Key Actions Auditing

Introduction

This topic provides information that is specific to SAS Visual Analytics. For general information, see Configuring Auditing for SAS Web Applications in the SAS Intelligence Platform: Middle-Tier Administration Guide.
The following figure depicts the flow of audit data:
Flow of Audit Data
flow of audit data
The vertical flow provides data for an administrative report:
  1. If auditing is enabled and a user performs an auditable action, the current application generates one or more audit records. The audit records are written to the SAS_AUDIT and SAS_AUDIT_ENTRY tables in the public schema of the SharedServices database in the SAS Web Infrastructure Platform.
  2. The next time the extraction process runs, it notices that the audit tables in the SAS Web Infrastructure Platform’s SharedServices database have data that does not exist in the corresponding autoload data directory (drop zone). The extraction process writes the new data to the Append subdirectory of the EVDMLA autoload data directory. The scope of extraction consists of all records for a fixed set of object types. See Audit Content and Coverage. Audit records for logon and logoff actions are not extracted.
  3. The next time the autoload process runs, it notices that the audit data in the Append subdirectory is newer than the corresponding LASR table. The autoload process appends the new data to the existing LASR table.
The horizontal flows manage audit data as follows:
  • To manage the sizes of the audit tables in the SAS Web Infrastructure Platform’s SharedServices database, audit archive rules move specified records of a specified age to the audit archive tables.
  • To manage the sizes of the audit archive tables in the SAS Web Infrastructure Platform’s SharedServices database, you must periodically purge records from those tables.
  • To ensure that data is available in memory after the server restarts, appended data is immediately written to a second location, the AUDIT_VISUALANALYTICS table in the autoload data directory. This is standard autoload append behavior. See How Autoload Works.
  • To manage the size of the AUDIT_VISUALANALYTICS tables in the autoload drop zone, a scheduled task deletes records of a specified age, and then refreshes the corresponding LASR table. In the initial configuration, the task runs daily and deletes records that are more than 30 days old.

How to Safely Enable Auditing

CAUTION:
Audit data can consume significant amounts of disk space and processing capacity.
To safely enable auditing, complete all of the following steps.
  1. In the SAS Web Infrastructure Platform’s SharedServices database, make sure that appropriate audit archive rules are in place. See Archive Process for Audit Records in the SAS Intelligence Platform: Middle-Tier Administration Guide.
    Note: Predefined rules cause audit records that are older than 30 days to be archived, subject to the following constraints:
    • Predefined rules apply to only actions that SAS Visual Analytics audits, sign-in actions, and sign-out actions. (Sign-in and sign-out actions are not included in the SAS Visual Analytics extraction of audit records or the SAS Visual Analytics administrative reports.)
    • Predefined rules are not provided for sites that use a SAS Web Infrastructure Platform database other than PostgreSQL.
    • Predefined rules do not replace any existing site-specific custom archive rules.
    Note: For ID values to use in the archive rules, see Audit Type IDs. The suggested value for FREQUENCY_NO is 2592000000 milliseconds (30 days).
  2. In the SAS Web Infrastructure Platform’s SharedServices database, establish a procedure to periodically purge records from the audit archive tables. See Purging Audit Records in the SAS Intelligence Platform: Middle-Tier Administration Guide.
  3. On the autoload host, start the scheduled task that deletes old records from the full AUDIT_VISUALANALYTICS table. See Start auditRefresh.
  4. Restart the SAS Web Application Server.

