SAS Platform Object Framework MakeFolder Metadata Utility

Back in July last year I posted MKDIRMD Macro: Creating Tree Folders in Metadata about a SAS macro I wrote to create tree folders in a SAS metadata repository using the SAS Open Metadata API. Just recently I discovered an alternative method using a utility already present in a SAS 9.2 installation: MakeFolder.

I stumbled on MakeFolder in passing whilst looking in the SASPlatformObjectFramework directory (which is /usr/local/SAS/SASPlatformObjectFramework/9.2 on my Linux machine). If you haven’t seen it before, that directory contains a number of tools such as the Batch Export and Import tools for batch migration/promotion of metadata and the ValidateServer utility mentioned in SAS Usage Note 42523: ValidateServer utility to check availability of SAS® 9.2 Business Intelligence servers. I noticed the SASPlatformObjectFramework directory contained a few other utilities too, including MakeFolder which sounded very much like it might, well, make a folder! Since there are already operating system commands to make file system folders I guessed it would probably make metadata folders and so be worth a closer look.

I couldn’t find any documentation for MakeFolder. A search on support.sas.com yielded nothing. The other SASPlatformObjectFramework utilities documented –help parameters so I thought I would try that out first. It displayed the following nice usage message: 

userid@host:~$ /usr/local/SAS/SASPlatformObjectFramework/9.2/MakeFolder --help
usage: MakeFolder [options...] folderPath
options include:
 -profile <profile>     Metadata server connection profile.  Can be used in
                        place of the -host, -port, -user, and -password options.
 -user <userID>         User login identity. Required if -profile is not set or
                        if the profile does not contain connection credentials.
 -password <password>   User login password. Required if -profile is not set or
                        if the profile does not contain connection credentials.
 -host <hostname>       Metadata server host. Required if -profile is not set.
 -port <port>           Metadata server port. Required if -profile is not set.
 -?,--help              Print help information.
 -domain <domain>       User authentication domain
 -log <log-file>        Log file or directory.
 -makeFullPath          create intermediate folders if necessary

It all looked quite straightforward, so I tried it out in a development environment. Firstly to create a simple top level folder (/testsimple):

userid@host:~$ /usr/local/SAS/SASPlatformObjectFramework/9.2/MakeFolder -host localhost -port 8563 -user adminpaul@saspw -password thesecretpassword /testsimple
INFO  *** Make Folder started on 26/05/2011 ***
INFO  Server localhost:8563, user adminpaul@saspw.
INFO  Folder /testsimple created.
MakeFolder has completed.

That worked fine and looking in the SAS Management Console Folders tab I could see the folder had been created.

There was also a -makeFullPath to create intermediate parent folders too. I first tried it out without -makeFullPath:

userid@host:~$ /usr/local/SAS/SASPlatformObjectFramework/9.2/MakeFolder -host localhost -port 8563 -user adminpaul@saspw -password thesecretpassword /test/multiple/levels
INFO  *** Make Folder started on 26/05/2011 ***
INFO  Server localhost:8563, user adminpaul@saspw.
ERROR Parent folder /test/multiple/ does not exist.
MakeFolder has completed.

As expected, that produced an error message since I didn’t already have the /test/multiple parent folders. I ran it again, this time with the -makeFullPath parameter:

userid@host:~$ /usr/local/SAS/SASPlatformObjectFramework/9.2/MakeFolder -host localhost -port 8563 -user adminpaul@saspw -password thesecretpassword -makeFullPath /test/multiple/levels
INFO  *** Make Folder started on 26/05/2011 ***
INFO  Server localhost:8563, user adminpaul@saspw.
INFO  Folder /test/ created.
INFO  Folder /test/multiple/ created.
INFO  Folder /test/multiple/levels created.
MakeFolder has completed.

The folder and its parents were all created successfully.

MakeFolder indeed looks very useful. However, since I haven’t seen any official SAS documentation for it, I would err on the conservative side and, unless I hear otherwise, assume it’s not currently supported. Perhaps if someone from SAS Institute is reading they might be able to provide a bit more info about its status.

So now I know two ways to script the creation of metadata folders.

Which logger did that SAS log message come from?

