EyalGonen
Lapis Lazuli | Level 10

Hi experts,

 

For SAS Viya 3.5 there is a SAS Environment Management supplied report named User Activity which shows audit info for users accessing VA reports. We have a need to open access to this report (and the underlying CAS data) for some group of users who are not members of the SAS Administrators group. Are there instructions for accomplishing this?

 

Thanks

3 REPLIES
ronf_sas
SAS Employee

Hi,

The User Activity report is in the /Products/SASEnvironmentManager/Dashboard Items path in SAS Content, which has a rule conditionally prohibiting Authenticated Users from seeing it. You will need to modify the condition of this rule to include a group this user is a member of, or call them out specifically. For instance by replacing this:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp')
 
with this:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp') && !groupsForCurrentUser().contains('NewGroup')
 
or:
 
!groupsForCurrentUser().contains('SASAdministrators') && !groupsForCurrentUser().contains('sasapp') && !(currentUser() == 'userid')
 
General Authorization: How To (Rules page)
https://go.documentation.sas.com/doc/en/calcdc/3.5/calauthzgen/p1bh4gj8c2xv1nn1fx011prusmii.htm
 
The User Activity report uses the SystemData.Audit CAS table, which Authenticated Users by default do not have permission to see, so the user/group will need to be granted permission on the SystemData caslib as well.
 
CAS Authorization: How To (Authorization Window)
https://go.documentation.sas.com/doc/en/calcdc/3.5/calauthzcas/n10ey3zz0qwxrsn0z6l25qo310q7.htm

EyalGonen
Lapis Lazuli | Level 10

Hi @ronf_sas 

 

Thanks for replying. Two questions:

 

1. Is there no issue/pitfall with opening the permissions for the folder and caslib to non SAS Admins?

2. I want to open access only to this specific report and only to the specific CASLIB table and not to open access to the entire VA report folder and to the entire SystemData CASLIB. Is there an easy way to accomplish this?

gwootton
SAS Super FREQ
1. Generally speaking the permissions are set such that non-administrators only have access to their own information. The User Activity report and SystemData.Audit CASLIB contain data on all users, so this is not granted by default.
2. Yes, you can set authorizations on specific objects and tables, so you can achieve this; you would just need to add additional permission configurations.

By default the rule against the Dashboard folder is a conditional prohibit on Authenticated Users to /folders/folders/folder_id/**, so Authenticated Users have permission to see the folder, but permission is revoked to see any objects inside the folder (convey permission). As you want to grant access to a single object within the folder, you would not be able to use this rule, so you'd need to disable it, which would grant users Read permission conveyed to all the objects within it. You'd then need to edit the permissions for each report in the folder and conditionally prohibit permission, with the same condition as the prohibit you disabled (prohibit Authenticated Users unless they are a member of the SAS Administrators or sasapp group).

Similarly for the SystemData CASLIB, Authenticated Users by default do not have ReadInfo permission on the library. This would need to be granted at the library level and then removed at the table level for all tables but AUDIT, which would need ReadInfo and Select granted.
--
Greg Wootton | Principal Systems Technical Support Engineer
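
Added example (not part of the thread and not SAS code): a small Python model for checking the intended access matrix before changing rules, comparing the default folder-wide prohibit, the folder-wide condition with NewGroup added, and per-report prohibits where only User Activity exempts NewGroup. The user names, the "Analysts" group, "Report A"/"Report B", and the evaluation model itself (conveyed Read, prohibit overrides grant) are assumptions, as is extending only the User Activity condition with NewGroup.

```python
# Simplified model (assumption, not SAS's engine): the folder conveys Read to
# Authenticated Users, and any conditional prohibit that applies overrides it.
ADMINS = frozenset({"SASAdministrators", "sasapp"})
REPORTS = ["User Activity", "Report A", "Report B"]  # last two are constructed names

# Constructed users and group memberships.
USERS = {
    "admin1": {"SASAdministrators"},
    "auditor1": {"NewGroup"},
    "analyst1": {"Analysts"},
}

def prohibited(groups, exempt):
    """Prohibit condition: true when the user is in none of the exempt groups."""
    return not (set(groups) & exempt)

def can_read(report, groups, rules):
    """rules maps '**' (folder-wide rule) or a report name to its exempt groups."""
    return not any(
        target in rules and prohibited(groups, rules[target])
        for target in ("**", report)
    )

def access_matrix(rules):
    """Return {user: [reports the user can read]} under the given rule set."""
    return {
        user: [r for r in REPORTS if can_read(r, groups, rules)]
        for user, groups in USERS.items()
    }

# 1. Default: one folder-wide conditional prohibit.
DEFAULT = {"**": ADMINS}
# 2. Folder-wide rule with NewGroup added to the condition.
FOLDER_EDIT = {"**": ADMINS | {"NewGroup"}}
# 3. Folder-wide rule disabled; one prohibit per report, and only the
#    User Activity rule exempts NewGroup.
PER_REPORT = {r: ADMINS for r in REPORTS}
PER_REPORT["User Activity"] = ADMINS | {"NewGroup"}

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT), ("folder edit", FOLDER_EDIT),
                        ("per report", PER_REPORT)]:
        print(name, access_matrix(rules))
```

In this model the folder-wide edit gives NewGroup every report in the folder, while the per-report layout limits it to User Activity and leaves other non-administrators with nothing.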
