FAQ

These are some of the questions we get asked about our Metacoda Security Plug-ins software. If you have any other questions, please contact us.
  • Our SAS metadata management has been fairly ad-hoc for some time. How can your Metadata Security Plug-ins help us?

  • It’s not uncommon for metadata environments to have developed organically over time. Our software gives you an easier way to investigate your current metadata, look for any issues and make corrections if need be.


  • Currently, we’re administering our metadata security largely through the use of Access Control Entries (ACEs). We’d like to shift to a more robust Access Control Template (ACT) approach. Can you advise us?

  • You can use our ACE and ACT Reviewers, two of our Metacoda Security Plug-ins, to examine your current usage. You can then export HTML reports from these plug-ins to help you document this and plan your next steps.


  • I’d denied one of our users access to the Open Files from Local Computer capability, but he still seems to have it. How can I work out where his access is coming from?

  • Our Capability Reviewer lets you search to see how a specific user’s capabilities have been defined. You may find the route of this capability is through nested role membership.


  • I’m a platform administrator for a number of software products, including SAS. One of my common tasks is to bulk load identities from our Active Directory into SAS metadata. However, I really don’t have the time to learn how to write SAS code. Are you able to help with this?

  • Our Metacoda Identity Sync Plug-in allows you to do just this. Additionally, you can use the plug-in to verify your load and make any required changes. All without needing to write any code.


  • I suspect that we have some roles that aren’t being used anymore and have no members. How can I find out if this is the case?

  • You can use our Role Reviewer to tabulate all available roles, then see if any of those roles are empty.


  • How can I find all of the SAS OLAP cube dimensions that have had OLAP member-level security applied? Equally, how can I find all of the Visual Analytics LASR tables that have row-level security applied?

  • Our ACE Reviewer and Protected Object Reviewer both allow you to find objects, such as SAS OLAP cube dimensions and Visual Analytics LASR tables, that have had ACEs applied to them with associated permission conditions. These permission conditions are used to implement member-level and row-level security (also known as conditional grants).


  • I’d like to see from the SAS Management Console who has access to our Oracle database, and find out whether that access has been granted through a group authorization or an individual authorization.

  • With regard to metadata, access to a database-backed library through SAS requires:

    • a database engine library (e.g. Oracle)
    • tables registered in metadata for which the user has effective grants of ReadMetadata and Read
    • a database server (configured with an authentication domain) registered in metadata that this library is associated with
    • and a user who has access to an available login (user id and password) for the authentication domain of the database server.

    Our Metacoda Security Plug-ins can help you in these areas:

    • Object Permissions Explorer
      Select the database library and see every identity’s effective permissions on that library; who has access and what level of access they have.
    • User Reviewer
      Select the user and look in the Logins tab. All logins stored in metadata that the user has access to are displayed (along with authentication domain) – logins for the user themselves, logins for any direct or indirect/nested groups they are a member of, and logins on any implicit groups. Export an HTML report of all users including their accessible logins.
    • Identity Permissions Explorer
      This is an alternative to the Object Permissions Explorer if you want to focus on the user rather than the library.
    • Group Reviewer
      Export an HTML report of all groups, any shared logins they provide to their members, and a complete list of members (direct and indirect/nested).
    • Login Reviewer
      This can be used to export a list of all logins in metadata – associated identity, authentication domain, user id and a flag to indicate whether a password is stored.
    • Testing Framework
      Set up regular metadata security checks, either in batch or interactively, to look for any changes in this area.
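
To make the access requirements listed above concrete, here is a small model of the check, added as an illustration; it is not Metacoda or SAS code and does not query a metadata server. All identities, groups, logins and domain names are constructed, and effective permissions are assumed to be supplied already resolved.

```python
# Constructed sample metadata; every name below is hypothetical.
MEMBER_OF = {                       # direct memberships (users and nested groups)
    "alice": {"Finance Analysts"},
    "bob": set(),
    "carol": {"ETL Developers"},
    "Finance Analysts": {"Oracle Users"},   # a group nested inside another group
    "ETL Developers": set(),
    "Oracle Users": set(),
}
IMPLICIT_GROUPS = {"PUBLIC", "SASUSERS"}    # implicit groups for registered users
LOGINS = [  # (owning identity, authentication domain, user id)
    ("Oracle Users", "OracleAuth", "ora_shared"),
    ("bob", "OracleAuth", "ora_bob"),
    ("carol", "DefaultAuth", "carol"),
]
SERVER_AUTH_DOMAIN = {"Oracle Server": "OracleAuth"}
LIBRARY_SERVER = {"Sales (Oracle)": "Oracle Server"}
# Assumption: effective permissions on the library's tables are precomputed;
# ACT/ACE inheritance is not modelled here.
EFFECTIVE = {
    "alice": {"ReadMetadata", "Read"},
    "bob": {"ReadMetadata"},
    "carol": {"ReadMetadata", "Read"},
}

def all_groups(identity):
    """Direct, indirect/nested and implicit groups for an identity."""
    seen, stack = set(), list(MEMBER_OF.get(identity, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, ()))
    return seen | IMPLICIT_GROUPS

def explain_access(user, library):
    """Return (has_access, [(login owner, user id, 'individual' or 'group')])."""
    domain = SERVER_AUTH_DOMAIN[LIBRARY_SERVER[library]]
    groups = all_groups(user)
    # A login is usable if it is in the server's authentication domain and is
    # owned by the user or by any group the user belongs to.
    routes = [(owner, uid, "individual" if owner == user else "group")
              for owner, dom, uid in LOGINS
              if dom == domain and (owner == user or owner in groups)]
    permitted = {"ReadMetadata", "Read"} <= EFFECTIVE.get(user, set())
    return permitted and bool(routes), routes
```

In this sample, alice reaches the library only through the shared login on a nested group, bob holds an individual login but lacks Read, and carol has the permissions but no login in the server's authentication domain.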

  • I’ve been asked to create a report for each user to see what passwords they’ve been using and which databases they have had access to. Is this possible?

  • Metacoda Security Plug-ins report which databases users currently have access to and how metadata security is currently set up. Examining historical access is something that can be done by reviewing SAS server logs or using the SAS Audit, Performance and Measurement package (APM).
    If you plan to create a report detailing your users’ logins and internal SAS logins registered in metadata, you can use our Login and Internal Login Reviewers to view this and export a report to HTML.


  • Can I be sure that my SAS® metadata won’t accidentally be altered when I use Metacoda Security Plug-ins?

  • All of the reviewers and explorers in Metacoda Security Plug-ins currently only issue read-only queries to the SAS metadata server. We have deliberately not yet provided any features in the reviewers and explorers that allow you to add, update, or delete metadata (though we do get asked from time to time). The only component in Metacoda Security Plug-ins that does currently provide the ability to update SAS metadata is the Identity Sync plug-in. It will only provide metadata update access to unrestricted users and user administrators (as governed by SAS roles). Furthermore, the Identity Sync plug-in only updates metadata using the standard unmodified SAS User Import Macros (%MDU macros) that are very well-known and have been in trusted use by a significant number of SAS customers around the world for many years.