@saspw - Trace log showing effective permissions protecting object: OMSOBJ:Tree/A5TBCWBY.AA0001R5.
    SASAdministrators IdentityGroup Administer=AG|NG, CheckInMetadata=AG|ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=AG|ND, WriteMemberMetadata=NG, Create=ND
    SAS System Services IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    Vegas_AU_ACT IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    VegasExecs IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=AG|ND, ReadMetadata=AG|NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    PUBLIC IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=ND, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
    SASUSERS IdentityGroup Administer=ND, CheckInMetadata=ND, Delete=ND, Read=ND, ReadMetadata=NG, Write=ND, WriteMetadata=ND, WriteMemberMetadata=ND, Create=ND
2023-09-29T15:16:03,042 INFO  [00005394] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

Add ACT to Metadata Folder

These loggers become even more useful with ACTs. Without the addition of the trace level loggers discussed in this post, when the sasadm@saspw user applies an ACT to the metadata folder /Test the Metadata Server log would ordinarily only log the following:

2023-09-29T15:31:01,763 INFO  [00004855] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

This tells you the folder was modified but there is no indication of any access control change. This is also the case with SAS Environment Manager APM configured, as the Audit.Meta.Security.AccCtrlAdm logger does not seem to log anything about applying or removing ACTs from objects.

However, by turning on trace level logging with the App.OMI.SecurityAdmin.ApplyACTToObj you can get more information:

2023-09-29T15:34:58,760 TRACE [00004837] (App.OMI.SecurityAdmin.ApplyACTToObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::ApplyACTToObj():
 TransContext=0000000000000011
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 flags=0
 ACTresource_spec=OMSOBJ:AccessControlTemplate/A5TBCWBY.AO000008
2023-09-29T15:34:58,761 TRACE [00004837] (App.OMI.SecurityAdmin.ApplyACTToObj) 4:sasadm@saspw - IOM RETURN 0={compRef:7f86e8057ce0}->OMI::ApplyACTToObj():
2023-09-29T15:35:01,759 INFO  [00004850] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

This indicates that the sasadm user applied an ACT with id A5TBCWBY.AO000008 to a metadata folder (Tree object) with id A5TBCWBY.AA0001R5. Whilst it is not readily apparent which ACT and which folder these are, both can be looked up by their id values. When using the Metacoda Activity Reviewer plug-in to view the related log lines, you can right-click and select Advanced Properties to open a dialog with information about the objects.

As with the App.OMI.SecurityAdmin.SetAuthorizationsOnObj logger, the App.OMI.SecurityAdmin.ApplyACTToObj IOM CALL line gets logged after closing the ACTs dialog, but before the changes are saved to the object, so once again it is possible the changes could have been cancelled. The subsequent Audit Public Object lines do suggest the ACT changes were likely saved, but this is not guaranteed. If you do want to be sure about changes relating to the application or removal of ACTs on objects, I would of course recommend using the Metacoda Security Testing Framework, as it can be scheduled to check that the current definition and application of ACTs matches the before-state captured when the tests it runs were exported. For example, you could batch export overnight and run the tests the following night. Any test failures will be ACT changes remaining after that 24 hour period. The logs can then be used to trace when the changes were made and by whom.

For more info on ApplyACTToObj see the SAS Open Metadata Interface: Reference and Usage: ApplyACTToObj page.

Remove ACT from Metadata Folder

This is me removing the same ACT I added above:

2023-09-29T15:38:36,865 TRACE [00004701] (App.OMI.SecurityAdmin.RemoveACTFromObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::RemoveACTFromObj():
 TransContext=0000000000000010
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 flags=0
 ACTresource_spec=OMSOBJ:AccessControlTemplate/A5TBCWBY.AO000005
2023-09-29T15:38:36,866 TRACE [00004701] (App.OMI.SecurityAdmin.RemoveACTFromObj) 4:sasadm@saspw - IOM RETURN 0={compRef:7f86e8057ce0}->OMI::RemoveACTFromObj():
2023-09-29T15:38:39,240 INFO  [00004714] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.

In this case it is a different logger, App.OMI.SecurityAdmin.RemoveACTFromObj, that is logging the as-yet-unsaved removal of the ACT from the object followed by Audit.Meta.Updates.PublicObjects lines that show the object was modified.
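Since all three App.OMI.SecurityAdmin IOM CALL lines log as-yet-unsaved changes, a small correlation script makes the caveat explicit: it collects each call with its indented parameters and marks it only when a later Audit.Meta.Updates.PublicObjects "has been updated" line names the same ObjId. This is an added example, not code from the original post or from Metacoda; the sample log is constructed and abridged from the excerpts on this page, and "no later update seen" means only that the log gives no evidence the change was saved, as the post explains.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, abridged from the excerpts on this page: two IOM calls that are each
# followed by a PublicObjects "updated" line, and one RemoveACTFromObj call that is not.
LOG = """\
2023-09-29T15:03:23,053 TRACE [00005282] (App.OMI.SecurityAdmin.SetAuthorizationsOnObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::SetAuthorizationsOnObj():
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
  [0,1]=PUBLIC
  [0,2]=G
  [0,3]=ReadMetadata
2023-09-29T15:03:48,460 INFO  [00005293] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.
2023-09-29T15:34:58,760 TRACE [00004837] (App.OMI.SecurityAdmin.ApplyACTToObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::ApplyACTToObj():
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 ACTresource_spec=OMSOBJ:AccessControlTemplate/A5TBCWBY.AO000008
2023-09-29T15:35:01,759 INFO  [00004850] (Audit.Meta.Updates.PublicObjects) 4:sasadm@saspw - Audit Public Object Type=Folder Name=Test ObjId=A5TBCWBY.AA0001R5 has been updated.
2023-09-29T15:38:36,865 TRACE [00004701] (App.OMI.SecurityAdmin.RemoveACTFromObj) 4:sasadm@saspw - IOM CALL {compRef:7f86e8057ce0}->OMI::RemoveACTFromObj():
 resource_spec=OMSOBJ:Tree/A5TBCWBY.AA0001R5
 ACTresource_spec=OMSOBJ:AccessControlTemplate/A5TBCWBY.AO000005
"""

CALL_RE = re.compile(r"^(?P<ts>\S+) TRACE \[\d+\] \(App\.OMI\.SecurityAdmin\.(?P<op>\w+)\) "
                     r"\d+:(?P<user>\S+) - IOM CALL ")
UPDATED_RE = re.compile(r"^(?P<ts>\S+) INFO +\[\d+\] \(Audit\.Meta\.Updates\.PublicObjects\) "
                        r".* ObjId=(?P<id>\S+) has been updated\.$")
ACTION = {"G": "Grant", "D": "Deny", "R": "Remove"}   # meaning of [0,2], as listed on this page

@dataclass
class Event:
    ts: str
    user: str
    op: str                                   # SetAuthorizationsOnObj / ApplyACTToObj / RemoveACTFromObj
    params: Dict[str, str] = field(default_factory=dict)
    confirmed_at: Optional[str] = None        # timestamp of a later "updated" line for the same ObjId

    def describe(self) -> str:
        target = self.params.get("resource_spec", "?")
        if self.op == "SetAuthorizationsOnObj":
            p = self.params
            return f"{ACTION.get(p.get('[0,2]'), '?')} {p.get('[0,3]')} for {p.get('[0,1]')} on {target}"
        verb = "apply" if self.op == "ApplyACTToObj" else "remove"
        return f"{verb} ACT {self.params.get('ACTresource_spec')} on {target}"

def parse_events(log: str) -> List[Event]:
    """Collect IOM CALL events and mark those followed by an update of the same object."""
    events: List[Event] = []
    current: Optional[Event] = None
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = Event(m.group("ts"), m.group("user"), m.group("op"))
            events.append(current)
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition("=")    # parameter lines are indented
            current.params[key] = value
        else:
            current = None                                   # any other log line ends the parameter block
            u = UPDATED_RE.match(line)
            if u:
                for ev in events:
                    if (ev.confirmed_at is None and ev.ts < u.group("ts")
                            and ev.params.get("resource_spec", "").endswith("/" + u.group("id"))):
                        ev.confirmed_at = u.group("ts")
    return events
```

An event whose confirmed_at stays None is one the log cannot vouch for, which is the case for the final RemoveACTFromObj call in the sample.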

For more info on RemoveACTFromObj see the SAS Open Metadata Interface: Reference and Usage: ApplyACTToObj page.

I hope you found this post useful for tracing access control changes in SAS metadata. Please post any comments about any other SAS 9 loggers you have found interesting or useful in your work.

Author: Paul Homes. Posted on 24 October 2023, updated 29 December 2024. Categories: General. Tags: Audit, Logging, Metacoda Plug-ins, Metacoda Security Plug-ins, Metadata Security Testing, SAS, SAS 9.4, SAS Configuration, SAS Metadata Security.
