PROC SQL; connect to sasspds (dbq="path1" server=host.port user='anonymous'); /* queries comparing literal rows are */ /* only selected if the symbolic */ /* substitution evaluates as 'true' */ select * from connection to sasspds( select * from mytable where "@SPDSUSR" = "SOMEUSER"); select * from connection to sasspds( select * from mytable where "@SPDSGRP" = "SOMEGROUP"); select * from connection to sasspds( select * from mytable where "@SPDSSPEC" = "TRUE"); /* queries based on column values will only */ /* select appropriate columns */ select * from connection to sasspds( select * from mytable where usercol = "@SPDSUSR"); select * from connection to sasspds( select * from mytable where grpcol = "@SPDSGRP"); /* Create a view to worktable that allows */ /* users FRED or BOB, groups BCD or ACD, or */ /* someone with ACLSPECIAL to read the table */ execute(create view workview as select * from worktable where "@SPDSUSR" in ("FRED", "BOB") or "@SPDSGRP" in ("BCD", "ACD") or "@SPDSSPEC" = "TRUE") by sasspds; /* Create a view to worktable that allows users */ /* to access only rows where the column "usergrp" */ /* matches their group. The userID BOSS can access */ /* any group records where the column "userid" is */ /* "BOSS" */ execute(create view workview as select * from worktable where usergrp = "@SPDSGRP" and ("@SPDSUSR" = "BOSS" or userid != "BOSS")) by sasspds; disconnect from sasspds; quit;
libnames.parm: ---------------------------------- LIBNAME=d1 pathname=/IDX1/spdsmgr/d1 owner=admin ; LIBNAME=d2 pathname=/IDX1/spdsmgr/d2 owner=prod1 ; LIBNAME=colsec pathname=/IDX1/spdsmgr/colsec owner=boss ; LIBNAME=onepath pathname=/IDX1/spdsmgr/onepath ; Password database List: User Level Entry Type Group ----------------------------------- ADMINGRP 0 GROUP ENTRY GROUP1 0 GROUP ENTRY GROUP2 0 GROUP ENTRY GROUP3 0 GROUP ENTRY GROUP4 0 GROUP ENTRY PRODGRP 0 GROUP ENTRY ADMIN1 7 user ID ADMINGRP ADMIN2 7 user ID ADMINGRP PROD1 7 user ID PRODGRP PROD2 7 user ID PRODGRP USER1 0 user ID GROUP1 USER2 0 user ID GROUP2 USER3 0 user ID GROUP3 USER4 0 user ID GROUP4 USER5 0 user ID GROUP1 USER6 0 user ID GROUP2 USER7 0 user ID GROUP3 USER8 0 user ID GROUP4 BOSS 7 user ID ADMINGRP EMPLOYEE 0 user ID
LIBNAME d2 sasspds 'd2' server=zztop.5162 user='prod1' password='spds123' IP=YES ; /* Give permissions to LIBNAME */ PROC SPDO library=d2 ; /* assign who owns the ACLs */ set acluser prod1 ; /* Give specific groups access */ /* to the domain. */ add ACL / LIBNAME ; modify ACL / LIBNAME prodgrp=(y,y,y,y) group1=(y,y,n,n) group2=(y,n,n,n) group3=(y,n,n,n) ; /* Give spedific users access to */ /* the domain */ modify ACL / LIBNAME user7=(y,n,n,n) admin1=(y,n,n,n) ; list ACL _all_ ; quit ;
LIBNAME prod2d2 sasspds 'd2' server=zztop.5162 user='prod1' password='spds123' IP=YES ; PROC SPDO library=prod2d2 ; /* Set user ID as 'user1', who owns */ /* the ACL to be modified */ set acluser prod1 ; modify ACL / LIBNAME group1=(n,n,n,n) group4=(y,n,n,n) ; list ACL _all_ ; quit ;
LIBNAME admin1d2 sasspds 'd2' server=zztop.5162 user='admin1' password='spds123' ACLSPECIAL=YES IP=YES ; PROC SPDO library=admin1d2 ; /* The ACLSPECIAL= statement allows */ /* the user 'admin1' to operate under */ /* the user ID 'prod1', allowing the */ /* ACLs to be modified. */ set acluser prod1 ; modify ACL / LIBNAME admingrp=(y,n,n,n) ; list ACL _all_ ; quit ;
