Managing Complex SAS Metadata Security Using Nested Groups to Organize Logical Roles

Similar documents
Guide Users along Information Pathways and Surf through the Data

SAS Enterprise Case Management 2.1. Administrator s Guide

SAS Integration Technologies Server Administrator s Guide

RSA Authentication Manager 7.1 Migration Guide

SAS Enterprise Case Management 2.2. Administrator s Guide

Tips and Tricks for Organizing and Administering Metadata

Microsoft SharePoint Server 2013 Plan, Configure & Manage

SAS IT Resource Management 3.8: Reporting Guide

SAS Web Infrastructure Kit 1.0. Administrator s Guide

TECHNICAL OVERVIEW OF NEW AND IMPROVED FEATURES OF EMC ISILON ONEFS 7.1.1

SAS Metadata Security 201: Security Basics for a New SAS Administrator

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Time Series Studio 13.1

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

IBM FileNet Business Process Framework Version 4.1. Explorer Handbook GC

Time Series Studio 12.3

Approaches for Upgrading to SAS 9.2. CHAPTER 1 Overview of Migrating Content to SAS 9.2

WMI log collection using a non-admin domain user

SAS Contextual Analysis 14.3: Administrator s Guide

Lasso Your Business Users by Designing Information Pathways to Optimize Standardized Reporting in SAS Visual Analytics

Windows Server 2008 R2 64-bit (x64) SP1. The SAS Workspace Servers can run on any platform that is supported by SAS 9.4 (TS1M3 or TS1M4).

ControlPoint. Managing ControlPoint Users, Permissions, and Menus. February 05,

Two-Machine Deployment of SAS Office Analytics 7.4

Release Notes. Last Updated: March 2018

Introduction With the move to the digital enterprise, all organizations regulated or not, are required to provide customers and anonymous users alike

METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

SAS. Installation Guide Fifth Edition Intelligence Platform

OpenIAM Identity and Access Manager Technical Architecture Overview

SAS Clinical Data Integration 2.6

HP Database and Middleware Automation

Data Insight Feature Briefing Box Cloud Storage Support

Policy Manager in Compliance 360 Version 2018

Nuance Management Center

SAS Profitability Management 1.3. Installation Instructions

Storage Considerations for VMware vcloud Director. VMware vcloud Director Version 1.0

Git with It and Version Control!

DocAve 6 SharePoint Migrator

Best Practice for Creation and Maintenance of a SAS Infrastructure

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

DataFlux Web Studio 2.5. Installation and Configuration Guide

SAS Contextual Analysis 13.2: Administrator s Guide

SAS Clinical Data Integration 2.4

Configuring SAS Web Report Studio Releases 4.2 and 4.3 and the SAS Scalable Performance Data Server

Vector Issue Tracker and License Manager - Administrator s Guide. Configuring and Maintaining Vector Issue Tracker and License Manager

SAS 9.4 Management Console: Guide to Users and Permissions

Nuance Management Center

Mobility best practice. Tiered Access at Google

Service Manager. Installation and Deployment Guide

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

The SAS Workspace Servers can run on any platform that is supported by SAS 9.3.

Oracle Data Integrator 12c: Integration and Administration

Product Documentation. ER/Studio Portal. User Guide 2nd Edition. Version 2.0 Published January 31, 2013

SAML-Based SSO Solution

WHAT IS THE CONFIGURATION TROUBLESHOOTER?

Exchange Pro 4.4. User Guide. March 2017

McAfee Enterprise Security Manager. Authentication Content Pack Documentation

A SAS Data Integration Development

Microsoft Core Solutions of Microsoft SharePoint Server 2013

Configuring EMC Isilon

Service Manager. Ops Console On-Premise User Guide

Centrify Infrastructure Services

Privileged Identity App Launcher and Session Recording

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

ArcGIS for Server: Security

Using the Cisco NAC Profiler Endpoint Console

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

Best Practices in Enterprise Data Governance

Product Documentation. ER/Studio Portal. User Guide. Version Published February 21, 2012

Lotus Learning Management System R1

Remove complexity in protecting your virtual infrastructure with. IBM Spectrum Protect Plus. Data availability made easy. Overview

