https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766335#M22985 <P>You&nbsp;<EM>could</EM> control it exclusively in metadata if you used SAS Token Authentication and a pooled workspace server, which would mean that for the OS only the sassrv user would read and write datasets, and you could set all libraries to drwx------ with owner sassrv. But that is not what you usually do, as you lose control over what an individual user does (disk storage, CPU consumption, etc).</P> Tue, 07 Sep 2021 09:19:44 GMT Kurt_Bremser 2021-09-07T09:19:44Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766177#M22972 <P>We have a team of EG users with some users have read only and some have write access for a certain library. I noticed that users can rename a dataset even if they have only read access to a library. Below are the settings:</P><P>&nbsp;</P><P>Folder permission:</P><P>drwxrwx--- 2 sas_admin sas 7 Sep 6 16:12 testlib1</P><P>&nbsp;</P><P>Dataset permission:</P><P>-rw-rw---- 1 sas_admin&nbsp;sas 196608 Sep 6 15:32 cars.sas7bdat</P><P>&nbsp;</P><P>We registered the table in SMC and set the permission of user for both library and registered table:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dph_0-1630916733862.png" style="width: 400px;"><img src="https://communities.sas.com/t5/image/serverpage/image-id/63322i0FDDA4DD8F397FA5/image-size/medium?v=v2&amp;px=400" role="button" title="Dph_0-1630916733862.png" alt="Dph_0-1630916733862.png" /></span></P><P>&nbsp;</P><P>They cannot delete or update the dataset but they can still rename it.&nbsp;</P><P>&nbsp;</P><P>Any thoughts how can we prevent this?</P><P>&nbsp;</P> Mon, 06 Sep 2021 08:38:03 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766177#M22972 Dph 2021-09-06T08:38:03Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766183#M22973 <P>Data authorization can be a bit complicated.</P> <P>If you don't enforce the use of META engine, permission set in SMC has "no" effect - only Linus/UNIX folder permissions are in effect.</P> Mon, 06 Sep 2021 09:27:16 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766183#M22973 LinusH 2021-09-06T09:27:16Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766184#M22974 Hi,<BR />Yeah, sorry I did not mention but the libraries are assigned using meta engine:<BR /><BR />LIBNAME TESTLIB1 META LIBRARY='TESTLIB1' METAOUT=DATA; Mon, 06 Sep 2021 09:34:45 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766184#M22974 Dph 2021-09-06T09:34:45Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766185#M22975 <P>Yes and no. "<SPAN>METAOUT=DATA</SPAN>" will also show tables not registered in SAS Metadata.</P> <P>&nbsp;</P> <P>The only way to really secure your data is on OS level as users will always have the option to issue a different libname via code and then only OS level permissions apply.</P> <P>&nbsp;</P> <P>If you really want to ensure that data access is only possible via the libnames defined in SAS Metadata then you need a metadata bound library.</P> Mon, 06 Sep 2021 09:39:02 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766185#M22975 Patrick 2021-09-06T09:39:02Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766192#M22976 Yes I know the metaout=data will show all the tables but the dataset in question is a registered one.. I also understand the risk you mentioned.<BR /><BR />I have to read about it since I am not familiar with metadata bound libraries, but may I know if we implement this will it prevent the 'read only' users from renaming of the datasets? Mon, 06 Sep 2021 10:11:24 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766192#M22976 Dph 2021-09-06T10:11:24Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766257#M22977 <P>As long as users have write permission for the&nbsp;<EM>directory</EM> on the operating system level, you will not be safe.</P> <P>Remove the group write permission, and give only privileged users write permission via access control lists. This is what I have done for decades.</P> Mon, 06 Sep 2021 19:47:25 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766257#M22977 Kurt_Bremser 2021-09-06T19:47:25Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766300#M22982 <P>I see, so it really cannot be controlled in metadata level. I haven't done any ACLs before but I just tested sample files/folders and it seems to work as expected. It will be a bit tedious because we have around 50 libraries and 30 users in that team, although only 20% of them have write access in each of the library.</P><P>&nbsp;</P><P>Thanks, everyone.</P> Tue, 07 Sep 2021 03:11:37 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766300#M22982 Dph 2021-09-07T03:11:37Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766328#M22984 <P>With "not be safe" I meant that there might always be a way for users to copy and remove (resulting in a rename) <EM>files</EM> with the FCOPY and FDELETE functions.</P> <P>The FCOPY and FDELETE functions do not care about library metadata when you use them with .sas7bdat files (a dataset is then just a file like any other file).</P> <P>Even easier is the use of the <FONT face="courier new,courier">mv</FONT> system command if you have XCMD enabled or the users have access to the commandline with SSH.</P> <P>The only thing that can prevent these actions is the operating system.</P> Tue, 07 Sep 2021 07:29:51 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766328#M22984 Kurt_Bremser 2021-09-07T07:29:51Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766335#M22985 <P>You&nbsp;<EM>could</EM> control it exclusively in metadata if you used SAS Token Authentication and a pooled workspace server, which would mean that for the OS only the sassrv user would read and write datasets, and you could set all libraries to drwx------ with owner sassrv. But that is not what you usually do, as you lose control over what an individual user does (disk storage, CPU consumption, etc).</P> Tue, 07 Sep 2021 09:19:44 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766335#M22985 Kurt_Bremser 2021-09-07T09:19:44Z https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766520#M23001 <P><SPAN>Pooled workspace server setup will not be feasible, primarily because of the regular audit / security review.. Most likely will have to do combination of dataset registration + ACLs. Though I have to test further.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you for your inputs</SPAN></P> Wed, 08 Sep 2021 06:35:28 GMT https://communities.sas.com/t5/Administration-and-Deployment/Prevent-Users-from-Renaming-Datasets/m-p/766520#M23001 Dph 2021-09-08T06:35:28Z