JuanS_OCS
Amethyst | Level 16

Hi all,

 

Setting up a Change Managed folder in SAS DI is quite easy:
Create a Change-Managed Folder in the Folders Tree - http://support.sas.com/documentation/cdl/en/bidaag/69032/HTML/default/viewer.htm#p0jwlqhvab11lrn130h...

 

Therefore, it should only require, on each managed folder (and only on them):
     - Users with Project repositories: RM, and Check for the metadata. Optionally: R, W, and other full permissions for the data, except administer.
     - Job deployers: RM and WM (+Scheduling role) should be enough.

 

But apparently it is not enough in my case for one specific project. There seem to be external components (not even in SAS Folders, but in the metadata) to administer permissions.

 

An example of an error during a check out:

MyUser@DOMAIN - User is not authorized to Checkout object QueryTable : 'Subquery_Results_46603 (sq)' (Id="A5VCWKRJ.CQ0000F3").

 

If I search by the Id or Subquery_Results, SMC cannot find the object.
      A - Of course, a SAS Foundation metabrowse can find the object in the metadata.
      B - I can also find the object within SMC in Resource Management - By Type - and then Query Table or Prototype (for Prototype objects), etc.

 

On those metadata items I simply cannot provide permissions because there is no SAS Folder. I can only provide permissions individually, object by object (within option B), but there are hundreds of them. Not an option.

 

Therefore:
     - Correct permissions on those folders (as following SAS best practices) are not enough.
     - Only if I apply permissions in ALL the metadata, through the Default ACT, which is quite insecure and unclear, then I can apply the permission on the object.

 

Hopefully you know more than I do, and one of you can help here: how can I apply permissions, securely and manageably, on the other metadata objects that are not under the Change Managed folders?

 

Thank you in advance,


Best regards,
Juan

Accepted Solutions
TomH
SAS Employee

Hello Juan,

 

When performing a Check out on an object like a SAS Data Integration Studio job, the job will almost always contain references to metadata objects that are not surfaced within Folders. Objects that are not surfaced in Folders tabs in SAS Management Console or SAS Data Integration Studio inherit permissions directly from the Default ACT (or the ACT that is designated as Default). Query Tables, Work Tables, Feature Maps, and Classifier Maps are examples of objects that fall into this category.

 

 

As you have discovered, if the user that is attempting to perform a Change Management task (like Check Out) is not granted CheckInMetadata permissions via an ACT, you will not be able to leverage Change Management in DI Studio.  

 

Here is one solution: 

 

  • Go to the Authorization Manager plug-in and edit the Default ACT. Grant CheckInMetadata permissions to the SASUSERS group on the Permissions Pattern tab under Properties for the Default ACT.  Save the change.
  • Open Properties on the root "SAS Folders" object under the Folders tab in SAS Management Console, go to the Authorization tab, highlight the SASUSERS group, then select Deny for CheckInMetadata so this permission is explicitly denied at the folder root.

 

This grants the CheckInMetadata permission for all dependent metadata objects, but denies CheckInMetadata to all registered users for all objects that do inherit permissions from folders.  The result is that the only folders that will allow Check Out and Check In will be those that you configured based on the Change Management documentation.

 

If you prefer, you can limit the scope using an alternative like the following:

 

  • Create a new Group under User Manager (Change Management Users?) and make all users that need to leverage Change Management functionality within DI Studio members of this group. Save the group.
  • Go to the Authorization Manager plug-in and edit the Default ACT.  Add this new group to the Default ACT on the Permission Pattern tab and grant this group ReadMetadata and CheckInMetadata.
  • Open Properties on the root "SAS Folders" object under the Folders tab in SAS Management Console, go to the Authorization tab, examine the permissions for each of the Users/Groups to verify that no one is being granted CheckInMetadata at this level. 

The only users that are granted any CheckInMetadata permissions in the Default ACT are those in the Change Management Users group, not all users.  The only locations where users will be able to perform Check Out and Check In will be those you set up when following the documentation on using Change Management.  

 

 

I performed testing and confirmed that these options successfully resolve the Check Out issues.

 

Regards,

 

Tom
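
The inheritance behind the first option, as an added example that is not part of the original thread and not SAS code: a simplified Python model in which the nearest setting on the path from an object to the Default ACT decides. The folder paths, the `DI Developers` group and the `OtherUser` identity are assumptions made for illustration.

```python
# Simplified model of the inheritance described in the answer above; it is not
# SAS's evaluation engine. Folder paths and all identities except SASUSERS are
# made up for illustration.
CIM, GRANT, DENY = "CheckInMetadata", "grant", "deny"

class Node:
    def __init__(self, name, parent=None, acl=None):
        self.name, self.parent, self.acl = name, parent, acl or {}

def decide(node, identities, perm=CIM):
    """Return (decision, source). The nearest node that carries a setting for
    one of the identities wins; identities are ordered most specific first."""
    while node is not None:
        for ident in identities:
            if (ident, perm) in node.acl:
                return node.acl[(ident, perm)], node.name
        node = node.parent
    return DENY, "no grant found"

def build(fixed):
    """fixed=False: Default ACT has no CheckInMetadata grant (the failing state).
    fixed=True: option 1, grant in the Default ACT plus deny at the folder root."""
    act = Node("Default ACT", acl={("SASUSERS", CIM): GRANT} if fixed else {})
    root = Node("SAS Folders", act, {("SASUSERS", CIM): DENY} if fixed else {})
    # The change-managed folder keeps its own grant, set up per the documentation.
    managed = Node("/Projects/Managed", root, {("DI Developers", CIM): GRANT})
    return {
        "managed_job": Node("job in managed folder", managed),
        "other_job": Node("job in ordinary folder", Node("/Shared", root)),
        # Not surfaced in any folder, so its parent is the Default ACT itself.
        "query_table": Node("QueryTable", act),
    }

developer = ["MyUser", "DI Developers", "SASUSERS"]
outsider = ["OtherUser", "SASUSERS"]

if __name__ == "__main__":
    for fixed in (False, True):
        objs = build(fixed)
        for who, ids in (("developer", developer), ("outsider", outsider)):
            for key, obj in objs.items():
                print("fixed" if fixed else "before", who, key, *decide(obj, ids))
```

In the "before" state the developer is granted on the job but denied on the query table it references, which is the situation the check-out error in the question reports.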

JuanS_OCS
Amethyst | Level 16

Thanks a lot @TomH! This helps a lot. Is this documented somewhere?
