Tag: SAS Metadata Security

Creating a Metadata Bound Library with SAS 9.4

One of the nice enhancements in SAS® Management Console 9.4 is the addition of a point & click method for creating a Metadata Bound Library. Metadata Bound Libraries have been available since SAS 9.3 M2 but prior to SAS 9.4 you had to write proc authlib code to set one up (see this prior post for an example).

Many of the SAS platform administrators I meet have an IT admin background, not necessarily a SAS coding background, so this addition of a point & click method in SAS 9.4 will certainly make it easier for people to take advantage of metadata bound libraries. I find it makes it easier and I do have a SAS coding background. I don’t create metadata bound libraries every day, so I haven’t committed the syntax to memory yet :). Using the point & click method can be quicker than tracking down a code example.

Starting from the Folders tab in SAS Management Console 9.4, navigate to the /System/Secured Libraries folder. Right mouse click over the Secured Libraries folder and select the New and Secured Library menu items.

Starting the process of adding a SAS 9.4 Metadata Bound Library

In the New Secured Library wizard, provide a name and description for the secured library, then click the Next button. Continue reading “Creating a Metadata Bound Library with SAS 9.4”

Promoting SAS Security Metadata (in Custom Repositories)

Did you know that with SAS® 9.3 you can promote (export/import) SAS metadata packages containing users, groups, roles, and ACTs, just like you can with Jobs, Tables, Libraries, Stored Processes, Reports and Information Maps? I needed to do this myself a few weeks ago. I wanted to promote some groups, roles and ACTs from an existing SAS 9.3 M1 installation to a newer SAS 9.3 M2 installation. Security metadata can be exported and imported via a SAS package file (.spk) from special virtual folders under the top-level /System folder. These virtual folders are distinguishable from normal folders because they have white folder icons instead of yellow folder icons as shown below.

SAS Management Console Virtual Folders

You can find out more information about this feature, including a few considerations you need to be aware of, by reading the Promoting Security Objects and Server Objects sub-section of the main Promotion Details for Specific Object Types section in the SAS 9.3 Intelligence Platform: System Administration Guide, Second Edition.

My security metadata promotion was a little more complicated than normal because I was also promoting some security metadata located in a custom repository. I normally avoid using custom repositories as much as possible (preferring to store everything in the Foundation repository and partitioning content with folders and ACTs). This is especially the case for security metadata: I’ve found that security metadata in custom repositories, being less visible, tends to get forgotten until it gets rediscovered whilst troubleshooting tricky security problems. Helping a customer resolve such problems was the reason we made security metadata from custom repositories highly visible in our Metacoda Security Plug-ins. We have since needed to keep some security metadata in custom repositories for the purposes of development and testing of our software. This is the custom repository security metadata I was attempting to promote, but it took me a little while to find it in the virtual folders …. Continue reading “Promoting SAS Security Metadata (in Custom Repositories)”

Protecting your Metadata Protections: Part 2

SAS Management Console 9.3 showing default non-administrative capabilities.

In a guest post on blogs.sas.com in January, I wrote about protecting your metadata protections. In that post I said that “Ideally, a SAS® metadata security plan should address both ACT permissions and access to the Authorization Manager.” and went on to explain a method for addressing Access Control Template (ACT) permissions.

In this second part, I’ll talk about reducing access to the SAS Management Console Authorization Manager plug-in as further protection for your ACTs.

Of course, for some smaller SAS sites, and those with simple security requirements, this might be overkill. However, for other possibly larger organizations, those with potentially sensitive data/content, and perhaps those with specific regulatory requirements, it might be a necessity to implement a comprehensive metadata security implementation with multi-layered protections like these.

