Metacoda Security Plug-ins Components
Metacoda Security Plug-ins consists of all the following components:
- ACT Reviewer
- ACE Reviewer
- User Reviewer
- Group Reviewer
- Role Reviewer
- Capability Reviewer
- Protected Object Reviewer
- Login Reviewer
- Internal Login Reviewer
ACT Reviewer
You can use the ACT Reviewer to easily and efficiently review all of the Access Control Templates in your metadata: how they have been defined, where they have been applied, and how they may have been protected.
Applications
Some of the common types of questions administrators ask, which are easily answered with the ACT Reviewer, include:
- "We have a number of ACTs in our metadata. How do we find out where they have been used?"
- "We have heard that ACTs need to be protected to ensure that they can't be modified by non-administrators attempting to elevate their own permissions. How do we easily find all of the ACTs where someone has forgotten to protect them with access controls?"
- "We are doing some housekeeping on our ACTs. Do we have any ACTs that have not been applied to any objects at all and remain unused? Do we have any empty ACTs that, even though they have been applied to objects, are redundant and are not actually doing anything useful?"
- "We would like to follow best practices with our ACTs by using only groups and eradicating references to individual users. How do we easily find ACTs that refer to individual users?"
- "We have just finished a project to implement a new metadata security plan. How do we easily document the current implementation to verify against our plan? How do we document the implementation again at a later date to compare with the plan and see what has changed since the initial implementation?"
Features
These are some of the major features in the ACT Reviewer:
- ACTs Table: displays a list of all ACTs present in metadata together with summary information and indicators for those ACTs. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific ACT of interest.
- Permissions Tab: provides a definition view for the selected ACT: the group and/or user identities and the various permissions granted or denied.
- Objects Tab: displays a list of all of the objects that have been protected through the direct application of the selected ACT.
- ACT Protections Tab: shows any ACTs that may have been directly applied to the selected ACT in order to protect it.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected ACT in order to protect it.
- HTML Export: all of the information available in the ACT Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
ACE Reviewer
You can use the ACE Reviewer to easily and efficiently review all of the Access Control Entries in your metadata: the objects they have been applied to, and the permissions they impart.
Applications
Some of the common types of questions administrators ask, which are easily answered with the ACE Reviewer, include:
- "In the past our SAS metadata security has been managed in a very ad-hoc fashion using ACEs. Now that we know more about SAS metadata security, we would prefer to use a methodical approach based on ACTs. How do we find all of the ACEs that have previously been applied so we can work on removing or replacing them?"
- "Our SAS metadata security model is based on a combination of both general purpose ACTs and specific ACEs. We want to ensure all of our ACEs are based on groups rather than individual users. How can we find any and all existing ACEs which refer to individual users?"
- "How do we find all of the OLAP member level security permission conditions that have been applied in our SAS metadata?"
Features
These are some of the major features in the ACE Reviewer:
- ACEs Table: displays a list of all ACEs present in metadata together with information about associated protected objects, participating user and group identities, and the explicit permissions granted or denied. Various columns provide details and indicators relating to object folder paths, identities, permissions and permission conditions. The table can be customised by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific ACE protected object of interest.
- Exclusions: a customizable exclusion list allows you to hide ACEs on objects in specific folder locations or under specific folder branches. The exclusion list contains an initial set of folder locations, such as private user folders, where SAS applications automatically manage ACEs. By excluding these ACEs you can focus on those administrator managed ACEs instead.
- HTML Export: all of the information available in the ACE Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
User Reviewer
You can use the User Reviewer to easily and efficiently review all of your SAS metadata user identities: their group identity hierarchy, their role memberships, the capabilities they have access to, all of their accessible logins, any associated internal logins, any ACTs and ACEs they participate in, any ACTs and ACEs that have been applied to protect them, and any external identities they may be associated with.
Applications
Some of the common types of questions administrators ask, which are easily answered with the User Reviewer, include:
- "Is the Aaron Atkins user a member of the Business Analysts group considering nested group memberships too?"
- "Why is the Aaron Atkins user a member of the Southern Region group when he is not a direct member of the group? Which nested group is providing him with the membership?"
- "Is the Aaron Atkins user a member of the Custom Power Users role? Is it a direct membership? Is it an indirect membership through a group he is a member of? Is it a membership through the implicit PUBLIC or SASUSERS groups? Which group or groups is he a member of that makes him a member of the role?"
- "Why is the Aaron Atkins user still a member of the Custom Admins role when he was removed as a direct member? Are there any groups he's a member of that are still providing him with membership of the role?"
- "Does the Eve Evans user have access to the Save Files to Local Computer capability? Is it through a direct membership of a single role, or direct membership of multiple roles? Is it through indirect membership via heavily nested multiple group memberships? Is it through implicit membership of the SASUSERS and PUBLIC groups? By what group and role memberships is she provided the capability? How many different ways is she provided this capability?"
- "We removed the Eve Evans user from the Custom Power User role but she is still provided the Save Files to Local Computer capability. Where is this coming from?"
- "Do we have any users without logins and therefore can't possibly login? Which ones?"
- "What are all of the logins that the Eve Evans user has access to? Include her own private logins as well as all of the shared logins she has access to from her nested group memberships. Does she have access to the shared Oracle login in the Oracle Users group?"
- "Do any of our users directly participate in any ACTs or ACEs? Which users? Which ACTs? Which ACEs?"
- "Have any of our users been specifically protected with ACTs or ACEs? Which ones?"
- "Which users are associated with Active Directory identities? Which ones aren't?"
- "We have just finished a project to re-organise the SAS metadata user group memberships for our organisation. How do we easily document the current state so that we can refer back to it at a later date if things change?"
Features
These are some of the major features in the User Reviewer:
- Users Table: displays a list of all users present in metadata together with summary information and indicators for those users. The table can be customised by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific user of interest.
- Groups Tab: shows all of the direct and nested groups the currently selected user is a member of. The tree view shows the identity hierarchy for the currently selected user. The filter bar allows you to quickly determine if the selected user is a member of a targeted group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Roles Tab: shows all of the roles the currently selected user is a member of, including direct memberships and indirect memberships through nested groups and the implicit SASUSERS and PUBLIC groups. The filter bar allows you to quickly determine if the selected user is a member of a targeted role (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Capabilities Tab: shows all of the SAS application capabilities registered in metadata and an indication of whether the currently selected user is provided that capability. You can also see how that capability is acquired, including all of the membership paths that provide it. The filter bar allows you to search for a specific capability and find out if the selected user has the capability and how they are getting it.
- Logins Tab: shows all of the logins the user has access to. This includes private logins for the selected user together with any shared group logins the user has access to by virtue of their group memberships.
- Internal Logins Tab: shows details of any internal SAS account/login that might have been created for the selected user.
- ACT Participation Tab: shows the details for any Access Control Templates (ACTs) where the user is directly participating in the definition of the ACT.
- ACE Participation Tab: shows the details for any Access Control Entries (ACEs), including associated object, where the user is directly participating in the ACE on the object.
- ACT Protections Tab: shows any Access Control Templates (ACTs) that may have been directly applied to the selected user to protect the user registration.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected user to protect the user registration.
- External Identities Tab: displays any external identities, such as Active Directory or LDAP accounts, that may have been linked to the user during enterprise directory identity synchronisation.
- HTML Export: all of the information available in the User Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
Group Reviewer
You can use the Group Reviewer to easily and efficiently review all of your SAS metadata group identities: their members, their group memberships, their role memberships, the capabilities they provide to their members, the shared logins they provide to their members, any ACTs and ACEs they participate in, any ACTs and ACEs that have been applied to protect them, and any external identities they may be associated with.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Group Reviewer, include:
- "Does the Business Analysts group have the Aaron Atkins user as a member, considering nested group memberships too?"
- "Why does the Southern Region group have the Aaron Atkins user as a member when he is not a direct member of the group? Which nested group is providing him with the membership?"
- "Is the Business Analysts group a member of the Custom Power Users role? Is it a direct membership? Is it an indirect membership through another group that it's a member of? Which group or groups is it a member of that makes it a member of the role?"
- "Why is the Business Analysts group still a member of the Custom Admins role when it was removed as a direct member? Are there any groups it's a member of that are still providing it with membership of the role?"
- "Does the Business Analysts group provide access to the Save Files to Local Computer capability? Is it through a direct membership of a single role, or direct membership of multiple roles? Is it through indirect membership via heavily nested multiple group memberships? By what group and role memberships is it providing its members with the capability? How many different ways is it providing its members with the capability?"
- "We removed the General HR Users group from the Custom Power Users role but it is still providing its members with the Save Files to Local Computer capability. Where is this coming from?"
- "Do we have any groups with shared logins provided to their members? Which ones?"
- "Do we have any groups that contain themselves through circular references in nested group memberships? Which ones? Where are the loops?"
- "Which of our groups directly participate in any ACTs or ACEs? Which ACTs? Which ACEs?"
- "Have any of our groups been specifically protected with ACTs or ACEs? Which ones?"
- "Which groups are linked to Active Directory groups? Which ones aren't?"
- "We have just finished a project to re-organise the SAS metadata groups for our organisation. How do we easily document the current state so that we can refer back to it at a later date if things change?"
Features
These are some of the major features in the Group Reviewer:
- Groups Table: displays a list of all groups present in metadata together with summary information and indicators for those groups. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific group of interest.
- Members Tab: shows all of the direct and nested members of the currently selected group. The filter bar allows you to quickly determine if any other group or user is a member of the selected group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Groups Tab: shows all of the direct and nested groups the currently selected group is a member of. The filter bar allows you to quickly determine if the selected group is a member of another targeted group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Roles Tab: shows all of the roles the currently selected group is a member of, including direct memberships and indirect memberships through nested groups. The filter bar allows you to quickly determine if the selected group is a member of a targeted role (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Capabilities Tab: shows all of the SAS application capabilities registered in metadata and an indication of whether the currently selected group provides that capability to its members. You can also see how that capability is provided, including all of the role membership paths that provide it. The filter bar allows you to search for a specific capability and find out if the selected group provides that capability to its members and how they are getting it.
- Logins Tab: shows all of the shared logins the group provides to its members.
- ACT Participation Tab: shows the details for any Access Control Templates (ACTs) where the group is directly participating in the definition of the ACT.
- ACE Participation Tab: shows the details for any Access Control Entries (ACEs), including associated object, where the group is directly participating in the ACE on the object.
- ACT Protections Tab: shows any Access Control Templates (ACTs) that may have been directly applied to the selected group to protect the group registration.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected group to protect the group registration.
- External Identities Tab: displays any external identities, such as Active Directory or LDAP groups, that may have been linked to the SAS group during enterprise directory identity synchronization.
- HTML Export: all of the information available in the Group Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
Role Reviewer
You can use the Role Reviewer to easily and efficiently review all of your SAS metadata roles: their members, any other roles that they contribute capabilities to, any other roles that they receive capability contributions from, the capabilities they provide to their member users and groups, any ACTs and ACEs that have been applied to protect them, and any external identities they may be associated with.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Role Reviewer, include:
- "Does the Custom Business Analyst role provide the Open Files from Local Computer capability?"
- "How does the Custom Business Analyst role actually provide the Open Files from Local Computer capability? Is it direct or contributed? Where is it being contributed from?"
- "Is the Aaron Atkins user a member of the Custom Power Users role? Are they directly a member, or are they a member because they are a member of a group which is a member? Which groups are they a member of that makes them a member of the role?"
- "Why is the Aaron Atkins user still a member of the Custom Power Users role? Which groups are they a member of that are still providing them with membership of the role?"
- "Have any of our roles been specifically protected with access controls? Which ones?"
- "Which roles have either of the PUBLIC or SASUSERS implicit groups as members and provide their capabilities to all users?"
- "Do we have any roles which have no members and are not being used? Which ones?"
- "We have just finished a project to tailor our roles and capabilities for our organisation. How do we easily document the current state so that we can refer back to it at a later date if things change?"
Features
These are some of the major features in the Role Reviewer:
- Roles Table: displays a list of all roles present in metadata together with summary information and indicators for those roles. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific role of interest.
- Members Tab: shows all of the direct and nested members of the currently selected role. The filter bar allows you to quickly determine if any user or group is a member of the selected role (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Contributions Tab: if the selected role is a contributing role for other roles, this tab will show you which roles it contributes capabilities to, including any additional nested roles that those roles in turn contribute to.
- Contributing Roles Tab: shows which other roles, if any, contribute capabilities to the currently selected role, including any further nested contributing roles.
- Capabilities Tab: shows which capabilities the selected role provides to its members with information about how the capability is provided (e.g. direct or contributed) together with any contribution paths. The filter bar allows you to search for a specific capability and find out if the selected role provides it.
- ACT Protections Tab: shows any Access Control Templates (ACTs) that may have been directly applied to the selected role to protect it.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected role to protect it.
- External Identities Tab: displays any external identities, such as Active Directory or LDAP accounts, that may have been linked to the role during enterprise directory identity synchronization.
- HTML Export: all of the information available in the Role Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
Capability Reviewer
You can use the Capability Reviewer to easily and efficiently review all of the SAS application capabilities as registered in your metadata: the roles that provide those capabilities and the members they provide those capabilities to, including all of the multiple nested role/group membership and contribution paths.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Capability Reviewer, include:
- "Is the Open Files from Local Computer capability provided to the Custom Business Analyst role?"
- "Is the Open Files from Local Computer capability provided to the Business Analysts group?"
- "Is the Open Files from Local Computer capability provided to the Aaron Atkins user?"
- "How is the Open Files from Local Computer capability actually provided to the Aaron Atkins user? Is it through a direct membership of a single role, or direct membership of multiple roles? Is it through indirect membership via heavily nested multiple group memberships? Is it through implicit membership of the SASUSERS and PUBLIC groups?"
- "What are all of the paths by which the Aaron Atkins user is provided the Open Files from Local Computer capability? How many different ways is he provided this capability?"
- "We removed the Aaron Atkins user from the Business Analysts group but he is still provided the Open Files from Local Computer capability. Where is this coming from?"
- "We have just finished a project to tailor our roles and capabilities for our organization. How do we easily document the current state so that we can refer back to it at a later date if things change?"
Features
These are some of the major features in the Capability Reviewer:
- Capabilities Table: displays a list of all application capabilities registered in metadata together with summary information and indicators for those capabilities. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific capability of interest.
- Roles & Members Tab: shows all of the paths by which the selected capability is provided to groups, users and other roles. It displays the roles that provide the selected capability directly to their members, together with any roles that contribute the selected capability to other roles. It shows all of the groups and users, including nested memberships, that acquire the selected capability through membership of those roles. The filter bar allows you to quickly find specific roles, groups or users of interest that participate in a capability access path.
- HTML Export: all of the information available in the Capability Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
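The access-path questions above ("where is this capability still coming from?", "where are the loops?") come down to walking an identity graph. The following Python is an added example, not Metacoda's code and not a SAS API: the dictionaries are constructed sample data, the "Regional Leads" group and "Basic Viewer" role are hypothetical, and treating every registered user as an implicit member of SASUSERS and PUBLIC is a modelling assumption.

```python
from collections import defaultdict

# Assumption: every registered user is an implicit member of both groups.
IMPLICIT_GROUPS = ("SASUSERS", "PUBLIC")

# Constructed sample data, not taken from any real metadata server.
USERS = ["Aaron Atkins", "Eve Evans"]
GROUP_MEMBERS = {                      # group -> direct members
    "Business Analysts": ["Aaron Atkins", "Southern Region"],
    "Southern Region": ["Eve Evans", "Regional Leads"],
    "Regional Leads": ["Business Analysts"],   # deliberate circular nesting
}
ROLE_MEMBERS = {                       # role -> direct members
    "Custom Business Analyst": ["Business Analysts"],
    "Custom Power Users": ["Aaron Atkins"],
    "Basic Viewer": ["PUBLIC"],
}
ROLE_CONTRIBUTES_TO = {                # contributing role -> receiving roles
    "Basic Viewer": ["Custom Power Users"],
}
ROLE_CAPABILITIES = {                  # role -> capabilities it holds directly
    "Custom Business Analyst": ["Open Files from Local Computer"],
    "Basic Viewer": ["Open Files from Local Computer"],
    "Custom Power Users": ["Save Files to Local Computer"],
}


def build_edges():
    """Edges point from a node to whatever it is a member of or receives from."""
    edges = defaultdict(list)
    for user in USERS:
        edges[user].extend(IMPLICIT_GROUPS)
    for container in (GROUP_MEMBERS, ROLE_MEMBERS):
        for parent, members in container.items():
            for member in members:
                edges[member].append(parent)
    for contributor, receivers in ROLE_CONTRIBUTES_TO.items():
        for receiver in receivers:
            edges[receiver].append(contributor)
    for role, capabilities in ROLE_CAPABILITIES.items():
        edges[role].extend(capabilities)
    return edges


def access_paths(edges, identity, capability):
    """Every simple path from an identity to a capability; loops are not re-entered."""
    found = []

    def walk(node, trail):
        if node == capability:
            found.append(trail)
            return
        for nxt in edges.get(node, ()):
            if nxt not in trail:       # guard against circular group nesting
                walk(nxt, trail + (nxt,))

    walk(identity, (identity,))
    return sorted(found)


def group_loops():
    """Groups that contain themselves through nested membership, one tuple per loop."""
    loops = set()

    def walk(group, trail):
        for member in GROUP_MEMBERS.get(group, ()):
            if member == trail[0]:
                start = trail.index(min(trail))      # canonical rotation
                loops.add(trail[start:] + trail[:start])
            elif member in GROUP_MEMBERS and member not in trail:
                walk(member, trail + (member,))

    for group in GROUP_MEMBERS:
        walk(group, (group,))
    return sorted(loops)


EDGES = build_edges()

if __name__ == "__main__":
    for path in access_paths(EDGES, "Eve Evans", "Open Files from Local Computer"):
        print(" -> ".join(path))
    for loop in group_loops():
        print("loop:", " -> ".join(loop))
```

Removing one direct membership only removes one of these paths; the capability is revoked when the list returned by `access_paths` is empty.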
Protected Object Reviewer
You can use the Protected Object Reviewer to easily and efficiently review all of your protected objects: their locations and any ACTs and ACEs that have been applied to protect them.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Protected Object Reviewer, include:
- "In the past our SAS metadata security has been managed in a very ad-hoc fashion using ACEs. Now that we know more about SAS metadata security, we would prefer to use a methodical approach based on ACTs. How do we find all of the objects that have been specifically protected with ACEs and ACTs so we can review those existing access controls, modifying, removing and/or replacing them with ACTs as appropriate?"
- “How do we find all of the SAS OLAP cube dimensions that have had OLAP member level security permission conditions applied in our SAS metadata?”
- “We have just finished a project to implement a new metadata security plan. How do we easily document the current implementation to verify against our plan? How do we document the implementation again at a later date to compare with the plan and see what has changed since the initial implementation?”
Features
These are some of the major features in the Protected Object Reviewer:
- Objects Table: displays a list of all objects present in metadata that have been specifically protected through the application of ACTs and/or ACEs. Various columns provide details and indicators relating to object folder paths, access controls and permission conditions. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific protected object of interest.
- ACT Protections Tab: shows any Access Control Templates (ACTs) that have been directly applied to the selected object.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that have been directly applied to the selected object.
- HTML Export: all of the information available in the Protected Object Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
Login Reviewer
You can use the Login Reviewer to easily and efficiently review all of the logins stored in metadata, including inbound and outbound logins, private logins for individual users as well as shared logins on groups for their members.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Login Reviewer, include:
- “We can't add a login for a specific user or group because it is already present in metadata. How do we find out which identity is already associated with the login we are trying to add?”
- “How can we quickly see all of the logins present in metadata in one view so we can readily spot problems like missing or incorrect domain qualifiers on user ids, incorrect authentication domains etc?”
- “How do we find and review all of the shared group logins present in metadata?”
- “How do we easily document the current state of login usage so that we can refer back to it at a later date if things change?”
Features
These are some of the major features in the Login Reviewer:
- Logins Table: displays a list of all non-internal logins/accounts registered in metadata including information such as user ids, associated authentication domains, and associated user and group identities for those logins. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific login/account of interest.
- HTML Export: all of the information available in the Login Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
Internal Login Reviewer
The Internal Login Reviewer provides information about all of the SAS internal accounts/logins that have been registered in metadata and the identities they are associated with. It makes it easy to find out which users have SAS internal accounts/logins.
Applications
Some of the common types of questions administrators ask, which are easily answered with the Internal Login Reviewer, include:
- “How widespread is the use of SAS internal logins/accounts in our SAS installation?”
- “Which of our users have SAS internal logins/accounts?”
- “Are there any inappropriate SAS internal logins/accounts, perhaps left over from prior impersonation/troubleshooting, that need to be cleaned up?”
- “We are trying to minimise the number of SAS internal accounts in our SAS installation. Which ones have not been used for a while and are likely candidates for removal?”
Features
These are some of the major features in the Internal Login Reviewer:
- Internal Logins Table: displays a list of all SAS internal logins/accounts registered in metadata together with associated user identities, summary information and indicators for those internal accounts. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific internal account of interest.
- HTML Export: all of the information available in the Internal Login Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.


