Baseline ACTs

One approach to setting permissions on folders is to create a few general-use ACTs, and apply one or more of those ACTs to each folder that you need to secure. To grant access back to a particular group, supplement the ACT settings by adding explicit controls on the target folder. The examples in this chapter use three general-purpose ACTs. Each ACT reduces a particular type of access down to a minimal level, so this chapter refers to these ACTs as baseline ACTs.
Hide
gives SAS Administrators and service identities exclusive Read access to metadata (limits visibility).

Example: Pattern for the Hide ACT

| Group | Permission Pattern |
|---|---|
| PUBLIC | Deny: ReadMetadata |
| SAS Administrators | Grant: ReadMetadata [1] |
| SAS System Services | Grant: ReadMetadata [2] |

[1] This grant ensures that administrators can manage all metadata (for alternatives, see Separated Administration).
[2] This grant ensures that the SAS Trusted User (who is a member of SAS System Services) can read certain metadata on behalf of all users.

Protect
gives SAS Administrators exclusive Write access to metadata (limits updates, deletions, and contributions).

Example: Pattern for the Protect ACT

| Group | Permission Pattern |
|---|---|
| PUBLIC | Deny: WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer |
| SAS Administrators | Grant: WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer, ReadMetadata [1] |

[1] These grants ensure that administrators can manage all metadata (for alternatives, see Separated Administration).

LimitData
gives unrestricted users exclusive access to data (limits the availability of data that is accessed through information maps, the OLAP server, or the metadata LIBNAME engine).

Example: Pattern for the LimitData ACT

| Group | Permission Pattern [1] |
|---|---|
| PUBLIC | Deny: Read |

[1] This pattern is unusual in that it consists of a single setting. In the future, you might use this ACT to give a restricted user access to all data.

CAUTION:
Relational data that is accessed through other methods is unaffected by the Read permission.
Do not rely exclusively on the metadata authorization layer to protect relational data. Use host-layer protections also. See Host Access to SAS Tables.
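
The following sketch is an added example, not SAS code and not part of the original documentation. It models the three baseline patterns in Python and resolves one permission for one user from a folder's direct controls, showing how an explicit grant gives access back to a group. Assumptions: a simplified precedence rule (directly named groups outrank PUBLIC, an explicit control outranks an ACT setting, a Deny beats a Grant within a tier), and the hypothetical Report Users group and function names.

```python
# Added illustration, not SAS code: a simplified model of the baseline ACT patterns.
WRITE = ["WriteMetadata", "WriteMemberMetadata", "CheckInMetadata", "Write", "Administer"]
ACTS = {
    "Hide": {
        "PUBLIC": {"ReadMetadata": "Deny"},
        "SAS Administrators": {"ReadMetadata": "Grant"},
        "SAS System Services": {"ReadMetadata": "Grant"},
    },
    "Protect": {
        "PUBLIC": {p: "Deny" for p in WRITE},
        "SAS Administrators": {p: "Grant" for p in WRITE + ["ReadMetadata"]},
    },
    "LimitData": {"PUBLIC": {"Read": "Deny"}},
}


def _settle(settings):
    """Within one identity tier, a Deny beats a Grant (assumed rule)."""
    if not settings:
        return None
    return "Deny" if "Deny" in settings else "Grant"


def effective(groups, applied_acts, explicit, permission, unrestricted=False):
    """Resolve one permission on one folder from its direct controls only.

    groups: groups the user belongs to directly (PUBLIC is implied).
    applied_acts: names of the baseline ACTs applied to the folder.
    explicit: {group: {permission: "Grant" | "Deny"}} set on the folder itself.
    Returns "Grant", "Deny", or None when no direct control applies.
    """
    if unrestricted:
        return "Grant"  # unrestricted users bypass metadata-layer denials
    for tier in (set(groups), {"PUBLIC"}):  # named groups outrank PUBLIC
        exp = [explicit[g][permission] for g in tier
               if permission in explicit.get(g, {})]
        act = [ACTS[a][g][permission] for a in applied_acts for g in tier
               if permission in ACTS[a].get(g, {})]
        decision = _settle(exp) or _settle(act)  # explicit outranks ACT
        if decision:
            return decision
    return None  # no direct control; inherited settings would decide


# Constructed scenario: a folder with Hide and Protect applied, plus an explicit
# grant that gives visibility back to the hypothetical "Report Users" group.
FOLDER_ACTS = ["Hide", "Protect"]
FOLDER_EXPLICIT = {"Report Users": {"ReadMetadata": "Grant"}}
```

The model covers only the metadata authorization layer, so a Deny returned for Read says nothing about host-layer access to the underlying tables.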