SAS Security Design Best Practices, Validation and Monitoring

Similar documents
SAS Metadata Security 201: Security Basics for a New SAS Administrator

Test for Success: Automated Testing of SAS Metadata Security Implementations Paul Homes Metacoda

Best Practices with SAS 9 Metadata Security

SAS 9.4 Management Console: Guide to Users and Permissions

Hands-Off SAS Administration Using Batch Tools to Make Your Life Easier

SAS 9.4 Management Console: Guide to Users and Permissions

SAS Metadata Security Journey prepare to be audited!

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other

SAS 9.2 Intelligence Platform. Security Administration Guide

Platform Overview and What s New in SAS 9.4 Architecture

Time Series Studio 12.3

Time Series Studio 13.1

What s New in Enterprise Jeff Simpson Sr. Systems Engineer

Certkiller.A QA

Grant permissions sql server Grant permissions sql server 2008.zip

Using Metadata Queries To Build Row-Level Audit Reports in SAS Visual Analytics

Best Practice for Creation and Maintenance of a SAS Infrastructure

NTFS File and Folder Permissions. Windows Server Ins and Outs of NTFS permissions in Windows Server 2012.

SAS Model Manager 2.3

What's New - Technical in Microsoft Dynamics AX 2012 for Implementation Course 80165A: 1 Day; Instructor-Led

SAS Viya 3.3 Administration: Identity Management

Intelligence for the connected world How European First-Movers Manage IoT Analytics Projects Successfully

TREENO ELECTRONIC DOCUMENT MANAGEMENT. Administration Guide

How to Host WebEx Meetings

Microsoft SharePoint Server 2013 Plan, Configure & Manage

SAS STUDIO. A pretty big deal! Copyr i g ht 2012, SAS Ins titut e Inc. All rights res er ve d.

Content Modeling for Administrators

12/05/2017. Geneva ServiceNow Custom Application Development

Using Zoom. Hosting a Live Classroom

SAS Intelligence Platform

Web Site Guidelines. University of Texas at El Paso. Prepared by: The Office of Information Resources and Planning. November 16, 2004.

SAS Forecast Server 3.1. Administrator s Guide to Installation and Configuration

One of the primary features of 5-Star Students is the ability to capture and store attendance data during school events.

Making do with less: Emulating Dev/Test/Prod and Creating User Playpens in SAS Data Integration Studio and SAS Enterprise Guide

Creating a Departmental Standard SAS Enterprise Guide Template

Policy Manager in Compliance 360 Version 2018

SharePoint 2016 Site Collections and Site Owner Administration

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

WebEx Training Center Tutorial for Cornell Faculty

SAS Forecast Server 3.1. Administrator s Guide to Report Administration Tasks

Microsoft Core Solutions of Microsoft SharePoint Server 2013

CTC BIM Suites Installation and Configuration Guide

GUIDE TO STORAGE CHARGEBACKS WITH DATADVANTAGE

Nortel Quality Monitoring Search and Replay Guide

Enterprise Data Access Management in a Multi-Tenant SAS BI environment

WHAT IS THE CONFIGURATION TROUBLESHOOTER?

AN INTRODUCTION TO OUTLOOK WEB ACCESS (OWA)

Oracle User Productivity Kit 11 Implementation Consultant Essentials - Exam Study Guide

AWS Service Catalog. User Guide

SharePoint User Manual

SAS Model Manager 2.2. Tutorials

Setting Up Jive for SharePoint Online and Office 365. Introduction 2

20331B: Core Solutions of Microsoft SharePoint Server 2013

Project management integrated into Outlook

Administering SAS Enterprise Guide 4.2

Using the Calendar. Microsoft Outlook Web App. University Information Technology Services. Learning Technologies, Training & Audiovisual Outreach

Crystal Enterprise. Overview. Contents. Installation FAQ: Crystal Enterprise 9 & 10

Exam Questions Demo Microsoft. Exam Questions Windows Server Administration Fundamentals

