
SAS Namespace Submodels

Authorization Submodel

The Authorization submodel contains metadata types that are used to define access controls. Access controls can be defined on resources and on application actions.


Metadata Types

The Authorization submodel has the following metadata types.

AccessControl

AccessControlEntry

AccessControlTemplate

ApplicationAction

InternalLogin

Permission

PermissionCondition

SecurityRule

SecurityRuleScheme

SecurityTypeContainmentRule

The Permission metadata type is used to represent the permissions that are enforced. The SAS Authorization Facility defines the ReadMetadata, WriteMetadata, CheckinMetadata, WriteMemberMetadata, Read, Write, Create, and Delete permissions. The SAS Metadata Server enforces ReadMetadata, WriteMetadata, CheckinMetadata, and WriteMemberMetadata. WriteMemberMetadata is enforced only on Tree objects that function as folders. Clients must enforce Read, Write, Create, and Delete, and may define and enforce other permissions.

The AccessControlEntry and AccessControlTemplate metadata types are used to associate identities and permissions with resources. AccessControlEntry objects assign access controls directly to a resource. An AccessControlTemplate is an independent resource that contains access controls and can be applied to many resources. The PermissionCondition metadata type enables clients to place conditions on permissions. The clients must provide enforcement of the conditions.

The SecurityRule, SecurityRuleScheme, and SecurityTypeContainmentRule metadata types are for internal use only and define access control inheritance.

The ApplicationAction metadata type represents a feature or action of an application and is used in conjunction with the Role metadata type to manage user access to the feature or action based on Role membership.

The InternalLogin metadata type is for internal use only. It enables support for internal user authentication.


Usage

Developers are discouraged from creating objects of these metadata types by using the AddMetadata method and other methods that add resource objects. The preferred way to define access controls is to use the SAS Management Console Authorization Manager plugin or, if a batch interface is preferred, the new SAS Open Metadata Interface ISecurityAdmin interface. For more information about the ISecurityAdmin interface, see "Security Administration (ISecurityAdmin Class) Methods" in the SAS Open Metadata Interface: Reference and Usage.
