Group permissions are handled in accordance with the group's membership hierarchy. For example, a user can be a member of groups G1 and G2, and group G1 can be a member of group G3. G1 and G2 are then one step away from the user, and G3 is two steps away from the user. The authorization process looks at permissions on all group sets in increasing order of steps from the user. If a command permission can be determined from the groups that are one step from the user, then the DataFlux Data Management Server will not look further. When the server looks at a set of groups that are the same distance from the user, if any group has the DENY permission, then the user is denied access. Otherwise, if any group has the ALLOW permission, then the authorization process checks the access control entries; if there are no access control entries, then the user receives access. If permissions are not set for any group in the set, or the permission is set to INHERIT, then the authorization check moves to the set of groups one step farther from the user.
If access rights cannot be determined after going through the groups of which the user is a member, then the next group whose permissions are checked is the USERS group. All users that have definitions on the SAS Metadata Server belong to the USERS group. Administrators can set command permissions for the USERS group and use that group in access control entries in the same manner as any other group.
If access rights have not been determined based on command permissions, the last step in the authorization process is to check whether permissions are set for the PUBLIC group. The PUBLIC group includes all users who are not registered on the SAS Metadata Server. If the permission is ALLOW, then the authorization process checks the access control entries; if there are none, the user is granted access. If the permission is DENY, INHERIT, or is not set, then the user is denied access.
If neither the user, the user's groups, the USERS group, nor the PUBLIC group has a permission set, then the DataFlux Data Management Server denies access without checking the access control entries. This means that the DataFlux Data Management Server requires a specific command permission before it will look at the access control entries of an individual object.
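The following is an added model of the evaluation order described above (the group walk by distance, DENY winning over ALLOW within one distance, INHERIT and unset permissions deferring to the next step, then USERS, then PUBLIC, then default deny). It is example code written for this page, not the DataFlux Data Management Server's own implementation. The data representation (a membership map and a principal-to-permission map), the treatment of the user's own permission as the zero-step set, and the rule applied when an object does have access control entries are assumptions; the page only states that an object with no entries grants access once a command permission is ALLOW.

```python
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

ALLOW, DENY, INHERIT = "ALLOW", "DENY", "INHERIT"

# Assumed representation (not the product's data model):
#   membership: principal -> groups it belongs to directly; USERS and PUBLIC are
#               not listed because the server derives them from registration
#   perms:      principal -> ALLOW | DENY | INHERIT (absent means "not set")
#   aces:       (principal, ALLOW | DENY) entries on one object
Membership = Dict[str, List[str]]
Perms = Dict[str, str]
Ace = Tuple[str, str]


def groups_by_distance(user: str, membership: Membership) -> List[Set[str]]:
    """Breadth-first walk of the membership hierarchy.

    Element 0 holds the groups one step from the user, element 1 those two
    steps away, and so on. A group is recorded at its shortest distance only,
    which also makes the walk terminate on cyclic memberships.
    """
    levels: List[Set[str]] = []
    seen: Set[str] = set()
    frontier = set(membership.get(user, []))
    while True:
        frontier -= seen
        if not frontier:
            return levels
        levels.append(frontier)
        seen |= frontier
        next_frontier: Set[str] = set()
        for group in frontier:
            next_frontier.update(membership.get(group, []))
        frontier = next_frontier


def same_distance_rule(groups: Iterable[str], perms: Perms) -> Optional[str]:
    """Rule for one set of equally distant groups: any DENY denies, otherwise
    any ALLOW allows, otherwise (all unset or INHERIT) look one step farther."""
    settings = {perms.get(g, INHERIT) for g in groups}
    if DENY in settings:
        return DENY
    if ALLOW in settings:
        return ALLOW
    return None


def default_ace_check(user: str, principals: Set[str], aces: List[Ace]) -> bool:
    """Assumed ACE semantics for this example. The page states only that an
    object with no entries grants access; when entries exist we assume a DENY
    naming the user or one of the user's groups refuses access, otherwise an
    ALLOW naming one of them grants it, otherwise access is refused."""
    if not aces:
        return True
    relevant = [(p, v) for p, v in aces if p in principals]
    if any(v == DENY for _, v in relevant):
        return False
    return any(v == ALLOW for _, v in relevant)


def authorize(user: str, registered: Set[str], membership: Membership,
              perms: Perms, aces: List[Ace],
              ace_check: Callable[[str, Set[str], List[Ace]], bool] = default_ace_check) -> bool:
    """Return True if the command is allowed for `user` on an object with `aces`."""
    levels = groups_by_distance(user, membership)
    principals = {user}.union(*levels) if levels else {user}
    principals.add("USERS" if user in registered else "PUBLIC")

    # Step 1: the user's own permission (assumed to act as the zero-step set),
    # then each set of groups at increasing distance from the user.
    for group_set in [{user}] + levels:
        verdict = same_distance_rule(group_set, perms)
        if verdict == DENY:
            return False
        if verdict == ALLOW:
            return ace_check(user, principals, aces)

    # Step 2: the USERS group, to which every registered user belongs.
    if user in registered:
        verdict = same_distance_rule({"USERS"}, perms)
        if verdict == DENY:
            return False
        if verdict == ALLOW:
            return ace_check(user, principals, aces)

    # Step 3: the PUBLIC group. Only an explicit ALLOW reaches the ACEs;
    # DENY, INHERIT or unset denies, so the default outcome is deny.
    if perms.get("PUBLIC") == ALLOW:
        return ace_check(user, principals, aces)
    return False


# Constructed sample mirroring the page's example: alice is in G1 and G2,
# G1 is in G3; bob has no group memberships and is not registered.
MEMBERSHIP: Membership = {"alice": ["G1", "G2"], "G1": ["G3"], "bob": []}
REGISTERED: Set[str] = {"alice"}


def demo() -> Dict[str, bool]:
    """Scenarios from the text; each key names the rule being exercised."""
    return {
        "two_steps_allow": authorize("alice", REGISTERED, MEMBERSHIP, {"G3": ALLOW}, []),
        "deny_beats_allow_same_step": authorize("alice", REGISTERED, MEMBERSHIP, {"G1": ALLOW, "G2": DENY}, []),
        "inherit_defers_to_next_step": authorize("alice", REGISTERED, MEMBERSHIP, {"G1": INHERIT, "G3": DENY}, []),
        "users_group_fallback": authorize("alice", REGISTERED, MEMBERSHIP, {"USERS": ALLOW}, []),
        "unregistered_public_allow": authorize("bob", REGISTERED, MEMBERSHIP, {"PUBLIC": ALLOW}, []),
        "unregistered_public_inherit": authorize("bob", REGISTERED, MEMBERSHIP, {"PUBLIC": INHERIT}, []),
        "nothing_set_default_deny": authorize("alice", REGISTERED, MEMBERSHIP, {}, [("alice", ALLOW)]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ALLOW' if result else 'DENY'}")
```

The last scenario shows the point the section closes on: an ACE granting the user access on the object is never consulted, because no command permission was set anywhere along the chain.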