Usage Note 30860: Implementing bulk-load processes for metadata identity management after users have been entered manually
 |  |  |  |  |
As an alternative to using the User Manager in the SAS® Management Console to add and maintain user identities in the metadata repository, you can use bulk-load processes provided via sample programs and SAS autocall macros. These processes are designed to be an exclusive mechanism for managing metadata identities.
In order to synchronize user information between the external enterprise source (such as Microsoft's Active Directory Server or the UNIX /etc/passwd file) and the metadata identity, the bulk-load processes rely on an external identifier key that is stored in the metadata as an ExternalIdentity object. Users that are added manually through the SAS Management Console User Manager do not have an ExternalIdentity association. If you attempt to run the synchronization process using the bulk-load utility, any users that were previously entered manually could cause the synchronization to fail.
You can synchronize your metadata identities with your enterprise data source when you have already entered some users manually through any of the following methods:
- You can exclude any manually-entered users from the bulk-load process by adding code to filter them from the enterprise extract.
- You can delete the manually-entered users from the metadata using the SAS
Management Console and allow the bulk-load process to re-add them. However, this
method might cause additional problems. When you delete a user definition you also
remove all associations to that user, including security associations. When you re-create the user definition – even if it has the same name and logins – it is treated
as a completely different user. The following are some examples of problems that can occur:
- The new user definition will not automatically get the same permissions as the original user definition.
- If any of the deleted users had previously used the SAS® Information Delivery Portal, then their Portal Permissions tree and personal content will be deleted.
- If any of the deleted users owned project repositories, those repositories will be deleted.
- If any of the deleted users had saved reports in personal folders, those reports will be deleted.
- You can add an ExternalIdentity object to manually entered users prior to running the synchronization process. Click the Full Code tab for sample code that illustrates how you can add this information. Ensure that you supply the appropriate parameters before you run the program.
The best approach when you have a large number of users is to use the bulk-load processes to load and synchronize metadata identities initially, and to avoid entering users manually. The synchronization process will perform correctly and the steps outlined above are unnecessary.
The bulk-load processes are documented in the SAS 9.1.3 Intelligence Platform Security Administration Guide in Appendix 2. SAS Technical Support consultants are available to answer specific questions you might have concerning this process. If you require a resource to customize the initial load and synchronization programs for your site, please contact your SAS account representative who can coordinate with SAS Consulting Services to assist you.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | SAS Metadata Server | z/OS | 9.1 TS1M3 SP4 | |
| Microsoft® Windows® for 64-Bit Itanium-based Systems | 9.1 TS1M3 SP4 | |||
| Microsoft Windows Server 2003 Datacenter 64-bit Edition | 9.1 TS1M3 SP4 | |||
| Microsoft Windows Server 2003 Enterprise 64-bit Edition | 9.1 TS1M3 SP4 | |||
| Microsoft Windows XP 64-bit Edition | 9.1 TS1M3 SP4 | |||
| Microsoft® Windows® for x64 | 9.1 TS1M3 SP4 | |||
| Microsoft Windows 2000 Advanced Server | 9.1 TS1M3 SP4 | |||
| Microsoft Windows 2000 Datacenter Server | 9.1 TS1M3 SP4 | |||
| Microsoft Windows 2000 Server | 9.1 TS1M3 SP4 | |||
| Microsoft Windows 2000 Professional | 9.1 TS1M3 SP4 | |||
| Microsoft Windows Server 2003 Datacenter Edition | 9.1 TS1M3 SP4 | |||
| Microsoft Windows Server 2003 Enterprise Edition | 9.1 TS1M3 SP4 | |||
| Microsoft Windows Server 2003 Standard Edition | 9.1 TS1M3 SP4 | |||
| Microsoft Windows XP Professional | 9.1 TS1M3 SP4 | |||
| 64-bit Enabled AIX | 9.1 TS1M3 SP4 | |||
| 64-bit Enabled HP-UX | 9.1 TS1M3 SP4 | |||
| 64-bit Enabled Solaris | 9.1 TS1M3 SP4 | |||
| HP-UX IPF | 9.1 TS1M3 SP4 | |||
| Linux | 9.1 TS1M3 SP4 | |||
| Linux on Itanium | 9.1 TS1M3 SP4 | |||
This program adds an ExternalIdentity association to metadata identities to allow the bulkload synchronization programs to successfully update metadata identities that were not originally added using the bulkload processes.
This code should be embedded within your synchronization program, after the steps where you perform your metadata and enterprise extracts. You must also repeat the metadata extract after this block of code, in order to pick up the changes.
Be sure to supply values for the three macro variables that are assigned at the beginning of the program. Each variable's purpose is indicated in the accompanying comments.
/*------------------------------------------------------------------------
* Add External Identities to Internal Identities for Synchronization.
* Compare Persons and IdentityGroups stored in metadata identities
* stored in the external enterprise source to identify identities that
* will not successfully synchronize unless an ExternalIdentity object
* is added to the metadata Identity.
*
* This sample code can be embedded within your synchronization program.
* You should place it after you perform your metadata and enterprise
* extracts. Then, after this code has executed, you must repeat the
* metadata extract in order to pick up the changes.
*
* User input required: You must supply values for the 3 macro variables
* at the beginning of the program.
