Amitkmr1979
Fluorite | Level 6

Dear Friends,

I was asked to create a separate group with a few people added to it, who can only access the sensitive data in the new library created.

I created a new group and a new library, added the required people and granted them full access sans administer.

The problem is that when I create a new library, some groups are automatically added, a couple of which have full access. We are able to remove deny all role for analysts, but for another group, when I try to remove or deny all (Read/Write Metadata, CheckInMetadata, Read, Write, Create, Delete), I get the message below:

[Screenshot: Amitkmr1979_0-1677571916769.png]

And when I try to remove the group, I get the message below:

[Screenshot: Amitkmr1979_1-1677571978177.png]

Please can you advise why this is happening and how I can remove or deny permission for that particular role?

Best Regards

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

Hi,

 

The 2nd screenshot is telling you that you cannot remove the group from the list because it appears from either a parent object in the inheritance path or via an applied ACT. You cannot remove the group here but you can change its permissions (if appropriate). If you really want to remove the group from the list then it needs to be removed from the auth tab on a parent object or the permission pattern of an applied ACT (but that could have a very big impact).

The 1st screenshot I suspect is because you are denying permissions to non-implicit groups (i.e. not PUBLIC or SASUSERS) and it results in a conflict where you yourself would no longer have the ability to see the object. A best practice is to only ever deny permissions to PUBLIC or SASUSERS and then grant back to the groups that require access. See rule #3 in https://support.sas.com/resources/papers/proceedings11/376-2011.pdf. You may also want to have a look at the GEL Golden Rules at https://communities.sas.com/t5/SAS-Communities-Library/Golden-Rules-for-Security-Model-Design/ta-p/3...

I hope this helps.

Cheers

Paul
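
Added example (not part of the answer above and not SAS code): a simplified Python model of why denying a named group can lock out someone who also belongs to a granted group, while denying PUBLIC and granting back does not. It assumes the identity precedence documented for SAS 9 metadata authorization (user, then direct groups, then SASUSERS, then PUBLIC, with deny winning a tie at the same level); the users, the groups other than PUBLIC and SASUSERS, and the function names are hypothetical.

```python
# Simplified model (assumption): direct access controls on ONE metadata object,
# resolved by identity precedence: user > direct groups > SASUSERS > PUBLIC.
# A grant/deny conflict at the same precedence level resolves to deny.
# Inheritance, nested groups and explicit-vs-ACT precedence are not modelled.

def effective(user, groups, controls):
    """Return 'grant' or 'deny' for one permission (e.g. ReadMetadata).

    controls maps an identity name to 'grant' or 'deny' (settings on the object).
    groups is the set of groups the user belongs to directly.
    """
    levels = [
        [user],            # most specific: the user's own identity
        sorted(groups),    # direct group memberships
        ["SASUSERS"],      # implicit group: every registered user
        ["PUBLIC"],        # implicit group: everyone who can authenticate
    ]
    for level in levels:
        settings = {controls[i] for i in level if i in controls}
        if settings:
            # The most specific level with any setting decides; deny wins a tie.
            return "deny" if "deny" in settings else "grant"
    return "deny"          # no setting found anywhere: not granted

# Constructed sample identities (hypothetical names).
USERS = {
    "admin1": {"Analysts", "SensitiveData"},   # member of both groups
    "analyst1": {"Analysts"},
    "owner1": {"SensitiveData"},
    "other1": {"Marketing"},                   # group nobody thought to deny
}

# Pattern the question ran into: deny a named (non-implicit) group.
DENY_NAMED_GROUP = {"SASUSERS": "grant", "Analysts": "deny", "SensitiveData": "grant"}
# Pattern the answer recommends: deny PUBLIC, grant back to the group that needs access.
DENY_PUBLIC_GRANT_BACK = {"PUBLIC": "deny", "SensitiveData": "grant"}

def audit(controls):
    """Effective permission for every sample user under one set of controls."""
    return {u: effective(u, g, controls) for u, g in USERS.items()}

if __name__ == "__main__":
    for name, c in (("deny named group", DENY_NAMED_GROUP),
                    ("deny PUBLIC, grant back", DENY_PUBLIC_GRANT_BACK)):
        print(name, audit(c))
```

In the first pattern `admin1` is locked out by the group-level conflict and `other1` still gets in through SASUSERS; in the second only members of the granted group have access.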


Amitkmr1979
Fluorite | Level 6

Thanks Paul,

 

I just got to know that it could be applied through ACT or inherited from parent folder which I do not want to change.

I am looking to create an ACT and then add the group for whom I want to give permission to sensitive data.

Thanks very much for your links below.

Without SAS community I would have struggled for ages 🙂