Vision Project Connect User Guide. Release 1.5. Administrator Guide

20331B: Core Solutions of Microsoft SharePoint Server 2013

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

Endpoint Protection with DigitalPersona Pro

SAS Studio 3.4: Administrator s Guide, Second Edition

Using SAS Enterprise Guide with the WIK

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

LT Auditor Installation Guide

ABSTRACT MORE THAN SYNTAX ORGANIZE YOUR WORK THE SAS ENTERPRISE GUIDE PROJECT. Paper 50-30

SAS. Information Map Studio 3.1: Creating Your First Information Map

Data Validation Option Best Practices

Centrify for Dropbox Deployment Guide

Running Effective Projects In Office 365. June 1, 2017

SharePoint Management

IBM Tivoli Identity Manager V5.1 Fundamentals

SharePoint Document Management

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

SAS Factory Miner 14.2: User s Guide

SAS 9.3 Intelligence Platform

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Business Intelligence Launch Pad User Guide SAP BusinessObjects Business Intelligence Platform 4.1 Support Package 1

Your Data Visualization Game Is Strong Take It to Level 8.2

Horizon Workspace Administrator's Guide

NETWRIX PASSWORD EXPIRATION NOTIFIER

Transitioning from Batch and Interactive SAS to SAS Enterprise Guide Brian Varney, Experis Business Analytics, Portage, MI

Netwrix Auditor for Active Directory

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

SAS 9.4 Management Console: Guide to Users and Permissions

Transcription:

Paper 1789-2018 Managing Complex SAS Metadata Security Using Nested Groups to Organize Logical Roles ABSTRACT Stephen Overton, Overton Technologies SAS Metadata security can be complicated to setup and cumbersome to maintain over time. Often times organizations need to manage many itemized groups and roles across multiple logical roles, especially with some industry-specific SAS solutions. In some cases, user groups and roles have no standards or framework to follow, which forces SAS administrators to guess to get an initial security model and process in place. To make matters even more complicated, permissions could be mutually inclusive across logical roles. This paper will present a scalable methodology to manage any number of itemized groups and roles within SAS metadata by providing a standardized template and approach using nested groups which roll up into customizable logical roles. This approach can be scaled for larger organizations by layering more nested groups as the number of users and group grow. Once deployed, the SAS administrator will only need to place SAS user accounts in top-level groups based on logical roles versus managing many groups. INTRODUCTION Security is critical to every environment as well as the process to maintain over time. In the SAS Intelligence Platform, the SAS Metadata Server is used to manage security for the environment. It is composed of many small pieces of security controls to manage every major aspect including data access, metadata folder access, component access, users, groups, roles, and functionality within individual tools of the environment. Having many small pieces to define becomes challenging for business users and IT, even with general communication of capabilities desired versus delivered. The targeted reader of this paper is the SAS Platform Administrator as well as the Solution Architect looking to effectively manage the complexity of many small security pieces to manage. This paper will describe key concepts that can be leveraged for simple or complex environments. SAS Management Console is the primary thickclient tool leveraged by the SAS Platform Administrator. The two important deliverables of the methodology described in this paper is a security model to implement within the User Manager of SAS Management Console and a conceptual process to follow to manage other areas of SAS metadata. The User Manager is shown in Figure 1. Further details on managing the SAS Intelligence Platform can be found through SAS Support documentation provided in the References section of this paper. AUTHENTICATION VERSUS AUTHORIZATION Figure 1: User Manager in SAS Management Console. Understanding the conceptual difference between authentication and authorization is important. Authentication is the process which makes the simple binary decision if a user is active or not. Authorization is the process which decides what a user can access and perform in the environment. By default, the SAS Intelligence Platform relies on the host operating system for user authentication and SAS Metadata for user authorization. Common systems that are used for host authentication are Microsoft Active Directory, PAM, or UNIX password file structure. Other technologies can be leveraged such as direct LDAP authentication. See SAS Intelligence Platform Customer documentation for further details on configuring SAS for host authentication. 1

The following diagram in Figure 2 provides a conceptual view of host authentication within the SAS Intelligence Platform. Figure 2: Conceptual host authentication process. The following diagram in Figure 3 provides a conceptual architecture diagram to depict where host authentication and authorization occurs in a typical tiered environment. SAS Metadata Server Host Authentication Active Directory SAS Authentication & Authorization SAS Authentication & Authorization SAS Compute Server Pooled Workspace Server Stored Process Server Host Authentication Workspace Server Pooled Workspace Server (Ex: SAS Enterprise Guide) Windows Explicit Logon DB Credentials Retrieved from SAS metadata SAS Mid Tier Server SAS Logon (Ex: Web Browser) Client PC Database Server Trusted DB Connection User Credentials - Workspace Server Proxy Credentials (Ex: sassrv) - Pooled workspace server - Stored process server Figure 3: Conceptual authentication and authorization architecture. 2

