We’re delighted to announce the BETA version of Metacoda Plug-ins 5.0 is now available for those who are interested in testing it out and getting an early look; it includes our much anticipated Metacoda Identity Sync Plug-in. We demonstrated this new plug-in at SAS® Global Forum 2015 in April; and have incorporated much of the great feedback we received.
We’ve also had some questions from SAS customers, asking about V5, particularly how they can benefit from using the Metacoda Identity Sync Plug-in. Here are the answers to your most popular questions.
How can the Metacoda Identity Sync Plug-in help me with identity synchronization?
The Metacoda Identity Sync Plug-in provides an easy way for SAS platform administrators to keep a targeted subset of identities (users, groups and roles) for their SAS environment in-sync with enterprise directories such as Microsoft’s Active Directory (AD). The friendly, point and click, interface allows you to very rapidly visualize, review and apply identity changes to your metadata; without needing to write any SAS code. You can read more about it in our recent Metacoda Identity Sync Plug-in blog post.
How does the Metacoda Identity Sync Plug-in run the initial bulk load of identities?
Running the initial bulk load of identities into the SAS metadata server from an enterprise directory can be a daunting prospect. The plug-in makes this process much easier by providing a point and click interface with a number of additional customization options.
The initial run will be interactive, allowing you to adjust any options as required. You can then run the plug-in regularly in batch to perform the synchronization between the enterprise directory and your SAS metadata server. Audit reports of changes are generated, and if any errors or issues are detected, you can use the point and click plug-in again to identify, troubleshoot and correct them.
Does the Metacoda Identity Sync Plug-in work with the standard SAS %MDU macros?
Behind the scenes, the SAS %MDU macros are still making the changes to metadata. The plug-in provides you with a point and click interface to these macros as well as guided identity extraction and a series of process customization options. Also, you don’t need to be able to write SAS code to use the interface.
Can I customize the Metacoda Identity Sync Plug-in?
Based upon our experience helping SAS platform administrators, we’ve included a large number of point-and-click driven customization options, which will be ideal for many sites. If you have requirements beyond the built-in options, we’ve also included the ability for SAS admins with coding experience to add code to tweak the process at a number of key points. If you have any very specific requirements not covered by the current options, please contact us.
SAS metadata groups may follow a different naming convention to groups specified in an enterprise directory. Can the Metacoda Identity Sync Plug-in accommodate this?
The plug-in supports group name mapping by providing simple prefix and suffix support for user and group names and display names. This is often all that is required to avoid name clashes with existing SAS identities. Additionally, the plug-in gives you some options to help handle logins.
To handle more complex mapping we’ve also included the ability to use code hooks to allow pre and post processing at key points during the synchronization procedure. This combines the benefits of using our guided identity extraction process with the flexibility of being able to insert your own custom code at key points if you need to.
How does the Metacoda Identity Sync Plug-in deal with group exclusions?
The plug-in is primarily group driven. You specify the initial set of groups by inclusion or exclusion. An exclusion list may be suitable for smaller sites where most AD groups need to become SAS groups. We expect most sites will prefer an inclusion list where you choose a subset of groups to start with. All the members of the resulting groups will be synchronized (including users, groups and nested groups). We have also make sure our extraction process works within AD resource limits to ensure support for very large groups.
Beyond the initial extraction, you can also exclude specific users and groups from the process with the standard exception table used by the SAS %MDUCMP macro. The plug-in provides a point and click interface to this exception table allowing you to manipulate the contents as well as to pre-populate it with some standard SAS users and groups. If you need to exclude based upon a specific prefix or suffix in the group name, you can also insert the required where clause filter into the XML configuration file.
I’d like to export SAS metadata reports to CSV files. Is this possible?
We’ve received requests to add an option to export SAS metadata reports to CSV files from the Reviewers and Explorers. SAS platform administrators have told us that this feature will be particularly helpful when being asked for metadata security reports by managers and auditors. So, in V5, we’ve added this function to the ACT, ACE, User, Group, Role, Capability, Login and Internal Login Reviewers; as well as the Identity Permissions, Object Permissions and Metadata Explorers. It is also possible to now export to HTML and Metadata Security Test XML from the Identity and Object Permissions Explorers.
I’m using the Metacoda Testing Framework and need to export test results when using the interactive plug-in. Is this possible?
We’ve made a number of upgrades to our testing framework; including the ability to export text results to HTML and CSV files from the interactive Test Runner Plug-in. The batch testing interface still generates HTML reports as it did in the prior version.
Can the Metacoda Testing Framework help me to enforce the ‘Golden Rules’ of SAS metadata security?
We’ve introduced some new tests in V5 to help with recommended practices such as limiting the use of Access Control Entries (ACEs or explicit permissions) and following recommendations for Access Control Templates (ACTs), permissions and groups. You can read more about some of these new tests in Paul Homes’ blog post Testing Recommended Practices with SAS Metadata Security.
I’m working in SAS Management Console, and need to check on a workspace server; can your plug-ins help me?
Our new Workspace Inspector allows you to quickly check your SAS workspace server environment by running small code fragments, reviewing the SAS log, and viewing assigned libraries and tables directly within SAS Management Console.
How will Metacoda Plug-ins 5.0 and Metacoda Identity Sync Plug-in be licensed?
If you already have a license for Metacoda Security Plug-ins you’ll automatically receive V5 and the Metacoda Identity Sync Plug-in. For new customers, we’ll offer three license levels; Starter, Basic and Enterprise. You can also register for a 30 day free evaluation license.
Last chance to be a Metacoda Plug-ins 5.0 BETA tester!
In this blog we’ve answered the most common questions we’ve had over the last few months. If you’re excited about the benefits that our new release will bring, and would like to try them out for yourself, there’s still time to become one of our BETA testers, please contact us for details.
Have a look at the video below to see how quick and easy it is to set up identity synchronization between Microsoft Active Directory and SAS software using the Metacoda Identity Sync plug-in. Also check out Paul Homes’ platformadmin.com blog for some technical insight on the plug-in.
If you have any more questions, or would like to learn more about how Metacoda Plug-ins can help you with your SAS metadata security management, please get in touch.