Sample 64976: A sample program that updates a stored password for a user in the metadata
The sample program on the Full Code tab demonstrates using metadata DATA step functions to locate and update a stored password in the metadata through SAS® code.
To run the sample program, you must update it with values for the following:
- the metadata server host name and port
- the user name and password to authenticate
- the authentication domain of the password to update and the new password
Optionally, you can also provide the user ID to update in cases in which a user has multiple IDs available under the same authentication domain.
Here are the steps that the sample program performs:
- Connects to the metadata server and locates the login object.
- Sets the "Password" attribute to the new value.
- Retrieves the "Password" attribute value and compares it with the value that was supplied to confirm that the new value is present.
These sample files and code examples are provided by SAS Institute
Inc. "as is" without warranty of any kind, either express or implied, including
but not limited to the implied warranties of merchantability and fitness for a
particular purpose. Recipients acknowledge and agree that SAS Institute shall
not be liable for any damages whatsoever arising out of their use of this material.
In addition, SAS Institute will provide no support for the materials contained herein.
You must update the top of the sample program with the correct metadata connection information. This information includes an ID and password to connect to the metadata server, the authentication domain for the login that you want to change (such as DefaultAuth), and the new value for the password. The program connects to the metadata server, attempts to locate the account, and sets a value for the Password attribute. It then retrieves the stored password and checks its value against the encoded value of the original password that was supplied to confirm that it was set successfully.
Note: If the user has access to more than one stored password for the authentication domain, the program does not update the password. This issue can occur if a user is an administrator or has a shared credential stored in a user group. In this case, you can use the commented-out queries, which let you specify the login user ID to update.
/* Update the following metadata connection information with values from your system. */
%let user=metauser;
%let pass=password;
%let host=meta.demo.sas.com;
%let port=8561;
/* You must provide information to identify the login to be updated and the new password. */
%let authdomain=DefaultAuth;
%let newpass=newPassword;
/* Uncomment the following line of code if you want to use the query below that allows you to specify a user ID to search.*/
/* To use this code, you must also switch the queries in two places below.*/
/* You can search for "uname" to find them. */
*%let uname=sasdemo;
/* Establishes a connection to the metadata server. */
options metaserver="&host"
        metaport=&port
        metauser="&user"
        metapass="&pass"
        metarepository=Foundation
        metaprotocol=BRIDGE;
/* This DATA step performs the queries against the metadata to confirm the existence of the object and then attempts to update the password. */
data _null_;
  length id type $ 50;
  call missing (of _character_);
  /* This query looks for a login object with a user ID equal to the uname value specified above that is a member of the Authentication Domain specified above.*/
  /* Uncomment this query and comment out the one below it to use. */
  *obj="omsobj:Login?Login[@UserId = '"||"&uname"||"'][Domain/AuthenticationDomain[@Name = '"||"&authdomain"||"']]";
  /* This query searches for any login for the supplied domain, so a normal user should only find themselves. */
  obj="omsobj:Login?Login[Domain/AuthenticationDomain[@Name = '"||"&authdomain"||"']]";
  put "NOTE:Object Query definition is " obj;
  login_count=metadata_resolve(obj,type,id);
  if login_count = -1 then do;
    put "ERROR: Failed to connect to the Metadata Server. Check your connection information.";
    abort cancel;
  end;
  put "NOTE: Found " login_count "logins";
  /* Only move forward if only one login is found that matches the query, so you avoid updating the wrong object. */
  if login_count = 1 then do;
    objid=cats(type,"/",id);
    put "NOTE: Resetting password for Object: " objid=;
    /* This is the command that sets the password attribute. */
    rc=metadata_setattr(objid,"Password","&newpass");
    /* Interprets the return code to the log. */
    put "NOTE: Password change RC is " rc=;
    if rc = 0 then do;
      put "NOTE: Password change was successful.";
    end;
    else if rc = -1 then do;
      put "ERROR: Unable to connect to Metadata Server. This section of the code is hit after successfully connecting to Metadata, so this should not happen.";
    end;
    else if rc = -2 then do;
      put "ERROR: Unable to set the attribute. This is probably a role / permission issue.";
    end;
    else if rc = -3 then do;
      put "ERROR: No objects match the URI. This URI was built from another response so this should not happen.";
    end;
  end;
  else do;
    put "ERROR: Query parameters did not return only 1 login. If you are not already, you may wish to try specifying a user ID.";
    abort cancel;
  end;
run;
/* Retrieves the password that was stored and sets it to a macro variable. */
data _null_;
  length passval $ 255;
  call missing (of _character_);
  /* This query looks for a login object with a user ID equal to the uname value specified above that is a member of the Authentication Domain specified above.*/
  /* Uncomment this query and comment out the one below it to use. */
  *obj="omsobj:Login?Login[@UserId = '"||"&uname"||"'][Domain/AuthenticationDomain[@Name = '"||"&authdomain"||"']]";
  obj="omsobj:Login?Login[Domain/AuthenticationDomain[@Name = '"||"&authdomain"||"']]";
  rc=metadata_getattr(obj,"Password",passval);
  if passval = "{SAS002}B6535B5C02BB1BC110FD31944FC989D3" then do;
    /* Writes warnings and cancels the validation if you are returned the encoded version of "*******" */
    put "WARNING: You are logged in as a user with the unrestricted or user administration metadata role.";
    put "WARNING: I cannot validate the password was set correctly as all passwords are returned to you as '********'";
    put "WARNING: Stopping validation process.";
    abort cancel;
  end;
  /* Puts the retrieved password into a macro variable. */
  call symput('retpass',passval);
run;
/* If a new password is supplied encoded, sets its literal value to the _PWENCODE macro variable. */
data _null_;
  newpassprefix=substr("&newpass",1,4);
  if newpassprefix="{SAS" then do;
    put "NOTE: New password was supplied encoded, setting this value to _PWENCODE variable for validation.";
    call symput('_PWENCODE',"&newpass");
  end;
run;
/* Encodes the password provided. (This populates _PWENCODE with the encoded password). */
proc pwencode in="&newpass"; run;
/* Checks whether the returned and encoded passwords match. */
data _null_;
  retpass=symget("retpass");
  encpass=symget("_PWENCODE");
  if retpass=encpass then do;
    put "NOTE: Confirmed new password is now stored in Metadata.";
  end;
  /* Throws an error if the passwords don't match. */
  else put "ERROR: Checking stored password against the value specified did not match.";
run;
/* Resets variables. */
data _null_;
%symdel user pass host port authdomain uname newpass retpass _PWENCODE;
run;
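The sample stops without changing anything when its query matches more than one login. The following added example, which is not part of the SAS sample, lists the user ID of each login that the same domain-wide query returns so that you can confirm the value to supply for uname before you run the update. The connection values are placeholders, and the variable names loginuri and userid are illustrative.

```sas
/* Added example: placeholder connection values, to be replaced with your own. */
%let user=metauser;
%let pass=password;
%let host=meta.demo.sas.com;
%let port=8561;
%let authdomain=DefaultAuth;

options metaserver="&host"
        metaport=&port
        metauser="&user"
        metapass="&pass"
        metarepository=Foundation
        metaprotocol=BRIDGE;

data _null_;
  length obj loginuri $ 256 userid $ 128;
  call missing(of _character_);
  /* Same domain-wide query that the sample program uses. */
  obj="omsobj:Login?Login[Domain/AuthenticationDomain[@Name = '"||"&authdomain"||"']]";
  /* METADATA_GETNOBJ returns the number of matching objects and the URI of match n. */
  login_count=metadata_getnobj(obj,1,loginuri);
  if login_count = -1 then
    put "ERROR: Failed to connect to the Metadata Server. Check your connection information.";
  else if login_count < 1 then
    put "NOTE: No login matched the query. " login_count=;
  else do n=1 to login_count;
    rc=metadata_getnobj(obj,n,loginuri);
    if rc > 0 then do;
      /* Only the UserID attribute is read; the Password attribute is never requested. */
      rc=metadata_getattr(loginuri,"UserID",userid);
      if rc = 0 then put "NOTE: Login " n "of " login_count ": " loginuri= userid=;
      else put "WARNING: Could not read UserID for " loginuri= rc=;
    end;
  end;
run;

/* Clears the connection values, as the sample program does. */
%symdel user pass host port authdomain;
```

If more than one login is listed, set uname to the intended user ID and switch to the commented-out queries in the sample program.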
This sample program locates a stored password in the metadata and updates it with a new value.
Date Modified: 2019-10-22 09:35:54
Date Created: 2019-10-21 12:34:13
Operating System and Release Information
SAS System | SAS Metadata Server
- z/OS
- Microsoft® Windows® for 64-Bit Itanium-based Systems
- Microsoft Windows Server 2003 Datacenter 64-bit Edition
- Microsoft Windows Server 2003 Enterprise 64-bit Edition
- Microsoft Windows XP 64-bit Edition
- Microsoft® Windows® for x64
- Microsoft Windows 8 Enterprise 32-bit
- Microsoft Windows 8 Enterprise x64
- Microsoft Windows 8 Pro 32-bit
- Microsoft Windows 8 Pro x64
- Microsoft Windows 8.1 Enterprise 32-bit
- Microsoft Windows 8.1 Enterprise x64
- Microsoft Windows 8.1 Pro 32-bit
- Microsoft Windows 8.1 Pro x64
- Microsoft Windows 10
- Microsoft Windows 95/98
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows NT Workstation
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 for x64
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2008 for x64
- Microsoft Windows Server 2012 Datacenter
- Microsoft Windows Server 2012 R2 Datacenter
- Microsoft Windows Server 2012 R2 Std
- Microsoft Windows Server 2012 Std
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows XP Professional
- Windows 7 Enterprise 32 bit
- Windows 7 Enterprise x64
- Windows 7 Home Premium 32 bit
- Windows 7 Home Premium x64
- Windows 7 Professional 32 bit
- Windows 7 Professional x64
- Windows 7 Ultimate 32 bit
- Windows 7 Ultimate x64
- Windows Millennium Edition (Me)
- Windows Vista
- Windows Vista for x64
- 64-bit Enabled AIX
- 64-bit Enabled HP-UX
- 64-bit Enabled Solaris
- HP-UX IPF
- Linux
- Linux for x64
- Linux on Itanium
- Solaris for x64