cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
Edoedoedo
Pyrite | Level 9 Edoedoedo
Pyrite | Level 9
Go to Solution

Allow access only to a given group for a SASContent folder and deny to authenticated users

Posted 09-22-2023 05:04 AM (2697 views)

Hi,

 

I have a folder in the SASContent like /SASContent/Projects/SecretProject.

I need to restrict all grants for this specific path only to the group "SpecialGroup".

I can a new rule to grant "SpecialGroup" everything for that path without problems.

But the "Authenticated Users" principal is present everywhere with READ grant on /SASContent and convey, and hence the SecretProject folder inherits the READ grant for "Authenticated Users": I cannot deny that, otherwise I would lock everyone out.

 

How can I secure that path and only that from "Authenticated Users", still keeping the general READ grant on all /SASContent and convey for "Authenticated Users" BUT on the SecretProject folder?

 

Using Viya 2023.x

0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
angian
SAS Employee angian
SAS Employee

Re: Allow access only to a given group for a SASContent folder and deny to authenticated users

Posted 09-26-2023 11:36 PM (2637 views)  |   In reply to Edoedoedo

If you need to hide any members under SASContent then you do not want to use Read Convey at that level.  You can't break convey, and it should only be used when all children should inherit the grant.  This paper shows some examples with explanations.  Written for 3.5 but the same applies...

Understanding Security for SAS® Visual Analytics 8.2 on SAS® Viya® 

View solution in original post

0 Likes
Reply
3 REPLIES 3
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Allow access only to a given group for a SASContent folder and deny to authenticated users

Posted 09-22-2023 08:49 AM (2681 views)  |   In reply to Edoedoedo
You could use a conditional prohibit read on authenticated users, with the condition "!groupsForCurrentUser.contains('SpecialGroup')", be sure SAS Administrators is a member of the Special Group.
--
Greg Wootton | Principal Systems Technical Support Engineer
Reply
angian
SAS Employee angian
SAS Employee

Re: Allow access only to a given group for a SASContent folder and deny to authenticated users

Posted 09-26-2023 11:36 PM (2638 views)  |   In reply to Edoedoedo

If you need to hide any members under SASContent then you do not want to use Read Convey at that level.  You can't break convey, and it should only be used when all children should inherit the grant.  This paper shows some examples with explanations.  Written for 3.5 but the same applies...

Understanding Security for SAS® Visual Analytics 8.2 on SAS® Viya® 

0 Likes
Reply
Edoedoedo
Pyrite | Level 9 Edoedoedo
Pyrite | Level 9

Re: Allow access only to a given group for a SASContent folder and deny to authenticated users

Posted 09-27-2023 05:49 AM (2586 views)  |   In reply to angian
Thanks, so the caveat was just not to apply "read convey" at SASContent level, so in the subfolder the authenticated users does not have the read permission by default, it seems much cleanerò
0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

Learn how to explore data assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • ‎09-22-2023 05:04 AM
  • 2698 views
  • 1 like
  • 3 in conversation