Tag: ACT

Duplicating or Copying SAS Access Control Templates

When working with SAS® 9 metadata security, I often want to create an Access Control Template (ACT) which is very similar to an existing ACT. It may be that it will have a similar definition or permission pattern. It will usually have the same access controls applied to it for its own protection. It might occasionally be applied to protect the same set of objects as the original ACT.

Duplicating or copying SAS metadata security objects, such as ACTs, users, groups, and roles, has been a common request from Metacoda customers too. For this reason we added duplication support in Metacoda Plug-ins 6.1 R3. In the ACT, User, Group, and Role Reviewer plug-ins you will find a new Duplicate… action in the the context menu seen when right-mouse clicking over an object. A pop-up dialog then gives you some options to control what is duplicated.

The ability to duplicate objects via this facility is limited to SAS administrators via membership of one the standard SAS metadata server roles (i.e. “Metadata Server: Unrestricted“, “Metadata Server: User Administration“, or “Metadata Server: Operation“). Of course you also need permission to view the object you are duplicating. Continue reading “Duplicating or Copying SAS Access Control Templates”

Metacoda Plug-ins Tip: Advanced Expression-Based Filters (Protected Object Reviewer)

This post continues a series of examples on Advanced Expression-Based Filters for Metacoda Plug-ins, in this case for the Protected Object Reviewer.

Here are some expressions that you may find useful to copy and paste into the filter bar of the Metacoda Protected Object Reviewer as a starting point for finding interesting sets of SAS metadata objects that have had access controls, Access Control Templates (or ACTs) and/or Access Control Entries (ACEs or explicit permissions), applied to them:

Protected Tree Branch Objects: show folders and objects, underneath the /Vegas Enterprises metadata tree branch, that have had any ACTs or ACEs applied to them.

#@ path.startsWith("/Vegas Enterprises")

ACT Protected Tree Branch Objects: show folders and objects, underneath the /Vegas Enterprises metadata tree branch, that have had ACTs applied (and optionally ACEs). Continue reading “Metacoda Plug-ins Tip: Advanced Expression-Based Filters (Protected Object Reviewer)”

Metacoda Plug-ins Tip: Advanced Expression-Based Filters (ACT Reviewer)

Many of the Metacoda Plug-ins have Filter Bars which provide a way to filter the contents displayed and show an interesting subset. Normally they do simple case-insensitive “contains” filtering on key attributes like name and description (the filter bar label indicates which attributes are used).

Metacoda Plug-ins Filter Bar

Simple text filtering, as described above, is sufficient for many needs. However, for more advanced requirements there is the ability to switch to expression-based filters which are much more flexible. To use expression-based filtering you add a #@ prefix at the beginning of the filter bar field. What follows is then an expression that can use many of the other attributes/columns available in the tables. This expression is written as a Java like expression (BeanShell to be precise) and must resolve to a boolean true/false to determine whether a row should be shown in the table. Any errors in the expression will be shown in a popup error dialog.

This will allow you to do complex expressions like this in the User Reviewer: Continue reading “Metacoda Plug-ins Tip: Advanced Expression-Based Filters (ACT Reviewer)”

Promoting SAS Security Metadata (in Custom Repositories)

Did you know that with SASĀ® 9.3 you can promote (export/import) SAS metadata packages containing users, groups, roles, and ACTs, just like you can with Jobs, Tables, Libraries, Stored Processes, Reports and Information Maps? I needed to do this myself a few weeks ago. I wanted to promote some groups, roles and ACTs from an existing SAS 9.3 M1 installation to a newer SAS 9.3 M2 installation. Security metadata can be exported and imported via a SAS package file (.spk) from special virtual folders under the top-level /System folder. These virtual folders are distinguishable from normal folders because they have white folder icons instead of yellow folder icons as shown below.

SAS Management Console Virtual Folders

You can find out more information about this feature, including a few considerations you need to be aware of, by reading the Promoting Security Objects and Server Objects sub-section of the main Promotion Details for Specific Object Types section in the SAS 9.3 Intelligence Platform: System Administration Guide, Second Edition.

My security metadata promotion was a little more complicated than normal because I was also promoting some security metadata located in a custom repository. I normally avoid using custom repositories as much as possible (preferring to store everything in the Foundation repository and partitioning content with folders and ACTs). This is especially the case for security metadata: I’ve found that security metadata in custom repositories, being less visible, tends to get forgotten until it gets rediscovered whilst troubleshooting tricky security problems. Helping a customer resolve such problems was the reason we made security metadata from custom repositories highly visible in our Metacoda Security Plug-ins. We have since needed to keep some security metadata in custom repositories for the purposes of development and testing of our software. This is the custom repository security metadata I was attempting to promote, but it took me a little while to find it in the virtual folders …. Continue reading “Promoting SAS Security Metadata (in Custom Repositories)”

Migrating SAS Access Control Templates

I ran into a tricky issue today whilst migrating some Access Control Templates (ACTs) from an old SAS® 9.3 M0 deployment to a new SAS 9.3 M2 deployment. I’d seen it before and I initially forgot how I resolved it. It took a little while to rediscover the method that worked so I’m blogging it in the hope I won’t forget it in future. Perhaps it will help others too.

As you may know, SAS 9.3 has virtual folders that allow you to export security metadata like users, groups, roles and ACTs. It’s quite handy. We use it at Metacoda to migrate some security metadata we carry over from version to version for testing and demonstrating our Metacoda Security Plug-ins. You can find more information about migrating security metadata on the SAS web site in the Promotion Details for Specific Object Types section of the SAS 9.3 Intelligence Platform: System Administration Guide, Second Edition.

I had successfully exported a package of ACTs from my source 9.3 M0 environment, but when I tried to import them into my target 9.3 M2 environment I saw the following error message:

It was quite puzzling. It said I had to import ACTs into a specific folder, but that was the very same folder I was trying to import into. I had a feeling of deja-vu. I realized I’d seen this back when I first set up our SAS 9.3 M0 environment and was testing migration of security metadata between levels for the same SAS version. Continue reading “Migrating SAS Access Control Templates”