Thanks Paul, I've got this working thanks to the link you provided.

For those that find this thread in the future, here's what I did:

General:

F: is a dedicated drive for the work and utility files.  It is the "root" of the work and util files.

We have F:\SASWork and F:\SASUtil to split out the work and utility files.  These correspond to the -WORK and -UTILLOC invocation options.

We have three SAS levels on the one machine, so we have F:\SASWork\Lev1 | Lev2 | Lev9 and F:\SASUtil\Lev1 | Lev2 | Lev9.

All directories and files are owned by SYSTEM down to the directories created by SAS (i.e. _TD12345_<machinename>)

The link Paul provided uses the "Everyone" principal.  I used "Users" instead of "Everyone", since all SAS users will be authenticated.

I tweaked some of the settings differently from the link Paul provided.  I tested pretty heavily, and these settings appear to meet my needs.  In general, I granted as little permission as possible but still work correctly.  See details below.

Option 1:

F:\

SYSTEM and Administrators:  Full Control ~ This folder, subfolders and files

Machinename\Users:  Traverse folder / execute file + List folder / read data ~ This folder, subfolders and files  (This will display as "Special permissions")

Inheritance is on

F:\SASWork

Everything is inherited

F:\SASWork\Lev1 | Lev2 | Lev9

Everything is inherited

Additional ACEs:

Machinename\Users:  Traverse folder / execute file + List folder / read data + Read attributes + Create folders / append data ~ This folder only.

     This allows the current SAS process to create the _TD12345_MachineName_ folder under F:\SASWork\Lev1.  This directory, subfolders, and files are owned by the user who has launched the SAS process.

     Note that some of these permissions duplicate permissions from the Users principal inherited from F:\.

CREATOR OWNER:  Full Control ~ Subfolders and files only.

     This allows the current SAS process to read/write/delete files and subfolders under _TD12345_MachineName_

Under this scenario, another user can list the contents of someone else's user library, but cannot read the data.

For example, I can execute libname foo "F:\SASWork\Lev1\_TD12345_MachineName", where that path is someone else's work folder.  The DMS explorer will show the contents, i.e. SAS datasets, in that library, but I cannot open them or read their data.

In the unlikely scenario where even the name of the contents in the other user's work library is sensitive:

Option 2:

Same as above, except:

1) Turn off inheritance on Lev1 | Lev2 | Lev9

2) Remove the inherited Machinename\Users principal  (i.e. remove Traverse folder / execute file + List folder / read data from This folder, subfolders, and files)

3) Propagate the explicit permissions to the child objects (i.e. SYSTEM and Administrators)

4) So, the remaining Machinename\Users principal granting Traverse folder / execute file + List folder / read data + Read attributes + Create folders / append data  only applies to This folder only.

In this scenario, I cannot even list the contents of the other user's work library.  libname foo "F:\SASWork\Lev1\_TD12345_MachineName", where that path is someone else's work folder, fails with Access denied.

I went with Option 1, which meets my security needs.

Thanks again for the help Paul, and I hope this may help someone else who finds this in the future.

Regards,

Scott

Message was edited by: Scott Bass:  Further testing showed that CREATOR OWNER needs Full Control, not just Modify

No problem Scott. Glad I could help. I think I might bookmark this one myself.