Data visible in the
information views is based on the user object and the privileges associated
with the object. Therefore, user privileges determine what records
are visible to the user. All users can query views but an empty result
set is returned if the user does not have privileges to a specific
view. Use the ADMIN DSN to connect to the information views.
A majority of the information
views return system-level data that is relevant only to administrators
or to technical support staff working with customers. The exceptions
are certain information views that return privilege information, since
users should be able to see what privileges they are granted on objects
for which they have at least a single privilege.
The following information
summarizes user visibility and the data returned from SAS Federation Server.
Administrators and System Users
System users and server
administrators can view all data in all information views. The following
related views are restricted to system users and administrators only:
Administrators and System Users
AUTHORIZATION_IDENTIFIERS | System user and SAS® Federation Server administrators only
The following table
lists the visibility rules that are associated with information views
that are related to data services:
Data Services
A data service is visible to a user if:
- the user has CONNECT, ADMINISTER, or CREATE DSN privileges on the data service, or
- the user has CONNECT privilege on any data service DSN.
The following table
lists the visibility rules that are associated with information views
for data source names:
DSN
A data source name (DSN) is visible to a user if:
- the user is the owner of the DSN, or
- the user has CONNECT privilege on the DSN.
SAS Federation Server needs to display catalogs and schemas for the BASE
service without connecting to the data service first. This differs from
other data services, where SAS Federation Server Manager can connect to
the data service and query it for its associated list of catalogs and schemas.
Non-administrator users must be able to see BASE objects. For example,
a user with CREATE CACHE privilege needs to be able to cache views from
the user interface. Creating views from SAS Federation Server Manager
is another example. Results from the catalogs and schemas information
views are filtered according to the user’s privileges.
Catalogs and Schemas
A catalog is visible to a user if:
- the data service is visible.
A schema is visible to a user if:
- the data service is visible.
The following table
lists the visibility rules that are associated with information views
for object privileges:
Object Privileges
Privilege rows are visible to a user if:
- the user is the grantor of the privilege, or
- the user is the grantee of the privilege, or
- one of the user’s groups is the grantee of the privilege (including the USERS or PUBLIC group)
AND
- the user has at least one privilege on the object in the view (DSN/data service/catalog/schema/object/column)
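The object-privilege visibility rule above, modeled as an added example (not SAS code and not part of the original documentation). The row layout and the user, group and object names are constructed; the example assumes that AND applies to all three OR conditions, that a grant to one of the user's groups counts as "at least one privilege on the object", and that every user belongs to USERS and PUBLIC.

```python
# Added illustration, not SAS code: models the privilege-row visibility rule.
from dataclasses import dataclass

IMPLICIT_GROUPS = {"USERS", "PUBLIC"}  # assumption: every user belongs to both

@dataclass(frozen=True)
class PrivilegeRow:          # constructed row layout, not the real view columns
    grantor: str
    grantee: str             # a user name or a group name
    privilege: str
    obj: str                 # DSN, data service, catalog, schema, object or column

def principals(user, groups):
    """The user plus every group the user belongs to."""
    return {user} | set(groups.get(user, ())) | IMPLICIT_GROUPS

def holds_privilege_on(user, obj, rows, groups):
    """Assumption: a grant to the user or to one of the user's groups counts
    as 'at least one privilege on the object'."""
    who = principals(user, groups)
    return any(r.obj == obj and r.grantee in who for r in rows)

def visible_rows(user, rows, groups, admins=frozenset()):
    """Rows of a privileges view that `user` would get back."""
    if user in admins:       # system users and administrators see everything
        return list(rows)
    who = principals(user, groups)
    return [r for r in rows
            # grantor, grantee, or member of the grantee group ...
            if (r.grantor == user or r.grantee in who)
            # ... AND at least one privilege on the same object
            and holds_privilege_on(user, r.obj, rows, groups)]

# Constructed sample data (hypothetical users, groups and objects).
GROUPS = {"alice": ["ANALYSTS"]}
ADMINS = frozenset({"dba"})
ROWS = [
    PrivilegeRow("dba", "alice",    "SELECT", "SALES.ORDERS"),
    PrivilegeRow("dba", "ANALYSTS", "SELECT", "SALES.CUSTOMERS"),
    PrivilegeRow("dba", "PUBLIC",   "SELECT", "REF.COUNTRIES"),
    PrivilegeRow("bob", "carol",    "SELECT", "HR.PAYROLL"),
    PrivilegeRow("dba", "carol",    "UPDATE", "SALES.ORDERS"),
]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dba"):
        seen = visible_rows(name, ROWS, GROUPS, ADMINS)
        print(f"{name:6}", [(r.grantee, r.privilege, r.obj) for r in seen])
```

In this model alice holds SELECT on SALES.ORDERS yet does not see carol's UPDATE grant on the same object, because she is neither grantor nor grantee of that row. Under the assumed reading of AND, bob sees only the PUBLIC grant: he is the grantor of the HR.PAYROLL row but holds no privilege on that object himself.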
Data cache metadata
is distributed between the CACHES, MESSAGES and CONFIG_OBJECTS information
views. Users with CREATE CACHE or ALTER CACHE privilege will need
to see data from these information views.
Data Cache
Data items are visible to a user if:
- the item is a data cache item, and
- the user has CREATE CACHE or ALTER CACHE privilege on the item
Container and Object Privileges
Privileges in the container
and object categories pertain to server, data services, catalogs,
schemas, objects, and columns.
Container and Object Privileges
DSN_PRIVILEGES and EFFECTIVE_DSN_PRIVILEGES
PRIVILEGES and EFFECTIVE_PRIVILEGES
X_COLUMN_PRIVILEGES/X_EFFECTIVE_COLUMN_PRIVILEGES
Privileges for these items are visible to a user if:
- the user is the grantee of the privilege.
- one of the user’s groups is the grantee of the privilege, including the USERS group.
- the privilege is granted to the PUBLIC group.