Key Actions Auditing
Introduction
This topic provides information that is specific to SAS
Visual Analytics. For general information, see Configuring Auditing for SAS Web Applications in the SAS Intelligence Platform: Middle-Tier Administration Guide.
The following figure
depicts the flow of audit data:
Flow of Audit Data
The vertical flow provides
data for an administrative report:
-
If auditing is enabled and a user performs an auditable action, the current application generates one or more audit records. The audit records are written to the SAS_AUDIT and SAS_AUDIT_ENTRY tables in the public schema of the SharedServices database in the SAS Web Infrastructure Platform.
-
The next time the extraction process runs, it notices that the audit tables in the SAS Web Infrastructure Platform’s SharedServices database have data that does not exist in the corresponding autoload data directory (drop zone). The extraction process writes the new data to the Append subdirectory of the EVDMLA autoload data directory. The scope of extraction consists of all records for a fixed set of object types. See Audit Content and Coverage. Audit records for logon and logoff actions are not extracted.
-
The next time the autoload process runs, it notices that the audit data in the Append subdirectory is newer than the corresponding LASR table. The autoload process appends the new data to the existing LASR table.
The horizontal flows
manage audit data as follows:
-
To manage the sizes of the audit tables in the SAS Web Infrastructure Platform’s SharedServices database, audit archive rules move specified records of a specified age to the audit archive tables.
-
To manage the sizes of the audit archive tables in the SAS Web Infrastructure Platform’s SharedServices database, you must periodically purge records from those tables.
-
To ensure that data is available in memory after the server restarts, appended data is immediately written to a second location, the AUDIT_VISUALANALYTICS table in the autoload data directory. This is standard autoload append behavior. See How Autoload Works.
-
To manage the size of the AUDIT_VISUALANALYTICS tables in the autoload drop zone, a scheduled task deletes records of a specified age, and then refreshes the corresponding LASR table. In the initial configuration, the task runs daily and deletes records that are more than 30 days old.
How to Safely Enable Auditing
CAUTION:
Audit data
can consume significant amounts of disk space and processing capacity.
To safely enable auditing,
complete all of the following steps.
-
In the SAS Web Infrastructure Platform’s SharedServices database, make sure that appropriate audit archive rules are in place. See Archive Process for Audit Records in the SAS Intelligence Platform: Middle-Tier Administration Guide.Note: Predefined rules cause audit records that are older than 30 days to be archived, subject to the following constraints:
-
Predefined rules apply to only actions that SAS Visual Analytics audits, sign-in actions, and sign-out actions. (Sign-in and sign-out actions are not included in the SAS Visual Analytics extraction of audit records or the SAS Visual Analytics administrative reports.)
-
Predefined rules are not provided for sites that use a SAS Web Infrastructure Platform database other than PostgreSQL.
-
Predefined rules do not replace any existing site-specific custom archive rules.
Note: For ID values to use in the archive rules, see Audit Type IDs. The suggested value for FREQUENCY_NO is 2592000000 milliseconds (30 days). -
-
In the SAS Web Infrastructure Platform’s SharedServices database, establish a procedure to periodically purge records from the audit archive tables. See Purging Audit Records in the SAS Intelligence Platform: Middle-Tier Administration Guide.
-
On the autoload host, start the scheduled task that deletes old records from the full AUDIT_VISUALANALYTICS table. See Start auditRefresh.
-
Set the property va.AuditingEnabled to
true. See How to Set Configuration Properties. -
Restart the SAS Web Application Server.
Audit Content and Coverage
The following tables
describe SAS Visual Analytics audit records. Here are some key points:
-
To visualize audit information, see Reports for Administrators.
-
In some cases, multiple audit records are written for a single user interaction. For example, if UserA opens ReportA, and ReportA uses TableA and TableB, records that are written include
[Report.BI]Open, multiple[Table]Readrecords for TableA, and multiple[Table]Readrecords for TableB. -
In the audit_info field,
Security access deniedindicates that a permissions-based access denial from the LASR authorization service occurred.Capacity access deniedindicates that a capacity-based access denial from the LASR authorization service occurred. See Limit Space for Tables. -
The server_app field is populated for actions that use the transport service. For example, when a user prints a report object, the executor_nm value identifies the client (for example, Visual Analytics Viewer 7.4) and the server_app value identifies the underlying component (for example, Visual Analytics Transport Service 7.4).
-
The email_recipients field is not populated for actions that are performed in SAS Mobile BI.
-
For some of the specialized fields,
newandoldvalues are recorded. Thenewvalue reflects current information.
