Metadata-Based Authorization

The platform provides a proprietary, metadata-based authorization layer that supplements protections from the host environment and other systems. You can use this layer to manage access to almost any metadata object (for example, reports, data definitions, information maps, jobs, stored processes, and server definitions).
Across authorization layers, protections are cumulative. In order to perform a task, a user must have sufficient access in all applicable layers.
In the metadata layer, the following permissions are always enforced:
  • the ReadMetadata permission (RM), which controls the ability to see an object
  • the WriteMetadata permission (WM), which controls the ability to update or delete an object
Other permissions are specialized and affect only certain types of objects.
CAUTION:
In the metadata authorization layer, not all permissions are enforced for all items.
It is essential to understand which actions are controlled by each permission.
CAUTION:
Some clients enable power users to create and run SAS programs that access data directly, bypassing metadata-layer controls.
It is essential to manage physical layer access in addition to metadata-layer controls. For example, use host operating system protections to limit access to any sensitive SAS data sets.
For more information, see Authorization Model.