The platform provides a proprietary, metadata-based authorization layer that supplements protections from the host environment and other systems. You can use the metadata authorization layer to manage access to almost any metadata object (for example, reports, data definitions, information maps, jobs, stored processes, and server definitions).
Across authorization layers, protections are cumulative. In order to perform a task, a user must have sufficient access in all applicable layers.
In the metadata layer, the following permissions are always enforced:
- the ReadMetadata permission (RM), which controls the ability to see an object
- the WriteMetadata permission (WM), which controls the ability to update or delete an object
Other permissions are specialized and affect only certain types of objects.
CAUTION:
In the metadata authorization layer, not all permissions are enforced for all items.
It is essential to understand which actions are controlled by each permission.
CAUTION:
Some clients enable power users to create and run SAS programs that access data directly, bypassing metadata-layer controls.
It is essential to manage physical layer access in addition to metadata-layer controls. For example, use host operating system protections to limit access to any sensitive SAS data sets.
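
One way to check the physical layer described in the caution above, as an added example that is not part of the original documentation: a host-side audit that reports SAS data set files reachable without any metadata permission. It assumes a POSIX host and the standard .sas7bdat and .sas7bndx file extensions; the function name and the allowed_gids parameter are hypothetical.

```python
import os
import stat
import sys

SAS_EXTENSIONS = (".sas7bdat", ".sas7bndx")  # SAS data sets and their indexes


def audit_sas_library(root, allowed_gids=()):
    """Return (path, reason) pairs for SAS data files that host users outside
    the intended owner and groups can reach without any metadata permission."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        # Without the sticky bit, a world-writable directory lets any host
        # user delete or replace the tables stored in it.
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            findings.append((dirpath, "directory writable by all host users"))
        for name in sorted(filenames):
            if not name.lower().endswith(SAS_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow links silently
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symbolic link, audit its target"))
                continue
            if st.st_mode & stat.S_IROTH:
                findings.append((path, "readable by all host users"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "writable by all host users"))
            # Group access is acceptable only for groups approved for this
            # library (allowed_gids is a hypothetical, site-supplied list).
            group_bits = st.st_mode & (stat.S_IRGRP | stat.S_IWGRP)
            if group_bits and allowed_gids and st.st_gid not in allowed_gids:
                findings.append((path, "group access for unapproved gid %d" % st.st_gid))
    return findings


if __name__ == "__main__":
    # Usage: python audit_sas_library.py /path/to/library [approved_gid ...]
    for path, reason in audit_sas_library(sys.argv[1], {int(g) for g in sys.argv[2:]}):
        print("%s: %s" % (path, reason))
```

An empty result means only that the file mode bits are restrictive; ACLs and the permissions of parent directories still need a separate review.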