Architecting, installing and maintaining your SAS environment

provide permission to user to display only IMap which is based on Cubes, both are in same folder

Accepted Solution Solved
Reply
Contributor
Posts: 27
Accepted Solution

provide permission to user to display only IMap which is based on Cubes, both are in same folder

 

I have a folder that contents are Cubes, Jobs and Information Map. Information Map is based on OLAP Cubes. We require the provide the permission to client user to display only Information Map Icons, and they can also access information (not the OLAP Cube icons).
 
When I am deny the readmetadata permission to user of Cubes then user cann't able to see the Cubes icons, but Information Map icon can see. But major problem is in this case user can not able to fetch the data from information map.
 
DI Contenets:
 
Inline image 1
 
Presenet Access:
Inline image 2
 
 
Requirement :
Inline image 3

Accepted Solutions
Solution
‎08-10-2016 12:58 AM
SAS Super FREQ
Posts: 480

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Hello, Aneeket:

 

I think that there might be some confusion between permissions and roles.

 

Permissions control access to the data such as cubes.

Users need permission to access the cube data in order to view the report. At the following link, you will find a table that explains the metadata permissions that the users need. For maps and cubes, the users need ReadMetadata and Read, as well as ReadMetadata on the report, parent folder, and repository.

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n0bxpw0fyk4srkn1xp...

 

Roles control access to application features.

Users do not need the ability to open a cube directly in Web Report Studio in order to access data in a cube. To stop them from opening the cubes directly, you put them in a role with Direct Access to Cubes disabled. For example, say that your users are members of the Web Report Studio: Report Viewing role, and this role does not have Direct Access to Cubes enabled. But, then, say that the SASUSERS group is a member of the Web Report Studio Advanced role and that role does have the Direct Access to Cubes enabled. Your users will be able to open cubes directly in Web Report Studio because they are members of the SASUSERS group. To resolve this, you must ensure that the users are not members of any group that is assigned to a role with the Direct Access to Cubes enabled.

 

To summarize:

  • To ensure that users have access to the data in the cube, grant them ReadMetadata and Read on the map and the cube, and also grant them ReadMetadata on the report, parent folder, and repository.
  • To prevent users from seeing the cube 'icons' in folders in Web Report Studio, make sure that they are not members of any role that has the Direct Access to Cubes enabled. This means checking their group memberships because they can inherit the capability from a group such as SASUSERS.

View solution in original post


All Replies
Super User
Posts: 5,424

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

I can't open the pictures, at least from my mobile browser.

What is the reason for not provide access to the cubes?
If it is for the convenience for the user, perhaps you could just move the cubes to another folder?
You could probably bypass the inherited authorization some way, but is it really worth it? The users clearly have the right to see the data....

What client user tools are in use?
Data never sleeps
Contributor
Posts: 27

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Thank you Linush for your response; using the SAS WRS. I have already moved to Imap in different folder, but I am getting same error, not able to fetch the data.

 


DI.jpgWRS_ Admin User.jpgWRS_ Client User login.png
SAS Super FREQ
Posts: 480

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

[ Edited ]

If your goal is to prevent SAS Web Report Studio users from opening cubes directly in SAS Web Report Studio, then you can control that access via a SAS Web Report Studio role. Simply add the users as members of a role that does not have the "Allow Direct Access to Cubes" capability enabled.

 

The users must still have permissions to access the cube data.


cube_access.jpg
Contributor
Posts: 27

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Posted in reply to Madelyn_SAS

Dear Madelyn_SAS, thanks for your response, already had uncheck box the 'Allow Direct Access to Cubes'.

SAS Super FREQ
Posts: 480

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

If you have unchecked the Allow Direct Access to Cubes but your users can still see cubes when navigating in Web Report Studio, then the most likely reason is that either the PUBLIC or SASUSERS group is a member of a Web Report Studio role that has the Allow Direct Access to Cubes enabled. I would suggest checking memberships of the other roles.

SAS Super FREQ
Posts: 299

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

The behavior you describe could also be caused by conflicting permissions.
You mentioned that you already moved data to different folders. If groups applied to folders would include the same users yet with different permissions, you'll have a conflict.
(Just an example).

Metacoda provides some fantastic features that allow you to see which permissions are applied on which objects.
Maybe this could help in evaluating the permission settings.

Also, as Madelyn mentioned, checking how the implicit groups SASUSERS and PUBLIC are used is key.

Did you modify any of the default roles, such as modifying capabilities?

What SAS version are you using?
Contributor
Posts: 27

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Hi Anja, thanks for your response, I am using SAS9.3. SASUSERS and PUBLIC have bydefault permission. But I am facing sam problem.

Solution
‎08-10-2016 12:58 AM
SAS Super FREQ
Posts: 480

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Hello, Aneeket:

 

I think that there might be some confusion between permissions and roles.

 

Permissions control access to the data such as cubes.

Users need permission to access the cube data in order to view the report. At the following link, you will find a table that explains the metadata permissions that the users need. For maps and cubes, the users need ReadMetadata and Read, as well as ReadMetadata on the report, parent folder, and repository.

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n0bxpw0fyk4srkn1xp...

 

Roles control access to application features.

Users do not need the ability to open a cube directly in Web Report Studio in order to access data in a cube. To stop them from opening the cubes directly, you put them in a role with Direct Access to Cubes disabled. For example, say that your users are members of the Web Report Studio: Report Viewing role, and this role does not have Direct Access to Cubes enabled. But, then, say that the SASUSERS group is a member of the Web Report Studio Advanced role and that role does have the Direct Access to Cubes enabled. Your users will be able to open cubes directly in Web Report Studio because they are members of the SASUSERS group. To resolve this, you must ensure that the users are not members of any group that is assigned to a role with the Direct Access to Cubes enabled.

 

To summarize:

  • To ensure that users have access to the data in the cube, grant them ReadMetadata and Read on the map and the cube, and also grant them ReadMetadata on the report, parent folder, and repository.
  • To prevent users from seeing the cube 'icons' in folders in Web Report Studio, make sure that they are not members of any role that has the Direct Access to Cubes enabled. This means checking their group memberships because they can inherit the capability from a group such as SASUSERS.
Contributor
Posts: 27

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Posted in reply to Madelyn_SAS

Thank you very much Madelyn_SAS. I got solution, I am thankful for you. Everything was ok but SASUSERS group have the access of SAS WRS have  Direct Access to Cubes enabled. Now SASUSER have not permission of SAS WRS access and its working fine. 

SAS Super FREQ
Posts: 299

Re: provide permission to user to display only IMap which is based on Cubes, both are in same folder

Hi,

Did you make any changes in
SAS Management Console, Authorization Manager, Resource Managements, Location ... <server> <OLAP schema>?

To make sure I understand you correctly:
Your users have to access info maps but are not allowed to access cubes? Are we talking "seeing cubes" or "updating cubes"?

Did you make changes on SASTRUST? Has to have RM!

What error messages are you getting (if any).

Log files might give an indication of what might go wrong.

What are the current effective permissions on the folders and its content?

When you go on the Authorization tab of an object's properties, Access Control, make sure the Default ACT is the only one applied (Foundation).
Goal here is to make sure that you do not have any other ACTs applied.

All these points could effect how objects "behave", and consequently, how users can interact with it.

If the problem persists, I'd recommend to contact Tech Sup.

Thanks
Anja
☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 10 replies
  • 1090 views
  • 10 likes
  • 4 in conversation