SAS administrators tip: Keeping track of SAS users

I also recommend: SAS administrators tip: Automatically deleting old SAS logs

If you are a SAS administrator tasked with managing SAS users (adding and removing them in the SAS Management Console, assigning or re-assigning them to Groups and Roles, maintaining their General information and user Accounts), then you know that when the number of users grows, at some point things can get messy.

SAS Users Definition in the Metadata

Suppose you have multiple SAS users defined in the SAS Management Console, as in the following example:

1 - General tab:

SAS users - Metadata General Property

2 - Groups and Roles tab:

SAS users - Metadata Groups and Roles

3 - Accounts tab:

SAS users - Metadata Accounts

After adding a couple dozen (or hundred) users to SAS Metadata using the User Manager plug-in of the SAS Management Console, you will start dreaming of some “push-a-button” report that shows a listing of all your SAS users with all the relevant information (name, title, description, e-mail, groups, user id, etc.) in plain view.

Luckily, SAS provides you with a little-known, but well-documented macro that makes such SAS users reporting a snap.

%MDUEXTR Macro

This macro is documented in the SAS Intelligence Platform: Security Administration Guide, and it is one of several User Import Macros that you get with a SAS Business Intelligence or SAS Visual Analytics installation. When invoked, it extracts SAS user identity information from the SAS metadata and creates several canonical tables:

SAS metadata users - canonical tables

SAS Users Report Implementation

Having the above tables at your fingertips, you can easily combine them in any way you need to generate a report you want. Here is the code example:

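/* Connect to the SAS metadata server */
/* metapass below is a PROC PWENCODE-encoded value ({SAS002} prefix). */
/* An encoded password still authenticates as-is, so restrict read    */
/* access to any program file that stores it.                         */
options metaserver = "a123.us.company.com"
        metaport = 8561
        metauser = "sasadm@saspw"
        metapass = "{SAS002}1D57933958C580064BD3DCA81A33DFB2"
        metarepository = Foundation
        metaprotocol = bridge
    ;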

/* Extract user information from the SAS metadata */
%mduextr(libref=work);

/* Combine data from multiple tables */
data work.metadata_users (drop=keyid);
  merge  
    work.person (keep=keyid name DisplayName title description in=user)
    work.logins (keep=keyid UserID)
    work.groupmempersons_info (keep=memid name rename=(name=groupname memid=keyid))
    work.email (keep=keyid emailAddr)
    ;
  by keyid;
  if user;
run;

proc sort data=work.metadata_users;
  by name groupname;
run;

/* Blank out duplicate information */
data work.metadata_users_ready (drop=i);
  set work.metadata_users;
  by name;
  array a [*] name DisplayName title description emailAddr UserID;
  if not first.name then
  do i=1 to dim(a);
    a[i] = '';
  end;
run;

/* Specify output file location */
filename fout 'C:\PROJECTS\_BLOG_SAS\sas-admin-keeping-track-of-sas-users\user-roster.html';

/* Generate report on SAS metadata users and their groups */
ods html file=fout;
title "SAS Metadata Registered Users (as of %sysfunc(putn(%sysfunc(datetime()),datetime19.)))";
proc print data=work.metadata_users_ready noobs label;
  var name DisplayName title description emailAddr UserID groupname;
  label
    name = 'User Name'
    DisplayName = 'Display Name'
    title = 'Job Title'
    description = 'Description'
    emailAddr = 'Email Address'
    UserID = 'User ID'
    groupname = 'Member of Group'
    ;
run;
ods html close;

SAS Metadata Users Report Output

Here is a fragment of the SAS Users report output in HTML format produced by the above code:

SAS Metadata Users report sample

Note

In the above implementation, we assumed for simplicity that each user has a single user id. If that is not the case, you would need to modify the code section denoted as Blank out duplicate information.
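The case described in the note above, as an added example that is not part of the original post: when a user has several logins, the many-to-many merge pairs logins and groups row by row and the blank-out step then erases every user id after the first. Flattening the logins to one row per user before the merge avoids this; work.logins_sorted, work.logins_flat, all_ids and login_count are names introduced here for illustration.

```sas
/* Added example (not from the original post).                        */
/* Assumes %mduextr(libref=work) has already run, as shown earlier.   */

/* 1. Order logins so that BY-group processing works; NODUPKEY drops  */
/*    exact repeats of the same keyid/UserID pair.                    */
proc sort data=work.logins (keep=keyid UserID)
          out=work.logins_sorted nodupkey;
  by keyid UserID;
run;

/* 2. Collapse each user's logins into one comma-separated value.     */
/*    all_ids and login_count are hypothetical names used here.       */
data work.logins_flat (keep=keyid all_ids login_count
                       rename=(all_ids=UserID));
  length all_ids $ 1024;          /* must hold the longest joined list */
  retain all_ids;
  set work.logins_sorted;
  by keyid;
  if first.keyid then do;
    all_ids = '';
    login_count = 0;
  end;
  all_ids = catx(', ', all_ids, UserID);
  login_count + 1;                /* sum statement: retained counter   */
  if last.keyid;                  /* output one row per user           */
run;

/* 3. Same merge as in the post, with the flattened logins table.     */
data work.metadata_users (drop=keyid);
  merge
    work.person (keep=keyid name DisplayName title description in=user)
    work.logins_flat
    work.groupmempersons_info (keep=memid name rename=(name=groupname memid=keyid))
    work.email (keep=keyid emailAddr)
    ;
  by keyid;
  if user;
run;
```

The sort and blank-out steps from the post then run unchanged, and rows with login_count greater than 1 identify identities that hold more than one login.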

 


About Author

Leonid Batkhan

Leonid Batkhan, Ph.D. in Computer Science and Automatic Control Systems, has been a SAS user for more than 25 years. He came to work for SAS in 1995 and is currently a Senior Consultant with the SAS Federal Data Management and Business Intelligence Practice. During his career, Leonid has successfully implemented dozens of SAS applications and projects in various industries.


23 Comments

  1. Hello Leonid,

    Interesting example to read out SAS metadata with some simple steps.
    It's quite a good way to document the user / group structure.

    kind regards
    Marius

  2. I am a SAS administrator and I need help with permission access. I am trying to delete a user name where the write metadata for the user is marked deny instead of granted. Is there a way to reverse the permission access for a user name? Currently I do not have access to change the permission or delete the user id.

  3. Hello -

    This program is very useful as there are hundreds of users in my organization. Can we add when a user last logged in?

    In short I need to know when a user last connected to SAS server using SAS EG or PC-SAS.

    Appreciate your quick response.

    • Leonid Batkhan

      Thank you, Praveen, for your comment.
      This blog post is written around the %MDUEXTR macro, which is limited to information on users' registration in the metadata. Tracking users' connections can be done by parsing the SAS metadata log (see Lev1/SASMeta/MetadataServer/Logs). You may also find the following discussion useful: Metadata user activities.

  4. Very helpful macro code. If I'm not mistaken, this is a similar report that is generated from within SAS Environment Manager (Report Center) ? Assuming you have all the pre-requisites (APM enabled, log sharing..) configured for the Environment Manager 2.5..

  5. I want to rename a group. I tried to update the name by keeping the same keyid in idgrps, but it is updating displayname instead. Any idea how to fix this?

  6. Clinton Tull

    Love the script, we have three different metadata systems on different hosts and need to concatenate them to provide for Linux user accounts. This got me all the details I needed!

  7. Is there a way I can find out and generate a metrics report on how many users use SAS every day from the mainframe side?

      • Thanks Leonid.

        Also had a question, I know this is not the right discussion, but was curious if you or anyone can help me with some document on maintenance upgrade for SAS 9.4.

  8. Thanks very much for this wonderful code.
    I have been looking for this for a long time. I am implementing a solution that routes work for each user in a certain group.
    As a workaround I created a table in a database and inserted all users in it.
    But now I used your code to use metadata instead.
    Thanks again. You made my day.

  9. Hi,

    Can I please get the last login details of the user in SAS from metadata? From the other blogs, I use the Metadata server logs. But unfortunately they contain only the login details of a few super users but not the details of all the users.

    Help on this request is appreciated. Thanks!

  10. The code is excellent; in my case it is giving me the following error. I am new to this area.

    RROR: IOM call failed because of a data conversion error.
    ERROR: Fallos al transcodificar los datos de la codificación U_UTF8_CE a U_LATIN1_CE porque contenían caracteres que no permiten en
    la codificación de la sesión SAS. Revise las opciones del Sistema SAS encoding= y locale= para garantizar que pueden acomodarse a
    los datos que desea procesar. Una parte de esta cadena de origen, en representación hexadecimal es:
    NOTE: 7f74f267a130: 3c 47 65 74 4d 65 74 61 64 61 74 61 4f 62 6a 65 |A00|
    ERROR: Some code points did not transcode.

    • Chris Hemedinger

      This error can occur if the data you access contains characters that aren't part of the character set in the SAS session encoding. The best way to fix this is to use SAS with ENCODING=utf8. This is a SAS startup option that an admin needs to set.

  11. Hi Leonid, nice blog. I'm trying to extract user identities from a SAS Viya server using metadata functions. I'm not sure if it's supported in SAS Viya? In SAS 9.4 I have used the open metadata interface for metadata management. What would you recommend to extract user identities in the SAS Viya platform, or in general what technique to use for metadata management in SAS Viya? Thanks, much appreciated.
