For many organizations, having traceability for members of staff accessing and leveraging customer data is a key requirement. There is the obvious security focus when leadership teams think about traceability, but there are additional uses for audit data within the organization:
- Using it to identify potentially broken work practices and processes
- Identifying key content from a business perspective
- Understanding which users are likely to be affected by underlying changes to data or updates and upgrades to software
For customers who use SAS Web Report Studio (WRS) 4.3 under SAS 9.3, the auditing functionality is provided out of the box. No need for administrators to make any elaborate configuration changes, it just works right away. WRS is leading from the front in terms of its of ease of use and simple set-up.
With this fact in mind, I want to show the steps to access the audit data. For more information on this topic (which is referred to as "Key User Action"), read the latest version of the SAS® 9.3 Intelligence Platform Web Application Administration Guide. The documentation provides descriptions of the key user action codes (there are currently 13) and how to set up the roll-over attributes of the key user logs.
Figure 1 and Figure 2 show typical header information and user event data found in the Key User Action logs:
Figure 1. The header information within the Key User Actions log files.
Figure 2. A snippet of the event data within the Key User Action log files.
There are three quick steps required to look inside the logs and see the audit and event related information:
- Identify the location and names of the relevant log files are kept.
- By default the directory location is \config\Lev1\Web\Logs
- The archive logs have the default name format "SASWebReportStudio4.3_KeyActions.log_yyyymmdd_hrmmss", e.g., SASWebReportStudio4.3_KeyActions.log_20130129_221231
- The live, or current, log is named SASWebReportStudio4.3_KeyActions.log
- To minimise the risk of losing the original log files, you should make a copy of the original log file.
- Copy SASWebReportStudio4.3_KeyActions.log_20130129_221231
- Rename the copy to SASWebReportStudio4.3_KeyActions31Jan2013Midday.XML
- Open up a SAS Display Manager Session which and submit the relevant code (See sample in Figure 3):
- Use a LIBNAME statement to point to the XML based data in the log.
- Create an XML table called Event (via PROC DATASETS)
- Create a SAS dataset to use in further processing.
IMPORTANT NOTE. If you are required to access a log file before it has been archived, i.e. the log file is in active use, then ensure that once you have made a copy of the log file, make sure to edit the copy to add at the bottom of the log file the closing tag . If the tag is not added, you will receive an error message when running the libname statement below.
Figure 3. The SAS code used to read the Key User Action log file.
libname myxml2 xml 'C:\sas93\config\Lev1\Web\Logs\SASWebReportStudio4.3_KeyActions31Jan2013Midday.XML'; proc datasets library=myxml2; quit; data wrsaudit31012013; set myxml2.Event; run;
With the SAS data set created, it is then possible to view the relevant information or perform further actions, for example, having the access and reporting on key user actions built into an automated process using proven data integration and business intelligence practices.
Figure 4 shows an example of the user activity available in the Key User Action log:
- The SASTRUST account being used to logon into SAS Web Report Studio at "System Start Up" time
- The users Stuart, Rob and Erwan all logged on and logged off to WRS during the course of the working day
- Stuart saved a report ProdSaleWRSReport (because Stuart only saved the report but did not open it, you may be able to infer he is actually the report creator)
- Rob saved a report CLASS_WRSReport (because Rob only saved the report but did not open it, you may be able to infer he is actually the report creator)
- Erwan opened the ProdSaleWRSReport and saved the report as ProdSaleWRSReport1.
Figure 4. A snippet of the SAS data set (wrsaudit31012013) that gets created from reading in the Key User Action log file.
I hope we will see increased use of this auditing framework on other SAS client applications (Web or desktop based).