SPD Server ACL Security Model

Overview of the ACL Security Model

SPD Server provides a security system that is based on Access Control Lists, or ACLs.
SPD Server comes bundled with SAS Management Console. SAS Management Console is a GUI utility that you can use to manage passwords and ACLs. SAS Management Console manages passwords using the same capabilities that the psmgr utility provides, and it also manages ACLs using the same capabilities provided by PROC SPDO.

ACL Security

UNIX File-Level Protection with ACL Security

Each session of SPD Server is attached to a user with a UNIX or Windows user ID. If SPD Server runs on UNIX, all files that the software creates are protected according to the permissions for creating UNIX files that are associated with that UNIX user's ID. SPD Server can read or write only files that have the appropriate file and directory access permissions to the SPD Server's user's ID. Use the UNIX umask command to restrict the permissions for creating files.

Validating User IDs and Passwords

SAS users must issue a user ID and password with the LIBNAME statement to connect to SPD Server. The user ID and password are verified against an SPD Server user ID table that is set up by the system administrator. You can enforce the expiration of passwords by using the psmgr administration tool for the user ID table or by using SAS Management Console, if it is installed and configured for SPD Server. Whether you are in a Windows or UNIX environment, you can prevent logins under the anonymous user ID by placing user anonymous in the user ID table with a password that is unknown to the SAS users.

Controlling LIBNAME Domains with ACL Security

You define the valid LIBNAME domains by adding entries in the LIBNAME parameter file for each SPD Server. The PATHNAME= specification defines the file system for the LIBNAME. LIBNAME= specifications provide the access route to the file system. Restricting knowledge of the LIBNAME= specification information restricts access to the corresponding file systems.

User Ownership of LIBNAME Domains and Tables

In the LIBNAME parameter file, you can attach the OWNER= specification to any defined LIBNAME domain. Only the system user whose user ID matches the OWNER= specification can create tables in this domain. (However, that user can grant other users Read or Write access rights through ACLs that were issued from the SAS LIBNAME statement.)
Each table created is tagged with the SPD user ID (referred to as the owner) of the user who created it. Only the owner or ACLSPECIAL users can access a table. (However, the owner can grant access to other users through ACLs by adding a LIBNAME ACL with PROC SPDO.)

Granting Permissions with ACLs

An SPD Server ACL permits three distinct levels of permission on a resource. First, you can grant Universal permissions to SPD Server users who are not in the same ACL group as the resource owner. Second, you can grant Group permissions to SPD Server users who are in the same ACL group as the resource owner. Third, you can grant User permissions to a specific SPD Server user ID. The precedence of permission checks is as follows:
  1. Check user-specific permissions first. If permissions are defined, the accessor is granted these permissions.
  2. If a resource is owned by the same ACL group as the accessor, the accessor is granted the resource's Group permissions.
  3. If the resource is owned by a different ACL group than the accessor, the accessor is granted the resource's Universal permissions.

ACL Concepts

ACL Groups

ACL groups are similar to UNIX groups. Each SPD Server user ID can belong to one or more ACL groups.
You can associate a given SPD Server user ID with up to five ACL groups. When a user connects to an SPD Server using a LIBNAME assignment, the user specifies a specific ACL group by using the ACLGRP= option. The ACLGRP= value in the user’s LIBNAME assignment must match one of the five groups that you defined for that user. If the user does not specify ACLGRP= in the LIBNAME assignment, the SPD Server affiliates the user with his or her default ACL group (which is the first group in the list).
When you define user-specific ACL permissions, you can use an ACL group wherever you can use an explicit SPD Server user ACL. Using an ACL group grants permissions to the ACL group instead of to only a specific SPD Server user.

