SAS Namespace Types

AccessControlEntry


Subclass of AccessControl


Overview

The AccessControlEntry metadata type is used to define an access control directly on a resource. The access control is stored with the resource definition and is unique to that resource. That is, the AccessControlEntry (ACE) cannot be applied to another metadata object.

An ACE can specify permissions for both individual users and for groups. If a given identity is referenced more than once in the ACE, for example, both directly and by virtue of membership in one or more groups, the permission assigned directly to the identity will take precedence.

When the SAS Open Metadata Architecture authorization facility evaluates access controls, a permission assigned in an ACE will take precedence over a permission assigned in an AccessControlTemplate (ACT). A resource-specific access control also takes precedence over any inherited access controls and permissions assigned in the Repository ACT.
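The precedence rules above, modelled as an added Python example (not SAS code and not the ISecurityAdmin API). Assumptions not stated on this page: the dict layout and function names, the sample identities and permissions, denying when groups disagree, applying the direct-over-group rule in every tier, and checking inherited controls before the Repository ACT.

```python
GRANT, DENY = "grant", "deny"

def lookup(control, user, groups, permission):
    """Resolve one access control, modelled as {identity: {permission: decision}}."""
    # A permission assigned directly to the identity takes precedence
    # over one that reaches it through group membership.
    direct = control.get(user, {}).get(permission)
    if direct is not None:
        return direct, "direct"
    found = {control[g][permission] for g in groups
             if permission in control.get(g, {})}
    if len(found) == 1:
        return found.pop(), "group"
    if found:
        # Assumption: the page does not say how disagreeing groups resolve.
        return DENY, "group conflict"
    return None, None

def explain(user, groups, permission, ace, act, inherited, repository_act):
    """Return (decision, source) so an auditor can see which control decided."""
    # ACE beats ACT; resource-specific controls beat inherited controls and
    # the Repository ACT. Inherited-before-Repository is an assumption.
    tiers = [("ACE", ace), ("ACT", act),
             ("inherited", inherited), ("Repository ACT", repository_act)]
    for name, control in tiers:
        decision, how = lookup(control, user, groups, permission)
        if decision is not None:
            return decision, f"{name} ({how})"
    return None, "no control applies"

# Constructed sample data, not taken from a real repository.
GROUPS = ["Analysts", "Contractors"]
ACE = {"alice": {"ReadMetadata": GRANT},
       "Contractors": {"ReadMetadata": DENY, "WriteMetadata": DENY}}
ACT = {"Analysts": {"WriteMetadata": GRANT}}
INHERITED = {"Analysts": {"Delete": GRANT}}
REPOSITORY_ACT = {"Contractors": {"Delete": DENY}}

if __name__ == "__main__":
    for perm in ("ReadMetadata", "WriteMetadata", "Delete", "Administer"):
        print(perm, explain("alice", GROUPS, perm,
                            ACE, ACT, INHERITED, REPOSITORY_ACT))
```

The source string in each result is what makes an unexpected grant reviewable: it shows, for example, that a direct grant in the ACE overrode a group denial in the same ACE.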

An ACE should not be explicitly created or deleted. Access controls are managed programmatically using the SAS Open Metadata Interface ISecurityAdmin server interface, which is documented in the SAS Open Metadata Interface: Reference and Usage. ISecurityAdmin provides methods for defining and managing direct access controls as well as access control templates.

Security Inheritance and Enforcement Rules

The following list of associations is used to determine if this object should inherit access controls from another object (inheritance), or if the association is allowed for the object (enforcement). An association will not be created unless the calling user is authorized to update one or both objects involved in the association. For more information about inheritance and enforcement rules, see the SAS Intelligence Platform: Security Administration Guide.

Attributes

Inherited Attributes
Name, Id, Desc, MetadataCreated, MetadataUpdated, ChangeState, IsHidden, LockedBy, PublicType, UsageVersion

Associations

= indicates the resident side of an association, or where the association is persisted for cross-repository associations. If no resident side is indicated, this association may not cross repository boundaries.

| Name | Cardinality | Description | Associated Types |
|---|---|---|---|
| AssociatedCondition (Partner: OwningAccessControlEntry) | 0 to 1 | The associated condition used to grant or deny access to a resource. | PermissionCondition |
| Identities (Partner: AccessControlEntries) | 0 to * | The identities associated to this access control entry. | Identity, IdentityGroup, Person |
| Permissions (Partner: AccessControlEntries) | 0 to * | The permissions that are granted or denied by this access control entry. | Permission |

Inherited Associations
AccessControls/Objects, AccessControlTemplates/AccessControlItems, Changes/Objects, CustomAssociations/OwningObject, Documents/Objects, Extensions/OwningObject, ExternalIdentities/OwningObject, FavoritesContainers/Favorites, Groups/Members, Implementors/ImplementedObjects, Keywords/Objects, LocalizedAttributes/AssociatedLocalizedObject, Notes/Objects, Objects/AccessControls, PrimaryPropertyGroup/AssociatedObject, Prompts/PromptEnabledObject, Properties/AssociatedObject, PropertySets/OwningObject, ReferencedObjects/AssociatedObjects, ResponsibleParties/Objects, SourceTransformations/TransformationSources, SpecSourceTransformations/SourceSpecifications, SpecTargetTransformations/TargetSpecifications, TargetTransformations/TransformationTargets, Timestamps/Objects, Trees/Members, TSObjectNamespace/TSObjects, UsedByPrototypes/UsingPrototype, UsingPrototype/UsedByPrototypes, Variables/AssociatedObject

Association Details

AssociatedCondition
     Cardinality:   0 to 1
     Partner:   OwningAccessControlEntry

The associated condition used to grant or deny access to a resource. 

Associated Types:
PermissionCondition

Identities
     Cardinality:   0 to *
     Partner:   AccessControlEntries

The identities associated to this access control entry. 

Associated Types:
Identity, IdentityGroup, Person

Permissions
     Cardinality:   0 to *
     Partner:   AccessControlEntries

The permissions that are granted or denied by this access control entry. 

Associated Types:
Permission
