PhiSlogan
Obsidian | Level 7

Hello SAS community,
My objective is to restrict access for a group of users, using SAS Enterprise Guide and Management Console. So I have gotten this far and just realized that the user can actually just click on the server tab, and the user has permissions and access to files on the server...

How I restricted the user group:
[1] In Management Console

  • I created a user group and then added users/members to the group.
  • Then I clicked on the Folders tab and added the newly created user group to all folder paths, libraries and datasets that I do not want the group to access - hence I add the group to the user group list and deny all permissions.

[2] The result is what I want, and inside Enterprise Guide I see that the restricted user group will not even see the restricted directories/paths, libraries and datasets.

The only issue I have now is that the user is still able to access the Servers and has permission to write and update any files on the server... I tried adding the group on the server icon (by right-clicking the SASApp server icon and selecting Properties > Authorization and adding the user group with deny on all permissions); this denies access and permission of users on all dirs, libraries and datasets.

Accepted Solutions
Kurt_Bremser
Super User

If you want to prevent users from writing to/reading from a specific location on the server, you either have to restrict them from using the relevant code elements (impractical, as these are needed for e.g. import/export tasks), or you have to make sure that those locations are made secure on the operating system level.

Library permissions can be handled in SAS metadata, but in order to make them "stick" you need to define those libraries as "metadata bound". Otherwise executing a simple libname can always undercut the metadata, unless you also restrict permissions on the OS level (see above).

My preferred path is to use the proper permissions in the operating system. If a user does not have read/execute permissions on the directory of a library, a libname for that directory will fail, and the library will not appear in the server list.

Note that relying on third-party tools (SAS in this case) to keep your operating system safe is foolish at best. Use the tools provided by the system itself (see Maxims 14 & 15).
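
The operating-system approach described in the accepted answer, as an added example that is not part of the original posts: a POSIX shell script that classifies library directories by the access left to users outside the owner and owning group, and removes that access. It assumes a Unix/Linux SAS server; the function names, paths and group name are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten OS permissions on SAS library directories.
# Assumption: Unix/Linux host. Paths such as /sasdata/finance and the group
# "sasfinance" used in the comments are hypothetical.

# Print the "other" permission triplet of a directory, e.g. "r-x" or "---".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Classify a directory by what users outside owner and group can do with it.
#   closed   - no access at all; a libname on this path fails for them
#   writable - they can create, replace or delete members
#   readable - some read or traverse access remains
lib_dir_exposure() {
    [ -d "$1" ] || { echo "missing"; return 1; }
    case "$(other_bits "$1")" in
        ---|--T)  echo "closed" ;;
        ?w[xt])   echo "writable" ;;
        *)        echo "readable" ;;
    esac
}

# Remove all access for "other"; optionally hand the directory to a group
# (second argument, e.g. sasfinance) whose members keep read/traverse access.
lock_lib_dir() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -- "$group" "$dir" || return 1
    fi
    chmod o-rwx,g+rx -- "$dir"
}

# Print one "status path" line per directory given.
audit_lib_dirs() {
    for d in "$@"; do
        printf '%-10s %s\n' "$(lib_dir_exposure "$d")" "$d"
    done
}

# Usage: sh audit.sh /sasdata/finance /sasdata/hr
audit_lib_dirs "$@"
```

Only the mode bits are inspected here; ACLs on the directory or looser permissions on a parent directory need a separate check.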
