topic Re: permissions and user access in Developers

permissions and user access

SASBob — Tue, 18 Sep 2018 15:13:09 GMT

Is it possible to control who can access the SAS Stored Process web application independently of other stored process access rights? Ultimately I'd like to create a group of users who can access the stored process web application and not allow any other users. This would be completely indepdendent of the SAS folder access, so some users may have access to execute a stored process in MS Excel through the add-in, but have no access to open the SAS Stored Process web application at all.

Re: permissions and user access

AllanBowe — Wed, 13 Oct 2021 20:00:12 GMT

Authorisation in SAS is set against metadata objects (eg folders, STPs) and authentication via SASLogon. I am not aware of an 'out of the box' way for SASLogon to determine client context (eg via SPWA or directly through the MSO Addin) and permit access on that basis.

However, it would be possible to inject some code at the beginning of each stp invocation to perform a kind of 'conditional abort'.

The place to set your 'initialisation' code is described here: https://support.sas.com/kb/39/250.html

You'll want to test for the existence of some automatic SPWA variable, such as `_HTCOOK` or those 'used by' 'web clients' as described here: http://support.sas.com/rnd/itech/doc9/dev_guide/stprocess/reserved.html

Here is a macro to help you get the list of groups for a particular user: https://github.com/sasjs/core/blob/main/meta/mm_getgroups.sas

To 'abort gracefully' from an STP you need the following:

    data _null_;
      rc = stpsrvset('program error', 0);
    run;
    endsas;

Bit of a workaround though.. Be interesting to learn if there are other solutions (short of disabling the SPWA).

Re: permissions and user access

SASBob — Tue, 18 Sep 2018 18:58:21 GMT

Thanks, I'll take a look and let you know how it goes.