SAS provides a metadata-based authorization layer that supplements protections from the host environment and other systems. Across authorization layers, protections are cumulative. In order to perform a task, a user must have sufficient access in all applicable layers.
You can use the metadata authorization layer to manage access to the following resources:
almost any metadata object (for example, reports, data definitions, information maps, jobs, stored processes, and server definitions)
relational data (depending on the method by which that data is accessed)
It is important to manage physical layer access in addition to metadata-layer controls. For example, use host operating system protections to limit access to any sensitive SAS data sets. See Host Access to SAS Tables.
Enforcement of permissions other than ReadMetadata and WriteMetadata varies by item type and (for data) by the method with which a library is assigned.