User Synchronization

Scope of the Synchronization Process

Who Participates?

By default, the synchronization process includes all identities that were originally imported into the metadata (because by default only those identities have an external identity in the metadata). You can modify participation in these ways:
  • To include an identity that was manually created, add an external identity on the General tab of that user, group, or role definition.
  • To exclude an identity that has an external identity in the metadata, define an exception in the %MDUCMP macro.

What Information Is Updated?

The synchronization process affects the metadata for participating identities as follows:
  • Any identities that have been added to your authentication provider are added.
  • Any new logins that have been added to your authentication provider are added. If passwords are extracted from your authentication provider, those passwords are included in the new logins.
    Note: It is typically not possible to extract passwords from an authentication provider.
    Note: Most logins do not need to include a password.
  • Any participating identities that are not found in your authentication provider are deleted.
  • By default, only logins that meet all of these criteria are deleted:
    • The login belongs to a participating identity.
    • The login does not exist in your authentication provider.
    • The login is in an authentication domain that exists in your authentication provider.
    Note: Logins in authentication domains that don't exist in your authentication provider are preserved by default.
  • If the synchronization includes groups (or roles), memberships for participating SAS identities are updated to match the memberships in your authentication provider. A change in the input grpType value (which determines whether an object is a group or a role) does not cause any update to the metadata.
  • Locations, telephone numbers, and e-mail addresses for participating identities are updated. Use exceptions to prevent updates to contact information that is added interactively.
  • New authentication domains are added. By default, no authentication domains are removed.
These constraints apply to updates:
  • When combined with information that already exists in the metadata, the change data must meet all of the metadata server's uniqueness requirements.
  • In order to add a user, group, or role, only a name and one external identity value (keyid) are required. However, each user should also have at least one login in order to establish an individual SAS identity.

How to Synchronize Identities

Note: It is a good practice to run a backup before you perform a synchronization (at least until your program is proven).
To synchronize identity information:
  1. If you want to include identities that weren't originally imported, use SAS Management Console to add a correct external identity value on the General tab of each such identity.
  2. If you want to exclude identities or attributes from the update, create an exceptions data set.
    CAUTION:
    If you used SAS Management Console to make updates to imported identities, those updates are not automatically preserved during batch synchronization.
    To preserve such information, define exceptions in the %MDUCMP macro.
  3. In the operating system, set up three directories: an enterprise extract directory, a metadata extract directory, and a change tables directory. For example:
    [Figure: example directory structure]
  4. In the SAS Program Editor, adapt the sample synchronization code to create your own program. See Sample Code for User Synchronization.
  5. Submit the code and review the log. To address any errors, make changes in the source tables, the exceptions tables, or the metadata. For details about the errors, examine the errorsds table. After making corrections, run the synchronization program again.
    Note: An alternative method for dealing with errors is to re-execute the %MDUCMP macro with EXCEPTIONS=ERRORSDS. This recreates the change tables without the offending entries. If an exceptions data set is already being used, you can append the content of the ERRORSDS data set to that data set.
  6. In the User Manager plug-in in SAS Management Console, verify that the metadata reflects the changes that you expect to see.
    Note: To ensure that current information is displayed, right-click User Manager and select View, then select Refresh.
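The six steps above as a single SAS program, added here as an example; it is not the page's Sample Code for User Synchronization. The connection options, the three directory paths, the two exception rows and the contents of the EXTRACT library are placeholder assumptions, and EXTRACT is assumed to already hold the canonical tables produced by your provider-specific import program.

```sas
/* Added example. Placeholders: connection options, paths, exception rows. */
options metaserver="metadata.example.com" metaport=8561      /* placeholder server  */
        metauser="sasadm@saspw" metapass="********"           /* placeholder account */
        metarepository="Foundation";

/* Step 3: the three directories (placeholder paths). */
libname extract  "/sync/enterprise_extract";  /* canonical tables from the provider */
libname metadata "/sync/metadata_extract";    /* tables extracted from the metadata server */
libname change   "/sync/change_tables";       /* change tables produced by %MDUCMP */

/* Step 2: exceptions data set. Each row names a canonical table and a WHERE-style
   filter; matching rows are left out of the comparison, so identities and contact
   information maintained interactively are not overwritten or deleted. */
data work.exceptions;
  length tablename $32 filter $200;
  tablename = "PERSON"; filter = "upcase(name) = 'SASADM'";          output; /* placeholder */
  tablename = "LOGINS"; filter = "upcase(userid) like 'SVC[_]%'";     output; /* placeholder */
run;

/* Step 4: extract current metadata, compare it with the provider extract,
   then validate the resulting change tables before anything is loaded. */
%mduextr(libref=metadata);
%mducmp(master=extract, target=metadata, change=change, exceptions=work.exceptions);
%mduchgv(change=change, target=metadata, temp=work, errorsds=work.errorsds);

/* Step 5: load only when validation reported no errors. Otherwise append the
   offending entries to the exceptions data set and rebuild the change tables,
   so the program can be reviewed and resubmitted without those entries. */
%macro sync_load;
  %local nerr;
  %let nerr = 0;
  %if %sysfunc(exist(work.errorsds)) %then %do;
    proc sql noprint;
      select count(*) into :nerr from work.errorsds;
    quit;
  %end;
  %if &nerr = 0 %then %do;
    %mduchglb(change=change);                        /* apply change tables */
  %end;
  %else %do;
    %put WARNING: &nerr validation error(s) in WORK.ERRORSDS. Load skipped.;
    proc append base=work.exceptions data=work.errorsds force; run;
    %mducmp(master=extract, target=metadata, change=change, exceptions=work.exceptions);
    %put NOTE: Change tables rebuilt without the offending entries. Review WORK.EXCEPTIONS and resubmit.;
  %end;
%mend sync_load;
%sync_load
```

After a successful load, complete Step 6 in the User Manager plug-in; the log and WORK.ERRORSDS are the record of anything that was excluded.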