Occasionally you might want to generate a custom SAS log file, perhaps to be parsed and analysed to generate a custom report. You want to focus on a specific subset of messages and already know that you can modify the logging configuration file and attach the logger that generates the message to an appender to write the messages to your custom log file. The only thing you don’t know is which logger in particular is generating the messages you want to capture. You can see the messages you want already in the main log file but don’t know which logger is generating them. Is it App.Meta, Audit.Meta.Security, Audit.Authentication or something else? How do you find out which logger you need?

In situations like this I temporarily modify the logging configuration file (usually logconfig.xml) to add the conversion character %c to the ConversionPattern setting. This adds the logger name into the message. Restart the server in question and then look for the source of the interesting messages. Normally I only do this on a development server so I might leave the change in place so I can easily find the right logger next time.

Here’s an example of the ConversionPattern param in the SAS metadata server logging configuration file before the change:

<param name="ConversionPattern" value="%d %-5p [%t] %X{Client.ID}:%u - %m"/>

… and here’s the same param after adding in a “(%c)”:

<param name="ConversionPattern" value="%d %-5p [%t] (%c) %X{Client.ID}:%u - %m"/>

… and finally here’s a SAS metadata server log file fragment showing the result of the change:

2011-05-19T16:34:31,524 INFO  [00000004] (Admin.Operations) :sas - SAH011001I SAS (9.2) Metadata Server (8562), State, starting
2011-05-19T16:34:31,754 INFO  [00000008] (App.Meta) :sas - OMACONFIG option OMA.SASSEC_LOCAL_PW_SAVE found with value 1 and processed.
2011-05-19T16:34:31,755 INFO  [00000008] (App.Meta) :sas - Unable to load AES encryption algorithm. Using SASPROPRIETARY for password storage.
2011-05-19T16:34:31,755 INFO  [00000008] (App.Meta) :sas - Using SASPROPRIETARY for password fetch.
2011-05-19T16:34:31,760 INFO  [00000008] (Audit.Meta.Security) :sas - SAS Metadata Authorization Facility Initialization.
2011-05-19T16:34:31,761 INFO  [00000008] (Audit.Meta.Security) :sas - SAS is an adminUser.
2011-05-19T16:34:31,769 INFO  [00000008] (Audit.Meta.Security) :sas - SASTRUST@SASPW is a trustedUser.
2011-05-19T16:34:31,771 INFO  [00000008] (Audit.Meta.Security) :sas - SASADM@SASPW is an unrestricted adminUser.
...
2011-05-19T16:35:42,227 INFO  [00000164] (Audit.Authentication) :sasadm@saspw - New client connection (8) accepted from server port 8562 for user sasadm@saspw.  Encryption level is Credentials using encryption algorithm SASPROPRIETARY.  Peer IP address and port are [127.0.0.1]:52947.

Now I can see where the messages are coming from. Perhaps the Audit.Authentication message is the one I want.

You can find out more about conversion characters and configuring custom logging by reading the document SAS® 9.2 Logging Configuration and Programming Reference available from support.sas.com (PDF, HTML).

Update 20May2011: I forgot to mention that if you are generating a custom log file for the purposes of audit or performance logging, you might want to look first at the SAS 9.2 Enterprise Business Intelligence Audit and Performance Measurement instrumentation package. It might already provide what you need and if not then you might be able to make some small customisations rather than start from scratch.

Capability Reviewer Preview: who has access to a capability and how?

The next version of the Metacoda Security Plug-ins includes a new Capability Reviewer. This new feature provides the ability to review who has access to a specific capability and by what paths a user, group or role acquires that capability.

As an example of how this is useful I’ll step through a scenario where we want to assess what needs to be done to avoid granting a specific capability to a specific user. If you have ever tried to make sure a user doesn’t have a particular capability then I’m sure you have seen this type of scenario. Lets say Bob Baxter is our user and he has the Drill to Detail capability in SAS® Web Report Studio 4.3 but he shouldn’t have.

We have to find all the roles that provide that capability directly to him and make sure he isn’t a direct member of the role. We need to remember that capability acquisition is cumulative and capabilities can’t be denied. It only takes 1 role to provide him the capability for him to have it. He can also get access to the capability through his, possibly nested, group memberships if those groups are members of a role that provides the capability. He can also get access through capability contributions, from contributing roles, to a role he is a member of directly or indirectly.

So now lets say Bob has been removed as a direct member of any roles that provided the capability but he still has the capability. Chances are he has acquired the capability indirectly through one of the groups that he is a member of (either directly or indirectly through nested group members, or implicitly through SASUSERS or PUBLIC). That means we need to track down how those groups have the capability and either remove him from the group or remove the group from the role (taking into account removing him from the group and/or removing the group from the role could have significant impacts elsewhere).

So where do we start with this? How do you find out which users, groups and roles have access to a specific capability and how they have access to that capability? This is where the Capability Reviewer in the upcoming V2 release of our Metacoda Security Plug-ins shines. The following screenshots show how we can use the Capability Reviewer to find this information.

The first screenshot below shows the initial view of the Capability Reviewer. It shows a list of all capabilities. Clicking on a capability shows all of the users, groups and roles that have access to that capability. This is presented in a tree format on the left and a table format on the right. The tree shows the various paths from the capability, through the roles, to the groups and users (including nested groups and contributing roles). The screenshots in this post are quite small, but you can click on any of them to view them full size.

We are interested in a specific capability, so we type drill in the filter bar to limit the display to those capabilities that include the text drill in their path/name or description. The result is shown in the next screenshot …

In the screenshot above (click it to view full size) we can see the filter bar has been used to find the Drill to Detail capability in SAS® Web Report Studio 4.3. The capability has been selected and we can see in the tree and table below it who has access to that capability. There are quite a few identities listed, but we are interested in a specific user (Bob). The next screenshot shows how we can look specifically at Bob’s access to that capability …

In the screenshot above (click it to view full size) we can see the filter bar within the Roles & Members tab, has been used to find Bob. By default the tree and table only show the shortest path by which the user acquires that capability, but if we want to ensure a user doesn’t have a capability we need to find and eliminate all capability access paths for that user, so we also click the “Show Duplicates” button on the filter bar. The table then shows all 3 paths by which Bob acquires the Drill to Detail capability:

  1. Bob Baxter is a member of the implicit PUBLIC group which is a member of the Web Report Studio: Report Viewing role which has been granted the capability.
  2. Bob Baxter is a member of the implicit PUBLIC group which is a member of the Web Report Studio: Report Creation role which has been granted the capability.
  3. Bob Baxter is a member of the Vegas Enterprises: Executives group which is a member of the Vegas Enterprises: Report Consumers group which is a member of the Vegas Enterprises: Report Consumer Role which has Web Report Studio: Report Viewing as a contributing role which has been granted the capability.

As you can see the Capability Reviewer allows us to find exactly how Bob acquires the capability through all of the potential paths. To make sure he doesn’t have the capability we need to ensure he is not in any of these paths. How that is done for you will depend on how you have set up your groups, roles and capabilities within your SAS platform installation. The simplest way will be to either remove Bob from the relevant roles and/or groups, or remove the capability from the relevant role(s). However, we also need to bear in mind that, depending on the changes you make, this can have significant impacts to roles, capabilities and access controls elsewhere. A more realistic outcome from a requirement to effectively remove a capability for a user is that the roles & capabilities implementation needs to be re-assessed and re-planned. Roles & capabilities needs careful planning but that’s a bigger story than we have time for here.

Our other Metacoda Security Plug-ins reviewers can help you assess the potential impact of any changes you might plan to make. For example: the Role Reviewer can help you find out what other users and groups might be affected by changes to a role’s capability set; the Group Reviewer can help you find out what other users and groups are direct or indirect members of a group you might want to change role memberships for.

If you’d like to find out more about the Capability Reviewer, or evaluate a beta version when it becomes available soon, then you can either send me a message or contact us via the Metacoda contact form.

If you are attending SAS Global Forum 2011 in Las Vegas this week then you can also see the Capability Reviewer in action by visiting us at the Metacoda booth (#106) in the demo area.

Updated 08Sep2011: Metacoda Security Plug-ins V2.0, and the new Capability Reviewer, is now available to customers and evaluators. If you would like to try it out you can request a evaluation from the Metacoda web site.

User Reviewer V2: Sneak Peek

If you’re a SAS platform administrator who manages a SAS metadata security implementation then you might be interested in this sneak peek of some of the enhancements in the next version of our Metacoda Security Plug-ins (custom plug-ins that can be installed into the SAS Management Console). We’ve been hard at work updating our plug-ins to provide enhanced views of the great new metadata security improvements in SAS® 9.2 like roles and capabilities.

Roles and capabilities in SAS 9.2 let you control, via the SAS metadata server, user access to functionality and features in SAS client applications such as SAS Enterprise Guide, SAS Add-in to Microsoft Office, SAS Web Report Studio and SAS Management Console. For an excellent overview of roles and capabilities I’d definitely recommend reading Kathy Wisniewski’s SAS Global Forum 2010 paper “Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2“.

We’re improving our Metacoda Security Plug-ins User Reviewer by adding Roles and Capabilities tabs that provide extended information about the roles and capabilities for a user. This screenshot (click the thumbmail to view the full size image in a new window) shows a preview of our new Roles tab:

In the screenshot you can see that I have tracked down a particular user and am looking at all of the roles he is associated with. It shows:

  • direct role associations, where a user is a member of the role directly
  • indirect role associations, where the user is a member of a group (possibly nested) and that group is a member of the role
  • implicit role associations, where the user is associated with the role through the one of the implicit groups (SASUSERS and PUBLIC)
  • contributed role associations, where the user is associated with a role indirectly through that roles contribution to another role the user is associated with

Essentially this new Roles tab allows you to answer the question: is a user associated with a particular role, and if so, by what means are they associated?

Another question administrators want to answer for a given user is what capabilities do they have or not have, and why? That’s where our new User Reviewer Capabilities tab helps. Here is another screenshot (once again click the thumbnail to enlarge):

This screenshot shows the Capabilities tab where you can see a list of all the capabilities and whether or not the user has been granted access to them. If the user has been granted access to a capability it also shows which role is providing them with the capability and the membership path from the user to the role. If you’ve ever tried to track down why a user has an unexpected capability then I’m sure you’ll appreciate how useful this is.

That’s it for this sneek peak, but if you are going to SAS Global Forum 2011 in Las Vegas this year, and you’d like to find out more, then please pop by and visit us in the SAS Alliance Cafe for a demo – we’ll be in booth #106.

BTW if anyone out there is interested in trying out a beta version then we’re looking for a few more beta testers. If you have a SAS metadata server in a development, test, or sandpit environment and would like to test drive our plug-ins then let me know. You can contact me through this blog, Twitter, my LinkedIn profile, the Metacoda web site or even in person at the SAS Global Forum in a few weeks time :)

Q&A Resources for SAS® Software

In addition to SAS Technical Support, there are a number of community support resources available for SAS users too. I have compiled a list below of the sites I know of that use a Q&A or discussion format where SAS users and platform administrators can post questions and review or provide answers.

  1. SAS Discussion Forums: provided by SAS Institute and hosting a number of different forums relating to specific aspects of SAS software. This is one of my favourites – it has a high degree of activity and relevance, lots of useful questions, and answers provided by both SAS users and employees alike.
  2. SAS Professionals Discussion Forums: provides a number of different discussion forums including a forum dedicated to Platform Administrators
  3. run;submit: a site dedicated to Q&A related to SAS software. It looks like a StackExchange site but, as far as I know, I don’t think it is affiliated with StackExchange (it’s not in the StackExchange sites list).
  4. Stack Overflow (SAS tag): a collaborative Q&A site from StackExchange dedicated to programmer’s questions. This is a link to the SAS tag that filters the questions to those about SAS software.
  5. SAS-L / comp.soft-sys.sas: SAS-L has been around for a long time and has a loyal following. Unfortunately it does also contain spam and inappropriate content too so beware.
  6. Super User (SAS tag): a collaborative Q&A site from StackExchange dedicated to computer enthusiast’s questions. This is a link to the SAS tag which includes some questions relating to SAS software (not as many as found on Stack Overflow) mixed in with questions about Serial Attached SCSI (SAS) disk drives and I/O controllers – seems like there is a tag name clash.

All of the Q&A sites above provide RSS feeds so you can monitor them from an RSS reader without having to keep visiting them individually.

LinkedIn members will also find many SAS software related groups with discussion boards. There are too many to list here individually, but if you are interested you will find some of them listed on my LinkedIn public profile. You can also find those groups and others by searching for LinkedIn groups using the SAS keyword.

If you are aware of any other Q&A sites for SAS users then please let me know by leaving a comment.