|
Field
|
Description
|
Example Value
|
|---|---|---|
|
General:
|
||
|
audit_id
|
Identifier for the audit
record
|
871
|
|
timestamp_dttm
|
Date and time (GMT)
|
08:06:2014 06:42:59.219
|
|
user_id
|
Metadata name of the
identity that performed the action
|
sasadm
|
|
action_type
|
Name of action
|
Add
|
|
object_type
|
Object type (in the
audit service’s type classification scheme)
|
Report.BI
|
|
executor_nm
|
Application name, device
type (if applicable), and version
|
Visual Analytics Designer
7.4
|
|
action_success_flg
|
Whether the action succeeded
(Y) or failed (N)
|
Y
|
|
audit_info
|
Information about a
failed action, additional details
|
LASR_ACTION=TASK_TABLEINFO;
Security access denied
|
|
Specialized:
|
||
|
location
|
metadata path and type,
or local filename
|
SBIP://METASERVER/User
Folders/ncjoe/My Folder/MyReport(Report)
|
|
lasr_server_name
|
Machine name and port
of a SAS LASR Analytic Server
|
abc.mycompany.com:7300
|
|
table_name
|
Server tag and name
of a LASR table
|
HPS.CARS
|
|
client_id
|
IP address or mobile
device ID
|
12.34.56.789
|
|
report_elements
|
Identifiers for successfully
printed objects (or, all)
|
ve2
|
|
server_app
|
Underlying component
or service
|
Visual Analytics Transport
Service 7.4
|
|
elapsed_time
|
Time for the execute
method in a query (seconds.milliseconds)
|
27.829
|
|
export_output
|
Output type
|
XLSX
|
|
export_rows
|
Number of rows exported
(or, all)
|
250
|
|
export_object
|
Name of the report object
from which data is exported
|
List Table 2
|
|
email_sender
|
Email address
|
joe@company.com
|
|
email_recipients
|
One or more email addresses
|
tara@company.com,joy@company.com
|
|
Audited Activity
|
[object_type] action_types
|
Specialized
Fields
|
|---|---|---|
|
Subscribe to a report
on a mobile device.
|
[BIReportSubscription]
Create
|
client_id, location,
server_app
|
|
Delete a report from
a mobile device.
|
[BIReportSubscription]
Delete
|
client_id, location,
server_app
|
|
Open, create, save,
save as, or delete a report.
|
[Report.BI] Open, Create,
Save, Delete
|
client_id, location,
oldlocation (for save as)
|
|
Move, copy and paste,
or rename a report.
|
[Report.BI] Move, Copy,
Rename
|
client_id, location,
oldlocation
|
|
Send a link to a report
via email.
|
[Report.BI] SendEmail
|
client_id, location,
email_sender, email_recipients
|
|
Export data from an
object within a report.
|
[Report.BI] Export
|
client_id, location,
export_object, export_rows, export_output
|
|
Print some or all objects
in a report to PDF.
|
[Report.BI] Print
|
client_id, location,
report_elements, server_app
|
|
Automatic refresh of
a report by the transport service.
|
[Report.BI] Execute
|
client_id, location,
server_app
|
|
Start a server (or trigger
autostart) from the UI.
|
[Server.LASR] Start
|
client_id, lasr_server_name
|
|
Stop a server.
|
[Server.LASR] Cancel
|
client_id, lasr_server_name
|
|
Read a LASR table.
|
[Table] Read
|
client_id, location,
lasr_server_name, table_name
|
|
Read a source table
(before import or load).
|
[Table] Read
|
client_id, location
(of the source table)
|
|
Load, import, or reload
a LASR table.
|
[Table] Add
|
client_id, location,
lasr_server_name, table_name
|
|
Add a table to co-located
or NFS-mounted storage.
|
[Table] Add
|
client_id, location
(in metadata, new table)
|
|
Unload a LASR table.
|
[Table] Release
|
client_id, location,
lasr_server_name, table_name
|
|
Delete a physical table
from co-located HDFS.
|
[Table] Delete
|
client_id, location
(in HDFS)
|
|
Append, modify, or delete
rows; add computed columns.
|
[Table] Update
|
client_id, location,
lasr_server_name, table_name
|
|
Open, create, save,
save as, or delete a data query.
|
[VisualDataQuery]
Open, Create, Save, Delete
|
client_id, location,
oldlocation (for save as)
|
|
Move or rename a data
query.
|
[VisualDataQuery]
Move, Rename
|
client_id, location,
oldlocation
|
|
Run a data query.
|
[VisualDataQuery] Execute
|
client_id, location,
elapsed_time
|
|
Open, create, save,
save as, or delete an exploration.
|
[VisualExploration]
Open, Create, Save, Delete
|
client_id, location,
oldlocation (for save as)
|
|
Move, copy and paste,
or rename an exploration.
|
[VisualExploration]
Move, Copy, Rename
|
client_id, location,
oldlocation
|
|
Send a link to an exploration
via email.
|
[VisualExploration]
SendEmail
|
client_id, location,
email_sender, email_recipients
|
|
Export data from an
object within an exploration.
|
[VisualExploration]
Export
|
client_id, location,
export_object, export_rows, export_output
|
|
Print some or all objects
in an exploration to PDF.
|
[VisualExploration]
Print
|
client_id, location,
report_elements
|
|
Access encrypted SASHDAT
(use of passphrase).
|
[Library] or [Server.Hadoop]
Read
|
client_id, library_name,
or hadoop_server_name
|
|
Object Type (ID)
|
Action Types (ID)
|
|---|---|
|
Server.LASR (206)
|
Start (34), Cancel (47)
|
|
Server.Hadoop (208)
|
Read (45)
|
|
Library (31)
|
Read (45)
|
|
Table (32)
|
Read (45), Add (36),
Release (48), Delete (2), Update (1)
|
|
BIReportSubscription
(827000)
|
Create (0), Delete (2)
|
|
Report.BI (106)
|
Create (0), Delete (2),
Open (13), Save (53), Move (39), Rename (40), Copy (16), SendEmail
(44), Export (26), Print (7), Execute (35)
|
|
VisualExploration (101)
|
Create (0), Delete (2),
Open (13), Save (53), Move (39), Rename (40), Copy (16), SendEmail
(44), Export (26), Print (7)
|
|
VisualDataQuery (826001)
|
Create (0), Delete (2),
Open (13), Save (53), Move (39), Rename (40), Execute (35)
|
Copyright © SAS Institute Inc. All Rights Reserved.
Last updated: December 18, 2018