Icons in Access Management

How are Denials, Grants, and Conditional Grants Indicated?

Denials, Grants, and Conditional Grants

| Icon | Meaning |
| --- | --- |
| deny icon | Denial |
| grant icon | Grant |
| conditional grant icon | Conditional grant (a grant that is constrained by a permission condition). This icon applies only to fine-grained access controls for data (member-level permissions and row-level permissions). |

How are Direct Controls Indicated?

The main displays of effective permissions (Authorization > Basic tab) use the following icons to provide immediate information about the source of each setting.
Direct Access Controls

| Icon | Term | Meaning |
| --- | --- | --- |
| explicit indicator | Direct control: Explicit | The direct access control is set on the current object and specifically assigned to the selected identity. |
| ACT icon | Direct control: ACT | The direct access control comes from an applied access control template (ACT) whose pattern specifically assigns the grant or denial to the selected identity. |
| (none) | Indirect setting | The setting comes from someone else (a group that has a direct control), somewhere else (a parent object or the repository ACT), or special status (such as unrestricted). For the WriteMemberMetadata permission, indirect means that the setting mirrors the WriteMetadata setting. |

Tip
The explicit and ACT indicator icons correspond to the white and green colors on the Authorization window in SAS Environment Manager. As in SAS Environment Manager, if both an explicit control and an applied ACT setting are present, only the explicit indicator is displayed.

Icon Combinations in the Main Authorization Displays

| Icon | Meaning |
| --- | --- |
| denial icon + explicit indicator icon | Denial from an explicit control |
| denial icon + direct ACT indicator icon | Denial from an applied ACT |
| denial icon | Denial from an indirect source (such as a parent group or parent object) |
| grant icon + explicit indicator icon | Grant from an explicit control |
| grant icon + direct ACT indicator icon | Grant from an applied ACT |
| grant icon | Grant from an indirect source (such as a parent group or parent object) |
| conditional grant icon + explicit indicator icon | Conditional grant from an explicit control |
| conditional grant icon | Conditional grant from an indirect source (a parent group) |

Tip
For additional details about the source of a setting, use the permission origins feature.

What Does a Blank Cell in an ACT Pattern Mean?

The display of an ACT’s pattern is limited as follows:
  • An ACT’s pattern includes only those identities that have pattern settings. For this reason, the table on an ACT’s Authorization > Basic tab usually includes only a few groups. Not all users and groups are listed.
  • An ACT’s pattern consists of only those settings that are explicitly defined in the pattern. For this reason, the table on an ACT’s Authorization > Basic tab usually has grants or denials in only a few cells. The other cells are blank.
    Note: This differs from the display in SAS Environment Manager, where the net effect of the pattern is displayed along with the pattern settings.
For each blank cell and each unlisted identity, the net effect of the pattern is determined by the closest pattern setting. Each identity’s group memberships determine which setting is closest. The precedence order is as follows:
  1. The identity’s direct group memberships have the highest precedence.
  2. The identity’s nested group memberships are next, with each successive level of nesting having lower precedence than the preceding level. Nested memberships are a consideration only if the identity is a member of a group that is in turn a member of another group.
  3. The identity’s automatic membership in the SASUSERS implicit group is next, unless the identity is a user who is not properly registered in the metadata. This group includes all registered users. For example, most users get their repository-level access through grants to SASUSERS in the default ACT’s pattern.
  4. The identity’s automatic membership in the PUBLIC implicit group is last. PUBLIC is a superset of SASUSERS. PUBLIC includes everyone that can connect to the metadata server, regardless of whether they are registered users. Because PUBLIC is the broadest group, denials are usually assigned to it.
If an identity has conflicting pattern settings at the same level of precedence, the net effect of those settings is a denial. If there are no pattern settings that are relevant for an identity, the ACT has no effect on that identity.
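
The precedence rules above can be checked against a small model. The following Python sketch is an added example, not SAS code or a SAS API: the group names, the membership map, and the pattern are constructed sample data, and the functions precedence_levels and net_effect are hypothetical helpers that apply the four precedence levels and the conflict rule to one identity and one permission.

```python
# Added illustration (not SAS code): net effect of an ACT pattern for one identity.
GRANT, DENY = "grant", "deny"

# Constructed sample data. MEMBER_OF maps a user or group to the groups it is
# directly a member of; PATTERN holds only the explicitly defined pattern cells.
MEMBER_OF = {"alice": ["Finance", "ETL"], "bob": ["Finance"],
             "Finance": ["Report Users"]}
PATTERN = {
    "PUBLIC": {"ReadMetadata": DENY, "WriteMetadata": DENY},
    "SASUSERS": {"ReadMetadata": GRANT},
    "Finance": {"WriteMetadata": GRANT},
    "ETL": {"WriteMetadata": DENY},
    "Report Users": {"Read": GRANT},
}

def precedence_levels(identity, member_of, registered=True):
    """Groups ordered closest first: direct, each nesting level, SASUSERS, PUBLIC."""
    levels, seen, frontier = [], {identity}, [identity]
    while frontier:
        nxt = []
        for who in frontier:
            for group in member_of.get(who, ()):
                if group not in seen:  # keep a group at its closest level only
                    seen.add(group)
                    nxt.append(group)
        if nxt:
            levels.append(nxt)
        frontier = nxt
    if registered:  # unregistered users are in PUBLIC but not in SASUSERS
        levels.append(["SASUSERS"])
    levels.append(["PUBLIC"])
    return levels

def net_effect(pattern, identity, permission, member_of, registered=True):
    """Return GRANT, DENY, or None when the ACT has no effect on the identity."""
    own = pattern.get(identity, {}).get(permission)
    if own:  # the cell is not blank: the pattern setting itself applies
        return own
    for level in precedence_levels(identity, member_of, registered):
        found = {pattern[g][permission] for g in level
                 if permission in pattern.get(g, {})}
        if found:  # closest level that has a setting decides
            return DENY if len(found) > 1 else found.pop()  # conflict -> denial
    return None

if __name__ == "__main__":
    for who, perm in [("alice", "WriteMetadata"), ("bob", "WriteMetadata"),
                      ("bob", "Read"), ("bob", "ReadMetadata")]:
        print(who, perm, net_effect(PATTERN, who, perm, MEMBER_OF))
```

In the sample data, alice belongs directly to two groups with opposite WriteMetadata settings, so her blank cell resolves to a denial even though one of her groups has a grant.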
Last updated: February 22, 2018