Architecting, installing and maintaining your SAS environment

Permission Help

Reply
Contributor
Posts: 24

Permission Help

Hello All,

 

I'm trying to set up a folder structure with permissions assigned and looking for some assistance. 

 

Here is what I have and I don't understand why the permissions are being effective the way they are.

 

Folder structure is like so:

 

Corporate

-Accounting

-AML

-etc

 

I have a HIDE PUBLIC and SASUSER ACT applied  to the corporate folder - which only has SASUSER / PUBLIC ReadMetadata set to Deny applied

 

Next I have a Corporate Group assigned to the Corporate folder with ReadMetadata set to Grant.

 

Then I have individual groups for Accounting, AML, etc assigned to each of the sub folders of Corporate with RM, WM, WMM, CheckInMetaData, Read as Grant. I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder.

 

My scenario -

 

User Bob is in the Corporate Group and AML Group. He is able to see the Corporate folder but not the AML folder.

 

If I change the corporate group to RM on all the subfolder , User Bob is not only able to see the AML folder, but is able to see all the folders. 

 

Please instruct what I am doing wrong and how I can make happen what I'm trying to do. 

 

Thanks,

Andrew

SAS Employee
Posts: 8

Re: Permission Help

Posted in reply to ardobbins
This is where you got yourself into trouble.
"I have also changed the corporate permission which was inherited from the Corporate folder to deny RM so only users in the Accounting group can see the accounting folder"
Rather than doing the above "reapply" HIDE PUBLIC and SASUSER ACT to the individual sub folders and grant back only the group that you need.
Golden rule is to deny broadly (SASUSER/PUBLIC) and grant back narrow. When you deny a group other than SASUSER/PUBLIC you end up in Bob's scenario and the "deny" wins because Bob is both a member of Corporate and Accounting.
Take a look at this paper you should find It useful. You broke rule #3 Smiley Happy and what you need in your scenario is #4
http://support.sas.com/resources/papers/proceedings11/376-2011.pdf
Ask a Question
Discussion stats
  • 1 reply
  • 132 views
  • 1 like
  • 2 in conversation