AvePoint Cloud Governance. Release Notes

SAS Platform Strategy Prepared for FANS usergroup. Mike Frost, Director, Product Management Fiona McNeill, Global Product Marketing

Faculty of Engineering Computer Engineering Department Islamic University of Gaza Network Lab # 7 Permissions

Lasso Your Business Users by Designing Information Pathways to Optimize Standardized Reporting in SAS Visual Analytics

Practical Introduction to SharePoint 2007

Course 55197A: Microsoft SharePoint Server 2016 for the Site Owner/Power User

TAS Self Service Reporting Overview

Planning and Administering SharePoint 2016

"Charting the Course... MOC A: SharePoint 2016 Site Collections and Site Owner Administration. Course Summary

Oracle Application Express: Administration 1-2

My SAS Grid Scheduler

Implementing Data Models and Reports with Microsoft SQL Server Exam Summary Syllabus Questions

Microsoft Dynamics CRM 2011 Customization and Configuration

ITaP Confluence Guide. Instructions for Getting Started with Confluence a Purdue

SharePoint 2016 Site Collections and Site Owner Administration

Outrun Your Competition With SAS In-Memory Analytics Sascha Schubert Global Technology Practice, SAS

EMC Documentum Composer

55035: Microsoft SharePoint Server 2013 for the Site Owner/Power User

Access Control. Steven M. Bellovin September 13,

SAS Inventory Optimization 5.1

HORTICOPIA Professional

Voyant Connect User Guide

Module 4: Access Control

BEST PRACTICES ARCHIVE in contentaccess

Options for managing Shared Folders

OVERVIEW OF THE SAS GRID

RWT Network System Installation Guide

ITaP Confluence Guide. Instructions for Getting Started with Confluence a Purdue

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

Windows Server 2008 Active Directory Resource Kit

Tzunami Deployer Confluence Exporter Guide

Business Requirements Document (BRD) Template

Microsoft Dynamics CRM Online Deployment (MB2-706)

AppDev StudioTM 3.2 SAS. Migration Guide

SAS Enterprise Miner 14.1

DataFlux Web Studio 2.5. Installation and Configuration Guide

Course Content. This is the second in a sequence of two courses for IT Professionals and is aligned with the SharePoint 2016 IT Pro certification.

Tzunami Deployer Confluence Exporter Guide

SAS Studio 3.7: Administrator s Guide

DocAve. Release Notes. Governance Automation Online. Service Pack 8

Episerver CMS. Administrator User Guide

General Access Control Model for DAC

Transcription:

SAS Security Design Best Practices, Validation and Monitoring Today s event will begin at 3:00 PM ET. Audio will remain muted until the event begins. When we begin, audio will be heard through your computer speakers. To access audio by phone, dial the number below followed by the access code and #: US Toll-free: +1 866 282 7366 Toll/International: +1 210 606 9466 Access Code: 595 023 290 # If you experience any technical difficulties, please contact WebEx Technical Support at +1-866-229-3239. Copyright SAS Institute Inc. All rights reserved.

SAS Security Design Best Practices, Validation and Monitoring Copyright SAS Institute Inc. All rights reserved.

Presenters Michelle Homes Founder and Business Development Manager, Metacoda Angie Hedberg Technical Consulting Manager, SAS Shelley Sessoms Community Manager, SAS External Communications Copyright SAS Institute Inc. All rights reserved.

SAS Administration & Deployment Community Online. Everyday. Communities.sas.com/deployment Copyright SAS Institute Inc. All rights reserved.

