cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
ScottBass
Rhodochrosite | Level 12 ScottBass
Rhodochrosite | Level 12

Deny access to Oracle library

Posted 05-12-2013 11:27 PM (945 views)

Hi,

Summary:

For a library that is not allocated via the Metadata Libname Engine (it's pre-assigned), what does "Read" access buy me?  Is there a difference in behaviour between a Base and Oracle library?

Details:

We have an Oracle library that is pre-assigned.  So, both our EG sessions and Base SAS sessions (invoked via RDP on the server) get this library allocated via the usual -metaautoresources "SASApp" option.  For the rest of this post I'll just refer to EG (Workspace Server) sessions.

The metadata permissions are:

PUBLIC:  Deny All

SAS System Services:  +RM, -(all others).  sastrust is the only user.

SAS Administrators: (locally defined user group):  +RM, +WM, +CM, +A, -(all others).  Another local group is the only member.  That local group has a few domain accounts.

SASUSERS:  +RM, -(all others)

We do have ACT's in place, but all of the above permissions are inherited (gray background).

As I see it, since the Oracle library is pre-assigned, and since SASUSERS has ReadMetadata access, the Workspace Server will allocate the Oracle library, which uses an Oracle service account username/password to make the connection.  Thus all authenticated users should see and have access to this library.

What has me stumped is we have two (non-administrator) users that have access to this Oracle library, and others that do not.  For those that do not, they do not see the library in EG at all.  I don't see why one set of (authenticated) users would see the library, but others would not.

Questions:

1) For a pre-assigned library, does Read access buy me anything?  Or do I need ReadMetadata to either show/hide the library?  Does Read access only apply to MLE allocated libraries?

2) Given the metadata permissions above, any thoughts as to how I can trace the reasons why user#1 gets access and user#2 does not?

Thanks,

Scott

Please post your question as a self-contained data step in the form of "have" (source) and "want" (desired results).
I won't contribute to your post if I can't cut-and-paste your syntactically correct code into SAS.
0 Likes
Reply
1 REPLY 1
LinusH
Tourmaline | Level 20 LinusH
Tourmaline | Level 20

Re: Deny access to Oracle library

Posted 05-13-2013 03:06 AM (816 views)  |   In reply to ScottBass

1) In my belief, you need READ on the library so that the meatautoresources can assign the library. READ on tables within the library have no effect. For extensive use of metadata authorization, use MLE.

2) Not sure about how you local groups and domain accounts connect. And how is the authentication to Oracle set up? Do you have a group account shared among all users, and where is it defined? Are you also sure that user#2 is authenticated and matched with a SAS metadata account?

Data never sleeps
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Watch CLI in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 1 reply
  • ‎05-12-2013 11:27 PM
  • 946 views
  • 1 like
  • 2 in conversation