cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Dph
Calcite | Level 5 Dph
Calcite | Level 5
Go to Solution

Prevent Users from Renaming Datasets

Posted 09-06-2021 04:38 AM (1317 views)

We have a team of EG users with some users have read only and some have write access for a certain library. I noticed that users can rename a dataset even if they have only read access to a library. Below are the settings:

 

Folder permission:

drwxrwx--- 2 sas_admin sas 7 Sep 6 16:12 testlib1

 

Dataset permission:

-rw-rw---- 1 sas_admin sas 196608 Sep 6 15:32 cars.sas7bdat

 

We registered the table in SMC and set the permission of user for both library and registered table:

Dph_0-1630916733862.png

 

They cannot delete or update the dataset but they can still rename it. 

 

Any thoughts how can we prevent this?

 

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 03:47 PM (1152 views)  |   In reply to Dph

As long as users have write permission for the directory on the operating system level, you will not be safe.

Remove the group write permission, and give only privileged users write permission via access control lists. This is what I have done for decades.

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX

View solution in original post

0 Likes
9 REPLIES 9
LinusH
Tourmaline | Level 20 LinusH
Tourmaline | Level 20

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 05:27 AM (1274 views)  |   In reply to Dph

Data authorization can be a bit complicated.

If you don't enforce the use of META engine, permission set in SMC has "no" effect - only Linus/UNIX folder permissions are in effect.

Data never sleeps
0 Likes
Dph
Calcite | Level 5 Dph
Calcite | Level 5

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 05:34 AM (1250 views)  |   In reply to LinusH
Hi,
Yeah, sorry I did not mention but the libraries are assigned using meta engine:

LIBNAME TESTLIB1 META LIBRARY='TESTLIB1' METAOUT=DATA;
0 Likes
Patrick
Opal | Level 21 Patrick
Opal | Level 21

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 05:37 AM (1243 views)  |   In reply to Dph

Yes and no. "METAOUT=DATA" will also show tables not registered in SAS Metadata.

 

The only way to really secure your data is on OS level as users will always have the option to issue a different libname via code and then only OS level permissions apply.

 

If you really want to ensure that data access is only possible via the libnames defined in SAS Metadata then you need a metadata bound library.

0 Likes
Dph
Calcite | Level 5 Dph
Calcite | Level 5

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 06:11 AM (1211 views)  |   In reply to Patrick
Yes I know the metaout=data will show all the tables but the dataset in question is a registered one.. I also understand the risk you mentioned.

I have to read about it since I am not familiar with metadata bound libraries, but may I know if we implement this will it prevent the 'read only' users from renaming of the datasets?
0 Likes
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 03:47 PM (1153 views)  |   In reply to Dph

As long as users have write permission for the directory on the operating system level, you will not be safe.

Remove the group write permission, and give only privileged users write permission via access control lists. This is what I have done for decades.

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
Dph
Calcite | Level 5 Dph
Calcite | Level 5

Re: Prevent Users from Renaming Datasets

Posted 09-06-2021 11:11 PM (1124 views)  |   In reply to Kurt_Bremser

I see, so it really cannot be controlled in metadata level. I haven't done any ACLs before but I just tested sample files/folders and it seems to work as expected. It will be a bit tedious because we have around 50 libraries and 30 users in that team, although only 20% of them have write access in each of the library.

 

Thanks, everyone.

0 Likes
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: Prevent Users from Renaming Datasets

Posted 09-07-2021 03:29 AM (1089 views)  |   In reply to Dph

With "not be safe" I meant that there might always be a way for users to copy and remove (resulting in a rename) files with the FCOPY and FDELETE functions.

The FCOPY and FDELETE functions do not care about library metadata when you use them with .sas7bdat files (a dataset is then just a file like any other file).

Even easier is the use of the mv system command if you have XCMD enabled or the users have access to the commandline with SSH.

The only thing that can prevent these actions is the operating system.

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
Kurt_Bremser
Super User Kurt_Bremser
Super User

Re: Prevent Users from Renaming Datasets

Posted 09-07-2021 05:19 AM (1073 views)  |   In reply to Dph

You could control it exclusively in metadata if you used SAS Token Authentication and a pooled workspace server, which would mean that for the OS only the sassrv user would read and write datasets, and you could set all libraries to drwx------ with owner sassrv. But that is not what you usually do, as you lose control over what an individual user does (disk storage, CPU consumption, etc).

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX
0 Likes
Dph
Calcite | Level 5 Dph
Calcite | Level 5

Re: Prevent Users from Renaming Datasets

Posted 09-08-2021 02:35 AM (1008 views)  |   In reply to Kurt_Bremser

Pooled workspace server setup will not be feasible, primarily because of the regular audit / security review.. Most likely will have to do combination of dataset registration + ACLs. Though I have to test further. 

 

Thank you for your inputs

0 Likes

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 9 replies
  • ‎09-06-2021 04:38 AM
  • 1318 views
  • 0 likes
  • 4 in conversation