About Authorization

The authorization process applies access controls to authenticated users. After a user successfully authenticates, the DataFlux Data Management Server queries the SAS Metadata Server for the group membership information of the authenticated user. The DataFlux Data Management Server applies user and group membership information to its locally defined authorizations to allow or deny access to jobs, services, and commands.

The authorization types that are available on the DataFlux Data Management Server consist of access control entries, access control by IP address, and access control by ALLOW and DENY groups.

The DataFlux Data Management Server checks a user’s authorizations in the following sequence:

If a user is a member of the administrators group, the DENY group, or the ALLOW group, then access is granted or denied and no further authorization takes place.

Members of the administrators group and the ALLOW group are granted access to all DataFlux Data Management Server commands and objects.

After group memberships are compared against the access controls entries the DataFlux Data Management Server determines whether the following command permissions are set for the user:

Group permissions are handled in accordance with the group's membership hierarchy. For example, a user can be a member of groups G1 and G2. Group G1 is a member of group G3. So, G1 and G2 are one step away from the user, and G3 is two steps away from the user. The authorization process looks at permissions on all group sets in an increasing order of steps from the user. If a command permission can be determined from the groups that are one step from the user, then the DataFlux Data Management Server will not look further.

When the server looks at a set of groups that are the same distance from the user, if any group has the DENY permission, then the user is denied access. Otherwise, if any group has the ALLOW permission, then the authorization process checks the access control entriess. If there are no access control entries, then the user receives access. If permissions are not set for any group, or the permission is set to INHERIT, then the authorization checks move to the set of groups one step farther from the user.

If access rights cannot be determined after going through the groups to which the user is a member, then the next group whose permissions are checked is the USERS group. All users that have definitions on the SAS Metadata Server belong to the USERS group. Administrators can set command permissions for the USERS group and use that group in access control entries in the same manner as any other group.

If access rights have not been determined, based on command permissions, the last step in the authorization process is to check whether permissions are set for the PUBLIC group. The PUBLIC group includes all users who are not registered on the SAS Metadata Server. If the permission is ALLOW, then the authorization process checks the access control entries. Otherwise, the user is granted access. If the permission is DENY, INHERIT, or is not set, then the user is denied access.

If neither the user, nor the user’s groups, the USERS group, or the PUBLIC group have permission set, then the DataFlux Data Management Server denies access without checking the access control entries. This means that the DataFlux Data Management Server requires a specific command permission before the Data Management Server will look at the access control entries of an individual object.

Authorization checks of access control entries (ACEs) begin by determining if the user is the owner of the object. If the user is the owner, then the user is granted access to the object. If the object is owned by a group, the user must be a direct or indirect member of that group to be granted access to the object.

Next, the authorization check searches the ACEs. If ALLOW or DENY permissions are not found for the requesting user, then the ACEs are checked for groups of which the user is a member.

If the ACEs do not grant the user access to the corresponding job or service, the user is denied access.