topic The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'? in Administration and Deployment

The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

FrankPoppe — Mon, 05 Sep 2022 08:36:59 GMT

Hi,
I am trying to use the METASEC_GETNAUTH function to determine what the permissions on specific objects (tables) are, for a user running my web application.
The documentation (SAS Help Center: METASEC_GETNAUTH Function) refers to the values of macro variables set by the %MDSECCON() and lists the meaning. First problem is that the documentation gives the prefix _SEC_ but using MPRINT reveals it is in fact _SECAD_.
And programming would have been easier if the documentation would give the actual values (1, 2, 3, 4, 8 , 12, 16, 32, 48).

But my question it this.
There are nine possible values, three each for direct, indirect and ACT permissions. That's clear.
For each they mean 'grant', 'deny' or 'mask'.
I don't really know how to interpret 'mask' ??

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

LinusH — Mon, 05 Sep 2022 12:51:11 GMT

"Mask to extract indirect value.." - I don't understand the meaning of this.

I would send this question to SAS tech support, to clarify the documentation.

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

Patrick — Mon, 05 Sep 2022 14:01:27 GMT

Have you seen this docu entry?

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

FrankPoppe — Tue, 06 Sep 2022 09:00:03 GMT

Yes, I have seen that page in the documentation, and that is where the problem is.

It is not correct, the name of macro variables that are created start with _SECAD_, not _SEC_
It could have listed the actual numeric values (1,2,3,4,8,12,16,32,48)
It does not explain what 'mask' means

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

gwootton — Tue, 06 Sep 2022 13:46:09 GMT

Have you considered using the MDSECDS macro instead? It uses METASEC_GETNAUTH for you (the code that does this is located in <SASHome>/SASFoundation/9.4/sasautos/mdsecgp.sas)

The way that code uses mask is (this is for explicit, but it does it for the others as well):

else if (band(authint, &_SECAD_PERM_EXPM) ) then do;
if (band(authint,&_SECAD_PERM_EXPD )) then
authorization = "Denied Explicitly";
else
authorization = "Granted Explicitly";
end;

%MDSECDS Security Report Macro
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0l1mpdt430djgn1bl1c3euei85w.htm

I'll pass the documentation folks your feedback.

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

FrankPoppe — Tue, 04 Oct 2022 09:48:09 GMT

Hi @gwootton Greg,

Sorry not to react earlier, in some way I missed your contribution.

Yes - I did look to the MDSECDS macro. And I do use it sometimes. But in this case I only want to know what the permissions are for a specific user for a specific table object, and then that MDSECDS is rather an overload.

Just checking the different authorizations is simpler here.

I don't really understand (yet) what the function of the mask value is, but the piece of code you give shows how to handle it.

Regards,

Frank

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

gwootton — Tue, 04 Oct 2022 13:01:24 GMT

The mask gives us a way to be more efficient in code. The result of the function will only ever be the permission and never the mask, but instead of evaluating the response like if response = 1 then, else if response = 2 then, etc etc, we can more broadly evaluate the response as: step 1, is it a act, explicit or inherited permission, then is it a grant (if not its a deny). If you're only doing this for a single user/object the efficiency here is negligible, but if you're evaluating lots of objects / users it makes the code complete faster. There are also masks for grant and deny if you don't care about the source of the permission and only its effect.

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

FrankPoppe — Tue, 04 Oct 2022 16:14:46 GMT

I think I now understand how to interpret this.

I originally understood the table as a listing of all the values that can be returned by the function. But that is not the case.

The returned value is composed of three bits: a deny or grant for explicit (1 or 2), a deny or grant for ACT (4 or 8 ) and for indirect (16 or 32).

The mask values (3, 12, 48) are just a helper to mask or select two bits if you are checking each of the three possible denies or grants.

Re: The METASEC_GETNAUTH function return 'deny', 'grant' or 'mask'. How to interpret 'mask'?

SylviaPowell — Thu, 13 Oct 2022 15:14:59 GMT

Hello Frank,

Thank you for your comments. I've updated the documentation for the METASEC_GETNAUTH= Function to show the correct prefix in the macro variable names. I've also added the integer associated with each macro variable to the table, and added a discussion of masks. The updated documentation will be available in the SAS 9.4M8 documentation update.

Until then, here is an explanation of masks:

A mask is a filter that returns an indirect result. A bitwise AND between the mask and a value within that mask produces the input value; otherwise, it produces a zero. Three masks -- an explicit mask (3), ACT mask (12), and an indirect mask (48) -- are provided to test whether a METASEC_GETNAUTH output value applies to a given authorization category.

The masks can be used with the BAND function. Here is example code that

illustrates how the masks can be used:

rc=metasec_getnauth("",objuri,n,

identitytypes,identitynames,

auth,tmppermissions,condition,

&_SECAD_RETURN_ROLE_TYPE, identitydispname);

...

authint = input(auth, 16.);

...

if (band(authint, &_SECAD_PERM_EXPM) ) then do;

if (band(authint,&_SECAD_PERM_EXPD)) then

authorization = "Denied Explicitly";

else

authorization = "Granted Explicitly";

end;

else if (band(authint, &_SECAD_PERM_ACTM) ) then do;

if (band(authint,&_SECAD_PERM_ACTD)) then

authorization = "Denied by ACT";

else

authorization = "Granted by ACT";

end;

else if (band(authint,&_SECAD_PERM_NDRM) ) then do;

if (band(authint,&SECAD_PERM_NDRD)) then

authorization = "Denied Indirectly";

else

authorization = "Granted Indirectly";

end;

...

The documentation was updated with the help of Greg Wootton.