Manage Permissions

Overview

When security is enabled, each DataFlux Data Management Server maintains permissions that determine, in part, a user's access to the jobs, services, data sets, and commands on that server. The permissions are maintained for each object in an access control list (ACL). Authorization can also be determined by IP address and by default access control entries.

Configure Default Access Control Entries

When a new object is added to the repository of the DataFlux Data Management Server, the server associates default access control entries (ACEs) with that new object. The default ACEs allow or deny access to the object by named users and groups. The default ACEs are determined by the following configuration options:
  • DMSERVER/SECURE/DEFAULT_ACE_GROUPS_ALLOW
  • DMSERVER/SECURE/DEFAULT_ACE_GROUPS_DENY
  • DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW
  • DMSERVER/SECURE/DEFAULT_ACE_USERS_DENY
Consider these implementation details before you develop lists of users and groups for the four configuration options:
  • When you add or change the default ACE configuration, the changes apply only to subsequent additions to the repository.
  • The group allow and deny options can include the default groups PUBLIC and USERS.
  • Command permissions that are not object-based, such as List/Post, are not affected by the default ACE configuration.
  • Any conflict between ALLOW and DENY entries generates an error message and prevents all users from connecting to the DataFlux Data Management Server.
  • Any user or group name in the four configuration options that is not recognized by your authentication provider (the SAS Metadata Server by default) generates an error message and prevents all users from connecting to the server.
Follow these steps to configure your default access control entries:
  1. Develop a plan for your default ACE configuration that includes exact syntax for the users and groups that you plan to assign ALLOW or DENY access.
  2. Stop the DataFlux Data Management Server.
  3. Open the configuration file install-path/etc/dmserver.cfg.
  4. For each configuration option in your plan, enter the planned list of users or groups as the value of that option. The names in each list are separated by the delimiter " | " (a space, a vertical bar, and a space), as shown in the following example.
    DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW = Jones, Susan | Jim Albrecht | darusso
  5. Save and close the configuration file, and then restart the DataFlux Data Management Server.
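Because a single ALLOW/DENY conflict or one unrecognized name in these four options locks every user out of the server until the file is corrected, it is worth checking a planned dmserver.cfg before the restart in step 5. The following Python script is an added example, not part of the DataFlux product or its documentation. It assumes the " | " delimiter syntax shown above and uses a constructed list of known users and groups in place of the names your authentication provider actually holds; the handling of lines beginning with # as comments is also an assumption.

```python
"""Pre-flight check for the DMSERVER/SECURE/DEFAULT_ACE_* options.

Added example; not product code. It reports the two conditions the
documentation says will prevent all users from connecting (a name in both
an ALLOW and the matching DENY option, and a name the authentication
provider does not recognize) plus malformed delimiters.
"""
import re

DEFAULT_ACE_OPTIONS = (
    "DMSERVER/SECURE/DEFAULT_ACE_GROUPS_ALLOW",
    "DMSERVER/SECURE/DEFAULT_ACE_GROUPS_DENY",
    "DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW",
    "DMSERVER/SECURE/DEFAULT_ACE_USERS_DENY",
)

# Constructed placeholder for the principals known to the authentication
# provider (SAS Metadata Server by default). Replace with a real export.
KNOWN_USERS = {"Jones, Susan", "Jim Albrecht", "darusso", "tmiller"}
KNOWN_GROUPS = {"PUBLIC", "USERS", "Data Stewards", "Contractors"}

# Constructed excerpt of install-path/etc/dmserver.cfg with two planted faults:
# 'darusso' is both allowed and denied, and 'jdoe' is not a known user.
SAMPLE_CFG = """\
DMSERVER/SECURE/DEFAULT_ACE_GROUPS_ALLOW = USERS | Data Stewards
DMSERVER/SECURE/DEFAULT_ACE_GROUPS_DENY = Contractors
DMSERVER/SECURE/DEFAULT_ACE_USERS_ALLOW = Jones, Susan | Jim Albrecht | darusso
DMSERVER/SECURE/DEFAULT_ACE_USERS_DENY = darusso | jdoe
"""


def parse_cfg(text):
    """Return {option: value} for 'KEY = value' lines.

    Blank lines and lines starting with '#' are skipped (assumed comment
    syntax). Only the first '=' splits key from value, so names containing
    commas or spaces survive intact.
    """
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def split_names(value):
    """Split a ' | ' delimited list into names; empty value gives []."""
    return [name.strip() for name in value.split("|") if name.strip()]


def check_default_aces(options, known_users=KNOWN_USERS, known_groups=KNOWN_GROUPS):
    """Return a list of problem strings; an empty list means the plan is safe."""
    problems = []
    lists = {}
    for opt in DEFAULT_ACE_OPTIONS:
        value = options.get(opt, "")
        # A '|' not surrounded by spaces is not the documented delimiter.
        if re.search(r"\S\||\|\S", value):
            problems.append(f"{opt}: delimiter must be ' | ' (space, pipe, space)")
        lists[opt] = split_names(value)

    for kind, known in (("GROUPS", known_groups), ("USERS", known_users)):
        allow = lists[f"DMSERVER/SECURE/DEFAULT_ACE_{kind}_ALLOW"]
        deny = lists[f"DMSERVER/SECURE/DEFAULT_ACE_{kind}_DENY"]
        for name in sorted(set(allow) & set(deny)):
            problems.append(f"{kind}: '{name}' is in both ALLOW and DENY")
        for name in allow + deny:
            if name not in known:
                problems.append(f"{kind}: '{name}' is not known to the authentication provider")
    return problems


if __name__ == "__main__":
    for problem in check_default_aces(parse_cfg(SAMPLE_CFG)):
        print("LOCKOUT RISK:", problem)
```

Run it against the edited file (replace SAMPLE_CFG with the file contents) and only restart the server when it prints nothing. The delimiter check is deliberately strict: a bare "|" without surrounding spaces would otherwise be read as part of a name and then fail the recognized-name check on the server.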

Set Permissions Using a Job List

When a user posts a job or service to the server, that user becomes the owner of that object. The owner of an object can always execute and delete an object, regardless of user or group authorizations. When a user creates an object by copying the file, ownership is set to the administrators group. An administrator can change ownership to another user or group at any time.
Follow these steps to grant permissions directly from a job list in DataFlux Data Management Server for Batch Jobs and Real-Time Services:
Note: Profile jobs do not have associated object-level access control, so you cannot set permissions for profile jobs.
  1. Open Data Management Studio and click the DataFlux Data Management Servers riser bar.
  2. In the left navigation pane, select the DataFlux Data Management Server that you want to work with and connect to that server.
  3. Click the + sign next to your server to expand the list of job folders.
  4. Click the + to expand the category of jobs or services that you want to work with: Batch Jobs, Real-Time Data, or Process Services.
  5. Select a job or service from the list in the left navigation pane, and then click the Permissions tab in the right information pane.
  6. Under Participants, click Add to open the Add Users and Groups dialog box.
    Note: If the Permissions tab does not appear, you might be viewing a profile job that does not have object-level access control.
  7. Select a user, or multiple users, and click Add. The user is added to the participant list for the job and granted permissions.
    Note: On the Permissions tab, you can also change ownership of a job or service by clicking to the right of the Owner field.

Remove Users and Groups

Follow these steps to remove a user or group object from the Users and Groups list on the DataFlux Data Management Server:
Note: The definition of the user or group is retained on the SAS Metadata Server or the Authentication Server.
  1. Connect to Data Management Server and open the Security tab.
  2. Select the user or group that you want to remove and click Delete.
  3. Click Yes at the confirmation dialog box.
When the object is removed, its associated permissions are deleted.

Reference for Permissions

Permissions on the Data Management Server are defined as follows. Each permission name is followed by its description.
  Execute data service
    When this option is enabled, the user can view and execute real-time data services. This includes running, preloading, and unloading a data service.
  Execute process service
    When this option is enabled, the user can view and execute real-time process services. This includes running, preloading, and unloading a process service.
  Execute Batch Job
    When enabled, the user can run a batch job, get a batch job file, and get the status of a batch job's nodes.
  Execute Profile Job
    When enabled, the user can get and run a profile job.
  Post Data Service
    When enabled, the user can upload real-time data services to the server.
  Post Process Service
    When enabled, the user can upload real-time process services to the server.
  Post Batch Job
    When enabled, the user can upload a batch job to the server.
  Post Profile Job
    When enabled, the user can upload a profile job to the server.
  Delete Data Service
    When enabled, the user can delete a real-time data service.*
  Delete process service
    When enabled, the user can delete a real-time process service.*
  Delete batch job
    When enabled, the user can delete a batch job.*
  Delete profile job
    When enabled, the user can delete a profile job.*
  List data service
    When enabled, the user can list real-time data services.
  List process service
    When enabled, the user can list real-time process services.
  List batch job
    When enabled, the user can list batch jobs.
  List profile job
    When enabled, the user can list profile jobs.
* In addition to enabling this permission, the user must also be the owner of the object, or an administrator, when performing these delete functions.
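The interaction between an object's ACEs, its owner, and the administrators group is easy to get wrong when reviewing who can remove a job, so the following Python model is added here as a worked example. It is not product code and encodes only what this page states: the owner can always execute and delete an object regardless of ACEs, and a delete additionally requires the caller to be the owner or an administrator. The page does not say how the server resolves an ALLOW and a DENY for the same principal on one object, so the model assumes DENY wins; the group name "Administrators" and all users, groups, and jobs in the scenario are constructed.

```python
"""Authorization model for execute/delete on Data Management Server objects.

Added example; not the server's actual algorithm. Assumptions are marked.
"""
from dataclasses import dataclass, field

ADMIN_GROUP = "Administrators"  # assumed name of the administrators group


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class ServerObject:
    name: str
    owner: str                        # a user or a group name
    allow: dict = field(default_factory=dict)  # permission -> {principal names}
    deny: dict = field(default_factory=dict)   # permission -> {principal names}


def is_owner(obj, who):
    """Ownership may be held by a user or by a group (e.g. after a file copy)."""
    return obj.owner == who.name or obj.owner in who.groups


def is_admin(who):
    return ADMIN_GROUP in who.groups


def ace_grants(obj, perm, who):
    """True if an ACE for the user or one of their groups enables `perm`.

    Assumption: an explicit DENY for the user or any of their groups wins
    over any ALLOW. The documentation does not specify this precedence.
    """
    names = {who.name} | set(who.groups)
    if names & obj.deny.get(perm, set()):
        return False
    return bool(names & obj.allow.get(perm, set()))


def can_execute(obj, who):
    """Owner always executes; otherwise an Execute ACE is required."""
    return is_owner(obj, who) or ace_grants(obj, "Execute", who)


def can_delete(obj, who):
    """Owner always deletes; an administrator also needs the Delete ACE;
    anyone else cannot delete even with the Delete ACE (the footnote rule)."""
    if is_owner(obj, who):
        return True
    return is_admin(who) and ace_grants(obj, "Delete", who)


# Constructed scenario: a batch job posted by darusso, with Execute granted to
# the USERS group and Delete granted to Administrators and to tmiller.
JOB = ServerObject(
    name="nightly_cleanse.djf",
    owner="darusso",
    allow={"Execute": {"USERS"}, "Delete": {"Administrators", "tmiller"}},
    deny={"Execute": {"Contractors"}},
)
OWNER = Principal("darusso", frozenset({"USERS"}))
ADMIN = Principal("sasadm", frozenset({"USERS", "Administrators"}))
STEWARD = Principal("tmiller", frozenset({"USERS"}))          # Delete ACE, not admin
CONTRACTOR = Principal("jdoe", frozenset({"USERS", "Contractors"}))


def scenario():
    """Return (execute, delete) decisions for each constructed principal."""
    return {
        p.name: (can_execute(JOB, p), can_delete(JOB, p))
        for p in (OWNER, ADMIN, STEWARD, CONTRACTOR)
    }


if __name__ == "__main__":
    for name, (ex, de) in scenario().items():
        print(f"{name:12} execute={ex!s:5} delete={de}")
```

The case worth noticing is tmiller: the Delete Batch Job permission is enabled for that user, yet the delete is refused because tmiller is neither the owner nor an administrator, which is exactly the starred rule in the table. The contractor case shows the assumed DENY precedence; if your deployment resolves conflicts differently, adjust ace_grants rather than the owner and administrator checks.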