BookmarkSubscribeRSS Feed
alko13
Quartz | Level 8

We are trying to setup permissions in SAS Management Console using ACT.

 

Our objective is to restrict write access certain tables.

We are using EG to read/modify tables.

We have created an ACT object and we have given only “Read Metadata” and “Read” permissions. All other actions are set to Deny. After creating ACT, we have assigned the ACT to a specific table.

We have double check that the table is effective with latest permissions from ACT.  However, the user can still edit the table using EG even though “Write” permission is set to Deny.

Note: Parent folder of this library also does not have WriteMetadata/Write Permission

 

Any tips/suggestions?

 

Thanks in advance

2 REPLIES 2
SASKiwi
PROC Star

There's a lot to learn with doing SAS metadata permissions and so I'll point you at @PaulHomes 's really excellent and useful link: https://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacoda-security-tests/

 

For starters you apply ACTs to User Groups, not to files.

 

Also it's worth pointing out that these permissions apply only to metadata libraries referenced in your SAS programs. If someone runs a LIBNAME statement in a program, then that bypasses metadata permissions. The same applies at the OS level where deleting or renaming a SAS dataset file is still possible. It all depends on what level of security you want. Locking down SAS libraries completely is possible but it is complex to setup and there are maintenance overheads as well. If you are just wanting to make accidental overwriting less possible in SAS then metadata protection could be enough.

PaulHomes
Rhodochrosite | Level 12

I suspect the issue you are encountering is that you are using the SAS BASE engine to access data which ignores the R,W,C,D metadata permissions. Also whether the ReadMetadata permission is considered depends on how the SAS library is being assigned.

 

To enforce metadata "data" permissions you need to add a layer on top such as the SAS Metadata Libname Engine (see Metadata LIBNAME Engine https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/lrmeta/part-3.htm) or SAS Metadata Bound Libraries (see SAS 9.4 Guide to Metadata-Bound Libraries https://support.sas.com/documentation/cdl/en/seclibag/66930/HTML/default/viewer.htm#seclibagwhatsnew...).

 

Controlling access to data through SAS metadata can be complicated and I think this is in part because with SAS 9 they had to walk a fine line between providing access via metadata but also maintaining backward compatibility for decades of legacy code that was written before the SAS Metadata Server existed. A SAS administrator can try to control access through the metadata authorization layer but needs to be aware that those access controls only work in some scenarios and that savvy coders can try to bypass them using traditional techniques with SAS libname statements. There are a variety of ways to try and prevent this but, as @SASKiwi mentions, it comes with complexity and maintenance overheads. Deciding on which technique to use also depends on to what extent are you trying to secure access to data: are you doing it for convenience or user experience where you want to limit access by default but are not concerned if some knowledgeable people can bypass it?; or are you doing it for security where you don't want anyone to be able to bypass it? For the former I would suggest the Metadata Libname Engine and for the latter I would recommend SAS Metadata Bound Libraries.

 

Of course another technique is to use a SAS/ACCESS engine and house the data in a 3rd party database which has it own authorization layer.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • 509 views
  • 4 likes
  • 3 in conversation