https://communities.sas.com/t5/Administration-and-Deployment/Deny-access-to-Oracle-library/m-p/133926#M1466 <HTML><HEAD></HEAD><BODY><P>1) In my belief, you need READ on the library so that the meatautoresources can assign the library. READ on tables within the library have no effect. For extensive use of metadata authorization, use MLE.</P><P>2) Not sure about how you local groups and domain accounts connect. And how is the authentication to Oracle set up? Do you have a group account shared among all users, and where is it defined? Are you also sure that user#2 is authenticated and matched with a SAS metadata account?</P></BODY></HTML> Mon, 13 May 2013 07:06:33 GMT LinusH 2013-05-13T07:06:33Z https://communities.sas.com/t5/Administration-and-Deployment/Deny-access-to-Oracle-library/m-p/133925#M1465 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="text-decoration: underline;">Summary:</SPAN></P><P>For a library that is not allocated via the Metadata Libname Engine (it's pre-assigned), what does "Read" access buy me?&nbsp; Is there a difference in behaviour between a Base and Oracle library?</P><P></P><P><SPAN style="text-decoration: underline;">Details:</SPAN></P><P>We have an Oracle library that is pre-assigned.&nbsp; So, both our EG sessions and Base SAS sessions (invoked via RDP on the server) get this library allocated via the usual -metaautoresources "SASApp" option.&nbsp; For the rest of this post I'll just refer to EG (Workspace Server) sessions.</P><P></P><P>The metadata permissions are:</P><P></P><P>PUBLIC:&nbsp; Deny All</P><P>SAS System Services:&nbsp; +RM, -(all others).&nbsp; sastrust is the only user.</P><P>SAS Administrators: (locally defined user group):&nbsp; +RM, +WM, +CM, +A, -(all others).&nbsp; Another local group is the only member.&nbsp; That local group has a few domain accounts.</P><P>SASUSERS:&nbsp; +RM, -(all others)</P><P></P><P>We do have ACT's in place, but all of the above permissions are inherited (gray background).</P><P></P><P>As I see it, since the Oracle library is pre-assigned, and since SASUSERS has ReadMetadata access, the Workspace Server will allocate the Oracle library, which uses an Oracle service account username/password to make the connection.&nbsp; Thus all authenticated users should see and have access to this library.</P><P></P><P>What has me stumped is we have two (non-administrator) users that have access to this Oracle library, and others that do not.&nbsp; For those that do not, they do not see the library in EG at all.&nbsp; I don't see why one set of (authenticated) users would see the library, but others would not.</P><P></P><P>Questions:</P><P>1) For a pre-assigned library, does Read access buy me anything?&nbsp; Or do I need ReadMetadata to either show/hide the library?&nbsp; Does Read access only apply to MLE allocated libraries?</P><P>2) Given the metadata permissions above, any thoughts as to how I can trace the reasons why user#1 gets access and user#2 does not?</P><P></P><P>Thanks,</P><P>Scott</P></BODY></HTML> Mon, 13 May 2013 03:27:26 GMT https://communities.sas.com/t5/Administration-and-Deployment/Deny-access-to-Oracle-library/m-p/133925#M1465 ScottBass 2013-05-13T03:27:26Z https://communities.sas.com/t5/Administration-and-Deployment/Deny-access-to-Oracle-library/m-p/133926#M1466 <HTML><HEAD></HEAD><BODY><P>1) In my belief, you need READ on the library so that the meatautoresources can assign the library. READ on tables within the library have no effect. For extensive use of metadata authorization, use MLE.</P><P>2) Not sure about how you local groups and domain accounts connect. And how is the authentication to Oracle set up? Do you have a group account shared among all users, and where is it defined? Are you also sure that user#2 is authenticated and matched with a SAS metadata account?</P></BODY></HTML> Mon, 13 May 2013 07:06:33 GMT https://communities.sas.com/t5/Administration-and-Deployment/Deny-access-to-Oracle-library/m-p/133926#M1466 LinusH 2013-05-13T07:06:33Z