Copyr i g ht 2015, SAS Ins titut e Inc. All rights res er ve d. SAS, VALIDATION, AND MONITORING

SAS SECURITY DESIGN BEST PRACTICES INTRODUCTION Key highlights for today s presentation: SAS Metadata Security Design Best Practices Validation and monitoring techniques using Metacoda to ensure adherence to metadata security best practices File System Security Design Best Practices Based on security design best practices used within U.S. SAS Consulting SAS Global Forum 2017 Paper: Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design (Authors: Angie Hedberg and Phil Hopkins) http://support.sas.com/resources/papers/proceedings17/sas0709-2017.pdf Assumption that attendees have basic knowledge of SAS security framework

METADATA #1: DEFINE AND IMPLEMENT PERSONAS Categorize all users in your organization based on their job function and usage of SAS software Define tasks that each persona will perform within SAS and list all SAS client applications that each persona may use Define functional security requirements for each persona For example: Administrators, Developers, Analysts, Report Creators, Consumers

METADATA #1: DEFINE AND IMPLEMENT PERSONAS For example: Administrators: Administrators will have full access to the SAS environment. They will perform user management, configure security, apply software upgrades and hotfixes, monitor the system, and troubleshoot end user issues. Administrators have full access to all SAS client applications. Developers: Developers will use a wide variety of SAS tools to create data, perform adhoc analysis and reporting, and generate data or reports to share with others. SAS client applications used by this persona might include: SAS Data Integration Studio, SAS Enterprise Guide, SAS Studio, and SAS Visual Analytics. Consumers: Consumers are read-only users that will consume web-based reports created by Developers. Consumers cannot create reports. Consumers will use the following SAS applications: SAS Visual Analytics and SAS Mobile BI.

METADATA #2: CREATE CUSTOM GROUPS AND ROLES FOR SIMPLICITY Default SAS groups and roles are typically narrowly focused on individual applications Create custom metadata groups that map to defined personas Create a custom role for each persona Assign capabilities across all relevant applications for each custom role Role object Group assigned to Role ROLE: Developer Developers Assign capabilities across applications

METADATA #2: CREATE CUSTOM GROUPS AND ROLES FOR SIMPLICITY Benefits: Simplifies the onboarding process of a new user by adding them to a single group which then grants all privileges they need in the system Allows SAS Administrators the ability to see all capabilities for a given persona by viewing a single role Note: there are some required roles with implicit capabilities, such as the Metadata Server roles. These roles must be included in your security design as well.

METADATA #3: USE ACTS INSTEAD OF ACES Access Control Entries (ACEs): explicit permission for some identity applied to some object Access Control Templates (ACTs): collection of ACEs saved as a pattern of permissions which can be applied to multiple objects The use of ACEs can be unmanageable, and lead to confusion or incorrect effective permissions due to user error ACTs are easier to design, implement, understand, and manage over time

METADATA #3: USE ACTS INSTEAD OF ACES Inherited Permission Directly applied via ACT X Directly applied via ACE

METADATA #4: ONLY USE GROUPS FOR ACTS Only identity groups should be used for building the rules within ACTs, never individual users This is a common best practice in any security model, but it is an important best practice and worth noting Allows for users to be easily added and removed from the system without impacting security implementation

METADATA #5: DENY BROADLY AND GRANT SPECIFICALLY ACTs should be defined by denying permissions to the broadest identity level possible and granting permissions more precisely to the groups that require access Implemented by denying PUBLIC or SASUSERS, then granting permissions selectively to groups Avoids potential permission conflicts and unintended effective permissions caused by user error Don t forget to grant back permissions to privileged identities

METADATA #5: DENY BROADLY AND GRANT SPECIFICALLY If your deployment requires access for PUBLIC users, then always broadly deny access to the PUBLIC identity in ACTs If your deployment does not allow any PUBLIC users, and PUBLIC users are denied all permissions on the Default ACT, or removed altogether from the Default ACT, then SASUSERS can be used for broad denial of permissions in ACTs

METADATA #6: IDENTIFY BUSINESS ACCESS PATTERNS AND DEFINE ACTS TO ENCAPSULATE THE PATTERNS Define business access patterns and build ACTs to implement the pattern For example: Private pattern, Write pattern, Register pattern, Update pattern By encapsulation, this means to define all permissions for all groups within a single ACT that are required to implement the access pattern The name of the ACT should clearly identify the access pattern