Audit Content and Coverage

The following tables describe SAS Visual Analytics audit records. Here are some key points:
  • To visualize audit information, see Reports for Administrators.
  • In some cases, multiple audit records are written for a single user interaction. For example, if UserA opens ReportA, and ReportA uses TableA and TableB, records that are written include [Report.BI]Open, multiple [Table]Read records for TableA, and multiple [Table]Read records for TableB.
  • In the audit_info field, Security access denied indicates that a permissions-based access denial from the LASR authorization service occurred. Capacity access denied indicates that a capacity-based access denial from the LASR authorization service occurred. See Limit Space for Tables.
  • The server_app field is populated for actions that use the transport service. For example, when a user prints a report object, the executor_nm value identifies the client (for example, Visual Analytics Viewer 7.4) and the server_app value identifies the underlying component (for example, Visual Analytics Transport Service 7.4).
  • The email_recipients field is not populated for actions that are performed in SAS Mobile BI.
  • For some of the specialized fields, new and old values are recorded. The new value reflects current information.
Audit Content
Field
Description
Example Value
General:
audit_id
Identifier for the audit record
871
timestamp_dttm
Date and time (GMT)
08:06:2014 06:42:59.219
user_id
Metadata name of the identity that performed the action
sasadm
action_type
Name of action
Add
object_type
Object type (in the audit service’s type classification scheme)
Report.BI
executor_nm
Application name, device type (if applicable), and version
Visual Analytics Designer 7.4
action_success_flg
Whether the action succeeded (Y) or failed (N)
Y
audit_info
Information about a failed action, additional details
LASR_ACTION=TASK_TABLEINFO; Security access denied
Specialized:
location
metadata path and type, or local filename
SBIP://METASERVER/User Folders/ncjoe/My Folder/MyReport(Report)
lasr_server_name
Machine name and port of a SAS LASR Analytic Server
abc.mycompany.com:7300
table_name
Server tag and name of a LASR table
HPS.CARS
client_id
IP address or mobile device ID
12.34.56.789
report_elements
Identifiers for successfully printed objects (or, all)
ve2
server_app
Underlying component or service
Visual Analytics Transport Service 7.4
elapsed_time
Time for the execute method in a query (seconds.milliseconds)
27.829
export_output
Output type
XLSX
export_rows
Number of rows exported (or, all)
250
export_object
Name of the report object from which data is exported
List Table 2
email_sender
Email address
joe@company.com
email_recipients
One or more email addresses
tara@company.com,joy@company.com
Audit Coverage
Audited Activity
[object_type] action_types
Specialized Fields
Subscribe to a report on a mobile device.
[BIReportSubscription] Create
client_id, location, server_app
Delete a report from a mobile device.
[BIReportSubscription] Delete
client_id, location, server_app
Open, create, save, save as, or delete a report.
[Report.BI] Open, Create, Save, Delete
client_id, location, oldlocation (for save as)
Move, copy and paste, or rename a report.
[Report.BI] Move, Copy, Rename
client_id, location, oldlocation
Send a link to a report via email.
[Report.BI] SendEmail
client_id, location, email_sender, email_recipients
Export data from an object within a report.
[Report.BI] Export
client_id, location, export_object, export_rows, export_output
Print some or all objects in a report to PDF.
[Report.BI] Print
client_id, location, report_elements, server_app
Automatic refresh of a report by the transport service.
[Report.BI] Execute
client_id, location, server_app
Start a server (or trigger autostart) from the UI.
[Server.LASR] Start
client_id, lasr_server_name
Stop a server.
[Server.LASR] Cancel
client_id, lasr_server_name
Read a LASR table.
[Table] Read
client_id, location, lasr_server_name, table_name
Read a source table (before import or load).
[Table] Read
client_id, location (of the source table)
Load, import, or reload a LASR table.
[Table] Add
client_id, location, lasr_server_name, table_name
Add a table to co-located or NFS-mounted storage.
[Table] Add
client_id, location (in metadata, new table)
Unload a LASR table.
[Table] Release
client_id, location, lasr_server_name, table_name
Delete a physical table from co-located HDFS.
[Table] Delete
client_id, location (in HDFS)
Append, modify, or delete rows; add computed columns.
[Table] Update
client_id, location, lasr_server_name, table_name
Open, create, save, save as, or delete a data query.
[VisualDataQuery] Open, Create, Save, Delete
client_id, location, oldlocation (for save as)
Move or rename a data query.
[VisualDataQuery] Move, Rename
client_id, location, oldlocation
Run a data query.
[VisualDataQuery] Execute
client_id, location, elapsed_time
Open, create, save, save as, or delete an exploration.
[VisualExploration] Open, Create, Save, Delete
client_id, location, oldlocation (for save as)
Move, copy and paste, or rename an exploration.
[VisualExploration] Move, Copy, Rename
client_id, location, oldlocation
Send a link to an exploration via email.
[VisualExploration] SendEmail
client_id, location, email_sender, email_recipients
Export data from an object within an exploration.
[VisualExploration] Export
client_id, location, export_object, export_rows, export_output
Print some or all objects in an exploration to PDF.
[VisualExploration] Print
client_id, location, report_elements
Access encrypted SASHDAT (use of passphrase).
[Library] or [Server.Hadoop] Read
client_id, library_name, or hadoop_server_name
Audit Type IDs
Object Type (ID)
Action Types (ID)
Server.LASR (206)
Start (34), Cancel (47)
Server.Hadoop (208)
Read (45)
Library (31)
Read (45)
Table (32)
Read (45), Add (36), Release (48), Delete (2), Update (1)
BIReportSubscription (827000)
Create (0), Delete (2)
Report.BI (106)
Create (0), Delete (2), Open (13), Save (53), Move (39), Rename (40), Copy (16), SendEmail (44), Export (26), Print (7), Execute (35)
VisualExploration (101)
Create (0), Delete (2), Open (13), Save (53), Move (39), Rename (40), Copy (16), SendEmail (44), Export (26), Print (7)
VisualDataQuery (826001)
Create (0), Delete (2), Open (13), Save (53), Move (39), Rename (40), Execute (35)
Last updated: December 18, 2018