Example: Business Unit Separation

This example creates a secured custom branch with mutually exclusive access for two divisions. In this example, the project level folders are for only organizational purposes (there are no access distinctions at the project level). The following figure depicts a partial group and folder structure.
Group and Folder Structure
Group and Folder Structure
The following table lists the protections for the first four folders in the branch:
Mutually Exclusive Access
Folder
Direct Controls
ACTs
Explicit Grants
icon DemoBranch
icon Protect
icon LimitData
icon DivisionA
icon Hide
icon GroupA: +RM, +R
icon Project1
icon GroupA: +WMM
icon Project2
icon GroupA: +WMM
Here are some details about this example:
  • ReadMetadata permission flows into the DemoBranch from its parent folder. In all of the examples in this chapter, the immediate parent to the DemoBranch is visible to all registered users (SASUSERS). This is a standard setting. Unless you apply the Hide ACT to the top of your custom branch, the SASUSERS grant of ReadMetadata permission flows into your branch.
  • The ability to create, manage, and delete content is shut off at the top (by the Protect ACT on the DemoBranch). This constraint flows throughout the tree (except where you add supplemental grants of WriteMemberMetadata permission to specific functional groups on specific folders). Users don't add content or access data in the DemoBranch, so no supplemental grants are needed on that folder.
  • Because you want to prevent members of GroupB from seeing the DivisionA branch, you apply the Hide ACT on that branch. You then add supplemental grants for GroupA to restore their access.
  • On DivisionA's project folders, you apply the Protect ACT to override GroupA's inherited grant of WriteMetadata permission (GroupA's grant of WriteMemberMetadata permission on DivisionA becomes an inherited grant of WriteMetadata permission on the immediate children of DivisionA). This prevents members of GroupA from renaming, deleting, or changing permissions on each project folder. You then add a supplemental grant of WriteMemberMetadata permission so that members of GroupA can contribute content in the project folders.
  • On DivisionA's project folders, you don't apply the Hide ACT, because the ReadMetadata access that flows in from the DivisionA folder is appropriate. In this example, the requirement is that all members of GroupA should be able to access content throughout the DivsionA branch.
  • Notice that it isn't necessary to use separate folders for each type of object.
  • Any content contributors who register cubes must have WriteMetadata permission on the OLAP schema icon. By default, the schema is in the SAS Folders/Shared Data/SASApp - OLAP Schema folder.