Introduction to Access Management

About Access Management

Permissions that you set on an object’s Authorization tab are part of a metadata-based access control system within the SAS Metadata Server.
These permissions supplement protections in other layers, such as the operating system. Protections are cumulative across layers. You cannot perform a task unless you have sufficient access in all layers.
CAUTION:
Do not rely exclusively on metadata-layer permissions to protect data.
Manage physical access in addition to metadata-layer access. See the discussion of access to SAS data in SAS Intelligence Platform: Security Administration Guide.

Granularity and Mechanics of Permissions

Repository-Level Controls

Repository-level controls function as a gateway. Participating users should have the ReadMetadata and WriteMetadata permissions at the repository level. Repository-level controls also serve as a parent-of-last-resort, defining access to resources that do not have more specific settings. Repository-level controls are defined on the Permission Pattern tab of the repository ACT. In a standard configuration, the repository ACT is named Default ACT.

Resource-Level Controls

Resource-level controls manage access to a specific object such as a report, a stored process, a table, or a folder. You can define resource-level controls individually (as explicit settings) or in patterns (by using access control templates).

Fine-Grained Controls

Fine-grained controls affect access to subsets of data within a resource. To establish fine-grained controls, you define permission conditions that filter data to constrain access.

Feature-Level Controls

Some applications use roles to limit access to functionality. These applications check each user's roles in order to determine which menu items and features to display for that user. Roles are documented as part of user administration.

Inheritance and Precedence of Permissions

Two Relationship Networks

Permission settings are conveyed across two distinct relationship networks, a resource network and an identity network.
Permissions that are set directly on an object have priority over permissions that are set on the object’s parent. For example, when access to a report is evaluated, a denial that is set on the report (and assigned to the PUBLIC group) overrides a grant that is set on the report's parent folder (even if the grant is assigned to you).

The Resource Relationships Network

Permissions that you set on one object can affect many other objects. For example, a report inherits permissions from the folder in which the report is located. The resource relationship network consists primarily of a folder tree. For details and exceptions, see the discussion of the metadata authorization model in SAS Intelligence Platform: Security Administration Guide.

The Identity Relationships Network

Permissions that you assign to one group can affect many other identities. For example, if you grant a group access to a table, that grant applies to all users who are members of the group. The identity relationship network is governed by a precedence order that starts with a primary identity, can incorporate multiple levels of nested group memberships, and ends with implicit memberships in SASUSERS and then PUBLIC.
If there is a tie in this network (for example, if you directly assign a user to two groups and give one group a grant and another group a denial), the outcome is a denial.

Use and Enforcement of Each Permission

General-Purpose Permissions

The following table introduces the general-purpose permissions:

General-Purpose Permissions

Permission (Abbreviation) | Actions Affected
--------------------------|------------------
ReadMetadata (RM) | View an object. For example, to see a report, you need the ReadMetadata permission for that report.
WriteMetadata (WM) | Edit, delete, or set permissions for an object. To delete an object, you also need the WriteMemberMetadata permission for the object’s parent folder.
WriteMemberMetadata (WMM) | Add an object to a folder or delete an object from a folder. To enable someone to interact with a folder's contents but not with the folder itself, grant WMM and deny WM.
CheckInMetadata (CM) | Check in and check out objects in a change-managed area. The CheckInMetadata permission is applicable only in SAS Data Integration Studio.
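The following Python model, added here as an illustration and not SAS code or part of the original page, works through the two precedence rules from "Inheritance and Precedence of Permissions" (a setting on the object beats a setting on its parent; within one object the identity closest to the user wins, with a tie at the same level resolving to a denial, and the repository ACT acting as parent-of-last-resort) together with the WM/WMM rules in the table above (deleting an object needs WM on the object and WMM on its folder; granting WMM while denying WM lets someone manage a folder's contents but not the folder itself). All users, groups, folders and settings are constructed sample data, and two assumptions are labelled in the code: every named user is a registered user (so SASUSERS applies), and an object with no applicable setting anywhere is denied.

```python
"""Toy model of SAS metadata-layer permission evaluation (constructed
example; not SAS code).  Rules modelled:
  1. Resource network: a setting on the object itself beats a setting on
     the object's parent, regardless of which identity the setting names.
  2. Identity network: within one object, the identity closest to the
     requesting user wins (user, then groups by nesting depth, then
     SASUSERS, then PUBLIC); a tie at one level is a denial.
  3. Deleting an object needs WM on the object and WMM on its parent folder.
"""
from collections import deque

GRANT, DENY = "grant", "deny"
REPOSITORY_ACT = "REPOSITORY_ACT"   # stands in for the Default ACT's Permission Pattern

# --- constructed sample data ------------------------------------------------
MEMBERS = {                          # group -> direct members (users or groups)
    "Finance": {"alice", "Analysts"},
    "Analysts": {"carol"},           # carol reaches Finance through Analysts
    "ProjectX": {"bob"},
    "ProjectY": {"bob"},             # bob is directly in two groups
}
PARENT = {                           # object -> containing folder (None = top)
    "/Reports/Q1 Report": "/Reports",
    "/Reports": None,
}
SETTINGS = {                         # object -> identity -> permission -> outcome
    REPOSITORY_ACT: {"PUBLIC": {"RM": DENY, "WM": DENY, "WMM": DENY},
                     "SASUSERS": {"RM": GRANT}},
    "/Reports": {"alice": {"RM": GRANT},
                 "Finance": {"WMM": GRANT, "WM": DENY},   # contents yes, folder no
                 "ProjectX": {"RM": GRANT},
                 "ProjectY": {"RM": DENY}},
    "/Reports/Q1 Report": {"PUBLIC": {"RM": DENY},
                           "Finance": {"WM": GRANT}},
}


def identity_distance(user):
    """Rank every identity that applies to `user`: 0 = the user, n = a group
    reached through n membership hops, then SASUSERS, then PUBLIC last.
    Assumption: every named user is registered, so SASUSERS applies."""
    dist = {user: 0}
    queue = deque([(user, 0)])
    while queue:
        ident, depth = queue.popleft()
        for group, members in MEMBERS.items():
            if ident in members and group not in dist:
                dist[group] = depth + 1
                queue.append((group, depth + 1))
    farthest = max(dist.values())
    dist["SASUSERS"] = farthest + 1
    dist["PUBLIC"] = farthest + 2
    return dist


def decide_on_object(obj, dist, perm):
    """Apply identity precedence to one object's explicit settings.
    Returns GRANT, DENY, or None when nothing on this object applies."""
    by_rank = {}
    for ident, perms in SETTINGS.get(obj, {}).items():
        if ident in dist and perm in perms:
            by_rank.setdefault(dist[ident], set()).add(perms[perm])
    if not by_rank:
        return None
    closest = by_rank[min(by_rank)]
    return DENY if DENY in closest else GRANT   # tie at the closest level -> deny


def effective(user, obj, perm):
    """Walk up the folder tree; the first object with an applicable setting
    decides.  Falls back to the repository ACT, then to DENY (assumption:
    no setting anywhere means no access)."""
    dist = identity_distance(user)
    node = obj
    while node is not None:
        outcome = decide_on_object(node, dist, perm)
        if outcome is not None:
            return outcome
        node = PARENT.get(node)
    return decide_on_object(REPOSITORY_ACT, dist, perm) or DENY


def can_delete(user, obj):
    """Deletion needs WriteMetadata on the object itself and
    WriteMemberMetadata on the folder that contains it."""
    parent = PARENT.get(obj)
    return (effective(user, obj, "WM") == GRANT
            and parent is not None
            and effective(user, parent, "WMM") == GRANT)


if __name__ == "__main__":
    # PUBLIC denial on the report beats alice's own grant on the parent folder
    print("alice RM on Q1 Report:", effective("alice", "/Reports/Q1 Report", "RM"))
    # bob: grant via ProjectX and denial via ProjectY at the same level -> deny
    print("bob RM on /Reports:", effective("bob", "/Reports", "RM"))
    # alice may delete the report but not the folder (WMM granted, WM denied)
    print("alice can delete report:", can_delete("alice", "/Reports/Q1 Report"))
    print("alice can delete folder:", can_delete("alice", "/Reports"))
```

Running the module prints deny, deny, True and False: the report-level PUBLIC denial overrides the folder-level grant that names alice directly, bob's two equally ranked groups resolve to a denial, and the WMM-grant/WM-deny pattern on the folder lets alice remove its contents without being able to edit or delete the folder itself. carol, who reaches Finance only through Analysts, still inherits Finance's WM grant on the report, and with no setting on the folder for any of her identities her read access falls through to the repository ACT, where the nearer SASUSERS grant beats the PUBLIC denial.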

Specialized Permissions

The following table introduces some of the specialized permissions:

Specialized Permissions

Permission (Abbreviation) | Actions Affected
--------------------------|------------------
Administer (A) | Operate (monitor, stop, pause, resume, refresh, or quiesce) certain SAS servers and spawners.
Create (C) | Add data through the metadata LIBNAME engine.
Read (R) | Read data through certain objects (for example, cubes, information maps, and tables that are accessed through the metadata LIBNAME engine).
Write (W) | Update data through certain objects (for example, data that is accessed through the metadata LIBNAME engine and publishing channels).
Delete (D) | Delete data through the metadata LIBNAME engine.

Additional Information

For more information, see the following documents:
  • SAS Guide to Metadata-Bound Libraries (for information about the Insert, Update, Select, Create Table, Drop Table, and Alter Table permissions, and an additional use of the Delete permission)
  • SAS Language Interfaces to Metadata (for information about the metadata LIBNAME engine)
  • SAS Intelligence Platform: Security Administration Guide (for information about the metadata authorization layer)