Using the ACL Command Set

Overview of the ACL Command Set

This section describes PROC SPDO commands that you use to create and maintain ACLs on SPD Server resources.
To issue an ACL-related command, you must first specify an ACL user ID to define the scope of your access. You might also want to set up a scoping member type to access ACLs for resource types other than DATA. Then you can add, modify, list, or delete ACLs within the scope that you set up. You can switch the scope of a user type, a member type, or both at any point in a command sequence. Then you can continue with additional ACL commands in the new scope.

SET ACLTYPE memtype;

sets the member type for subsequent ACL operations. Valid values are DATA, CATALOG, VIEW, and MDDB. The default is DATA.

SET ACLUSER [name];

sets the SPD Server user scope for subsequent ACL operations. The user scope restricts the user’s view to only those ACL records that have the specified user name as the owner of the ACL entry. If you omit the name value, the default name is the user who assigns the libref.
To perform an ACL operation on a resource entry, one of the following statements must be true:
  • the user is the owner of the ACL entry
  • the user has Control access to the ACL entry
  • ACLSPECIAL=YES is enabled on the user’s PROC SPDO LIBNAME connection
Note: You must first issue a SET ACLUSER command before you issue any ADD ACL commands that are described in the following section.
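The scoping sequence described above, shown as one complete PROC SPDO session. This is an added example, not code from the original page: the libref, domain name, host, port, and the user ID dataowner are placeholders, and the resource names are borrowed from the examples later on this page. The session sets the user scope before any ADD ACL, grants group and per-user access rather than universal access, lists the result for review, and then switches the member type mid-sequence.

```sas
/* Added example. Connection values are placeholders, not real hosts or IDs. */
libname pay sasspds 'payroll'     /* placeholder SPD Server domain        */
   server=spdshost.5400           /* placeholder host.port                */
   user='dataowner'               /* placeholder SPD Server user ID       */
   prompt=yes;                    /* prompt for the password; none stored */

proc spdo library=pay;

   /* User scope: only ACL entries owned by DATAOWNER are visible.
      This must come before any ADD ACL command. */
   set acluser dataowner;

   /* Member type scope. DATA is the default; stated here for clarity. */
   set acltype data;

   /* Table ACL: group Read only. No universal option is specified. */
   add acl mine_jan2006/groupread;

   /* Column ACL: group Read on SALARY, access denied to all others. */
   add acl mine_jan2006.salary/groupread;

   /* User list order is (Read, Write, Alter, Control):
      RALPH gets Read only and no Control over the ACL entry. */
   modify acl mine_jan2006/ralph=(y,n,n,n);

   /* Review the table ACL followed by its column ACLs. */
   list acl mine_jan2006/verbose;

   /* Switch the member type scope; the user scope is unchanged. */
   set acltype catalog;
   add acl mycat/groupread;
   list acl _all_;

quit;
```

DATAOWNER owns every entry it creates here, so the ownership condition is met and ACLSPECIAL=YES is not needed on the LIBNAME connection.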

ADD ACL Command

ADD ACL acl1 acl2... [C=cat T=type] [/options];

creates new ACL entries acl1 acl2, and so on. All the ACL entries that you create can be one-part resource names or two-part (table.column) names.
Specify one or more of the following ADD ACL options:
READ
grants universal Read access to the resource.
WRITE
grants universal Write access to the resource.
ALTER
grants universal Alter access to the resource.
GROUPREAD
grants group Read access to the resource.
GROUPWRITE
grants group Write access to the resource.
GROUPALTER
grants group Alter access to the resource.
GENERIC
indicates that the specified ACLs are generic ACLs.
PERSIST
indicates that the specified ACLs are persistent ACLs.
LIBNAME
identifies the special LIBNAME domain resource.
MODEL=acl-name
specifies the name of another ACL. This option requests SPD Server to copy all the access permissions and access list entries from this ACL.
C=cat
identifies the specified ACL names as the names of catalog entries in the catalog cat. Pair this value with the T= option.
T=type
identifies the catalog entry type that is used to qualify the specified ACLs when the C=cat option is specified.

ADD ACL Command Examples

Add a LIBNAME Domain ACL
This ACL grants universal Read and group Write access.
     add acl/LIBNAME
        read
        groupwrite;
Add a Resource ACL
This ACL for the resource MINE_JAN1999 grants universal Read and Write access.
add acl mine_jan1999/read write;
Add a Generic ACL
This generic ACL for MINE* grants universal Read access.
add acl mine/generic read;
Add a Column ACL
This ACL for the column MINE_JAN2006.SALARY grants group Read access and denies access to all others.
add acl mine_jan2006.salary/groupread;
Add a Generic Column ACL
This ACL for the column MINE*.SALARY grants group Read access and denies access to all others.
     add acl mine.salary/generic
        groupread;
Add a Catalog ACL
This ACL for the MYCAT catalog grants universal Read and group Read / Write access.
     set acltype catalog;
     add acl mycat/read
      groupread
      groupwrite;
 
Add a Generic ACL for Catalog Entries
This ACL for catalog entries, MYCAT.MY*.CATAMS, grants universal Read and group Read access.
    set acltype catalog;
     add acl my
      c=mycat
      t=catams/generic
      read
      groupread;

MODIFY ACL and MODIFY ACL _ALL_

MODIFY ACL acl1 acl2... [C=cat T=type] /options User List;

MODIFY ACL _ALL_ /options User List;

modifies existing ACLs for the specified resources (acl1, acl2, and so on). The ACL entries can be one-part resource names or two-part (table.column) names. Specify _ALL_ to modify all existing ACLs for which you have Control access. If you specify _ALL_ as the table identifier in a two-part name, you modify all tables for which the given column is matched. If you specify _ALL_ as the column identifier in a two-part name, you modify all columns for which the given table is matched. Specify the characteristics that you want to modify by specifying one or more of the following options, or by specifying a user list.
Specify one or more of the MODIFY ACL options:
READ
grants universal Read access.
NOREAD
removes universal Read access.
WRITE
grants universal Write access.
NOWRITE
removes universal Write access.
ALTER
grants universal Alter access.
NOALTER
removes universal Alter access.
GROUPREAD
grants group Read access.
NOGROUPREAD
removes group Read access.
GROUPWRITE
grants group Write access.
NOGROUPWRITE
removes group Write access.
GROUPALTER
grants group Alter access.
NOGROUPALTER
removes group Alter access.
GENERIC
indicates that the specified ACLs are generic ACLs.
LIBNAME
identifies the special LIBNAME domain ACL.
C=cat
identifies the specified ACLs as names of catalog entries from the catalog cat. Pair this value with the T= option.
T=type
identifies the catalog entry type that is used to qualify the specified ACLs when the C=cat option is specified.
User List
a list of the following form: user name = (Y/N,Y/N,Y/N,Y/N) where each comma-delimited Y or N represents, in order, user settings for Read, Write, Alter, and Control privileges.

MODIFY ACL Command Examples

Modify a LIBNAME Domain ACL
This command modifies a LIBNAME domain to set Read and Write access for a given user.
modify acl/LIBNAME
  ralph=(y,y,n,n);
Modify the ACL MINE
This command modifies the ACL MINE_JAN2003 to deny universal Write access and to add user-specific permissions.
     modify acl mine_jan2003/nowrite
       bolick=(y,n,n,n)
       johndoe=(n,n,n,n);
Modify a Generic ACL
This command modifies the generic ACL MINE* to add user-specific permissions.
modify acl mine/generic
  tom=(y,y,y,n); 
Modify All ACLs
This command modifies all ACLs to grant Read access to a given user.
modify acl _all_/gene=(y,,,);
Modify a Column ACL
This command modifies the column ACL MINE_JAN2006.SALARY to add explicit Read and Write access for a given user.
modify acl mine_jan2006.salary/ralph=(y,y,n,n);
Modify a Generic Column ACL
This command modifies the generic column ACL MINE*.SALARY to add explicit Read and Write access for a given user.
modify acl mine.salary/generic
 debby=(y,y,n,n);
Modify an ACL for a Catalog
This command modifies the catalog MYCAT to remove universal Read and group Write access.
set acltype catalog;
  modify acl mycat/noread nogroupwrite;
Modify a Generic ACL for Catalog Entries
This command modifies the generic ACL for catalog entries MYCAT.MY*.CATAMS to remove universal Read access.
     set acltype catalog;
      modify acl my
       c=mycat
       t=catams/generic noread;

LIST ACL and LIST ACL _ALL_

LIST ACL acl1 acl2... [/options];

LIST ACL _ALL_ [/options];

lists information about the specified ACLs (acl1, acl2, and so on). The ACL entries can be one-part resource names or two-part (table.column) names. Specify _ALL_ to list all existing resource ACLs for which you have Control access. Specify _ALL_ as the table identifier in a two-part name to list all tables for which the given column is matched. Specify _ALL_ as the column identifier in a two-part name to list all columns for which the given table is matched.
Specify one or more of the LIST ACL options:
GENERIC
indicates that the specified ACLs are generic ACLs.
LIBNAME
identifies the special LIBNAME domain ACL.
C=cat
identifies the specified ACLs as names of catalog entries from the catalog cat. Pair this value with the T= option.
T=type
identifies the catalog entry type that is used to qualify the selected ACLs when the C=cat option is specified.
VERBOSE
performs the requested table ACL listing, followed by the column ACLs for one or more specified tables. This option is equivalent to specifying a LIST ACL table command followed by a LIST ACL table._ALL_ command.

LIST ACL Command Examples

List All ACL Entries
This command lists all ACL entries for the current ACL type setting.
list acl _all_;
List a Generic ACL
This command lists a generic ACL entry for MINE*.
list acl mine/generic;
List All Column ACLs for a Table
This command lists all column ACLs for table MINE_JAN2003.
list acl mine_jan2003._all_;
List All Column ACLs for All Tables
This command lists all column ACLs for all tables.
list acl _all_._all_;
List a Specific Column
This command lists the column ACL for MINE_JAN2006.SALARY.
list acl
 mine_jan2006.salary;
List All ACL Data for a Table
This command provides all ACL information for table MINE_JAN2006.
list acl
 mine_jan2006/verbose;
List All ACLs for Catalogs
This command lists all ACLs for the ACL type catalog.
set acltype catalog;
 list acl _all_;
List All ACLs for a Catalog
This command lists all ACLs for catalog MYCAT.?.CATAMS.
set acltype catalog;
 list acl _all_ c=mycat t=catams;

DELETE ACL and DELETE ACL _ALL_

DELETE ACL acl1 acl2... [C=cat T=type] /options;

DELETE ACL _ALL_ [C=cat T=type] /options;

deletes existing ACLs for the specified resources (acl1 acl2, and so on). The ACL entries can be one-part resource names or two-part table.column names. Specify _ALL_ to delete all existing resource ACLs for which you have Control access. Specify _ALL_ as the table identifier in a two-part name to delete all tables for which the given column is matched. If you specify _ALL_ as the column identifier in a two-part name, you delete all columns for which the given table is matched.
Specify one or more of the DELETE ACL options:
GENERIC
indicates that the specified ACLs are generic ACLs.
LIBNAME
identifies the special LIBNAME domain ACL.
C=cat
identifies the specified ACLs as names of catalog entries from the catalog cat. Pair this value with the T= option.
T=type
identifies the catalog entry type that is used to qualify the specified ACLs when the C=cat option is specified.

DELETE ACL Examples

Delete a LIBNAME ACL
This command deletes a LIBNAME ACL.
delete acl/LIBNAME;
Delete All ACLs for the Current ACL Type
This command deletes all the ACLs for the current ACL type.
delete acl _all_;
Delete a Resource ACL
This command deletes the ACL MINE_JAN2003.
delete acl mine_jan2003;
Delete a Generic ACL
This command deletes the generic ACL MINE*.
delete acl mine/generic;
Delete a Column ACL
This command deletes a column ACL on MINE_JAN2003.SALARY.
delete acl mine_jan2003.salary;
Delete All Column ACLs on a Table
This command deletes all column ACLs on the table KBIKE.
delete acl kbike._all_;
Delete All Column ACLs on All Tables
This command deletes all column ACLs on all tables.
delete acl _all_._all_;
Delete a Catalog ACL
This command deletes an ACL on the catalog RBIKE.
set acltype catalog;
 delete acl rbike;
Delete a Generic ACL on Catalog Entries
This command deletes a generic ACL on the catalog entries MYCAT.MY*.CATAMS.
set acltype catalog;
delete acl my
 c=mycat
 t=catams/generic;