topic Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set) in SAS Viya

Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

pavelr — Thu, 18 Aug 2022 10:33:37 GMT

What is the right way to check access for all nested groups in SAS Viya?

I have group1 and group2 which is a member of group1. So, group2 should inherit access given to group1.

Part 1. Is there a way to see permissions on objects (caslib, tables) for all nested group (and possibly users)?

When I use:

proc cas;
accessControl.whatIsEffective /
objectSelector={objType="caslib",caslib="mylib"},ReturnDecisionText=true;
run;quit;

I only get group1 in the list (no group2 though it inherits access):

Can I get something like this?

group1 - Authorized (explicit)

group2 - Authorized (inherited)

Part 2. SAS is not showing that a nested group has an access.

When I use:

proc cas;
accessControl.whatIsEffective /
ids={{identity="group2", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

I get:

though it should be Authorized because group2 is a member of group1 and:

Why it does not show that group2 is Authorized?

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

gwootton — Thu, 18 Aug 2022 13:53:54 GMT

Nested group memberships are handed by SASLogon, so when you log in as a member of group2, it will see that group2 is a member of group1 and your authorization token would indicate you are a member of group2 and group1. I suspect that since CAS does not need to know about nested groups to authorize correctly and looking them up would have a performance cost, it only displays the authorizations that have been applied directly or indirectly to the caslib.

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

pavelr — Thu, 18 Aug 2022 14:12:34 GMT

Well, I can understand that SAS will not list permissions for all nested groups (Part 1 of my post) though it would be helpful, but why it does not show correct permissions if I ask to show them explicitly (Part 2 of my post)?

For example:

1) create group1

2) create group2 and make it a member of group1

3) grant ReadInfo on some caslib "mylib" to group1

4) Run

proc cas;
accessControl.whatIsEffective /
ids={{identity="group1", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

5) Run

proc cas;
accessControl.whatIsEffective /
ids={{identity="group2", identityType="group"}},
objectSelector={objType="caslib",caslib="mylib"}, ReturnDecisionText=true;
run; quit;

Should 4) and 5) both show that these groups are Authorized? Yes (to my understanding). Why it shows Authorized in the first case and Not Authorized in the second case?

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

gwootton — Thu, 18 Aug 2022 14:19:41 GMT

The CAS Server does not know that group 2 is a member of group 1, so when you ask if group 2 has permission it says no because no permission has been assigned to group 2.

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

pavelr — Thu, 18 Aug 2022 14:41:43 GMT

Well, for me this is misleading.

Also, CAS Server still must know that group2 is a member of group1 because in reality group2 has access (inherited from group1) despite SAS code shows that it doesn't.

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

gwootton — Thu, 18 Aug 2022 14:48:52 GMT

I don't think CAS is aware of the relationship between group 2 and group 1 because when it checks a user's memberships it gets a flat list rather than a tree. So if userA is a member of group2 which is a member of group1, CAS asks the identities service which groups user A is a member of and it returns both group 2 and group 1, so CAS never knows that user A is a member of both because group 2 is a member of group 1, only that user A is a member of both.

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

pavelr — Thu, 18 Aug 2022 15:01:05 GMT

I see. But does it mean that accessControl.whatIsEffective what correctly for users (ids={{identity="user1", identityType="user"}}) and NOT correctly for all nested groups (ids={{identity="group2", identityType="group"}}) in case they do not have direct permissions?

What exactly happens when using accessControl.whatIsEffective / ids={{identity="group2", identityType="group"}}...? CAS doesn't check group2's membership? Does it check membership only for users?

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

gwootton — Thu, 18 Aug 2022 15:08:22 GMT

Correct, when querying against a group CAS does not call the identities service to check its memberships and instead returns direct access controls for that group.

Re: Not showing right access (inherited) for nested groups in SAS Viya (Access Control Action Set)

pavelr — Mon, 22 Aug 2022 05:46:44 GMT

Thanks. At least now it is more clear what is happening and why.