*-----------------------------------------------------------------------*/
%let metaextractlibref= ; *Insert the libref you use to store your metadata extract;
%let importlibref= ; *Insert the libref you use to store your enterprise extract;
%let html= ; *Supply a path where the identity report can be written;
%global Identityn GrpIdentityn;
ods html file="&html\nonextpersons.html";
proc sql;
Title 'Metadata Identities with no ExternalIdentity who will be Imported';
create table &metaextractlibref..nonextpersons as
select md.name, ie.keyid label="External_id",
md.extid_identifier label="Meta_extid" from
&metaextractlibref..person_info as md,
&importlibref..person as ie
where md.name=ie.name and md.extid_identifier="";
select * from &metaextractlibref..nonextpersons ;
select count(*) into :Identityn from &metaextractlibref..nonextpersons ;
quit;
ods html close;
ods html file="&html\nonextgroups.html";
proc sql;
Title 'Metadata Groups with no ExternalIdentity who will be Imported';
create table &metaextractlibref..nonextgroups as
select md.name,ie.keyid label="External_id",
md.extid_identifier label= "Meta_extid" from
&metaextractlibref..group_info as md, &importlibref..Idgrps as ie
where md.name=ie.name and md.extid_identifier="";
select * from &metaextractlibref..nonextgroups;
select count(*) into :GrpIdentityn from &metaextractlibref..nonextgroups;
quit;
ods html close;
%macro add_external_identity;
%put Note: Begin update Person Identities with External Identity.;
%if (%superq(Identityn) ^= 0) %then %do;
data _null_;
set &metaextractlibref..nonextpersons;
/* Only add external Identity to Persons */
length id $20
type uri puri obj $256;
id='';
type='';
uri='';
puri='';
Context='IdentityImport'; /* Default value from mduimpl */
/*------------------------------------------------------------------------
* this object identifies whether an ExternalIdentity already exists for the Person
------------------------------------------------------------------------*/
obj="omsobj:ExternalIdentity?ExternalIdentity[OwningObject/Person[@Name='"
|| name || "']]";
put obj=;
/*------------------------------------------------------------------------
* test to see if an ExternalIdentity already exists
------------------------------------------------------------------------*/
rc=metadata_resolve(obj,type,id);
put rc=; /* This should be 0 */
put id=;
put type=; /* This should be Person */
if (rc=0) then do;
/*------------------------------------------------------------------------
* add a new ExternalIdentity object with a
* name value of the Person's name, with a
* parent of the Person's identity object
------------------------------------------------------------------------*/
obj="omsobj:Person?@Name='" || name || "'";
put obj=;
rc=metadata_resolve(obj,type,id);
put rc=; /* This should be 1 */
put id=;
put type=; /* This should be Person */
rc=metadata_newobj("ExternalIdentity",
puri,
name,
"Foundation",
obj,
"ExternalIdentities");
put puri= rc= 'After newobj';
/*------------------------------------------------------------------------
* set the attributes for the Identifier and Context
------------------------------------------------------------------------*/
rc=metadata_setattr(puri,'Identifier',keyid);
put rc= 'After setattr Identifier';
rc=metadata_setattr(puri,'Context',Context);
put rc= 'After setattr Context';
end;
else put 'External Identity already exists for ' name;
run;
%end;
%else %put Note: There are no internal identities;
%put Note: Finish update Person Identities with External Identity.;
%mend;
%add_external_identity;
%macro add_external_Group_identity;
%put Note: Begin update IdentityGroup Identities with External Identity.;
%if (%superq(GrpIdentityn) ^= 0) %then %do;
data _null_;
set &metaextractlibref..nonextgroups;
/* Only add external Identity to Persons */
length id $20
type uri puri obj $256;
id='';
type='';
uri='';
puri='';
Context='IdentityImport'; /* Default value from mduimpl */
/*------------------------------------------------------------------------
* this object identifies if an ExternalIdentity already exists for the Group
------------------------------------------------------------------------*/
obj="omsobj:ExternalIdentity?ExternalIdentity[OwningObject/IdentityGroup[@Name='"
|| name || "']]";
put obj=;
/*------------------------------------------------------------------------
* test to see if an ExternalIdentity already exists
------------------------------------------------------------------------*/
rc=metadata_resolve(obj,type,id);
put rc=; /* This should be 0 */
put id=;
put type=; /* This should be Group */
if (rc=0) then do;
/*------------------------------------------------------------------------
* add a new ExternalIdentity object with a
* name value of the Group's name, with a
* parent of the Group's identity object
------------------------------------------------------------------------*/
obj="omsobj:IdentityGroup?@Name='" || name || "'";
put obj=;
rc=metadata_resolve(obj,type,id);
put rc=; /* This should be 1 */
put id=;
put type=; /* This should be IdentityGroup */
rc=metadata_newobj("ExternalIdentity",
puri,
name,
"Foundation",
obj,
"ExternalIdentities");
put puri= rc= 'After newobj';
/*------------------------------------------------------------------------
* set the attributes for the Identifier and Context
------------------------------------------------------------------------*/
rc=metadata_setattr(puri,'Identifier',keyid);
put rc= 'After setattr Identifier';
rc=metadata_setattr(puri,'Context',Context);
put rc= 'After setattr Context';
end;
else put 'External Identity already exists for ' name;
run;
%end;
%else %put Note: There are no internal identities;
%put Note: Finish update IdentityGroup Identities with External Identity.;
%mend;
%add_external_Group_identity;
| Type: | Usage Note |
| Priority: |
| Date Modified: | 2008-06-25 16:19:11 |
| Date Created: | 2008-01-03 13:36:52 |