COMMON ACCESS CONTROL LAYERS IN SAS METADATA The most common components to manage in SAS metadata include access to data, what functionality a user has based on the solutions and tools available in the environment, and what metadata folders can be access on a read or read-write basis. The following section will provide conceptual definition around these common components. DATA ACCESS Data is a very critical component of a SAS environment since one of SAS s primary purposes is to analyze and present information about data so business users can make informed decisions. Data can reside in many locations. The only data that can be managed by a security model in SAS metadata is data which can be accessed by the server components of the environment which are managed by the SAS Metadata Server. Traditional relational databases are very common ways to store data, as well as file system mounts on the SAS compute tier, and other third-party systems such as Hadoop. The SAS server can act as a proxy to systems which live outside of the local file system of the SAS compute tier. Often service accounts are used by SAS to access these systems or the end user s credentials can be passed through to the source system if desired. All critical pieces to connect to any supported database can be managed within SAS Metadata. Regardless of what is defined in SAS metadata, the source data storage technology or database will almost always require some form of authentication and authorization. FUNCTIONAL CAPABILITIES It is important to separate what a user can do in terms of function versus what information a user can access in terms of data. Data and functionality are best managed as two separate but equally important layers of an environment. Managing data and functionality separately gives the most flexibility and scalability. Functionality for a SAS environment can be found in the Roles and Capabilities available through SAS Management Console s User Manager as shown in Figure 4 below. Figure 4: Roles and Capabilities in SAS Management Console. 3

METADATA FOLDER ACCESS Many components of the SAS Intelligence Platform are contained within folders of the SAS metadata repository. Folders are managed through the Folders tab of SAS Management Console. Having a welldefined model to manage both the structure and access of these folders is critical for the security and scalability of the environment. File System Folder Access Managing local file system folder or directory access is outside the scope of this paper. Like third party databases, it is still important to note that the local file system or network mounted storage of the SAS compute tier is always managed by the respective operating system of the environment. SAS libraries can be defined to access locally available filesystems within the context of Data Access, as described by the previous section, but the ultimate authentication and authorization is still managed by the source operating system. SECURITY MODEL FRAMEWORK The security model can be thought of as a framework that expands with the growth of the environment. Specific security model controls within each access control layer can grow the most frequent, while overall layers that organize specific controls will probably remain static over time. As shown in Figure 5 below, the highest level access control is the logical role which contains the necessary access controls to support the job function of the logical role in the SAS environment. [A] Logical Role [F] Functionality [Dx] Data Access [Mx] Metadata Security Other Access Control Groups Figure 5: Logical Roles contain many access control layers managed by groups in SAS metadata. DEFINING AND MANAGING LOGICAL ROLES Logical roles are organized typically by the job functions within the business user base of the SAS environment. Logical roles can have mutually inclusive capabilities that can be easily managed with a nested group structure described later in this section. Defining logical roles for a SAS environment will be an extensive process initially, but become more fluid as the environment grows and adoption of this security model framework occurs. Examples of logical roles are defined using the following naming scheme: [A] SAS Platform Administrator [A] AML Manager [A] AML Supervisor [A] AML Analyst [A] Developer The important naming standard to retain is the [A] prefix. The remainder of the group name can be the actual logical role required for the respective SAS environment. 4

