Precedence of permission checks for a LIBACLINHERIT=YES OWNER= domain can include inheriting the permissions of the LIBNAME ACL of the user for resources that are owned by the domain owner. This allows the domain owner to create domain resources that other users can access via LIBNAME ACLs, without having to create user or group ACLs for those resources.
When a user attempts to access resources in a LIBACLINHERIT=YES OWNER=<domain-name> domain, the following ACL precedence of permission checks is made on the resource:
- If user-specific ACLs are defined on the object for the user, the user gets these permissions.
- If group-specific ACLs are defined on the object for the user's group, the user gets these permissions.
- If LIBNAME ACL permissions are defined for the user and the resource belongs to the OWNER= of the domain, then the user gets the domain LIBNAME ACL permissions on the object.
- If LIBNAME ACL permissions are defined for the user's group and the user is a member of the OWNER= group of the domain, then the user gets the LIBNAME ACL group permissions on the object.
- If universal ACLs are defined on the object for the user, the user gets the universal ACL permissions.
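The following Python model walks the five checks above in the order listed, so you can see why LIBNAME ACLs are inherited only when LIBACLINHERIT=YES and only for objects the domain OWNER= created. It is an added illustration, not SPD Server code: the Domain/Resource classes, the permission strings and the data are constructed, and check 4 is simplified to "one of the user's groups has a LIBNAME ACL entry" inside the same ownership gate as check 3.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    owner: str                  # OWNER= of the domain
    libaclinherit: bool         # LIBACLINHERIT=YES -> True
    libname_acl: dict = field(default_factory=dict)  # principal -> set of perms


@dataclass
class Resource:
    owner: str                  # user who created the object
    user_acl: dict = field(default_factory=dict)     # user  -> set of perms
    group_acl: dict = field(default_factory=dict)    # group -> set of perms
    universal_acl: frozenset = frozenset()           # perms granted to everyone


def effective_perms(domain, resource, user, groups):
    """Apply the checks in the order the text lists them; the first match wins."""
    if user in resource.user_acl:                        # 1. user-specific ACL
        return "user ACL", frozenset(resource.user_acl[user])
    for g in groups:                                     # 2. group-specific ACL
        if g in resource.group_acl:
            return "group ACL", frozenset(resource.group_acl[g])
    # 3./4. LIBNAME ACL is inherited only with LIBACLINHERIT=YES and only for
    # resources owned by the domain's OWNER= (assumed modelling of check 4).
    if domain.libaclinherit and resource.owner == domain.owner:
        if user in domain.libname_acl:
            return "LIBNAME ACL (user)", frozenset(domain.libname_acl[user])
        for g in groups:
            if g in domain.libname_acl:
                return "LIBNAME ACL (group)", frozenset(domain.libname_acl[g])
    if resource.universal_acl:                           # 5. universal ACL
        return "universal ACL", frozenset(resource.universal_acl)
    return "none", frozenset()


def demo():
    """Constructed data mirroring the libinher/noinher example on this page."""
    libinher = Domain("admin", True, {"anonymous": {"read"}})
    noinher = Domain("admin", False, {"anonymous": {"read"}})
    admins_table = Resource(owner="admin")   # created by the domain owner
    other_table = Resource(owner="bob")      # created by some other user
    return {
        "inherit": effective_perms(libinher, admins_table, "anonymous", []),
        "no_inherit": effective_perms(noinher, admins_table, "anonymous", []),
        "not_owner": effective_perms(libinher, other_table, "anonymous", []),
    }
```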
An OWNER=<owner-name> LIBACLINHERIT=YES domain statement uses a slightly different methodology. When the owner specifies the OWNER= parameter with LIBACLINHERIT=YES, the owner can grant the following access levels:
- Read access to allow a user or group to get a LIBNAME to the domain
- Alter access to allow a user or group to create new objects in the domain
- Control access to allow a user or group to modify the owner's LIBNAME ACL
The owner can use Alter access with OWNER= and LIBACLINHERIT=YES to allow a user or group to create a new resource in the domain. Alter access is sometimes preferable to Write access for an OWNER= domain: Alter access prevents users or groups that inherit Write access from writing to, updating, or deleting resources that were created by the domain owner. When the owner uses LIBNAME Alter access with OWNER= and LIBACLINHERIT=YES, the owner can grant privileges to users to create objects in the domain. Granting Write access instead lets users inherit Write access to the owner's resources.
The following example shows SAS code submitted to SPD Server using LIBACLINHERIT. The example begins with information in the libnames.parm file where domain names and paths are declared.

Contents of the libnames.parm file:
LIBNAME=libinher
PATHNAME=/IDX1/spdsmgr/spds45test/libinher
LIBACLINHERIT=YES
OWNER=admin ;
LIBNAME=noinher
PATHNAME=/IDX1/spdsmgr/spds45test/noinher
OWNER=admin ;
SAS code submitted to SPD Server by the user:
LIBNAME libinher sasspds 'libinher'
server=gomez.5129
user='admin'
password='spds123' ;
LIBNAME noinher sasspds 'noinher'
server=gomez.5129
user='admin'
password='spds123' ;
data libinher.admins_table
noinher.admins_table ;
do i = 1 to 10 ;
output ;
end ;
run ;
/* LIBNAME access for user anonymous */
PROC SPDO library=libinher ;
/* Admin owns these ACLs */
set acluser admin ;
/* Add a LIBNAME ACL to d1 */
add acl / LIBNAME ;
/* Modify LIBNAME ACL Domain d1 */
/* Allow users in Group 1 */
/* read-only access to domain */
modify acl / LIBNAME read ;
list acl _all_ ;
quit ;
/* Set up LIBNAME access for */
/* user anonymous */
PROC SPDO library=noinher ;
/* Specify who owns these ACLs */
set acluser admin ;
/* add a LIBNAME ACL to d1 */
add acl / LIBNAME ;
/* Modify LIBNAME ACL Domain d1 */
/* Allow users in Group 1 read- */
/* only access to the domain */
modify acl / LIBNAME read ;
list acl _all_ ;
quit ;
LIBNAME a_inher sasspds 'libinher'
server=gomez.5129
user='anonymous' ;
LIBNAME a_noher sasspds 'noinher'
server=gomez.5129
user='anonymous' ;
PROC PRINT data=a_inher.admins_table ;
title 'with libaclinher' ;
run ;
PROC PRINT data=a_noher.admins_table ;
title 'without libaclinher' ;
run ;