Permission Condition

Row-level security enables you to control who can access particular rows within a LASR table or a SAS data set bound to a SecuredTable object, and it is defined by data filter expressions. Row-level access distinctions can be based on a simple attribute (such as security clearance level) or on a more complex expression that consists of multiple criteria.
Row-level security affects access to subsets of data within a resource. To establish row-level security, you add constraints called permission conditions to explicit grants of the Read or Select permission. Each permission condition is attached to an explicit grant on a particular LASR table or metadata-bound data set for a particular user or group, and it constrains that grant so that the user or group can see only the rows that meet the specified condition. A condition can only narrow a grant; it never extends access beyond what the grant already allows.
When row-level security is used, there are three possible authorization decision outcomes for a user request to view data:
Denials, Grants, and Conditional Grants for Permission Conditions
  Denial: The requesting user cannot see any rows.
  Grant: The requesting user can see all rows.
  Conditional grant: The requesting user can see only those rows that meet the specified filtering conditions.
Here are some key points about how permission conditions are incorporated into the metadata-layer access control evaluation process:
  • A permission condition is applied only if it is on the setting that is closest to the requesting user. Other permission conditions that are relevant because of further-removed group memberships do not provide additional, cumulative access.
  • If there is an identity precedence tie between multiple groups at the highest level of identity precedence, those tied conditions are combined in a Boolean OR expression. If the identity precedence tie includes an unconditional grant, access is not limited by any conditions.
The following table provides examples:
Precedence for Permission Conditions
  Principle: If multiple permission conditions apply to a user because of the user's group memberships, the identity that has the highest precedence controls the outcome.
  Scenario: A condition on TableA limits Read permission for GroupA. Another condition on TableA limits Read permission for the SASUSERS group. The user is a member of both GroupA and SASUSERS.
  Outcome and explanation: The user can see only the rows that GroupA is permitted to see. GroupA has a higher level of identity precedence than SASUSERS, so the filters that are assigned to GroupA define the user's access.

  Principle: If multiple permission conditions apply at the highest level of identity precedence, any row that is allowed by any of the tied conditions is returned.
  Scenario: A condition on TableA limits Read permission for GroupA. Another condition on TableA limits Read permission for GroupB. The user is a first-level member of both GroupA and GroupB.
  Outcome and explanation: The user can see any row that is permitted for either GroupA or GroupB.
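The following Python model is an added example, not SAS code, that plays through the evaluation rules above (closest identity wins, no cumulative access from further-removed groups, tied conditions combined with OR, an unconditional grant in the tie lifting all conditions) against a small constructed table. Data filter expressions are modelled as Python predicates rather than SAS filter syntax, the numeric precedence levels are an assumption that only preserves the ordering the page describes (user, first-level groups, nested groups, SASUSERS, PUBLIC), and the handling of a denial within a tie and of a table with no applicable setting are assumptions the page does not address.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, object]
Predicate = Callable[[Row], bool]


@dataclass(frozen=True)
class Setting:
    """One explicit Read/Select setting on a table for one identity."""
    identity: str
    decision: str                          # "grant", "deny" or "conditional"
    condition: Optional[Predicate] = None  # the data filter, for "conditional"


def identity_levels(user: str, direct_groups: List[str],
                    nested_groups: List[str]) -> Dict[str, int]:
    """Map each identity the user holds to a precedence level (0 = closest).

    The level numbers are an assumption; only their order matters here.
    """
    levels = {user: 0}
    for g in direct_groups:
        levels.setdefault(g, 1)
    for g in nested_groups:
        levels.setdefault(g, 2)
    levels.setdefault("SASUSERS", 3)   # implicit group: all registered users
    levels.setdefault("PUBLIC", 4)     # implicit group: everyone
    return levels


def effective_access(settings: List[Setting],
                     levels: Dict[str, int]) -> Tuple[str, Optional[Predicate]]:
    """Resolve one user's access to one table.

    Only settings at the closest precedence level count. Tied conditions
    are OR'd; an unconditional grant in the tie removes all conditions.
    """
    applicable = [s for s in settings if s.identity in levels]
    if not applicable:
        return "deny", None   # assumption: nothing explicit in play -> no rows
    top = min(levels[s.identity] for s in applicable)
    tied = [s for s in applicable if levels[s.identity] == top]
    if any(s.decision == "deny" for s in tied):
        return "deny", None   # assumption: a denial at the deciding level wins
    if any(s.decision == "grant" for s in tied):
        return "grant", None  # unconditional grant: no filtering at all
    conditions = [s.condition for s in tied if s.condition is not None]
    return "conditional", (lambda row: any(c(row) for c in conditions))


def visible_rows(rows: List[Row], settings: List[Setting],
                 levels: Dict[str, int]) -> List[int]:
    """Return the ids of the rows the user is allowed to see."""
    decision, predicate = effective_access(settings, levels)
    if decision == "deny":
        return []
    if decision == "grant":
        return [r["id"] for r in rows]
    return [r["id"] for r in rows if predicate(r)]


# Constructed sample table (hypothetical "TableA") and settings.
TABLE_A: List[Row] = [
    {"id": 1, "region": "EMEA", "clearance": 1},
    {"id": 2, "region": "EMEA", "clearance": 3},
    {"id": 3, "region": "APAC", "clearance": 1},
    {"id": 4, "region": "AMER", "clearance": 1},
    {"id": 5, "region": "AMER", "clearance": 3},
]
GROUP_A_EMEA = Setting("GroupA", "conditional", lambda r: r["region"] == "EMEA")
GROUP_B_APAC = Setting("GroupB", "conditional", lambda r: r["region"] == "APAC")
GROUP_B_GRANT = Setting("GroupB", "grant")
SASUSERS_LOW = Setting("SASUSERS", "conditional", lambda r: r["clearance"] <= 1)


def scenario_closest_wins() -> List[int]:
    # GroupA (first level) outranks SASUSERS: its filter alone applies, so
    # row 2 is visible even though the SASUSERS filter would hide it.
    lv = identity_levels("alice", ["GroupA"], [])
    return visible_rows(TABLE_A, [GROUP_A_EMEA, SASUSERS_LOW], lv)


def scenario_nested_not_cumulative() -> List[int]:
    # GroupB is only a nested membership; its condition adds nothing.
    lv = identity_levels("alice", ["GroupA"], ["GroupB"])
    return visible_rows(TABLE_A, [GROUP_A_EMEA, GROUP_B_APAC], lv)


def scenario_tie_or() -> List[int]:
    # Both groups are first level: the two conditions are OR'd.
    lv = identity_levels("alice", ["GroupA", "GroupB"], [])
    return visible_rows(TABLE_A, [GROUP_A_EMEA, GROUP_B_APAC, SASUSERS_LOW], lv)


def scenario_tie_with_grant() -> List[int]:
    # An unconditional grant tied with a condition: no rows are filtered.
    lv = identity_levels("alice", ["GroupA", "GroupB"], [])
    return visible_rows(TABLE_A, [GROUP_A_EMEA, GROUP_B_GRANT, SASUSERS_LOW], lv)
```

The first two scenarios are the point practitioners most often get wrong: a filter on a broad group such as SASUSERS does not tighten the rows a closer group is granted, and a filter on a further-removed group does not widen them. Only the settings at the single closest level decide, so a row-level policy has to be checked per identity level, not by summing the filters a user happens to inherit.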
Last updated: February 22, 2018