MANAGING ACCESS CONTROL LAYERS THROUGH NESTED GROUPS The next level beneath logical roles provides access control layers to specific areas of the security model. This portion of the framework is organized using groups within the SAS security model. Groups can contain other groups if needed for larger organizations. Ultimately these access control groups contain atomic-level groups which regulate very specific pieces of the environment. The following outline provides a list of common access control layers to manage within SAS metadata as well as the naming prefix that will be expanded upon later in this paper: [F] Functional groups manage what actions and abilities users can perform using Roles & Capabilities defined in metadata. [Dx] Data access groups manage what data users have access to. [DR] read only connection [DW] read and write connection [Mx] Manage layers of metadata folder access [MR] read only permissions [MW] read and write permissions. [P] Portal pages within SAS Information Delivery Portal (if applicable). [SNA] SAS Social Network Analysis alert series access (if applicable). [ECM-WF] SAS Enterprise Case Management workflow access (if applicable). Specific examples will be provided in the next section of this paper for each of the conceptual access control layers listed above along with matching logical roles. NAMING STANDARDS As shown above, the use of square brackets is very prevalent. One advantage of using special characters is for the simple ability to sort the User Manager within SAS Management Console and have the security model groups appear at the top of the list. The critical naming standards defined above include the [A], [Dx], [F], and [Mx] groups. Other groups may or may not be applicable. There may be other access control layers to define depending on what functionality and products are available. As always, leverage the description fields within SAS metadata to self-document as much as possible. SPEAKING A COMMON LANGUAGE BETWEEN THE BUSINESS AND IT One big advantage to having a standardized security model is establishing a common language between business users and the IT department. This language consists both of vocabulary to use as well as how to have dialogue for securing the environment and provisioning users. This maximizes productivity over time by reducing internal meetings and making conversations efficient. COMBINING LOGICAL ROLES WITH LAYERS OF ACCESS CONTROLS After logical roles and access control layers have been defined and mapped to appropriate components of the SAS environment, the security framework can begin to take shape. The following diagram shown in Figure 6 provides an example matrix which maps top-level logical roles to more detailed access control layers along the left-hand side of the matrix. 5

[A] Administrator [A] AML Administrator [A] AML Scenario Administrator Logical Role (User Group) Inherited Group [ECM-WF] BSA Manager X X [ECM-WF] SAR Process X X X X X X [ECM-WF] CTR Process X X X X X X X [ECM-WF] Watchlist X X X X X X [ECM-WF] CDD/EDD X X X X X (F) Analyst X X X (F) Investigator X X X (F) Supervisor X X X (F) Manager X X X X (F) Report Consumer X X X X X X X X X X (F) Report Author X X X X X X X (F) Report Developer (F) ECM Developer X X (F) efiler X X X X X (F) Portal Administrator X (F) User Administrator X (F) Administrator X (F) Scenario Administrator X X (ECM-UI) Internal Employee X X X X X X X X (ECM-UI) Restricted Customers X X X X X X X X (ECM-UI) Case Assignment X X X X X X X X (ECM-UI) Scenario Admin X X X X (DR) ECM Application X X (DR) FCS Reporting X X (DR) FCF Core X X X X X (DW) FCF Core Staging X X (DR) FCF Knowedge Center X X X X X [A] ECM Developer Figure 6: Security model framework displayed as a matrix crossing logical roles with access control groups. This security matrix can serve as documentation for audit and compliance as well as operational documentation for the SAS Platform Administrator. This example, and other examples provided in this paper are meant to be starting points to be expanded upon to fit the respective organization. [A] BSA Manager [A] CTR Manager [A] SAR Manager [A] CDD/EDD Manager [A] SAR Supervisor [A] CTR Supervisor [A] CDD/EDD Supervisor [A] SAR Analyst [A] CTR Analyst [A] CDD/EDD Analyst 6

ONGOING MAINTENANCE OF THE SECURITY MODEL Regular confirmation and audit of the security model framework should be enforced on a periodic basis. Top-level logical roles should be checked to verify the proper access control groups are contained within the desired memberships. Each nested layer of groups should be followed through to the lowest level group or role. Random sampling of lowest level groups and roles and can be used to verify security from a bottom-up as well. CONCLUSION Having a solid security framework to support a SAS environment is a critical component often overlooked and under-estimated. Any size environment benefits from having a well-defined security model with easy-to-use group structures. No matter how complicated and large an organization is, leveraging nested groups in a thoughtful manner as described in this paper will provide a well-defined, solid security model which will answer the demands and rigors of business users and IT compliance. REFERENCES SAS Intelligence Platform Customer Documentation Page. SAS Institute. Accessed March 6, 2018. Available at https://support.sas.com/documentation/onlinedoc/intellplatform/index.html. CONTACT INFORMATION Your comments and questions are valued and encouraged. Contact the author at: Stephen Overton Overton Technologies (919) 341-9667 soverton@overtontechnologies.com https://www.stephenoverton.net https://www.linkedin.com/in/overton/ SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. indicates USA registration. Other brand and product names are trademarks of their respective companies. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback