SAS Software – Page 21 – platformadmin.com

WriteMemberMetadata Permission

The WriteMemberMetadata (WMM) permission was a welcome addition back when SAS 9.2 was released, because it allowed an administrator to distinguish between a users ability to manage a metadata folder from their ability to manage its contents.

In SAS 9.1.3 there was only the WriteMetadata (WM) permission and, if you had the ability to manage a folders contents, then you also had the ability to manage the folder too (and that could mean being able to change its permissions as well).

Starting with SAS 9.2, if someone had an effective grant of WMM then they could add and remove items from a folder, but to rename, move, delete, or modify the permissions on a folder then they would also need an effective grant of WM too. To allow someone to manage the contents of a folder, but not the folder itself, then we just needed to ensure that person had an effective grant of WMM and an effective denial of WM. As an aside, to avoid conflicts, the effective denial would ultimately be coming from a denial to PUBLIC, in combination with grants to appropriate groups, rather than a denial to the user themselves.

WMM Permission Patterns

In explaining some common patterns in the use of the ReadMetadata (RM), WriteMetadata (WM) and WriteMemberMetadata (WMM) permissions on SAS metadata folders, I find the following “truth” table useful:

Row	Effective Permissions			Comment
Row	RM	WM	WMM	Comment
1				-RM, -WM, -WMM: Folder not visible, can’t be modified, contents can’t be modified.
2				-RM, WM, WMM: Folder not visible, any WM and WMM grants are irrelevant.
3
4
5				+RM, -WM, -WMM: Folder and contents visible, folder cannot be modified, folder contents cannot be modified.
6				+RM, -WM, +WMM: Folder and contents visible, folder cannot be modified, folder contents can be modified.
7				+RM, +WM, -WMM: Folder and contents visible, folder can be modified, but folder contents cannot be modified!
8				+RM, +WM, +WMM: Folder and contents visible, folder can be modified, folder contents can also be modified.

When planning for effective permissions the green rows are the ones I aim for. They represent the common patterns, in increasing order of ability, as:

Row 1: Folder not visible to the user
Row 5: Folder and contents visible only
Row 6: Folder contents can be modified but not the folder itself
Row 8: Folder and contents can be modified

The grey rows (2,3,4) are variations on folder-not-visible: any WM and WMM grants are irrelevant because of the RM denial. I try to aim for the row 1 version. I find it looks neater and, when I don’t see any grant ticks, I don’t have to think at all about whether or not any permission is realistically available.

The pattern to avoid is row 7 with the red background. If someone ends up with those effective permissions they are in a confusing situation because they can manipulate the folder but not the folder contents.

WMM Permission Inheritance

The way in which WM and WMM inherit from their parents is a bit different to the other permissions. I find the diagrams below useful when explaining how the RM, WM and WMM permissions are inherited down an inheritance path.

In SAS 9.1.3 it was straightforward. Each permission on a folder, unless specifically set on that folder through an ACT or ACE, would inherit from the same permission on its parent folder:

With the introduction of WMM in SAS 9.2 this changed. Whilst the RM permission continued to inherit from RM in the parent folder, the WM and WMM permissions inherit from each other:

Unless specifically overridden, WM inherits from WMM on the parent folder (except on the root folder which doesn’t have WMM) and WMM inherits from WM on the same folder. You may have noticed WMM following WM when working in the SAS Management Console authorization tab. This might seem complex at first, but when you think about it, it becomes clear why this is necessary. A common pattern for allowing someone to manage a folder’s contents, but not the folder itself, is +RM,-WM,+WMM. With this inheritance model the inherited permissions on any sub-folders created by such a user would be +RM,+WM,+WMM and allow the user to manage any sub-folders they create. However, if the inheritance model was simple, with WM and WMM inheriting from the same parent permissions, that would mean the users permissions on any sub-folders they created would be the same as the parent (+RM,-WM,+WMM). They would be able to create sub-folders but then not have the ability to manage them (delete, rename, move etc) – very strange. This makes it clear to me why the WM/WMM inheritance model needs to be the way it is in SAS 9.2.

SAS Restricted Options on UNIX

In a tweet by Gordon Cox last month, I was reminded of the restricted options facility available with SAS® software on UNIX platforms. This is capability where an administrator can set mandatory SAS system options at multiple levels of granularity: globally, per-group, and/or per-user. The reason for this post is that I don’t look at the documentation for this very often and every time I do it takes me a while to track it down. I always think its going to be in the UNIX companion in the Base SAS area… but it’s not! That gets me every time. Instead it’s tucked away in the Configuration Guide for SAS 9.2 Foundation for UNIX Environments (PDF) in Chapter 2 – Restricted Options. You can find this document in the Install Center section of support.sas.com under SAS Installation Note 36467: Documentation for a SAS® 9.2 installation on UNIX.

