SAS(R) 9.2 Intelligence Platform: Security Administration Guide
 |
|
| Getting Started With Permissions |
Key Points About Working With Permissions
Here are some key points about using metadata layer permissions:
-
These permissions supplement protections from the host environment and other systems. Across authorization layers, protections are cumulative. In order to perform a task, a user must have sufficient access in all applicable layers.
-
Setting permissions is an item-centric activity. To define permissions for someone, do not begin by finding that person's user definition. Instead, begin by navigating to an item that you want to protect or make available.
-
Only the ReadMetadata and WriteMetadata permissions are universally relevant and enforced. See Use and Enforcement of Each Permission.
-
After you add a broad denial, review the impact that this has on everyone else. For example, if the only setting on an item is an explicit PUBLIC denial, that denial blocks access for everyone (other than unrestricted users). To offset the denial, add one or more selective explicit (or ACT) grants.
-
Before you deny the ReadMetadata permission on a folder, consider the navigational consequences. Without ReadMetadata permission on a folder, you can't navigate to items beneath that folder. Users need a clear path of grants of ReadMetadata permission in order to navigate to the content that they use.
The
following
table summarizes what happens when you select a check box on the Authorization tab. In each row, the pointer
![[arrow]](images/ba-pointer.gif)
indicates an action
(a mouse click) that occurs between the before and the after.
| Before and After | Explanation |
|---|---|
![[Mechanics of the Effective Permissions List]](images/ba-one.gif) |
A new explicit setting overrides and hides the opposing indirect (gray) setting. |
![[Mechanics of the Effective Permissions List]](images/ba-two.gif) |
A new explicit setting overrides and hides the opposing ACT (green) setting. |
![[Mechanics of the Effective Permissions List]](images/ba-three.gif) |
A new explicit setting is added on top of the matching indirect (gray) setting. |
![[Mechanics of the Effective Permissions List]](images/ba-four.gif) |
A new explicit setting is added on top of the matching ACT (green) setting. |
![[Mechanics of the Effective Permissions List]](images/ba-five.gif) |
A new explicit setting replaces the opposing explicit setting. |
![[Mechanics of the Effective Permissions List]](images/ba-six.gif) |
The explicit setting is removed and an underlying indirect (gray) or ACT (green) setting is revealed. |
The following figure summarizes the relative priority of access controls based on where they are set and who they are assigned to.
Summary: Relative Precedence of Access Controls
![[Summary: Relative Precedence of Access Controls]](images/permissions.gif)
In the preceding figure, notice that explicit and ACT settings on an object (a report in this case) always have priority over settings on the object's parent (a folder in this case). For example, if a report has an explicit denial of ReadMetadata permission for PUBLIC and the report's folder has a grant of ReadMetadata permission for you, you can't see the report. For further discussion and examples, see Authorization Decisions.
See Also
|
SAS Management Console: Guide to Users and Permissions |
|
|
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.
