Baseline ACTs
One approach to setting permissions
on folders is to create a few general-use ACTs, and apply one or more
of those ACTs to each folder that you need to secure. To grant access
back to a particular group, supplement the ACT settings by adding
explicit controls on the target folder. The examples in this chapter
use three general-purpose ACTs. Each ACT reduces a particular type
of access down to a minimal level, so this chapter refers to these
ACTs as baseline ACTs.
gives SAS Administrators
and service identities exclusive Read access to metadata (limits visibility).
Example: Pattern for the Hide ACT
|
ReadMetadata1
|
||
|
ReadMetadata2
|
||
| 1This grant ensures that administrators can manage all metadata (for alternatives, see Separated Administration). | ||
| 2This grant ensures that the SAS Trusted User (who is a member of SAS System Services) can read certain metadata on behalf of all users. | ||
gives SAS Administrators
exclusive Write access to metadata (limits updates, deletions, and
contributions).
Example: Pattern for the Protect ACT
|
WriteMetadata, WriteMemberMetadata,
CheckInMetadata, Write, Administer, ReadMetadata1
|
||
| 1These grants ensure that administrators can manage all metadata (for alternatives, see Separated Administration). | ||
gives unrestricted
users exclusive access to data (limits the availability of data that
is accessed through information maps, the OLAP server, or the metadata
LIBNAME engine).
Example: Pattern for the LimitData ACT
|
Permission Pattern1
|
||
|---|---|---|
| 1This pattern is unusual in that it consists of a single setting. In the future, you might use this ACT to give a restricted user access to all data. | ||
CAUTION:
Relational
data that is accessed through other methods is unaffected by the Read
permission.
Do not rely exclusively
on the metadata authorization layer to protect relational data. Use
host-layer protections also. See Host Access to SAS Tables.