Update 05Mar2019: The Metadata Auth Domain Reviewer discussed in this blog post is now available with the Metacoda Plug-ins 6.1 R1 release, and also includes a new Libraries tab based on feedback from customers during early-access testing.
One of the new Metacoda Security Plug-ins features arriving in version 6.1 is the Auth Domain Reviewer. Like the other reviewers, this plug-in is used for investigating, documenting and testing how a SAS metadata security feature has been used within a particular SAS platform deployment. When I’m reviewing metadata security for a SAS platform I like to look at it from several different perspectives, and authentication domains are one of them. I like to see:
- What authentication domains have been added beyond the initial DefaultAuth?
- How have they been used with respect to inbound logins?
- How have they been used with respect to outbound logins and providing shared credentials for database access?
- How have they been used with respect to 3rd party database system connections?
- Are there any unused ones, possibly added by accident, that can be cleaned up?
- Are there any seemingly duplicate ones that might be consolidated?
In the past it has been time-consuming to gather this information together, so this new plug-in Continue reading “Metacoda Auth Domain Reviewer”
This tip was prompted by a SAS Communities question which I hear from time to time, essentially “How do I find out which groups a SAS user is a Portal Group Content Administrator for?” It can be answered using the Metacoda Identity Permissions Explorer but involves a few steps so I will outline them here.
To quote the SAS® 9.4 Intelligence Platform: Web Application Administration Guide, Group Content Administrator section:
A group content administrator is a user who has WriteMetadata permission for the respective group, and the group’s Portal permission tree. A group content administrator can share personal content with the group, and can edit or remove content that has been shared with the group. (Portal administrators have WriteMetadata permission for all group permission trees that are defined in metadata.)
So, to find out which groups a user is group content admin for, we need to look for all of the group portal permission trees where the user has a grant of the WM permission. This can be done quickly and easily using the Metacoda Identity Permissions Explorer. Below is a screenshot with numbered steps where we find out which groups Aaron Atkins (demoaaron), a fictitious Business Analyst, is a Portal Group Content Administrator for. Continue reading “Metacoda Plug-ins Tip: User’s Group Content Admin Permissions (Identity Permissions Explorer)”
As someone who specialises in SAS® metadata security, I spend a lot of time using the Authorization tab in SAS Management Console. I also use Linux a great deal. When I run SAS Management Console on Linux, I’ve noticed that the check box background colours on the Authorization tab don’t render correctly (for me at least). I only ever see white background check boxes when I expect to also see green and gray ones: green indicating an ACT; white indicating an ACE; and gray indicating indirect. These colours are important indicators for the source of access controls so not being able to see them is a problem!
It occurred to me that I might be able to resolve this by specifying a Java System Property in the sasmc.ini file to change the Java Look & Feel.
I first tried changing the default look & feel (using -Dswing.defaultlaf) but that didn’t work. What did work was changing the default system look & feel (with -Dswing.systemlaf). Continue reading “Java Look & Feel with SAS Management Console on Linux”
If you’re responsible for managing SAS® platform security, and you haven’t seen them yet, then I’d definitely recommend reading Five papers on Recommended SAS 9.4 Security Model Design (part 1 & part 2) as published by David Stern, Principal Technical Architect from the SAS Global Enablement and Learning (GEL) team.
These papers are an excellent resource for SAS customers and partners to use when designing security for their SAS platform implementations. Having resources like these gives new administrators the opportunity to get it right early on and not have to learn from their own mistakes. I remember the early days of SAS 9.1 when the platform was new and best practices had yet to be discovered. At that time we were learning what practices worked and what didn’t through trial and error. Now, of course, we have the benefit of SAS documentation and published papers to learn from the prior experience of others. The first of these was the Danish Golden Rules as found in the SAS Global Forum 2011 Paper 376-2011 Best Practice Implementation of SAS Metadata Security at Customer Sites in Denmark by Cecily Hoffritz & Johannes Jørgensen. There’s also Angie Hedberg’s SAS Global Forum 2017 paper: Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design. With the addition of the new GEL recommended practices, the pool of SAS security best practice information has been expanded further with a content-rich guide that provides lots of detail, examples, explanations of the rules, and much more. It was also lovely to see Metacoda software get a mention in the GEL papers. :)
I was fortunate to be able to meet with David at SAS when I was in the UK last week and we spoke about the GEL recommended practices and how the Metacoda Security Testing Framework could be used to help SAS customers and partners follow these practices.
It seemed like a good time to provide a follow-up to an older 2015 blog post I wrote on Testing Recommended Practices with SAS Metadata Security. That post was focused on the Danish Golden Rules, so in this post I’ll show how our Metacoda Security Testing Framework can be used to help people follow the GEL rules. Continue reading “Following SAS GEL Security Rules with Metacoda Security Tests”
In a previous post I’ve described a method for configuring Active Directory Authentication for SAS® on Linux (with realmd). One of the packages that’s installed is oddjob-mkhomedir. This package normally handles any requirement for auto-creating home directories for those AD users on Linux. Unfortunately it doesn’t seem to get used by the SAS Object Spawner. I ran into this issue again today when logging into SAS Studio 4.2 as an AD user on the SAS Viya™ 3.2 platform. I wasn’t able to log in because the AD user’s Linux home directory didn’t exist and hadn’t been auto-created. After manually creating the home directory the login succeeded. I would rather get auto-creation working so I wouldn’t need to manually create home directories for each SAS user that was likely to use SAS Studio. Thankfully I was able to find a solution that I’ll describe in this post. Continue reading “Auto Creation of Linux Home Directories for SAS Users”