User Roles and How to restrict server access from user group

PhiSlogan — Wed, 14 Nov 2018 09:28:55 GMT

Hello SAS community,
My objective is to restrict access for a group of users - using SAS Enterprise Guide and Management Console. So i have gotten this far and just realized that the user can actually just click on the server tab and the user has permissions and access to files on the server...

How i restricted the user group:
[1] In management console

i created a user group and then added user/members to the group.
then i clicked on to the folders tab and added the newly created user group in all folders paths, libraries and datasets that i do not want the group to access - hence i add the group to the user group list and deny all permissions.

[2] The result is what i want and inside Enterprise Guide i see that the restricted user group will not even see the directory/paths, libraries and datasets restricted.

The only issue i have now is that the user is still able to access the Servers and has permission to write and update any files on the server... I tried adding the group on to the server icon(by right clicking the SASApp server icon and selecting properties>authorization and adding the user group with deny in all permissions) this denies access and permission of users on all dirs, libraries and datasets.

Re: User Roles and How to restrict server access from user group

Kurt_Bremser — Wed, 14 Nov 2018 09:55:00 GMT

If you want to prevent users from writing to/reading from a specific location on the server, you either have to restrict them from using the relevant code elements (impractical, as these are needed for eg import/export tasks), or you have to make sure that those locations are made secure on the operating system level.

Library permissions can be handled in SAS metadata, but in order to make them "stick" you need to define those libraries as "metadata bound". Otherwise executing a simple libname can always undercut the metadata, unless you also restrict permissions on the OS level (see above).

My preferred path is to use the proper permissions in the operating system. If a user does not have read/execute permissions on the directory of a library, a libname for that directory will fail, and the library will not appear in the server list.

Note that relying on third-party tools (SAS in this case) to keep your operating system safe is foolish at best. Use the tools provided by the system itself (see Maxims 14 & 15).

topic Re: User Roles and How to restrict server access from user group in New SAS User

User Roles and How to restrict server access from user group

Re: User Roles and How to restrict server access from user group