IsAuthorized

Short Description

Determines whether an authenticated user is authorized to access a resource with a specific permission.

Category

Authorization methods

Interface Version

ISecurity 1.0

Syntax

IsAuthorized(credHandle,resource,permission,permissionCondition,authorized);

Parameters

Method Parameters

Parameter            Type     Direction  Description
credHandle           string   in         Credential handle identifying a user identity, or an empty string.
resource             string   in         Passed resource identifier.
permission           string   in         Passed user access permission.
permissionCondition  string   out        Returned permission conditions associated with access to the resource.
authorized           boolean  out        A Boolean value that indicates whether access to a resource is granted or denied.

Details

If the CREDHANDLE parameter is an empty string, authorization is returned for the requesting user.
The RESOURCE parameter identifies the object to which access is requested. The parameter accepts two types of input:
  • A URN that specifies an application element in the following form:
    OMSOBJ: MetadataType/ObjectId
  • A URN that specifies a repository in the following form:
    REPOSID:_reposID
    _reposID is the unique, 8-character identifier of a repository. (This is the 8 characters following the period in a RepositoryBase object's 17-character metadata identifier.)
Use of a repository URN causes the IsAuthorized method to check the specified repository's default ACT for information to make the authorization decision. The repository ACT controls whether a user can create objects in the repository. A client can use the URN to determine whether the user represented by the CREDHANDLE parameter is granted or denied WriteMetadata, which determines whether the user can create objects in the repository. Group memberships are evaluated when making the decision. For example, if the requesting user is not specifically denied WriteMetadata permission in the repository ACT, and a group to which he belongs is granted WriteMetadata permission in the repository ACT, then he is allowed to create objects in the repository. For more information about identity precedence, see SAS Intelligence Platform: Security Administration Guide.
The PERMISSION parameter specifies the permission to check for. A single permission value can be passed to the IsAuthorized method.
The PERMISSIONCONDITION parameter is used with data permissions, such as Read and Write. A value returned in this parameter indicates that a permission is granted, but only if the condition specified in an associated PermissionCondition object is met. The syntax of a permission condition is not defined. It is specific to the resource being protected and to the technology responsible for enforcing the security of the resource. For example, a PermissionCondition object for a table would contain an SQL WHERE clause, but for an OLAP dimension, it would contain an MDX expression identifying the level members that can be accessed in the OLAP dimension.
It is possible for a user to have multiple permission conditions associated with his or her access to a resource. In this case, the PERMISSIONCONDITION parameter is returned with multiple strings embedded. Each embedded condition is separated from the preceding condition by the string <!--CONDITION-->. If you receive a PERMISSIONCONDITION output string, you must check to see whether it contains multiple permission conditions by searching for <!--CONDITION--> in the returned string. If multiple permission conditions are found, then they should be used to filter data so the resulting data is a union of the data returned for each permission condition individually. In other words, the permission conditions would have the OR operation performed on them.
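As an added example (it is not part of this documentation or of the SAS Open Metadata Interface client), the following Java helper builds both URN forms described above and processes a PERMISSIONCONDITION value that embeds several conditions. The class name, the method names, the RepositoryBase identifier and the condition strings are constructed for illustration; the only facts taken from this page are the two URN prefixes, the 17-character identifier layout, the <!--CONDITION--> separator and the rule that multiple conditions are combined with OR.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added helper class (hypothetical name); not part of the SAS client library.
public final class IsAuthorizedHelper {

    // Separator the IsAuthorized method uses between embedded conditions.
    static final String CONDITION_SEPARATOR = "<!--CONDITION-->";

    // Builds an application-element URN: OMSOBJ:MetadataType/ObjectId
    static String objectUrn(String metadataType, String metadataId) {
        requireMetadataId(metadataId);
        return "OMSOBJ:" + metadataType + "/" + metadataId;
    }

    // Builds a repository URN from a RepositoryBase object's 17-character
    // identifier: the repository id is the 8 characters after the period.
    static String repositoryUrn(String repositoryBaseId) {
        requireMetadataId(repositoryBaseId);
        return "REPOSID:" + repositoryBaseId.substring(9);
    }

    // Rejects anything that is not 8 characters, a period, 8 characters,
    // so a malformed id fails here rather than as InvalidResourceSpec.
    private static void requireMetadataId(String id) {
        if (id == null || id.length() != 17 || id.charAt(8) != '.') {
            throw new IllegalArgumentException(
                "expected a 17-character metadata id (XXXXXXXX.YYYYYYYY): " + id);
        }
    }

    // Splits the PERMISSIONCONDITION out parameter into its individual
    // conditions. A null or empty value means the grant is unconditional.
    static List<String> splitConditions(String permissionCondition) {
        List<String> conditions = new ArrayList<>();
        if (permissionCondition == null) {
            return conditions;
        }
        for (String part : permissionCondition.split(Pattern.quote(CONDITION_SEPARATOR))) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                conditions.add(trimmed);
            }
        }
        return conditions;
    }

    // For a table, each condition is a SQL WHERE fragment. The rows the user
    // may see are the union of the rows each condition selects, so the
    // fragments are parenthesized and joined with OR. Returns null when
    // access is denied and "" when access is granted without restriction.
    static String tableRowFilter(boolean authorized, String permissionCondition) {
        if (!authorized) {
            return null;  // denied: the caller must not issue the query at all
        }
        StringBuilder where = new StringBuilder();
        for (String condition : splitConditions(permissionCondition)) {
            if (where.length() > 0) {
                where.append(" OR ");
            }
            where.append('(').append(condition).append(')');
        }
        return where.toString();
    }

    public static void main(String[] args) {
        // The table id is taken from this page's sample output; the
        // RepositoryBase id and the condition strings are constructed.
        String tableId = "A5CY5BIY.AO000003";
        String repositoryBaseId = "A0000001.A5CY5BIY";

        System.out.println(objectUrn("PhysicalTable", tableId));
        System.out.println(repositoryUrn(repositoryBaseId));

        String twoConditions = "region = 'EAST'" + CONDITION_SEPARATOR + "region = 'WEST'";
        System.out.println(tableRowFilter(true, twoConditions));   // two fragments OR'd
        System.out.println(tableRowFilter(true, ""));              // unrestricted grant
        System.out.println(tableRowFilter(false, twoConditions));  // denied
    }
}
```

The denied case is returned as null rather than as an empty filter on purpose: an empty WHERE clause means "every row", so a caller that confused the two outcomes would turn a denial into unrestricted access. Callers should branch on the AUTHORIZED value first and only then consult the conditions.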

Exceptions Thrown

The SAS Open Metadata Interface explicitly returns the following exceptions for the isAuthorized method:
  • NotTrustedUser
  • InvalidCredHandle
  • InvalidResourceSpec

Example

The following is a Java example of the IsAuthorized method. The method is issued to determine whether the credentialed user has Read permission to the requested table. The example includes code that formats and prints the results of the request.
  // Imports required by this method; they belong at the top of the enclosing class.
  // The holder classes for the out parameters come from the CORBA package used
  // by the SAS Open Metadata Interface Java client.
  import org.omg.CORBA.BooleanHolder;
  import org.omg.CORBA.StringHolder;

  // The enclosing class is assumed to define:
  //   ISecurity iSecurity;   // connected ISecurity stub
  //   String table_URN;      // URN of the table, e.g. OMSOBJ:PhysicalTable/<reposId>.<objectId>
  public void isAuthorized() throws Exception {

      try {
          System.out.println("");  // Skip a line
          System.out.println("<<<< Begin isAuthorized() >>>>");

          // These statements define holders for the credHandle,
          // permissionCondition, and authorized parameters. Assume the
          // requested resource, a table, was defined earlier, and that
          // a credential handle was obtained earlier. credHandle.value must
          // hold that handle; an empty string would instead request
          // authorization for the requesting user.
          StringHolder credHandle = new StringHolder();
          StringHolder permCond = new StringHolder();
          BooleanHolder isAuth = new BooleanHolder();

          // Issues the IsAuthorized method, specifying the Read permission.
          // The in parameters are passed as plain strings; permCond and
          // isAuth are holders that receive the out parameters.
          iSecurity.IsAuthorized(credHandle.value, table_URN, "Read",
                                 permCond, isAuth);

          System.out.println();
          // Print a title for the output, then the parameter values
          // along with the IsAuthorized result.
          System.out.println("<<<<<< isAuthorized() call parameters with "
                             + "(Read Permission) results >>>>>>");
          System.out.print("credHandle=" + credHandle.value + ", ");
          System.out.print("resourceURN=" + table_URN + ", ");
          System.out.print("permission=Read, ");
          System.out.print("permissionCondition=" + permCond.value + ", ");
          System.out.print("isAuth=" + isAuth.value);
          System.out.println();  // force newline

          System.out.println("<<<< End isAuthorized() >>>>");
      }
      // The following statement catches the method's exceptions.
      catch (Exception e) {
          System.out.println("IsAuthorized: Exceptions");
          e.printStackTrace();
          throw e;
      }
  }
Here is the output from the request:
<<<< Begin isAuthorized() >>>>

<<<<<< isAuthorized() call parameters with (Read Permission) results >>>>>>
credHandle=1e11e9ff00000002, resourceURN=OMSOBJ:PhysicalTable/A5CY5BIY.AO000003, 
permission=Read, permissionCondition=Based on this condition, isAuth=true

<<<< End isAuthorized() >>>>
The user represented by the credential handle has Read permission to PhysicalTable A5CY5BIY.AO000003.

Related Methods