The context of the tweet was that the restricted options facility is another mechanism whereby a default setting of the NOXCMD option for SAS platform servers could be overridden for a subset of trusted users or groups in a SAS platform installation. The NOXCMD option is discussed in an earlier post: NOXCMD: NO eXternal CoMmanDs!

A quick summary of restricted options:

SAS Systems Options under UNIX set by an administrator, that cannot be changed by a user
Processed in the order global, group, then user. The last instance of an option is the one that wins.
Global restrictions are read from the file !SASROOT/misc/rstropts/rsasv9.cfg
Group restrictions are read from the file !SASROOT/misc/rstropts/groups/<groupname>_rsasv9.cfg
User restrictions are read from the file !SASROOT/misc/rstropts/users/<userid>_rsasv9.cfg

On Linux (at least) I can use the command “id -gn <userid>” to find out the effective group name for a user, given their user id. For example, “id -gn sassrv” might generate “sas“.

In my SAS 9.2 installation on Linux, whilst everyone else is still constrained by the NOXCMD option, I can ensure that the SAS Enterprise Guide user Bob Baxter, who has a user id of bob, can still use operating system commands in the SAS programs he runs on the SASApp server, by creating the file /usr/local/SAS/SASFoundation/9.2/misc/rstropts/users/bob_rsasv9.cfg with the following contents:

-xcmd

Of course, this only applies to SAS processes launched and run as the requesting user. Whilst it can be used to override NOXCMD for specific users/groups using a standard workspace server, it cant be used to distinguish between different users on the same stored process server, since all users will share SAS stored process server processes running under a shared identity (like sassrv). In that situation directing the users to separate SAS application servers would be more appropriate. There is an example of this in Jim Fenton & Robert Ladd’s SAS Global Forum 2010 paper 311-2010: A Practical Approach to Securing a SAS® 9.2 Intelligence Platform Deployment

Thanks to Gordon for reminding me about the restricted options facility.

Desktop Files for Launching SAS Apps on Ubuntu

Whilst I often use the command line on Linux, it’s also nice to have icons in the menus to start SAS® applications like SAS Management Console and SAS Display Manager. These days I mostly use GNOME Do as an application launcher (its a bit like Quicksilver for Mac OS X). Naturally I like to be able to launch SAS apps from GNOME Do too. One day soon I’ll give Ubuntu Unity another try, and when I do eventually make the switch I probably wont use GNOME Do any more (but I’ll remember it as good friend), so then I’ll want to launch SAS apps from Unity. Thankfully I can use the same custom .desktop files in all of these situations.

Originally I used to point and click my way through editing the menus to add a custom launchers for SAS apps, but I soon tired of that. I’m a programmer too. Pointing and clicking doesn’t stay fun for long ;)

I found out about .desktop files after delving into what happened behind the scenes when I was editing the menus using point and click methods. There’s a GNOME Dev Center tutorial on it “Desktop files: putting your application in the desktop menus“. The freedesktop.org site also has a list of the Recognized desktop entry keys that can go into a .desktop file.

Below are some of the .desktop files that I use to launch SAS applications on my Ubuntu installation. I have only tested these on Ubuntu using GNOME but, since they are standard freedesktop files, I imagine they should also work in KDE and other Linux distros.

If you place the .desktop files into the ~/.local/share/applications directory (e.g. /home/userid/.local/share/applications) they will only be available to that single user. Alternatively, if they are placed into the /usr/share/applications directory then they will be available to all users.

The nice thing I have found about editing .desktop files is, so far at least, the changes have shown up in the menus immediately (i.e. without having to logout/login). In my installation the menu entries for these .desktop files can be found in the Ubuntu Applications > Other menu. They show up in GNOME Do too.

Here are the .desktop files I use:

SAS Management Console 9.2

This is a sas-mc-92.desktop file that I use to launch SAS Management Console 9.2 on Ubuntu.

#!/usr/bin/env xdg-open

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Name=SAS Management Console 9.2
Icon=/usr/local/SAS/SASManagementConsole/9.2/SMCApplication.ico
Exec=/usr/local/SAS/SASManagementConsole/9.2/sasmc

SAS 9.2 Display Manager

This is a sas-dms-9.2.desktop file that I (sometimes) use to launch the old SAS Display Manager System (DMS) interface on Ubuntu. If you’ve used DMS on Linux you’ll probably understand why I only use it sometimes ;). I’d love to have a native SAS Enterprise Guide like interface to SAS on Linux (without having to start Windows in VirtualBox). I know, given the numbers, it’s unlikely to ever happen, but I can’t help wishing nonetheless :).

