Tips for Efficiently Using Permissions

Assign Permissions To Groups

You can simplify access control management by assigning permissions to groups rather than to individual users. These examples assume that there are not other explicit or ACT settings on the item:
  • To allow only unrestricted users to access an item, set denials on that item for the PUBLIC group.
  • To enable only registered users to access an item, set denials for the PUBLIC group and then grant access back to the SASUSERS group.
  • To enable only ETL developers and unrestricted users to access an item, create a group for the ETL developers. Then deny permissions to the PUBLIC group and grant access back to the ETL developers group.

Use Folders To Organize Content

You can simplify access control management by creating a folder structure that reflects the access distinctions that you want to make. Instead of setting permissions on each individual item, set permissions on the folders. The items in a folder inherit the folder's effective permissions.
Tip
To protect the folder structure, do not grant WriteMetadata permission on a folder to someone for whom WriteMemberMetadata permission is sufficient.

Centralize Permissions with ACTs

You can simplify access control management by using ACTs. An ACT is a reusable named pattern of settings that you can apply to multiple items. Each ACT consists of these elements:
  • a list of users and groups
  • an indication of whether each permission is granted, denied, or unspecified for each user and group in the list

Deny Broadly, Grant Selectively (To the Extent Possible)

Assign denials to the broadest group (PUBLIC) and then add offsetting grants for users or groups whose access you want to preserve. Deny access at the highest point of control and then grant access back on specific containers or items. These constraints apply:
  • The highest point of control is the repository-level settings that are defined on the foundation repository ACT's Permission Pattern tab. The security model requires that participating users have ReadMetadata and WriteMetadata access at this level, so broadly denying access here is not a workable approach. Instead, use the next point of control, which is the top of the folder tree on the Folders tab.
  • Within the folder tree, users need a clear path of grants of ReadMetadata in order to navigate to the items that they use. For this permission, setting denials on folders at a high level is not a workable approach.