METADATA #6: IDENTIFY BUSINESS ACCESS PATTERNS AND DEFINE ACTS TO ENCAPSULATE THE PATTERNS Private Pattern: used to restrict read access to a specific group of users PUBLIC or SASUSERS: deny ReadMetadata, deny Read (d-rm, d-r) <Business Group>: grant ReadMetadata, Read (RM, R) SAS Administrators: grant ReadMetadata, Read (RM, R) SAS System Services: grant ReadMetadata, Read (RM, R) Write Pattern: enables full write access to objects PUBLIC or SASUSERS: deny WriteMetadata, deny Write, deny Create, deny Delete, and deny Administer (d-wm, d-w, d-c, d-d, d-a) <Functional Business Group>: grant WriteMetadata, Write, Create, Delete, and Administer (WM, W, C, D, A) SAS Administrators: grant Write, Create, Delete, and Administer (WM, W, C, D, A) SAS System Services: grant WriteMetadata (WM)

METADATA #6: IDENTIFY BUSINESS ACCESS PATTERNS AND DEFINE ACTS TO ENCAPSULATE THE PATTERNS Register Pattern: enables users to add ( register ) new objects into a metadata folder, but not update the folder itself PUBLIC or SASUSERS: deny WriteMetadata (d-wm) <Functional Business Group>: grant WriteMemberMetadata (WMM) SAS Administrators: grant WriteMetadata (WM) SAS System Services: grant WriteMetadata (WM) Update Pattern: enables users to modify metadata objects PUBLIC or SASUSERS: deny WriteMetadata (d-wm) <Functional Business Group>: grant WriteMetadata (WM) SAS Administrators: grant WriteMetadata (WM) SAS System Services: grant WriteMetadata (WM)

METADATA #6: IDENTIFY BUSINESS ACCESS PATTERNS AND DEFINE ACTS TO ENCAPSULATE THE PATTERNS SAS Administrators Update ACT PUBLIC or SASUSERS: deny WriteMetadata (d-wm) SAS Administrators: grant WriteMetadata (WM) SAS System Services: grant WriteMetadata (WM) Used to secure: Access Control Templates Groups and Roles Server components SAS Folders root metadata folder

METADATA #7: APPLY PERMISSIONS AT THE HIGHEST OBJECT LEVEL POSSIBLE ACTs should be applied on the highest object level possible to achieve the desired restrictions Define the metadata folder structure with this best practice in mind For example, apply ACT on a Reports folder and have those permissions inherit down to all reports created within the folder versus applying ACTs on each individual report object

METADATA #7: APPLY PERMISSIONS AT THE HIGHEST OBJECT LEVEL POSSIBLE Apply Hotels Private ACT Apply Hotels Marketing Private ACT Apply Hotels Marketing Developers Write ACT Apply Hotels Marketing Developers Register ACT

METADATA SUMMARY OF METADATA SECURITY BEST PRACTICES Define and Implement Personas Create Custom Groups and Roles for Simplicity Use ACTs instead of ACEs Only use Groups for ACTs Deny Broadly and Grant Specifically Identify Business Access Patterns and Define ACTs to Encapsulate the Patterns Apply Permissions at the Highest Object Level Possible

METADATA Monitoring and Validation of Metadata Security Design Best Practices

Where Metacoda helps SAS Apps SAS Metadata Server SAS Metadata Authorization Layer SAS Resources Metacoda helps here DB Auth Layer DB Resources Op Sys Auth Layer File / Other Resources

ABOUT METACODA. since 2007 Provide add-ons to SAS Software for enhanced metadata visibility and exploitation Metacoda Identity Sync Metacoda Security Plug-ins Metacoda Testing Framework Metacoda Utility Plug-ins - free Custom Tasks (for SAS Enterprise Guide & AMO) - free Goals: Improve your productivity through enhanced metadata visibility Helping to keep your SAS platform secure

BUSINESS PROBLEMS WE SOLVE Keeping SAS Users & Groups in sync with Active Directory Including large & complex directories all without code! Metacoda Identity Sync Knowing/documenting your SAS Metadata Security Easily showing an Auditor what someone has access to who has access to something Metacoda Security Plug-ins Verifying & proving to an Auditor your SAS Metadata Security is still intact and you can quickly detect and act on changes Metacoda Testing Framework

METADATA SECURITY TESTING: WHY? Over time we get changes from various user roles Production (Lev1) is it still adequately secured? tomorrow? next week? next month?

