The “Best Practices with SAS® 9 Metadata Security” presentation that I did at the SAS New South Wales User Group (SNUG) meeting in Sydney last week can be found on the SNUG web site at http://www.sas.com/offices/asiapacific/sp/usergroups/snug/archive/2010/presentations/PaulHomesQ22010.pdf.
In my presentation on Best Practices with SAS® 9 Metadata Security I mention a number of useful resources for more information. I don’t have enough time and space to list all of them in the presentation so I will list them here for those who are interesting in finding out more.
Resources for SAS 9.2
- SAS® 9.2 Intelligence Platform Security Administration Guide
- Available from http://support.sas.com/documentation/cdl/en/bisecag/61133/PDF/default/bisecag.pdf
- SAS® 9.2 Management Console Guide to Users and Permissions
- Available from http://support.sas.com/documentation/cdl/en/mcsecug/61708/PDF/default/mcsecug.pdf
- Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2
SAS Global Forum 2010 Paper 324-2010
- Available from http://support.sas.com/resources/papers/proceedings10/324-2010.pdf
- A Practical Approach to Securing a SAS® 9.2 Intelligence Platform Deployment
Jim Fenton & Robert Ladd
SAS Global Forum 2010 Paper 311-2010
- Available from http://support.sas.com/resources/papers/proceedings10/311-2010.pdf
Resources for SAS 9.1.3
- SAS® 9.1.3 Intelligence Platform: Security Administration Guide, Second Edition
- Available from http://support.sas.com/documentation/configuration/bisecag.pdf
- Best Practices for SAS®9 Metadata Server Change Control
- Available from http://support.sas.com/resources/papers/MetadataServerchngmgmt.pdf
- TS-760 Metadata Security and the DefaultACT in SAS®9
- Available from http://support.sas.com/techsup/technote/ts760.pdf
- TS-750 Securing SAS®9 Business Intelligence Content Managed in Metadata
- Available from http://support.sas.com/techsup/technote/ts750.pdf
I will make sure that all of these are also in my Reading List.
I saw this SAS usage note today “Usage Note 36547: A host name that includes an underscore or other unreserved characters causes problems for SAS BI Web applications” at http://support.sas.com/kb/36/547.html. I don’t remember ever using an underscore in a host name before, but I will certainly avoid it from now on.
Every now and then I need to update the version of the ExcelXP tagset for a SAS® 9.1.3 platform installation.
SAS programmers use the SAS Output Delivery System (ODS) and ExcelXP tagset to generate good looking multi-sheet Microsoft Excel files (in XML format). This tagset has gone through a number of versions so the version you have installed could be an old one. The installation I saw today had v1.28 whereas the latest available version is v1.86 (as of today).
The options available for updating the version of the ExcelXP tagset are documented in SAS Usage Note 32394: Installing and Storing Updated Tagsets for ODS MARKUP at http://support.sas.com/kb/32/394.html.
I usually modify the main SASHELP.TMPLMST so the updated version is available for the entire SAS platform installation. This involves manually downloading the latest ExcelXP tagset PROC TEMPLATE code from http://support.sas.com/rnd/base/ods/odsmarkup/excltags.tpl and then running the downloaded code using a small %include wrapper as shown in the usage note.
Today it occurred to me that I could combine the steps, modifying the %include wrapper to automatically download and execute the latest tagset code from the SAS web site using the URL access method.
Here is the code I used to automate the tagset update process:
filename xlxpurl url "http://support.sas.com/rnd/base/ods/odsmarkup/excltags.tpl";
ods path sashelp.tmplmst(update);
ods path reset;
filename xlxpurl clear;
Further information about the URL access method (for SAS 9.1.3) can be found in the SAS OnlineDoc page for the FILENAME Statement, URL Access Method at http://support.sas.com/onlinedoc/913/getDoc/en/lrdict.hlp/a000223242.htm.
Whilst this code removes the manual step of downloading the code and providing the download location in the %include wrapper, there are a few things you might want to consider before using it:
- Automatically downloading and running code from an internet site using the URL access method with %INCLUDE is potentially very dangerous. Whilst the URL in the code above currently points to a valid SAS web site location for the latest ExcelXP tagset code this may not always be the case. Consider what you might be %include-ing if the ExcelXP tagset code is ever moved (a 404 error page?) or the code at that location changes (such as in an unlikely worst case scenario where your providers DNS is compromised and support.sas.com is directed elsewhere!). Of course these concerns also exist with manually downloaded code but with manually downloaded code you do have the opportunity to review the code before it is executed – assuming you take that opportunity :)
- The server or workstation you run the code on needs to have internet access. If you need to use a proxy server you will need to specify additional options on the initial filename statement.
- Are you sure the version you are downloading and installing is the version that is required (and has been tested with any existing ODS code)?
After having read the caveats above you might decide that although this might have been an interesting exercise, it may not be appropriate for you to use. I fully understand any such reservations. Although I will probably use this code again myself, I will only do so after first checking the URL provides valid ExcelXP tagset code from the machine it is going to run on.
Finally, if you want to find out which version of the tagset you have installed you can use the following code:
filename xlxptmp temp;
ods tagsets.excelxp file=xlxptmp;
ods tagsets.excelxp close;
filename xlxptmp clear;
After I had run the automated update the version check code generated the following log fragment:
NOTE: This is the Excel XP tagset (SAS 9.1.3, v1.86, 04/15/08). Add options(doc='help') to the ods
statement for more information.
As I mentioned in a previous post, I will be doing a presentation at SAS Forum Australia & New Zealand 2010 titled Best Practices with SAS® 9 Metadata Security. The abstract for this presentation is as follows:
SAS® 9 metadata security is becoming increasingly more important as SAS® 9 platform installations continue to grow and evolve. With more content, larger user communities and a wider variety of application interfaces, time-poor SAS platform administrators are looking for better ways to manage security with their organisations valuable metadata and data resources.
Knowledge and use of current SAS® 9 metadata security best practices can be a key differentiator between stressed platform administrators and well organised administrators. One group might spend their time applying ad-hoc quick fixes and tracking down authorisation conflicts, whereas the other group will plan ahead to reduce day-to-day overheads and minimise the impact of change.
This paper will provide an outline of some of the key SAS® 9 metadata security best practices together with information on where to go to find out more.
Of course this is a large topic for the time available, and so the presentation will provide an overview with a few examples. My plan is that this blog will act as a companion to the presentation. I will post articles here that provide further information with links to online materials that should be useful to other platform administrators wanting to find out more about the topic.