Assume
you have the following SPD Server users:
User Password Group ACLSPECIAL
---- -------- ----- ----------
William worker1 group1 no
Guy worker2 group1 no
Frank worker3 group2 no
Ed worker4 group2 no
Bossman worker5 group2 no
Aclspec worker6 group3 yes
The user
Bossman
creates a table that contains sensitive data.
Only certain users or user groups are authorized to see certain rows
in the table.
Bossman
uses WHERE constraints
to control which table rows are available to different users or user
groups.
LIBNAME foo sasspds 'tmp' ... user="bossman";
DATA foo.employees;
input user $ grp $ salary $ position $ state $ region $;
cards;
WILLIAM GROUP1 70000 Engr1 CA W
GUY GROUP1 60000 Engr1 CA W
ED GROUP1 50000 Engr2 NJ E
FRANK GROUP2 80000 Engr2 TX S
TOM GROUP2 65000 Engr3 WA W
BOSSMAN GROUP2 80000 Mgr NJ E;
The following
code provides Read access for all users and uses table WHERE constraints
to determine which table rows a user or user group can see:
PROC SPDO lib=foo;
SET ACLUSER;
ADD ACL employees;
MODIFY ACL employees / read;
quit;
The following
code creates a table WHERE constraint that allows
Bossman
to read any row of the table, but any other user can read only rows
where the value in the User column matches the user's user ID.
PROC SPDO lib=foo;
SET ACLUSER;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN");
constraint describe employees;
quit;
The following
code creates a table WHERE constraint that allows
Bossman
or an ACLSPECIAL user to read any row of the table, but any other
user can read only rows where the value in the User column matches
the user's group ID.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (grp= "@SPDSGRP")
or ("@SPDSUSR" = "BOSSMAN")
or ("@SPDSSPEC" = "TRUE");
constraint describe employees;
quit;
The following
code creates a table WHERE constraint that allows
Bossman
to read all rows. Other users can read only rows where the value
in the User column matches the user's user ID, except for user
Guy
, who can also read rows for employees from the state
of California.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN")
or ("@SPDSUSR" = "GUY" and state = "CA");
constraint describe employees;
quit;
The following
code creates a table WHERE constraint that allows
Bossman
to read all rows. Other users can read only rows where the value
in the User column matches the user's user ID, or rows where the value
in the Salary column is less than or equal to $6,000 per month, rounded
down to the nearest dollar.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN")
or (floor(salary/12) <= 6000);
constraint describe employees;
quit;
The following
code creates a table WHERE constraint that allows
Bossman
to read all rows.
William
can read rows
for employees that belong to the West region.
Ed
can read rows for employees that belong to the East region.
Frank
can read rows for employees
that belong to the South region.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (("@SPDSUSR" = "BOSSMAN")
or ("@SPDSUSR" = "WILLIAM" and REGION = "W")
or ("@SPDSUSR" = "ED" and REGION = "E")
or ("@SPDSUSR" = "FRANK" and REGION = "S"));
constraint describe employees;
quit;