Author: Paul Homes

Synchronizing SAS Platform Identities

I’ve been spending lots of time lately on SAS® platform identity synchronizations. I’m fairly confident that I’ve done more Microsoft Active Directory (AD) to SAS Metadata Server synchronizations in the past few weeks, than I’ve done in my entire career working with SAS software! :) The reason for this is that we’ve been doing lots of testing and demos for a new Metacoda Identity Sync Plug-in we’ve built that makes it easier for people to get started synchronizing identities with SAS metadata. With all these tests and demos, the SAS metadata backup and restore facility has also been an invaluable feature for allowing us to easily rewind and repeat the process – I’ve done my fair share of backup/restores these past few weeks too :)

The idea for the Metacoda Identity Sync Plug-in came after years of writing and customizing SAS programs using the standard SAS User Import Macros (%MDU macros). I found I had built up a set of common practices I would choose from depending on the customers requirements: things like name/display-name prefixing/suffixing; tagging for deletion instead of deleting outright; login manipulation; audit reporting etc. This plug-in is a way of packaging those practices up, as configurable options, with both a point-and-click and a batch interface. The outcome is an ability to rapidly implement identity synchronization, for a new or existing SAS platform installation, in a matter of minutes (rather than hours or days of writing code).

It has been a very rewarding experience building this new plug-in, and the feedback we’ve had so far has been very positive. Some of the interesting challenges along the way included:

  • Making it easy to get started, but also flexible enough to handle some of the more specific requirements we see with our customers. The point and click interface includes the common options, but we also added support for customers to tweak things by dropping their own SAS code in at key points in the process too.
  • Letting people interactively visualize and review the changes before they are made, adding and removing exceptions as required, and building a configuration that can be used in batch processes too.
  • Working within AD resource limits whilst extracting reasonably large subsets of identities for synchronization with SAS. Some of our tests included pulling out many thousands of users (40K+), including groups that contained several thousand users each.
  • Providing support for encrypted connections to AD via LDAPS, or LDAP with STARTTLS.
  • Generating audit reports of the process, so you can track what changes occurred when, and with all of the information that led to those changes.
  • Writing our first commercial plug-in that updates metadata (all our other commercial plug-ins to-date have been read-only). In this plug-in we have opted to only update metadata via the standard, unmodified, well known and trusted SAS %MDU macros. Whilst we have lot of experience with the SAS metadata model, we decided to give our customers a gentle introduction to Metacoda driven metadata updates.

If you’d like to see the Metacoda Identity Sync Plug-in in action, here’s a short 10 minute screencast. I show the initial configuration, building an Identity Sync Profile, and a small initial load of AD users, driven by the selection of an initial set of AD groups. That saved profile can then be re-used for further interactive synchronizations (adding, updating and deleting identities as appropriate), as well as being used to drive regular batch synchronizations (topics for future screencasts perhaps?).

We’ve been getting some great feedback from the people we have shown so far, so I hope you’ve found this video interesting too. If you’d like to find out more about this new plug-in, or any of our other Metacoda Plug-ins, please contact me, or visit the metacoda.com web site. We’re still taking on beta testers for the the upcoming Metacoda Plug-ins 5.0 release too.

SAS Download Manager in Console Mode

SAS® 9.4 M3 is now available (as discussed by Andy Ratcliffe in his recent NOTE: blog post), so I’m downloading a new SAS depot using the SAS Download Manager. I’m downloading it onto a Linux server that happens to have X11 available, but I’m choosing to use console (text) mode, rather than the default X11 windowed mode.

Using SAS Download Manager in console mode is my preferred method because I find it more flexible. Why Console mode? I know from experience that a SAS depot download is going to take a few hours and, if I run SAS Download Manager in windowed mode, I risk losing the remote X connection if there are any network disruptions between me and the server. By running SAS Download Manager in console mode, in combination with screen over an SSH session, I can easily disconnect/reconnect as required. I can disconnect (Control-A D) when I leave the office to go home, and reconnect (screen -r) when I get home to check on progress. I can also get screen to capture a log of the session in a text file (screen -L).

Of course, I could have used a Windows or Mac version of the SAS Download Manager to download onto a laptop and then upload onto the server, but that ties the laptop to a single location for the duration of the download. Plus if I’m not near the server at the time, I’d have to download and then upload nearly 50GB of SAS depot. If I’m traveling with my 4G mobile broadband connection, the server also has a much faster and much cheaper internet connection than I do! These are some of the reasons I prefer console mode.

