ravicapg
Fluorite | Level 6

I have two folder structures and two groups.

Folder X contains Apps and Executive_Apps subfolders.

Folder Y contains the same as above.

Groups:

1) X_Exec_viewer_group

2) Y_Exec_viewer_group

Folder X and its subfolders should be accessible by X_Exec_viewer_group only (including the Apps and Executive folders).

Folder Y and its subfolders should be accessible by Y_Exec_viewer_group only (including the Apps and Executive folders).

 

Current settings are designed based on denial ACTs on each folder, which doesn't look correct.

Group Name             | X/Executive_Apps | Y/Executive_Apps
-----------------------|------------------|-----------------
X_Exec_viewer_group    | RM,R             | Denied
Y_Exec_viewer_group    | Denied           | RM,R

Meaning, e.g.: X_Exec_viewer_group is denied access to the Executive_Apps subfolder in X folder based on ACTs to Y_Exec_viewer_group and vice versa.

Now if a person is given access to both X_Exec_viewer_group and Y_Exec_viewer_group, they will not be able to access any of those folders, i.e. X->Executive_Apps and Y->Executive_Apps, because of the denial ACTs.

It is fine for individual folder access requests. But when we give a single user access to two groups we get an issue: that user is not able to access the two folders because of the denial ACT.

 

Please guide me to set correct settings.

 

Thanks

Accepted Solutions
jklaverstijn
Rhodochrosite | Level 12

Thanks for clarifying the problem. You get denials for both folders as these take precedence over the allows. The explanation for rule 3 mentions this conflict: "Two or more ACTs are applied to the object itself, or to any parent of the object, one granting the user or a group to which the user belongs the permission and one denying it."

This can be fixed by applying rule 4: deny access to the folders for a higher level implicit group like SASUSERS or even PUBLIC. Then the allows should work. Do not forget to also allow for access by the administrators.

 

Hope this helps,

- Jan.
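
The conflict and the fix described in this thread, as an added example that is not part of the original posts and is not SAS code. It is a simplified Python model of one permission, assuming identities rank as direct group, then SASUSERS, then PUBLIC, that the closest rank with a setting decides, and that a deny wins within a rank; the `Admins_group` name is a hypothetical placeholder.

```python
# Simplified model (assumption, not SAS's implementation) of how a grant/deny
# conflict between ACT settings resolves for one permission on one folder.

# Implicit groups are less specific than any group the user is placed in directly.
TIER = {"SASUSERS": 1, "PUBLIC": 2}   # every other group counts as direct (tier 0)

def decide(memberships, controls):
    """Return 'grant' or 'deny' for one folder.

    memberships: groups the user was explicitly added to
    controls:    {group: 'grant' | 'deny'} applied to the folder through ACTs
    """
    groups = set(memberships) | {"SASUSERS", "PUBLIC"}   # implicit memberships
    by_tier = {}
    for group, setting in controls.items():
        if group in groups:
            by_tier.setdefault(TIER.get(group, 0), set()).add(setting)
    if not by_tier:
        return "deny"                 # model assumption: no setting means no access
    closest = by_tier[min(by_tier)]   # most specific tier that says anything
    return "deny" if "deny" in closest else "grant"   # same-tier conflict: deny wins

def access_map(memberships, layout):
    """Evaluate every folder in a layout for one user."""
    return {folder: decide(memberships, c) for folder, c in layout.items()}

# Constructed layout matching the table in the question: each folder grants its
# own group and denies the sibling group.
CURRENT = {
    "X/Executive_Apps": {"X_Exec_viewer_group": "grant", "Y_Exec_viewer_group": "deny"},
    "Y/Executive_Apps": {"Y_Exec_viewer_group": "grant", "X_Exec_viewer_group": "deny"},
}

# Constructed layout following the accepted answer: deny only the broad implicit
# group, grant the specific group and the administrators.
FIXED = {
    "X/Executive_Apps": {"PUBLIC": "deny", "X_Exec_viewer_group": "grant",
                         "Admins_group": "grant"},
    "Y/Executive_Apps": {"PUBLIC": "deny", "Y_Exec_viewer_group": "grant",
                         "Admins_group": "grant"},
}

if __name__ == "__main__":
    both = {"X_Exec_viewer_group", "Y_Exec_viewer_group"}
    print("current:", access_map(both, CURRENT))
    print("fixed:  ", access_map(both, FIXED))
```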


4 REPLIES
jklaverstijn
Rhodochrosite | Level 12

I'm not going to solve this for you but I can give you one pointer: abide by the Golden Rules for Security Model Design. In your case I would specifically point to rule 3, that denials are not the way to allow access. Apply deny rules only at a general level and then allow specific user groups (never users).

 

Hope this helps,

- Jan.

ronan
Lapis Lazuli | Level 10

Your post is illegible:

Could you please edit the message once again and add some meaningful indentation and/or typo signs into the different lines / tree "branches"?

Frankly, I am not sure anyone will ever try to decipher your text with this kind of ultra minimal editing...

HTH
Ronan

ravicapg
Fluorite | Level 6
Thanks for the reply, ronan. I wrongly posted my question in rich text format, so all the text was combined and was not meaningful. So I modified my question with different lines and tree branches. Could you please look now?
