
Security Report Macros

%MDSECDS



Generates authorization data sets. This is the top-level macro (it calls the underlying macros and should be used on its own).
Used in: Security reporting
Type: Stand-alone
Requirement: Connection to the metadata server


Syntax

%MDSECDS (OUTDATA=data-set, <FOLDER="path">, <INCLUDESUBFOLDERS=YES | NO>, <MEMBERTYPES="list">, <MEMBERFILTER="expression">, <PERMS="list">, <IDENTITYNAMES="list">, <IDENTITYTYPES="list">);

OUTDATA

provides a base name for the output. By default, the base name is work.mdsecds. See Authorization Data Sets.

The following options define the scope of the extraction:

FOLDER

identifies a starting point folder. By default, the starting point is the server root (the first node on the Folders tab in SAS Management Console). If you provide a path (such as "\Products\SAS Intelligence Platform\Samples"), the starting point is the last folder in the path.

Note: To avoid having to type a long pathname, copy the path from a child item's General tab into your code.

INCLUDESUBFOLDERS

controls whether the entire subtree is included. By default, all objects in the entire subtree are included. If you specify NO, only the immediate contents of the starting point folder are included.

MEMBERTYPES

limits by object type. By default, all public types are included. If you provide a comma-delimited list of types, only those types are included.

You must provide the public type name in its TypeName format. For example, if you access the Advanced tab in the properties dialog box for the Information Map (relational) object type, you will see that its TypeName is InformationMap.Relational. All public types are displayed on the Folders tab in SAS Management Console under System > Types.

Note: If you use this option, examine the output. The log doesn't display errors or warnings for incorrectly specified types.

MEMBERFILTER

limits by metadata attribute value. By default, no filter is applied. If you provide an expression, only objects that meet the criteria are included. The format for the expression is @attribute-name comparison-operator 'value' (for example, @objID ='A5HDAJSI.B90006Y5' or @Name =:'Salary').

Comparison operators for character data include = (equals), =: (begins with), ? (contains), and ne (not equals).

Metadata attributes are associated with an object's metadata type (not public type). Here are two common attributes:

objID

is the object's metadata ID, which is displayed on the object's Inheritance tab.

Note: To access an object's Inheritance tab, open the object's properties dialog box, select the Authorization tab, and then click Advanced. This feature is available only to unrestricted users.

Name

is the object's name, which is displayed in the Name field on the object's General tab.

To find additional attributes:
  1. Determine the MetadataType of the object you are interested in. The type is displayed on the object's Inheritance tab. For example, if you look at the Inheritance tab for your My Folder, you will see that the MetadataType for a folder is Tree. MetadataType is a low-level, internal classification.

  2. In the reference documentation for the metadata model, look up that MetadataType to find the names of its attributes.

PERMS

specifies which permissions to include. By default, all permissions that are supported for each object type are included for objects of that type. If you provide a comma-delimited list of permissions, only those permissions are included. Even if the permissions in your user interface are translated, you must specify the English-language permission names (for example, ReadMetadata).

IDENTITYNAMES

specifies which identities to include. By default, only the named participants (the identities that are listed on an object's Authorization tab) are included. If you provide a comma-delimited list of identity names, only those identities are included. List identities by their names, not their display names.

If you use this option, you must also use the IDENTITYTYPES option.

IDENTITYTYPES

specifies whether names in the IDENTITYNAMES list correspond to users or to groups. The two lists are matched by position. For example, the first name listed in the IDENTITYNAMES parameter must match the first value in the IDENTITYTYPES list. Valid values in this list are Person and IdentityGroup.
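Because IDENTITYNAMES and IDENTITYTYPES are paired by position, a miscounted or misspelled list can make an access review answer a different question than the one intended. The following is an added example, not SAS-supplied code: a hypothetical wrapper macro, %mdsecds_checked, that verifies the two lists before calling %MDSECDS. It assumes that all four list options are passed as double-quoted strings and that the type values must match the spelling shown on this page exactly.

```sas
/* Added example: %mdsecds_checked is a hypothetical wrapper, not a SAS-supplied macro. */
%macro mdsecds_checked(outdata=work.mdsecds, identitynames=, identitytypes=,
                       membertypes=, perms=);
  %local list_ok;
  %let list_ok = 0;

  /* IDENTITYNAMES requires IDENTITYTYPES, so insist on both. */
  %if %length(%superq(identitynames)) = 0 or %length(%superq(identitytypes)) = 0 %then %do;
    %put ERROR: Supply both IDENTITYNAMES and IDENTITYTYPES.;
    %return;
  %end;

  /* The lists arrive double-quoted, so they are valid DATA step literals. */
  data _null_;
    length names types $ 32767 type $ 64;
    names = &identitynames;
    types = &identitytypes;
    n_names = countw(names, ',');
    n_types = countw(types, ',');
    ok = 1;

    /* The lists are matched by position, so the counts must agree. */
    if n_names ne n_types then do;
      put 'ERROR: IDENTITYNAMES and IDENTITYTYPES differ in length: ' n_names= n_types=;
      ok = 0;
    end;

    /* Each type must be one of the two valid values (exact spelling is an assumption). */
    do i = 1 to n_types;
      type = strip(scan(types, i, ','));
      if type not in ('Person', 'IdentityGroup') then do;
        put 'ERROR: Entry ' i 'of IDENTITYTYPES is not Person or IdentityGroup: ' type;
        ok = 0;
      end;
    end;

    call symputx('list_ok', ok, 'L');
  run;

  /* Run the extraction only when both checks passed. */
  %if &list_ok = 1 %then %do;
    %mdsecds(outdata=&outdata, identitynames=&identitynames, identitytypes=&identitytypes,
             membertypes=&membertypes, perms=&perms);
  %end;
  %else %put ERROR: Identity lists failed validation. MDSECDS was not run.;
%mend mdsecds_checked;
```

A call such as %mdsecds_checked(identitynames="sasdemo,PUBLIC", identitytypes="Person,IdentityGroup", membertypes="Report", perms="WriteMetadata"); passes both checks and runs the extraction. Dropping one entry from either list stops it before any data set is written.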


Examples

This code extracts information about permissions on the objects in the Sales folder but doesn't include objects in subfolders:

%mdsecds(folder="\Shared Data\Sales", includesubfolders=no);

This code extracts information about permissions on tables and schemas in the Sales folder and its subfolders:

%mdsecds(folder="\Shared Data\Sales", membertypes="Library,OLAPSchema");

This code extracts information that indicates which libraries a particular user (the SAS Demo User) can see:

%mdsecds(identitynames="sasdemo", identitytypes="Person", membertypes="Library",
      perms="ReadMetadata");

This code extracts information that indicates which stored processes two users (the SAS Demo User and Tara O'Toole) can see:

%mdsecds(identitynames="sasdemo,totoo", identitytypes="Person,Person",
     membertypes="StoredProcess", perms="ReadMetadata");

This code extracts information that indicates which reports one user and one group (the SAS Demo User and PUBLIC) can modify:

%mdsecds(identitynames="sasdemo,PUBLIC", identitytypes="Person,IdentityGroup", 
     membertypes="Report", perms="WriteMetadata");

This code extracts information that indicates who can view reports that include the word "Salary" in their names:

%mdsecds(membertypes="Report", perms="ReadMetadata", memberfilter="@Name ? 'Salary'");

This code extracts permission settings for an item that is referenced by its object ID:

%mdsecds(memberfilter="@objID  = 'A5HDAJSI.B90006Y5'");