In the default metadata security implementations for SAS 9.3 and SAS 9.2, all SAS users have the capability to access a limited set of features in the SAS Management Console. This includes access to the Authorization Manager plug-in where any accidentally unprotected ACTs could be modified. In order to be able to take advantage of this capability, and modify an ACT, a user has to be able to fulfill all of the following requirements: Continue reading “Protecting your Metadata Protections: Part 2”

Testing Direct Access to SAS Metadata Bound Libraries and Tables

A little while ago, as part of the work on our recent Metacoda Plug-ins 3.0 R2 release, I used SAS® 9.3 M2 to set up a metadata bound library by following the useful instructions in the Setting Up a Metadata-Bound Library section of the SAS® 9.3 Guide to Metadata-Bound Libraries document. This post is about verifying that, post-setup, I no longer had direct access to the tables in the library.

Metadata bound libraries allow you to force clients to visit the SAS Metadata Server first, before they can gain access to the contents of the tables in the library. This gives the metadata server the opportunity to verify appropriate metadata access permissions. Direct access to those secured libraries and tables from Base SAS, without a visit to the metadata server, will be blocked. I first heard about metadata bound libraries at the SAS Global Forum in April this year and had been looking forward to trying them out. If you’re interested in them as well I recommend reading the documentation. Andy Ratcliffe wrote a NOTE: blog post about them recently too. If you don’t yet read Andy’s NOTE: blog I’d definitely recommend adding it to your RSS reader, and he also wrote a post last week about RSS in How Do You Read?.

This is the code I use to configure the metadata bound library (not the real pwencoded password):

libname hr '/opt/sas93m2/config/Lev3/SASApp/Data/HR';
proc authlib library=hr;
create
   securedfolder='/System/Secured Libraries/HR Secured Data'
   securedlibrary='HR Library'
   pw='{SAS002}ABCABCABCABCABCABCABCABC'
   ;
run;

After configuring the metadata bound library I wanted to verify that it had worked and that I hadn’t missed any steps. I wanted to check that the physical tables had been modified in such a way to prevent direct access from SAS processes that attempted to bypass the metadata server and go direct to the tables themselves. Continue reading “Testing Direct Access to SAS Metadata Bound Libraries and Tables”

Sneak Peek at our new Effective Permissions Explorers

Update 16Apr2015: The Effective Permissions Explorers discussed in this blog post were first made available in Metacoda Plug-ins V3.0 and further enhanced in Metacoda Plug-ins V4.0. Details of additional improvements coming in the next release, including export to HTML and CSV, are discussed in this more recent blog post: Getting Ready for SASGF15

Update 08Aug2012: The Effective Permissions Explorers discussed in this blog post are now available for testing. More information is available in this Metacoda blog post: Metacoda Plug-ins V3.0 BETA2 (with free Metadata Explorer & ACT Reviewer!)

This post is a sneak peek at a couple of effective permissions explorers that we are putting into the next version of our Metacoda Security Plug-ins. We’ll also be demoing these at the SAS Global Forum 2012 in Orlando next week, so if you’re attending please pop by and visit us.

One of the most common requests we had been hearing at Metacoda was about providing extra information for effective permissions with SAS® metadata security. Effective permissions will tell you exactly what permissions are granted or denied for a particular user on a particular object, taking into account all of the factors such as Access Control Templates (ACTs), Access Controls Entries (ACEs or explicit permissions), object inheritance paths and identity hierarchies. Effective permissions give you this information without you having to understand all of the rules that SAS software follows to work them out. Of course, I still think an understanding of the rules is essential knowledge for SAS platform administrators to help with planning and impact awareness but that’s another story. Attending the SAS Platform Administration: Fast Track course from SAS Institute is a great way to learn these rules.

Why Another Effective Permissions Tool?

Effective permissions can already be seen in SAS Management Console 9.2 & 9.3 through the Explore Authorizations tab (accessible to administrators via the Advanced button on any objects Authorization tab). This is a great feature and I can’t recommend it enough to people who are troubleshooting metadata permissions on a single object. What we were hearing was Continue reading “Sneak Peek at our new Effective Permissions Explorers”