Previously, I wrote about the case for content and data administrator groups in your SAS platform. Members of these groups are not full SAS Administrators, and have less (li-)ability to mess up the configuration and stability of your SAS deployment, but you still want to allow them to do their jobs.

One of the key parts of their job is usually managing global libraries. In SAS 9, it is established good practice to apply ACTs featuring the content or data administrator group to the folder containing the library and tables, so that the members of the group get WriteMetadata on the libraries and tables, and of course other permissions too.

In the SAS Viya world, specifically in CAS, you need to give the group the ability to manage global caslibs. Here's how.

In CAS, the ability to manage global CAS libraries is controlled by the ManageAccess permission on an imaginary global caslib called '_GLOBAL'. Users who have been granted the ManageAccess permission on _GLOBAL can create and delete global CAS libraries, users who haven't cannot.

_GLOBAL is not a real caslib. It doesn't have any tables. It exists only as a figment of the permissions system's imagination, for the sole purpose of managing who can and cannot create and delete global caslibs. The documentation describes _GLOBAL as 'construct that represents all global caslibs'.

Unlike real global casibs, granting someone ManageAccess on it does not give them any ability to grant other people access to it. You must be a CAS administrator (i.e. superuser) or a CAS Data administrator to grant a user or a group ManageAccess on it.

So, how to you grant someone - or far better, some group - the this ability? There are many ways, which is nice because you can pick the one which suits you best.

As mentioned above, for those who like to manage a deployment using scripts, the documentation gives code examples in CASL, LUA, Python and R. Here's the CASL version. You will need to be a CAS or Data administrator for this to work:

accessControl.updSomeAcsCaslib /
   acs={
      {caslib="_GLOBAL",
       identity="groupA",
       identitytype="group",
       permission="manageaccess",
       permType="grant"}};

Look at the doc for the examples in the other languages. Personally, I really like the new admin command line interface available in Viya 3.3. Once you have initialized a profile, and authenticated, it lets you do the same thing like this - here in the context of a shell session, complete with prompts and command output:

[sasadm@intviya01 ~]# clidir=/opt/sas/viya/home/bin
[sasadm@intviya01 ~]# $clidir/sas-admin cas caslibs add-control  \
    --server cas-shared-default --caslib _GLOBAL \
    --group GroupA --grant manageAccess --superuser

The requested permission, "manageAccess", and type, "grant", was
applied to the identity, "GroupA" on the caslib "_GLOBAL".

[sasadm@intviya01 ~]#

Prefer a visual interface? You can also grant this ability to a group in SAS Environment Manager. Again, you must be logged in as a CAS superuser or a Data administrator. Go to the Data page. Choose the Servers view, right-click a CAS server (e.g. 'cas-shared-default'), and assume the Superuser role. Then, right-click the CAS server again, choose Properties and expand Caslib Management Privileges. Edit the list of principals allowed to manage global caslibs by clicking the icon circled in red. You won't be able to edit the list unless you have assumed the Superuser role for this CAS server:

Or, if you like you can do it in CAS Server Monitor, again, signed in as a CAS or Data administrator. On the Configuration page, choose the Access Controls tab, and find Global Caslib Creation in the list of CAS libraries on the left hand side:

As you can see, it's very easy to delegate the ability to manage global CAS libraries to groups (or users if you must) who don't have to be a full SAS or CAS administrator.