I have two folder structures and two groups.
Folder X contains Apps and Executive_Apps subfolders.
Folder Y contains the same as above.
Groups
1) X_Exec_viewer_group
2) Y_Exec_viewer_group
Folder X and its subfolders should be accessible by X_Exec_viewer_group only (including the Apps and Executive folders).
Folder Y and its subfolders should be accessible by Y_Exec_viewer_group only (including the Apps and Executive folders).
Current settings are designed based on Denial ACTs on each folder, which doesn’t look correct.
Group Name          | X/Executive_Apps | Y/Executive_Apps
----------------------------------------------------------
X_Exec_viewer_group | RM,R             | Denied
Y_Exec_viewer_group | Denied           | RM,R
Meaning, e.g.: X_Exec_viewer_group is denied access to the Executive_Apps subfolder in the X folder based on ACTs to Y_Exec_viewer_group, and vice versa.
Now if a person is given access to both X_Exec_viewer_group and Y_Exec_viewer_group, they will not be able to access either of those folders, i.e. X->Executive_Apps and Y->Executive_Apps, because of the denial ACTs.
It is fine for individual folder access requests. But when we give two groups' access to a single user we get an issue: that user is not able to access the two folders because of the denial ACTs.
Please guide me to set correct settings.
Thanks
Thanks for clarifying the problem. You get denials for both folders as these take precedence over the allows. The explanation for rule 3 mentions this conflict: "Two or more ACTs are applied to the object itself, or to any parent of the object, one granting the user or a group to which the user belongs the permission and one denying it."
This can be fixed by applying rule 4: deny access to the folders for a higher-level implicit group like SASUSERS or even PUBLIC. Then the allows should work. Do not forget to also allow access by the administrators.
Hope this helps,
- Jan.
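The conflict and the fix described in the answer above, as an added example (not code from the thread and not SAS code). It assumes a simplified precedence model in which a setting on a group the user belongs to directly outranks SASUSERS, which outranks PUBLIC, and a deny wins a tie; `Admins_group` is a placeholder name.

```python
# Simplified model (an assumption, not SAS code) of resolving ACT settings on
# one folder for a user in several groups. A setting on a group the user
# belongs to directly (level 1) outranks SASUSERS (2), which outranks PUBLIC (3).
# If a grant and a deny meet at the winning level, the deny wins.
IMPLICIT = {"SASUSERS": 2, "PUBLIC": 3}

def decide(folder_acl, user_groups, permission):
    by_level = {}
    for group, settings in folder_acl.items():
        if permission not in settings:
            continue
        if group in IMPLICIT:
            level = IMPLICIT[group]
        elif group in user_groups:
            level = 1
        else:
            continue  # ACT for a group the user is not in
        by_level.setdefault(level, set()).add(settings[permission])
    if not by_level:
        return "deny"  # no applicable setting: not granted
    winning = by_level[min(by_level)]
    return "deny" if "deny" in winning else "grant"

def access(layout, user_groups, permission="RM"):
    return {f: decide(acl, user_groups, permission) for f, acl in layout.items()}

G = {"RM": "grant", "R": "grant"}
D = {"RM": "deny", "R": "deny"}
X, Y = "X_Exec_viewer_group", "Y_Exec_viewer_group"
ADMINS = "Admins_group"  # placeholder name, not from the thread

# Layout from the question: each folder denies the other group.
DENIAL_BASED = {
    "X/Executive_Apps": {X: G, Y: D},
    "Y/Executive_Apps": {X: D, Y: G},
}
# Layout from the answer: deny PUBLIC, grant the owning group and admins.
PUBLIC_DENY = {
    "X/Executive_Apps": {"PUBLIC": D, X: G, ADMINS: G},
    "Y/Executive_Apps": {"PUBLIC": D, Y: G, ADMINS: G},
}

if __name__ == "__main__":
    for name, layout in (("denial-based", DENIAL_BASED), ("PUBLIC deny", PUBLIC_DENY)):
        for groups in ({X}, {Y}, {X, Y}):
            print(name, sorted(groups), access(layout, groups))
```
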
I'm not going to solve this for you but I can give you one pointer: abide by the Golden Rules for Security Model Design. In your case I would specifically point to rule 3, that denials are not the way to allow access. Apply deny rules only at a general level and then allow specific user groups (never users).
Hope this helps,
- Jan.
Your post is illegible:
could you please edit the message once again and add some meaningful indentation and/or typo signs into the different lines / tree "branches"?
Frankly, I am not sure anyone will ever try to decipher your text with this kind of ultra-minimal editing...
HTH
Ronan