BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Albert0
Quartz | Level 8

Hi All,

 

I have this problem setting up an access to a user that belongs to many group in SAS Management Console. There are 10 folders in the environment and each folder represent a group. The scenario is that Folder1 belong to Group1 and all groups have deny access to this folder except Group1 and Folder2 belongs to Group2 and all groups have deny access to this folder except Group2. Now User1 is involved in a Project to Group1 and Group2 so User1 will be added to both groups. In a way I'm thinking that User1 can still access both folders since User1 belongs to the 2 groups but upon checking User1 cannot access those 2 Folders.

 

Can anyone help me find a solution that when I add 2 groups to a User the user can still see the Folder in which the Group has access to?

 

Btw, creating new groups is not applicable since there are a lot of situation a User can be involved in different sets of Folders as this may result in almost 1 group only contains 1 or 2 Users. There are a lot of folders in our environment it's just that I put 10 folders in order for me to show the situation.

 

Thanks.

-Albert0

 

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

As @Kurt_Bremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too).  Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

View solution in original post

2 REPLIES 2
Kurt_Bremser
Super User

Do not set "deny" for your groups. Deny for a higher level group (SASUSERS) and then specifically allow all your groups that shall have access.

PaulHomes
Rhodochrosite | Level 12

As @Kurt_Bremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too).  Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • 1182 views
  • 3 likes
  • 3 in conversation