Metacoda Security Plug-ins: User Reviewer
The User Reviewer is one of the components included in our Metacoda Security Plug-ins software. This component provides comprehensive whole-of-server views for user identities in your SAS® metadata security implementation.
You can use the User Reviewer to easily and efficiently review all of your SAS metadata user identities: their group identity hierarchy, their role memberships, the capabilities they have access to, all of their accessible logins, any associated internal logins, any ACTs and ACEs they participate in, any ACTs and ACEs that have been applied to protect them, and any external identities they may be associated with.
Some of the common types of questions administrators ask, which are easily answered with the User Reviewer, include:
- “Is the Aaron Atkins user a member of the Business Analysts group, considering nested group memberships too?”
- “How is it that the Aaron Atkins user is a member of the Southern Region group when he is not a direct member of the group? Which nested group is providing him with the membership?”
- “Is the Aaron Atkins user a member of the Custom Power Users role? Is it a direct membership? Is it an indirect membership through a group he is a member of? Is it a membership through the implicit PUBLIC or SASUSERS groups? Which group or groups is he a member of that makes him a member of the role?”
- “How come the Aaron Atkins user is still a member of the Custom Admins role when he was removed as a direct member? Are there any groups he’s a member of that are still providing him with membership of the role?”
- “Does the Eve Evans user have access to the Save Files to Local Computer capability? Is it through a direct membership of a single role, or direct membership of multiple roles? Is it through indirect membership via heavily nested multiple group memberships? Is it through implicit membership of the SASUSERS and PUBLIC groups? By what group and role memberships is she provided the capability? How many different ways is she provided this capability?”
- “We removed the Eve Evans user from the Custom Power User role but she is still provided the Save Files to Local Computer capability. Where is this coming from?”
- “Do we have any users without logins who therefore can’t possibly log in? Which ones?”
- “What are all of the logins that the Eve Evans user has access to? Include her own private logins as well as all of the shared logins she has access to from her nested group memberships. Does she have access to the shared Oracle login in the Oracle Users group?”
- “Do any of our users directly participate in any ACTs or ACEs? Which users? Which ACTs? Which ACEs?”
- “Have any of our users been specifically protected with ACTs or ACEs? Which ones?”
- “Which users are associated with Active Directory identities? Which ones aren’t?”
- “We have just finished a project to re-organize the SAS metadata user group memberships for our organization. How do we easily document the current state so that we can refer back to it at a later date if things change?”
These are some of the major features in the User Reviewer:
- Users Table: displays a list of all users present in metadata together with summary information and indicators for those users. The table can be customized by showing or hiding any of the available columns, re-ordering or re-sizing columns, and sorting rows by any of the available columns. The filter bar allows you to quickly find a specific user of interest.
- Groups Tab: shows all of the direct and nested groups the currently selected user is a member of. The tree view shows the identity hierarchy for the currently selected user. The filter bar allows you to quickly determine if the selected user is a member of a targeted group (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Roles Tab: shows all of the roles the currently selected user is a member of, including direct memberships, indirect memberships through nested groups, and memberships through the implicit SASUSERS and PUBLIC groups. The filter bar allows you to quickly determine if the selected user is a member of a targeted role (regardless of the level of nesting) together with the path, or paths, by which they are a member.
- Capabilities Tab: shows all of the SAS application capabilities registered in metadata and an indication of whether the currently selected user is provided that capability. You can also see how that capability is acquired, including all of the membership paths that provide it. The filter bar allows you to search for a specific capability and find out if the selected user has the capability and how they are getting it.
- Logins Tab: shows all of the logins the user has access to. This includes private logins for the selected user together with any shared group logins the user has access to by virtue of their group memberships.
- Internal Logins Tab: shows details of any internal SAS account/login that might have been created for the selected user.
- ACT Participation Tab: shows the details for any Access Control Templates (ACTs) where the user is directly participating in the definition of the ACT.
- ACE Participation Tab: shows the details for any Access Control Entries (ACEs), including associated object, where the user is directly participating in the ACE on the object.
- ACT Protections Tab: shows any Access Control Templates (ACTs) that may have been directly applied to the selected user to protect the user registration.
- ACE Protections Tab: shows any explicit permissions, or Access Control Entries (ACEs), that may have been directly applied to the selected user to protect the user registration.
- External Identities Tab: displays any external identities, such as Active Directory or LDAP accounts, that may have been linked to the user during enterprise directory identity synchronization.
- HTML Export: all of the information available in the User Reviewer can be easily exported in HTML format for documentation, audit and troubleshooting purposes.
For More Information…
If you’d like to find out more about the User Reviewer, or Metacoda Security Plug-ins in general, please contact us with any further questions you might have. You can also request a free one month evaluation license to try the software out for yourself with your own SAS metadata.
Paul Homes provided a more in-depth look at the use of the User Reviewer in his March 2011 platformadmin.com blog post User Reviewer V2: Sneak Peek.