Column Security

You can control access to table contents at the column level by using ACLs. You can apply column-level security ACLs to individual users at the user level, or to collections of users at the group level. SPD Server enforces precedence for user and group ACL permissions: first, user ACL permissions are applied, then group ACL restrictions are applied. SPD Server user permissions override SPD Server group permissions.
When you use an ACL statement to create a protected column in a table, all individual users or groups are automatically denied access to the protected column until you explicitly grant them ACL permission to access it. When you issue an ACL statement to grant or deny the contents of a table column to a single user or to a user group, the protected column automatically becomes unavailable to all individual users and user groups, unless you specifically give them access to the protected column.
Consider a scenario in which a testing department hires a new member, Joe. Joe has applied for classified security clearance, but his security clearance level will not be certified for several weeks. All members of the department use an SPD Server table called Testing that contains a column of classified information. Joe needs access to all of the Testing table except the protected column, and the rest of his group needs access to the whole Testing table. Here are steps to give Joe and the other members of the department the correct permissions:
  1. You submit a user-level ACL statement to restrict the secure column in table Testing from Joe.
    Joe is explicitly denied access, but because the column is now a protected entity, all other users who access the Testing table are also denied access to the column by default.
  2. Instead of issuing user-level column ACL permissions to the rest of the testing group individually, you issue a group-level ACL column permission to the user group Testgroup. The permission must explicitly grant access to the protected column.
    After a column is protected with ACL security, you must grant explicit permissions in order for any user (or groups of users) to be able to access the column content.
  3. SPD Server reads the user-level ACL permissions first, and gives Joe access to the table Testing, but restricts him from the secure column.
  4. SPD Server reads the group ACL permissions and grants all of the Testgroup members access to the full table, including the secure column.
    Joe is a member of Testgroup, but the user-level ACL permissions maintain precedence over group-level ACL permissions. All the members of Testgroup have full table access, except Joe. Joe's user-level ACL column security restriction prevents him from accessing the classified column.
Now consider another scenario, in which John manages a group Devgroup whose members record their billable project hours and codes in an SPD Server table. In that table, manager John keeps billing-rate information based on employee salaries in a protected column Rate. Only John should be able to see the entire table, and the rest of the Devgroup should be able to see the table minus the Rate column. In this case, you create column security by protecting the Rate column with a user-level ACL permission statement for John. The Devgroup members can have full table permissions at the group level, but cannot see the protected column because John's user-level column security ACLs override any group-level ACLs for the Devgroup table.For example code that implements column-level security, see Column-Level Security Example.

Generic ACL

You can use generic ACL names for a class of resources that have a common prefix. You can use an asterisk (*) as a wildcard character to make a single ACL entry instead of making explicit entries for each resource. For example, if you have tables named Salesne, Salesse, Salesmw, Salessw, Salespw, and Salesnw, you could use the wildcard character to create the generic ACL name, Sales*, to include all of them. You then would define your ACL permissions on the Sales* generic ACL.
When you are using the SPDO procedure, use the /GENERIC command option to identify a generic ACL. (See Controlling SPD Server Resources with PROC SPDO.)
Note: If you specify /GENERIC when you define a table-column ACL, the /GENERIC option applies to the table name, not to the column name. You cannot use wildcard characters with column names.

LIBNAME ACL

You can control access permissions to an entire LIBNAME domain by using the SPD Server ACL facility. When you are using PROC SPDO, use the /LIBNAME option to identify the LIBNAME domain ACL.

Persistent ACL

A persistent ACL entry is an ACL that is not removed from the ACL tables when the resource itself is deleted. When you are using PROC SPDO, use the /PERSIST command option to identify a persistent ACL.

Resource

A PROC SPDO resource can be one of the following items:
  • a table (data set)
  • a table column (data set variable)
  • a catalog
  • a catalog entry
  • a utility file (for example, a VIEW, an MDDB, and so on)
  • a LIBNAME domain

Two-Part Resource Name

Two-part names identify a column entry in a table. Use the SAS convention table.column when you specify the table and column that you want to secure.
When you issue SPDO commands, you can use two-part names in any context that defines, modifies, lists, or deletes table-related ACLs. You can also specify the reserved word _ALL_ as the column name when you issue SPDO commands that support the _ALL_ resource name.

Giving Control to Others

You can permit other SPD Server users to alter your own ACL entry by granting a specific user or group access to that ACL entry. See MODIFY ACL and MODIFY ACL _ALL_ for more information about user-specific ACL entries.
Copyright © SAS Institute Inc. All rights reserved.