The Authorization Page

About the Authorization Page
Grant, Conditional Grant, and Denial Icons
Direct Control Indicators
Icon Combinations

About the Authorization Page

Each table or folder’s Authorization page displays effective permissions for that table or folder, indicates any direct access controls, and enables you to add or remove explicit controls. Only permissions that are potentially applicable for an object type are shown for objects of that type.
Only identities that participate in access controls that potentially affect the current object are persisted on this page. The following identities are persisted:
  • identities that are listed in the permission pattern of the repository access control template (ACT)
  • identities that have direct controls on an object that is a parent to this object
  • identities that have direct controls on this object
Note: Effective permissions are a calculation of the net effect of all applicable metadata-layer permission settings. Effective permissions do not encompass role-based constraints or constraints from other authorization layers.
Here is an example of the Authorization page that shows the SAS Demo User’s authorization properties for a LASR table.
Authorization Page
Authorization Page

Grant, Conditional Grant, and Denial Icons

The following table shows the icons associated with conditional grants in the Authorization page.
Grant, Conditional Grant, and Denial Icons
Icon
Meaning
grant icon
Grant
conditional grant icon
Conditional grant (a grant that is constrained by a permission condition, in row-level security)
deny icon
Denial

Direct Control Indicators

The Authorization page uses the following icons to provide immediate information about the source of each setting.
Direct Access Controls
Icon
Term
Meaning
explicit indicator
Direct control: Explicit
The direct access control is set on the current object and specifically assigned to the selected identity.
ACT icon
Direct control: ACT
The direct access control comes from an applied access control template (ACT) whose pattern specifically assigns the grant or denial to the selected identity.
(none)
Indirect setting
The setting comes from someone else (a parent group), somewhere else (a parent object), or special status (such as unrestricted). For the WriteMemberMetadata permission, indirect means that the setting mirrors the WriteMetadata setting.
Tip
The explicit and ACT indicator icons correspond to the white and green colors on the Authorization tab in SAS Management Console. If both an explicit control and an applied ACT setting are present, only the explicit indicator is visible.
Tip
For additional details about the source of a setting, select Show Origins from the drop-down list for that setting. See Permission Origins.

Icon Combinations

The following table shows all of the possible combinations of icons within a cell on a table’s Authorization page.
Icon Combinations
Icon
Description
grant iconexplicit indicator icon
Grant from an explicit control
grant icondirect ACT indicator icon
Grant from an applied ACT
grant icon
Grant from an indirect source (such as a parent group or parent object)
conditional grant iconexplicit indicator icon
Conditional grant from an explicit control
conditional grant icon
Conditional grant from an indirect source (a parent group)
denial iconexplicit indicator icon
Denial from an explicit control
denial icondirect ACT indicator icon
Denial from an applied ACT
denial icon
Denial from an indirect source (such as a parent group or parent object)
Copyright © SAS Institute Inc. All rights reserved.