libnames.parm: ---------------------------------- LIBNAME=d1 pathname=/IDX1/spdsmgr/d1 owner=admin ; LIBNAME=d2 pathname=/IDX1/spdsmgr/d2 owner=prod1 ; LIBNAME=colsec pathname=/IDX1/spdsmgr/colsec owner=boss ; LIBNAME=onepath pathname=/IDX1/spdsmgr/onepath ;
Password Database List: User Level Entry Type Group ----------------------------------- ADMINGRP 0 GROUP ENTRY GROUP1 0 GROUP ENTRY GROUP2 0 GROUP ENTRY GROUP3 0 GROUP ENTRY GROUP4 0 GROUP ENTRY PRODGRP 0 GROUP ENTRY ADMIN1 7 user ID ADMINGRP ADMIN2 7 user ID ADMINGRP PROD1 7 user ID PRODGRP PROD2 7 user ID PRODGRP USER1 0 user ID GROUP1 USER2 0 user ID GROUP2 USER3 0 user ID GROUP3 USER4 0 user ID GROUP4 USER5 0 user ID GROUP1 USER6 0 user ID GROUP2 USER7 0 user ID GROUP3 USER8 0 user ID GROUP4 BOSS 7 user ID ADMINGRP EMPLOYEE 0 user ID
/* Open libref d2 on domain d2, authenticating as prod1, the domain  */
/* owner.                                                            */
/* NOTE(review): the password is a clear-text literal, readable by   */
/* anyone who can read this program; outside of a sample, supply it  */
/* at run time rather than storing it in the source.                 */
libname d2 sasspds 'd2'
        server=zztop.5162
        user='prod1'
        password='spds123'
        IP=YES ;

/* Run the ACL commands against libref d2. */
PROC SPDO library=d2 ;

   /* prod1 is the owner context for the ACL statements that follow. */
   set acluser prod1 ;

   /* Create the domain-level (LIBNAME) ACL. */
   add ACL / LIBNAME ;

   /* Group grants on the domain. Each tuple reads                   */
   /* (read, write, alter, control); prodgrp receives all four,      */
   /* which includes control of the ACL itself.                      */
   modify ACL / LIBNAME
          prodgrp=(y,y,y,y)
          group1=(y,y,n,n)
          group2=(y,n,n,n)
          group3=(y,n,n,n) ;

   /* Two individual users are granted read on the domain. */
   modify ACL / LIBNAME
          user7=(y,n,n,n)
          admin1=(y,n,n,n) ;

   /* List every ACL so the grants can be checked. */
   list ACL _all_ ;
quit ;
/* Open libref prod2d2 on domain d2, authenticating as prod2.        */
/* NOTE(review): clear-text password literal; acceptable only in a   */
/* sample.                                                           */
libname prod2d2 sasspds 'd2'
        server=zztop.5162
        user='prod2'
        password='spds123'
        IP=YES ;

PROC SPDO library=prod2d2 ;

   /* The ACL to be changed is owned by prod1, so the session        */
   /* context is switched to prod1 even though prod2 is connected.   */
   set acluser prod1 ;

   /* Revoke all domain access from group1 and give group4           */
   /* read-only access.                                              */
   modify ACL / LIBNAME
          group1=(n,n,n,n)
          group4=(y,n,n,n) ;

   /* List every ACL so the change can be checked. */
   list ACL _all_ ;
quit ;
/* Open libref admin1d2 so that admin1 can work on domain d2.        */
/* NOTE(review): admin1 does not own the ACL changed below;          */
/* ACLSPECIAL=YES is the option on this connection that differs from */
/* an ordinary user's LIBNAME. Presumably it is honoured because     */
/* admin1 is a level 7 user in the password database -- confirm, and */
/* keep such accounts few, since they can act on other owners' ACLs. */
/* The password is a clear-text literal; acceptable only in a sample.*/
libname admin1d2 sasspds 'd2'
        server=zztop.5162
        user='admin1'
        password='spds123'
        ACLSPECIAL=YES
        IP=YES ;

PROC SPDO library=admin1d2 ;

   /* Work in the context of prod1, the owner of the domain ACL. */
   set acluser prod1 ;

   /* Group list entry: admingrp gets read-only access to the domain. */
   modify ACL / LIBNAME
          admingrp=(y,n,n,n) ;

   /* List every ACL so the change can be checked. */
   list ACL _all_ ;
quit ;
LIBNAME=LIBINHER pathname=/IDX1/spdsmgr/spds41test/libinher LIBACLINHERIT=YES owner=admin; LIBNAME=noinher pathname=/IDX1/spdsmgr/spds41test/noinher owner=admin;
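/* Compare a domain defined with LIBACLINHERIT=YES (libinher) with   */
/* one defined without it (noinher), as seen by user anonymous.      */
/*                                                                   */
/* Fix: the first comment was missing its closing delimiter and the  */
/* LIBNAME keyword had lost its first letter, so the libinher libref */
/* was never assigned.                                               */
/* NOTE(review): the admin password is a clear-text literal;         */
/* acceptable only in a sample.                                      */

/* Connect to libinher as admin. */
libname libinher sasspds 'libinher'
        server=zztop.5129
        user='admin'
        password='spds123';

/* Connect to noinher as admin. */
libname noinher sasspds 'noinher'
        server=zztop.5129
        user='admin'
        password='spds123';

/* Create the same ten-row table in both domains. */
data libinher.admins_table
     noinher.admins_table ;
   do i = 1 to 10;
      output;
   end;
run;

/* Set up access for user anonymous.                                 */
/* Create the domain ACL for libinher and give all users read-only   */
/* access to the domain. No user or group is named on the MODIFY, so */
/* the grant is not limited to authenticated accounts.               */
PROC SPDO library=libinher;
   set acluser admin;
   add acl / LIBNAME;
   modify acl / LIBNAME read;
   list acl _all_;
quit;

/* Create the same read-only domain ACL for noinher. */
PROC SPDO library=noinher;
   set acluser admin ;
   add acl / LIBNAME ;
   modify acl / LIBNAME read ;
   list acl _all_;
quit;

/* Connect to both domains as user anonymous (no password given). */
libname a_inher sasspds 'libinher'
        server=zztop.5129
        user='anonymous';
libname a_noher sasspds 'noinher'
        server=zztop.5129
        user='anonymous';

/* Print admin's table through each anonymous libref. The titles     */
/* label the two cases; presumably only the LIBACLINHERIT domain     */
/* passes the domain-level read grant down to the table -- confirm   */
/* against the server log.                                           */
proc print data=a_inher.admins_table;
   title 'with libaclinher';
run;

proc print data=a_noher.admins_table;
   title 'without libaclinher';
run;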
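/* Anonymous access walk-through on domain onepath.                  */
/*                                                                   */
/* Fix: the second connection for Mary was written as                */
/* "proc print mary sasspds ...", which is not a valid PROC PRINT    */
/* statement; it is a LIBNAME statement and is restored as one.      */
/* NOTE(review): every person who connects as 'anonymous' is the     */
/* same principal to the server, so an ACL entry for anonymous       */
/* cannot tell John from Mary. user1's password is a clear-text      */
/* literal; acceptable only in a sample.                             */

/* John logs in with the anonymous user ID and creates a table. */
libname john sasspds 'onepath'
        server=zztop.5162
        user='anonymous'
        password='anonymous'
        IP=YES ;

data john.anonymous_table ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

/* Mary also logs in as anonymous and reads the table John created. */
libname mary sasspds 'onepath'
        server=zztop.5162
        user='anonymous'
        IP=YES ;

proc print data=mary.anonymous_table (obs=10) ;
   title 'mary reading anonymous_table' ;
run ;

/* user1 logs in and can read the table John created. */
libname user1 sasspds 'onepath'
        server=zztop.5162
        user='user1'
        password='spds123'
        IP=YES ;

proc print data=user1.anonymous_table (obs=10) ;
   title 'user1 reading anonymous_table' ;
run ;

/* Tables created by the anonymous user can carry ACLs too. */
PROC SPDO library=john ;

   /* anonymous owns the ACL. */
   set acluser anonymous ;

   /* Create a table ACL and grant read to anonymous only. */
   add ACL anonymous_table ;
   modify ACL anonymous_table /
          anonymous=(y,n,n,n);

   list ACL _all_;
quit ;

/* From here on only user 'anonymous' can read the table; the same   */
/* read by user1 is repeated to show the difference.                 */
libname user1 sasspds 'onepath'
        server=zztop.5162
        user='user1'
        password='spds123'
        IP=YES ;

proc print data=user1.anonymous_table (obs=10) ;
   title 'user1 trying to read anonymous_table' ;
run ;

/* Mary reconnects as anonymous and reads the table. */
libname mary sasspds 'onepath'
        server=zztop.5162
        user='anonymous'
        password='anonymous'
        IP=YES ;

proc print data=mary.anonymous_table (obs=10) ;
   title 'mary reading anonymous_table' ;
run ;

/* Mary can't write to anonymous_table: the ACL above grants         */
/* anonymous read only.                                              */
data mary.anonymous_table ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;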
/* Open libref d1 on domain d1, authenticating as admin1.            */
/* NOTE(review): clear-text password literal; acceptable only in a   */
/* sample.                                                           */
libname d1 sasspds 'd1'
        server=zztop.5162
        user='admin1'
        password='spds123'
        IP=YES ;

PROC SPDO library=d1 ;

   /* admin1 is the owner context for the ACLs created here. */
   set acluser admin1 ;

   /* Create the domain-level (LIBNAME) ACL for d1. */
   add ACL / LIBNAME ;
modify ACL / LIBNAME admingrp=(y,y,y,y) group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,y,n,n) group4=(y,y,n,n) ; list ACL _all_; quit ; /* Create two tables. */ data d1.admin1_table1 ; do i = 1 to 100 ; output ; end ; run ; /* Admin1 has write priviliges to */ /* the domain. */ data d1.admin1_table2 ; do i = 1 to 100 ; output ; end ; run ; /* Generic ACLs allow all users to */ /* read tables created by admin1 */ /* unless a specific ACL is placed */ /* on a resource. */ PROC SPDO library=d1 ; /* Assign who owns the ACLs. */ set acluser admin1 ;
add ACL / generic read ; modify ACL / generic read admingrp=(y,n,n,y) ; list ACL _all_; quit ; /* Test access for a user in group1. */ libname user1d1 sasspds 'd1' server=zztop.5162 user='user1' password='spds123' IP=YES ; proc print data=user1d1.admin1_table1 (obs=10) ; title 'read admin1_table1 by user1' ; run ; proc print data=user1d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user1' ; run ; /* Test access for a user in group2. */ libname user2d1 sasspds 'd1' server=zztop.5162 user='user2' password='spds123' IP=YES ; proc print data=user2d1.admin1_table1 (obs=10) ; title 'read admin1_table1 by user2' ; run ; proc print data=user2d1.admin1_table2 (obs=10) ; title 'read admin1_table2 by user2' ; run ;
PROC SPDO library=d1 ;

   /* admin1 is the owner context for the ACL created here. */
   set acluser admin1 ;

   /* A table-specific ACL: for anyone accessing admin1_table2 it    */
   /* takes precedence over the generic ACL. Only group1 (read) and  */
   /* admingrp (read, control) are listed.                           */
   add ACL admin1_table2 ;
   modify ACL admin1_table2 /
          group1=(y,n,n,n)
          admingrp=(y,n,n,y) ;

   list ACL _all_;
quit ;

/* Check access for a user in group1, which the table ACL lists. */
/* NOTE(review): clear-text password literals; acceptable only in a  */
/* sample.                                                           */
libname user1d1 sasspds 'd1'
        server=zztop.5162
        user='user1'
        password='spds123'
        IP=YES ;

proc print data=user1d1.admin1_table2 (obs=10) ;
   title 'read admin1_table2 by user1' ;
run ;

/* Check access for a user in group2. group2 is not named on the     */
/* table ACL, so presumably this read is refused -- confirm.         */
libname user2d1 sasspds 'd1'
        server=zztop.5162
        user='user2'
        password='spds123'
        IP=YES ;

proc print data=user2d1.admin1_table2 (obs=10) ;
   title 'read admin1_table2 by user2' ;
run ;
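/* Group-level sharing on domain d1 with the GROUPREAD and           */
/* GROUPALTER ACL options.                                           */
/*                                                                   */
/* Fix: the password literal on the LIBNAME statement had no closing */
/* quote, which swallowed IP=YES and the statements after it.        */
/* NOTE(review): the password is a clear-text literal; acceptable    */
/* only in a sample.                                                 */
/* NOTE(review): libref admin2d1 is used below but is not assigned   */
/* anywhere in this listing -- presumably a connection to d1 as      */
/* admin2 made earlier; confirm. The PROC SPDO steps also end with   */
/* RUN or with the next step boundary rather than QUIT, as in the    */
/* original.                                                         */
libname d1 sasspds 'd1'
        server=zztop.5162
        user='admin'
        password='spds123'
        IP=YES ;

PROC SPDO library=d1 ;

   /* admin is the owner context for the domain ACL. */
   set acluser admin ;

   /* Create the domain-level (LIBNAME) ACL for d1. */
   add ACL / LIBNAME ;

   /* Users in admin's own group (admingrp) may read, write and      */
   /* alter in the domain but get no control; group1 and group2 get  */
   /* read, group3 and group4 get read and write.                    */
   modify ACL / LIBNAME
          admingrp=(y,y,y,n)
          group1=(y,n,n,n)
          group2=(y,n,n,n)
          group3=(y,y,n,n)
          group4=(y,y,n,n) ;

   list ACL _all_;
run;

/* Create the first table.                                           */
/* NOTE(review): the original comment says admin1 has write          */
/* privileges here, but libref d1 was opened as 'admin' -- confirm   */
/* which identity is meant.                                          */
data d1.admin1_table1 ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

/* Let all users read the table, and let members of the owner's      */
/* group read and alter it.                                          */
PROC SPDO library=d1 ;

   /* admin1 is the owner context for this ACL. */
   set acluser admin1 ;

   /* GROUPREAD must be present if other users in the owner's group  */
   /* are to read the owner's tables; GROUPALTER extends that to     */
   /* altering them.                                                 */
   add ACL admin1_table1 / generic read groupread groupalter ;

   list ACL _all_;
run;

/* Create the second table. */
data d1.admin1_table2 ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

PROC SPDO library=d1 ;

   /* admin1 is the owner context for this ACL. */
   set acluser admin1 ;

   /* Table ACL with explicit entries only: group1 gets read,        */
   /* admingrp gets read and control. No group options are given.    */
   add ACL admin1_table2 /
       group1=(y,n,n,n)
       admingrp=(y,n,n,y) ;

   list ACL _all_;
run;

/* Admin2 has write privileges to the domain and creates a table. */
data admin2d1.admin2_table ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

/* Admin2 must use PROC SPDO to let others read the table. The       */
/* generic ACL with READ gives users outside admingrp read access to */
/* tables created by admin2; GROUPREAD and GROUPALTER give access to */
/* users inside admingrp.                                            */
PROC SPDO library=admin2d1 ;

   /* admin2 is the owner context for this ACL. */
   set acluser admin2 ;

   /* GROUPREAD must be present if other users in admin2's group     */
   /* need to read tables created by admin2.                         */
   add ACL / generic read groupread groupalter ;

   list ACL _all_;

/* Admin, a member of the same group, can read the table. */
proc print data=d1.admin2_table (obs=10) ;
   title 'read by admin' ;
run ;

/* GROUPALTER also lets admin modify or replace tables created by    */
/* admin2, so this step overwrites admin2's table.                   */
data d1.admin2_table ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

/* Give other users in the same group read access to a table. */
PROC SPDO library=admin2d1 ;

   /* user3 is the owner context for this ACL. */
   set acluser user3 ;

   /* GROUPREAD lets members of the owner's group read the table. */
   add ACL user3_table / groupread ;

   list ACL _all_;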
/* Open libref d2 on domain d2, authenticating as prod1.             */
/* NOTE(review): clear-text password literal; acceptable only in a   */
/* sample.                                                           */
libname d2 sasspds 'd2'
        server=zztop.5162
        user='prod1'
        password='spds123'
        IP=YES ;
/* Start an ACL session on libref d2. */
PROC SPDO library=d2 ;

   /* prod1 is the owner context for the ACLs handled here. */
   set acluser prod1 ;
modify ACL prod1_table / prodgrp=(n,n,n,n) group1=(n,n,n,n) group2=(n,n,n,n) group3=(n,n,n,n) group4=(n,n,n,n) ;
modify ACL prod1_table / prod1=(y,y,y,y) ; list ACL _all_; quit;
/* Rebuild prod1_table with 100 rows. */
data d2.prod1_table ;
   do i = 1 to 100 ;
      output ;
   end ;
run ;

/* Reopen an ACL session on libref d2. */
PROC SPDO library=d2 ;

   /* prod1 is the owner context for the ACLs handled here. */
   set acluser prod1 ;
modify ACL prod1_table / prodgrp=(y,n,n,y) group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,n,n,n) group4=(y,n,n,n) ; list ACL _all_ ; run ;
/* Open libref d2 on domain d2, authenticating as prod1.             */
/* NOTE(review): clear-text password literal; acceptable only in a   */
/* sample.                                                           */
libname d2 sasspds 'd2'
        server=zztop.5162
        user='prod1'
        password='spds123'
        IP=YES ;

PROC SPDO library=d2 ;

   /* prod1 is the owner context for the ACLs handled here. */
   set acluser prod1 ;
modify ACL / LIBNAME prodgrp=(y,y,y,y) group1=(n,n,n,n) group2=(n,n,n,n) group3=(n,n,n,n) group4=(n,n,n,n); list ACL _all_ ; run ; /* Modify ACL for tables to be refreshed. */ PROC SPDO library=d2 ; /* Set who owns the ACLs. */ set acluser prod1 ; /* Modify table ACL to revoke read and */ /* control by users in same group, */ /* which prevents locks during table */ /* refreshes. */ modify ACL prod1_table / prodgrp=(n,n,n,n); /* Modify table ACL to allow the */ /* 'prod1' user to refresh the */ /* table. */ modify ACL prod1_table / prod1=(y,y,y,y) ; list ACL _all_; /* Refresh warehouse table(s). */ data d2.prod1_table ; do i = 1 to 100 ; output ; end ; run ; PROC SPDO library=d2 ; /* Assign who owns the ACLs. */ set ACLUSER prod1 ; /* Allow users and groups access to */ /* the domain again. */ modify ACL / LIBNAME group1=(y,n,n,n) group2=(y,n,n,n) group3=(y,n,n,n) group4=(y,n,n,n) ; list ACL _all_ ; run ;
/* Open libref prod1d2 on domain d2 as prod1, with aclspecial=YES.   */
/* NOTE(review): prod1 goes on to change an ACL owned by user1;      */
/* aclspecial=YES is the connection option that distinguishes this   */
/* LIBNAME from an ordinary one. Presumably it is honoured because   */
/* prod1 is a level 7 user in the password database -- confirm. The  */
/* password is a clear-text literal; acceptable only in a sample.    */
libname prod1d2 sasspds 'd2'
        server=zztop.5162
        user='prod1'
        password='spds123'
        aclspecial=YES
        IP=YES ;

PROC SPDO library=prod1d2 ;

   /* Switch to user1, the owner of the ACL that will be modified. */
   set acluser user1 ;

   /* Grant user4 read access to user1_table1. */
   modify ACL user1_table1 /
          user4=(y,n,n,n) ;

   /* List every ACL so the change can be checked. */
   list ACL _all_ ;
quit;
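/* Column-level ACLs on table t in domain onepath.                   */
/*                                                                   */
/* Fixes:                                                            */
/*  - libref user6 connected as user='user3'. The libref name, the   */
/*    aclgrp='group2' option and the comments all describe user6,    */
/*    and the password database lists USER6 in GROUP2 and USER3 in   */
/*    GROUP3, so the connection now uses user='user6'.               */
/*  - In the second example the column ACL was meant to admit the    */
/*    members of group2 but granted user2=(y,n,n,n), which the next  */
/*    statement cancels, leaving no grant for the rest of the group. */
/*    It now grants group2=(y,n,n,n).                                */
/* NOTE(review): the passwords are clear-text literals; acceptable   */
/* only in a sample.                                                 */
libname user1 sasspds 'onepath'
        server=zztop.5161
        user='user1'
        password='spds123';

libname user2 sasspds 'onepath'
        server=zztop.5161
        user='user2'
        password='spds123'
        aclgrp='group2';

libname user6 sasspds 'onepath'
        server=zztop.5161
        user='user6'
        password='spds123'
        aclgrp='group2';

/* Generate some dummy data. */
data user1.t;
   id=1;
   salary=2000;
run;

/* Example 1: only user2 of group2 may read column salary. */
PROC SPDO library=user1 ;

   /* No user name is given; presumably the ACL owner defaults to    */
   /* the connected user, user1 -- confirm.                          */
   set acluser;

   /* Clean up ACLs left from an earlier run. */
   delete ACL t;
   delete ACL t.salary;

   /* Table ACL: members of group2 may read table t. */
   add ACL t;
   modify ACL t /
          group2=(y,n,n,n);

   /* Column ACL: only user2 may read t.salary. */
   add ACL t.salary;
   modify ACL t.salary /
          user2=(y,n,n,n);
quit;

/* Both users print the table; only user2 can access column salary. */
proc print data=user2.t;
run;

proc print data=user6.t;
run;

/* Example 2: everyone in group2 EXCEPT user2 may read column salary. */
PROC SPDO library=user1 ;

   /* No user name is given; presumably the ACL owner defaults to    */
   /* the connected user, user1 -- confirm.                          */
   set acluser;

   /* Remove the column ACL from example 1. */
   delete ACL t.salary;

   /* Column ACL: members of group2 may read t.salary. */
   add ACL t.salary;
   modify ACL t.salary /
          group2=(y,n,n,n);

   /* User permissions have priority over group permissions, so an   */
   /* explicit deny for user2 overrides the group2 grant.            */
   modify ACL t.salary /
          user2=(n,n,n,n);
quit;

/* Both users print the table; only user6 can access column salary. */
proc print data=user2.t;
run;

proc print data=user6.t;
run;
quit;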