This SAS KB article is designed to help business and technical stakeholders understand the basic rationale, steps, and implications of user name changes, while maintaining audit integrity and minimizing operational risk.

Why You Cannot Change User Names in the User Interface (UI)
Recommended Approach
Step-by-Step Instructions
- Example Scenario

Why You Cannot Change User Names in the User Interface (UI)

You cannot modify user names directly in the SAS Fraud Management web interface. This limitation is a deliberate security feature to ensure audit compliance and prevent unauthorized identity changes.

Recommended Approach

If you save a user name incorrectly (for example, due to a typographical error), the recommended approach is to delete the user and create a new user with the correct user name. This method ensures audit trail integrity.

Challenges and Considerations

Depending on the number of users and the complexity of roles and teams, the recommended approach might involve significant manual effort. This is especially true when changing authentication sources. (For example, from myid to my.name@company.com.)

SAS Fraud Management does not have this automation built-in because it is so rarely needed, and other priority fixes and enhancements take precedence.

Deferring to your goals, policies, risk tolerance, and preferences, the instructions here might help you to automate significant user name change events or at least prepare you to work with SAS^®Professional Services^® to do so.

Authentication

A primary use of user names in SAS Fraud Management tables is for authenticating users via a SAS^® Metadata Server. Referential integrity (RI) is maintained using the user_id values, so you can change the user_name values for authentication (see Figure 1).

Referential Integrity (RI) for users

Figure 1: Referential Integrity (RI) for users.

Historical Data and Reporting Impact

There are four denormalized columns that store user names for historical reference. You might choose to update these columns for consistency or retain them for audit purposes.

Affected tables.columns:

• fcm_alert.checkout_user
• fcm_error.user_name
• fcm_strategy_user_audit.user_name
• fcm_user_audit.user_name

Decision Point: Update Historical User Names?

Update: Ensures consistency across the SAS Fraud Management database but might need external mapping when coordinating with external systems, including SAS^® Fraud Management Analytical Data Sets (ADS), which feed SAS Analytical Reports (AR).
Retain: Preserves original audit trail matching external systems but might need external mapping to connect (look up) new-to-old references within SAS Fraud Management.

You need to evaluate analytic and reporting needs both within SAS Fraud Management and external to SAS Fraud Management to determine your preference.

In all cases, it is recommended that you create and retain a time-stamped external mapping of old-to-new user names to bridge any gaps for analytics and reporting. This process ensures audit integrity.

Managing Metadata After user name Changes

SAS Fraud Management Job 3 synchronizes the SAS^® Open Metadata Repository (OMR) with SAS Fraud Management users but does not delete user definitions from the SAS Open Metadata Repository. Users who are logically deleted in SAS Fraud Management are removed from the RSTUDIO group, which prevents further access to SAS Fraud Management using the old user names.

You might optionally clean up the SAS Open Metadata Repository using SAS^® Management Console or programmatically with optional assistance from SAS Professional Services.

Note that SAS Open Metadata Repository cleanup is not required because this change process prevents old user names from accessing SAS Fraud Management. You might choose to retain the old user names is if there are other SAS products that still use them. For systems that run only SAS Fraud Management, the best practice is to remove old users from the SAS Open Metadata Repository, which you can also do manually over time.

Risk Mitigation

For complex user name changes or metadata cleanup, contact SAS Professional Services for assistance
Perform thorough testing to approve production deployment.
Prepare and test exercise a backout plan.
Make SAS Open Metadata Repository and SAS Fraud Management database backups.
Perform post-deployment validation and regression testing.

Step-by-Step Instructions

Required steps to change SAS Fraud Management user names to authenticate logons:
1. Update the user name and reset the OMR_PROCESSED flag using your SQL tool of choice:
  
  update fcm_user set user_name = 'newuser', omr_processed = '0' where user_name = 'olduser'; commit;
2. Run Job 3 to process the new user name into the SAS Open Metadata Repository.
Optionally update the historical tables:

update fcm_alert set checkout_user = 'newuser' where checkout_user = 'olduser';
update fcm_error set user_name = 'newuser' where user_name = 'olduser';
update fcm_strategy_user_audit set user_name = 'newuser' where user_name = 'olduser';
update fcm_user_audit set user_name = 'newuser' where user_name = 'olduser';
commit;
Final validation.
1. Log on using the new user name, and perform regression tests to confirm successful updates.

Example Scenario

Change usertwo to user2 and do not make historical updates

Query the SOR table FCM_USER for the existing user, usertwo (see Figure 2). The value of OMR_PROCESSED is 1 – already processed, and the value of LOGICAL_DEL_IND is zero – active user.

Queried the existing user in the FCM_USER table

Figure 2: Queried the existing user in the FCM_USER table.

Check SAS Management Console for the user, usertwo (see Figure 3). The user information is present.

Checked the existing user in the SAS Management Console

Figure 3: Checked the existing user in the SAS Management Console.

Check SAS Management Console for the user’s groups, usertwo groups (see Figure 4). The user Groups and Roles includes the RSTUDIO group, so this group is active for SAS Fraud Management.

Checked the existing user groups in the SAS Management Console

Figure 4: Checked the existing user groups in the SAS Management Console.

Update the user name and reset the omr_processed flag using the following SQL (see Figure 5):

update fcm_user set user_name = 'user2', omr_processed = '0' where user_name = 'usertwo'; commit; select * from fcm_user where user_name = 'user2';

Figure 5: Queried the values after updating the user_name.

Run Job 3 as usual to load the new (changed) user into the SAS Open Metadata Repository. Refer to your SAS Fraud Management System Administrator’s Guide for additional information about Job 3.
After running Job 3, query the SOR table FCM_USER for the updated user, user2 (see Figure 6). The value of OMR_PROCESSED is 1 – already processed, and the value of LOGICAL_DEL_IND is zero – active user.

Figure 6: Queried the values after running Job 3.

Verify the user changes in SAS Management Console (see Figure 7). The user2 is created.

Verified that user2 was created in the SAS Management Console

Figure 7: Verified that user2 was created in the SAS Management Console.

Verify the user group changes in SAS Management Console (see Figure 8). The new (changed) user2 is enrolled in the RSTUDIO group.

Verified that user2 was enrolled in the RSTUDIO group in the SAS Management Console

Figure 8: Verified that user2 was enrolled in the RSTUDIO group in the SAS Management Console.

Optionally delete old user and/or group membership from the SAS Open Metadata Repository.

Change user names in SAS® Fraud Management

Table of Contents