Permissions on Folders
One approach to establishing protections on custom folders is to create a few general-use ACTs and apply one or more of those ACTs on the Authorization tab of any folder that you need to secure. To grant access back to a particular group, supplement a folder's baseline ACT settings by adding grants on that folder's Authorization tab.
The examples in this chapter use the following baseline ACTs:
- Hide: prevents visibility (for users who aren't in the SAS Administrators group).
- Protect: prevents updates, deletions, and contributions (by users who aren't in the SAS Administrators group).
- LimitData: prevents access to data through the OLAP server, information maps, and the metadata LIBNAME engine (for all restricted users).
Each ACT's name describes the effect of applying that ACT to an item that has no explicit or ACT (green) settings. The following tables document the permission pattern for each of these ACTs:
Permission pattern for the Hide ACT (see note 1):

Group | Grant or Denial | Permissions
---|---|---
PUBLIC | Denial | ReadMetadata
SAS Administrators | Grant | ReadMetadata
SAS System Services | Grant | ReadMetadata

Note 1: Gives SAS Administrators and service identities exclusive read access to metadata.

Permission pattern for the Protect ACT (see note 1):

Group | Grant or Denial | Permissions
---|---|---
PUBLIC | Denial | WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer
SAS Administrators | Grant | WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer, ReadMetadata

Note 1: Gives SAS Administrators exclusive write access to metadata.

Permission pattern for the LimitData ACT (see note 1):

Group | Grant or Denial | Permissions
---|---|---
PUBLIC | Denial | Read

Note 1: Prevents all restricted users from accessing data (through information maps, the OLAP server, and the metadata LIBNAME engine).
Each baseline ACT reduces a particular type of access down to a minimal level. In the Hide and Protect ACTs, the grants to SAS Administrators preserve standard administrative access so that members of that group can manage all metadata (for alternatives, see Separated Administration). In the Hide ACT, the grant to SAS System Services preserves necessary service access (the SAS Trusted User, who is a member of that group, reads certain metadata on behalf of all users). The LimitData ACT is unusual in that the pattern consists of a single setting. This chapter uses this ACT for consistency and in case at some future point you want to give a restricted user access to all data.
To create the baseline ACTs:

1. Log on to SAS Management Console as a registered user (anyone who has a well-formed user definition). Select the Plug-ins tab.
2. Expand Authorization Manager, right-click Access Control Templates, and select New Access Control Template.
3. On the General tab, enter the ACT name (Protect, Hide, or LimitData).

   Note: If you previously created the Protect ACT to protect server definitions, just verify that the pattern on that ACT is correct.
4. On the Permission Pattern tab, define the settings this ACT will provide:
   1. Click Add. In the Add Users and Groups dialog box, clear the Show Users check box. Move PUBLIC and any other participating identities (SAS Administrators and SAS System Services) to the Selected Identities list box. Click OK.
   2. On the Permission Pattern tab, define explicit settings as specified in the preceding tables. Remove the automatically created grants of ReadMetadata permission except as specified.

   Note: Make sure you are on the Permission Pattern tab and not the Authorization tab.
5. On the Authorization tab, protect the ACT that you are creating. Either apply the Protect ACT or add explicit settings that deny WriteMetadata permission to PUBLIC and grant WriteMetadata permission to the SAS Administrators group.

   Note: If the Users and Groups list box on the ACT's Authorization tab is empty, click OK to save the ACT. Then, right-click the new ACT, select Properties, and select the Authorization tab again.
6. Click OK. Repeat until you have created all three baseline ACTs.
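To confirm that the patterns you entered match the preceding tables, the following added example (not SAS code and not part of the original documentation) compares a hand-recorded pattern against the baseline and reports missing settings and leftover automatic grants. The `Group | Grant or Denial | permissions` text format, the function names, and the sample input are assumptions constructed for illustration.

```python
# Baseline permission patterns, transcribed from the tables on this page.
_WRITE = {"WriteMetadata", "WriteMemberMetadata", "CheckInMetadata",
          "Write", "Administer"}
BASELINE = {
    "Hide": {
        ("PUBLIC", "Denial"): {"ReadMetadata"},
        ("SAS Administrators", "Grant"): {"ReadMetadata"},
        ("SAS System Services", "Grant"): {"ReadMetadata"},
    },
    "Protect": {
        ("PUBLIC", "Denial"): set(_WRITE),
        ("SAS Administrators", "Grant"): _WRITE | {"ReadMetadata"},
    },
    "LimitData": {("PUBLIC", "Denial"): {"Read"}},
}

def parse_pattern(text):
    """Parse 'Group | Grant or Denial | perm, perm' lines (assumed format)."""
    pattern = {}
    for line in text.strip().splitlines():
        group, kind, perms = (field.strip() for field in line.split("|"))
        names = {p.strip() for p in perms.split(",") if p.strip()}
        pattern.setdefault((group, kind), set()).update(names)
    return pattern

def audit(act_name, pattern):
    """Return sorted (finding, group, kind, permission) deviations."""
    expected = BASELINE[act_name]
    findings = []
    for key in set(expected) | set(pattern):
        want, have = expected.get(key, set()), pattern.get(key, set())
        findings += [("missing", *key, p) for p in want - have]
        findings += [("unexpected", *key, p) for p in have - want]
    return sorted(findings)

# Constructed sample: a Protect pattern recorded from the Permission Pattern
# tab where the automatic ReadMetadata grant to PUBLIC was not removed and
# the Administer denial was overlooked.
SAMPLE_PROTECT = """
PUBLIC | Denial | WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write
PUBLIC | Grant | ReadMetadata
SAS Administrators | Grant | WriteMetadata, WriteMemberMetadata, CheckInMetadata, Write, Administer, ReadMetadata
"""

if __name__ == "__main__":
    for finding in audit("Protect", parse_pattern(SAMPLE_PROTECT)):
        print(*finding, sep=" | ")
```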
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.