topic Re: Authorization librarie for users in Administration and Deployment

Authorization librarie for users

ddddddddd1223 — Thu, 08 Jul 2021 17:28:19 GMT

Hi everyone,

I am looking for any guides for managing user authorization to access libraries.

I should create a group of users allowed just to access one library between the many libraries already registered in SAS Management Console. I tried to create a new user without giving to him any authorization or any group, but he can access everything. The only way I managed to avoid him to see the data in the library has been to insert his group in the authorization tab properties of the library, and deny explicitly the authorization for that group. But I hope this is not the only way, because I should deny the authorization for all the libraries that already exist, and all the future ones.

Thank you for any help.

Re: Authorization librarie for users

gwootton — Thu, 08 Jul 2021 18:05:51 GMT

Typically you would control access to libraries by modifying the permissions on the folder that contains the library.
If that folder has access granted to SASUSERS (the group that contains all users), then any new user would have access.
If you intend to limit access to SASUSERS and grant access to a specific group, be sure the SAS General Servers group is a member of that new group or otherwise has access to ensure shared servers like Pooled Workspace and Stored Process can access it.
Here is the documentation on the topic:

Metadata Authorization Model
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0iqe26rd4ui8ln1sqg5g7cs4qhc.htm

Re: Authorization librarie for users

Kurt_Bremser — Thu, 08 Jul 2021 18:15:44 GMT

The proper strategy for permissions in metadata is: deny globally, allow locally.

So you should remove SASUSERS access to all your libraries, and allow it specifically for each group.

Re: Authorization librarie for users

Nigel_Pain — Fri, 09 Jul 2021 09:11:25 GMT

Here's what we have (and I feel quite confident in how it's done because I was guided by none other than David Stern!).

We have quite a few grroups of users with widely ranging areas of analysis. This means that we have a large number of libraries (over 300 at the last count), many of which are ODBC links to databases. Each has its own set of authorised users. So, pretty much, each library is in its own folder, all within the /Shared Data folder. ACTs are applied to each of those folders, which grant all access to one group and just RM,R to another. This ensures that those permissions are inherited by an registered tables.

But in order for users to see the folders and their contents, SASUSERS needs RM access to the /Shared Data folder and that would be inherited by all its child folders. So we have another ACT which we apply to each child folder which denies all permissions to SASUSERS. The specific ACT for a child folder overrides this for the groups which it specifies.

I hope this is useful.