Permissions

About Permissions

Key Points

Here are the key points about permissions:
  • SAS Visual Analytics uses the platform’s metadata authorization layer to manage access to objects such as reports, explorations, tables, libraries, servers, and folders.
  • SAS Visual Analytics supports row-level security. SAS Visual Analytics does not support column-level security.
    Note: Do not set denials of the ReadMetadata permission on individual columns within a table. If a table is loaded by a user who lacks access to one or more columns, duplicate metadata entries are created for the unavailable columns.
  • In the administrator, you can set folder, library, table, and row-level permissions. For alternate interfaces, see Access Management in the SAS Intelligence Platform: Security Administration Guide.
    Note: In the administrator, you cannot view or set permissions on the objects that support metadata-bound libraries (secured library folders, secured libraries, and secured tables).
  • Access to each object is displayed as part of the object’s properties. Not all permissions are relevant for all objects.
  • Do not block ReadMetadata access for the SAS Trusted User (for example, sastrust@saspw). To preserve access, grant the ReadMetadata permission to the SAS System Services group.
  • For simplicity, set permissions on folders, not on individual objects. Most objects (including tables) inherit permissions from their parent folders. To learn how to customize the metadata folder structure, see Working with SAS Folders in the SAS Intelligence Platform: System Administration Guide.
  • For simplicity, assign permissions to groups, not to individual users. The broadest group is called PUBLIC. The SASUSERS group includes all registered users. To learn how to manage permissions systematically using access control templates, see Access to Metadata Folders in the SAS Intelligence Platform: Security Administration Guide.

Permission Definitions

The following table documents permissions that have a special purpose in SAS Visual Analytics, and introduces some of the standard permissions.
Permission
Affected Actions
Administer (A)
On a LASR library, load and import tables.
On a SAS LASR Analytic Server, stop the server or set a tables limit.
Read (R)
On a LASR table, read data.
On a LASR library, load and import tables.
On an encrypted SASHDAT library, add, delete, or load data.
Write (W)
On a LASR table, unload and reload the table; append and delete rows; and edit computed columns.
ReadMetadata (RM)
View an object. For example, to see an exploration, report, table, or library, you need the ReadMetadata permission for that object.
WriteMetadata (WM)
Edit, rename, set permissions for, or delete an object; create certain associations among objects.
WriteMemberMetadata (WMM)
On a folder, add or remove objects.
For more information, see Metadata Authorization Model in the SAS Intelligence Platform: Security Administration Guide.

Permissions by Task

LASR Tables and Servers

The following table documents metadata-layer permissions for working with LASR tables and SAS LASR Analytic Servers.
Permissions for Working with LASR Tables and Servers
Task
Server
Library
Folder
Table
Read data
RM
RM
RM
RM, R
Append or delete rows
RM
RM
RM
RM, R, W
Edit computed columns
RM
RM
RM
RM, R, W
Load or import a table1
RM
RM, R, WM, A
RM, R, WMM, W
-
Load a stop list
RM, WM
RM, R, WM, A
RM, R, WMM, W
-
Reload a table
RM
RM
RM
RM, R, WM, W
Unload a table
RM
RM
RM
RM, R, W
Start a server
RM
-
-
-
Stop a server
RM, A
-
-
-
Set a server’s tables limit
RM, WM, A
-
-
-
Assign a library to a server
RM, WM
RM, WM
-
-
Register a table in metadata
-
RM, WM
RM, WMM
-
Update a table’s metadata
-
RM
RM
RM, WM
Delete a table from metadata
-
RM, WM
RM, WMM
RM, WM
1An initial load (or import) creates a new LASR table object. Read and Write permissions on the folder support actions against the new table.

Explorations and Reports

The following table documents metadata-layer permissions for working with reports and explorations.
Permissions for Working with Reports and Explorations
Task
Server
Table
Folder
Report
Exploration
Open a report or exploration
RM
RM, R
-
RM
RM
Export a report or exploration
RM
RM, R
-
RM
RM
Modify a report or exploration
RM
RM, R
-
RM, WM
RM, WM
Save a new report or exploration
-
RM
RM, WMM
-
-
Delete a report or exploration
-
RM
RM, WMM
RM, WM
RM, WM
To create, update, or delete a report, access to the SAS Content Server is also required. See Administering the SAS Content Server in the SAS Intelligence Platform: Middle-Tier Administration Guide. To view the data that populates a report, ReadMetadata permission for the library where the data is stored is also required. See the first row in Permissions for Working with LASR Tables and Servers.

