Usage Note 45294: Users are able to see plug-ins or tasks in client applications when they are not granted the corresponding capabilities by any role
A user might see all available plug-ins or tasks in a client application even when they have not been granted the corresponding capabilities via a role in the SAS® Metadata Server. This behavior occurs when you deny the ReadMetadata permission for the user, either implicitly or explicitly, on the /System folder or its subfolders in metadata.
For example, if you deny ReadMetadata permission to sasdemo on the "/System/Applications/SAS Management Console" folder in the SAS Metadata Server, and the sasdemo user logs in to SAS® Management Console, he will see all of the plug-ins for the application, even if he does not belong to any role that grants capabilities for the SAS Management Console application.
To ensure that roles and capabilities are properly enforced, you must not deny the ReadMetadata permission to SASUSERS on the /System folder. If you allow public users to connect to your SAS Metadata Server by granting ReadMetadata to the PUBLIC group in your DefaultACT, then you must also be sure that ReadMetadata is not denied to PUBLIC on the /System folder.
Operating System and Release Information
SAS System | SAS Metadata Server | z/OS | 9.21 | | 9.2 TS2M0 | |
Microsoft® Windows® for 64-Bit Itanium-based Systems | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 Datacenter 64-bit Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 Enterprise 64-bit Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows XP 64-bit Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft® Windows® for x64 | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 Datacenter Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 Enterprise Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 Standard Edition | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2003 for x64 | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows Server 2008 for x64 | 9.21 | | 9.2 TS2M0 | |
Microsoft Windows XP Professional | 9.21 | | 9.2 TS2M0 | |
Windows Vista | 9.21 | | 9.2 TS2M0 | |
Windows Vista for x64 | 9.21 | | 9.2 TS2M0 | |
64-bit Enabled AIX | 9.21 | | 9.2 TS2M0 | |
64-bit Enabled HP-UX | 9.21 | | 9.2 TS2M0 | |
64-bit Enabled Solaris | 9.21 | | 9.2 TS2M0 | |
HP-UX IPF | 9.21 | | 9.2 TS2M0 | |
Linux | 9.21 | | 9.2 TS2M0 | |
Linux for x64 | 9.21 | | 9.2 TS2M0 | |
Solaris for x64 | 9.21 | | 9.2 TS2M0 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
If a user has insufficient authorizations on the /System folder or its subfolders in metadata, they might receive errors or be given access to features of client applications that they should not see, even if they are not granted the necessary capabilities by a role in metadata.
Type: | Usage Note |
Priority: | |
Topic: | System Administration ==> Security ==> Permissions; System Administration ==> Security ==> Roles; System Administration ==> Servers ==> Metadata; Software Components ==> SMC Plug-in |
Date Modified: | 2012-01-09 12:09:44 |
Date Created: | 2012-01-05 13:41:22 |