cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
pavelr
Obsidian | Level 7 pavelr
Obsidian | Level 7
Go to Solution

Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 06:33 AM (3331 views)

What is the right way to check access for all nested groups in SAS Viya?

 

I have group1 and group2 which is a member of group1. So, group2 should inherit access given to group1.

 

Part 1. Is there a way to see permissions on objects (caslib, tables) for all nested group (and possibly users)?

When I use:

proc cas;
accessControl.whatIsEffective /
objectSelector={objType="caslib",caslib="mylib"},ReturnDecisionText=true;
run;quit;

 

I only get group1 in the list (no group2 though it inherits access): 

pavelr_0-1660816630981.png

Can I get something like this?

group1 - Authorized (explicit)

group2 - Authorized (inherited)

 

Part 2. SAS is not showing that a nested group has an access.

 

When I use:

proc cas;
accessControl.whatIsEffective /
ids={{identity="group2", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

 

I get: 

pavelr_1-1660816885470.png

though it should be Authorized because group2 is a member of group1 and:

pavelr_2-1660816997294.png

Why it does not show that group2 is Authorized? 

 

 

0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 11:08 AM (3288 views)  |   In reply to pavelr
Correct, when querying against a group CAS does not call the identities service to check its memberships and instead returns direct access controls for that group.
--
Greg Wootton | Principal Systems Technical Support Engineer

View solution in original post

0 Likes
Reply
8 REPLIES 8
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 09:53 AM (3306 views)  |   In reply to pavelr
Nested group memberships are handed by SASLogon, so when you log in as a member of group2, it will see that group2 is a member of group1 and your authorization token would indicate you are a member of group2 and group1. I suspect that since CAS does not need to know about nested groups to authorize correctly and looking them up would have a performance cost, it only displays the authorizations that have been applied directly or indirectly to the caslib.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
pavelr
Obsidian | Level 7 pavelr
Obsidian | Level 7

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 10:12 AM (3302 views)  |   In reply to gwootton

Well, I can understand that SAS will not list permissions for all nested groups (Part 1 of my post) though it would be helpful, but why it does not show correct permissions if I ask to show them explicitly (Part 2 of my post)?

For example:

1) create group1

2) create group2 and make it a member of group1

3) grant ReadInfo on some caslib "mylib" to group1

4) Run

proc cas;
accessControl.whatIsEffective /
ids={{identity="group1", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

5) Run

proc cas;
accessControl.whatIsEffective /
ids={{identity="group2", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

 

Should 4) and 5) both show that these groups are Authorized? Yes (to my understanding). Why it shows Authorized in the first case and Not Authorized in the second case?

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 10:19 AM (3300 views)  |   In reply to pavelr
The CAS Server does not know that group 2 is a member of group 1, so when you ask if group 2 has permission it says no because no permission has been assigned to group 2.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
pavelr
Obsidian | Level 7 pavelr
Obsidian | Level 7

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 10:41 AM (3298 views)  |   In reply to gwootton

Well, for me this is misleading.

Also, CAS Server still must know that group2 is a member of group1 because in reality group2 has access (inherited from group1) despite SAS code shows that it doesn't.

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 10:48 AM (3296 views)  |   In reply to pavelr
I don't think CAS is aware of the relationship between group 2 and group 1 because when it checks a user's memberships it gets a flat list rather than a tree. So if userA is a member of group2 which is a member of group1, CAS asks the identities service which groups user A is a member of and it returns both group 2 and group 1, so CAS never knows that user A is a member of both because group 2 is a member of group 1, only that user A is a member of both.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
pavelr
Obsidian | Level 7 pavelr
Obsidian | Level 7

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 11:01 AM (3290 views)  |   In reply to gwootton

I see. But does it mean that accessControl.whatIsEffective what correctly for users (ids={{identity="user1", identityType="user"}}) and NOT correctly for all nested groups (ids={{identity="group2", identityType="group"}}) in case they do not have direct permissions?

What exactly happens when using accessControl.whatIsEffective / ids={{identity="group2", identityType="group"}}...? CAS doesn't check group2's membership? Does it check membership only for users?

 

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-18-2022 11:08 AM (3289 views)  |   In reply to pavelr
Correct, when querying against a group CAS does not call the identities service to check its memberships and instead returns direct access controls for that group.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
pavelr
Obsidian | Level 7 pavelr
Obsidian | Level 7

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

Posted 08-22-2022 01:46 AM (3257 views)  |   In reply to gwootton

Thanks. At least now it is more clear what is happening and why.

0 Likes
Reply

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

Discussion stats
  • 8 replies
  • ‎08-18-2022 06:33 AM
  • 3332 views
  • 0 likes
  • 2 in conversation