Variation 2: Authorization-Based Prefilter

This variation addresses the following additional business requirements:
  • Four people who work in a Human Resources department must be able to view salary information for all employees. You have created a user-defined group in the metadata repository for these users (the HR group).
  • Users who do not have individual metadata identities must not be able to see any of the data. These users have the access that has been defined for the PUBLIC group.
This table summarizes the strategy:
Information Map Controls
  Access Class (User Group)      Information Map
  All rows (Human Resources)     Grant Read, ReadMetadata
  No rows (PUBLIC)               Deny Read, ReadMetadata
  Some rows (SASUSERS)           Grant Read, ReadMetadata
Note: The information map in this example exists only for the purpose of obtaining salary information, so the "No rows" users do not need to be able to see or use this information map.
Note: For each member of SASUSERS, this explicit grant is narrowed by the byPersonName filter that you created in the main example. Here, the filter is used as an authorization-based prefilter.
To set the permissions:
  1. Prepare the information map by using either of these methods:
    • Create a new information map for this variation by completing steps 1 and 2 in the main example.
    • Reuse the information map from the main example by saving that map with a different name and deassigning the filter that was assigned on the General Prefilters tab.
  2. Open the information map and select Tools, then select Authorization to open the Authorization dialog box.
  3. In the Users and Groups list, select PUBLIC. In the Effective Permissions list, add explicit white check box denials for the Read and ReadMetadata permissions.
  4. Click Add. In the Add Users and Groups dialog box, select the HR and SASUSERS groups and then click OK.
  5. In the Authorization dialog box, give SASUSERS explicit white check box grants of the Read and ReadMetadata permissions.
  6. To limit the SASUSERS grant of the Read permission, assign the byPersonName filter to that group.
    1. Click Add Condition to open the Row-Level Permission Condition dialog box.
      Note: The Add Condition button became available when you added the explicit grant of Read permission.
    2. In the Selected filters list, select the SECURITY_ASSOC table.
    3. In the Available filters list, select the byPersonName filter and then use the arrow button to move that filter to the Selected filters list.
      Note: Unlike a filter that you assign on the General Prefilters tab, this filter applies only to members of the SASUSERS group as evaluated according to the identity hierarchy and access control precedence rules.
    4. Click OK to close the Row-Level Permission Condition dialog box.
  7. In the Authorization dialog box, give the HR group explicit grants of the Read and ReadMetadata permissions. Because you want this group to be able to view all salaries, do not constrain Read access by adding a permission condition.
  8. In the Authorization dialog box, click Close. To make your changes take effect, save the information map.
With these access controls in place, retrieval is as follows:
  • Users who don't have their own SAS identity (PUBLIC-only users) can't see or use the information map.
  • Users who have their own SAS identity but aren't listed in the security associations table can see the information map, but retrieve no rows.
  • Users who have their own SAS identity, are listed in the security associations table, and are not members of the HR group get only those rows that contain data for their own direct and indirect reports.
  • Users who are members of the HR group get all rows.
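The four retrieval outcomes above, modelled as an added example (not SAS code and not part of the original documentation): a constructed SECURITY_ASSOC table with assumed column names (PARENT_EMPLOYEE_NAME, EMPLOYEE_NAME) holding direct-report pairs, indirect reports derived by walking the chain, and the group-level grants and denials applied as the table earlier on this page describes.

```python
# Constructed sample data; column names and values are assumptions, not from the page.
SALARIES = {"Alice": 120000, "Bob": 90000, "Carol": 85000, "Dave": 70000}
# SECURITY_ASSOC rows as (PARENT_EMPLOYEE_NAME, EMPLOYEE_NAME): direct reports only.
SECURITY_ASSOC = [("Alice", "Bob"), ("Bob", "Carol"), ("Bob", "Dave")]


def reports_of(person):
    """Direct and indirect reports of `person`: transitive closure over SECURITY_ASSOC."""
    seen, stack = set(), [person]
    while stack:
        manager = stack.pop()
        for parent, employee in SECURITY_ASSOC:
            if parent == manager and employee not in seen:
                seen.add(employee)
                stack.append(employee)
    return seen


def retrieve(user, groups):
    """Model of the effective permissions on the information map.

    `groups` is the set of metadata groups the user belongs to. A user with no
    individual metadata identity is in PUBLIC only. Returns None when the map
    itself is not visible (ReadMetadata denied), otherwise the visible rows.
    """
    if not groups & {"SASUSERS", "HR"}:
        return None  # PUBLIC-only: explicit denial of Read and ReadMetadata
    if "HR" in groups:
        return dict(SALARIES)  # unconstrained grant: all rows
    # SASUSERS grant narrowed by the byPersonName prefilter: only the user's
    # own direct and indirect reports; a user absent from the table gets no rows.
    visible = reports_of(user)
    return {name: salary for name, salary in SALARIES.items() if name in visible}
```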