SUPPORT

Select Your Region

Visit the Cary, NC, US corporate headquarters site

Americas

Europe

Middle East & Africa

Asia Pacific

View our worldwide contacts list for help finding your region

Americas

Europe

Middle East & Africa

Asia Pacific

Sign In

Get access to My SAS, trials, communities and more.

Sign Out

Get access to My SAS, trials, communities and more.

SAS Sites

sas.com
Support
Blogs
Communities
Developer
Curiosity
Videos

Documentation

Learn
Brand
PartnerNet
Merchandise
SUPPORT / SAMPLES & SAS NOTES
 

Support

Sample 31563: Creating a SAS® Information Map that filters using identity-driven, row-level permissions

DetailsResultsAboutRate It

Overview

BI row-level permissions enable you to limit access to SAS data and third-party relational data that is accessed through information maps. Row-level permissions are enforced when relational information maps are accessed from applications such as SAS® Web Report Studio.

This sample shows you how to create a simple identity-driven, row-level permission in SAS Information Map Studio. As the input table for the information map, this sample uses the SASHELP.CLASS table.

Note: This feature is only available for relational information maps. For OLAP-based information maps, you can specify member-level security (see How to Assign an OLAP Permission Condition).

Note: Row-level permission filters also can be based on group membership (see Sample 31885).

Note: This sample was written using SAS Information Map Studio 3.1, but the tasks are essentially the same for SAS Information Map Studio 4.2 and later.

Tip: If your environment includes a SAS Demo User, then use that account to follow along with the sample steps.

Create the Security Associations Table

A security associations table documents the relationships between a user and the information that you want to control access to. The following DATA step code was used to create the security associations table that is used in this sample. 


data sashelp.rlp_class;  
   input PersonName $13. @14 Gender $;  
   datalines;
SAS Demo User F
SAS Guest     M
;
run;

Note: Remember to register the security associations table in SAS® Management Console.

In this sample, SAS Demo User is given permission to only view information for females and SAS Guest is given permission to only view information for males.

rlp_class security table

About the security associations table

Instead of creating a separate security associations table, the PersonName column could have been added to the CLASS table. In this case, SAS Demo User would have been the value in the female rows and SAS Guest would have been the value in the male rows.

Create the Information Map

  1. Log in to SAS Information Map Studio. This sample uses the credentials for SAS Demo User.
  2. Use Insert –> Table to insert both the CLASS table and the RLP_CLASS table.

    3. Physical Panel

  3. From the Physical Data panel, move all of the columns from the CLASS table over to the Information Map panel. Do not move over any columns from the RLP_CLASS table.

    4. Both Panels

  4. Save the information map.
  5. Right-click on the information map name and select Properties.
  6. Select the Required Tables tab, make RLP_CLASS a required table, and then click OK.

    7. Make rlp_class a required table

  7. On the Relationships tab, associate Sex in the CLASS table with Gender in the RLP_CLASS table.

    8. image label

  8. Click the Presentation tab, and select Insert–>Filter.
  9. Name the filter and then click Edit Data Item to open the Edit Expression dialog box.
  10. Select Character as the type of expression.
  11. On the Data Sources tab beneath the Expression Text box, expand the RLP_CLASS table, select the PersonName column, and then click Add to Expression.

    12. Filter expression

  12. Click OK to return to the New Filter dialog box.

Define the Identity-Driven Filter

From the drop-down list beneath Value(s), select Derive identity values (for row-level permissions) to see a list of identity-driven properties. This sample filters on SAS.PersonName.

Identity-driven properties

Expand Filter expression at the bottom of the dialog box to see the criteria that you have just defined.

Filtere expression

About the Example column

The examples are derived from the currently logged in user (in this sample, the user is SAS Demo User). The examples are showing you how the value for the identity property should appear in the security associations table. This sample filters on SAS.PersonName. The sample could also filter on the SAS.IdentityName property. If the security associations table had included the values SASDEMO@d20093 and SASGUEST@d20093, then the sample could have filtered on the SAS.Userid property.

Make the Filter Required

  1. Right-click on the information map name and select Properties.
  2. Select the General Prefilters tab, and assign the RLP_Filter to the CLASS table, and then click OK.

    3. Make filter a prefilter

About prefilters

A prefilter is a mandatory filter that pre-screens and subsets the data in its associated table before any other part of a query is run.

View the Results

To see results of testing this filter in SAS Information Studio and SAS Web Report Studio, click the Results tab at the top of this sample.

Additional Documentation

For more information about creating row-level permissions, see the documentation for the version of SAS that you are using:

For more information about SAS Information Map Studio, see the SAS Information Map Studio documentation page.



These sample files and code examples are provided by SAS Institute Inc. "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Recipients acknowledge and agree that SAS Institute shall not be liable for any damages whatsoever arising out of their use of this material. In addition, SAS Institute will provide no support for the materials contained herein.