Permissions defined in an ACE (Access Control Entry) that have been explicitly or directly applied to an object may be ignored when the object has a conflicting permission from an ACT (Access Control Template). This behavior can result in a permission being denied when it should be granted.

This problem has been encountered when all the following are true:

1. A user is a direct member of one or more Identity Groups at the same group membership level.
2. One Identity Group is granted access by an explicit ACE.
3. Another or same Identity Group is denied access by an ACT.

To circumvent the problem, remove the ACT containing the deny.

Note: See The User/Group Identity Hierarchy in the SAS® 9.1.3 Intelligence Platform: Security Administration Guide for details on group membership level.

Select the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

A fix for SAS 9.1.3 (9.1 TS1M3) for this issue is available at:

A fix for SAS 9.1.3 (9.1 TS1M3) with Asian Language Support (DBCS) for this issue is available at :