FrankPoppe
Quartz | Level 8

Hi,
I am trying to use the METASEC_GETNAUTH function to determine what the permissions on specific objects (tables) are for a user running my web application.
The documentation (SAS Help Center: METASEC_GETNAUTH Function) refers to the values of the macro variables set by %MDSECCON() and lists their meanings. The first problem is that the documentation gives the prefix _SEC_, but using MPRINT reveals it is in fact _SECAD_.
And programming would have been easier if the documentation gave the actual values (1, 2, 3, 4, 8, 12, 16, 32, 48).

But my question is this.
There are nine possible values, three each for direct, indirect and ACT permissions. That's clear.
For each they mean 'grant', 'deny' or 'mask'.
I don't really know how to interpret 'mask'?

1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ
Have you considered using the MDSECDS macro instead? It uses METASEC_GETNAUTH for you (the code that does this is located in <SASHome>/SASFoundation/9.4/sasautos/mdsecgp.sas)

The way that code uses mask is (this is for explicit, but it does it for the others as well):

else if (band(authint, &_SECAD_PERM_EXPM)) then do;
    if (band(authint, &_SECAD_PERM_EXPD)) then
        authorization = "Denied Explicitly";
    else
        authorization = "Granted Explicitly";
end;

%MDSECDS Security Report Macro
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n0l1mpdt430djgn1bl1c3euei85w.htm

I'll pass the documentation folks your feedback.
--
Greg Wootton | Principal Systems Technical Support Engineer

8 REPLIES
LinusH
Tourmaline | Level 20

"Mask to extract indirect value.." - I don't understand the meaning of this.

I would send this question to SAS tech support, to clarify the documentation.

Data never sleeps
FrankPoppe
Quartz | Level 8

Yes, I have seen that page in the documentation, and that is where the problem is.

  • It is not correct: the names of the macro variables that are created start with _SECAD_, not _SEC_
  • It could have listed the actual numeric values (1, 2, 3, 4, 8, 12, 16, 32, 48)
  • It does not explain what 'mask' means
FrankPoppe
Quartz | Level 8

Hi @gwootton Greg,


Sorry not to react earlier; in some way I missed your contribution.

Yes, I did look at the MDSECDS macro, and I do use it sometimes. But in this case I only want to know what the permissions are for a specific user for a specific table object, and in that case MDSECDS is rather an overload.

Just checking the different authorizations is simpler here.

I don't really understand (yet) what the function of the mask value is, but the piece of code you give shows how to handle it.

Regards,

Frank

gwootton
SAS Super FREQ
The mask gives us a way to be more efficient in code. The result of the function will only ever be the permission and never the mask, but instead of evaluating the response like "if response = 1 then, else if response = 2 then", etc., we can more broadly evaluate the response as: step 1, is it an ACT, explicit or inherited permission; then, is it a grant (if not, it's a deny). If you're only doing this for a single user/object the efficiency here is negligible, but if you're evaluating lots of objects/users it makes the code complete faster. There are also masks for grant and deny if you don't care about the source of the permission and only its effect.
--
Greg Wootton | Principal Systems Technical Support Engineer
FrankPoppe
Quartz | Level 8

I think I now understand how to interpret this.


I originally understood the table as a listing of all the values that can be returned by the function. But that is not the case.

The returned value is composed of three bits: a deny or grant for explicit (1 or 2), a deny or grant for ACT (4 or 8) and for indirect (16 or 32).

The mask values (3, 12, 48) are just a helper to mask or select two bits if you are checking each of the three possible denies or grants.

SylviaPowell
SAS Employee

Hello Frank,

Thank you for your comments. I've updated the documentation for the METASEC_GETNAUTH Function to show the correct prefix in the macro variable names. I've also added the integer associated with each macro variable to the table, and added a discussion of masks. The updated documentation will be available in the SAS 9.4M8 documentation update.

Until then, here is an explanation of masks:

A mask is a filter that returns an indirect result. A bitwise AND between the mask and a value within that mask produces the input value; otherwise, it produces a zero. Three masks -- an explicit mask (3), an ACT mask (12), and an indirect mask (48) -- are provided to test whether a METASEC_GETNAUTH output value applies to a given authorization category.

The masks can be used with the BAND function. Here is example code that illustrates how the masks can be used:
rc = metasec_getnauth("", objuri, n,
                      identitytypes, identitynames,
                      auth, tmppermissions, condition,
                      &_SECAD_RETURN_ROLE_TYPE, identitydispname);
...
/* auth comes back as a character value; convert it to a number for BAND */
authint = input(auth, 16.);
...
/* test the source mask first, then the deny bit within that source */
if (band(authint, &_SECAD_PERM_EXPM)) then do;
    if (band(authint, &_SECAD_PERM_EXPD)) then
        authorization = "Denied Explicitly";
    else
        authorization = "Granted Explicitly";
end;
else if (band(authint, &_SECAD_PERM_ACTM)) then do;
    if (band(authint, &_SECAD_PERM_ACTD)) then
        authorization = "Denied by ACT";
    else
        authorization = "Granted by ACT";
end;
else if (band(authint, &_SECAD_PERM_NDRM)) then do;
    /* the deny macro variable carries the same _SECAD_ prefix as the others */
    if (band(authint, &_SECAD_PERM_NDRD)) then
        authorization = "Denied Indirectly";
    else
        authorization = "Granted Indirectly";
end;
...
The documentation was updated with the help of Greg Wootton.
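The bit layout worked out in Frank's reply and the mask/BAND logic in the post above, as an added Python illustration (not SAS code from the thread, from SAS, or from the MDSECDS macro). The bit values are the ones quoted in the thread (1, 2, 3, 4, 8, 12, 16, 32, 48); the Python constant names, the string parsing step, and the combined grant/deny convenience masks are assumptions made here, since the thread mentions that grant/deny masks exist but does not quote their values:

```python
# Added illustration of the METASEC_GETNAUTH bit layout discussed in the thread.
# Values below are the ones quoted in the thread for the _SECAD_PERM_* macro
# variables; the Python names are chosen here, not SAS identifiers.

EXPD, EXPG, EXPM = 1, 2, 3      # explicit: deny bit, grant bit, mask (1|2)
ACTD, ACTG, ACTM = 4, 8, 12     # ACT:      deny bit, grant bit, mask (4|8)
NDRD, NDRG, NDRM = 16, 32, 48   # indirect: deny bit, grant bit, mask (16|32)

# Assumption: "effect only" masks, derived here by OR-ing the bits above.
# The thread says such masks exist but does not give their values.
DENY_ANY = EXPD | ACTD | NDRD    # 21
GRANT_ANY = EXPG | ACTG | NDRG   # 42


def mask_selects(value: int, mask: int) -> int:
    """Sylvia's definition of a mask: value & mask is the value itself when the
    value lies within the mask, and zero otherwise."""
    return value & mask


def describe(authint: int) -> str:
    """Mirror of the SAS if/else-if chain: find the source of the permission
    with its mask, then read the deny bit of that source (not set => grant)."""
    if authint & EXPM:
        return "Denied Explicitly" if authint & EXPD else "Granted Explicitly"
    if authint & ACTM:
        return "Denied by ACT" if authint & ACTD else "Granted by ACT"
    if authint & NDRM:
        return "Denied Indirectly" if authint & NDRD else "Granted Indirectly"
    return "No permission information"


def effect(authint: int) -> str:
    """Use the derived effect-only masks when the source does not matter.
    Deny is checked first so a combined value never reads as a grant."""
    if authint & DENY_ANY:
        return "deny"
    if authint & GRANT_ANY:
        return "grant"
    return "none"


def decode_auth(auth: str) -> str:
    """Counterpart of `authint = input(auth, 16.)`: the function hands back a
    character value, which must become a number before any bit test."""
    return describe(int(auth.strip()))


if __name__ == "__main__":
    # Constructed sample outputs, one per documented permission value.
    for sample in ("1", "2", "4", "8", "16", "32", "0"):
        print(f"{sample:>3} -> {decode_auth(sample)} (effect: {effect(int(sample))})")
```

The order of the tests matters in the same way it does in the SAS code: each source mask is checked before its deny bit, and the explicit source wins over ACT, which wins over indirect, so a value that somehow carried more than one source bit would still be reported from the most specific source.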
