Icons in Access Management
How are Direct Controls Indicated?
The main displays of
effective permissions on the Authorization page
use the following icons to provide immediate information about the
source of each setting.
|
Icon
|
Term
|
Meaning
|
|---|---|---|
 |
Direct
control: Explicit
|
The direct access control
is set on the current object and specifically assigned to the selected
identity.
|
 |
Direct
control: ACT
|
The direct access control
comes from an applied access control template (ACT) whose pattern
specifically assigns the grant or deny to the selected identity.
|
|
(none)
|
Indirect setting
|
The setting comes from
someone else (a group that has a direct control), somewhere else (a
parent object or the repository ACT), or special status (such as
unrestricted). For the WriteMemberMetadata permission, indirect means
that the setting mirrors the WriteMetadata setting.
|
Tip
The explicit and ACT indicator
icons correspond to the white and green colors on the Authorization window
in SAS Environment Manager. As in SAS Environment Manager, if both
an explicit control and an applied ACT setting are present, only the
explicit indicator is displayed.
|
Icon
|
Meaning
|
|---|---|
 |
Deny from an explicit
control
|
|
|
Deny from an applied
ACT
|
|
|
Deny from an indirect
source (such as a parent group or parent object)
|
 |
Grant from an explicit
control
|
|
|
Grant from an applied
ACT
|
|
|
Grant from an indirect
source (such as a parent group or parent object)
|
Tip
For additional details about
the source of a setting, use the permission origins feature.
What Does a Blank Cell in an ACT Pattern Mean?
The display of an ACT’s
pattern is limited as follows:
-
An ACT’s pattern includes only those identities that have pattern settings. For this reason, the table on an ACT’s Authorization
Basic tab usually includes
only a few groups. Not all users and groups are listed.
-
An ACT’s pattern consists of only those settings that are explicitly defined in the pattern. For this reason, the table on an ACT’s AuthorizationBasic tab usually has grants or denies in only a few cells.
The other cells are blank.
Note: This differs from the display in SAS Environment Manager, where the net effect of the pattern is displayed along with the pattern settings.
For each blank cell
and each unlisted identity, the net effect of the pattern is determined
by the closest pattern setting. Each identity’s group memberships
determine which setting is closest. The precedence order is as follows:
-
The identity’s direct group membership have the highest precedence.
-
The identity’s nested group memberships are next, with each successive level of nesting having lower precedence than the preceding level. Nested memberships are a consideration only if the identity is a member of a group that is in turn a member of another group.
-
The identity’s automatic membership in the SASUSERS implicit group is next, unless the identity is a user who is not properly registered in the metadata. This group includes all registered users. For example, most users get their repository-level access through grants to SASUSERS in the default ACT’s pattern.
-
The identity’s automatic membership in the PUBLIC implicit group is last. PUBLIC is a superset of SASUSERS. PUBLIC includes everyone that can connect to the metadata server, regardless of whether they are registered users. Because PUBLIC is the broadest group, denies are usually assigned to it.
If an identity has conflicting
pattern settings at the same level of precedence, the net effect of
those settings is a deny. If there are no pattern settings that are
relevant for an identity, the ACT has no effect on that identity.
Copyright © SAS Institute Inc. All rights reserved.