Create a Custom ACT

Why Create Custom ACTs?
How to Create a Custom ACT

Why Create Custom ACTs?

Several predefined ACTs are provided. To further centralize access management, create an ACT for each access pattern that you use multiple times. This list provides tips:
  • It is often useful to create ACTs to manage visibility of content for different business units.
  • It is often useful to create an ACT that manages Write access for a functional group that includes users from multiple business units.
  • You do not have to capture all of an object's protections in one ACT. You can use combinations of ACTs, explicit settings, and inherited settings to define access to an object.

How to Create a Custom ACT

  1. Review the existing ACTs to make sure that the pattern does not already exist.
    1. On the Plug-ins tab of SAS Management Console, select Environment Managementthen selectAuthorization Managerthen selectAccess Control Templates
    2. On the Permission Pattern tab of each ACT, examine the settings for each identity.
      Note: Do not confuse an ACT's Authorization tab with its Permission Pattern tab. Settings on an ACT's Authorization tab affect who can access that ACT; settings on an ACT's Permission Pattern tab affect access to the objects to which that ACT is applied.
  2. Create the ACT.
    1. On the Plug-ins tab in SAS Management Console, select Authorization Managerthen selectAccess Control Templates.
    2. Right-click and select New Access Control Template.
    3. On the General tab, enter a name. It is a good idea to use the description field to document the intended purpose of the ACT.
    4. On the Permission Pattern tab, add one or more identities and select check boxes. Each restricted identity that you add gets a grant of the ReadMetadata permission in the pattern.
      Note: The pattern is a collection of settings that will be added to the protections for each object to which you apply this ACT. Any gray check boxes come from group memberships. The gray settings are not part of the ACT's pattern; they just show the net effect of that pattern for the selected identity.
      Note: For each identity, the pattern can provide a grant, a deny, or a blank setting for each permission. Settings that are unspecified (neither granted nor denied) in an ACT's pattern have no effect when that ACT is applied to an object.
    5. On the Authorization tab, define who can do what to the new ACT. It is important to prevent regular users from modifying or removing an ACT. For example, you might add an explicit clear check box denial of WriteMetadata for PUBLIC and an offsetting explicit grant of WriteMetadata for the SAS Administrators group.
    6. In the Properties dialog box, click OK. The new ACT is now in the list of ACTs under Authorization Managerthen selectAccess Control Templates.
  3. Apply the ACT to one or more objects. For each object to which you want to add the ACT's settings, complete these steps:
    1. Navigate to the object's Authorization tab.
    2. Click Access Control Templates.
    3. In the Available list box, open the nodes and move the new ACT to the Currently Using list box. Click OK to close the dialog box.
    4. On the object's Authorization tab, verify that the revised settings are as you expect.
      Note: On the Authorization tab of an object to which an ACT is applied, settings that are explicit white check box in the ACT's pattern are green green check box.
      Note: The applied ACT contributes its settings to the object's protections. The object can also have explicit settings and other applied ACTs (as well as inherited settings).
  4. If necessary, adjust the ACT's pattern. The advantage of using an ACT is that you can change the pattern without revisiting the objects to which the pattern is applied. Simply make changes on the ACT's Permission Pattern tab.

See Also

Use and Enforcement of Each Permission
Who Can Set Permissions?
Copyright © SAS Institute Inc. All Rights Reserved.