To run SAS Download Manager in console mode Continue reading “SAS Download Manager in Console Mode”

Testing Recommended Practices with SAS Metadata Security

If you use our Metacoda Security Testing Framework to continuously and automatically validate your SAS® platform metadata security implementations, then you’ll be interested in some new ‘recommended practice’ tests that are coming in the next release of Metacoda Plug-ins (version 5.0).

Are you are a fan of the Danish Golden Rules for SAS metadata security? Several of our new recommended practice tests can also help you enforce those rules for your SAS platform installations. The six golden rules can be found in SAS Global Forum 2011 paper 376-2011 “Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark” by Cecily Hoffritz and Johannes Jørgensen from SAS Institute Denmark. It’s excellent paper that I often recommend to other SAS platform administrators. By following the golden rules presented in that paper you’ll find SAS metadata security much easier to understand and manage.

You might also notice that some of these recommended practice tests look like test-based alternatives to the recommend practice indicators currently available in Metacoda Security Plug-ins. These new recommended practice tests are a little bit smarter and also allow for exclusions – where you know a recommended practice is not being followed but have a good reason for doing so. While the indicators require someone to regularly look for them, the recommended practice tests can be scheduled to email an alert to someone whenever deviations from the practices are detected.

Here are some details and examples of the new recommended practices tests that will be available in Metacoda Security Plug-ins 5.0. I also point out which tests will help with enforcing the Danish Golden Rules. Continue reading “Testing Recommended Practices with SAS Metadata Security”

Getting Ready for SASGF15

With SAS Global Forum 2015 just a few weeks away, I’m spending most of my time at the moment working on a demo version of our next Metacoda Plug-ins release. We’ll be showing this upcoming version at our Metacoda booth in The Quad (previously known as the SAS Support and Demo Area).

The next Metacoda Plug-ins release includes, among other things, the top three most requested features from our customers, namely:

  1. Export from the Object Permissions Explorer.
  2. Export from the Identity Permissions Explorer.
  3. Export from the Test Runner.

Export from the Object Permissions Explorer

After finding and selecting a metadata object in the Object Permissions Explorer you can now export a HTML report showing all of your users and/or groups, together with their effective permissions and access levels on that object.

Metacoda Object Permissions Explorer Export Feature

Our customers have told us that they regularly use this plug-in Continue reading “Getting Ready for SASGF15”

Config Notes: SAS Mid-Tier (Linux) IWA with Fallback

Update 26Sep2018: This post is now a few years old and naturally technology and security have progressed in that time. For more up to date information regarding delegation and, in particular, the requirement for constrained delegation when working with Windows Defender Credential Guard in Windows 10 and Windows Server 2016, please see Stuart Rogers’ very useful SAS Global Forum 2018 Paper: SAS 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop.

Continuing on the theme of configuring a SAS 9.4 M2 platform on Linux to use Integrated Windows Authentication (IWA), in this post I’m going to jot down some notes on steps 12-15 – configuring the SAS mid-tier on a Linux server for IWA with fallback to form-based authentication (when IWA is not available). This includes delegation, so that IWA users of mid-tier apps like SAS Studio are able to get IWA access to a SAS Workspace Server (and avoid having to store their passwords in metadata or switch to using SAS Token Authentication).

If you’re wondering what happened to steps 1-11, I’ll try get to those earlier steps in future posts. I’m starting at step 12 because someone recently asked me a question about configuring an IWA mid-tier and so it seemed like a good idea to get this blog post done first. Of course, when actual implementing, it’s always good to start at the beginning, building up the foundations, and verifying those first steps are working well before moving on to the next steps. So these steps assume you already have a working implementation where SAS desktop applications (like SAS Management Console & SAS Enterprise Guide) are able to connect to the SAS metadata server using IWA, and also to get IWA access to an appropriately configured SAS Workspace Server.

I have found the best mid-tier related documentation resources for this type of configuration are these ones:

… and there are a few others listed in a previous blog post.

One of the reasons I’m writing this post is to get down some notes on a config that worked for me. The documents referenced above cover a variety of scenarios including plain basic web authentication with an XML file-based UserDatabaseRealm, an LDAP JNDIRealm, IWA (SPNEGO) without fallback, as well as fallback to form-based SAS authentication. Getting the right mix of settings, that didn’t conflict with each other, took me a long time to determine (my mid-tier takes about 20 minutes to restart whenever I want to test a modified config). Along the way I encountered pop-up basic web authentication dialogs when IWA should have worked, and infinite browser-refresh loops for the SAS Logon Manager when IWA was disabled in the browser and I was expecting fallback to SAS authentication. This post is about the final config that worked for me. I know I’ll be referring to this post again, and I hope it proves helpful to others too.

Here goes … Continue reading “Config Notes: SAS Mid-Tier (Linux) IWA with Fallback”