ACL Security Model

A user whose user name is specified as OWNER= on a domain can control access to his or her domain by creating a domain ACL. A domain ACL is created by specifying the /LIBNAME option when you add an ACL. The permissions defined in the domain ACL are applied whenever a server user attempts to connect to the domain. The owner must grant a user either Read or Write permission in the domain’s /LIBNAME ACL for the connection to succeed. The Read permission gives a user Read and Write permission to existing resources in the domain, based on the resource ACLs, but does not allow the user to create new resources in the domain. Write permission in the /LIBNAME ACL is necessary to allow a user to create new resources in the domain.

When creating an ACL for a domain that specifies LIBACLINHERIT=YES, SAS recommends granting Read permission to other users only. Write permission to a LIBACLINHERIT=YES domain would allow other users to update the owner’s tables in addition to creating tables in the domain. Alter access would allow other users to add and remove columns and indexes in the owner’s tables, in addition to creating tables in the domain. To protect the integrity of the owner’s tables, neither Write nor Alter permission should be defined in an ACL for a LIBACLINHERIT=YES domain.

Users who have been granted the ability to create resources in a domain will need to create ACLs for their resources to allow other users and groups to access the resources. In PROC SPDO, the resource type for all resources except the domain ACL is indicated by using the SET ACLTYPE statement. The SET ACLTYPE statement is specified before the ADD ACL statement and other statements that act on an ACL in PROC SPDO. If you omit the SET ACLTYPE statement from an ACL request, the server will assume that the resource type is DATA.

All resources except table columns are identified in an ACL entry by using a one-part name. When a two-part name is used, it is assumed that the first part is a table name and the second part is a column name.

SPD Server supports generic ACLs to enable resource owners to define permissions for a class of resources that have a common prefix. A generic ACL is created by specifying the /GENERIC option when you add the ACL entry. Marking an ACL as generic causes the ACL to function as if an asterisk (*) wildcard was appended to the end of the ACL entry’s name. For example, if you have tables named Salesne, Salesse, Salesmw, Salessw, Salespw, and Salesnw, you could make a generic ACL entry named Sales to secure all of the tables. This wildcard behavior enables you to make a single ACL entry cover many resources instead of making separate entries for each resource.

If you create a generic ACL for a resource that has a full name ACL, the full name ACL takes precedence. If you create multiple generic ACLs that cover the same table name, the longer generic ACL takes precedence. For example, if you have table MYTABLE and created ACL MYTABLE and generic ACL MYT*, the MYTABLE ACL takes precedence for permission checks on the table. If you create table MYTABLE, generic ACL MYT*, and generic ACL M*, the generic MYT* takes precedence for permission checks on the table.

Table owners can control access to table contents at the column level by defining column ACLs. Column ACLs can be defined for individual users at the user level, or for collections of users at the group level. SPD Server enforces precedence for user and group ACL permissions: First, user ACL permissions are applied, and then group ACL restrictions are applied. User permissions override group permissions.

When you use an ACL statement to create a protected column in a table, all individual users or groups are automatically denied access to the protected column until you explicitly grant them ACL permission to access it. When you issue an ACL statement to grant or deny the contents of a table column to a single user or to a user group, the protected column automatically becomes unavailable to all other users and user groups, unless you specifically give them access to the protected column.

Consider a scenario in which a testing department hires a new member, Joe. Joe has applied for classified security clearance, but his or her security clearance level will not be certified for several weeks. All members of the department use a table called Testing that contains a column of classified information. Joe needs access to all of the Testing table except the protected column, and the rest of his or her group needs access to the whole Testing table. Here are steps to give Joe and the other members of the department the correct permissions:

Now consider another scenario, in which John manages a group Devgroup whose members record their billable project hours and codes in a table. In that table, manager John keeps billing-rate information based on employee salaries in a protected column Rate. Only John should be able to see the entire table, and the rest of the Devgroup should be able to see the table minus the Rate column. In this case, you create column security by protecting the Rate column with a user-level ACL permission statement for John. The Devgroup members can have full table permissions at the group level, but cannot see the protected column because John's user-level column security ACL overrides any group-level ACLs for the Devgroup table.For example code that implements column-level security, see Column-Level Security Example.

A persistent ACL is an ACL that is not removed from a resource when the resource is deleted. When you are using PROC SPDO, use the /PERSIST option to identify a persistent ACL.