Getting Started With Permissions

Explicit Settings

A permission that is assigned to a particular user or group is an explicit setting for that user or group. To experiment with explicit settings, complete this exercise in SAS Management Console:

Log on as someone who has a well-formed user definition.
On the Folders tab, right-click your My Folder and select New Folder. Create a new folder named test.
Right-click the test folder and select Properties. On the test folder's Authorization tab, briefly examine the settings for each identity in the Users and Groups list box. Notice that all of the settings are indirect . These settings come from the test folder's parent folder.

Note: You can't remove anyone, because all of the listed identities participate in settings that are defined elsewhere.
To give the SASUSERS group an explicit setting:
1. In the Users and Groups list box on the test folder's Authorization tab, select SASUSERS. Notice that SASUSERS has an indirect denial of the ReadMetadata permission.
  
  Note: These instructions assume that your My Folder has standard settings. If this setting is not present, select another identity (such as PUBLIC) that does have an indirect denial of ReadMetadata.
2. Select the opposing check box (grant ReadMetadata). This gives the SASUSERS group an explicit grant of ReadMetadata permission on the test folder.
3. Select the grant ReadMetadata check box again. This removes the explicit grant and reveals the underlying indirect denial.
4. Select the (already selected) deny ReadMetadata check box. This adds an explicit denial on top of the indirect denial.
5. Click OK. An error message tells you that you can't save these settings. The only explicit setting on the test folder is the denial of ReadMetadata permission for SASUSERS. This denial blocks access for all registered users, including you. Click OK to close the message box and return to the Authorization tab.
  
  Note: If you are unrestricted, you won't see the error message. Go to step 5.
6. To see the impact that the SASUSERS denial has on you, select yourself in the Users and Groups list box on the test folder's Authorization tab. Notice that your previous indirect grant of ReadMetadata permission is now an indirect denial of ReadMetadata permission.
7. To restore access for yourself, select the grant ReadMetadata check box. This gives you an explicit grant that offsets the SASUSERS explicit denial. Click OK.
  
  Note: An offsetting grant doesn't have to be assigned directly to you; it can be assigned to any group that is closer to you than the group that has the explicit denial. For example, your custom group memberships are closer to you than SASUSERS, and SASUSERS is closer to you than PUBLIC.
To give an explicit setting to someone who is not already listed:
1. On the test folder's Authorization tab, click Add. In the Add Users and Groups dialog box, clear the Show Groups check box. Move one user (such as the SAS Demo User) to the Selected Identities list box and click OK.
  
  Note: In practice, it is preferable to assign permissions to groups rather than to individual users (for ease of management).
2. On the Authorization tab, notice that the user is selected and has an explicit grant of ReadMetadata permission. An explicit grant of ReadMetadata permission is automatically given to every restricted identity that you add.
  
  Select the opposing check box, deny ReadMetadata permission. This replaces the explicit grant with an explicit denial.
  
  Note: If the selected user has the unrestricted role, you can't change any settings.
3. Click Remove and then click Yes in the confirmation message box. You can remove this user because this user is named only in explicit settings.
Note: Regular users can't navigate to each other's MyFolder because of a denial of ReadMetadata permission to PUBLIC on a parent folder.
To clean up, right-click the test folder and select Delete.

	Orientation to Working With Permissions
	The Authorization Tab