DATA Step Functions for Metadata Security Administration

METASEC_GETNAUTH Function

Returns the nth authorization for an object.

rc = METASEC_GETNAUTH(tc,uri,n,type,name,auth,perm,cond<,flags,display>);

Argument	Direction	Description
tc	in	Transaction context handle; can be an empty string " " to invoke with a temporary context
uri	in	Character variable or constant that contains the URI of the object that is requested; can be an empty string " " if tc is specified; you can optimize performance by using the following form of URI: omsobj:metatype/identifier.identifier
n	in	One-based numeric index value that indicates which row to return from the array; for more information, see Array Parameters
type	in/out	Character variable that contains the identity type. The variable should be large enough to store the two available values, IdentityGroup or Person, probably at least $13. If this argument is empty, all identities associated to authorizations for the object are returned. Can be a comma-delimited list that is parallel to a list for the name argument; for more information, see About the in/out Arguments.
name	in/out	Character variable that contains the identity name, which must be unique for every identity of that type on the metadata server. If this argument is empty, all identities associated to authorizations for the object are returned. Can be a comma-delimited list that is parallel to a list for the type argument; for more information, see About the in/out Arguments.
auth	out	Integer bit field that indicates grant or deny, and the origin of the grant or deny. You can use macro variables from %MDSECCON() to translate the integer into a recognizable message;for more information, see Authorizations and the %MDSECCON() Macro.
perm	in/out	For input, it is an optional, comma-delimited list of permission names for which authorizations are requested;for more information, see About the in/out Arguments. If this argument is empty, all available permissions are returned. For output, it is a character variable that contains the name of the permission whose grant or deny state is specified in the auth argument.
cond	out	Character variable that contains the condition if a grant permission is conditional; can be very long, so if this argument is too short, the value is truncated
flags	in	Optional integer bit field; you can use one of the following macro variables from %MDSECCON() _SECAD_ACT_CONTENTS Return the authorizations that define the contents of an ACT when the tc or uri argument references an ACT _SECAD_DO_NOT_RETURN_PERMCOND Do not return any available values for the cond argument For more information see Using the %MDSECCON() Macro.
display	out	Optional; character variable that contains the value of the DisplayName attribute if the identity has a DisplayName attribute

Authorizations and the %MDSECCON() Macro

As noted in Arguments, the auth parameter of the METASEC_GETNAUTH function returns an integer that indicates grant or deny and the origin of the grant or deny. To simplify usage, you can use macro variables from %MDSECCON() instead of the integer values. Here are the authorizations, macro variables, and descriptions. For more information, see Using the %MDSECCON() Macro. For suggested usage, see Example: Working with ACTs.

Authorization Type	Macro Variable	Description
Explicit deny	_SEC_PERM_EXPD	Explicit deny that originates from the authorization that is directly associated to the object
Explicit grant	_SEC_PERM_EXPG	Explicit grant that originates from the authorization that is directly associated to the object
Explicit mask	_SEC_PERM_EXPM	Mask to extract explicit value that originates from the authorization that is directly associated to the object
ACT deny	_SEC_PERM_ACTD	Deny that originates from an ACT other than the default ACT
ACT grant	_SEC_PERM_ACTG	Grant that originates from an ACT other than the default ACT
ACT mask	_SEC_PERM_ACTM	Mask to extract indirect value that originates from an ACT other than the default ACT
Indirect deny	_SEC_PERM_NDRD	Indirect deny that originates from an IdentityGroup membership, through inheritance, or from the default ACT; an indirect value is always returned
Indirect grant	_SEC_PERM_NDRG	Indirect grant that originates from an IdentityGroup membership, via inheritance, or from the default ACT; an indirect value is always returned
Indirect mask	_SEC_PERM_NDRM	Mask to extract indirect value that originates from an IdentityGroup membership, via inheritance, or from the default ACT; an indirect value is always returned.

About the in/out Arguments

Some of this function's arguments are in/out. After the first call for the specified URI, the in/out parameters do not need to be reset to the initial calling value. Subsequent calls will retrieve the output values from the cache, and place them in the output variable without consideration of the value when the call was made. In other words, after the first call is made for the URI, the metadata server ignores the input aspect of the in/out parameters.

Here is an example of comma-delimited lists for type and name arguments:

type = "person,person,person";
name = "Fred,Yolanda,Viktorija";

rc = metasec_getnauth(tc,uri,n,type,name,auth,permission,cond);

Return Values

Value	Description
0	Successful completion
-1	Unable to connect to the metadata server
-2	Error parsing type or name input list
-3	No objects match the specified URI
-4	Numeric value (flag) exceeds the maximum usable value
-5	n is out of range
-99 or less	Other error; see log or sysmsg() for information

Details

This function calls the ISecAdmin method GetAuthorizationsOnObj(). For information about the method, see SAS Open Metadata Interface: Reference.

Example

Example: Working with ACTs

Related Functions

Top of Page