BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
RupaJ
Lapis Lazuli | Level 10

Hello SAS users,

 

Could some one please tell me how I should grant/revoke access to a user on a SAS application server. I have a SASAPP2 server that only few users in the company have access to and now I see couple users who should not be having access on that server. Now how do I revoke the access for those users. Have been looking around for quite some time to figure this out. Pretty sure this should be very straightforward. 

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

Rather than looking at this problem as how do I revoke access to people who have access but shouldn't, I would recommend taking a step back and considering how do I make sure I only grant access to the people who should have access. Based on the latter it looks like the access controls on the app server are not currently setup correctly to only grant access to those who should have access.

 

If you were to look at denying access to specific users or non-implicit groups (groups other than PUBLIC/SASUSERS) then you are very likely to run into conflict scenarios. You end up finding people-who-have-access-who-shouldn't or people-who-don't-have-access-but-should that can hard to troubleshoot (and the first group don't always tell you).

 

The recommended practice is to deny broadly (wipe out everyone's access) using PUBLIC (or SASUSERS) and then start granting access back to those who should have access (SAS System Services, SAS Administrators, other org groups).

 

For more info on this, there several resources you could look at:

If you follow those best practice examples then you control who has access by making sure they are members of groups that should have access. By making sure you do not deny permissions to any identity other than PUBLIC/SASUSERS then you also won't get conflicts. If the groups are setup correctly and someone doesn't have access then they need to join a group that has access. If they have access but shouldn't then they need to leave any groups that have access. If neither of those choices make business sense then the access controls and groups need to be revisited.

View solution in original post

4 REPLIES 4
PaulHomes
Rhodochrosite | Level 12

Rather than looking at this problem as how do I revoke access to people who have access but shouldn't, I would recommend taking a step back and considering how do I make sure I only grant access to the people who should have access. Based on the latter it looks like the access controls on the app server are not currently setup correctly to only grant access to those who should have access.

 

If you were to look at denying access to specific users or non-implicit groups (groups other than PUBLIC/SASUSERS) then you are very likely to run into conflict scenarios. You end up finding people-who-have-access-who-shouldn't or people-who-don't-have-access-but-should that can hard to troubleshoot (and the first group don't always tell you).

 

The recommended practice is to deny broadly (wipe out everyone's access) using PUBLIC (or SASUSERS) and then start granting access back to those who should have access (SAS System Services, SAS Administrators, other org groups).

 

For more info on this, there several resources you could look at:

If you follow those best practice examples then you control who has access by making sure they are members of groups that should have access. By making sure you do not deny permissions to any identity other than PUBLIC/SASUSERS then you also won't get conflicts. If the groups are setup correctly and someone doesn't have access then they need to join a group that has access. If they have access but shouldn't then they need to leave any groups that have access. If neither of those choices make business sense then the access controls and groups need to be revisited.

RupaJ
Lapis Lazuli | Level 10

Thanks @PaulHomes - I exactly did as you mentioned. Thanks so much for the detailed response. Appreciate it!

PaulHomes
Rhodochrosite | Level 12

Great to hear it was helpful and thanks for marking it solved.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 2182 views
  • 7 likes
  • 3 in conversation