I would prefer your solution 2.

I will always try to set the security on as high a folder level as possible and since solution 2 only requires you to set it on the DWH_confident folder.

Another variation might be this:

DWH

  -subject1

     - data

     - jobs 

  -subject2

     - data

     - jobs 

  -subject3

     - data

     - jobs 

  -confident_subject1

     - data

     - jobs 

  -confident_subject2

     - data

     - jobs 

Then security would be DI Developers on the DWH folder and on the confident_subjectX folders.

I still like the solution 2 the best.

Solution 2 is nice, as long as you know that:

1. you will always want all developers to be able to see all of the DWH data.
2. you will always want the same subset of developers to be able to view all of the DWH_confident data

So solution 2 would break down if you add a third confidential subject, and it's you want a different subset of developers to be able to see that data than can see confidential subject1.

If the number of subjects is low, I tend to use:

DWH

  -subject1

     - data

     - jobs 

  -subject2

     - data

     - jobs 

  -subject3

     - data

     - jobs 

  -confident_subject1

     - data

     - jobs 

  -confident_subject2

     - data

     - jobs

That way all of the subjects can inherit security from the DWH folder, and each subject can impose stricter security. The cost is that each time you create a new confidential subject, you need to specify the group(s) that can see it rather than rely on the inherited security.

Hi @ANLYNG 

We use a structure, where we rely on heritance from the top level, and it works very well. We never need to set individual permissions on any object apart from defining and setting a new Protected-AD group on a new subject in the protected area. All Protected-AD groups contain an Administrator group together with individual members or Organizational groups, and all group maintenance is done i AD by the user Administration Department and updated i SAS in daily batch.

The logical structure is mirrored in the physical data structure, where we use inheritance as well, and the maintenance is limited to setting the new AD group on a new subject folder in the protected area.

The protected area (SAS Data Beskyt) is separate from the unprotected (SAS Data Integration Studio Custom Tree) area at root level.

Note: Beskyt means protect in danish.

Basically we work with 3 main levels in the data warehouse: Staging, Data Warehouse and Data Mart.

The organization is different in the protected and the unprotected area, because of the need for inheritance in the protected area:

The protected area is organized as Subject - DWH Level - Data/Jobs.

The unprotected area  is organized as DWH Level - Subject - Data/Jobs.

So in principle, the structure is as follows:

Example of a structure in the protected area:

This may not be specific enough for what you are trying to achieve but i think it's worth mentioning in the grand discussion of authorization.

There are some useful materials which talk about this subject. See:

SUGA presentation SAS® Security Design Best Practices, Validation and Monitoring: 

https://communities.sas.com/kntur85557/attachments/kntur85557/library/2413/1/SEP2017SUGA-Presentatio...

Five papers on Recommended SAS 9.4 Security Model Design:

https://communities.sas.com/t5/SAS-Communities-Library/Five-papers-on-Recommended-SAS-9-4-Security-M...

https://communities.sas.com/t5/SAS-Communities-Library/Five-papers-on-Recommended-SAS-9-4-Security-M...

Thanks @SimonWilliams for mentioning @angieh and my SUGA presentation.

@ANLYNG you may also want to look at Angie's 2017 SAS Global Forum paper (and supporting document) , "Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design", that goes into more detail

https://communities.sas.com/t5/SAS-Global-Forum-2017/If-you-are-interested-in-SAS-Metadata-Security-...

Kind Regards,

Michelle

Just a suggestion from experience and practical customer applications.  Data usually lives longer than a project or could cross many projects/departments.  I usually separate my data libraries away from any projects or departments and then assign the security as interest in the data grows (morphs).  I document who the owns the data such as using the description to put in business owner name for the folder or library for a quick reference so that I can contact them for approval grants of access of the data and for auditing.   If you move the data under projects or departments, you run the risk of lots of duplicate data, stale data and inaccurate reporting, and hard to manage security as well.  I just try to think of each data library as like a datamart and treat it as such.

- Data

  - library

  - library2

  -etc

projects (cross dept)

  -project

  -project2

department (only)

    - branch or group

    - branch 

        - project

        - project2