Tag: SAS 9.4

New Permissions in SAS 9.4 M2: ManageCredentialsMetadata & ManageMemberMetadata

SAS® 9.4 M2 was released recently and included some new permissions related to identity administration. These new permissions are ManageMemberMetadata (MMM), for groups and roles, and ManageCredentialsMetadata (MCM), for users and groups. I found them documented in the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition. They are listed in the Use and Enforcement of Each Permission section as follows:

ManageMemberMetadata (MMM): Change the membership of the Group and Role. Cannot change security or other account attributes.
ManageCredentialsMetadata (MCM): Manage accounts and trusted logins of User and Group. Cannot change security or other account attributes.

They also appear in the Permissions by Object Type section, where it reads:

Identity: User administration capabilities (from the Metadata Server: User Administration role) enable you to create, update, and delete users, groups, and roles. You can delegate management of an identity to someone who doesn’t have user administration capabilities by adding explicit or ACT grants of WriteMetadata permission in the identity’s authorization properties. An identity’s authorization properties have no effect on what that identity can do. You need ManageMemberMetadata permission to change the membership of the UserGroup and Role. ManageCredentialsMetadata enables you to manage accounts and trusted logins of User and UserGroup.

After some further exploration, I also saw that (unless otherwise specified) MMM and MCM follow the WriteMetadata (WM) permission on identities, just as WriteMemberMetadata (WMM) does with folders.

To provide support for these new permissions, Metacoda has just released an updated version of Metacoda Plug-ins 4.0 R2.

You can now see MMM and MCM in the Public Types Explorer:

New MCM and MMM permissions in SAS 9.4 M2

The new permissions are also visible in the various Metacoda Reviewers and Permissions Explorers. If you are using the Metadata Security Testing Framework, you can now export tests that include MMM and MCM, and run tests that check for them too.

I’d encourage all existing users of Metacoda Plug-ins to upgrade to 4.0 R2. This latest release can be downloaded after logging in from the Metacoda support page. If you’re not yet a Metacoda Plug-ins user then you might be interested in a free one month evaluation license where you can try them out in your own environment.

SAS Metadata Security Testing

SAS® Global Forum 2014 is now only a few days away, and I’m excited (and a little nervous) about presenting my paper Test for Success: Automated Testing of SAS® Metadata Security Implementations.

Update 03Apr2014: My paper is now available for download from the SAS Global Forum 2014 Online Proceedings.

SAS metadata security testing is a topic I’ve been contemplating for a long time now. For many organizations, metadata security is an important feature of the SAS platform. It enables them to control access to business resources described by the metadata and ensure their users can only use SAS applications to view and modify resources appropriate to their roles within the organization.

When metadata security is important, conducting security testing on a regular basis is important too. Regular testing allows an organization to feel confident in the security of their platform and to promptly detect deviations from a carefully crafted metadata security implementation. Many times I’ve seen accidental changes, or quick fixes, which had a detrimental impact on an installation’s metadata security. Without regular testing, Continue reading “SAS Metadata Security Testing”

Providing User Access to the SAS® BI Lineage Plug-in

I was asked yesterday whether it was possible to use the SAS® Management Console BI Lineage plug-in to provide non-administrators with the ability to review BI Lineage scans (as previously run by administrators). The BI Lineage plug-in can be used to do impact analysis for BI content (reports, information maps etc.) in a similar way that SAS Data Integration Studio provides impact analysis for DI content (jobs, tables, etc).

I’d never needed to do this before, so I did a little research. It didn’t take long to find the Granting Users Permission to View Scan Results section of the Using the BI Lineage Plug-in page in the SAS® 9.4 Intelligence Platform: System Administration Guide, Second Edition. That page explains how to open up access to the BILineage custom repository so that normal non-administrative users can get access to the scans (which are otherwise only available to unrestricted users). The document doesn’t get into explaining how to provide normal users with access to the BI Lineage plug-in itself so in this blog post I’m going to outline the steps required, with screenshots, to show the entire process. The end result of this process will be a BI Lineage Users group. You can then add normal non-administrative users as members of this group to provide them with access to both the BI Lineage plug-in and the scans in the BILineage repository.

The first step is to create the BI Lineage Users group. Continue reading “Providing User Access to the SAS® BI Lineage Plug-in”

Removing Custom Task Capability Metadata

Yesterday I saw a question on the SAS® Communities site from Nick about Registering Custom Tasks and managing the capability metadata that’s used for role based access control on those custom tasks. I found Nick’s question especially interesting because we have some free Metacoda Custom Tasks and those techniques can also be used to control access to them.

Nick had mentioned how he used SAS® Enterprise Guide® to register the capability metadata for some custom tasks, was asking about doing the same for the SAS Add-In for Microsoft Office, and also about how one would go about removing the capability metadata. Chris Hemedinger later replied with a response that I found very useful. There was a link to one of his prior blog posts on the topic (Controlling access to custom tasks in SAS Enterprise Guide – The SAS Dummy) and some information on using RegAddin.exe to get the capability metadata populated for use by the Add-In. Chris also mentioned there was not a way to remove the custom task capability metadata short of the potentially dangerous technique of using the SAS Open Metadata Interface’s DeleteMetadata facility.

Having already registered the custom task metadata myself, I now needed a way to remove it so I could repeat the process for future documentation and testing purposes. I used the DeleteMetadata method. This is the main topic for this blog post and it serves 2 purposes: the first is that I wanted to document how I did it so I could do it again later; the second is that it was an opportunity for me to use the SAS Management Console XML Metadata Interface and capture a few screenshots along the way. I rarely use the SAS Management Console XML Metadata Interface and it’s always a journey of re-discovery every time I do. This time I wanted a permanent memory of the steps so I could refer to them again in future. I also ran into an interesting unknown-public-type issue that initially prevented me from deleting the capability metadata, so I’ll show how I resolved that too. Continue reading “Removing Custom Task Capability Metadata”

Creating a Metadata Bound Library with SAS 9.4

One of the nice enhancements in SAS® Management Console 9.4 is the addition of a point & click method for creating a Metadata Bound Library. Metadata Bound Libraries have been available since SAS 9.3 M2 but prior to SAS 9.4 you had to write proc authlib code to set one up (see this prior post for an example).

Many of the SAS platform administrators I meet have an IT admin background, not necessarily a SAS coding background, so this addition of a point & click method in SAS 9.4 will certainly make it easier for people to take advantage of metadata bound libraries. I find it makes it easier and I do have a SAS coding background. I don’t create metadata bound libraries every day, so I haven’t committed the syntax to memory yet :). Using the point & click method can be quicker than tracking down a code example.

Starting from the Folders tab in SAS Management Console 9.4, navigate to the /System/Secured Libraries folder. Right mouse click over the Secured Libraries folder and select the New and Secured Library menu items.

Starting the process of adding a SAS 9.4 Metadata Bound Library

In the New Secured Library wizard, provide a name and description for the secured library, then click the Next button. Continue reading “Creating a Metadata Bound Library with SAS 9.4”