Recently I’ve been working on using the Metacoda Identity Sync Plug-in to synchronize SAS platform identities (users and groups) with their counterparts from multiple Microsoft Active Directory (AD) Domains contained within a single Forest. In a future post I’ll talk about extending this to multiple domains from multiple trusted forests.
In the recent Metacoda Plug-ins 5.0 R5 release there have been a few enhancements to make it easier to sync with multiple domains (and avoid using custom code hooks):
Members of “Included Groups” are followed into other domains within the same forest.
You can opt to prefix the SAS User and Group names with the NetBIOS domain name. You might choose to do this if you have any users or groups in different domains with the same sAMAccountName and want to avoid non-unique user/group name validation errors when they get to the SAS platform.
There are more user login options available to help appropriately qualify the inbound login for the SAS user using the domain of the Active Directory user.
Have you ever wanted to restart a single SAS® web application without having to wait for the entire stack of SAS Web Application Servers to restart? Well, SAS Environment Manager provides the ability to do this, and I think that’s fantastic. I needed to restart the SAS Logon Manager several times the other day, and by using SAS Environment Manager I was able to save at least an hour of my time in repeatedly restarting the individual app rather than the entire app server. This post shows the steps involved in restarting a single web app with SAS Environment Manager. I’m saving these steps because each time I’ve needed to do it, it has taken me a while to find the right place (because there’s so much to see in SAS Environment Manager!).
I used the SAS Management Console Configuration Manager plug-in to add the ServiceUrl.Allowed advanced parameter to SAS Application Infrastructure. The next step was to restart SAS Logon Manager to pick up the change. After logging into SAS Environment Manager, I knew that the SAS Logon Manager web app was in the SAS Web App Server instance named SASServer1_1, so I searched for that by typing in sasserver1_1 and selecting Servers from the drop-down:
If you use conditional grants in SAS® Visual Analytics for row level security, then you might be interested in one of the enhancements available in our recent Metacoda Plug-ins 5.0 release. This new release adds support for automated metadata security testing of the permission conditions behind conditional grants. Conditional grants, sometimes known as row-level permissions or row-level security, allow you to grant limited access to a subset of data based on an expression. If someone is in a constrained group then they only get to see the rows where the expression evaluates to true.
If you’re using conditional grants to restrict certain groups of users to specific subsets of data then you’d probably be keenly interested in making sure those conditional grants remain in place. You wouldn’t want to discover at some future time that, due to unexpected changes in the permission conditions, those groups of users have been getting much broader access to data than should have been allowed.
Some time has passed since I wrote the original post, and a few things have changed. I’m now running SAS 9.4 M3, but this post should equally apply to SAS 9.4 M2. I have also switched the Linux distribution from Debian to CentOS 7.1. I am also using a much simpler method of joining the Linux server to the AD domain, using the realmd package (previously there were lots of individual steps using the underlying packages, but realmd automates most of this). In this post I’m going to outline the simpler method using realmd.
I’ve been spending lots of time lately on SAS® platform identity synchronizations. I’m fairly confident that I’ve done more Microsoft Active Directory (AD) to SAS Metadata Server synchronizations in the past few weeks than I’ve done in my entire career working with SAS software! :) The reason for this is that we’ve been doing lots of testing and demos for a new Metacoda Identity Sync Plug-in we’ve built that makes it easier for people to get started synchronizing identities with SAS metadata. With all these tests and demos, the SAS metadata backup and restore facility has also been an invaluable feature for allowing us to easily rewind and repeat the process – I’ve done my fair share of backups/restores these past few weeks too :)
The idea for the Metacoda Identity Sync Plug-in came after years of writing and customizing SAS programs using the standard SAS User Import Macros (%MDU macros). I found I had built up a set of common practices I would choose from depending on the customer’s requirements: things like name/display-name prefixing/suffixing; tagging for deletion instead of deleting outright; login manipulation; audit reporting, etc. This plug-in is a way of packaging those practices up, as configurable options, with both a point-and-click and a batch interface. The outcome is an ability to rapidly implement identity synchronization, for a new or existing SAS platform installation, in a matter of minutes (rather than hours or days of writing code).
It has been a very rewarding experience building this new plug-in, and the feedback we’ve had so far has been very positive. Some of the interesting challenges along the way included:
Making it easy to get started, but also flexible enough to handle some of the more specific requirements we see with our customers. The point-and-click interface includes the common options, but we also added support for customers to tweak things by dropping their own SAS code in at key points in the process too.
Letting people interactively visualize and review the changes before they are made, adding and removing exceptions as required, and building a configuration that can be used in batch processes too.
Working within AD resource limits whilst extracting reasonably large subsets of identities for synchronization with SAS. Some of our tests included pulling out many thousands of users (40K+), including groups that contained several thousand users each.
Providing support for encrypted connections to AD via LDAPS, or LDAP with STARTTLS.
Generating audit reports of the process, so you can track what changes occurred when, and with all of the information that led to those changes.
Writing our first commercial plug-in that updates metadata (all our other commercial plug-ins to date have been read-only). In this plug-in we have opted to only update metadata via the standard, unmodified, well-known and trusted SAS %MDU macros. Whilst we have a lot of experience with the SAS metadata model, we decided to give our customers a gentle introduction to Metacoda-driven metadata updates.
If you’d like to see the Metacoda Identity Sync Plug-in in action, here’s a short 10 minute screencast. I show the initial configuration, building an Identity Sync Profile, and a small initial load of AD users, driven by the selection of an initial set of AD groups. That saved profile can then be re-used for further interactive synchronizations (adding, updating and deleting identities as appropriate), as well as being used to drive regular batch synchronizations (topics for future screencasts perhaps?).
We’ve been getting some great feedback from the people we have shown so far, so I hope you’ve found this video interesting too. If you’d like to find out more about this new plug-in, or any of our other Metacoda Plug-ins, please contact me, or visit the metacoda.com web site. We’re still taking on beta testers for the upcoming Metacoda Plug-ins 5.0 release too.