Author: Paul Homes

SAS Deployment Manager 9.3

I noticed the user interface for the SAS® Deployment Manager 9.3 has changed slightly.

Here is a screenshot from my “old” SAS 9.2 M3 installation:

… and here’s the screenshot from my new SAS 9.3 installation:

I’m guessing that the new hierarchical folder structure is going to allow for more tools to added.

Interestingly there’s a new Apply Hot Fixes item at the bottom of the list of tools. This new tool is also mentioned in the SAS 9.3 hotfixes area under Important Changes to Hot Fixes. Initially I wondered if this was going to replace the SAS92HFADD tool, but then I saw there’s a SAS 9.3 Hot Fix Analysis, Download and Deployment Tool (SAS93HFADD) that’s currently marked as Under Development. I really liked SAS92HFADD (I did a couple of posts about my experiences with it here and here), so I’ll be interested to see SAS93HFADD when it’s available.

The documentation for the updated SAS Deployment Manager is in the SAS Deployment Wizard and SAS Deployment Manager 9.3: User’s Guide which is available from a link at the bottom of the SAS 9.3 Install Center Documentation page. This is one of those documents that I don’t refer to often enough to always remember where to find it. I hope it makes it onto the very useful, all-in-one page SAS 9.3 Documentation by Title.

All Systems Go with SAS 9.3

Over the past few weeks I must have done about half a dozen SAS® 9.3 installations and deployments (mainly Linux 64-bit server and Windows 7 32-bit client). Not because of any problems really, just trying out a variety of options. My experiences have been very good. I must say the SAS installation and migration process is getting really streamlined now. Refreshingly easy actually. I even repeated a couple of installs because it would be easier to change some items during install than manually modify them in the new installation (something I wouldn’t have done with SAS 9.1.3). Of course, whilst SAS installations/migrations are getting more straightforward, I’d still recommend getting SAS Professional Services or one of the SAS partners to help – being businesses that install, migrate and configure SAS software on a daily basis they are very efficient and have extensive support resources at their disposal. I can’t imagine how it could be cost effective for SAS customers to acquire those skills when it’s something they might only do once or twice every few years.

My first impressions of SAS 9.3 have been very good. The installs and migrations went very smoothly. At Metacoda our installations are based on standard deployment plans and used for development and testing of our Metacoda Security Plug-ins software. Whilst our SAS installations are not very complex, we do have deployments with lots of carefully constructed, weird and wacky metadata security configurations. Deployments that, were you to see them in real-life, would have you wondering what was that administrator thinking! They are perfect for developing and testing our Metacoda Security Plug-ins software though! With SAS Migration Utility (SMU) based migrations our Lev1 and Lev2 security metadata came over perfectly from SAS 9.2 to SAS 9.3. We also did a clean empty Lev3 deployment too. I’m hoping that in future, with virtual folders in SAS 9.3, and the ability to easily export ACTs, users, groups, and roles, we could switch to using package exports and imports to promote this security metadata from SAS 9.3 to SAS 9.4 and beyond.

From our perspective SAS 9.3 seems to be very compatible with SAS 9.2 too. We were very pleasantly surprised to find our Metacoda Security Plug-ins ran in SAS Management Console 9.3 almost without change. A few minor modifications based on underlying changes in the SAS metadata model (the Login object changed its parent from SecondaryType to PrimaryType) and now we are running our plug-ins in SAS Management Console 9.3. We are so happy with it that our V2 release currently in beta will support both SAS 9.2 and SAS 9.3 when it goes live soon.

I have heard some people say they are hesitant about upgrading from SAS 9.2 to SAS 9.3 based on their experiences with SAS 9.1.3 to SAS 9.2. Personally I remember the move from SAS 9.1.3 to SAS 9.2 seemed more like a major version upgrade than a point release. I always wondered why SAS 9.2 was not SAS 10 ;). In contrast, the move from SAS 9.2 to SAS 9.3 does feel more like a point release upgrade to me. Whilst there may have been lots of improvements under the covers and a several welcome new additions, as a SAS platform administrator it still feels very similar to SAS 9.2. No huge learning curve and the users get to use almost the same clients they were using with SAS 9.2 M3 too.

I’ll certainly be recommending upgrades from SAS 9.2 to SAS 9.3 and for those currently on 9.1.3 it makes much more sense to me to go straight to 9.3 – the direct migration path is supported and why do two migrations and two rounds of testing when you can do one?

