Principle | Scenario | Outcome and Explanation
---|---|---
If there are multiple permission conditions that apply to a user because of the user's group memberships, then the identity that has the highest precedence controls the outcome. | A condition on TableA limits Read permission for GroupA. Another condition on TableA limits Read permission for the SASUSERS group. The user is a member of both GroupA and SASUSERS. | The user can see only the rows that GroupA is permitted to see. GroupA has a higher level of identity precedence than SASUSERS, so the filters that are assigned to GroupA define the user's access.
If there are multiple permission conditions at the highest level of identity precedence, then any data that is allowed by any of the tied conditions is returned. | A condition on TableA limits Read permission for GroupA. Another condition on TableA limits Read permission for GroupB. The user is a first-level member of both GroupA and GroupB. | The user can see any row that is permitted for either GroupA or GroupB.
The symbol || is not supported. Instead, use the keyword OR.
Syntax Element | Example
---|---
AND, OR, NOT | Toy_Type='cars' OR Toy_Type='dolls'
IN, NOTIN | Toy_Type IN ('dolls' 'cars' 'animals')
CONTAINS, ? | Toy_Type CONTAINS 'cars'
BETWEEN, NOT BETWEEN | Toy_Price BETWEEN 20 AND 30
LIKE | Toy_Type LIKE 'dolls'
=, >, <, >=, <=, <> | Toy_Price=25
^=, NE | Toy_Price^=30
Syntax Element | Description
---|---
SUB::SAS.Userid | returns the requesting user's authenticated ID, normalized to the uppercase format USERID or USERID@DOMAIN. Here is an example for use in the batch tools: -condition "empID='SUB::SAS.Userid'"
SUB::SAS.IdentityGroups | returns the requesting user's group and role memberships (direct, indirect, and implicit). The returned list contains group and role names (not display names). Here is an example for use in the batch tools: -condition "FacilityRegion IN ('SUB::SAS.IdentityGroups')"
SUB::SAS.PersonName | returns the requesting user's name (as specified in the Name field on the General tab of the user's metadata definition).
SUB::SAS.ExternalIdentity | returns a site-specific identifier for the requesting user. External identity values are populated by the platform's user import macros (if you bulk load user information into metadata).
empID='SUB::SAS.Userid'.

Each affected user's ID is substituted into the right side of the condition. In a request from the sasdemo user, the condition resolves as empID='sasdemo', so only those rows where the value in the empID column is sasdemo are returned to the sasdemo user. If you assign the condition to a group, each member's access is restricted to those rows where the empID value matches his or her authenticated user ID. Here is an example of the full command for use in the batch tools:

sas-set-metadata-access -profile Admin "/Shared Data/LASRtableA(Table)" -grant sasusers:Read -condition "empID='SUB::SAS.Userid'"
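As an added illustration (not SAS code), the following Python model applies the two precedence rules from the first table and the SUB::SAS.Userid substitution to a constructed table. It assumes that conditions are written as Python predicates rather than SAS expressions, that the caller supplies each identity's precedence rank as a number (higher wins, direct groups above SASUSERS, first-level groups tied), and that the group named Staff is hypothetical.

```python
from typing import Any, Callable, Dict, List
Row = Dict[str, Any]
# A condition is modelled as a predicate over (row, requesting userid).
Predicate = Callable[[Row, str], bool]

# Constructed sample table with the columns the page's conditions use.
TABLE_A: List[Row] = [
    {"empID": "sasdemo", "Toy_Type": "cars",    "Toy_Price": 25},
    {"empID": "sasdemo", "Toy_Type": "dolls",   "Toy_Price": 40},
    {"empID": "alice",   "Toy_Type": "cars",    "Toy_Price": 22},
    {"empID": "bob",     "Toy_Type": "animals", "Toy_Price": 18},
]

# Conditions assigned per identity ("Staff" is a hypothetical group). SUB::SAS.Userid
# is modelled by comparing the empID column with the requesting user's ID.
CONDITIONS: Dict[str, Predicate] = {
    "GroupA":   lambda row, uid: row["Toy_Type"] == "cars",     # Toy_Type='cars'
    "GroupB":   lambda row, uid: row["Toy_Type"] == "dolls",    # Toy_Type='dolls'
    "SASUSERS": lambda row, uid: 20 <= row["Toy_Price"] <= 30,  # Toy_Price BETWEEN 20 AND 30
    "Staff":    lambda row, uid: row["empID"] == uid,           # empID='SUB::SAS.Userid'
}

def resolve(conditions: Dict[str, Predicate], memberships: Dict[str, int]) -> List[Predicate]:
    """Conditions that actually apply: those of the highest-precedence identity the
    user belongs to (memberships maps identity -> rank, higher wins); ties all count."""
    ranked = {name: rank for name, rank in memberships.items() if name in conditions}
    if not ranked:
        return []
    top = max(ranked.values())
    return [conditions[n] for n, r in ranked.items() if r == top]

def visible_rows(table: List[Row], conditions: Dict[str, Predicate],
                 memberships: Dict[str, int], userid: str) -> List[Row]:
    """Rows the user can read. Assumes Read itself is granted and models only the
    row-level filter; tied conditions are ORed, so a row passing any one is returned."""
    preds = resolve(conditions, memberships)
    if not preds:
        return list(table)
    return [row for row in table if any(p(row, userid) for p in preds)]

def resolved_condition_text(condition: str, userid: str) -> str:
    """The substitution the page describes: SUB::SAS.Userid becomes the user's ID."""
    return condition.replace("SUB::SAS.Userid", userid)

if __name__ == "__main__":
    # Direct group GroupA (rank 2) outranks the implicit SASUSERS group (rank 1).
    print(len(visible_rows(TABLE_A, CONDITIONS, {"GroupA": 2, "SASUSERS": 1}, "sasdemo")))  # 2
    # Two first-level groups tie, so their filters are ORed: cars or dolls.
    print(len(visible_rows(TABLE_A, CONDITIONS, {"GroupA": 2, "GroupB": 2}, "sasdemo")))  # 3
```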