
Permissions on Folders

Baseline ACTs

One approach to establishing protections on custom folders is to create a few general-use ACTs and apply one or more of those ACTs on the Authorization tab of any folder that you need to secure. To grant access back to a particular group, supplement a folder's baseline ACT settings by adding grants on that folder's Authorization tab.

The examples in this chapter use the following baseline ACTs:

Hide
    prevents visibility (for users who aren't in the SAS Administrators group).

Protect
    prevents updates, deletions, and contributions (by users who aren't in the SAS Administrators group).

LimitData
    prevents access to data through the OLAP server, information maps, and the metadata LIBNAME engine (for all restricted users).

Each ACT's name describes the effect of applying that ACT to an item that has no explicit (white check box) or ACT (green check box) settings. The following tables document the permission pattern for each of these ACTs:

The Hide ACT

| Group | Permission Pattern [1] |
|---|---|
| PUBLIC | Denial: ReadMetadata |
| SAS Administrators | Grant: ReadMetadata |
| SAS System Services | Grant: ReadMetadata |

[1] Gives SAS Administrators and service identities exclusive read access to metadata.

The Protect ACT

| Group | Permission Pattern [1] |
|---|---|
| PUBLIC | Denial: WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer |
| SAS Administrators | Grant: WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer, ReadMetadata |

[1] Gives SAS Administrators exclusive write access to metadata.

The LimitData ACT

| Group | Permission Pattern [1] |
|---|---|
| PUBLIC | Denial: Read |

[1] Prevents all restricted users from accessing data (through information maps, the OLAP server, and the metadata LIBNAME engine).

Each baseline ACT reduces a particular type of access down to a minimal level. In the Hide and Protect ACTs, the grants to SAS Administrators preserve standard administrative access so that members of that group can manage all metadata (for alternatives, see Separated Administration). In the Hide ACT, the grant to SAS System Services preserves necessary service access (the SAS Trusted User, who is a member of that group, reads certain metadata on behalf of all users). The LimitData ACT is unusual in that the pattern consists of a single setting. This chapter uses this ACT for consistency and in case at some future point you want to give a restricted user access to all data.

To create the baseline ACTs:

  1. Log on to SAS Management Console as a registered user (anyone who has a well-formed user definition). Select the Plug-ins tab.

  2. Expand Authorization Manager, right-click Access Control Templates, and select New Access Control Template.

  3. On the General tab, enter the ACT name (Protect, Hide, or LimitData).

    Note: If you previously created the Protect ACT to protect server definitions, just verify that the pattern on that ACT is correct.

  4. On the Permission Pattern tab, define the settings this ACT will provide:

    1. Click Add. In the Add Users and Groups dialog box, clear the Show Users check box. Move PUBLIC and any other participating identities (SAS Administrators and SAS System Services) to the Selected Identities list box. Click OK.

    2. On the Permission Pattern tab, define explicit (white check box) settings as specified in the preceding tables. Remove the automatically created grants of ReadMetadata permission except as specified.

      Note: Make sure you are on the Permission Pattern tab and not the Authorization tab.

  5. On the Authorization tab, protect the ACT that you are creating. Either apply the Protect ACT or add explicit (white check box) settings that deny WriteMetadata permission to PUBLIC and grant WriteMetadata permission to the SAS Administrators group.

    Note: If the Users and Groups list box on the ACT's Authorization tab is empty, click OK to save the ACT. Then, right-click the new ACT, select Properties, and select the Authorization tab again.

  6. Click OK. Repeat until you have created all three baseline ACTs.
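
One way to verify that a finished ACT's pattern matches the preceding tables (step 3's note and step 4) is to compare a transcription of its Permission Pattern tab against the documented baseline. The following Python is an added example, not SAS code or part of the original documentation; the dictionary format, the `audit_act` function, and the sample input are assumptions made for illustration.

```python
# Expected patterns, transcribed from the Hide, Protect, and LimitData tables.
WRITE_SET = {"WriteMetadata", "WriteMemberMetadata", "CheckInMetadata",
             "Write", "Administer"}
BASELINE = {
    "Hide": {
        ("PUBLIC", "Denial"): {"ReadMetadata"},
        ("SAS Administrators", "Grant"): {"ReadMetadata"},
        ("SAS System Services", "Grant"): {"ReadMetadata"},
    },
    "Protect": {
        ("PUBLIC", "Denial"): set(WRITE_SET),
        ("SAS Administrators", "Grant"): WRITE_SET | {"ReadMetadata"},
    },
    "LimitData": {("PUBLIC", "Denial"): {"Read"}},
}


def audit_act(name, observed):
    """Return findings for one ACT; an empty list means the pattern matches.

    `observed` is a hypothetical transcription of the Permission Pattern tab:
    {(identity, "Grant" or "Denial"): set of permission names}.
    """
    expected = BASELINE[name]
    findings = []
    for identity, effect in sorted(set(expected) | set(observed)):
        want = expected.get((identity, effect), set())
        have = observed.get((identity, effect), set())
        for perm in sorted(want - have):
            findings.append(f"{name}: missing {effect} of {perm} for {identity}")
        for perm in sorted(have - want):
            findings.append(f"{name}: unexpected {effect} of {perm} for {identity}")
    # The same permission both granted and denied to one identity is a conflict.
    for identity in sorted({i for i, _ in observed}):
        both = (observed.get((identity, "Grant"), set())
                & observed.get((identity, "Denial"), set()))
        for perm in sorted(both):
            findings.append(f"{name}: conflicting Grant and Denial of {perm} for {identity}")
    return findings


# Constructed sample: a Protect ACT where the automatically created ReadMetadata
# grant to PUBLIC was left in place and the Administer denial was omitted.
SAMPLE_PROTECT = {
    ("PUBLIC", "Denial"): WRITE_SET - {"Administer"},
    ("PUBLIC", "Grant"): {"ReadMetadata"},
    ("SAS Administrators", "Grant"): WRITE_SET | {"ReadMetadata"},
}

if __name__ == "__main__":
    print("\n".join(audit_act("Protect", SAMPLE_PROTECT)) or "pattern matches")
```
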

See Also

Demonstration: Departmental and Project Separation

Further Considerations for Permissions on Folders

Use and Enforcement of Each Permission

Key Points About the Baseline ACT Approach

Protecting Server Definitions