Data Queries and LASR Star Schemas

The following table documents metadata-layer permissions for working with data queries and LASR star schemas.
Permissions for Working with Data Queries and LASR Star Schemas
Task
Server
Table2
Folder
Query or Schema
Save a new query or schema1
RM
RM
RM, WMM
-
Run a query or schema1
RM
RM
-
RM
Edit and save a query or schema
RM
RM
RM
RM, WM
Delete or rename a query or schema
RM
-
RM, WMM
RM, WM
1These tasks create new LASR tables, so the permission requirements for loading a LASR table must also be met. See Permissions for Working with LASR Tables and Servers.
2This column refers to any source tables that are represented in metadata. To run a query or schema against a LASR table, Read permission for the LASR table is also required.
Read access to data in a LASR star schema is not affected by permissions for input tables. Instead, Read access to data in a LASR star schema is affected by the Read and ReadMetadata permissions for the output table or view. ReadMetadata permission for the associated server, library, and folder is also required. See the first row in Permissions for Working with LASR Tables and Servers.
Note: You can set explicit access controls (including permission conditions) on the output table or view for a LASR star schema. Any explicit access controls persist when you rerun the LASR star schema.

Grant or Deny a Permission

To set an explicit grant or denial:
  1. In the administrator’s Folders pane, right-click on an object, and select Authorization.
    Tip
    To display the Folders pane, select Viewthen selectFolders from the main menu.
  2. In the Effective Permissions table, locate the identity to which you want to assign an explicit control. If the identity is not listed, click the add identities icon to open the Add Identities window.
    Note: In the Add Identities window, only user administrators can successfully search by user ID. Regular users cannot see other users’ IDs.
    Note: An explicit grant of the ReadMetadata permission is automatically set for each identity that you add.
  3. Double-click on a cell. From the cell’s drop-down list, select either Deny or Grant.
    authorization
    When the drop-down list collapses, notice that the cell contains an explicit control indicator explicit indicator.
    Note: If the selected identity is an unrestricted user, all permissions are granted and you cannot make changes.
  4. If you changed a group's access, review the impact on the other listed identities. Controls that you add for a group can affect access for all members of that group.
  5. In the toolbar at the top of the tab, click the save icon.

Set a Row-Level Permission Condition

To limit Read access to rows in a LASR table:
  1. In the administrator’s Folders pane, right-click on a LASR table, and select Authorization.
    Tip
    To display the Folders pane, select Viewthen selectFolders from the main menu.
  2. In the Read column, double-click on the cell for the identity whose row-level access you want to constrain. (Or, if the identity is not listed, click the add identities icon at the right edge of the table.)
    Note: An explicit grant of the ReadMetadata permission is automatically set for each identity that you add.
  3. From the cell’s drop-down list, select Conditional grant.
    conditional grant
    Note: If Conditional grant is not in the drop-down list, the table does not support row-level security. Only LASR tables support row-level security.
    Note: If Conditional grant is already selected, select Conditional grant again to view or edit the existing condition.
  4. In the New Permission Condition window, create a condition that specifies which rows the identity can see. See Syntax (Enhanced Editor).
    Note: Conditions from releases prior to 6.2 or from batch tools use a basic editor. In the basic editor, syntax is not validated. See Syntax (Basic Editor, Batch).
  5. Click OK. Notice that the cell contains the conditional grant icon conditional grant icon with an explicit control indicator explicit indicator.
  6. If you set a permission for a group, review the impact on the other listed identities. Constraints that you add for a group can affect access for all members of that group.
  7. In the toolbar at the top of the tab, click the save icon.
Tip
When you test conditions in another application (such as the explorer), refresh the data source in that application so that your changes are reflected. See Caching.
A permission condition constrains Read access to rows within a LASR table. For more information, see Row-Level Security.

View Authorization Information

Here are some details about the Authorization page:
  • Each object’s Authorization page describes access to that object. The displayed effective permissions are a calculation of the net effect of all applicable metadata-layer permission settings. To identify the source of an effective permission, double-click on its cell, and select Show Origins from the drop-down list. See Permission Origins.
  • Icons indicate grants grant icon, conditional (row-level) grants conditional grant icon, and denials deny icon.
  • The explicit indicator icon explicit indicator indicates an access control that is explicitly set on the current object and explicitly assigned to the selected identity.
  • The ACT indicator icon direct ACT indicator icon indicates an access control that comes from an applied ACT whose pattern assigns the grant or denial to the selected identity.
  • In combination, icons provide information as follows:
    Icon
    Meaning
    grant iconexplicit indicator icon
    Grant from an explicit control
    grant icondirect ACT indicator icon
    Grant from a directly applied ACT
    grant icon
    Grant from an indirect source (such as a parent group or parent object)
    conditional grant iconexplicit indicator icon
    Conditional grant from an explicit control
    conditional grant icon
    Conditional grant from an indirect source (a parent group)
    denial iconexplicit indicator icon
    Denial from an explicit control
    denial icondirect ACT indicator icon
    Denial from a directly applied ACT
    denial icon
    Denial from an indirect source (such as a parent group or parent object)
  • To compare permissions for two tables, open them both, and then select Viewthen selectTab Layoutthen selectStacked from the main menu.
Last updated: December 18, 2018