Getting Started With Permissions

Using WriteMetadata and WriteMemberMetadata Permissions

The following permissions affect the ability to create, update, and delete metadata.

WriteMetadata (WM)

Edit, delete, change permissions for, or rename an item. For example, to edit a report, you need WM for the report. To delete a report, you need WM for the report (and WMM for the report's parent folder). For containers other than folders (such as repositories, libraries, and schemas), WM also affects adding and deleting child items. For example, to add an item anywhere in a repository, you need WM at the repository level. For folders, adding and deleting child items is controlled by WMM, not WM.

WriteMemberMetadata (WMM)

Add an item to a folder or delete an item from a folder. For example, to save a report to a folder, you need WMM for the folder. To remove a report from a folder, you need WMM for the folder (and WM for the report). To enable someone to interact with a folder's contents but not with the folder itself, grant WMM and deny WM.

Note:   We recommend that anyone who has a grant of WM is not denied WMM.

To experiment with WM and WMM, complete this exercise in SAS Management Console:

  1. Log on as someone who has a well-formed user definition.

    Note:   Step 5a assumes that you are restricted and aren't in the SAS Administrators group. To create a temporary restricted user for this exercise, complete steps 2-3 in Add Administrators (for example, use the name temp and log on as temp@saspw).

  2. On the Folders tab, right-click your My Folder and select New Folder. Create a new folder named learn.

  3. To see how WM influences WMM:

    1. Right-click the learn folder, select Properties, and select the Authorization tab.

    2. Notice that WMM is in the permissions list. This permission is meaningful only for folders.

    3. In the Users and Groups list box, select PUBLIC. Notice that this group has indirect (gray check box) denials for both WM and WMM. Add an explicit (white check box) grant of WM. Notice that this causes the WMM setting to change to a grant.

    4. Select the grant WM check box again. This clears the check box and removes the explicit grant. Notice that the WMM setting also reverts to a denial.

    5. Add an explicit (white check box) grant of WMM. Notice that this has no effect on the WM setting. The mirroring is one-way. WM influences WMM, but WMM doesn't influence WM. Remove the grant of WMM to revert to the initial settings (indirect (gray check box) denials of both WM and WMM). Click OK.

  4. To see how WMM on a folder is conveyed to the items inside the folder:

    1. Right-click the learn folder and select New Folder. Create a new folder named child.

    2. On the learn folder's Authorization tab, click Add. In the Add Users and Groups dialog box, clear the Show Groups check box. Move one restricted user (such as the SAS Demo User) to the Selected Identities list box and click OK.

    3. In the permissions list, give the user who you just added an explicit denial of WM and an explicit grant of WMM. Click OK.

      Note:   If the permissions list is disabled, the selected user is unrestricted (for example, the original SAS Administrator is unrestricted). Add a restricted user to the Authorization tab.

    4. On the child folder's Authorization tab, select the user who you added in step 4b. Notice that the denial of WM on the learn folder isn't conveyed to the child folder. Instead, the grant of WMM on the learn folder is conveyed to the child folder as an indirect grant of WM. On the child folder, the WMM setting mirrors the WM setting as usual.

  5. To see which actions each permission controls:

    1. Right-click your My Folder. Notice that actions such as New Folder and New Stored Process are available (because you have WMM) but, if you are a regular user, Rename and Delete are not (because you don't have WM).

      Note:   This is an example of a folder that is under administrative control. Certain users (or groups) can contribute items to the folder, but the folder itself is protected.

    2. Right-click the learn folder and examine its pop-up menu. Notice that the New Folder, New Stored Process, Delete, and Rename actions are all available (because you have both WM and WMM).

  6. To clean up, right-click the learn folder and select Delete. If you created a temporary user for this exercise, log on with your administrative account, delete the temporary user (on the Plug-ins tab under User Manager) and that user's associated folder (at SAS Folders > Users > <the temporary user>).
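
The rules that steps 3 through 5 demonstrate can be written as a small model. The following Python sketch is an added example, not SAS code and not the SAS authorization algorithm; the names Item, effective, can_add_to, can_edit, and can_delete are hypothetical. It assumes a single identity (no group membership or identity precedence) and an indirect denial when nothing is set at the top folder.

```python
from dataclasses import dataclass, field
from typing import Optional

GRANT, DENY = True, False

@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None               # parent folder, None at the top
    explicit: dict = field(default_factory=dict)  # e.g. {"WM": DENY, "WMM": GRANT}

def effective(item, perm):
    """Return (decision, "explicit" or "indirect") for "WM" or "WMM" on item."""
    if perm in item.explicit:
        return item.explicit[perm], "explicit"
    if perm == "WMM":
        # One-way mirroring (step 3): an unset WMM follows the item's WM.
        return effective(item, "WM")[0], "indirect"
    if item.parent is None:
        return DENY, "indirect"   # assumption: nothing is granted above the top
    # Step 4: the parent folder's WMM is conveyed to its members as WM.
    # The parent's WM setting is not conveyed.
    return effective(item.parent, "WMM")[0], "indirect"

def can_add_to(folder):
    """Add or remove child items: WMM on the folder."""
    return effective(folder, "WMM")[0]

def can_edit(item):
    """Edit, rename, or change permissions: WM on the item."""
    return effective(item, "WM")[0]

def can_delete(item):
    """Delete: WM on the item and WMM on its parent folder."""
    return (can_edit(item) and item.parent is not None
            and can_add_to(item.parent))

if __name__ == "__main__":
    # Step 4b: explicit denial of WM and explicit grant of WMM on learn.
    learn = Item("learn", Item("My Folder"), {"WM": DENY, "WMM": GRANT})
    child = Item("child", learn)
    for perm in ("WM", "WMM"):
        decision, source = effective(child, perm)
        print(child.name, perm, "grant" if decision else "deny", source)
```
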

See Also

Orientation to Working With Permissions

The Authorization Tab
