
Security Overview

Authorization and Permissions Overview


Metadata-Based Authorization

Authorization is the process of determining which users have which permissions for which resources. The SAS Intelligence Platform includes an authorization mechanism that consists of access controls that you define and store in a metadata repository. These metadata-based controls supplement protections from the host environment and other systems. You can use the metadata authorization layer to manage access to the following resources:

You can set permissions at several levels of granularity:

You can assign permissions to individual users or to user groups. Each SAS user has an identity hierarchy that starts with the user's individual SAS identity and can include multiple levels of nested group memberships.

The effect of a particular permission setting is influenced by any related settings that have higher precedence. For example, if a report inherits a grant from its parent folder but also has an explicit denial, the explicit setting determines the outcome.

The available metadata-based permissions are summarized in the following table.

Metadata-Based Permissions

| Permissions | Use |
|---|---|
| ReadMetadata, WriteMetadata, WriteMemberMetadata, CheckInMetadata | Use to control user interactions with a metadata object. |
| Read, Write, Create, or Delete | Use to control user interactions with the underlying computing resource that is represented by a metadata object; and to control interactions with some metadata objects, such as dashboard objects. |
| Administer | Use to control administrative interactions (such as starting or stopping) with the SAS server that is represented by a metadata object. |


Multiple Authorization Layers

A user's ability to perform a particular action is determined not only by metadata-based access controls but also by external authorization mechanisms such as operating system permissions and database controls. To perform a particular action, the user must have the necessary permissions in all of the applicable authorization layers. For example, regardless of the access controls that have been defined for the user in the metadata repository, the user cannot access a particular file if the operating system permissions do not permit the action.
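
The following Python sketch is an added example, not SAS code and not the platform's actual evaluation algorithm. It models the two rules described above: a setting on the object itself outranks one inherited from its parent folder, and an action succeeds only if every authorization layer allows it. The object names, identities, the tie-breaking rules marked as assumptions, and the external layer results are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

GRANT, DENY = "grant", "deny"

@dataclass
class MetaObject:
    name: str
    parent: Optional["MetaObject"] = None
    # explicit[(identity, permission)] = GRANT or DENY, set directly on this object
    explicit: dict = field(default_factory=dict)

def identity_hierarchy(user, memberships):
    """Levels of identities: the user, direct groups, then nested groups."""
    levels, seen, current = [], set(), {user}
    while current:
        levels.append(current)
        seen |= current
        current = {g for m in current for g in memberships.get(m, ())} - seen
    return levels

def metadata_decision(obj, levels, permission):
    """Nearest object (self, then ancestors) with an applicable setting decides."""
    node = obj
    while node is not None:
        for level in levels:  # assumption: a nearer identity level wins
            found = {node.explicit[(i, permission)]
                     for i in level if (i, permission) in node.explicit}
            if found:  # assumption: a conflict inside one level resolves to deny
                return DENY if DENY in found else GRANT
        node = node.parent
    return DENY  # assumption: no setting anywhere means no access

def can_perform(obj, levels, permission, other_layers):
    """The metadata layer and every external layer must all allow the action."""
    if metadata_decision(obj, levels, permission) != GRANT:
        return False
    return all(other_layers.values())

# Constructed sample data: maria is in Analysts, which is nested in Finance.
MEMBERSHIPS = {"maria": ["Analysts"], "Analysts": ["Finance"]}
LEVELS = identity_hierarchy("maria", MEMBERSHIPS)
FOLDER = MetaObject("Reports folder", explicit={("Finance", "Read"): GRANT})
PAYROLL = MetaObject("Payroll report", parent=FOLDER,
                     explicit={("Analysts", "Read"): DENY})
SALES = MetaObject("Sales report", parent=FOLDER)

if __name__ == "__main__":
    for report in (PAYROLL, SALES):
        print(report.name, metadata_decision(report, LEVELS, "Read"))
    print(can_perform(SALES, LEVELS, "Read", {"os": False, "dbms": True}))
```

The Payroll report is denied despite the folder-level grant, and the Sales report, which is granted in metadata, is still unreadable when the operating system layer refuses the action.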
