%MDUCMP

Generates data sets that contain the changes that must be made to the metadata.
Used by: User synchronization

Syntax

%MDUCMP (MASTER=libref, TARGET=libref, CHANGE=libref, EXCEPTIONS=<libref.>dataset,
<EXTERNONLY=0|1>, <AUTHDOMCOMPARE=name|keyid>);

Required Arguments

MASTER
specifies the location of the master tables (use the libref that you specify in %MDUIMPC).
TARGET
specifies the location of the target tables that contain information extracted from the metadata (use the libref that you specify in %MDUEXTR).
CHANGE
specifies the location for the change tables. These tables are created (xxx is the base name of each canonical table):
  • xxx_add contains users, groups, and roles to be added to the target tables to make them look like the master tables.
  • xxx_update contains users, groups, and roles to be modified in the target tables to make them look like the master tables.
  • xxx_delete contains users, groups, and roles to be deleted from the target tables to make them look like the master tables.
  • person_summary summarizes changes to users (Person objects).
  • idgrps_summary summarizes changes to groups and roles (IdentityGroup objects).
  • authdomain_summary summarizes changes to SAS authentication domains (AuthenticationDomain objects).

Optional Arguments

EXCEPTIONS
specifies a data set that contains exception values.
EXTERNONLY
defines the scope of the comparison. Unless the master data set has an ObjectId column, this option has no effect. A typical master data set does not include an ObjectId column. A master data set that is extracted from the SAS Metadata Repository (rather than from your authentication provider) does include an ObjectId column. Extraction of a master data set from the metadata repository happens in the identity synchronization processes for some solutions.
  • 1 specifies that only identities that have an external identity value are included in the comparison. This is the default value.
  • 0 specifies that all identities are included in the comparison.
If EXTERNONLY=1 but AUTHDOMCOMPARE=NAME, all authentication domains are compared. In other words, for authentication domains AUTHDOMCOMPARE=NAME overrides EXTERNONLY=1.
AUTHDOMCOMPARE
defines how authentication domains are compared.
  • NAME compares all authentication domains by name. Prevents deletion and renaming of all authentication domains. Prevents deletion of logins in authentication domains that do not exist in the master data set. This is the default.
  • KEYID compares by keyid. Can cause deletion of authentication domains that were originally imported but are not present in the master data set. Can cause renaming of authentication domains that were originally imported but have a different name in the master data set. Does not prevent deletion of logins in authentication domains that do not exist in the master data set. If you specify AUTHDOMCOMPARE=KEYID, authentication domains and logins that are interactively created might be deleted (for a standard synchronization, don't use AUTHDOMCOMPARE=KEYID).

Details

The exceptions data set has these columns:
tablename
specifies the name of the canonical table to which the exception applies. Valid values are person, logins, email, phone, location, idgrps, grpmems, and authdomain.
filter
specifies a SAS WHERE clause expression (without the WHERE) to apply against the corresponding table. The WHERE clause consists of a canonical table column name and an exception value.
For example, consider this exceptions data set:
phone      PhoneType="manual Phone"
email      EmailType="manual Email"
logins     authDomKeyId="A002"
logins     userid="testid%"
Each line protects a set of objects in a particular target table, ensuring that those metadata objects are preserved.
  • The first entry excludes objects in the target phone table that have a PhoneType of manual Phone. In SAS Management Console, the PhoneType is displayed in the Type field in the Phone Properties dialog box.
  • The second entry excludes objects in the target email table that have the EmailType value manual Email. In SAS Management Console, the EmailType is displayed in the Type field in the Email Properties dialog box.
  • The last entry excludes any objects in the target logins table which have a userid value that begins with testid.
Note: Logins that are in authentication domains that do not exist in the master tables are preserved by default. It is not necessary to define exceptions for such logins.
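
The following is an added example, not part of the SAS documentation: it builds an exceptions data set from three of the entries above, runs %MDUCMP with the default comparison options stated explicitly, and reviews the queued deletions before anything is applied. The librefs, paths, column lengths, the check_deletes macro and its threshold are assumptions.

```sas
/* Added example. Librefs and paths are assumptions; master and target    */
/* are taken to be already populated by %MDUIMPC and %MDUEXTR.            */
libname master "/sync/master";
libname target "/sync/target";
libname change "/sync/change";

/* Exceptions: protect manually maintained objects in the target tables.  */
/* Column lengths are assumptions; the filter values are the page's own.  */
data work.exceptions;
   length tablename $32 filter $256;
   tablename="phone";  filter='PhoneType="manual Phone"'; output;
   tablename="email";  filter='EmailType="manual Email"'; output;
   tablename="logins"; filter='authDomKeyId="A002"';      output;
run;

/* Compare using the documented defaults, stated explicitly so that a     */
/* later switch to KEYID is visible in review.                            */
%mducmp(master=master, target=target, change=change,
        exceptions=work.exceptions,
        externonly=1, authdomcompare=name);

/* Review the summaries and the queued deletions before applying them.    */
proc print data=change.person_summary; run;
proc print data=change.idgrps_summary; run;
proc print data=change.logins_delete;  run;

/* Count every row queued for deletion across the xxx_delete tables.      */
proc sql noprint;
   select coalesce(sum(nobs), 0) into :ndelete trimmed
   from dictionary.tables
   where libname = "CHANGE" and memname like '%^_DELETE' escape '^';
quit;

/* Stop the job if the delete set is larger than expected (hypothetical   */
/* threshold), so a bad master extract cannot silently remove identities. */
%macro check_deletes(max=25);
   %if &ndelete > &max %then %do;
      %put ERROR: &ndelete rows queued for deletion (limit &max). Stopping.;
      %abort cancel;
   %end;
   %else %put NOTE: &ndelete rows queued for deletion.;
%mend check_deletes;
%check_deletes()
```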