Synkronisering av AD-brukere med SAS Metadataserver

Abul Ahsan Md Mahmudul Haque

Helse Nord IKT

abul.haque@hn-ikt.no

November 12, 2014

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 1 / 18

Overview

Introduces Active Directory & SAS Metadata ServerMajor features of the synchronization applicationChallenges in Synchronization ProgramLimitations/Further Work

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 2 / 18

Introduction (1 of 4)

At present we have more than 1000 users including about 50 analysts whodepend on SAS for their analytic and reporting needs; to provide security &confidentiality we need to do the following:

Load SAS user identities into the metadata repository

Assign identities to groups based on their job function (for example,User or HR-User, Analytekere-HR-USER)

Maintain the identity metadata to reflect the current state of thesite’s SAS user

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 3 / 18

Introduction (2 of 4)

Figure 1: User groups in SAS Environment

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 4 / 18

Introduction (3 of 4)

“One size does not fit all; — two or three sizes don’t fit alleither.”

Microsoft Active Directory is the most popular tool for managing userauthentication

SAS macros can extract user accounts from AD and create useraccounts in SAS metadata.

By default, these macros import and synchronize all accounts fromActive Directory

SAS metadata server must use host authentication against the sameAD.

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 5 / 18

Introduction (4 of 4)

Figure 2: Overview of SAS Metadata services

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 6 / 18

Initial Metadata Repository Identity Load (1 of 2)

Active directory identity extraction

SAS provides LDAP call rotines; minor modifications required for ownsites.Two seperate data steps required for users and groups.The elements stored in the resulting data set were user first name, userlast name, e-mail...etc; can modify

Load master canonical tables

SAS recommended; normalized data sets.

Populate metadata repository with canonical table data

%MDUIMPL converts the SAS canonical data sets into representativeXML data files, which are imported into the repository by theMETADATA procedure

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 7 / 18

Initial Metadata Repository Identity Load (2 of 2)

Figure 3: Overview of Initial Load Process

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 8 / 18

User Import Macros from SAS Foundation

The following activities are needed to import and synchronize useraccounts from AD to SAS metadata:

%MDUIMPC , %MDUIMPLB , %MDUEXTR , %MDUCMP ,%MDUCHGV , %MDUCHGLB

Located in: “[SAS Home]\SASFoundation \9.2\core\sasmacro”

SAS Foundation also ships with a sample program calledIMPORTAD.SAS

Located in: “[SAS Home]\SASFoundation \9.2\core\sample”

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 9 / 18

User Properties

Figure 4: User added manuallyFigure 5: User Identity imported fromAD

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 10 / 18

Macros in Synchronization program (1 of 2)

Figure 6: Code block from the synchronization program

Masterspecifies the location of the master tables, here “adir”

Targetspecifies the location of the target tables that contain informationextracted from the metadata, here “meta”

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 11 / 18

Macros in Synchronization program (2 of 2)

CHANGE

specifies the location for the change tables, here “updates”xxx add: contains users, groups, and roles to be added to the targettables to make them look like the master tablesxxx update: contains users, groups, and roles to be modified in thetarget tables to make them look like the master tablesxxx delete: contains users, groups, and roles to be deleted from thetarget tables to make them look like the master tables

Figure 7: Code block from the synchronization program

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 12 / 18

Example 1

Figure 8: Initial Load Example

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 13 / 18

Example 2

Figure 9: Initial Load Example

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 14 / 18

Example 3

Figure 10: Initial Load Example

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 15 / 18

Challenges in Synchronization Program

Norwegian character encoding

Use correct encoding utf-8 or no

“” in any of the field in AD

Check error log and generated xml file

LDAP search returns 1000 users

Use modular search filter so that AD returns less than 1000 users

Frequent OU changes in AD for synchronized users

Change external identities value in metadata

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 16 / 18

Limitations/Further Work

No GUI for end users

User selection from a group is not available

Manually added users must include “ExternalIdentity” value forfurther synchronization

Detailed log for all groups are not included

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 17 / 18

The End

Abul Ahsan Md Mahmudul Haque (HNIKT) AD-synkronisering =⇒ SAS Metadataserver November 12, 2014 18 / 18