topic Re: Permissions R and RW from different users on the same library in Administration and Deployment

Permissions R and RW from different users on the same library

Crysis85 — Fri, 16 Jun 2017 16:11:56 GMT

Hello,

I have to set up some users and libraries on a SAS system.

Let's say I have library LIB and user A and B

I want that A has read permissions to LIB

I want that B has read and write permissions to LIB

I set up those permissions explicitly on the Managemente Console user A has only Read Metadata allowed and all the rest denied

user B has all permissions.

The result is that when I log on Enterprise Guide as user A, I can modify existing tables in LIB, create new ones, delete existing ones, even if the these permissions are denied.

How is this possible?

How can I implement this idea?

Re: Permissions R and RW from different users on the same library

Astounding — Fri, 16 Jun 2017 16:23:31 GMT

From a Unix perspective, you handle this by defining groups. (You may not have the authority to set up and maintain a group, so you may need to get help on this.) Add one user to the group, but not the other.

That's what the middle set of permissions controls ... group access. Or in shorter terms, 774 = all for LIB owner, all for group, read only for the rest of the world.

After logging on, a user might have to switch from his default group over to your group to gain access.

Re: Permissions R and RW from different users on the same library

Crysis85 — Fri, 16 Jun 2017 16:54:25 GMT

I thought of that but It's not feasible because there are many more users and many more libraries? Isn't possible to set this up on the management console? What's the point of the Management Console with all the fine grained permissions if they don't work?

Re: Permissions R and RW from different users on the same library

anja — Fri, 16 Jun 2017 17:58:07 GMT

Hi there,

permissions / metadata security works well, lets see if we can figure out the problem.

What version of SAS are you using, and what's the EG version?

Are you familiar with this info:

Use and Enforcement of Permissions:

http://support.sas.com/documentation/cdl/en/bisecag/69827/HTML/default/viewer.htm#p1b2lkywlgefxcn14v68kok29w1b.htm

Permissions by Object

http://support.sas.com/documentation/cdl/en/bisecag/69827/HTML/default/viewer.htm#n0pt0r7u55rqu2n1cdu2wvt47j78.htm

Permissions by Tasks

http://support.sas.com/documentation/cdl/en/bisecag/69827/HTML/default/viewer.htm#n0bxpw0fyk4srkn1xp0yhc2gvq4g.htm

Thanks

Anja

Re: Permissions R and RW from different users on the same library

anja — Fri, 16 Jun 2017 17:59:49 GMT

P.S. where did you apply the permissions, via Lib Manager or the SAS Folders?

Re: Permissions R and RW from different users on the same library

Kurt_Bremser — Fri, 16 Jun 2017 18:01:17 GMT

You need to make your libraries metadata-bound, so they can only be used with the metadara engine.

Or you invest the necessary time to design a proper group structure in the OS. And solve the extreme cases with access control lists.

Re: Permissions R and RW from different users on the same library

PaulHomes — Fri, 16 Jun 2017 19:26:36 GMT

... and don't forget that table objects in metadata inherit permissions from the metadata folder in which they are contained and not the metadata library in which they are registered. For consistency you can assign permissions to a metadata folder containing both the library and the tables. Also keep in mind metadata security recommended practices and assign permissions, ideally via ACTs, on the folder, for groups (not users), only denying permissions broadly (to PUBLIC or SASUSERS) and then granting back to appropriate groups.

You will also want to consider how the library is being assigned: which engine: native or Metadata Libname Engine (MLE), and where necessary the MLE metaout value, and the AssignMode extended attribute value.

Re: Permissions R and RW from different users on the same library

Crysis85 — Sat, 17 Jun 2017 06:09:54 GMT

I think I followed the best practices. I set up the folder structures like this

General_Folder___Folder_GroupA

___Folder_GroupB

I set up 3 ACT: ACT_A has all the permissions for user A, and read only permission for user B, ACT_B the opposite and i set up a "Deny_SASuser" to deny permission on SASUSER

On Folder_GroupA (which will cointain tabs that userA should be able to write and read and userB read only) i assign ACT_A and Deny_SASUSER.

On Folder_GroupB ACT_B and Deny_SASUSER

I then create a library in Folder_GroupA (native library, preassigned). I check the permissions on the new library. User permissions are all inherited as I wanted (all the appropried "greens" and "greys"). UserA has all the permissions, UserB has only read metadata and read.

I then log as UserA on EG (7.1 by the way) and I can create all the tabs that I want. Problem is that, when I log as UserB I can do the same.

I'd like, if possible, more clarification on native/ML engine. I tried to set Metadata Libname Engine but then I couldn't manage to create any tables with any user.

Thanks.

Re: Permissions R and RW from different users on the same library

PaulHomes — Sat, 17 Jun 2017 22:11:45 GMT

What you have done sounds about right for ensuring appropriate metadata permissions but you will also need to consider file system permissions too, being aware of the difference between creating physical tables (SAS datasets) in the physical directory in the file system and (optionally) registering those tables in metadata folders. You can create physical tables without registering the tables in metadata (and vice-versa). You might also want to submit a "libname _all_ list;" in EG to see how all of the libraries have been assigned and what engines are being used.

You wont be able to create tables in a MLE library uless you use one of the metaout options that supports it.

As you have found, this is quite a complex area with all of the various considerations. I would suggest one of the best ways to get a handle on this is to attend the SAS Platform Administration Fast Track course which covers many of these concepts.

As has been suggested by others, the 2 main options that admins use to control access to metadata and physical layers is to align metadata and file system access controls or use metadata bound libraries (to enforce the use of the metadata authorization layer).

Re: Permissions R and RW from different users on the same library

anja — Tue, 20 Jun 2017 13:50:56 GMT

Hi.

Enclosed some info on metadata bound libraries:

What is a metadata bound lib

Great blog from Paul:

Creating metadata bound libs

Lockdown

Thanks

Anja