/* information from libnames.parm */ /* */ /* LIBNAME=LIBINHER */ /* pathname=/IDX1/spdsmgr/spds41test/libinher */ /* LIBACLINHERIT=YES */ /* owner=admin; */ /* LIBNAME=noinher */ /* pathname=/IDX1/spdsmgr/spds41test/noinher */ /* owner=admin; */ LIBNAME libinher sasspds 'libinher' server=zztop.5129 user='admin' password='spds123'; LIBNAME noinher sasspds 'noinher' server=zztop.5129 user='admin' password='spds123'; data libinher.admins_table noinher.admins_table ; do i = 1 to 10; output; end; run; /* Set up LIBNAME access for user anonymous */ PROC SPDO library=libinher; /* set who will own these ACLs */ set acluser admin; /* Add a LIBNAME ACL to d1 */ add acl / LIBNAME; /* Modify LIBNAME ACL Domain d1 */ /* Allow users in Group 1 read-only */ /* access to the domain */ modify acl / LIBNAME read; list acl _all_; quit; /* Set up LIBNAME access for user anonymous */ PROC SPDO library=noinher; /* Specify who owns these ACLs */ set acluser admin ; /* add a LIBNAME ACL to d1 */ add acl / LIBNAME ; /* Modify LIBNAME ACL Domain d1 */ /* Allow users in Group 1 read-only */ /* access to the domain */ modify acl / LIBNAME read ; list acl _all_; quit; LIBNAME a_inher sasspds 'libinher' server=zztop.5129 user='anonymous'; LIBNAME a_noher sasspds 'noinher' server=zztop.5129 user='anonymous'; PROC PRINT data=a_inher.admins_table; title 'with libaclinher'; run; PROC PRINT data=a_noher.admins_table; title 'without libaclinher'; run;
/* John logs in using the anonymous */ /* user ID and creates a table */ LIBNAME john sasspds 'onepath' server=zztop.5162 user='anonymous' password='anonymous' IP=YES ; data john.anonymous_table ; do i = 1 to 100 ; output ; end ; run ; /* Mary can also log in as anonymous */ /* and read the table that John */ /* created. */ LIBNAME mary sasspds 'onepath' server=zztop.5162 user='anonymous' IP=YES ; PROC PRINT data=mary.anonymous_table (obs=10) ; title 'mary reading anonymous_table' ; run ; /* user1 can log in and read the table */ /* that John created */ LIBNAME user1 sasspds 'onepath' server=zztop.5162 user='user1' password='spds123' IP=YES ; PROC PRINT data=user1.anonymous_table (obs=10) ; title 'user1 reading anonymous_table' ; run ; /* Tables created by user ID anonymous */ /* can have ACLs */ PROC SPDO library=john ; /* assign who owns the ACL */ set acluser anonymous ; /* The MODIFY statement sets an ACl so */ /* only user ID 'anonymous' can read */ /* the table */ add ACL anonymous_table ; modify ACL anonymous_table / anonymous=(y,n,n,n); list ACL _all_; quit ; /* Now, only user ID 'anonymous' can */ /* read the table */ LIBNAME user1 sasspds 'onepath' server=zztop.5162 user='user1' password='spds123' IP=YES ; PROC PRINT data=user1.anonymous_table (obs=10) ; title 'user1 trying to read anonymous_table' ; run ; LIBNAME mary sasspds 'onepath' server=zztop.5162 user='anonymous' password='anonymous' IP=YES ; PROC PRINT data=mary.anonymous_table (obs=10) ; title 'mary reading anonymous_table' ; run ; /* Mary can't write to anonymous_table */ data mary.anonymous_table ; do i = 1 to 100 ; output ; end ; run ;
LIBNAME d1 sasspds 'd1' server=zztop.5162 user='admin1' password='spds123' IP=YES ; PROC SPDO library=d1 ; /* assign who owns the ACLs */ set acluser admin1 ; /* add a LIBNAME ACL to d1 */ add ACL / LIBNAME ;
modify ACL / LIBNAME admingrp=(y,y,y,y) group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,y,n,n) group4=(y,y,n,n) ; list ACL _all_; quit ; /* create two tables */ data d1.admin1_table1 ; do i = 1 to 100 ; output ; end ; run ; /* admin1 has write priviliges to */ /* the domain */ data d1.admin1_table2 ; do i = 1 to 100 ; output ; end ; run ; /* Generic ACLs allow all users to */ /* read tables created by admin1 */ /* unless a specific ACL is placed */ /* on a resource */ PROC SPDO library=d1 ; /* Assign who owna the ACLs */ set acluser admin1 ;
add ACL / generic read ; modify ACL / generic read admingrp=(y,n,n,y) ; list ACL _all_; quit ; /* Test access for a user in group1 */ LIBNAME user1d1 sasspds 'd1' server=zztop.5162 user='user1' password='spds123' IP=YES ; PROC PRINT data=user1d1.admin1_table1 (obs=10) ; title 'read admin1_table1 by user1' ; run ; PROC PRINT data=user1d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user1' ; run ; /* Test access for a user in group2 */ LIBNAME user2d1 sasspds 'd1' server=zztop.5162 user='user2' password='spds123' IP=YES ; PROC PRINT data=user2d1.admin1_table1 (obs=10) ; title 'read admin1_table1 by user2' ; run ; PROC PRINT data=user2d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user2' ; run ;
PROC SPDO library=d1 ; /* Assign who owns the ACLs */ set acluser admin1 ; /* This ACL takes precedence over the */ /* generic ACL for users that try to */ /* access admin1_table2. */ add ACL admin1_table2 ; modify ACL admin1_table2 / group1=(y,n,n,n) admingrp=(y,n,n,y) ; list ACL _all_; quit ; /* Test access for a user in group1 */ LIBNAME user1d1 sasspds 'd1' server=zztop.5162 user='user1' password='spds123' IP=YES ; PROC PRINT data=user1d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user1' ; run ; /* Test access for a user in group2 */ LIBNAME user2d1 sasspds 'd1' server=zztop.5162 user='user2' password='spds123' IP=YES ; PROC PRINT data=user2d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user2' ; run ;
LIBNAME d1 sasspds 'd1' server=zztop.5162 user='admin' password='spds123 IP=YES ; PROC SPDO library=d1 ; /* assign who owns the ACLs */ set acluser admin ; /* add a LIBNAME ACL to d1 */ add ACL / LIBNAME ; /* Allow any user in same group */ /* as admin to read, write, or */ /* alter tables in the domain */ modify ACL / LIBNAME admingrp=(y,y,y,n) group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,y,n,n) group4=(y,y,n,n) ; list ACL _all_; run; /* admin1 has write privileges to */ /* the domain */ data d1.admin1_table1 ; do i = 1 to 100 ; output ; end ; run ; /* Generic ACL allows all users to */ /* read tables created by admin1 */ PROC SPDO library=d1 ; /* assign who owns the ACLs */ set acluser admin1 ; /* Modify LIBNAME for groupread */ /* and groupwrite. The ACL MUST */ /* inlcude groupread if other */ /* users in the same group as */ /* admin2 need to be able to read */ /* tables that were created by */ /* admin2. */ add ACL admin1_table1 / generic read groupread groupalter ; list ACL _all_; run; /* admin1 has write privileges to */ /* the domain */ data d1.admin1_table2 ; do i = 1 to 100 ; output ; end ; run ; /* generic ACL allows all users to */ /* read the tables */ PROC SPDO library=d1 ; /* assign who owns the ACLs */ set acluser admin1 ; /* Add a table and modify LIBNAME ACL */ /* for groupread and groupwrite. The */ /* ACL MUST include groupread to give */ /* users in the same group as admin2 */ /* the ability to read tables created */ /* by admin2 */ add ACL admin1_table2 / group1=(y,n,n,n) admingrp=(y,n,n,y) ; list ACL _all_; run; /* admin2 has write privileges to the */ /* domain */ data admin2d1.admin2_table ; do i = 1 to 100 ; output ; end ; run ; /* Admin2 must use PROC SPDO to allow */ /* users read access to the table. */ /* The PROC SPDO example below uses */ /* generic syntax with a read. This */ /* provides any user outside of the */ /* admingrp read access to tables */ /* that were created by acdmin2. The */ /* groupread and groupalter allow */ /* access by users within admingrp. */ PROC SPDO library=admin2d1 ; /* Assign who owns the ACLs */ set acluser admin2 ; /* Modify LIBNAME ACL for groupread */ /* and groupwrite. The ACL MUST */ /* include groupread if other users */ /* in the same group as admin2 need */ /* to read tables created by admin2. */ add ACL / generic read groupread groupalter ; list ACL _all_; /* admin (same group) can read the */ /* table */ PROC PRINT data=d1.admin2_table (obs=10) ; title 'read by admin' ; run ; /* Admin has been given the ability to */ /* modify or replace tables created by */ /* admin2 with 'groupalter' */ data d1.admin2_table ; do i = 1 to 100 ; output ; end ; run ; /* Provide other users in same group */ /* read access to the table */ PROC SPDO library=admin2d1 ; /* assign who owns the ACLs */ set acluser user3 ; /* Modify LIBNAME ACL for groupread */ /* and groupwrite. The ACL MUST */ /* include groupread if other users in */ /* the same group as admin2 are to be */ /* able to read tables that were */ /* created by admin2 */ add ACL user3_table / groupread ; list ACL _all_;
LIBNAME d2 sasspds 'd2' server=zztop.5162 user='prod1' password='spds123' IP=YES ;
PROC SPDO library=d2 ; /* assign who will owns these ACLs */ set acluser prod1 ;
modify ACL prod1_table / prodgrp=(n,n,n,n) group1=(n,n,n,n) group2=(n,n,n,n) group3=(n,n,n,n) group4=(n,n,n,n) ;
modify ACL prod1_table / prod1=(y,y,y,y) ; list ACL _all_; quit;
data d2.prod1_table ; do i = 1 to 100 ; output ; end ; run ; PROC SPDO library=d2 ; /* Specify who owns the ACLs */ set acluser prod1 ;
LIBNAME d2 sasspds 'd2' server=zztop.5162 user='prod1' password='spds123' IP=YES ; PROC SPDO library=d2 ; /* Assign who owns the ACLs */ set acluser prod1 ;
modify ACL / LIBNAME prodgrp=(y,y,y,y) group1=(n,n,n,n) group2=(n,n,n,n) group3=(n,n,n,n) group4=(n,n,n,n); list ACL _all_ ; run ; /* Modify ACL for tables to be refreshed */ PROC SPDO library=d2 ; /* set who owns the ACLs */ set acluser prod1 ; /* Modify table ACL to revoke read and */ /* control by user IDs in same group, */ /* which prevents locks during table */ /* refreshes. */ modify ACL prod1_table / prodgrp=(n,n,n,n); /* Modify table ACL to allow the */ /* 'prod1' user ID to refresh the */ /* table. */ modify ACL prod1_table / prod1=(y,y,y,y) ; list ACL _all_; /* refresh warehouse table(s) */ data d2.prod1_table ; do i = 1 to 100 ; output ; end ; run ; PROC SPDO library=d2 ; /* Assign who owns the ACLs */ set ACLUSER prod1 ; /* Allow users and groups access to */ /* the domain again. */ modify ACL / LIBNAME group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,n,n,n) group4=(y,n,n,n) ; list ACL _all_ ; run ;
LIBNAME prod1d2 sasspds 'd2' server=zztop.5162 user='prod1' password='spds123' aclspecial=YES IP=YES ; PROC SPDO library=prod1d2 ; /* assign to the user to who owns */ /* the ACL that will be modified */ set acluser user1 ; /* give user ID 'user4' read access */ /* to user1_table1 */ modify ACL user1_table1 / user4=(y,n,n,n) ; list ACL _all_ ; quit;
LIBNAME user1 sasspds 'onepath' server=zztop.5161 user='user1' password='spds123'; LIBNAME user2 sasspds 'onepath' server=zztop.5161 user='user2' password='spds123' aclgrp='group2'; LIBNAME user6 sasspds 'onepath' server=zztop.5161 user='user3' password='spds123' aclgrp='group2'; /* generate some dummy data */ data user1.t; id=1; salary=2000; run; /* Example of only user2 in group2 */ /* being allowed to read column */ /* salary */ PROC SPDO library=user1 ; /* Assign who owns the ACLs */ set acluser; /* Clean Up */ delete ACL t; delete ACL t.salary; /* Create an ACL on table t to */ /* allow members of group2 to read */ /* table */ add ACL t; modify ACL t / group2=(y,n,n,n); /* Create an ACL on column t.salary*/ /* to only allow user2 of group2 to */ /* read the column */ add ACL t.salary; modify ACL t.salary / group2=(y,n,n,n); quit; /* Let both users print the table */ /* Only user2 can access column */ /* salary */ proc print data=user2.t; run; proc print data=user6.t; run; /* Example of every BUT user2 in */ /* group2 being allowed to read */ /* column salary */ PROC SPDO library=user1 ; /* Assign who owns the ACLs */ set acluser; /* Clean Up Column ACL */ delete ACL t.salary; /* Create an ACL on column t.salary*/ /* to only allow members of group2 to */ /* read the column */ add ACL t.salary; modify ACL t.salary / user2=(y,n,n,n); /* User permissions have priority over */ /* group permissions. So now deny */ /* user2 access to column salary */ modify ACL t.salary / user2=(n,n,n,n); quit; /* Let both users print the table */ /* Only user6 can access column */ /* salary */ proc print data=user2.t; run; proc print data=user6.t; run; quit;