BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
Edoedoedo
Pyrite | Level 9

Hi,

 

I have a folder in the SASContent like /SASContent/Projects/SecretProject.

I need to restrict all grants for this specific path only to the group "SpecialGroup".

I can a new rule to grant "SpecialGroup" everything for that path without problems.

But the "Authenticated Users" principal is present everywhere with READ grant on /SASContent and convey, and hence the SecretProject folder inherits the READ grant for "Authenticated Users": I cannot deny that, otherwise I would lock everyone out.

 

How can I secure that path and only that from "Authenticated Users", still keeping the general READ grant on all /SASContent and convey for "Authenticated Users" BUT on the SecretProject folder?

 

Using Viya 2023.x

1 ACCEPTED SOLUTION

Accepted Solutions
angian
SAS Employee

If you need to hide any members under SASContent then you do not want to use Read Convey at that level.  You can't break convey, and it should only be used when all children should inherit the grant.  This paper shows some examples with explanations.  Written for 3.5 but the same applies...

Understanding Security for SAS® Visual Analytics 8.2 on SAS® Viya® 

View solution in original post

3 REPLIES 3
gwootton
SAS Super FREQ
You could use a conditional prohibit read on authenticated users, with the condition "!groupsForCurrentUser.contains('SpecialGroup')", be sure SAS Administrators is a member of the Special Group.
--
Greg Wootton | Principal Systems Technical Support Engineer
angian
SAS Employee

If you need to hide any members under SASContent then you do not want to use Read Convey at that level.  You can't break convey, and it should only be used when all children should inherit the grant.  This paper shows some examples with explanations.  Written for 3.5 but the same applies...

Understanding Security for SAS® Visual Analytics 8.2 on SAS® Viya® 

Edoedoedo
Pyrite | Level 9
Thanks, so the caveat was just not to apply "read convey" at SASContent level, so in the subfolder the authenticated users does not have the read permission by default, it seems much cleanerò

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 515 views
  • 1 like
  • 3 in conversation