BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
FrankPoppe
Quartz | Level 8

Hi,
I am trying to use the METASEC_GETNAUTH function to determine what the permissions on specific objects (tables) are, for a user running my web application.
The documentation (SAS Help Center: METASEC_GETNAUTH Function) refers to the values of macro variables set by the %MDSECCON() and lists the meaning. First problem is that the documentation gives the prefix _SEC_ but using MPRINT reveals it is in fact _SECAD_.
And programming would have been easier if the documentation would give the actual values (1, 2, 3, 4, 8 , 12, 16, 32, 48).

But my question it this. 
There are nine possible values, three each for direct, indirect and ACT permissions. That's clear.
For each they mean 'grant', 'deny'  or 'mask'.
I don't really know how to interpret 'mask' ??

1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ
Have you considered using the MDSECDS macro instead? It uses METASEC_GETNAUTH for you (the code that does this is located in <SASHome>/SASFoundation/9.4/sasautos/mdsecgp.sas)

The way that code uses mask is (this is for explicit, but it does it for the others as well):

else if (band(authint, &_SECAD_PERM_EXPM) ) then do;
if (band(authint,&_SECAD_PERM_EXPD )) then
authorization = "Denied Explicitly";
else
authorization = "Granted Explicitly";
end;

%MDSECDS Security Report Macro
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0l1mpdt430djgn1bl1c3euei85w.htm

I'll pass the documentation folks your feedback.
--
Greg Wootton | Principal Systems Technical Support Engineer

View solution in original post

8 REPLIES 8
LinusH
Tourmaline | Level 20

"Mask to extract indirect value.." - I don't understand the meaning of this.

I would send this question to SAS tech support, to clarify the documentation.

Data never sleeps
FrankPoppe
Quartz | Level 8

Yes, I have seen that page in the documentation, and that is where the problem is.

  • It is not correct, the name of macro variables that are created start with _SECAD_, not _SEC_
  • It could have listed the actual numeric values (1,2,3,4,8,12,16,32,48)
  • It does not explain what 'mask' means
gwootton
SAS Super FREQ
Have you considered using the MDSECDS macro instead? It uses METASEC_GETNAUTH for you (the code that does this is located in <SASHome>/SASFoundation/9.4/sasautos/mdsecgp.sas)

The way that code uses mask is (this is for explicit, but it does it for the others as well):

else if (band(authint, &_SECAD_PERM_EXPM) ) then do;
if (band(authint,&_SECAD_PERM_EXPD )) then
authorization = "Denied Explicitly";
else
authorization = "Granted Explicitly";
end;

%MDSECDS Security Report Macro
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0l1mpdt430djgn1bl1c3euei85w.htm

I'll pass the documentation folks your feedback.
--
Greg Wootton | Principal Systems Technical Support Engineer
FrankPoppe
Quartz | Level 8

Hi @gwootton Greg,


Sorry not to react earlier, in some way I missed your contribution.

Yes - I did look to the MDSECDS macro. And I do use it sometimes. But in this case I only want to know what the permissions are for a specific user for a specific table object, and then that MDSECDS is rather an overload. 

Just checking the different authorizations is simpler here.

 

I don't really understand (yet) what the function of the mask value is, but the piece of code you give shows how to handle it.

 

Regards,

Frank

gwootton
SAS Super FREQ
The mask gives us a way to be more efficient in code. The result of the function will only ever be the permission and never the mask, but instead of evaluating the response like if response = 1 then, else if response = 2 then, etc etc, we can more broadly evaluate the response as: step 1, is it a act, explicit or inherited permission, then is it a grant (if not its a deny). If you're only doing this for a single user/object the efficiency here is negligible, but if you're evaluating lots of objects / users it makes the code complete faster. There are also masks for grant and deny if you don't care about the source of the permission and only its effect.
--
Greg Wootton | Principal Systems Technical Support Engineer
FrankPoppe
Quartz | Level 8

I think I now understand how to interpret this.


I originally understood the table as a listing of all the values that can be returned by the function. But that is not the case. 

The returned value is composed of three bits: a deny or grant for explicit (1 or 2), a deny or grant for ACT (4 or 8 ) and for indirect (16 or 32).

The mask values (3, 12, 48) are just a helper to mask or select two bits if you are checking each of the three possible denies or grants.

SylviaPowell
SAS Employee

Hello Frank,

Thank you for your comments. I've updated the documentation for the METASEC_GETNAUTH= Function to show the correct prefix in the macro variable names. I've also added the integer associated with each macro variable to the table, and added a discussion of masks. The updated documentation will be available in the SAS 9.4M8 documentation update.

 

Until then, here is an explanation of masks:

 
A mask is a filter that returns an indirect result. A bitwise AND between the mask and a value within that mask produces the input value; otherwise, it produces a zero. Three masks  -- an explicit mask (3), ACT mask (12), and an indirect mask (48) --  are provided to test whether a METASEC_GETNAUTH output value applies to a given authorization category.
 
The masks can be used with the BAND function. Here is example code that
illustrates how the masks can be used:
rc=metasec_getnauth("",objuri,n,
identitytypes,identitynames,
auth,tmppermissions,condition,
&_SECAD_RETURN_ROLE_TYPE, identitydispname);
...
authint = input(auth, 16.);
...
if (band(authint, &_SECAD_PERM_EXPM) ) then do;
if (band(authint,&_SECAD_PERM_EXPD)) then
authorization = "Denied Explicitly";
else
authorization = "Granted Explicitly";
end;
else if (band(authint, &_SECAD_PERM_ACTM) ) then do;
if (band(authint,&_SECAD_PERM_ACTD)) then
authorization = "Denied by ACT";
else
authorization = "Granted by ACT";
end;
else if (band(authint,&_SECAD_PERM_NDRM) ) then do;
if (band(authint,&SECAD_PERM_NDRD)) then
authorization = "Denied Indirectly";
else
authorization = "Granted Indirectly";
end;
...
The documentation was updated with the help of Greg Wootton.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 8 replies
  • 1468 views
  • 5 likes
  • 5 in conversation