BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Aneeket
Obsidian | Level 7

 

I have a folder that contents are Cubes, Jobs and Information Map. Information Map is based on OLAP Cubes. We require the provide the permission to client user to display only Information Map Icons, and they can also access information (not the OLAP Cube icons).
 
When I am deny the readmetadata permission to user of Cubes then user cann't able to see the Cubes icons, but Information Map icon can see. But major problem is in this case user can not able to fetch the data from information map.
 
DI Contenets:
 
Inline image 1
 
Presenet Access:
Inline image 2
 
 
Requirement :
Inline image 3
1 ACCEPTED SOLUTION

Accepted Solutions
Madelyn_SAS
SAS Super FREQ

Hello, Aneeket:

 

I think that there might be some confusion between permissions and roles.

 

Permissions control access to the data such as cubes.

Users need permission to access the cube data in order to view the report. At the following link, you will find a table that explains the metadata permissions that the users need. For maps and cubes, the users need ReadMetadata and Read, as well as ReadMetadata on the report, parent folder, and repository.

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n0bxpw0fyk4srkn1xp...

 

Roles control access to application features.

Users do not need the ability to open a cube directly in Web Report Studio in order to access data in a cube. To stop them from opening the cubes directly, you put them in a role with Direct Access to Cubes disabled. For example, say that your users are members of the Web Report Studio: Report Viewing role, and this role does not have Direct Access to Cubes enabled. But, then, say that the SASUSERS group is a member of the Web Report Studio Advanced role and that role does have the Direct Access to Cubes enabled. Your users will be able to open cubes directly in Web Report Studio because they are members of the SASUSERS group. To resolve this, you must ensure that the users are not members of any group that is assigned to a role with the Direct Access to Cubes enabled.

 

To summarize:

  • To ensure that users have access to the data in the cube, grant them ReadMetadata and Read on the map and the cube, and also grant them ReadMetadata on the report, parent folder, and repository.
  • To prevent users from seeing the cube 'icons' in folders in Web Report Studio, make sure that they are not members of any role that has the Direct Access to Cubes enabled. This means checking their group memberships because they can inherit the capability from a group such as SASUSERS.

View solution in original post

10 REPLIES 10
LinusH
Tourmaline | Level 20
I can't open the pictures, at least from my mobile browser.

What is the reason for not provide access to the cubes?
If it is for the convenience for the user, perhaps you could just move the cubes to another folder?
You could probably bypass the inherited authorization some way, but is it really worth it? The users clearly have the right to see the data....

What client user tools are in use?
Data never sleeps
Aneeket
Obsidian | Level 7

Thank you Linush for your response; using the SAS WRS. I have already moved to Imap in different folder, but I am getting same error, not able to fetch the data.

 


DI.jpgWRS_ Admin User.jpgWRS_ Client User login.png
Madelyn_SAS
SAS Super FREQ

If your goal is to prevent SAS Web Report Studio users from opening cubes directly in SAS Web Report Studio, then you can control that access via a SAS Web Report Studio role. Simply add the users as members of a role that does not have the "Allow Direct Access to Cubes" capability enabled.

 

The users must still have permissions to access the cube data.


cube_access.jpg
Aneeket
Obsidian | Level 7

Dear Madelyn_SAS, thanks for your response, already had uncheck box the 'Allow Direct Access to Cubes'.

Madelyn_SAS
SAS Super FREQ

If you have unchecked the Allow Direct Access to Cubes but your users can still see cubes when navigating in Web Report Studio, then the most likely reason is that either the PUBLIC or SASUSERS group is a member of a Web Report Studio role that has the Allow Direct Access to Cubes enabled. I would suggest checking memberships of the other roles.

anja
SAS Employee
The behavior you describe could also be caused by conflicting permissions.
You mentioned that you already moved data to different folders. If groups applied to folders would include the same users yet with different permissions, you'll have a conflict.
(Just an example).

Metacoda provides some fantastic features that allow you to see which permissions are applied on which objects.
Maybe this could help in evaluating the permission settings.

Also, as Madelyn mentioned, checking how the implicit groups SASUSERS and PUBLIC are used is key.

Did you modify any of the default roles, such as modifying capabilities?

What SAS version are you using?
Aneeket
Obsidian | Level 7

Hi Anja, thanks for your response, I am using SAS9.3. SASUSERS and PUBLIC have bydefault permission. But I am facing sam problem.

Madelyn_SAS
SAS Super FREQ

Hello, Aneeket:

 

I think that there might be some confusion between permissions and roles.

 

Permissions control access to the data such as cubes.

Users need permission to access the cube data in order to view the report. At the following link, you will find a table that explains the metadata permissions that the users need. For maps and cubes, the users need ReadMetadata and Read, as well as ReadMetadata on the report, parent folder, and repository.

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n0bxpw0fyk4srkn1xp...

 

Roles control access to application features.

Users do not need the ability to open a cube directly in Web Report Studio in order to access data in a cube. To stop them from opening the cubes directly, you put them in a role with Direct Access to Cubes disabled. For example, say that your users are members of the Web Report Studio: Report Viewing role, and this role does not have Direct Access to Cubes enabled. But, then, say that the SASUSERS group is a member of the Web Report Studio Advanced role and that role does have the Direct Access to Cubes enabled. Your users will be able to open cubes directly in Web Report Studio because they are members of the SASUSERS group. To resolve this, you must ensure that the users are not members of any group that is assigned to a role with the Direct Access to Cubes enabled.

 

To summarize:

  • To ensure that users have access to the data in the cube, grant them ReadMetadata and Read on the map and the cube, and also grant them ReadMetadata on the report, parent folder, and repository.
  • To prevent users from seeing the cube 'icons' in folders in Web Report Studio, make sure that they are not members of any role that has the Direct Access to Cubes enabled. This means checking their group memberships because they can inherit the capability from a group such as SASUSERS.
Aneeket
Obsidian | Level 7

Thank you very much Madelyn_SAS. I got solution, I am thankful for you. Everything was ok but SASUSERS group have the access of SAS WRS have  Direct Access to Cubes enabled. Now SASUSER have not permission of SAS WRS access and its working fine. 

anja
SAS Employee
Hi,

Did you make any changes in
SAS Management Console, Authorization Manager, Resource Managements, Location ... <server> <OLAP schema>?

To make sure I understand you correctly:
Your users have to access info maps but are not allowed to access cubes? Are we talking "seeing cubes" or "updating cubes"?

Did you make changes on SASTRUST? Has to have RM!

What error messages are you getting (if any).

Log files might give an indication of what might go wrong.

What are the current effective permissions on the folders and its content?

When you go on the Authorization tab of an object's properties, Access Control, make sure the Default ACT is the only one applied (Foundation).
Goal here is to make sure that you do not have any other ACTs applied.

All these points could effect how objects "behave", and consequently, how users can interact with it.

If the problem persists, I'd recommend to contact Tech Sup.

Thanks
Anja

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 10 replies
  • 2436 views
  • 10 likes
  • 4 in conversation