#!/usr/bin/env xdg-open

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Name=SAS Display Manager 9.2
Icon=/usr/local/SAS/sas-logo-48x48.png
Exec=/usr/local/SAS/SASFoundation/9.2/sas

You wont find the /usr/local/SAS/sas-logo-48×48.png file in your installation so you should substitute that with the path to an appropriate icon available in your installation.

SAS Management Console 9.1

This is a sas-mc-913.desktop file that I use to launch SAS Management Console 9.1 on Ubuntu.

#!/usr/bin/env xdg-open

[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Name=SAS Management Console 9.1
Icon=/usr/local/SAS/SASManagementConsole/9.1/SMCApplication.ico
Exec=/usr/local/SAS/SASManagementConsole/9.1/sasmc

If you are a SAS user on Linux then I hope you find these useful too. If you have any info/experiences to share regarding .desktop files launching SAS apps in other desktop environments (KDE, Xfce etc.) or other distros (RHEL, Fedora etc.) then please leave a comment.

NOXCMD: NO eXternal CoMmanDs!

SAS® platform administrators can get quite familiar with the SAS NOXCMD option, usually when someone asks why their programs that used to work (in a different SAS version or execution environment) are now failing. Perhaps the programs ran ok with SAS Enterprise Guide 4.1 using a SAS 9.1.3 server but now fail with SAS Enterprise Guide 4.2 using a SAS 9.2 server. Maybe they were developing some code using SAS Display Manager (I know it’s no longer de rigueur but us old-timers will still confess to using it from time to time – some even quite proudly as a badge of honour!). When that code gets deployed in a stored process on a SAS 9.2 server it then starts failing (hmmm perhaps we should have been developing and testing it in SAS Enterprise Guide or SAS Data Integration Studio after all ;)). You may have seen logs with this error:

1          filename lscmd pipe 'ls -al /tmp';
ERROR: Insufficient authorization to access PIPE.
ERROR: Error in the FILENAME statement.

… or maybe this one:

ERROR: Shell escape is not valid in this SAS session.
1          %sysexec mkdir /tmp/test;

… these are the common error messages seen when trying to run external operating systems in a NOXCMD constrained environment.

If you do a Google search for these messages you might find these resources:

Chris Hemedinger’s blog post “Using the X and SYSTASK commands from SAS Enterprise Guide” from Nov 2009, where he also explained how to overcome it with a single workstation installation of SAS Enterprise Guide and Foundation SAS.
SAS Problem Note 41058: Unable to submit X commands from SAS® Enterprise Guide® connecting to a SAS® Metadata Server when running SAS® 9.2 or later. I noticed at the end of this SAS note it says “… the commands will execute on the metadata server and not on your local PC“. Whilst this would be the case if it were the SASMeta – Workspace Server (a workspace server restricted to metadata administrators that runs on the metadata server machine), it would only be the case for the SASApp – Workspace Server if the workspace server happened to be on the same machine as the metadata server. In many of the installations I see, the metadata server runs on its own dedicated machine, and so this is often not the case. To clarify, it runs the commands on the host machine that the SASApp – Workspace Server is configured to run on.

In the rest of this post I am going to provide some more info, from the platform administrator’s perspective, and try to offer some suggestions and pointers to additional resources that help you with the goal of trying to work with the NOXCMD option. Ideally we want to try to retain the security benefits by not turning it off for the entire user base, in a shared platform environment, when a subset of your users encounter it and perhaps try to persuade you to turn XCMD back on!

The NOXCMD option disables a number of SAS language features that allow the execution of operating system commands such as:

the use of PIPE in the FILENAME statement (SAS documentation links for Windows and UNIX)
the CALL SYSTEM routine
the X command (SAS documentation links for Windows and UNIX)
the %SYSEXEC macro statement
the SYSTASK statement (SAS documentation links for Windows and UNIX)

The SAS documentation for NOXCMD can be found under its positive alternative, the XCMD system option. Here are links to the relevant documentation for Windows and UNIX.

We have become more familiar with NOXCMD in recent years because the the SASApp – Workspace Server, SASApp – Pooled Workspace Server and SASApp – Stored Process Server in SAS 9.2 installations commonly have the XCMD option disabled (i.e. NOXCMD). This is the default setting in newly installed SAS 9.2 deployments for its security benefits. To allow the general SAS user community (such as SAS Enterprise Guide users) to execute operating system commands on the servers, a SAS platform administrator has to make a conscious decision to enable XCMD, preferably after careful consideration of the potential security consequences ;). Here is a screenshot fragment showing where XCMD can be turned on in the server’s Launch Properties tab. You get to this tab using the SAS Management Console 9.2 Server Manager plug-in via the Advanced Options button on the Options tab in the server’s properties dialog.