Some of the main administration oriented improvements I’m keen to look at in detail include:

  • Integrated scheduled SAS metadata hot backups. Now everyone gets scheduled metadata backups out of the box with no down time for the metadata server.
  • Easy SAS metadata restores with roll-forward recovery.
  • SAS Management Console virtual folders for exporting and importing users, groups, ACTs etc.
  • New SAS Management Console Search tab.
  • Enhancements to pre-assigned libraries.
  • IWA support for UNIX servers.

Keep an eye out for a few more posts from me on SAS 9.3. I’m hoping I get some time to document some of my 9.3 experiences as I investigate further.

Update 30Aug2011: Andy Ratcliffe mentions this post in his blog post NOTE: Upgrading to SAS 9.3 where he also makes some good recommendations about obtainining pre-installation architecture plans and post-installation implementation documentation.

WriteMemberMetadata Permission

The WriteMemberMetadata (WMM) permission was a welcome addition back when SAS 9.2 was released, because it allowed an administrator to distinguish between a users ability to manage a metadata folder from their ability to manage its contents.

In SAS 9.1.3 there was only the WriteMetadata (WM) permission and, if you had the ability to manage a folders contents, then you also had the ability to manage the folder too (and that could mean being able to change its permissions as well).

Starting with SAS 9.2, if someone had an effective grant of WMM then they could add and remove items from a folder, but to rename, move, delete, or modify the permissions on a folder then they would also need an effective grant of WM too. To allow someone to manage the contents of a folder, but not the folder itself, then we just needed to ensure that person had an effective grant of WMM and an effective denial of WM. As an aside, to avoid conflicts, the effective denial would ultimately be coming from a denial to PUBLIC, in combination with grants to appropriate groups, rather than a denial to the user themselves.

WMM Permission Patterns

In explaining some common patterns in the use of the ReadMetadata (RM), WriteMetadata (WM) and WriteMemberMetadata (WMM) permissions on SAS metadata folders, I find the following “truth” table useful:

Row Effective Permissions Comment
RM WM WMM
1 Deny RM Deny WM Deny WMM -RM, -WM, -WMM: Folder not visible, can’t be modified, contents can’t be modified.
2 Deny RM Deny WM Grant WMM -RM, *WM, *WMM: Folder not visible, any WM and WMM grants are irrelevant.
3 Deny RM Grant WM Deny WMM
4 Deny RM Grant WM Grant WMM
5 Grant RM Deny WM Deny WMM +RM, -WM, -WMM: Folder and contents visible, folder cannot be modified, folder contents cannot be modified.
6 Grant RM Deny WM Grant WMM +RM, -WM, +WMM: Folder and contents visible, folder cannot be modified, folder contents can be modified.
7 Grant RM Grant WM Deny WMM +RM, +WM, -WMM: Folder and contents visible, folder can be modified, but folder contents cannot be modified!
8 Grant RM Grant WM Grant WMM +RM, +WM, +WMM: Folder and contents visible, folder can be modified, folder contents can also be modified.

When planning for effective permissions the green rows are the ones I aim for. They represent the common patterns, in increasing order of ability, as:

  • Row 1: Folder not visible to the user
  • Row 5: Folder and contents visible only
  • Row 6: Folder contents can be modified but not the folder itself
  • Row 8: Folder and contents can be modified

The grey rows (2,3,4) are variations on folder-not-visible: any WM and WMM grants are irrelevant because of the RM denial. I try to aim for the row 1 version. I find it looks neater and, when I don’t see any grant ticks, I don’t have to think at all about whether or not any permission is realistically available.

The pattern to avoid is row 7 with the red background. If someone ends up with those effective permissions they are in a confusing situation because they can manipulate the folder but not the folder contents.

WMM Permission Inheritance

The way in which WM and WMM inherit from their parents is a bit different to the other permissions. I find the diagrams below useful when explaining how the RM, WM and WMM permissions are inherited down an inheritance path.

