| User and Group Management |
| Overview of the %MDUGRPAC Macro |
You should limit WriteMetadata permission for group definitions, because you must prevent regular users from making accidental or deliberate changes such as deleting a group definition or changing group membership assignments. By default, a group definition is protected only by the settings on the repository ACT, so it is necessary to set additional direct controls to protect these objects.
As an alternative to manually setting permissions on the Authorization tab of every group definition, you can use the %MDUGRPAC autocall macro (available in the SAS autocall macro library). This macro enables you to centrally manage access to group definitions. The %MDUGRPAC macro locates group definitions that are not protected by direct access controls and associates those definitions to an ACT (by default the ACT is named ACT Securing Groups).
Note: On the Users and Permissions tab of the ACT that is created by this macro, there are no default settings. See the numbered list below for recommended settings.
For example, the following code creates an ACT and associates each unsecured IdentityGroup object in the specified repository to that ACT.
options metaserver=mymachine
        metaport=9999
        metauser='winnt\userid'
        metapass='xxxyyyzzz1'
        metarepository=Foundation;
%mdugrpac();
After you run this macro for the first time, you must perform these tasks:
1. On the Users and Permissions tab of ACT Securing Groups, deny WriteMetadata permission to the PUBLIC group, and then grant this permission back to only those users who maintain your group definitions. For example, you might grant WriteMetadata permission to an Administrators group. Or you might choose not to grant WriteMetadata permission to anyone, which leaves an unrestricted user as the only identity that can make changes to group definitions. Do not deny ReadMetadata permission to anyone.
2. On the Authorization tab of the ACT, set permissions to control who can make changes to the ACT. It would be appropriate to simply deny WriteMetadata permission to PUBLIC, so that only an unrestricted user can make changes to this special ACT.
The following topic contains reference information about this macro.
| Syntax of the %MDUGRPAC Macro |
Here is the syntax for this macro:
%mdugrpac();
or
%mdugrpac(ACTName="Name of the ACT",
scope= ALL | IMPORTED | NONIMPORTED,
mode= EXECUTE | REPORT);
ACTName
specifies the name of the ACT that will be used to manage access to IdentityGroup objects (group definitions). By default, the macro creates an ACT named ACT Securing Groups (if that ACT does not already exist). If you want to associate unsecured group definitions to an existing ACT, use this option to indicate which ACT you want to use.
scope
specifies which IdentityGroups can be secured by the ACT. Associations are not created for objects for which direct access controls are already defined. The default scope is ALL.
| ALL | All IdentityGroups in the foundation repository are candidates for inclusion. |
| IMPORTED | Only IdentityGroups that were created by a bulk-load process are candidates for inclusion. |
| NONIMPORTED | Only IdentityGroups that were not created by a bulk-load process are candidates for inclusion. |
mode
controls the behavior of the macro. The default mode is EXECUTE.
| EXECUTE | causes the macro to create the associations and the new ACT (if it does not already exist), and to generate a list of the changes that were made. |
| REPORT | causes the macro to only generate a list of the IdentityGroups that would be modified if you execute the macro. |
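The following added example (not part of the SAS documentation) previews the change in REPORT mode, applies it in EXECUTE mode, and then lists any group definitions that still have no direct access controls. The data set name work.group_acl_audit and the variable n_controls are hypothetical, and the check assumes that direct controls on a group definition appear under the object's AccessControls association.

```sas
/* Connection values are the placeholders used earlier on this page. */
options metaserver=mymachine
        metaport=9999
        metauser='winnt\userid'
        metapass='xxxyyyzzz1'
        metarepository=Foundation;

/* Step 1: dry run. REPORT only lists the IdentityGroups that
   would be modified; no metadata is changed. */
%mdugrpac(mode=REPORT);

/* Step 2: apply. Creates the ACT if it does not exist and associates
   every unsecured IdentityGroup with it. The new ACT has no default
   settings, so the two manual tasks above are still required. */
%mdugrpac(ACTName="ACT Securing Groups", scope=ALL, mode=EXECUTE);

/* Step 3: independent check. Walk every IdentityGroup and record
   whether it has at least one direct access control. */
data work.group_acl_audit;
  length uri acuri name $256;
  keep name n_controls;
  n = 1;
  nobj = metadata_getnobj("omsobj:IdentityGroup?@Id contains '.'", n, uri);
  do while (nobj > 0 and n <= nobj);
    rc = metadata_getattr(uri, "Name", name);
    /* Returns the number of associated objects; a negative value
       means nothing exists at index 1 (or the lookup failed). */
    n_controls = metadata_getnasn(uri, "AccessControls", 1, acuri);
    if n_controls < 0 then n_controls = 0;
    output;
    n + 1;
    nobj = metadata_getnobj("omsobj:IdentityGroup?@Id contains '.'", n, uri);
  end;
run;

/* Groups listed here are still protected only by the repository ACT. */
title "Group definitions without direct access controls";
proc print data=work.group_acl_audit noobs;
  where n_controls = 0;
run;
title;
```

An empty report in step 3 shows only that each group definition carries a direct control; the permissions on the ACT itself still have to be set as described in the numbered list.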
Copyright © 2007 by SAS Institute Inc., Cary, NC, USA. All rights reserved.