METADATA SECURITY TESTING: WHY? Test for consistency across multiple environments Production (Lev1) Test (Lev2) Development (Lev3) Test

METADATA SECURITY TESTING: WHY? Test for consistency during SAS version upgrades SAS 9.2 (Lev1) SAS 9.3 (Lev1) SAS 9.4 (Lev1) Test Test

TESTING A SINGLE ENVIRONMENT: TEST & REPEAT Tomorrow, Next Week, Next Month: Compare current state to desired state using previously exported Metadata Security Test XML files

CONSISTENCY TESTING DIFFERENT ENVIRONMENTS Export Metadata Security Test XML files from source environment to test for consistency in target environment.

TESTING FOR RECOMMENDED SECURITY PRACTICES Metacoda Security Testing Framework includes tests to help sites follow recommended security practices Choose from recommended practice tests you want to follow Adjust ignores list / exclusions (if necessary) Example provides in the Batch Interface package metacoda-plugins-batch\examples\sectest-run-tasks\metacoda-recommended-practices.xml

METADATA Demonstration

MULTIPLE AUTHORIZATION LAYERS There are multiple authorization layers in a SAS environment SAS Metadata Layer File System Layer Database Layer Each has its own authorization facility and permissions to consider

FILE SYSTEM #1: UNDERSTAND TOUCHPOINTS BETWEEN SAS METADATA AND THE FILE SYSTEM Not all metadata objects have a corresponding physical file, and not all files on the file system have a corresponding metadata object Administrators need to understand the associations between metadata objects and files so that you can intelligently define and properly secure the file system directory structure

FILE SYSTEM #1: UNDERSTAND TOUCHPOINTS BETWEEN SAS METADATA AND THE FILE SYSTEM Content Type Metadata Object File System File SAS Visual Analytics Report or Exploration SAS Enterprise Miner Project X X SAS Enterprise Guide Project maybe on client file system or SAS server file system SAS Data Set maybe X X SAS Program File (or Macro code) Custom Format X X SAS Data Integration Studio Job X maybe (if code deployed)

FILE SYSTEM #2: MIMIC THE METADATA FOLDER STRUCTURE At a high level, the metadata folder structure and the file system directory structure should mirror one another For example, if the metadata folder structure is organized by Business Units and Departments, the same organizational hierarchy should be used to define the file system directory structure Subfolders defined in metadata for specific object types might not all map to subdirectories on the file system, and vice versa for physical files that do not exist in metadata In addition, permissions should be similar between metadata and the file system This simplifies the end user experience and allows for a consistent navigation path

FILE SYSTEM #2: MIMIC THE METADATA FOLDER STRUCTURE Mimic the Metadata folder structure on the file system X /enterprise /hotels X /shared /shared /marketing /data /data /macros /formats /data /data_integration /em_projects /formats /programs /scheduled_jobs /storedprocesses

FILE SYSTEM #3: DEFINE SERVICE ACCOUNTS BASED ON THE REQUIRED SECURITY GRANULARITY Define multiple service accounts according to the security granularity required For example, you can implement a unique service account per Tenant or Business Unit Service accounts are commonly used for: Scheduled jobs Stored Process Server File system directory owner (on UNIX)

FILE SYSTEM #4: USE SETGID PERMISSION ON DIRECTORIES (FOR UNIX) To facilitate file sharing on UNIX systems, specify the setgid permission on directories Ensures all new files created within the directory will inherit the same group owner as the parent directory The setgid permission will also inherit down to newly created subdirectories Greatly improves the end-user experience

