Authorization and Permissions Overview

Metadata-Based Authorization

Authorization is the process of determining which users have which permissions for which resources. The SAS Intelligence Platform includes an authorization mechanism that consists of access controls that you define and store in a metadata repository. These metadata-based controls supplement protections from the host environment and other systems. You can use the metadata authorization layer to manage access to the following resources:
  • almost any metadata object (for example, reports, data definitions, information maps, jobs, stored processes, and server definitions)
  • OLAP data
  • relational data (depending on the method by which the data is accessed)
You can set permissions at several levels of granularity:
  • Repository-level controls provide default access controls for objects that have no other access controls defined.
  • Resource-level controls manage access to a specific item such as a report, an information map, a stored process, a table, a column, a cube, or a folder. The controls can be defined individually (as explicit settings) or in patterns (by using access control templates).
  • Fine-grained controls affect access to subsets of data within a resource. You can use these controls to specify who can access particular rows within a table or members within a cube dimension.
You can assign permissions to individual users or to user groups. Each SAS user has an identity hierarchy that starts with the user's individual SAS identity and can include multiple levels of nested group memberships.
The effect of a particular permission setting is influenced by any related settings that have higher precedence. For example, if a report inherits a grant from its parent folder but also has an explicit denial, the explicit setting determines the outcome.
The available metadata-based permissions are summarized in the following list (Metadata-Based Permissions):
  • ReadMetadata, WriteMetadata, WriteMemberMetadata, CheckInMetadata: use to control user interactions with a metadata object.
  • Read, Write, Create, Delete: use to control user interactions with the underlying computing resource that is represented by a metadata object, and to control interactions with some metadata objects, such as dashboard objects.
  • Administer: use to control administrative interactions (such as starting or stopping) with the SAS server that is represented by a metadata object.

Multiple Authorization Layers

A user's ability to perform a particular action is determined not only by metadata-based access controls but also by external authorization mechanisms such as operating system permissions and database controls. To perform a particular action, the user must have the necessary permissions in all of the applicable authorization layers. For example, regardless of the access controls that have been defined for the user in the metadata repository, the user cannot access a particular file if the operating system permissions do not permit the action.
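The two rules stated above, that an explicit setting on an object takes precedence over a grant inherited from its parent folder, and that a user needs permission in every authorization layer, can be modelled in a few lines. The following is an added illustration, not SAS code: it assumes a constructed identity hierarchy (alice → Analysts → SASUSERS), a simplified precedence order (explicit setting on the object, then inherited from the parent, then a repository-level default), and a boolean standing in for the host-layer check.

```python
from dataclasses import dataclass, field

# Constructed identity hierarchy: identity -> groups it belongs to directly.
GROUPS = {"alice": ["Analysts"], "Analysts": ["SASUSERS"], "SASUSERS": []}

def identity_chain(user):
    """The user's own identity first, then nested group memberships."""
    chain, queue = [], [user]
    while queue:
        ident = queue.pop(0)
        if ident not in chain:
            chain.append(ident)
            queue.extend(GROUPS.get(ident, []))
    return chain

@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    # explicit settings on this object: {(identity, permission): "grant" | "deny"}
    explicit: dict = field(default_factory=dict)

def metadata_decision(res, user, perm, repository_default="deny"):
    """Simplified model (assumption): an explicit setting on the object wins over
    anything inherited; otherwise the parent is consulted; otherwise the
    repository-level default applies. Real SAS precedence has more tiers."""
    for ident in identity_chain(user):
        if (ident, perm) in res.explicit:
            return res.explicit[(ident, perm)]
    if res.parent is not None:
        return metadata_decision(res.parent, user, perm, repository_default)
    return repository_default

def effective_access(res, user, perm, host_allows):
    """Every layer must permit: a metadata grant alone is not enough if the
    operating system (here a constructed boolean) denies the action."""
    return metadata_decision(res, user, perm) == "grant" and host_allows

def demo():
    # Folder grants Read to everyone; one report explicitly denies Analysts.
    folder = Resource("Reports", explicit={("SASUSERS", "Read"): "grant"})
    report = Resource("Sales", parent=folder, explicit={("Analysts", "Read"): "deny"})
    other = Resource("Budget", parent=folder)
    return {
        "explicit_deny_beats_inherited_grant": metadata_decision(report, "alice", "Read"),
        "inherited_grant_only": metadata_decision(other, "alice", "Read"),
        "grant_in_metadata_but_host_denies": effective_access(other, "alice", "Read", False),
    }
```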