https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895400#M27270 <P>Hi,</P> <P>&nbsp;</P> <P>I have a folder in the SASContent like /SASContent/Projects/SecretProject.</P> <P>I need to restrict all grants for this specific path only to the group "SpecialGroup".</P> <P>I can a new rule to grant "SpecialGroup" everything for that path without problems.</P> <P>But the "Authenticated Users" principal is present everywhere with READ grant on /SASContent and convey, and hence the SecretProject folder inherits the READ grant for "Authenticated Users": I cannot deny that, otherwise I would lock everyone out.</P> <P>&nbsp;</P> <P>How can I secure that path and only that from "Authenticated Users", still keeping the general READ grant on all /SASContent and convey for "Authenticated Users" BUT on the SecretProject folder?</P> <P>&nbsp;</P> <P>Using Viya 2023.x</P> Fri, 22 Sep 2023 09:04:38 GMT Edoedoedo 2023-09-22T09:04:38Z https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895400#M27270 <P>Hi,</P> <P>&nbsp;</P> <P>I have a folder in the SASContent like /SASContent/Projects/SecretProject.</P> <P>I need to restrict all grants for this specific path only to the group "SpecialGroup".</P> <P>I can a new rule to grant "SpecialGroup" everything for that path without problems.</P> <P>But the "Authenticated Users" principal is present everywhere with READ grant on /SASContent and convey, and hence the SecretProject folder inherits the READ grant for "Authenticated Users": I cannot deny that, otherwise I would lock everyone out.</P> <P>&nbsp;</P> <P>How can I secure that path and only that from "Authenticated Users", still keeping the general READ grant on all /SASContent and convey for "Authenticated Users" BUT on the SecretProject folder?</P> <P>&nbsp;</P> <P>Using Viya 2023.x</P> Fri, 22 Sep 2023 09:04:38 GMT https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895400#M27270 Edoedoedo 2023-09-22T09:04:38Z https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895438#M27273 You could use a conditional prohibit read on authenticated users, with the condition "!groupsForCurrentUser.contains('SpecialGroup')", be sure SAS Administrators is a member of the Special Group. Fri, 22 Sep 2023 12:49:17 GMT https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895438#M27273 gwootton 2023-09-22T12:49:17Z https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895987#M27285 <P>If you need to hide any members under SASContent then you do not want to use Read Convey at that level.&nbsp; You can't break convey, and it should only be used when all children should inherit the grant.&nbsp; This paper shows some examples with explanations.&nbsp; Written for 3.5 but the same applies...</P> <P><A href="https://support.sas.com/resources/papers/proceedings18/2130-2018.pdf" target="_blank">Understanding Security for SAS&amp;reg; Visual Analytics 8.2 on SAS&amp;reg; Viya&amp;reg;</A>&nbsp;</P> Wed, 27 Sep 2023 03:36:52 GMT https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/895987#M27285 angian 2023-09-27T03:36:52Z https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/896011#M27289 Thanks, so the caveat was just not to apply "read convey" at SASContent level, so in the subfolder the authenticated users does not have the read permission by default, it seems much cleanerò Wed, 27 Sep 2023 09:49:38 GMT https://communities.sas.com/t5/Administration-and-Deployment/Allow-access-only-to-a-given-group-for-a-SASContent-folder-and/m-p/896011#M27289 Edoedoedo 2023-09-27T09:49:38Z