Metacoda Security Plug-ins: Group Reviewer

The Group Reviewer is one of the components included in our Metacoda Security Plug-ins software. This component provides comprehensive whole-of-server views for group identities in your SAS® metadata security implementation.

You can use the Group Reviewer to easily and efficiently review all of your SAS metadata group identities: their members, their group memberships, their role memberships, the capabilities they provide to their members, the shared logins they provide to their members, any ACTs and ACEs they participate in, any ACTs and ACEs that have been applied to protect them, and any external identities they may be associated with.

Applications

Some of the common types of questions administrators ask, which are easily answered with the Group Reviewer, include:

• “Does the Business Analysts group have the Aaron Atkins user as a member, considering nested group memberships too?“
• “How is it that the Southern Region group has the Aaron Atkins user as a member when he is not a direct member of the group? Which nested group is providing him with the membership?“
• “Is the Business Analysts group a member of Custom Power Users role? Is it a direct membership? Is it an indirect membership through another group that it’s a member of? Which group or groups is it a member of that makes it a member of the role?”
• “How come the Business Analysts group is still a member of the Custom Admins role when it was removed as a direct member? Are there any groups it’s a member of that are still providing it with membership of the role?”
• “Does the Business Analysts group provide access to the Save Files to Local Computer capability? Is it through a direct membership of a single role, or direct membership of a multiple roles? Is it through indirect membership via heavily nested multiple group memberships? By what group and role memberships is it providing its members with the capability? How many different ways is it providing its members with the capability?”
• “We removed the General HR Users group from the Custom Power Users role but it is still providing its members with the Save Files to Local Computer capability. Where is this coming from?”
• “Do we have any groups with shared logins provided to their members? Which ones?”
• “Do we have any groups that contain themselves through circular references in nested group memberships? Which ones? Where are the loops?”
• “Which of our groups directly participate in any ACTs or ACEs? Which ACTs? Which ACEs?”
• “Have any of our groups been specifically protected with ACTs or ACEs? Which ones?”
• “Which groups are linked to Active Directory groups? Which ones aren’t?
• “We have just finished a project to re-organize the SAS metadata groups for our organization. How do we easily document the current state so that we can refer back to it at a later date if things change?”

Features

These are some of the major features in the Group Reviewer:

• Groups Table: displays a list of all groups present in metadata together with summary information and indicators for those groups. The table can be customized by hiding or showing from the set of available table columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific group of interest.
• Members Tab: shows all of the direct and nested members of the currently selected group. The filter bar allows you to quickly determine if any other group or user is a member of the selected group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
• Groups Tab: shows all of the direct and nested groups the currently selected group is a member of. The filter bar allows you to quickly determine if the selected group is a member of another targeted group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
• Roles Tab: shows all of the roles the currently selected group is a member of, including direct memberships and indirect memberships through nested groups. The filter bar allows you to quickly determine if the selected group is a member of a targeted role (regardless of the level of nesting) together with the path, or paths, by which they are a member.
• Capabilities Tab: shows all of the SAS application capabilities registered in metadata and an indication of whether the currently selected group provides that capability to its members. You can also see how that capability is provided including all of the role memberships paths that provide it. The filter bar allows you to search for a specific capability and find out if the selected group provides that capability to its members and how they are getting it.
• Logins Tab: shows all of the shared logins the group provides to its members.
• ACT Participation Tab: shows the details for any Access Control Templates (ACTs) where the group is directly participating in the definition of the ACT.
• ACE Participation Tab: shows the details for any Access Control Entries (ACEs), including associated object, where the group is directly participating in the ACE on the object.
• ACT Protections Tab: shows any Access Control Templates (ACTs) that may have been directly applied to the selected group to protect the group registration.
• ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected group to protect the group registration.
• External Identities Tab: displays any external identities, such as Active Directory or LDAP groups, that may have been linked to the SAS group during enterprise directory identity synchronization.
• HTML Export: all of the information available in the Group Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.

Screenshots

Click on the thumbnails below to view full size screenshots of the Metacoda Security Plug-ins: Group Reviewer.