Architecting, installing and maintaining your SAS environment

User Groups Access

Accepted Solution Solved
Reply
Contributor
Posts: 26
Accepted Solution

User Groups Access

Hi All,

 

I have this problem setting up an access to a user that belongs to many group in SAS Management Console. There are 10 folders in the environment and each folder represent a group. The scenario is that Folder1 belong to Group1 and all groups have deny access to this folder except Group1 and Folder2 belongs to Group2 and all groups have deny access to this folder except Group2. Now User1 is involved in a Project to Group1 and Group2 so User1 will be added to both groups. In a way I'm thinking that User1 can still access both folders since User1 belongs to the 2 groups but upon checking User1 cannot access those 2 Folders.

 

Can anyone help me find a solution that when I add 2 groups to a User the user can still see the Folder in which the Group has access to?

 

Btw, creating new groups is not applicable since there are a lot of situation a User can be involved in different sets of Folders as this may result in almost 1 group only contains 1 or 2 Users. There are a lot of folders in our environment it's just that I put 10 folders in order for me to show the situation.

 

Thanks.

-Albert0

 


Accepted Solutions
Solution
‎11-11-2017 01:11 AM
PROC Star
Posts: 428

Re: User Groups Access

Posted in reply to KurtBremser

As @KurtBremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too).  Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

View solution in original post


All Replies
Super User
Posts: 8,061

Re: User Groups Access

Do not set "deny" for your groups. Deny for a higher level group (SASUSERS) and then specifically allow all your groups that shall have access.

---------------------------------------------------------------------------------------------
Maxims of Maximally Efficient SAS Programmers
Solution
‎11-11-2017 01:11 AM
PROC Star
Posts: 428

Re: User Groups Access

Posted in reply to KurtBremser

As @KurtBremser mentioned, your conflicts can be avoided by denying broadly to implicit groups (PUBLIC or SASUSERS) and then granting narrowly to those groups that should have access (remembering admins too).  Those are examples of SAS metadata security best practices described in several papers over the years. The most recent of these are the Recommended SAS 9.4 Security Model Design papers from @DavidStern in the SAS Global Enablement and Learning (GEL) group. I encourage you to read the GEL papers and watch the webinar that I did with David a few weeks ago. By following those practices you should find SAS metadata security much simpler to implement and understand and ultimately avoid conflicts like these. You can find links to the papers and the webinar at http://bit.ly/SASUKMetacodaWebinar

☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 2 replies
  • 173 views
  • 3 likes
  • 3 in conversation