SAS Viya 3.4 has some new functionality that provides real help for those who want to transition from SAS Visual Analytics on 9.4 to SAS Viya. In prior releases of SAS Viya you could promote reports and explorations (and a few other supporting objects). In SAS Viya 3.4, promotion support is added for many additional SAS 9.4 resources, making it easier to make the leap to SAS Viya. In this blog, I will review this new functionality.
In SAS Viya 3.4, the following objects participate in promotion from SAS 9.4.
- Data definitions
- Stored processes
- Supporting resources (such as themes, images, graphs templates)
The details of support for each resource are unique and are discussed below.
User and group promotion from SAS 9.4 to SAS Viya is used to support the transition to the target environment of authorization settings that are associated with content. Metadata is exported to support the mapping of SAS 9.4 identity metadata (Users and Groups) to SAS Viya identities (Users, Groups and Custom groups).
During promotion of identity metadata:
- Users connections are mapped using metadata DefaultAuth:logonid to SAS Viya identity id
- Metadata-only groups from SAS 9.4 are converted to SAS Viya Custom groups (except SAS General Servers and SAS System Services)
- If custom groups of the same name (or sometimes the same purpose but a different name) exist in the target, the group is preserved and any mapped members from the source system are added to the group.
Identities are “promoted” to support re-implementation of authorization. You do not have to explicitly export authorization as it is included with libraries, tables, folders and reports when they are exported. Promotion of authorization is optional. If you don’t wish to include authorization, but rather re-implement it in
SAS Viya, you can switch this functionality off at import time.
SAS Viya has two authorization systems, the general authorization system for folders and content, and the CAS authorization system for data. These authorization systems are different than the metadata authorization model in SAS 9.4. So what happens when you promote content that includes authorization?
General Authorization (folders and content)
Promotion will attempt to convert SAS 9.4 authorization to rules in the General authorization system. During the process:
- Explicit Access Control Entries are converted to SAS Viya Rules
- Access Control Entries with denials are discarded
- Access Control Templates are not promoted
In addition, if an object (folder/report):
- does not exist in the target environment,relevant authorization is set for the object and the access control entries from the source are implemented as rules on the object.
- existsin the target environment, then access control entries from the source are merged with any pre-existing authorizations in the target environment.
The CAS authorization system covers CASlibs and data. Promotion will attempt to convert SAS 9.4 authorization on libraries and tables to access controls in the CAS authorization system. During the process:
- Access Control Entries are not promoted unless they are applied directly to a library or table.
- Access Control Entries are converted to CAS access controls.
- Row-level permissions are preserved.
- If an object exists in the target environment no authorization settings are imported.
- Access Control Templates are not promoted.
For details of how individual permissions for both data and content are mapped from SAS 9.4 to SAS Viya see the documentation has great coverage of the steps to follow.
To finish off, I'll share few observations on the process of exporting from 9.4 and importing in SAS Viya. Like SAS 9.4 promotion, you need to import in a specific order. This allows the software to make the relevant connections to dependent resources. For example, if the CASLIB already exists in the target, then import tables can be mapped to it. Typically, the order is: identities > library definitions > tables > reports and folders. To support this process, make sure, during export, you have a separate package for each resource type. Some considerations for the export process.
You should export:
- Identities (users and groups) from the security folders in SAS 9.4 metadata to a separate package.
- Only groups that you need in the target environment (you can subset any irrelevant SAS 9 groups at export time).
- LASR and Base Libraries and tables directly from the library definition in the folder tree (this prevents extraneous folders being created in the target environment).
- Libraries in a separate package from tables so that they may be imported first and be available for mapping when the tables are imported.
- Content and reports from the base of the folder tree so that all directly applied access control entries will be included in the package.
Prior to importing, make sure that users and groups are configured correctly in LDAP. As I already mentioned, physical data is not promoted so ensure that required data and formats are accessible to the SAS Viya environment.
The new functionality for promotion is a great start in helping with the transition from SAS 9.4 to SAS Viya. Look for more functionality in future releases.