Architecting, installing and maintaining your SAS environment

Folder Level Permissions

Occasional Contributor
Posts: 7

Folder Level Permissions


I have two folder structures and two groups.

Folder X contains Apps and Executive_Apps subfolders.

Folder Y contains the same as above.

Groups

1) X_Exec_viewer_group

2) Y_Exec_viewer_group

Folder X and its subfolders should be accessible by X_Exec_viewer_group only (including the Apps and Executive folders).

Folder Y and its subfolders should be accessible by Y_Exec_viewer_group only (including the Apps and Executive folders).

The current settings are designed based on denial ACTs on each folder, which doesn't look correct.

 

Group Name           | X/Executive_Apps | Y/Executive_Apps
---------------------|------------------|-----------------
X_Exec_viewer_group  | RM, R            | Denied
Y_Exec_viewer_group  | Denied           | RM, R

 

Meaning, e.g.: X_Exec_viewer_group is denied access to the Executive_Apps subfolder in the X folder based on ACTs for Y_Exec_viewer_group, and vice versa.

Now if a person is given access to both X_Exec_viewer_group and Y_Exec_viewer_group, they will not be able to access either of those folders, i.e. the X->Executive_Apps and Y->Executive_Apps folders, because of the denial ACTs.

It is fine for an individual folder access request. But when we give a single user access to two groups, we get an issue: that user is not able to access the two folders because of the denial ACT.

 

Please guide me to set correct settings.

 

Thanks

Super Contributor
Posts: 451

Re: Folder Level Permissions

I'm not going to solve this for you but I can give you one pointer: abide by the Golden Rules for Security Model Design. In your case I would specifically point to rule 3, that denials are not the way to allow access. Apply deny rules only at a general level and then allow specific user groups (never users).

 

Hope this helps,

- Jan.

Frequent Contributor
Posts: 134

Re: Folder Level Permissions

Your post is illegible:

Could you please edit the message once again and add some meaningful indentation and/or typo signs into the different lines / tree "branches"?

Frankly, I am not sure anyone will ever try to decipher your text with this kind of ultra minimal editing...

HTH
Ronan

Occasional Contributor
Posts: 7

Re: Folder Level Permissions

Thanks for the reply, Ronan. I wrongly posted my question in rich text format, so all the text was combined and was not meaningful. So I modified my question with different lines and tree branches. Could you please look now?

Super Contributor
Posts: 451

Re: Folder Level Permissions

Thanks for clarifying the problem. You get denials for both folders as these take precedence over the allows. The explanation for rule 3 mentions this conflict: "Two or more ACTs are applied to the object itself, or to any parent of the object, one granting the user or a group to which the user belongs the permission and one denying it."

This can be fixed by applying rule 4: deny access to the folders for a higher level implicit group like SASUSERS or even PUBLIC. Then the allows should work. Do not forget to also allow for access by the administrators.

 

Hope this helps,

- Jan.
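
Added example, not part of the thread and not SAS code: a small Python model of the conflict and the fix described in the replies above. It assumes a simplified precedence (direct group memberships outrank the implicit groups SASUSERS and PUBLIC; at equal rank a denial wins); the ACL dictionaries and the function names `decide` and `access_report` are constructed for illustration.

```python
# Simplified model of the conflict discussed in this thread (not SAS code).
# Assumption: a setting for a group the user directly belongs to outranks a
# setting for the implicit groups SASUSERS and PUBLIC; at equal rank, deny wins.
IMPLICIT_RANK = {"SASUSERS": 1, "PUBLIC": 2}   # direct membership = rank 0


def decide(user_groups, folder_acl, permission="RM"):
    """Return 'grant' or 'deny' for one permission on one folder.

    folder_acl maps identity name -> {permission: 'grant' | 'deny'}.
    """
    ranked = {g: 0 for g in user_groups}
    ranked.update(IMPLICIT_RANK)   # every registered user is in both
    for rank in sorted(set(ranked.values())):
        settings = [folder_acl[g][permission]
                    for g, r in ranked.items()
                    if r == rank and permission in folder_acl.get(g, {})]
        if settings:
            # Conflict between identities of equal rank: the denial wins.
            return "deny" if "deny" in settings else "grant"
    return "deny"   # nothing set anywhere: no access in this model


# Constructed ACLs for the Executive_Apps subfolders, with the thread's groups.
ORIGINAL = {   # cross-denials between the two viewer groups
    "X/Executive_Apps": {"X_Exec_viewer_group": {"RM": "grant"},
                         "Y_Exec_viewer_group": {"RM": "deny"}},
    "Y/Executive_Apps": {"X_Exec_viewer_group": {"RM": "deny"},
                         "Y_Exec_viewer_group": {"RM": "grant"}},
}
REVISED = {    # broad denial on an implicit group, specific grants on top
    "X/Executive_Apps": {"SASUSERS": {"RM": "deny"},
                         "X_Exec_viewer_group": {"RM": "grant"}},
    "Y/Executive_Apps": {"SASUSERS": {"RM": "deny"},
                         "Y_Exec_viewer_group": {"RM": "grant"}},
}


def access_report(acls, user_groups):
    """Decision per folder for a user with the given direct memberships."""
    return {folder: decide(user_groups, acl) for folder, acl in acls.items()}


if __name__ == "__main__":
    both = ["X_Exec_viewer_group", "Y_Exec_viewer_group"]
    print("original:", access_report(ORIGINAL, both))
    print("revised: ", access_report(REVISED, both))
    print("X only:  ", access_report(REVISED, ["X_Exec_viewer_group"]))
```

In this model a member of both groups is denied on both folders under the cross-denial layout and granted on both under the revised one, while a member of only one group still cannot reach the other folder.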
