topic Re: Library authorization at the table level in SAS Enterprise Guide

Library authorization at the table level

RexDeus9 — Wed, 16 May 2018 15:18:36 GMT

Hi,

Working with Sas Management Console (SAS 9.4). We have a Library of 20 data sets that are used by two different Groups.

1.- We want Group A to have access to ALL of them, which works fine

2.- We want Group B to only see 2 tables

Unfortunately this seems impossible to set with SMC, even when we REMOVE all permissions (RM/WM/CIMD/R/W/C/D) are set to Deny, users of Group B still have access to ALL tables.

What are we missing???

Re: Library authorization at the table level

Kurt_Bremser — Wed, 16 May 2018 15:26:38 GMT

Did you deny globally, for SASUSERS?

Re: Library authorization at the table level

RexDeus9 — Wed, 16 May 2018 16:03:18 GMT

Hi Kurt,

No, just that group.

Re: Library authorization at the table level

Kurt_Bremser — Wed, 16 May 2018 16:32:20 GMT

@RexDeus9 wrote:

Hi Kurt,

No, just that group.

That's your problem. Deny for SASUSERS (PUBLIC should already be denied), and then allow selectively for your groups.

Re: Library authorization at the table level

RexDeus9 — Wed, 16 May 2018 16:40:04 GMT

Hi Kurt,

Sorry, I was wrong in my first reply, SASUsers are DENIED everything.

Re: Library authorization at the table level

Kurt_Bremser — Wed, 16 May 2018 16:52:22 GMT

Have you made sure that the users in group B are not in group A also?

Re: Library authorization at the table level

RexDeus9 — Wed, 16 May 2018 17:04:47 GMT

Yes, they are totally different.

Re: Library authorization at the table level

FredrikE — Thu, 17 May 2018 05:23:20 GMT

Hi!

I think what you need to do is:

For EACH table:

- Deny rm and r for SASUSERS.

- Grant rm and r for group A

- Grant rm and r for internal sas users (SAS Admins, SAS General servers...)

On the 2 tables:

- Deny rm and r for SASUSERS.

- Grant rm and r for group A

- Grant rm and r for group B

- Grant rm and r for internal sas users (SAS Admins, SAS General servers...)

//Fredrik

Re: Library authorization at the table level

RexDeus9 — Thu, 17 May 2018 18:43:41 GMT

Hi Fredrik,

Thank you for your reply. Unfortunately it doesn't change anything. I removed ALL permissions to 'sasusers' and 'public' as well, on top of Group B.

Group B still has access to ALL tables for that Library. I really wonder why SAS even bothers providing the 'Authorization' tab at this level (Tables).

Getting pretty frustrated with this.:-(

Yvan

Re: Library authorization at the table level

SASKiwi — Thu, 17 May 2018 20:05:08 GMT

I assume you know that permissions at the metadata level can be bypassed by users assigning their own LIBNAMEs pointing at the table folders, unless you use metadata-bound libraries. Are you OK with that?

Re: Library authorization at the table level

RexDeus9 — Fri, 18 May 2018 14:59:23 GMT

Hi,

I browsed the documentation, not sure it's worth the pain for a few tables, or maybe it's just me.

Re: Library authorization at the table level

Kurt_Bremser — Fri, 18 May 2018 16:03:52 GMT

How do you access the tables in question? By browsing through the SAS metadata folders, or by opening them from the server list in Enterprise Guide, or in code?

Re: Library authorization at the table level

NunoTGrunho — Fri, 18 May 2018 16:07:56 GMT

Hi,

Where are you setting that permissions, at libname level, folder level?

Are the tables that you trying to grant and deny registered on metadata?

Re: Library authorization at the table level

RexDeus9 — Fri, 18 May 2018 17:54:37 GMT

Hi,

Permissions are set on he following:

- Library level (They will never see the library without this one)

- Folder of the Library

- Table in the Library folder

Yes, the tables are registered in the Metadata.

Re: Library authorization at the table level

RexDeus9 — Fri, 18 May 2018 17:55:30 GMT

Hi Kurt,

Working with SAS EG.

Re: Library authorization at the table level

Kurt_Bremser — Fri, 18 May 2018 20:33:13 GMT

@RexDeus9 wrote:

Hi Kurt,

Working with SAS EG.

If the libraries are assigned with a basic libname statement (and not with the meta engine), then the metadata access control will not be active.

You can make sure that the access control works by converting to metadata bound libraries.

Re: Library authorization at the table level

SASKiwi — Fri, 18 May 2018 23:36:57 GMT

You mean metadata-bound libraries? I agree totally - you would have to have a much better reason to justify implementing MBLs.

Just pointing out, you can spend a lot of time getting metadata permissions right only for users to bypass them...

Re: Library authorization at the table level

Patrick — Sat, 19 May 2018 01:22:11 GMT

@RexDeus9

Alternatively to metadata bound libraries you can always secure tables on OS level and with a new SAS version you could also go for Sever Lockdown (but that requires quite a bit of planning/design to implement).

Re: Library authorization at the table level

Kurt_Bremser — Sat, 19 May 2018 04:55:08 GMT

The ultima ratio is always the operating system. Once the permissions are properly set, no other user can bypass them.

Re: Library authorization at the table level

SASKiwi — Sun, 20 May 2018 00:03:51 GMT

One option not mentioned is to do folder-level permissions where Group B have a separate folder / library with the two datasets they are allowed to see then another folder for Group A containing all of the datasets (2 being copies). Then it is easy to align OS and metadata permissions so users can't bypass them.