Getting Started With Permissions
Where Are Permissions Set?
You can set permissions on a folder, a report, an information map, a server definition, a cube definition, a stored process definition, or almost any other metadata item. Each item's permission settings are displayed on that item's Authorization tab. To view or set permissions for any item, right-click the item, select Properties, and select the item's Authorization tab.
On an item's Authorization tab, you can set permissions individually by selecting check boxes in the Effective Permissions list. These are called explicit settings. You can also set permissions in patterns by clicking the Access Control Templates button. These are called ACT settings.
Note: For specialized tasks such as setting repository-level permissions and defining access to subsets of data, see Granularity and Mechanics.
Who Are Permissions Assigned To?
You can assign permissions to individual users or to user groups. Each SAS user has an identity hierarchy that starts with the user's individual SAS identity, can include multiple levels of nested group memberships, and ends with automatic membership in SASUSERS and then PUBLIC. For a depiction, see Identity Precedence.
On an item's Authorization tab, the Users and Groups list usually includes at least the following groups:
- PUBLIC: automatically includes everyone who can access the metadata server. This is the broadest group.
- SASUSERS: automatically includes those members of PUBLIC who have a well-formed user definition. This is a broad group that represents all registered users.
- SAS Administrators: includes metadata administrators. This is a small, highly privileged group.
- SAS System Services: includes one or more service identities. This group shouldn't have regular users as members. Usually, the SAS Trusted User is the only member.
Someone who isn't listed on an item's Authorization tab has the access of their closest listed group. Each user's closest listed group is determined by that user's group memberships and identity hierarchy. Here are some examples:
- The closest listed group for an administrator is usually SAS Administrators.
- The closest listed group for a regular registered user is often SASUSERS.
- The closest (and only) listed group for an unregistered user is PUBLIC.
To create specialized settings, click Add and add users or groups to the list. Or, click Access Control Templates and apply a predefined pattern of settings.
The Advanced button is available only if you are unrestricted. Use this button to trace an item's inheritance parents or to look up settings for any user.
What Do the Colors Indicate?
The following table explains the significance of the check box colors:
Color | Term | Significance |
---|---|---|
(clear)¹ | Explicit | The permission is set on the current item and individually assigned to the selected identity. |
(green) | ACT | The permission comes from an applied ACT whose pattern explicitly assigns the grant or denial to the selected identity. |
(gray) | Indirect | The permission comes from someone else (a group that has an explicit or ACT setting) or somewhere else (a parent item or the repository ACT).² |

¹ Explicit settings are usually white because the background color for the permissions list is usually white.
² For the WriteMemberMetadata permission, gray can indicate that the setting mirrors the WriteMetadata setting. For an unrestricted user, gray indicates a grant that can't be removed.
The color changes that occur when you select a check box are explained in Mechanics of the Effective Permissions List.
What Is the Effect of a Permission Setting?
On each item's Authorization tab, the permissions list always includes at least the following basic permissions:
- the ReadMetadata permission (controls the ability to see an item)
- the WriteMetadata permission (controls the ability to update or delete an item)
Other permissions are specialized and affect only certain types of items. For example, the ability to delete most items is controlled by the WriteMetadata permission, not by the Delete permission. For details, see Use and Enforcement of Each Permission.
The effect of a particular permission setting is influenced by any related settings that have higher precedence. For example, if a report inherits a grant from its parent folder but also has an explicit denial, the inherited grant has lower precedence. The explicit setting determines the outcome, so the result is a denial.
On each item's Authorization tab, the check marks that are displayed in the Effective Permissions list incorporate all precedence considerations. The displayed effective permissions are a calculation of the net impact of all applicable permission settings in the metadata layer. However, the Authorization tab doesn't reflect access in other layers such as the operating system.
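The closest-listed-group rule and the explicit-over-inherited rule described above can be traced with a small model. This is an added example, not SAS code or part of the original documentation. It assumes a flat, nearest-first identity hierarchy, a single parent folder, and denial when no setting applies; the user names and settings are constructed.

```python
# Simplified model (added example, not SAS code) of two rules from this page:
#   1. someone without a setting of their own gets their closest listed group's access
#   2. a setting on the item itself outranks one inherited from a parent
GRANT, DENY = "grant", "deny"

def closest_listed(hierarchy, listed):
    """First identity in the user's hierarchy (nearest first) that is listed."""
    return next((i for i in hierarchy if i in listed), None)

def effective(hierarchy, permission, on_item, inherited):
    """Return (outcome, deciding identity, source) for one user and permission.

    on_item / inherited map identity -> {permission: GRANT or DENY}.
    """
    for source, settings in (("item", on_item), ("inherited", inherited)):
        relevant = {i: p[permission] for i, p in settings.items() if permission in p}
        who = closest_listed(hierarchy, relevant)
        if who is not None:
            return relevant[who], who, source
    return DENY, None, "none"  # assumption: no applicable setting means no access

# Constructed sample data: user names and settings are hypothetical.
HIERARCHIES = {
    "jdoe":   ["jdoe", "SASUSERS", "PUBLIC"],                          # registered user
    "asmith": ["asmith", "SASUSERS", "PUBLIC"],                        # registered user
    "admin1": ["admin1", "SAS Administrators", "SASUSERS", "PUBLIC"],  # administrator
    "guest":  ["PUBLIC"],                                              # unregistered
}
REPORT = {"jdoe": {"ReadMetadata": DENY}}          # explicit denial on the report
PARENT_FOLDER = {                                  # settings the report inherits
    "PUBLIC": {"ReadMetadata": DENY},
    "SASUSERS": {"ReadMetadata": GRANT},
    "SAS Administrators": {"ReadMetadata": GRANT, "WriteMetadata": GRANT},
}

def audit(permission):
    """Resolve `permission` on the report for every sample user."""
    return {u: effective(h, permission, REPORT, PARENT_FOLDER)
            for u, h in HIERARCHIES.items()}

if __name__ == "__main__":
    for perm in ("ReadMetadata", "WriteMetadata"):
        for user, (outcome, who, source) in audit(perm).items():
            print(f"{perm:14} {user:7} {outcome:5} via {who} ({source})")
```

In the sample, jdoe and asmith have the same group memberships, yet only jdoe is denied ReadMetadata, because the explicit denial on the report outranks the grant that both inherit through SASUSERS.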
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.