BookmarkSubscribeRSS Feed
ardobbins
Obsidian | Level 7

Hello All,

 

I'm trying to set up a folder structure with permissions assigned and looking for some assistance. 

 

Here is what I have and I don't understand why the permissions are being effective the way they are.

 

Folder structure is like so:

 

Corporate

-Accounting

-AML

-etc

 

I have a HIDE PUBLIC and SASUSER ACT applied  to the corporate folder - which only has SASUSER / PUBLIC ReadMetadata set to Deny applied

 

Next I have a Corporate Group assigned to the Corporate folder with ReadMetadata set to Grant.

 

Then I have individual groups for Accounting, AML, etc assigned to each of the sub folders of Corporate with RM, WM, WMM, CheckInMetaData, Read as Grant. I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder.

 

My scenario -

 

User Bob is in the Corporate Group and AML Group. He is able to see the Corporate folder but not the AML folder.

 

If I change the corporate group to RM on all the subfolder , User Bob is not only able to see the AML folder, but is able to see all the folders. 

 

Please instruct what I am doing wrong and how I can make happen what I'm trying to do. 

 

Thanks,

Andrew

1 REPLY 1
angian
SAS Employee
This is where you got yourself into trouble.
"I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder"
Rather than doing the above "reapply" HIDE PUBLIC and SASUSER ACT to the individual sub folders and grant back only the group that you need.
Golden rule is to deny broadly (SASUSER/PUBLIC) and grant back narrow. When you deny a group other than SASUSER/PUBLIC you end up in Bob's scenario and the "deny" wins because Bob is both a member of Corporate and Accounting.
Take a look at this paper you should find It useful. You broke rule #3 🙂 and what you need in your scenario is #4
http://support.sas.com/resources/papers/proceedings11/376-2011.pdf

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 1 reply
  • 699 views
  • 1 like
  • 2 in conversation