
platformadmin.com

Paul Homes blogging on SAS® platform administration topics


Category: SAS Management Console

Authorization Manager Plug-in and Custom Metadata Permissions

Something I’ve only noticed recently, which I haven’t seen in the SAS® 9.2 What’s New documentation, is an apparent change relating to support for custom, or user-defined, metadata permissions in the SAS Management Console Authorization Manager plug-in.

I hadn’t noticed this change before because I’ve not yet had a need for custom metadata permissions myself. I don’t think they are used very much and personally I’ve only heard of a single site that has used them in a custom application.

A while back someone asked me about support for custom permissions in our Metacoda Security Plug-ins product. It was this request that originally alerted me to the custom permissions feature in SAS 9.1.3. Whilst planning a new release of our plug-ins, I had been thinking about ways to add support for them, but when I went looking for custom permissions in SAS 9.2 they appeared to have vanished.

Below is a screenshot fragment of the SAS Management Console 9.1 Authorization Manager plug-in. Notice the Permissions folder where, with a right click, you can create your own custom permissions.

Compare that with this next screenshot fragment for the Authorization Manager plug-in from SAS Management Console 9.2. Notice there is no longer a Permissions folder.

It looks like the ability to add custom permissions has been removed – at least via SAS Management Console anyway. Considering all of the many metadata security improvements in SAS 9.2 relating to applicable permissions, effective permissions and changes in inheritance paths, I think I can understand why. To provide support for custom permissions in the SAS Management Console Authorization tab in SAS 9.2 would require gathering much more information about how the custom permission should be handled than the simple name and description collected in SAS 9.1.3 would provide – you would have to consider what object types it applies to and how the permission should be inherited from object to object.

So, for now, it looks like we won’t be needing to add support for custom permissions in our Metacoda Security Plug-ins product. However, if you have any information about the potential for custom metadata permissions in SAS 9.2 and/or would like to see them supported in our plug-ins then please let me know. I’d also be interested in hearing from anyone who might have used custom metadata permissions in SAS 9.1.3 and finding out about your experiences in migrating your custom applications that used them to SAS 9.2.

You can find more information about custom metadata permissions in the SAS Management Console 9.1.3 User’s Guide > Managing Authorizations > Managing Permissions

Author: Paul Homes | Posted on: 8 March 2011 | 20 September 2024 | Categories: SAS Metadata Security | Tags: Metacoda Security Plug-ins, SAS, SAS 9.1, SAS 9.2, SAS Management Console, SAS Metadata Security

Self-Service Account/Login Management with the SAS Personal Login Manager

Recently I was talking to someone about how users can manage their own logins in metadata using the SAS Personal Login Manager client application. I wanted to show them what it looks like but, to my surprise, I couldn’t find any screenshots of it on the SAS support site, and I didn’t have an installation to hand.

If you are not familiar with it, the SAS Personal Login Manager provides a self-service facility for SAS platform users to manage any of their own accounts/logins (user id and password) stored in metadata. It is available for both SAS 9.1.3 and SAS 9.2. It’s particularly useful when users need to update any of their own passwords that have to be stored in metadata. Of course, as platform administrators we strive to limit the number of passwords stored in metadata, but sometimes it can’t be avoided and so, in those instances, we also need a way to allow users to manage them for themselves.

In most cases we can take advantage of cached credentials, SAS token authentication, and Integrated Windows Authentication (IWA) to help us provide transparent authentication for our users with no requirement for passwords to be stored in metadata. Unfortunately in some cases we need to have passwords in metadata though: providing transparent access to an Oracle database is one example. Of course, as soon as we have passwords stored in metadata they have to be maintained, and security policies often require those passwords to be changed on a regular basis.

As a platform administrator we can see the presence of saved credentials (except the password) for an individual by using the SAS Management Console User Manager Plug-in to review the user’s Accounts tab (in SAS 9.2) or Logins tab (in SAS 9.1.3). Here is a screenshot showing a demo user with his inbound (identifying) login and a few outbound logins used to provide access to other servers.

So for those passwords that have to be stored in metadata for individual users (as opposed to shared logins for groups), how do we go about allowing the users to update them when they need to be changed?

