SAS Namespace Types
Subclass of AccessControl
The AccessControlEntry metadata type is used to define an access control directly on a resource. The access control is stored with the resource definition and is unique to that resource. That is, the AccessControlEntry (ACE) cannot be applied to another metadata object.
An ACE can specify permissions for both individual users and for groups. If a given identity is referenced more than once in the ACE, for example, both directly and by virtue of membership in one or more groups, the permission assigned directly to the identity will take precedence. When the SAS Open Metadata Architecture authorization facility evaluates access controls, a permission assigned in an ACE will take precedence over a permission assigned in an AccessControlTemplate (ACT). A resource-specific access control also takes precedence over any inherited access controls and permissions assigned in the Repository ACT.
An ACE should not be explicitly created or deleted. Access controls are managed programmatically using the SAS Open Metadata Interface ISecurityAdmin server interface, which is documented in the SAS Open Metadata Interface: Reference and Usage. ISecurityAdmin provides methods for defining and managing direct access controls as well as access control templates.
The following list of associations is used to determine if this object should inherit access controls from another object (inheritance), or if the association is allowed for the object (enforcement). An association will not be created unless the calling user is authorized to update one or both objects involved in the association. For more information about inheritance and enforcement rules, see the SAS Intelligence Platform: Security Administration Guide.
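The precedence rules described above can be sketched as a small evaluator. This is an added example, not SAS code and not the authorization facility's implementation; the function names, the sample identities and the three behaviours marked as assumptions in the comments are not taken from this page.

```python
GRANT, DENY = "grant", "deny"

def tier_decision(controls, user, groups, permission):
    """Resolve one precedence tier; each control maps identity -> {permission: setting}."""
    # A permission assigned directly to the user beats one reached through a group.
    for identities in ([user], groups):
        found = {c.get(i, {}).get(permission) for c in controls for i in identities}
        found.discard(None)
        if found:
            # Assumption (not stated on the page): conflicting settings at the
            # same level resolve to deny.
            return DENY if DENY in found else GRANT
    return None

def decide(user, groups, permission, ace, act, inherited, repository_act):
    """Return (setting, source) for the first tier that has a setting."""
    tiers = [
        ("direct ACE", [ace]),               # an ACE beats an ACT
        ("direct ACT", [act]),               # resource-specific beats inherited
        ("inherited", inherited),            # assumption: checked before the Repository ACT
        ("repository ACT", [repository_act]),
    ]
    for source, controls in tiers:
        setting = tier_decision(controls, user, groups, permission)
        if setting is not None:
            return setting, source
    return None, "no setting"                # assumption: the page defines no default

# Constructed sample data for one resource (hypothetical user and group names).
ACE = {"ana": {"ReadMetadata": GRANT}, "PUBLIC": {"ReadMetadata": DENY},
       "Analysts": {"WriteMetadata": DENY}}
ACT = {"Analysts": {"WriteMetadata": GRANT}, "ana": {"Delete": DENY}}
INHERITED = [{"ana": {"Delete": GRANT, "Read": GRANT}}]
REPOSITORY_ACT = {"PUBLIC": {"Read": DENY, "Write": DENY}}

def check(permission):
    """Evaluate one permission for the sample user against the sample controls."""
    return decide("ana", ["Analysts", "PUBLIC"], permission,
                  ACE, ACT, INHERITED, REPOSITORY_ACT)

if __name__ == "__main__":
    for p in ("ReadMetadata", "WriteMetadata", "Delete", "Read", "Write", "Create"):
        print(p, check(p))
```

Returning the source tier alongside the setting makes it easy to see which control actually decided an access request when reviewing why a user can or cannot reach a resource.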
Inherited Attributes
Name,
Id,
Desc,
MetadataCreated,
MetadataUpdated,
ChangeState,
IsHidden,
LockedBy,
PublicType,
UsageVersion
Name | Cardinality | Description | Associated Types |
AssociatedCondition Partner: OwningAccessControlEntry | 0 to 1 | The associated condition used to grant or deny access to a resource. | PermissionCondition |
Identities Partner: AccessControlEntries | 0 to * | The identities associated to this access control entry. | Identity, IdentityGroup, Person |
Permissions Partner: AccessControlEntries | 0 to * | The permissions that are granted or denied by this access control entry. | Permission |
Inherited Associations
AccessControls/Objects,
AccessControlTemplates/AccessControlItems,
Changes/Objects,
CustomAssociations/OwningObject,
Documents/Objects,
Extensions/OwningObject,
ExternalIdentities/OwningObject,
FavoritesContainers/Favorites,
Groups/Members,
Implementors/ImplementedObjects,
Keywords/Objects,
LocalizedAttributes/AssociatedLocalizedObject,
Notes/Objects,
Objects/AccessControls,
PrimaryPropertyGroup/AssociatedObject,
Prompts/PromptEnabledObject,
Properties/AssociatedObject,
PropertySets/OwningObject,
ReferencedObjects/AssociatedObjects,
ResponsibleParties/Objects,
SourceTransformations/TransformationSources,
SpecSourceTransformations/SourceSpecifications,
SpecTargetTransformations/TargetSpecifications,
TargetTransformations/TransformationTargets,
Timestamps/Objects,
Trees/Members,
TSObjectNamespace/TSObjects,
UsedByPrototypes/UsingPrototype,
UsingPrototype/UsedByPrototypes,
Variables/AssociatedObject
AssociatedCondition
Cardinality: 0 to 1
Partner: OwningAccessControlEntry
The associated condition used to grant or deny access to a resource.
Associated Types:
PermissionCondition
Identities
Cardinality: 0 to *
Partner: AccessControlEntries
The identities associated to this access control entry.
Associated Types:
Identity, IdentityGroup, Person
Permissions
Cardinality: 0 to *
Partner: AccessControlEntries
The permissions that are granted or denied by this access control entry.
Associated Types:
Permission
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.