FILE SYSTEM PULLING THE FILE SYSTEM BEST PRACTICES TOGETHER Directory Owner Group Owner Permissions Root Directory Subdirectories Description sas sas 755 /sasdata Root directory for SAS permanent data and code parks_srv parks 2750 /parks Line of Business specific root directory parks_srv parks 2770 /data Parks: SAS data or views parks_srv parks 2770 /data_integration Parks: DI root directory for code, data, deployed jobs parks_srv parks 2770 /em_projects Parks: shared SAS Enteprise Miner projects parks_srv parks 2770 /formats Parks: custom formats parks_srv parks 2770 /programs Parks: SAS program (code) files parks_srv parks 2770 /scheduled_jobs Parks: deployed jobs for scheduling parks_srv parks 2770 /storedprocesses Parks: stored process code files hotels_srv hotels 2750 /hotels Line of Business specific root directory hotels_srv hotels 2770 /data Hotels: SAS data or views hotels_srv hotels 2770 /data_integration Hotels: DI root directory for code, data, deployed jobs hotels_srv hotels 2770 /em_projects Hotels: shared SAS Enteprise Miner projects hotels_srv hotels 2770 /formats Hotels: custom formats hotels_srv hotels 2770 /programs Hotels: SAS program (code) files hotels_srv hotels 2770 /scheduled_jobs Hotels: deployed jobs for scheduling hotels_srv hotels 2770 /storedprocesses Hotels: stored process code files sas sas 755 /sasusers Root directory for individual personal user folders <user> sas 700 /<user> Implicit "SASUSER" library configured to this path

FILE SYSTEM SUMMARY OF FILE SYSTEM SECURITY BEST PRACTICES Understand Touchpoints between SAS Metadata and the File System Mimic the Metadata Folder Structure Define Service Accounts based on Required Security Granularity Use SETGID Permission on Directories (for UNIX)

REFERENCES PULLING METADATA AND FILE SYSTEM TOGETHER TO BUILD A SECURITY MODEL 10-Step Process for creating a SAS security model SAS Global Forum 2017 Paper: Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design http://support.sas.com/resources/papers/proceedings17/sas0709-2017.pdf Additional SAS Security Resources: SAS 9.4 Intelligence Platform: Security Administration Guide http://support.sas.com/documentation/cdl/en/bisecag/69827/html/default/viewer.htm Five Papers on SAS 9.4 Security Model Design (Author: David Stern) https://communities.sas.com/t5/sas-communities-library/five-papers-on-recommended-sas-9-4-security- Model-Design-part-1/ta-p/361569 (part 1) https://communities.sas.com/t5/sas-communities-library/five-papers-on-recommended-sas-9-4-security- Model-Design-part-2/ta-p/361575 (part 2)

REFERENCES POSTS AND PAPERS ON METACODA METADATA TESTING FRAMEWORK Blog: Following SAS GEL Security Rules with Metacoda Security Tests http://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacodasecurity-tests/ Blog: Testing Conditional Grants in SAS Visual Analytics http://platformadmin.com/blogs/paul/2015/09/testing-conditional-grants-sas-va/ Blog: Testing Recommended Practices with SAS Metadata Security http://platformadmin.com/blogs/paul/2015/06/testing-recommended-practices/ Blog: SAS Metadata Security Testing http://platformadmin.com/blogs/paul/2014/03/sas-metadata-security-testing/ SAS Global Forum 2014 Paper http://support.sas.com/resources/papers/proceedings14/1761-2014.pdf

Any questions? Please use the Q&A panel to submit questions. Copyright SAS Institute Inc. All rights reserved.

@SASSoftware SAS Software, SASUsersgroup SASSoftware SAS, SAS Users Group communities.sas.com blogs.sas.com/content Copyright SAS Institute Inc. All rights reserved.

Director+ attend for free Students attend for free (Academic Faculty = 50% off) Early Bird Discount until July 31! Register Today! C opyr i g ht 2017, SAS Ins titut e Inc. All rights res er ve d.

Thank you! sas.com Copyright SAS Institute Inc. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback