Domain Access Options

When you issue a libref statement to create a domain for SPD Server, you can use the following optional specifications to control the accessibility of resources among other SPD Server users:
OWNER=
LIBACLINHERIT=
DYNLOCK=
Overview of Dynamic Locking
Benefits of Dynamic Locking
Dynamic Locking Details
Usage

OWNER=

Specifies the owner of a domain. The SPD Server owner controls the resources of the domain, and can create a LIBNAME ACL on the domain to grant or deny privileges to other SPD Server users. When the domain is specified with an owner, only the owner can use the TEMP=YES LIBNAME option with the domain.
The owner can use LIBNAME ACL to grant the following:
  • READ access to allow a user or group to get a LIBNAME to the domain
  • WRITE access to allow a user or group to create new objects in the domain
  • CONTROL access to allow a user or group to modify the owner's LIBNAME ACL
Usage:
OWNER=owner-id

LIBACLINHERIT=

The LIBACLINHERIT parameter file option controls the ACL precedence of permission checks. Precedence of permission checks includes inheriting the permissions of the LIBNAME ACL for resources owned by the domain owner. In this case, the LIBNAME ACL is used first to give READ or WRITE access to the domain, and then to inherit ACLs to resources that belong to the domain owner. When a user attempts to access resources in a domain where the domain owner specifies LIBACLINHERIT=YES, the following ACL precedence of permissions checks are made on the resource:
  1. If user-specific permissions are defined on the object for the accessor, the accessor gets these permissions.
  2. If group-specific permissions are defined on the object for the accessor's group, the accessor gets these permissions.
  3. If LIBNAME ACL permissions are defined for the accessor, the accessor gets the LIBNAME ACL permissions on the object.
  4. If LIBNAME ACL permissions are defined for the accessor's group, the accessor gets the LIBNAME ACL permissions on the object.
  5. Else, the accessor gets UNIVERSAL ACLs on the resource.
An OWNER=<owner-name>LIBACLINHERIT=YES domain statement uses a slightly different methodology because of the OWNER= parameter. When specifying the OWNER= parameter with LIBACLINHERIT=YES, the owner can grant:
  • READ access to allow a user or group to get a LIBNAME to the domain
  • ALTER access to allow a user or group to create new objects in the domain
  • CONTROL access to allow a user or group to modify the owner's LIBNAME ACL
ALTER access can be used with OWNER= and LIBACLINHERIT=YES to allow a user or group to create a new resource in the domain. In some cases, ALTER access is preferable to WRITE access for an OWNER= domain, because ALTER access prevents users or groups that inherit WRITE access from writing to, updating, or deleting resources that were created by the domain owner. LIBNAME ALTER access with OWNER= and LIBACLINHERIT=YES allows the owner to grant privileges to users to create objects in the domain, and WRITE access can be used to inherit write access to the owner's resources.
The following is an example of SAS code submitted to SPD Server using LIBACLINHERIT. The example begins by showing information in the libnames.parm file where domain names and paths are declared.
Contents of the libnames.parm file:
LIBNAME=libinher
PATHNAME=/IDX1/spdsmgr/spds45test/libinher
LIBACLINHERIT=YES
OWNER=admin ;

LIBNAME=noinher
PATHNAME=/IDX1/spdsmgr/spds45test/noinher
OWNER=admin ;
SAS code submitted to SPD Server by the user: 
LIBNAME libinher sasspds 'libinher'
  server=gomez.5129
  user='admin'
  password='spds123' ;

LIBNAME noinher sasspds 'noinher'
  server=gomez.5129
  user='admin'
  password='spds123' ;

data libinher.admins_table
  noinher.admins_table ;

  do i = 1 to 10 ;
    output ;
end ;
run ;


/* LIBNAME access for user anonymous */
  PROC SPDO library=libinher ;


/* Admin owns these ACLs */
  set acluser admin ;


/* Add a LIBNAME ACL to d1 */
  add acl / LIBNAME ;


