https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196345#M1619 <HTML><HEAD></HEAD><BODY><P>From thread <A _jive_internal="true" href="https://communities.sas.com/thread/62416">https://communities.sas.com/thread/62416</A></P><P></P><P>You can activate the old editor on a table with a command like this</P><P></P><P>./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'</P><P></P><P>Works for VA 6.4</P></BODY></HTML> Tue, 07 Jul 2015 06:19:20 GMT Allan_dk 2015-07-07T06:19:20Z https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196343#M1617 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>As I am working my way to create the reports needed for management, we are also getting the need to protect data.</P><P>In the datamart the reports are created from, we have a hierarchy defined at organisational units (in this case locations).</P><P></P><P>I would expect it to be possible to create a Conditional Grant on the dataset that would check the value of the OU field against the groups the logged in user is a member of.</P><P>It surprises me that is not (or no longer) possible in SAS VA 7.1 to use (for example) IN in your condition.</P><P></P><P>Basically I would need a restriction as : OU IN SUB::SAS.IdentityGroups.</P><P></P><P>When I try this on report level (where IN is available), I simply get either all records or none at all.</P><P>Somehow, I don't understand which editor uses SUB:: and if it should be in parenthesis or not.</P><P></P><P></P><P>Does anyone have experience in how to enable row-level security for groups where a manager can be in multiple groups?</P><P>The <A class="jive-link-external-small" href="https://www.metacoda.com/en/2014/01/conditional-grants-sas-visual-analytics/" style="font-weight: inherit; font-style: inherit; font-family: inherit; color: #0e66ba;">Conditional Grants in SAS Visual Analytics </A><SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px; line-height: 1.5em; background-color: #ffffff;">has helped a lot with understanding how the row-level security works, but I can't get this next step going.</SPAN></P><P></P><P>Regards,</P><P>Roy</P></BODY></HTML> Mon, 06 Jul 2015 13:16:26 GMT https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196343#M1617 roy_walter 2015-07-06T13:16:26Z https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196344#M1618 <HTML><HEAD></HEAD><BODY><P>Roy,</P><P>assign the row-level security on user level using a group by user.</P><P>this way I assign the access restrictions by table and user.</P><P>this way you have one access group by user and the rules are assigned at table level.</P><P>works for me.</P><P>greetings</P></BODY></HTML> Mon, 06 Jul 2015 19:34:04 GMT https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196344#M1618 PeterWijers 2015-07-06T19:34:04Z https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196345#M1619 <HTML><HEAD></HEAD><BODY><P>From thread <A _jive_internal="true" href="https://communities.sas.com/thread/62416">https://communities.sas.com/thread/62416</A></P><P></P><P>You can activate the old editor on a table with a command like this</P><P></P><P>./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'</P><P></P><P>Works for VA 6.4</P></BODY></HTML> Tue, 07 Jul 2015 06:19:20 GMT https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196345#M1619 Allan_dk 2015-07-07T06:19:20Z https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196346#M1620 <HTML><HEAD></HEAD><BODY><P>Hello Allan, Peter,</P><P></P><P>The batchtool did the job (though it needed some extra tweaking). I had come across this earlier, but could not get it working.</P><P>The -condition option failed from the example (after personallising it ofcourse). When I switched around the condition to: <SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px; background-color: #ffffff;"> "(departmentname) IN ('SUB::SAS.IdentityGroups')", meaning I switched around the single and double qoutes, it worked like a charm. If not, I get the message: "Invalid commandline syntax. Too many objects specified.".</SPAN></P><P></P><P>As for Peter's solution: The amount of tables we have and the changes in responsibilities would make this a hard method to maintain. With each change in responsibility, we would need to change a lot of tables. I fine solution, but too maintenance heavy for our organisation.</P><P></P><P>With the implemented solution, we can just shift users from one group/department to another and let the one time implementation on table level take over.</P></BODY></HTML> Tue, 07 Jul 2015 07:31:31 GMT https://communities.sas.com/t5/SAS-Visual-Analytics/SAS-IdentityGroups-in-Conditional-Grants/m-p/196346#M1620 roy_walter 2015-07-07T07:31:31Z