Assume that the following
SPD Server users exist:
User Password Group ACLSPECIAL
---- -------- ----- ----------
William worker1 group1 no
Guy worker2 group1 no
Frank worker3 group2 no
Ed worker4 group2 no
Bossman worker5 group2 no
Aclspec worker6 group3 yes
The user
Bossman
creates
a table that contains sensitive data. Only some users or user groups
are authorized to see certain rows in the table.
Bossman
uses
WHERE constraints to control which table rows are available to different
users or user groups.
LIBNAME foo sasspds 'tmp' ... user="bossman";
DATA foo.employees;
input user $ grp $ salary $ position $ state $ region $;
cards;
WILLIAM GROUP1 70000 Engr1 CA W
GUY GROUP1 60000 Engr1 CA W
ED GROUP1 50000 Engr2 NJ E
FRANK GROUP2 80000 Engr2 TX S
TOM GROUP2 65000 Engr3 WA W
BOSSMAN GROUP2 80000 Mgr NJ E;
The following code provides
Read access for all users. The code uses table WHERE constraints to
determine which table rows a user or user group can read:
PROC SPDO lib=foo;
SET ACLUSER;
ADD ACL employees;
MODIFY ACL employees / read;
quit;
The user
Bossman
can
create table WHERE constraints to control access to the table in the
following ways:
-
Bossman
can
read any row of the table. Any other user can read only rows where
the value in the User column matches the user's user ID.
PROC SPDO lib=foo;
SET ACLUSER;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN");
constraint describe employees;
quit;
-
Bossman
or
an ACLSPECIAL user can read any row of the table; any other user can
read only rows where the value in the User column matches the user's
group ID.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (grp= "@SPDSGRP")
or ("@SPDSUSR" = "BOSSMAN")
or ("@SPDSSPEC" = "TRUE");
constraint describe employees;
quit;
-
Bossman
can
read all rows. Other users can read only rows where the value in the
User column matches the user's user ID, except for user
Guy
.
User
Guy
can also read rows for employees
from the state of California.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN")
or ("@SPDSUSR" = "GUY" and state = "CA");
constraint describe employees;
quit;
-
Bossman
can
read all rows. Other users can read only rows where the value in the
User column matches the user's user ID, or rows where the value in
the Salary column is less than or equal to $6,000 per month (rounded
down to the nearest dollar).
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (User = "@SPDSUSR")
or ("@SPDSUSR" = "BOSSMAN")
or (floor(salary/12) <= 6000);
constraint describe employees;
quit;
-
Bossman
can
read all rows. User
William
can read rows
for employees who belong to the West region. User
Ed
can
read rows for employees who belong to the East region. User
Frank
can
read rows for employees who belong to the South region.
PROC SPDO lib=foo;
SET ACLUSER;
constraint remove employees;
constraint add employees;
WHERE (("@SPDSUSR" = "BOSSMAN")
or ("@SPDSUSR" = "WILLIAM" and REGION = "W")
or ("@SPDSUSR" = "ED" and REGION = "E")
or ("@SPDSUSR" = "FRANK" and REGION = "S"));
constraint describe employees;
quit;