Providing Fine-Grained Access Using Permission Conditions

Overview

Effective with the first maintenance release for SAS 9.4, you can use permission conditions to give users access to some but not all of the data within a physical table. Use the following approach:
  1. If the physical table and its parent library are not already bound to metadata, bind them.
  2. Set metadata-layer permissions to control who can access each table.
  3. Use SAS Management Console to specify permission conditions.

Instructions

  1. On the Folders tab in SAS Management Console, beneath a /System/Secured Libraries branch, select the secured library object that corresponds to the metadata-bound library whose data sets you want to protect.
  2. In the right panel, right-click the table for which you are defining a permission condition. Select Properties, and then select the Authorization tab of the properties dialog box.
  3. Select or add the identity whose access you want to limit.
  4. In the permissions list, add an explicit grant (white check box) of the Select permission for the selected identity. In SAS Management Console, an explicit setting has a white background color (not gray or green).
  5. Click the Add Condition button.
    Note: If the Edit Condition button is displayed, a condition already exists for the selected user or group. You can click this button to modify the condition.
  6. In the Permission Condition dialog box, enter the WHERE clause for an SQL query that filters the data as appropriate for the selected identity. Do not include the WHERE keyword in your entry.
    Tip: To make dynamic, per-person access distinctions, you can use identity-driven properties as the values against which target data values are compared. Use the following syntax when specifying one of these properties: SUB::property-name (for example, SUB::SAS.Userid). For a list of available identity-driven properties, see Fine-Grained Controls for Data in SAS Intelligence Platform: Security Administration Guide.
    CAUTION: The syntax that you enter and save in the Permission Condition dialog box is not checked for validity. Make sure that the syntax that you have entered is correct.
  7. Click OK.
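
Because the dialog box does not validate what you enter, a lexical sanity check can be run on the condition text before it is saved. The following is an added example, not SAS code or part of the original documentation: it only catches the mistakes named in step 6 (a leading WHERE keyword, unbalanced quotes or parentheses, a stray semicolon, a malformed SUB:: reference) and does not parse SQL. The function name and the column names in the sample conditions are assumptions.

```python
import re

# Matches the SUB::property-name syntax described in the Tip above.
SUB_TOKEN = re.compile(r"\bSUB::([A-Za-z_][\w.]*)", re.I)

def lint_condition(text):
    """Return (problems, properties) for a permission condition string."""
    problems, depth, quote, outside = [], 0, None, []
    for ch in text:
        if quote:                       # inside a string literal
            if ch == quote:
                quote = None            # a doubled quote ('') reopens on the next char
        elif ch in "'\"":
            quote = ch
        else:
            outside.append(ch)          # keep only text outside string literals
            if ch == "(":
                depth += 1
            elif ch == ")":
                if depth == 0:
                    problems.append("unmatched ')'")
                else:
                    depth -= 1
    bare = "".join(outside)
    if re.match(r"\s*where\b", text, re.I):
        problems.append("entry starts with the WHERE keyword")
    if quote:
        problems.append("unterminated string literal")
    if depth:
        problems.append("unmatched '('")
    if ";" in bare:
        problems.append("semicolon outside a string literal")
    props = SUB_TOKEN.findall(bare)
    # Any 'SUB' followed by a colon that is not a well-formed SUB::name is suspect.
    if len(re.findall(r"\bSUB\b\s*:", bare, re.I)) != len(props):
        problems.append("malformed SUB:: reference")
    return problems, props

if __name__ == "__main__":
    # Constructed sample conditions; manager_id, region and dept are made-up columns.
    for cond in ("manager_id = SUB::SAS.Userid",
                 "WHERE region = 'EAST'",
                 "(region = 'EAST' or region = 'WEST",
                 "dept = SUB:SAS.Userid;"):
        print(repr(cond), "->", lint_condition(cond))
```

Compare the property names it returns with the list in the Security Administration Guide, and confirm the filter by querying the table as the affected identity after saving.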