BookmarkSubscribeRSS Feed
ddddddddd1223
Calcite | Level 5

Hi everyone,

 

I am looking for any guides for managing user authorization to access libraries. 

 

I should create a group of users allowed just to access one library between the many libraries already registered in SAS Management Console. I tried to create a new user without giving to him any authorization or any group, but he can access everything. The only way I managed to avoid him to see the data in the library has been to insert his group in the authorization tab properties of the library, and deny explicitly the authorization for that group. But I hope this is not the only way, because I should deny the authorization for all the libraries that already exist, and all the future ones.

 

Thank you for any help.

 

3 REPLIES 3
gwootton
SAS Super FREQ
Typically you would control access to libraries by modifying the permissions on the folder that contains the library.
If that folder has access granted to SASUSERS (the group that contains all users), then any new user would have access.
If you intend to limit access to SASUSERS and grant access to a specific group, be sure the SAS General Servers group is a member of that new group or otherwise has access to ensure shared servers like Pooled Workspace and Stored Process can access it.
Here is the documentation on the topic:

Metadata Authorization Model
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0iqe26rd4ui8ln1sqg5g7cs4qhc.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
Kurt_Bremser
Super User

The proper strategy for permissions in metadata is: deny globally, allow locally.

So you should remove SASUSERS access to all your libraries, and allow it specifically for each group.

Nigel_Pain
Lapis Lazuli | Level 10

Here's what we have (and I feel quite confident in how it's done because I was guided by none other than David Stern!).

We have quite a few grroups of users with widely ranging areas of analysis. This means that we have a large number of libraries (over 300 at the last count), many of which are ODBC links to databases. Each has its own set of authorised users. So, pretty much, each library is in its own folder, all within the /Shared Data folder. ACTs are applied to each of those folders, which grant all access to one group and just RM,R to another. This ensures that those permissions are inherited by an registered tables.

But in order for users to see the folders and their contents, SASUSERS needs RM access to the /Shared Data folder and that would be inherited by all its child folders. So we have another ACT which we apply to each child folder which denies all permissions to SASUSERS. The specific ACT for a child folder overrides this for the  groups which it specifies.

I hope this is useful.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 956 views
  • 2 likes
  • 4 in conversation