Metadata and Security in the SAS Environment
Frida Säfström
Copyright © 2015, SAS Institute Inc. All rights reserved.

The difference between authentication and authorization
• Authentication: who are you
• Authorization: what permissions do you have

Authentication and identification to the SAS Metadata Server

Permissions in different layers
• Metadata
• WebDAV
• Database System
• Operating System

Permissions
Three things determine a permission:
• How the permission is set
• Where the permission is set
• For whom the permission is set

How the permission is set

Where the permission is set

For whom the permission is set

Permissions

Metadata-Bound Libraries and Tables

Plan for security
• Metadata users and groups
• Users and groups in the OS/AD/LDAP
• Folder structure and permissions in metadata
• Folder structure and permissions in the OS
• Repository ACT and other ACTs
• Permissions on servers and ACTs
• Roles
• Always take a backup before major changes

Metadata Security in SAS® – Packaged service
• Metadata security in SAS – step by step
• A simple structure for understanding and maintaining permissions in metadata.
• Begins with a workshop to decide on the structure
• A document describing how it is to be implemented

Groups in metadata
• Default users and groups from the configuration
• Standard groups that are usually needed
• Groups needed for this implementation
• Determine which users and groups are to be synchronized with AD/LDAP.

Compile a summary of the groups and color-code them
SMC DI Developers | Users working with all tasks relevant for data management/data integration who are not unrestricted. | Data Management folders
SMC SASBatch | User for deploying jobs in a change managed environment and scheduling them. | All folders
SMC Analysts | Users who are specialists working with statistical analysis. | Specialist folders
SMC Report Creators | Super users who work with reporting. | Business User folders
SMC Report Consumers | End users. | Business User folders
SMC SubjectArea1+2 | Users from organizational group or working on a specific subject area. | Business User folders

Folders in metadata
SAS Folders
    SASProject
    SASInstitute_UI_Applications
    Analytics
        SubjectArea1
        SubjectArea2
    Analytical_Marts
        SubjectArea1
        SubjectArea2
    Data_Marts
        SubjectArea1
        SubjectArea2
    General_Reporting
        SubjectArea1
        SubjectArea2
    Reporting
        SubjectArea1
        SubjectArea2

Alternative folders in metadata
SAS Folders
    SASProject
    SASInstitute_UI_Applications
    SubjectArea1
        Analytics
        Analytical_Marts
        Data_Marts
        General_Reporting
        Reporting
    SubjectArea2
        Analytics
        Analytical_Marts
        Data_Marts
        General_Reporting
        Reporting

SASProject
SASProject
    Data
        00_Control_Data
        01_Source_Data
            System1
            System2
        02_Staging
        03_Detail_Data_Store
        04_Data_Marts_Staging
        05_Data_Marts *1)
        05_Analytical_Marts *1)
        90_Utilities
    Documentation
    Jobs
        00_Control_Data
        01_Source_Data
            System1
            System2
        02_Staging
        03_Detail_Data_Store
        04_Data_Marts_Staging
        05_Data_Marts *1)
        05_Analytical_Marts *1)
        06_General_Reporting
        07_Reporting
        97_Job_Status
        98_Deployed
        99_Flows
    Macros
    User_Written_Transformations
    Formats
    Utilities
SASInstitute_UI_Applications

Detailed folder structure
Analytics
    Data
    Formats
    Jobs
    ModelLifeCycle
    Source_data
    Staging_Data
    Utilities
Analytical_Marts
    Data
    Formats
    Jobs
    Reports
    Macros
    Utilities
Data_Marts
    Data
    Formats
    Jobs
    Reports
    Macros
    Utilities

Detailed folder structure
General_Reporting
    SubjectArea1
        BI_Dashboards
        Data
        Formats
        Jobs
        Reports
        Utilities
Reporting
    SubjectArea2
        Data
        Formats
        Jobs
        Reports
        Utilities

Create ACTs to assign permissions
• Design ACTs based on the folder structure and its permission requirements
• Assign permissions using ACTs
• Add ACTs according to the method

6 golden rules
• #1: Design and document before implementing
• #2: Apply Access Control Templates (ACTs) to the objects
• #3: Put only groups in ACTs
• #4: ACTs for groups (other than PUBLIC and SASUSERS) contain only grants of permissions, no denies
• #5: Apply ACTs that grant permissions to groups together with ACTs that deny PUBLIC/SASUSERS
• #6: Always apply the ACT for administrators wherever SASUSERS/PUBLIC have been denied permissions
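
Golden rules #3 to #6 can be checked mechanically against the documented design before anything is implemented (rule #1). The following is an added example, not SAS code or part of the original deck: ACT names and permission strings follow the deck's ACT slide, while the tuple layout, the `kind` field and the two "Example ..." ACTs are constructed for illustration. It reads rule #5 as "a folder with group grants must also carry a PUBLIC/SASUSERS deny ACT".

```python
# Added example: lint a documented ACT design against golden rules #3-#6.
BROAD = {"PUBLIC", "SASUSERS"}
ADMIN_ACT = "SAS Administrator Settings"

# ACT -> [(identity, kind, granted, denied)]; a subset of the deck's ACT slide.
ACTS = {
    ADMIN_ACT: [("SAS Administrators", "group", "RM WM WMM CM A", ""),
                ("SAS System Services", "group", "RM", "")],
    "SMC Analysts ACT": [("SMC Analysts", "group", "RM WMM R W C D S", "")],
    "SMC Report Consumers ACT": [("SMC Report Consumers", "group", "RM R S", "")],
    "SMC PUBLIC and SASUSERS Denied ACT": [("PUBLIC", "group", "", "ALL"),
                                           ("SASUSERS", "group", "", "ALL")],
    "SMC SASUSERS Read Only ACT": [("SASUSERS", "group", "RM R S", "WM WMM CM W C D A")],
    # Constructed violations, not from the deck:
    "Example Personal ACT": [("example_user", "user", "RM R", "")],
    "Example Mixed ACT": [("SMC Report Consumers", "group", "RM R", "W")],
}

def lint_act(name, entries):
    """Rules #3 and #4: only groups in ACTs; no denies outside PUBLIC/SASUSERS."""
    out = []
    for identity, kind, _granted, denied in entries:
        if kind != "group":
            out.append(f"rule 3: {name} lists non-group identity {identity}")
        if identity not in BROAD and denied:
            out.append(f"rule 4: {name} denies '{denied}' for {identity}")
    return out

def lint_folder(folder, applied, acts=ACTS):
    """Rules #5 and #6: check the combination of ACTs applied to one folder."""
    entries = [(a, e) for a in applied for e in acts[a]]
    denies_broad = any(i in BROAD and d for _, (i, _k, _g, d) in entries)
    grants_group = any(a != ADMIN_ACT and i not in BROAD and g
                       for a, (i, _k, g, _d) in entries)
    out = []
    if grants_group and not denies_broad:
        out.append(f"rule 5: {folder} has group grants but no PUBLIC/SASUSERS deny ACT")
    if denies_broad and ADMIN_ACT not in applied:
        out.append(f"rule 6: {folder} denies PUBLIC/SASUSERS without {ADMIN_ACT}")
    return out

if __name__ == "__main__":
    for name, entries in ACTS.items():
        print(name, lint_act(name, entries) or "ok")
    print(lint_folder("Analytics", ["SMC Analysts ACT", "SMC PUBLIC and SASUSERS Denied ACT"]))
```
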

ACTs
SAS Administrator Settings
    SAS Administrators      G: RM WM WMM CM A
    SAS System Services     G: RM
SMC DI Developers ACT
    SMC DI Developers       G: RM WM CM WMM R W C D A S I U Create Table Drop Table Alter Table
SMC BI Developers ACT
    SMC BI Developers       G: RM WMM R W C D S
SMC BI Developers Server ACT
    SMC BI Developers       G: RM WM
SMC Analysts ACT
    SMC Analysts            G: RM WMM R W C D S
SMC Report Creators ACT
    SMC Report Creators     G: RM WMM R S
SMC Report Consumers ACT
    SMC Report Consumers    G: RM R S
SMC PUBLIC and SASUSERS Denied ACT
    PUBLIC                  D: ALL
    SASUSERS                D: ALL
SMC SASUSERS Read Only ACT
    SASUSERS                G: RM R S   D: WM WMM CM W C D A
SMC SASBatch ACT
    SMC SASBatch            G: RM WM CM WMM R W C D A S I U Create Table Drop Table Alter Table
SMC SubjectArea1 ACT
    SMC SubjectArea1        G: RM R S

Apply ACTs to folders
Analytics
    SAS Administrator Settings
    SMC DI Developers ACT
    SMC Analysts ACT
    SMC SASBatch ACT
    SMC PUBLIC and SASUSERS Denied ACT
Data              Inherited settings
Formats           Inherited settings
Jobs              Inherited settings
ModelLifeCycle    Inherited settings
Source_data       Inherited settings
Staging_Data      Inherited settings
Utilities         Inherited settings

Security reports

Auditing

    findstr /c:"Access Control change" *.log | findstr /c:"ObjectType=SASLibrary"

SASMeta_MetadataServer_2015-05-22_swl1236_3100.log:2015-05-22T13:10:36,732 INFO [00037506] 334:swefhe@EUROPE - Access Control change on ObjectType=SASLibrary, Name=Frida Data, ObjId=A58H97NG.B5000006.

2015-05-22T09:42:12,628 INFO [00013642] :swefhe@EUROPE - New client connection (334) accepted from server port 8561 for user swefhe@EUROPE. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:127.0.0.1]:54697 for APPNAME=SASManagementConsole 904200.
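
The two log lines on the Auditing slide share the connection number 334, which ties the access-control change to the client connection that made it. The following added example (not from the original deck and not SAS code) automates that join; it assumes the line formats are exactly those of the two lines shown and that the number before the colon in the change line is the connection id.

```python
import re

# The two sample lines are the ones shown on the Auditing slide.
SAMPLE = [
    "SASMeta_MetadataServer_2015-05-22_swl1236_3100.log:2015-05-22T13:10:36,732 INFO [00037506] "
    "334:swefhe@EUROPE - Access Control change on ObjectType=SASLibrary, Name=Frida Data, "
    "ObjId=A58H97NG.B5000006.",
    "2015-05-22T09:42:12,628 INFO [00013642] :swefhe@EUROPE - New client connection (334) "
    "accepted from server port 8561 for user swefhe@EUROPE. Encryption level is Credentials "
    "using encryption algorithm SASPROPRIETARY. Peer IP address and port are "
    "[::ffff:127.0.0.1]:54697 for APPNAME=SASManagementConsole 904200.",
]

# Optional "file.log:" prefix added by findstr, then timestamp, level and thread id.
HEAD = r"^(?:\S+?\.log:)?(?P<ts>\d{4}-\d\d-\d\dT\S+) \w+ \[\d+\] "
CONNECT = re.compile(HEAD + r"\S* - New client connection \((?P<conn>\d+)\) accepted.*? for user "
                     r"(?P<user>\S+?)\. .*?Peer IP address and port are \[(?P<ip>[^\]]+)\]:\d+"
                     r" for APPNAME=(?P<app>\S+)")
CHANGE = re.compile(HEAD + r"(?P<conn>\d+):(?P<user>\S+) - Access Control change on "
                    r"ObjectType=(?P<type>[^,]+), Name=(?P<name>.*), ObjId=(?P<objid>\w+\.\w+)\.?$")

def correlate(lines, object_type=None):
    """Return access-control changes enriched with the originating client connection."""
    records = []
    for line in lines:
        for kind, rx in (("connect", CONNECT), ("change", CHANGE)):
            m = rx.search(line.strip())
            if m:
                records.append((m["ts"], kind, m.groupdict()))
    sessions, events = {}, []
    for _, kind, rec in sorted(records, key=lambda r: r[0]):  # ISO timestamps sort as text
        if kind == "connect":
            sessions[rec["conn"]] = rec  # latest connection wins if an id is reused
        elif object_type in (None, rec["type"]):
            s = sessions.get(rec["conn"])
            rec["peer_ip"] = s["ip"] if s else None  # None: connection line not in the input
            rec["app"] = s["app"] if s else None
            rec["user_matches"] = bool(s) and s["user"] == rec["user"]
            events.append(rec)
    return events

if __name__ == "__main__":
    for e in correlate(SAMPLE, "SASLibrary"):
        print(e["ts"], e["user"], e["type"], e["name"], e["objid"], e["peer_ip"], e["app"])
```

A change whose `peer_ip` is `None` means the matching connection line was not in the files searched, which usually calls for widening the search to earlier logs.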

Thank you!
Frida Säfström
[email protected]