View Access Inheritance

SPD Server uses view access inheritance to control access to tables that are referenced by SPD Server views. View access inheritance allows a user that has rights to a given view to also have rights to access the individual component tables that comprise the view.

For example, user Stan creates tables WinterSales and SpringSales, and then Stan creates a view that joins the two tables. Stan gives user Kyle Read access to the view. Using view access inheritance, because Kyle has Read access to the view of the joined tables, Kyle also has Read access to the individual component tables WinterSales and SpringSales.

/* User Stan creates tables WinterSales and SpringSales.   */
/* Only user Stan can read these tables directly.          */

LIBNAME Stan sasspds 'temp' user='Stan';
DATA Stan.WinterSales;
INPUT idWinterSales colWinterSales1 $ colWinterSales2 $ ... ;
...
;

DATA Stan.SpringSales;
INPUT idSpringSales colSpringSales1 $ colSpringSales2 $ ... ;
...
quit;

/* Stan creates view WinterSpring to join tables WinterSales */
/* and SpringSales. Stan gives user Kyle read access to the  */
/* view.  Because Kyle has rights to read view WinterSpring, */
/* he also has read access rights to the individual tables   */
/* that Stan used to create the view WinterSpring. Kyle can  */
/* only read the tables WinterSales and SpringSales through  */
/* the view WinterSpring. If Kyle tries to directly access   */
/* the table WinterSales or the table SpringSales, SPD       */
/* Server does not comply and issues an access failure       */
/* warning.                                                  */

PROC SQL;
CONNECT TO sasspds(dbq='temp' user='Stan';
EXECUTE(create view WinterSpring as 
        SELECT * from SpringSales, WinterSales
        WHERE SpringSales.id = WinterSales.id);
quit;

PROC SPDO lib=Stan;
SET ACLUSER;
SET ACLTYPE=view;
ADD ACL WinterSpring;
MODIFY ACL WinterSpring / Stan=(y,n,n,n);
quit;

SPD Server view access inheritance is available only when it is invoked with SPD Server explicit pass-through SQL syntax. If the view is accessed directly through SAS SQL or a SAS DATA step, the user of the view must also have direct access to the component tables that are referenced in the view. In this case, the ACL credentials of the user of the view are applied to the component view tables. This restriction limits the usefulness of SPD Server views that are accessed via SAS SQL to cases where a SAS SQL user creates a virtual table to simplify SQL coding.

Even though the SPD Server view access inheritance feature is not available for views issued from a SAS session, the ability to create and use views on SPD Server tables from SAS is a significant improvement in functionality.