/* Modify LIBNAME ACL Domain d1  */
/* Allow users in Group 1        */
/* read-only access to domain    */

modify acl / LIBNAME read ;

list acl _all_ ;
quit ;


/* Set up LIBNAME access for  */
/* user anonymous             */
PROC SPDO library=noinher ;


/* Specify who owns these ACLs */
  set acluser admin ;


/* add a LIBNAME ACL to d1 */
  add acl / LIBNAME ;


/* Modify LIBNAME ACL Domain d1 */
/* Allow users in Group 1 read- */
/* only access to the domain    */

modify acl / LIBNAME read ;

list acl _all_ ;
quit ;

LIBNAME a_inher sasspds 'libinher'
  server=gomez.5129
  user='anonymous' ;

LIBNAME a_noher sasspds 'noinher'
  server=gomez.5129
  user='anonymous' ;

PROC PRINT data=a_inher.admins_table ;
  title 'with libaclinher' ;
run ;

PROC PRINT data=a_noher.admins_table ;
  title 'without libaclinher'
run ;

DYNLOCK=

Overview of Dynamic Locking

Dynamic locking is an SPD Server feature that allows multiple users concurrent access to SPD Server tables. The tables can be concurrently accessed by multiple users for reading and writing, while maintaining the integrity of the table contents. When dynamic locking is enabled, users can insert, append, delete, and update the contents of an SPD Server table while doing concurrent reads on the table.
Dynamic locking is enabled or disabled at the domain level. All tables stored within the domain are subject to the enabled or disabled state of the dynamic locking feature. The DYNLOCK= statement should be used in libnames.parm file domain declarations.
How is dynamic locking different from SPD Server record-level locking? Clients that use dynamic locking connect to a separate SPD user proxy process for each LIBNAME connection in the domain. In SPD Server record-level locking, all clients share the same record-level locking proxy process.

Benefits of Dynamic Locking

SPD Server uses the dynamic locking feature to alleviate some of the problems and limitations that occur with record-level locking.
The dynamic locking method of using separate proxy processes instead of a single record-level proxy distributes resource allocations, which decreases the probability of a single proxy process hitting resource limits. Dynamic locking also removes a single record-level locking point of failure for the record-level proxy.
If there is a failure in an SPD Server user proxy when dynamic locking is being used, only the client that is connected to that proxy is affected. If there is a failure in an SPD Server record-level proxy, it all client connections are affected.
Dynamic locking can also provide better performance than record-level locking. Dynamic locking has performance advantages over record-level locking when concurrent read and write access to a table is required. This is due to the more distributed processing and parallelism of that occurs when multiple SPD Server user proxies are used. The performance benefit depends on the opportunities for parallelism and should be measured on a case-by-case basis.

Dynamic Locking Details

In order to use dynamic locking, SPD Server tables must be part of a named SPD Server domain. When dynamic locking is enabled for a domain, all of the SPD Server users that access tables in that domain will automatically use dynamic locking. The SPD Server clients do not need to set any additional parameters to take advantage of the domain's dynamic locking benefits.
When SPD Server proxy processes receive concurrent update, append, insert, and delete commands, they are sequentially queued and then executed in order of arrival. Only one update operation is performed on a table at any one time. Read requests can be executed at any point while an update is in progress. Read requests get the most recent information that is available in the table, based on the last physical update to disk.
Dynamic locking is not a replacement for using record-level locking in cases where the user requires SAS record-level integrity across multiple clients. Reading a record using dynamic locking does not guarantee that the record cannot change before a subsequent read or update is executed. If a true record-level lock is needed by a client, then the record-level locking protocol should be used.
It is not possible to use record-level locking on a domain that has dynamic locking enabled.

Usage

To enable dynamic locking, use the DYNLOCK= statement in the libnames.parm file domain declarations. If the DYNLOCK= option is not specified, the default SPD Server setting for DYNLOCK is NO.
DYNLOCK=<YES/NO>
Copyright © SAS Institute Inc. All rights reserved.