SAS Namespace Types
Subclass of AccessControl
The AccessControlEntry metadata type is used to define an access control directly on a resource. The access control is stored with the resource definition and is unique to that resource. That is, the AccessControlEntry (ACE) cannot be applied to another metadata object.
An ACE can specify permissions for both individual users and groups. If a given identity is referenced more than once in the ACE (for example, both directly and by virtue of membership in one or more groups), the permission assigned directly to the identity takes precedence. When the SAS Open Metadata Architecture authorization facility evaluates access controls, a permission assigned in an ACE takes precedence over a permission assigned in an AccessControlTemplate (ACT). A resource-specific access control also takes precedence over any inherited access controls and over permissions assigned in the Repository ACT.

An ACE should not be explicitly created or deleted. ACEs are managed programmatically using the SAS Open Metadata Interface ISecurityAdmin method class, which is documented in the SAS 9.2 Open Metadata Interface: Reference and Usage. The ISecurityAdmin class provides methods for defining and managing direct access controls as well as access control templates.

The following is a list of associations that are used to determine whether this object should inherit access controls from another object (inheritance) or whether the association is allowed for the object (enforcement). For more information about inheritance and enforcement rules, see the SAS 9.2 Intelligence Platform: Security Administration Guide.
Name | Cardinality | Description | Associated Types |
AssociatedCondition (Partner: OwningAccessControlEntry) | 0 to 1 | Expression used to conditionally grant a user or group access to a resource. | PermissionCondition |
Identities (Partner: AccessControlEntries) | 0 to * | The identities associated to this access control entry. | Identity, IdentityGroup, Person |
Permissions (Partner: AccessControlEntries) | 0 to * | The permissions that are granted or denied by this access control entry. | Permission |
Inherited Associations
AccessControls/Objects ,
AccessControlTemplates/AccessControlItems ,
Changes/Objects ,
CustomAssociations/OwningObject ,
Documents/Objects ,
Extensions/OwningObject ,
ExternalIdentities/OwningObject ,
Groups/Members ,
Implementors/ImplementedObjects ,
Keywords/Objects ,
LocalizedAttributes/AssociatedLocalizedObject ,
Notes/Objects ,
Objects/AccessControls ,
PrimaryPropertyGroup/AssociatedObject ,
Prompts/PromptEnabledObject ,
Properties/AssociatedObject ,
PropertySets/OwningObject ,
ReferencedObjects/AssociatedObjects ,
ResponsibleParties/Objects ,
SourceTransformations/TransformationSources ,
SpecSourceTransformations/SourceSpecifications ,
SpecTargetTransformations/TargetSpecifications ,
TargetTransformations/TransformationTargets ,
Timestamps/Objects ,
Trees/Members ,
TSObjectNamespace/TSObjects ,
UsedByPrototypes/UsingPrototype ,
UsingPrototype/UsedByPrototypes ,
Variables/AssociatedObject
AssociatedCondition
Cardinality: 0 to 1
Partner: OwningAccessControlEntry
Expression used to conditionally grant a user or group access to a resource.
Associated Types:
PermissionCondition

Identities
Cardinality: 0 to *
Partner: AccessControlEntries
The identities associated to this access control entry.
Associated Types:
Identity, IdentityGroup, Person

Permissions
Cardinality: 0 to *
Partner: AccessControlEntries
The permissions that are granted or denied by this access control entry.
Associated Types:
Permission
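
The precedence statements in the overview (direct identity over group membership within an ACE, ACE over ACT, resource-specific controls over inherited controls and the Repository ACT) can be modeled as a small resolver that also lists which lower-precedence settings were overridden. This is an added example, not SAS code and not the authorization facility's own algorithm: the `Setting` record, the source labels, and the sample identities and permission names are constructed for illustration, and a tie inside the winning tier is reported as `CONFLICT` because the text does not say how such ties are resolved.

```python
from collections import namedtuple

# Constructed model: one row per permission setting that applies to a resource.
# source is "ACE", "ACT", "INHERITED" or "REPOSITORY_ACT" (labels chosen for this example).
Setting = namedtuple("Setting", "source identity permission decision")

def tier(setting, user, groups):
    """Rank a setting by the precedence statements in the text (0 wins).
    Returns None when the setting does not apply to this user."""
    if setting.identity != user and setting.identity not in groups:
        return None
    if setting.source == "ACE":
        return 0 if setting.identity == user else 1  # direct beats group-derived
    if setting.source == "ACT":
        return 2                                     # an ACE beats an ACT
    return 3                                         # inherited controls, Repository ACT

def resolve(user, groups, permission, settings):
    """Return (decision, winners, shadowed) for one user and one permission.
    decision is "GRANT", "DENY", "CONFLICT" (tie in the winning tier) or None."""
    ranked = [(tier(s, user, groups), s) for s in settings if s.permission == permission]
    ranked = [(t, s) for t, s in ranked if t is not None]
    if not ranked:
        return None, [], []
    best = min(t for t, _ in ranked)
    winners = [s for t, s in ranked if t == best]
    shadowed = [s for t, s in ranked if t != best]
    decisions = {s.decision for s in winners}
    decision = decisions.pop() if len(decisions) == 1 else "CONFLICT"
    return decision, winners, shadowed

# Constructed sample settings for a single resource.
SAMPLE = [
    Setting("ACE", "ETL Developers", "Write", "DENY"),
    Setting("ACE", "alice", "Write", "GRANT"),
    Setting("ACT", "ETL Developers", "Read", "GRANT"),
    Setting("INHERITED", "Everyone", "Read", "DENY"),
    Setting("REPOSITORY_ACT", "Everyone", "Write", "DENY"),
]

if __name__ == "__main__":
    for perm in ("Write", "Read"):
        decision, _, shadowed = resolve("alice", {"ETL Developers", "Everyone"}, perm, SAMPLE)
        print(perm, decision, "overrides", [(s.source, s.identity, s.decision) for s in shadowed])
```

The `shadowed` list is the part worth reviewing in an audit: it shows every deny that a more specific grant silently overrides for that user.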
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.