Solved: User Groups Access

Albert0 · Posted 11-07-2017 01:28 AM

Hi All,

I have this problem setting up an access to a user that belongs to many group in SAS Management Console. There are 10 folders in the environment and each folder represent a group. The scenario is that Folder1 belong to Group1 and all groups have deny access to this folder except Group1 and Folder2 belongs to Group2 and all groups have deny access to this folder except Group2. Now User1 is involved in a Project to Group1 and Group2 so User1 will be added to both groups. In a way I'm thinking that User1 can still access both folders since User1 belongs to the 2 groups but upon checking User1 cannot access those 2 Folders.

Can anyone help me find a solution that when I add 2 groups to a User the user can still see the Folder in which the Group has access to?

Btw, creating new groups is not applicable since there are a lot of situation a User can be involved in different sets of Folders as this may result in almost 1 group only contains 1 or 2 Users. There are a lot of folders in our environment it's just that I put 10 folders in order for me to show the situation.

Thanks.

-Albert0

PaulHomes · Posted 11-11-2017 01:10 AM

As @Kurt_Bremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too). Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

View solution in original post

Kurt_Bremser · Posted 11-07-2017 02:04 AM

Do not set "deny" for your groups. Deny for a higher level group (SASUSERS) and then specifically allow all your groups that shall have access.

Maxims of Maximally Efficient SAS Programmers
How to convert datasets to data steps
The macro for direct download as ZIP
How to post code
Please vote for Provide Sequential Search Capability for Hash Objects
How to deal with locked files on UNIX

PaulHomes · Posted 11-11-2017 01:10 AM

As @Kurt_Bremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too). Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

User Groups Access

Re: User Groups Access

Re: User Groups Access

Re: User Groups Access