<DOAS> Option

About the <DOAS> Option

IOMI methods support a <DOAS> element in the OPTIONS parameter that enables SAS Open Metadata Interface clients to make a metadata request for another user. Typically, when a metadata request is made, the authorization facility checks the user ID and credentials of the requesting user to determine whether the request is allowed. The <DOAS> element permits the request to be made with another user ID, and authorized using the credentials of this other user.
Credentials refer to the set of metadata identities associated with a user who is registered in the SAS Metadata Server. The set begins with a principal identity represented by the Person (or IdentityGroup) object that is mapped directly to an authenticated user ID. The set also contains references to any IdentityGroup objects in which the principal identity is either directly or indirectly identified as a member.
The <DOAS> element enables middleware servers to use the identity of their own clients when making metadata requests. This way, the request is authorized based on the credentials of the client, rather than on the credentials of the connecting user. That is, when the <DOAS> element is encountered, metadata is created, returned, and updated based on the credentials of the specified client, rather than the connecting user. It is the responsibility of the client to authenticate the user.

Specifying the <DOAS> Option

The <DOAS> element is supported in the AddMetadata, DeleteMetadata, GetMetadata, GetMetadataObjects, GetSubtypes, GetTypeProperties, IsSubtypeOf, and UpdateMetadata methods.
It is passed in the OPTIONS parameter in the form:
<DOAS Credential="CredHandle"/>
CredHandle is a handle, returned by the ISecurity GetCredentials method, that represents the other user's credentials. For more information, see GetCredentials.
A client must have trusted user status on the SAS Metadata Server to issue the ISecurity GetCredentials method. A trusted user is a special user whose user ID is defined in the trustedUsers.txt file.

Example 1: Standard Interface

The following is an example of a GetMetadataObjects request that specifies the <DOAS> option. The method call is formatted for the standard interface.
/* set repository Id and type */
reposid="A0000001.A4345678";
type="PhysicalTable";
ns="SAS";
flags=0;
/* single quotes inside the string so the attribute value does not end the string */
options="<DOAS Credential='0000000000235462'/>";

rc = GetMetadataObjects(reposid, type, objects, ns, flags, options);
This request returns only PhysicalTable objects that the user identified in the credential handle is authorized to read.

Example 2: DoRequest Method

The following is an example of an AddMetadata method that specifies the <DOAS> option. The method call is formatted for the INMETADATA parameter of the DoRequest method.
<AddMetadata>
  <Metadata>
    <PhysicalTable Name="NECust"
                   Desc="All customers in the northeast region"/>
  </Metadata>
  <Reposid>A0000001.A2345678</Reposid>
  <NS>SAS</NS>
  <Flags>268435456</Flags>
  <Options>
    <DOAS Credential="0000000000235462"/>
  </Options>
</AddMetadata>
The requested object is created only if the user who is identified in the credential handle has WriteMetadata permission to the specified repository.
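
Because the server authorizes the request as whoever the handle in <DOAS> identifies, middleware should take that handle only from its own record of the session it authenticated, and should build the request so that user-supplied values cannot alter the Options element. The following Python code is an added example, not SAS code: it builds the INMETADATA string from Example 2 without contacting a server, and the session store, the function names, and the 16-hex-digit handle format (taken from the sample value above) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: handles look like the page's sample value (16 hex digits).
HANDLE_RE = re.compile(r"[0-9A-Fa-f]{16}")

# Constructed stand-in for the middleware's session store: maps a session the
# middleware authenticated itself to the handle GetCredentials returned for it.
SESSION_HANDLES = {"sess-alice": "0000000000235462"}


def doas_options(session_id):
    """Return an <Options> element carrying the session's own credential handle."""
    handle = SESSION_HANDLES.get(session_id)
    if handle is None:
        raise PermissionError("no authenticated session; refusing to impersonate")
    if not HANDLE_RE.fullmatch(handle):
        raise ValueError("credential handle has unexpected format")
    options = ET.Element("Options")
    ET.SubElement(options, "DOAS", Credential=handle)
    return options


def add_physical_table(session_id, reposid, name, desc):
    """Build the AddMetadata INMETADATA string for the DoRequest method."""
    root = ET.Element("AddMetadata")
    metadata = ET.SubElement(root, "Metadata")
    # ElementTree escapes attribute values on output, so name and desc cannot
    # close the attribute and add elements such as a second <DOAS>.
    ET.SubElement(metadata, "PhysicalTable", Name=name, Desc=desc)
    ET.SubElement(root, "Reposid").text = reposid
    ET.SubElement(root, "NS").text = "SAS"
    ET.SubElement(root, "Flags").text = "268435456"
    root.append(doas_options(session_id))
    return ET.tostring(root, encoding="unicode")


def doas_handles(xml_text):
    """Parse a request back and list the Credential of every <DOAS> element."""
    return [e.get("Credential") for e in ET.fromstring(xml_text).findall(".//DOAS")]


if __name__ == "__main__":
    req = add_physical_table("sess-alice", "A0000001.A2345678", "NECust",
                             "All customers in the northeast region")
    print(req)
    print(doas_handles(req))
```

Running doas_handles over every outgoing request gives a cheap invariant to check in tests or logging: exactly one handle, equal to the one stored for the session.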