https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/411065#M11058 <P>Hi All,</P><P>&nbsp;</P><P>I have this problem setting up an access to a user that belongs to many group in SAS Management Console. There are 10 folders in the environment and each folder represent a group. The scenario is that Folder1 belong to Group1 and all groups have deny access to this folder except Group1 and Folder2 belongs to Group2 and&nbsp;<SPAN>all groups have deny access to this folder except Group2. Now User1 is involved in a Project to Group1 and Group2 so User1 will be added to both groups. In a way I'm thinking that User1 can still access both folders since User1 belongs to the 2 groups but upon checking User1 cannot access those 2 Folders.</SPAN></P><P>&nbsp;</P><P><SPAN>Can anyone help me find a solution that when I add 2 groups to a User the user can still see the Folder in which the Group has access to? </SPAN></P><P>&nbsp;</P><P><SPAN>Btw, creating new groups is not applicable since there are a lot of situation a User can be involved in different sets of Folders as this may result in almost 1 group only contains 1 or 2 Users. There are a lot of folders in our environment it's just that I put 10 folders in order for me to show the situation.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks.</SPAN></P><P><SPAN>-Albert0</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Tue, 07 Nov 2017 06:28:04 GMT Albert0 2017-11-07T06:28:04Z https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/411065#M11058 <P>Hi All,</P><P>&nbsp;</P><P>I have this problem setting up an access to a user that belongs to many group in SAS Management Console. There are 10 folders in the environment and each folder represent a group. The scenario is that Folder1 belong to Group1 and all groups have deny access to this folder except Group1 and Folder2 belongs to Group2 and&nbsp;<SPAN>all groups have deny access to this folder except Group2. Now User1 is involved in a Project to Group1 and Group2 so User1 will be added to both groups. In a way I'm thinking that User1 can still access both folders since User1 belongs to the 2 groups but upon checking User1 cannot access those 2 Folders.</SPAN></P><P>&nbsp;</P><P><SPAN>Can anyone help me find a solution that when I add 2 groups to a User the user can still see the Folder in which the Group has access to? </SPAN></P><P>&nbsp;</P><P><SPAN>Btw, creating new groups is not applicable since there are a lot of situation a User can be involved in different sets of Folders as this may result in almost 1 group only contains 1 or 2 Users. There are a lot of folders in our environment it's just that I put 10 folders in order for me to show the situation.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks.</SPAN></P><P><SPAN>-Albert0</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Tue, 07 Nov 2017 06:28:04 GMT https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/411065#M11058 Albert0 2017-11-07T06:28:04Z https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/411071#M11060 <P>Do not set "deny" for your groups. Deny for a higher level group (SASUSERS) and then specifically allow all your groups that shall have access.</P> Tue, 07 Nov 2017 07:04:36 GMT https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/411071#M11060 Kurt_Bremser 2017-11-07T07:04:36Z https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/412546#M11103 <P>As&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/11562">@Kurt_Bremser</a>&nbsp;mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too).&nbsp; Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the <EM>Recommended SAS 9.4 Security Model Design</EM> papers from&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/52061">@DavidStern</a>&nbsp;in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those&nbsp;practices&nbsp;you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at&nbsp;<A href="http://bit.ly/SASUKMetacodaWebinar" target="_blank">http://bit.ly/SASUKMetacodaWebinar</A></P> Sat, 11 Nov 2017 06:10:37 GMT https://communities.sas.com/t5/Administration-and-Deployment/User-Groups-Access/m-p/412546#M11103 PaulHomes 2017-11-11T06:10:37Z