Category: SAS Metadata Security

ChatGPT and SAS 9 Metadata Security

With all the news around ChatGPT lately, I thought I would see how it performed when asked questions about SAS 9 Metadata Security. This is a niche specialty with some complex rules when you get down into the details, so I was not expecting it to do very well. I was both impressed and disappointed. I was impressed with how it was quickly able to respond with confident sounding, generally correct, responses when asked high level questions on this specialized topic. I was disappointed that it provided confident sounding, incorrect, responses when asked about the details.

Here are some excerpts from my chat. It was a long chat so I have only selected some of the responses for this blog post. It’s still a long blog post though, so I will be very impressed if you make it all the way to the end!

First question:

Asking ChatGPT about SAS 9 metadata permissions

This is a good start, it mentions the SAS Metadata Server, users, groups, access control, and metadata objects, how permissions can be assigned at different levels, and how they are distinct from file system permissions. Some metadata permissions are listed, all of which do exist. I could get pedantic about Read, Write and Delete definitions but at a high level they will do. The Administer permission definition is just wrong.

Next question Continue reading “ChatGPT and SAS 9 Metadata Security”

New Permissions in SAS 9.4 M2: ManageCredentialsMetadata & ManageMemberMetadata

SAS® 9.4 M2 was released recently and included some new permissions related to identity administration. These new permissions are ManageMemberMetadata (MMM), for groups and roles, and ManageCredentialsMetadata (MCM), for users and groups. I found them documented in the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition. They are listed in the Use and Enforcement of Each Permission section as follows:

ManageMemberMetadata (MMM): Change the membership of the Group and Role. Cannot change security or other account attributes.
ManageCredentialsMetadata (MCM): Manage accounts and trusted logins of User and Group. Cannot change security or other account attributes.

They also appear in the Permissions by Object Type section, where it reads:

Identity: User administration capabilities (from the Metadata Server: User Administration role) enable you to create, update, and delete users, groups, and roles. You can delegate management of an identity to someone who doesn’t have user administration capabilities by adding explicit or ACT grants of WriteMetadata permission in the identity’s authorization properties. An identity’s authorization properties have no effect on what that identity can do. You need ManageMemberMetadata permission to change the membership of the UserGroup and Role. ManageCredentialsMetadata enables you to manage accounts and trusted logins of User and UserGroup.

After some further exploration, I also saw that (unless otherwise specified) MMM and MCM follow the WriteMetadata (WM) permission on identities, just as WriteMemberMetadata (WMM) does with folders.

To provide support for these new permissions, Metacoda has just released an updated version of Metacoda Plug-ins 4.0 R2.

You can now see MMM and MCM in the Public Types Explorer:

New MCM and MMM permissions in SAS 9.4 M2

The new permissions are also visible in the various Metacoda Reviewers and Permissions Explorers. If you are using the Metadata Security Testing Framework, you can now export tests that include MMM and MCM, and run tests that check for them too.

I’d encourage all existing users of Metacoda Plug-ins to upgrade to 4.0 R2. This latest release can be downloaded after logging in from the Metacoda support page. If you’re not yet a Metacoda Plug-ins user then you might be interested in a free one month evaluation license where you can try them out in your own environment.

SAS Metadata Security Testing

SAS® Global Forum 2014 is now only a few days away, and I’m excited (and a little nervous) about presenting my paper Test for Success: Automated Testing of SAS® Metadata Security Implementations.

Update 03Apr2014: My paper is now available for download from the SAS Global Forum 2014 Online Proceedings.

SAS metadata security testing is a topic I’ve been contemplating for a long time now. For many organizations, metadata security is an important feature of the SAS platform. It enables them to control access to business resources described by the metadata and ensure their users can only use SAS applications to view and modify resources appropriate to their roles within the organization.

When metadata security is important, conducting security testing on a regular basis is important too. Regular testing allows an organization to feel confident in the security of their platform and to promptly detect deviations from a carefully crafted metadata security implementation. Many times I’ve seen accidental changes, or quick fixes, which had a detrimental impact on an installation’s metadata security. Without regular testing, Continue reading “SAS Metadata Security Testing”

Creating a Metadata Bound Library with SAS 9.4

One of the nice enhancements in SAS® Management Console 9.4 is the addition of a point & click method for creating a Metadata Bound Library. Metadata Bound Libraries have been available since SAS 9.3 M2 but prior to SAS 9.4 you had to write proc authlib code to set one up (see this prior post for an example).

Many of the SAS platform administrators I meet have an IT admin background, not necessarily a SAS coding background, so this addition of a point & click method in SAS 9.4 will certainly make it easier for people to take advantage of metadata bound libraries. I find it makes it easier and I do have a SAS coding background. I don’t create metadata bound libraries every day, so I haven’t committed the syntax to memory yet :). Using the point & click method can be quicker than tracking down a code example.

Starting from the Folders tab in SAS Management Console 9.4, navigate to the /System/Secured Libraries folder. Right mouse click over the Secured Libraries folder and select the New and Secured Library menu items.

Starting the process of adding a SAS 9.4 Metadata Bound Library

In the New Secured Library wizard, provide a name and description for the secured library, then click the Next button. Continue reading “Creating a Metadata Bound Library with SAS 9.4”

Protecting your Metadata Protections: Part 2

SAS Management Console 9.3 showing default non-administrative capabilities.

In a guest post on blogs.sas.com in January, I wrote about protecting your metadata protections. In that post I said that “Ideally, a SAS® metadata security plan should address both ACT permissions and access to the Authorization Manager.” and went on to explain a method for addressing Access Control Template (ACT) permissions.

In this second part, I’ll talk about reducing access to the SAS Management Console Authorization Manager plug-in as further protection for your ACTs.

Of course, for some smaller SAS sites, and those with simple security requirements, this might be overkill. However, for other possibly larger organizations, those with potentially sensitive data/content, and perhaps those with specific regulatory requirements, it might be a necessity to implement a comprehensive metadata security implementation with multi-layered protections like these.

In the default metadata security implementations for SAS 9.3 and SAS 9.2, all SAS users have the capability to access a limited set of features in the SAS Management Console. This includes access to the Authorization Manager plug-in where any accidentally unprotected ACTs could be modified. In order to be able to take advantage of this capability, and modify an ACT, a user has to be able to fulfill all of the following requirements: Continue reading “Protecting your Metadata Protections: Part 2”