  • As administrators it is possible, but not recommended, for us to update the password on behalf of the user, but that would mean 1) they would have to tell us their password and 2) it would become a burden for us very quickly.
  • Alternatively we could allow users to manage their own logins by providing them with access to SAS Management Console. There are some downsides to this too. From a security perspective you might not want those users to have access to the SAS Management Console at all. With SAS 9.1.3 we rarely gave others access to SAS Management Console, but with the addition of roles and capabilities in SAS 9.2 we can now do so and limit their access (visibility) to the other plug-ins to make it more palatable. However, even with access to the SAS Management Console they will need to be able to navigate to the User Manager plug-in, find their own identity, bring up its properties dialog and find the appropriate tab. This sounds like a recipe for lots of support calls.
  • If your users have SAS Enterprise Guide available to them, it can also be used to manage their accounts/logins stored in metadata.
  • If your users don’t or shouldn’t have access to SAS Management Console or SAS Enterprise Guide then this is where the SAS Personal Login Manager shines. It does one thing and one thing only – it lets people manage their own logins using a very simple interface. You might think of it as providing a user with direct access to the contents of their own Accounts tab (or Logins tab for SAS 9.1.3) from SAS Management Console.

Here is a screenshot of the initial view of the SAS Personal Login Manager application immediately after the demo user Nate has logged in. He sees all of his own accounts/logins and can add, remove and edit any of them. That’s it. Nice and simple.

The following is a screenshot of him changing the password for his Oracle login.

Whilst this application can be used for managing an individual user’s own accounts/logins, it can’t be used for managing shared accounts/logins for groups. Those shared logins have to be managed from the SAS Management Console, so if you want to delegate the management of those accounts/logins to group administrators then they will need to have access to the SAS Management Console. In SAS 9.2 you can, however, limit access to the rest of SAS Management Console via roles and capabilities.

The SAS Personal Login Manager is a desktop application and so requires the client software to be installed on, or be accessible from, the individual’s workstation. You might use something like Citrix, VMware ACE or automated software deployment to help manage this. I don’t know of any web based apps from SAS Institute that allow users to manage their own logins, but if you do then please let me know.

Author: Paul Homes | Posted on: 1 November 2010 | 20 September 2024 | Categories: SAS Software | Tags: Accounts/Logins, Passwords, SAS, SAS 9.1, SAS 9.2, SAS Management Console, SAS Personal Login Manager | 6 Comments

Farewell to the SAS 9.2 Replication Wizard

It looks like the SAS® 9.2 Replication Wizard has recently been deprecated. I spotted a new SAS usage note about it the other day: Usage Note 40834: The Replication Wizard in SAS® 9.2 has been deprecated.

The Replication Wizard is, or perhaps I should now say was, a feature available in the SAS 9.2 Management Console (via Metadata Manager > Metadata Utilities > Replication) that could be used to completely replicate metadata from a source environment into a target environment (such as Development to Test, Lev3 to Lev2, etc.). The alternative to replication is to promote selected subsets of metadata using the import/export wizards and SAS package (.SPK) files. This selective promotion method is sometimes known as partial promotion. Although replication might sound tempting initially, in practice the import/export methods are much more versatile (as long as they support the metadata you want to promote – significant improvements with SAS 9.2).

Unlike import/export where you promote a subset of metadata, with replication you were promoting all of the metadata in one hit (with optional substitution of things like host names, ports, paths etc), completely discarding any existing metadata in the target environment. You had to configure a fair bit of infrastructure in order to use replication, perform a few manual steps and then manually promote any associated physical (non-metadata) content. It seemed like a lot of work (and knowledge) for something you would probably only ever use once or twice (if ever), so I think it’s understandable why SAS Institute would retire this feature. I don’t imagine it got used enough to warrant continued development and testing. I suspect that most people used import/export (partial) promotion almost exclusively, even for the initial promotion into a newly installed environment.

I was always a little bit worried with replication that someone might accidentally get the 2 environments reversed and totally wipe out their source environment, overwriting it with metadata from their old or empty target environment! Another good reason to back up both environments before replicating :)

One of the benefits to replication was that it allowed you to promote portal pages (which are not currently supported with import/export as far as I know). Although it sounds like a good reason to use replication, you could only ever realistically use it once due to the all-or-nothing nature of replication. After the first replication any portal changes in the target environment (e.g. Production/Lev1) would be lost on subsequent replications. I had heard a rumour that promotion of portal pages was in the pipeline but haven’t heard anything more since. Does anyone reading this know what the current status of support for portal promotion is?

I personally hope that the list of supported metadata objects for the import/export promotion facility is extended in future to include things like ACTs, Users, Groups, Roles, Servers and Portal Pages – things that don’t reside in folders. That would round it out very nicely I think.

Updated 30Sep2010: I just spotted some information about portal content promotion in the SAS® 9.2 Intelligence Platform: Web Application Administration Guide, Third Edition. You can find it in Chapter 20 Introduction to SAS Information Delivery Portal Administration under Main Tasks for Administering the Portal in the section named Promote Portal Content. It states (in part) “Beginning with SAS Information Delivery Portal 4.3, a content promotion tool is available. This tool consists of stand-alone batch scripts, shell scripts, and metadata extraction templates.”