While you are in the SAS Management Console, you might also notice that the SASMeta – Workspace Server is different in that it has XCMD enabled by default. Normal SAS users can’t use the SASMeta – Workspace Server because metadata access controls make it visible only to metadata administrators (members of the SAS Administrators group).

If you schedule SAS jobs to run in batch you might also want to check the NOXCMD status of the batch servers: SASApp – SAS DATA Step Batch Server, SASMeta – SAS DATA Step Batch Server and any others you may have. The XMCD/NOXCMD setting for these servers are specified not in metadata but in the batch server scripts. On Linux, my batch server scripts are in /usr/local/SAS/ebiedieg/Lev1/SASApp/BatchServer/sasbatch.sh and /usr/local/SAS/ebiedieg/Lev1/SASApp/BatchServer/sasbatch.sh. The SASApp one has -noxcmd whereas the SASMeta one has -xcmd. These are the default settings for batch server deployments in recent SAS 9.2 releases. If you have an older SAS 9.2 release (pre M2), you might find that the SASMeta one is also -noxcmd. The NOXCMD constrained SASMeta – SAS DATA Step Batch Server in older SAS 9.2 releases caused problems with scheduled metadata backups as described in SAS Problem Note 34923: A metadata backup that is scheduled to run by using the SAS DATA Step Batch Server might fail to copy the configuration files and the journal files

So what can you do if your security plan doesn’t allow you to enable XCMD for the general SAS user community, but some of your users, or batch processes, are failing to run operating system commands because of it? A couple of possible options include:

using/suggesting native SAS language alternatives to operating system commands where possible;
creating a new special purpose application server and associated workspace and/or stored process servers that are restricted in visibility (via metadata access controls) to a subset of trusted users/developers. There is a good example of this approach in Jim Fenton & Robert Ladd’s SAS Global Forum 2010 paper 311-2010: A Practical Approach to Securing a SAS® 9.2 Intelligence Platform Deployment

I’ll try to suggest some native SAS language alternatives to operating system commands in future blog posts. If you have any favourites yourself feel free to leave a comment.

I hope this post has helped you find out more about the NOXCMD option and that you don’t always have to turn it off at the first sign of trouble. Remember people tasked with managing security have a reputation to uphold: when it comes to security the first answer is almost always “no”, or perhaps the more pragmatic “no, but how about this alternative more secure method instead…” ;)

Favourite Platform Admin Papers from SAS Global Forum 2011

These are some of my favourite papers from SAS Global Forum 2011. As a platform administrator and metadata fan I am obviously biased to a specific subset of papers. I’m sure there were many other great papers at the conference, but these are the ones that I liked the most based on my own interests. :)

Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark Cecily Hoffritz & Johannes Jørgensen SAS Global Forum 2011 Paper 376-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/376-2011.pdf
Single Sign-On Configuration and Troubleshooting for SAS® 9.2 Enterprise BI Web Applications Stuart J Rogers & Heesun Park SAS Global Forum 2011 Paper 365-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/365-2011.pdf
Using SAS® on UNIX with Multiple Active Directories as Authentication Providers Jan Bigalke SAS Global Forum 2011 Paper 369-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/369-2011.pdf
Understanding the Anatomy of a SAS® Deployment: What’s in My Server Soup? Mark Schneider, Donna Bennett, & Connie Robison SAS Global Forum 2011 Paper 363-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/363-2011.pdf
Configuration and Tuning Guidelines for SAS®9 in Microsoft Windows Server 2008 Margaret Crevar SAS Global Forum 2011 Paper 370-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/370-2011.pdf
Considerations for Implementing a Highly Available or Disaster Recovery Environment Diane Hatcher & Jochen Kirsten SAS Global Forum 2011 Paper 358-2011: PDF available from http://support.sas.com/resources/papers/proceedings11/358-2011.pdf

I’ll definitely be recommending these papers in my SAS platform admin consulting and training work, and have done so a number of times already. They offer a great supplement to the standard SAS documentation and provide lots of additional background info for some of the common types of platform admin related questions I hear like:

“How can I find out more about SAS architecture, what all the components are, and how they fit together?”
“What’s involved in setting up single sign-on for SAS installations?”
“What do we need to know about optimizing the performance of SAS software?”
“How do we secure our SAS content, what are the recommendations, and what should we watch out for?”
“What happens if we get a hardware failure on our SAS Metadata Server? What things do we need to consider in disaster recovery planning?”

I’ve also added these papers to my reading list so I can find them easily when I need to point someone at them.

Thanks to all the authors for taking the time to prepare, present and publish them to share with the SAS community.