SPDO Procedure

MODIFY ACL Statement

Modifies existing ACLs for resources.

Requirements: You must be the resource owner, have ACL access to a resource, or have special privilege in order to modify an ACL. When using special privilege, set the ACLSPECIAL= option in the LIBNAME statement.
Before using MODIFY ACL, you must set the context for the request with the SET ACLUSER statement. The user name specified in SET ACLUSER must be that of the ACL owner. See SET ACLUSER Statement.
When modifying ACLs for resources other than DATA, also set the ACL type. For more information, see SET ACLTYPE Statement.
Syntax
Arguments
Details
Examples
Example 1: Modify Domain ACL
Example 2: Modify ACL MINE
Example 3: Modify Generic ACL
Example 4: Modify All ACLs
Example 5: Modify a Column ACL
Example 6: Modify a Generic Column ACL
Example 7: Modify ACL for a Catalog
Example 8: Modify Generic ACL for Catalog Entries

Syntax

MODIFY ACL acl1 [acl2...] [C=cat T=type] /[acl-type][permission];
MODIFY ACL acl | _ALL_ /[acl-type ][permission] [GroupList][UserList];

Arguments

_ALL_

modifies all existing resource ACLs for which ACLUSER has Control access.

acl

specifies the name of the ACL entry that you want to modify. You can specify more than one ACL.

acl-type

/GENERIC

identifies the specified ACLs as generic ACLs.

Note If you specify /GENERIC when modifying a table column ACL, the /GENERIC applies to the table name, not to the column name. You cannot use wildcards with column names.

/LIBNAME

identifies the domain ACL.

C=cat

identifies the selected ACLs as the names of catalog entries from the catalog cat. The C= option must be paired with the T= option.

permissions

specifies to grant or remove one or more of the following permissions:

ALTER

grants universal ALTER access to the resource.

GROUPALTER

grants group ALTER access to the resource.

GROUPREAD

grants group READ access to the resource.

GROUPWRITE

grants group WRITE access to the resource.

NOALTER

removes universal ALTER access to the resource.

NOGROUPALTER

removes group ALTER access to the resource.

NOGROUPREAD

removes group READ access to the resource.

NOGROUPWRITE

removes group WRITE access to the resource.

NOREAD

removes universal READ access to the resource.

NOWRITE

removes universal WRITE access to the resource.

READ

grants universal READ access to the resource.

WRITE

grants universal WRITE access to the resource.

GroupList

specifies the permissions that you want to assign or modify for an ACL group in the form: 

groupname = (Y/N,Y/N,Y/N,Y/N)
groupname is a group name that is registered in the password database.
The comma-separated Y or N indicates a grant or denial for (READ, WRITE, ALTER, or CONTROL).

T=type

identifies the catalog entry type used to qualify the selected ACLs. This option is required when the C= option is specified.

UserList

specifies the permissions that you want to assign or modify for a user in the form: 

username = (Y/N,Y/N,Y/N,Y/N)
username is a user name that is registered in the password database.
The comma-separated Y or N indicates a grant or denial for (READ,WRITE,ALTER,CONTROL).

Details

Use the MODIFY ACL _ALL_syntax when you want to modify all existing ACLs for which ACLUSER has Control access.
Use the MODIFY ACL acl1 [acl2] syntax to modify specified ACLs that are owned by ACLUSER. If you specify _ALL_ as the table identifier in a two-part name, you modify all tables for which the given column is matched. If you specify _ALL_ as the column identifier in a two-part name, you modify all columns for which the given table is matched.
Use the UserList or GroupList option when you want to grant a user or group Control access to a resource. These options are the only way to define permissions for specific users and ACL groups.

Examples

Example 1: Modify Domain ACL

This modifies the domain ACL to set READ and WRITE access for a given user.
modify acl/LIBNAME
ralph=(y,y,n,n);

Example 2: Modify ACL MINE

This modifies ACL MINE_AUG2016 to deny universal WRITE access and add user-specific permissions. 
modify acl mine_aug2016/nowrite
 bolick=(y,n,n,n)
johndoe=(n,n,n,n);

Example 3: Modify Generic ACL

This modifies a generic ACL MINE* to add user-specific permissions.
modify acl mine/generic
 tom=(y,y,y,n);

Example 4: Modify All ACLs

This modifies all ACLs to grant READ access to a given user. 
modify acl _all_/gene=(y,,,);

Example 5: Modify a Column ACL

This modifies column ACL MINE_AUG2016.SALARY to add explicit READ and WRITE access for a given user. 
modify acl mine_aug2016.salary/ralph=(y,y,n,n);

Example 6: Modify a Generic Column ACL

This modifies generic column ACL, MINE*.SALARY, to add explicit READ and WRITE access for a given user. 
modify acl mine.salary/generic
 debby=(y,y,n,n);

Example 7: Modify ACL for a Catalog

This modifies catalog MYCAT to remove universal READ and group WRITE access. 
set acltype catalog;
modify acl mycat/noread nogroupwrite;

Example 8: Modify Generic ACL for Catalog Entries

This modifies a generic ACL for catalog entries, MYCAT.MY*.CATAMS, to remove universal READ access. 
set acltype catalog;
modify acl my
c=mycat
t=catams/generic noread;
Copyright © SAS Institute Inc. All Rights Reserved.
Last updated: February 3, 2017