Architecting, installing and maintaining your SAS environment

Deny access to Oracle library

Super Contributor
Posts: 376

Hi,

Summary:

For a library that is not allocated via the Metadata Libname Engine (it's pre-assigned), what does "Read" access buy me?  Is there a difference in behaviour between a Base and Oracle library?

Details:

We have an Oracle library that is pre-assigned.  So, both our EG sessions and Base SAS sessions (invoked via RDP on the server) get this library allocated via the usual -metaautoresources "SASApp" option.  For the rest of this post I'll just refer to EG (Workspace Server) sessions.

The metadata permissions are:

PUBLIC:  Deny All

SAS System Services:  +RM, -(all others).  sastrust is the only user.

SAS Administrators: (locally defined user group):  +RM, +WM, +CM, +A, -(all others).  Another local group is the only member.  That local group has a few domain accounts.

SASUSERS:  +RM, -(all others)

We do have ACTs in place, but all of the above permissions are inherited (gray background).

As I see it, since the Oracle library is pre-assigned, and since SASUSERS has ReadMetadata access, the Workspace Server will allocate the Oracle library, which uses an Oracle service account username/password to make the connection.  Thus all authenticated users should see and have access to this library.

What has me stumped is we have two (non-administrator) users that have access to this Oracle library, and others that do not.  For those that do not, they do not see the library in EG at all.  I don't see why one set of (authenticated) users would see the library, but others would not.

Questions:

1) For a pre-assigned library, does Read access buy me anything?  Or do I need ReadMetadata to either show/hide the library?  Does Read access only apply to MLE allocated libraries?

2) Given the metadata permissions above, any thoughts as to how I can trace the reasons why user#1 gets access and user#2 does not?

Thanks,

Scott

Super User
Posts: 5,256

Re: Deny access to Oracle library

1) In my belief, you need READ on the library so that the metaautoresources can assign the library. READ on tables within the library has no effect. For extensive use of metadata authorization, use MLE.

2) Not sure about how your local groups and domain accounts connect. And how is the authentication to Oracle set up? Do you have a group account shared among all users, and where is it defined? Are you also sure that user#2 is authenticated and matched with a SAS metadata account?

Data never sleeps