Updated 08Oct2010: In this SAS Discussion Forum comment Technolero mentions that it may be possible to get an early (potentially unsupported) version of the portal content promotion tool by contacting SAS Technical Support.

Updated 16Dec2010: SAS Information Delivery Portal 4.3 was recently released and the SAS documentation updated. There is a link to documentation for the new portal promotion facilities in the post Updated SAS Admin Docs (inc Portal Promotion).

Author: Paul Homes | Posted on: 29 September 2010 | 20 September 2024 | Categories: Interesting SAS Usage Notes | Tags: Metadata Migration, Metadata Promotion, SAS, SAS 9.2, SAS Information Delivery Portal, SAS Management Console, SAS Usage Notes | 6 Comments

Default Role / Capability Matrices for SAS® 9.2

Have you ever worked on a SAS 9.2 installation where someone has modified the capabilities of the predefined roles, and you need to reset them back to the default configuration? Or perhaps you are trying to see if there is a particular capability and want to search using a keyword, rather than manually reading through the list in SAS Management Console?

If you answered yes to any of these questions then you might want to check out the SAS® 9.2 Intelligence Platform Desktop Application Administration Guide (PDF, HTML) and the SAS® 9.2 Intelligence Platform Web Application Administration Guide, Third Edition (PDF, HTML).

Each of the SAS applications that support roles has a matrix showing the available capabilities for that application and how those capabilities map to the application’s predefined roles. If you need to reset the predefined roles then these matrices provide the information you need. Alternatively, if you want to search for a particular capability then you can use your web-browser/PDF-viewer’s find tool to look for keywords like library, OLAP or Join.

Here is a quick list of links to the specific pages containing the role/capability matrices for each application:

  • SAS Add-In for Microsoft Office
  • SAS Enterprise Guide
  • SAS Web Report Studio
  • SAS Management Console

On a side note, if any SAS developers or product managers happen to read this post, I think it would be great if you could search/filter capabilities in SAS Management Console. There are lots of capabilities to look through and I can only imagine the list getting longer in future versions of SAS. Perhaps a reset-role-to-default-capabilities feature too? :) Perhaps I should make a SASware Ballot suggestion.

Author: Paul Homes | Posted on: 20 August 2010 | 20 September 2024 | Categories: SAS Metadata Security | Tags: Roles & Capabilities, SAS, SAS 9.2, SAS Management Console, SAS Metadata Security, SASware Ballot | 1 Comment

Roles (or not) in Access Controls: SAS® 9.1.3 vs SAS® 9.2

Today I noticed a difference between SAS 9.1.3 and SAS 9.2 with respect to the use of roles in metadata security access controls.

In SAS 9.1.3 it was possible, though not recommended, to use roles in access controls such as Access Control Entries (ACEs) and Access Control Templates (ACTs). Here is a screenshot of SAS Management Console 9.1 where I am in the process of adding a group to an ACT. Notice that the SAS Web Report Studio roles are available for use (I have highlighted them with a red square).

I noticed today that SAS 9.2 prevents you, at least from within SAS Management Console, from using roles in access controls. Here is an equivalent screenshot of SAS Management Console 9.2, where I am also in the process of adding a group to an ACT. This time only the normal groups are available for use, none of the roles are available.

It was good to see this enhancement in SAS 9.2, as it helps promote good practices. Roles exist to provide a container for groups of users to gain access to application functionality. It is not recommended that they be used in access controls that secure general metadata objects such as folders, servers etc. SAS 9.1.3 introduced roles, with hard-coded or implicit capabilities, where they were used only by SAS Web Report Studio as far as I am aware. The use of roles was significantly expanded in SAS 9.2, with configurable/customizable capabilities to allow administrators to control the availability of application functionality in SAS Management Console, SAS Enterprise Guide, SAS Add-In for Microsoft Office, SAS Web Report Studio and SAS BI Dashboard.

I was surprised I hadn’t noticed this improvement until today, but then I guess I am not usually inclined to use roles in access controls ;)

If you want to find out more about roles and capabilities in SAS 9.2, I would definitely recommend reading Kathy Wisniewski’s paper Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2 from SAS Global Forum 2010, available from http://support.sas.com/resources/papers/proceedings10/324-2010.pdf

Author: Paul Homes | Posted on: 19 August 2010 | 20 September 2024 | Categories: SAS Metadata Security | Tags: Best Practices, SAS, SAS 9.1, SAS 9.2, SAS Management Console, SAS Metadata Security

Copyright © 2010-2025 Paul Homes. All rights reserved.