Synchronizing AD users with SAS Metadata Server
Abul Ahsan Md Mahmudul Haque
Helse Nord IKT
November 12, 2014
Abul Ahsan Md Mahmudul Haque (HNIKT) AD synchronization =⇒ SAS Metadata Server November 12, 2014 1 / 18
Overview
Introduces Active Directory & SAS Metadata Server
Major features of the synchronization application
Challenges in the synchronization program
Limitations/Further Work
Introduction (1 of 4)
At present we have more than 1000 users, including about 50 analysts, who depend on SAS for their analytic and reporting needs; to provide security & confidentiality we need to do the following:
Load SAS user identities into the metadata repository
Assign identities to groups based on their job function (for example, User or HR-User, Analytekere-HR-USER)
Maintain the identity metadata to reflect the current state of the site’s SAS users
Introduction (2 of 4)
Figure 1: User groups in SAS Environment
Introduction (3 of 4)
“One size does not fit all; — two or three sizes don’t fit all either.”
Microsoft Active Directory is the most popular tool for managing user authentication
SAS macros can extract user accounts from AD and create user accounts in SAS metadata.
By default, these macros import and synchronize all accounts from Active Directory
The SAS Metadata Server must use host authentication against the same AD.
Introduction (4 of 4)
Figure 2: Overview of SAS Metadata services
Initial Metadata Repository Identity Load (1 of 2)
Active directory identity extraction
SAS provides LDAP call routines; minor modifications are required for one’s own site.
Two separate data steps are required, one for users and one for groups.
The elements stored in the resulting data set were user first name, user last name, e-mail, etc.; this can be modified.
Load master canonical tables
SAS-recommended, normalized data sets.
Populate metadata repository with canonical table data
%MDUIMPL converts the SAS canonical data sets into representative XML data files, which are imported into the repository by the METADATA procedure
Initial Metadata Repository Identity Load (2 of 2)
Figure 3: Overview of Initial Load Process
User Import Macros from SAS Foundation
The following macros are needed to import and synchronize user accounts from AD to SAS metadata:
%MDUIMPC, %MDUIMPLB, %MDUEXTR, %MDUCMP, %MDUCHGV, %MDUCHGLB
Located in: “[SAS Home]\SASFoundation\9.2\core\sasmacro”
SAS Foundation also ships with a sample program called IMPORTAD.SAS
Located in: “[SAS Home]\SASFoundation\9.2\core\sample”
User Properties
Figure 4: User added manually
Figure 5: User identity imported from AD
Macros in Synchronization program (1 of 2)
Figure 6: Code block from the synchronization program
MASTER
specifies the location of the master tables, here “adir”
TARGET
specifies the location of the target tables that contain information extracted from the metadata, here “meta”
Macros in Synchronization program (2 of 2)
CHANGE
specifies the location for the change tables, here “updates”
xxx_add: contains users, groups, and roles to be added to the target tables to make them look like the master tables
xxx_update: contains users, groups, and roles to be modified in the target tables to make them look like the master tables
xxx_delete: contains users, groups, and roles to be deleted from the target tables to make them look like the master tables
Figure 7: Code block from the synchronization program
Example 1
Figure 8: Initial Load Example
Example 2
Figure 9: Initial Load Example
Example 3
Figure 10: Initial Load Example
Challenges in Synchronization Program
Norwegian character encoding
Use the correct encoding (utf-8 or no)
“” in any of the fields in AD
Check the error log and the generated XML file
LDAP search returns only 1000 users
Use a modular search filter so that AD returns fewer than 1000 users per search
Frequent OU changes in AD for synchronized users
Change the external identity value in metadata
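The 1000-user limit is Active Directory's default result-size cap for a search that does not use paging: the server silently returns the first 1000 matches, and a synchronization that trusts that result will treat every unseen account as deleted. The slide's remedy is to split one search into several narrower ones. The added Python example below shows that "modular search filter" idea as a general algorithm: refine the sAMAccountName prefix until no partition is truncated, and then verify that the partitions together cover the whole directory. The directory and the search function are constructed stand-ins for AD; this is not SAS code and not code from the presentation.

```python
"""Stay under an LDAP server's result-size limit by splitting one search into
several narrower ones.

Added illustration of the "modular search filter" workaround. The directory
and the search function are constructed stand-ins for Active Directory.
"""
from typing import Dict, List, Sequence, Tuple

SIZE_LIMIT = 1000  # Active Directory's default MaxPageSize for unpaged searches
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed account-name alphabet


def search(directory: Sequence[str], prefix: str, exact: bool = False,
           limit: int = SIZE_LIMIT) -> Tuple[List[str], bool]:
    """Simulate an unpaged search for (sAMAccountName=<prefix>*) or, with
    exact=True, (sAMAccountName=<prefix>). Returns at most `limit` entries
    and a flag telling whether the server cut the result short."""
    if exact:
        hits = [e for e in directory if e == prefix]
    else:
        hits = [e for e in directory if e.startswith(prefix)]
    return hits[:limit], len(hits) > limit


def partition(directory: Sequence[str], prefix: str = "",
              limit: int = SIZE_LIMIT) -> Dict[str, List[str]]:
    """Recursively narrow the filter until no partition is truncated.
    Returns {ldap_filter: entries}; empty partitions are dropped."""
    hits, truncated = search(directory, prefix, limit=limit)
    if not truncated:
        return {f"(sAMAccountName={prefix}*)": hits} if hits else {}
    parts: Dict[str, List[str]] = {}
    # An account whose name equals the prefix itself matches no longer
    # prefix, so fetch it with an equality filter before splitting further.
    exact_hits, _ = search(directory, prefix, exact=True, limit=limit)
    if exact_hits:
        parts[f"(sAMAccountName={prefix})"] = exact_hits
    for ch in ALPHABET:
        parts.update(partition(directory, prefix + ch, limit))
    return parts


def verify_coverage(directory: Sequence[str], parts: Dict[str, List[str]]) -> List[str]:
    """Accounts no partition returned (e.g. names using characters outside
    ALPHABET). An empty list means the partitions cover the directory."""
    seen = set()
    for entries in parts.values():
        seen.update(entries)
    return sorted(set(directory) - seen)


def build_directory() -> List[str]:
    """Constructed tenant: 1500 generated accounts plus a few named ones."""
    return ["ahaque", "bsmith", "user"] + [f"user{i:04d}" for i in range(1, 1501)]


if __name__ == "__main__":
    directory = build_directory()
    naive, truncated = search(directory, "")
    print(f"single search: {len(naive)} of {len(directory)} returned, truncated={truncated}")
    parts = partition(directory)
    for flt, entries in parts.items():
        print(f"{flt}: {len(entries)} entries")
    print("missing after partitioning:", verify_coverage(directory, parts))
```

On the constructed directory the single search returns 1000 of 1503 accounts and reports truncation; after partitioning, the filters (sAMAccountName=a*), (sAMAccountName=b*), (sAMAccountName=user), (sAMAccountName=user0*) and (sAMAccountName=user1*) each stay under the limit and together return all 1503. The coverage check is the part worth keeping in a real job: an account name with a character outside the assumed alphabet would otherwise disappear silently and, in the next compare step, be deleted from metadata.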
Limitations/Further Work
No GUI for end users
User selection from a group is not available
Manually added users must include an “ExternalIdentity” value for further synchronization
Detailed logs for all groups are not included