
SAS(R) 9.2 Intelligence Platform: Security Administration Guide


Permissions on Folders

Variation 1: Add Subgroups, Designate Content Creators

This example eliminates the project folders and introduces the following requirements:

  • Regional employees see only content for their region.

  • A central group of managers sees all content.

  • A central group of content creators creates all content.

The following figure depicts the folder and group structure.

[Figure: Variation 1: Folder and Group Structure]

The following table lists the protections for the first four folders:

Variation 1a: Permission Settings

| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect; LimitData | |
| DivisionA | Hide | GroupA: +RM; ContentCreators: +RM; Managers: +RM |
| RegionA1 | Hide | RegionA1: +RM, +R; ContentCreators: +RM, +R, +WMM; Managers: +RM, +R |
| RegionA2 | Hide | RegionA2: +RM, +R; ContentCreators: +RM, +R, +WMM; Managers: +RM, +R |

Notice that you are repeating many of the same explicit settings on each region, and that this will be the case throughout the DemoBranch. For greater efficiency and more centralized control, create a custom ACT (called RegionLevel) that provides the supplemental grants for your content creators (RM, R, WMM) and your managers (RM, R). Remember to protect the ACT itself as explained in step five in Baseline ACTs.

The following table lists the protections for the first four folders:

Variation 1b: Permission Settings (use a supplemental ACT)

| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect; LimitData | |
| DivisionA | Hide | GroupA: +RM; ContentCreators: +RM; Managers: +RM |
| RegionA1 | Hide | RegionA1: +RM, +R; RegionLevel |
| RegionA2 | Hide | RegionA2: +RM, +R; RegionLevel |

If you decide to offer content at the division level and you want that content to be available to only managers, you might make these changes:

  • Create a DivisionLevel ACT with grants for Managers (RM, R) and ContentCreators (RM, R, WMM). Apply that ACT to each division folder.

    Note: This is the same pattern that you use for the RegionLevel ACT, so you could instead simply use that ACT. In this example, you choose to create a separate ACT because you anticipate that the requirements for division-level access and region-level access might diverge in the future.

  • Apply the Protect ACT on each region folder (to take away the inherited grant of WriteMetadata permission that content contributors inherit from their division-level grant of WriteMemberMetadata permission).

    Note: If you choose to not do this, members of the content creators group can delete, rename, or change permissions for the region folders.

The following table lists the protections for the first four folders:

Variation 1c: Permission Settings (support division-level content)

| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect; LimitData | |
| DivisionA | Hide | GroupA: +RM; DivisionLevel |
| RegionA1 | Hide; Protect | RegionA1: +RM, +R; RegionLevel |
| RegionA2 | Hide; Protect | RegionA2: +RM, +R; RegionLevel |
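
The following added example (not part of the SAS guide and not SAS code) audits a folder plan for the gap that the Protect step closes: a group that holds WMM on a parent folder reaches a child folder with inherited WM unless the child carries the Protect ACT. The dictionary layout and function names are hypothetical, the data is a constructed model of the Variation 1c table, and the check looks only at the immediate parent rather than reproducing the metadata server's full authorization evaluation.

```python
import copy

# ACT contents as stated on the page; baseline ACTs (Hide, Protect, LimitData)
# are referenced by name only because the page does not list their grants.
ACTS = {
    "DivisionLevel": {"Managers": {"RM", "R"}, "ContentCreators": {"RM", "R", "WMM"}},
    "RegionLevel": {"Managers": {"RM", "R"}, "ContentCreators": {"RM", "R", "WMM"}},
}

# Constructed model of the Variation 1c table: parent, applied ACTs, explicit grants.
VARIATION_1C = {
    "DemoBranch": {"parent": None, "acts": ["Protect", "LimitData"], "grants": {}},
    "DivisionA": {"parent": "DemoBranch", "acts": ["Hide", "DivisionLevel"],
                  "grants": {"GroupA": {"RM"}}},
    "RegionA1": {"parent": "DivisionA", "acts": ["Hide", "Protect", "RegionLevel"],
                 "grants": {"RegionA1": {"RM", "R"}}},
    "RegionA2": {"parent": "DivisionA", "acts": ["Hide", "Protect", "RegionLevel"],
                 "grants": {"RegionA2": {"RM", "R"}}},
}

def wmm_holders(folders, name):
    """Groups granted WMM on a folder, by explicit grant or by a supplemental ACT."""
    holders = {g for g, perms in folders[name]["grants"].items() if "WMM" in perms}
    for act in folders[name]["acts"]:
        holders |= {g for g, perms in ACTS.get(act, {}).items() if "WMM" in perms}
    return holders

def inherited_wm_findings(folders):
    """(child, group) pairs where a parent's WMM reaches the child as WM unblocked."""
    findings = []
    for name, spec in folders.items():
        if spec["parent"] is None or "Protect" in spec["acts"]:
            continue  # root folder, or Protect takes the inherited WM away
        findings += [(name, g) for g in wmm_holders(folders, spec["parent"])]
    return sorted(findings)

def without_act(folders, name, act):
    """Copy of the model with one ACT removed from one folder (a what-if variant)."""
    variant = copy.deepcopy(folders)
    variant[name]["acts"].remove(act)
    return variant

if __name__ == "__main__":
    print("1c as documented:", inherited_wm_findings(VARIATION_1C))
    print("RegionA2 missing Protect:",
          inherited_wm_findings(without_act(VARIATION_1C, "RegionA2", "Protect")))
```

The same check returns no findings for Variation 1b, where ContentCreators hold only RM on DivisionA, which is why the region folders there do not need Protect.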

See Also

Use and Enforcement of Each Permission
