Usage Note 57753: Implementing row-level security in SAS® Visual Analytics using the IdentityGroups property and the IN operator
SAS Visual Analytics provides the ability to implement row-level security on data. As documented in the SAS® Visual Analytics: Administration Guide, there are three methods that you can use to define the conditions that subset rows for each user.
The methods differ in what they support. In particular, the user interface does not support the IN operator, which is the operator most often used with the IdentityGroups property. To implement row-level security using the IdentityGroups property (or any other condition that uses the IN operator), you must use the batch tools for metadata authorization (sas-set-metadata-access).
For example, the following command grants the SASUSERS group Read access to the table and subsets the rows on Region: each user sees only the rows whose Region value matches the name of a metadata group that the user is a member of. The SUB::SAS.IdentityGroups placeholder is substituted with the requesting user's group memberships when the condition is evaluated:
sas-set-metadata-access -host localhost -port 8561 -user "sasadm@saspw" -password xxxxxxx
"/Shared Data/Libraries/LASR Library/MEGACORP1MILLION (Table)" -grant SASUsers:Read -condition
"Region IN ('SUB::SAS.IdentityGroups')"
In this example, the sasdemo user is a member of a metadata group called "West." Therefore, only data for the "West" region is displayed.
Here are some tips for creating your condition:
- The data item name should be the name of the variable as it is defined in metadata. It should not refer to the label or description.
- If the data item name contains a space, enclose the data item name in single quotation marks and append an "n" (that is, write it as a SAS name literal). For example, your -condition statement would look something like -condition "'FacilityRegion'n IN ('SUB::SAS.IdentityGroups')".
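The condition rules above, as an added example in Python (not code from this usage note or from SAS): it writes the data-item reference as a plain name or as a name literal, builds the IN condition against the IdentityGroups placeholder, assembles the sas-set-metadata-access invocation with the switches shown above as an argument list rather than a shell string, and runs a local model of which rows the condition admits for one user. SAMPLE_ROWS and the group lists are constructed; the exact, case-sensitive comparison of the Region value against group names in rows_visible is an assumption of the model, not a statement about the server; set_metadata_access_argv only assembles the arguments and does not run the tool.

```python
import re

# Placeholder that the metadata server substitutes, when the condition is
# evaluated, with the names of the metadata groups the requesting user belongs to.
IDENTITY_GROUPS = "SUB::SAS.IdentityGroups"

# A plain SAS name: letter or underscore, then letters, digits, underscores, max 32.
_SAS_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")


def name_literal(column: str) -> str:
    """Return the data-item reference as it must appear in the condition.

    A plain SAS name is used unchanged. A name with spaces or other characters
    outside the SAS name rules becomes a name literal, 'My Column'n, as the
    usage note's tip describes. Embedded single quotes are doubled.
    """
    if _SAS_NAME.fullmatch(column):
        return column
    return "'" + column.replace("'", "''") + "'n"


def identity_groups_condition(column: str) -> str:
    """Build the row-level condition  <column> IN ('SUB::SAS.IdentityGroups')."""
    return f"{name_literal(column)} IN ('{IDENTITY_GROUPS}')"


def set_metadata_access_argv(table_path, identity, condition, host="localhost",
                             port=8561, user="sasadm@saspw", password=None,
                             permission="Read"):
    """Assemble the sas-set-metadata-access call as an argv list.

    Handing subprocess.run an argv list (shell=False) avoids a second layer of
    shell quoting around the condition, which contains spaces and single quotes.
    The switch names are the ones shown in the usage note's example.
    """
    if password is None:
        raise ValueError("a metadata administrator password is required")
    return [
        "sas-set-metadata-access",
        "-host", host,
        "-port", str(port),
        "-user", user,
        "-password", password,
        table_path,
        "-grant", f"{identity}:{permission}",
        "-condition", condition,
    ]


def rows_visible(rows, column, user_groups):
    """Local model of the filter for one user (assumption: exact, case-sensitive match).

    The placeholder is replaced by the user's group names, and a row passes
    when its value in `column` equals one of those names.
    """
    groups = set(user_groups)
    return [row for row in rows if row.get(column) in groups]


# Constructed sample rows standing in for the MEGACORP1MILLION table (not real data).
SAMPLE_ROWS = [
    {"Region": "West", "Revenue": 100},
    {"Region": "East", "Revenue": 250},
    {"Region": "West", "Revenue": 75},
    {"Region": "Central", "Revenue": 40},
]

if __name__ == "__main__":
    cond = identity_groups_condition("Region")
    argv = set_metadata_access_argv(
        "/Shared Data/Libraries/LASR Library/MEGACORP1MILLION (Table)",
        "SASUsers", cond, password="xxxxxxx")
    print(" ".join(argv))
    # sasdemo is a member of SASUSERS and of the metadata group "West" (constructed).
    print(rows_visible(SAMPLE_ROWS, "Region", ["SASUSERS", "West"]))
    # A member of no region-named group sees nothing, because no row's Region matches.
    print(rows_visible(SAMPLE_ROWS, "Region", ["SASUSERS"]))
```

Two practical points the model makes visible: a user who belongs to no group whose name equals a Region value sees no rows at all, so every group name must match the data values exactly; and the password passed with -password is an ordinary command-line argument, visible in process listings and shell history on the host, so the call is best made from a script that holds the credential rather than typed interactively.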
Note: For a link to the SAS Visual Analytics: Administration Guide, see the SAS Visual Analytics documentation page. Click the tab for the release that you are using, and look under the "Administration and Deployment" section.
Operating System and Release Information
Product Family | Product | System | Product Release Reported | Product Release Fixed* | SAS Release Reported | SAS Release Fixed*
SAS System | SAS Visual Analytics | Microsoft® Windows® for x64 | 7.1 | | 9.4 TS1M0 | |
SAS System | SAS Visual Analytics | Linux for x64 | 7.1 | | 9.4 TS1M0 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Example code that applies conditional Read grants with the metadata security DATA step functions (METASEC_BEGTRAN, METASEC_SETAUTH, METASEC_ENDTRAN). The %MDSECCON autocall macro defines the constants these functions use, such as &_SECAD_COMMIT_TC. Each data line names a metadata group and the condition to attach to that group's Read grant on the table; the table is resolved once, the transaction is committed once at end of file, and the step stops if the table cannot be resolved or the transaction cannot be started.
%mdseccon();
data _null_;
   length type $60 id tid $17 tomsobj $200 tc $20 groupname $30 cond $100;
   infile datalines dsd eof=last;
   /* Keep the object URI and the transaction id across iterations */
   retain tomsobj tc;
   call missing(tid,groupname,cond,id,type);
   if _n_ = 1 then do;
      /* Determine the metadata ID of the table to update */
      rc=metadata_pathobj("","/Shared Data/Libraries/extract/RETAIL","Table",type,tid);
      put rc= tid=;
      /* Build an OMSOBJ URI for the table */
      tomsobj=cats("omsobj:",tid);
      /* Make sure the object resolves (1 = found) before touching authorizations */
      table=metadata_resolve(tomsobj,type,id);
      put tid= table= tomsobj=;
      if (table ne 1) then stop;
      /* Start an authorization transaction on the table */
      rc=METASEC_BEGTRAN(tomsobj,0,tc);
      if (rc < 0) then do;
         sysmsg = sysmsg();
         put sysmsg;
         /* No transaction: do not attempt any grants */
         stop;
      end;
   end;
   /* Read the next group name and its condition */
   input groupname cond;
   put groupname= cond=;
   /* Grant Read to the group, restricted by the condition.               */
   /* A return code of 0 means the update was accepted into the transaction */
   rc1 = METASEC_SETAUTH(tc,tomsobj,'IdentityGroup',groupname,'G','Read',cond);
   put 'return code for setting the permission ' rc1=;
   return;
last:
   do;
      /* End the transaction and commit every change made since it was started */
      rc=METASEC_ENDTRAN(tomsobj,tc,&_SECAD_COMMIT_TC);
      if (rc < 0) then do;
         sysmsg = sysmsg();
         put sysmsg;
      end;
      /* End the step explicitly so the transaction is not ended twice */
      stop;
   end;
datalines;
"Dept A","(Year=1985)"
"Dept B","(Year=1986)"
;
run;
Date Modified: 2020-03-23 11:32:12
Date Created: 2016-02-29 13:26:28