View Access Inheritance

The server uses View access inheritance to control access to tables that are referenced by the server views. View access inheritance gives a user who has access to a View access to the individual component tables that make up the view. For example, user Stan creates tables WinterSales and SpringSales, and then Stan creates a view that joins the two tables. Stan creates an ACL that gives user Kyle Read access to the view. Because Kyle has Read access to the view of the joined tables, Kyle also has Read access to the individual component tables WinterSales and SpringSales.
/* User Stan creates tables WinterSales and SpringSales.   */
/* Only user Stan can read these tables directly.          */

libname Stan sasspds 'temp' user='Stan';
DATA Stan.WinterSales;
INPUT idWinterSales colWinterSales1 $ colWinterSales2 $ ... ;
...
;

DATA Stan.SpringSales;
INPUT idSpringSales colSpringSales1 $ colSpringSales2 $ ... ;
...
quit;

/* Stan creates view WinterSpring to join tables WinterSales */
/* and SpringSales. Stan gives user Kyle read access to the  */
/* view.  Because Kyle has rights to read view WinterSpring, */
/* he also has read access rights to the individual tables   */
/* that Stan used to create the view WinterSpring. Kyle can  */
/* only read the tables WinterSales and SpringSales through  */
/* the view WinterSpring. If Kyle tries to directly access   */
/* the table WinterSales or the table SpringSales, SPD       */
/* Server does not comply and issues an access failure       */
/* warning.                                                  */

PROC SQL;
CONNECT TO sasspds(dbq='temp' user='Stan';
EXECUTE(create view WinterSpring as 
        SELECT * from SpringSales, WinterSales
        WHERE SpringSales.id = WinterSales.id);
quit;

PROC SPDO lib=Stan;
SET ACLUSER;
SET ACLTYPE VIEW;
ADD ACL WinterSpring;
MODIFY ACL WinterSpring / Kyle=(y,n,n,n);
quit;

Server View access inheritance is available only when it is invoked with the SQL explicit pass-through syntax. If a user accesses a view directly through SAS SQL or a SAS DATA step, the user must also have direct access to the component tables that are referenced in the view. In this case, the ACL credentials of the user are applied to the component view tables. This restriction limits the usefulness of the server views that are accessed via SAS SQL to cases where a SAS SQL user creates a virtual table to simplify SQL coding.
The server SQL views that reference DICTIONARY tables cannot be used by SAS SQL.
Last updated: February 8, 2017