Authorization-Based Prefilter with SAS.IdentityGroups

Introduction

This example is a variation on the preceding example. Instead of using a general prefilter, which applies universally to all requesting users, this example implements the SAS.IdentityGroups filter as an authorization-based prefilter. With this approach, you can establish different logic for different groups of users. In this example, we introduce a group of executives who should not be subject to the SAS.IdentityGroups filtering. Instead, members of the Executives group should see all of the data.
The following table summarizes the strategy:
Example: Two Classes of Access
Access Class (User Group)
Direct Access Controls
Full Access (Executives)
Grant Read [Explicit]
Filtered Access (PUBLIC)
Grant Read [Conditional]
The first steps, mapping users to data and creating the information map and filter are identical to the preceding example. However, instead of editing the information map’s properties to assign the filter as a general prefilter, complete the steps in the following topics.

Assign the Filter to the PUBLIC Group as a Permission Condition

  1. In SAS Information Map Studio, open the information map and select Toolsthen selectAuthorization to open the Authorization dialog box.
  2. In the Users and Groups list, select PUBLIC. In the Effective Permissions list, add an explicit white check box grant for the Read permission.
  3. To limit the PUBLIC grant of the Read permission, assign the IdentityGroups filter to that group as a permission condition.
    1. Click Add Condition to open the Row-Level Permission Condition dialog box.
      Note: The Add Condition button became available when you added the explicit grant of Read permission.
    2. In the Selected filters list, select the target table.
    3. In the Available filters list, select the IdentityGroups filter and then use the arrow button to move that filter to the Selected filters list.
      Note: Unlike a filter that you assign on the General Prefilters tab, this filter applies only to members of the associated group (PUBLIC in this example) as evaluated according to the identity hierarchy and access control precedence rules.
    4. Click OK to close the Row-Level Permission Condition dialog box.

Give Executives an Explicit Grant of the Read Permission

  1. In the Authorization dialog box, click Add. In the Add Users and Groups dialog box, select the Executives group and then click OK.
  2. In the Effective Permissions list, give the Executive group an explicit grant of the Read permission. Because you want this group to be able to view all data, do not constrain Read access by applying a permission condition.
  3. Click Close. To make your changes take effect, save the information map.

Test the Filter

With these access controls in place, retrieval is as follows:
  • Users who aren’t in the EAST, WEST, or Executive groups get no rows.
  • Users who are in the EAST or WEST groups get filtered access, as in the preceding example.
  • Users who are in the Executives group get all rows (unless they are also members of the EAST or WEST groups at a higher precedence level than they are in the Executives group).
Note: If anyone opens the target table directly, without going through the information map, the filter is not applied, so all rows are returned.
Copyright © SAS Institute Inc. All rights reserved.