Tag: Metadata Security Testing

Interesting SAS 9 Metadata Server Access Control Loggers

In my previous post on Finding Interesting SAS 9 Loggers, I highlighted 3 loggers I find useful for SAS 9 metadata access control change auditing, especially when using the new Metacoda Plug-ins 6.2 Activity Reviewer. There is also a 4th logger where you might already have trace level logging enabled, as it is configured so when you set up the SAS Environment Manager Service Architecture Audit, Performance, and Measurement (APM) component. In this post I want to go into more detail on each of those 4 loggers and explain what information they log and why I find them useful.

SAS Management Console Server Manager Logger Dialog

The loggers in question are:

  • Audit.Meta.Security.AccCtrlAdm
  • App.OMI.SecurityAdmin.SetAuthorizationsOnObj
  • App.OMI.SecurityAdmin.ApplyACTToObj
  • App.OMI.SecurityAdmin.RemoveACTFromObj

Continue reading “Interesting SAS 9 Metadata Server Access Control Loggers”

Metacoda Plug-ins Tip: Replaceable Tokens

This is a tip for those who use the Metacoda Security Plug-ins Batch Interface for scheduled automation of SAS® metadata security reporting, testing and identity synchronization. You will find this tip useful if you are using the same configuration values in multiple batch configuration or Identity Sync Profile (IDSP) XML files and would like a way to specify these values in a single places rather than maintain them in multiple locations.

An enhancement that was added in Metacoda Plug-ins 6.1 R3 (Feb 2020) included Continue reading “Metacoda Plug-ins Tip: Replaceable Tokens”

Following SAS GEL Security Rules with Metacoda Security Tests

If you’re responsible for managing SAS® platform security, and you haven’t seen them yet, then I’d definitely recommend reading Five papers on Recommended SAS 9.4 Security Model Design (part 1 & part 2) as published by David Stern, Principal Technical Architect from the SAS Global Enablement and Learning (GEL) team.

These papers are an excellent resource for SAS customers and partners to use when designing security for their SAS platform implementations. Having resources like these gives new administrators the opportunity to get it right early on and not have to learn from their own mistakes. I remember the early days of SAS 9.1 when the platform was new and best practices had yet to be discovered. At that time we were learning what practices worked and what didn’t through trial and error. Now, of course, we have the benefit of SAS documentation and published papers to learn from the prior experience of others. The first of these was the Danish Golden Rules as found in the SAS Global Forum 2011 Paper 376-2011 Best Practice Implementation of SAS Metadata Security at Customer Sites in Denmark by Cecily Hoffritz & Johannes Jørgensen. There’s also Angie Hedberg’s SAS Global Forum 2017 paper: Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design. With the addition of the new GEL recommended practices, the pool of SAS security best practice information has been expanded further with a content rich guide that provides lots of detail, examples, explanations of the rules, and much more. It was also lovely to see Metacoda software get a mention in the GEL papers too. :)

I was fortunate to be able to meet with David at SAS when I was in the UK last week and we spoke about the GEL recommended practices and how the Metacoda Security Testing Framework could be used to help SAS customers and partners follow these practices.

It seemed like to a good time to provide a follow up to an older 2015 blog post I wrote on Testing Recommended Practices with SAS Metadata Security. That post was focused on the Danish Golden Rules, so in this post I’ll show our Metacoda Security Testing Framework can be used to help people follow the GEL rules. Continue reading “Following SAS GEL Security Rules with Metacoda Security Tests”

Testing Conditional Grants in SAS Visual Analytics

If you use conditional grants in SAS® Visual Analytics for row level security, then you might be interested in one of the enhancements available in our recent Metacoda Plug-ins 5.0 release. This new release adds support for automated metadata security testing of the permission conditions behind conditional grants. Conditional grants, sometimes known as row-level permissions or row-level security, allow you to grant limited access to a subset of data based on an expression. If someone is in a constrained group then they only get to see the rows where the expression evaluates to true.

If you’re using conditional grants to restrict certain groups of users to specific subsets of data then you’d probably be keenly interested in making sure those conditional grants remain in place. You wouldn’t want to discover at some future time that, due to unexpected changes in the permission conditions, those groups of users have been getting much broader access to data than should have been allowed.

We’ve enhanced Metacoda Plug-ins in version 5 to help people maintain the integrity of their permission conditions in the following areas: Continue reading “Testing Conditional Grants in SAS Visual Analytics”

Testing Recommended Practices with SAS Metadata Security

If you use our Metacoda Security Testing Framework to continuously and automatically validate your SAS® platform metadata security implementations, then you’ll be interested in some new ‘recommended practice’ tests that are coming in the next release of Metacoda Plug-ins (version 5.0).

Are you are a fan of the Danish Golden Rules for SAS metadata security? Several of our new recommended practice tests can also help you enforce those rules for your SAS platform installations. The six golden rules can be found in SAS Global Forum 2011 paper 376-2011 “Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark” by Cecily Hoffritz and Johannes Jørgensen from SAS Institute Denmark. It’s excellent paper that I often recommend to other SAS platform administrators. By following the golden rules presented in that paper you’ll find SAS metadata security much easier to understand and manage.

You might also notice that some of these recommended practice tests look like test-based alternatives to the recommend practice indicators currently available in Metacoda Security Plug-ins. These new recommended practice tests are a little bit smarter and also allow for exclusions – where you know a recommended practice is not being followed but have a good reason for doing so. While the indicators require someone to regularly look for them, the recommended practice tests can be scheduled to email an alert to someone whenever deviations from the practices are detected.

Here are some details and examples of the new recommended practices tests that will be available in Metacoda Security Plug-ins 5.0. I also point out which tests will help with enforcing the Danish Golden Rules. Continue reading “Testing Recommended Practices with SAS Metadata Security”