In SAS 9.1.3 it was straightforward. Each permission on a folder, unless specifically set on that folder through an ACT or ACE, would inherit from the same permission on its parent folder:

With the introduction of WMM in SAS 9.2 this changed. Whilst the RM permission continued to inherit from RM in the parent folder, the WM and WMM permissions inherit from each other:

Unless specifically overridden, WM inherits from WMM on the parent folder (except on the root folder which doesn’t have WMM) and WMM inherits from WM on the same folder. You may have noticed WMM following WM when working in the SAS Management Console authorization tab. This might seem complex at first, but when you think about it, it becomes clear why this is necessary. A common pattern for allowing someone to manage a folder’s contents, but not the folder itself, is +RM,-WM,+WMM. With this inheritance model the inherited permissions on any sub-folders created by such a user would be +RM,+WM,+WMM and allow the user to manage any sub-folders they create. However, if the inheritance model was simple, with WM and WMM inheriting from the same parent permissions, that would mean the users permissions on any sub-folders they created would be the same as the parent (+RM,-WM,+WMM). They would be able to create sub-folders but then not have the ability to manage them (delete, rename, move etc) – very strange. This makes it clear to me why the WM/WMM inheritance model needs to be the way it is in SAS 9.2.

SAS Restricted Options on UNIX

In a tweet by Gordon Cox last month, I was reminded of the restricted options facility available with SAS® software on UNIX platforms. This is capability where an administrator can set mandatory SAS system options at multiple levels of granularity: globally, per-group, and/or per-user. The reason for this post is that I don’t look at the documentation for this very often and every time I do it takes me a while to track it down. I always think its going to be in the UNIX companion in the Base SAS area… but it’s not! That gets me every time. Instead it’s tucked away in the Configuration Guide for SAS 9.2 Foundation for UNIX Environments (PDF) in Chapter 2 – Restricted Options. You can find this document in the Install Center section of support.sas.com under SAS Installation Note 36467: Documentation for a SAS® 9.2 installation on UNIX.

The context of the tweet was that the restricted options facility is another mechanism whereby a default setting of the NOXCMD option for SAS platform servers could be overridden for a subset of trusted users or groups in a SAS platform installation. The NOXCMD option is discussed in an earlier post: NOXCMD: NO eXternal CoMmanDs!

A quick summary of restricted options:

  • SAS Systems Options under UNIX set by an administrator, that cannot be changed by a user
  • Processed in the order global, group, then user. The last instance of an option is the one that wins.
  • Global restrictions are read from the file !SASROOT/misc/rstropts/rsasv9.cfg
  • Group restrictions are read from the file !SASROOT/misc/rstropts/groups/<groupname>_rsasv9.cfg
  • User restrictions are read from the file !SASROOT/misc/rstropts/users/<userid>_rsasv9.cfg

On Linux (at least) I can use the command “id -gn <userid>” to find out the effective group name for a user, given their user id. For example, “id -gn sassrv” might generate “sas“.

In my SAS 9.2 installation on Linux, whilst everyone else is still constrained by the NOXCMD option, I can ensure that the SAS Enterprise Guide user Bob Baxter, who has a user id of bob, can still use operating system commands in the SAS programs he runs on the SASApp server, by creating the file /usr/local/SAS/SASFoundation/9.2/misc/rstropts/users/bob_rsasv9.cfg with the following contents:

-xcmd

Of course, this only applies to SAS processes launched and run as the requesting user. Whilst it can be used to override NOXCMD for specific users/groups using a standard workspace server, it cant be used to distinguish between different users on the same stored process server, since all users will share SAS stored process server processes running under a shared identity (like sassrv). In that situation directing the users to separate SAS application servers would be more appropriate. There is an example of this in Jim Fenton & Robert Ladd’s SAS Global Forum 2010 paper 311-2010: A Practical Approach to Securing a SAS® 9.2 Intelligence Platform Deployment

Thanks to Gordon for reminding me about the restricted options facility.

Some PlatformAdmin.com Milestones …

My platformadmin.com blog has seen a few milestones of late:

  1. It had 1st birthday recently (boy that year went quickly!)
  2. … then, thanks to mentions from Waynette Tubs in the June edition of the SAS® Technical Report, and Andrew Ratcliffe in his excellent NOTE: blog, it saw a fair bit of extra traffic this month. The unique monthly visitor count for platformadmin.com topped 1000 visitors for the first time! I got especially geeky excited when I saw it hit 1024.
  3. … and finally, in a lesser milestone, the number of total spam comments deleted over the past year topped 1000 too – would have been happy not to have seen that milestone, but I guess it’s probably peanuts compared to what other blogs get :)

Thanks to all the readers out there, and special thanks to those that comment, tweet, retweet and say nice things about platformadmin.com on other sites/blogs too.

Happy SAS platform admin-ing to all.

Cheers
Paul