The sas-admin cas plugin in SAS Viya 3.5 introduces a feature I've wanted for a long time: bulk addition and removal of specific CAS access controls without entirely replacing existing access controls. This may not sound exciting, but it does make code to maintain access controls smaller and faster.
If you use scripts to maintain authorization for CAS data, you'll want to start using sas-admin cas caslibs add-controls and remove-controls and their equivalent commands for CAS tables.
The table below lists the sub-commands listed in the help text output by the sas-admin cas caslibs command in a SAS Viya 3.4 and SAS Viya 3.5 deployment:
sas-admin cas caslibs command | Purpose | SAS Viya 3.4 | SAS Viya 3.5 |
add-control | Adds the specified direct access control to the requested caslib. | • | • |
add-controls | Adds the direct access controls in the specified source file to the requested caslib. | • | |
clear-controls | Deletes all of the direct access controls for the specified caslib. | • | • |
create | Adds caslibs. | • | • |
delete | Deletes the specified caslib. | • | • |
help, h | Shows a list of commands or help for one command. | • | • |
list | Lists all caslibs in a specified CAS server or all caslibs in the system. | • | • |
list-controls | Provides access information for the specified caslib. | • | • |
remove-control | Deletes the specified direct access control. | • | • |
remove-controls | Deletes the direct access controls in the specified source file from the requested caslib. | • | |
replace-controls | Replaces the direct access controls on the specified caslib. | • | • |
show-info | Shows information for the specified caslib. | • | • |
sources | Manages the data sources for a caslib in a CAS server. | • | • |
While we're at it, let's also compare the sub-commands listed in the help text output by the sas-admin cas tables command in a SAS Viya 3.4 and SAS Viya 3.5 deployment:
sas-admin cas tables command | Purpose | SAS Viya 3.4 | SAS Viya 3.5 |
add-control | Adds the specified access control to the requested table. | • | • |
add-controls | Adds the direct access controls in the specified source file to the requested table. | • | |
clear-controls | Deletes all of the direct access controls for the specified table. | • | • |
delete | Deletes the specified table. | • | |
help, h | Shows a list of commands or help for one command. | • | • |
import | Imports and loads a specified file into CAS as a table. | • | |
list | Lists all tables in a specified caslib or all tables in the system. To list all tables in a specified caslib, the caslib must be specified. | • | • |
list-controls | Lists the access controls for the specified table. | • | • |
load | Loads either the specified table or all of the tables in the specified CAS server and caslib. | • | • |
remove-control | Deletes the specified direct access control. | • | • |
remove-controls | Deletes the direct access controls in the specified source file from the requested table. | • | |
replace-controls | Replaces the direct access controls on the specified table. | • | • |
show-info | Shows information for the specified table. | • | • |
unload | Unloads either a specific table or all tables from the specified caslib. | • | • |
So the sas-admin cas tables command also gained add-controls and remove-controls sub-commands, as well as a couple of other useful sub-commands that are not the subject of this post: delete and import.
As a SAS Viya administrator, when you create a new CAS library (or table), one of the most common things you need to do is add multiple access controls (perhaps 12 or 13 of them!) which grant permissions to one or more groups of administrators. This enables them to see and administer the new caslib (or table) without having to assume the CAS superuser role. Assuming the CAS superuser role should be viewed a bit like becoming root or using sudo on a UNIX or Linux host: it's for special occasions only, not for basic data management work.
When you onboard a new team into an existing SAS Viya deployment, you may need to add multiple access controls (usually somewhere between 2 and 11) to one or more existing corporate caslibs (or tables), to grant the group that represents the team access to see and work with data in the existing corporate caslibs (or tables).
That's quite a bit of admin overhead to implement and document, for adding a new caslib or team to your deployment.
Before Viya 3.5, your options for doing this were:
Running the following series of 13 individual sas-admin cas caslibs add-control commands takes about 31 seconds on my low-spec test system:
# Grant all permissions on salesdl for SASAdministrators
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant ReadInfo
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Select
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant LimitedPromote
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Promote
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant CreateTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant DropTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant DeleteSource
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Insert
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Update
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant Delete
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant AlterTable
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant AlterCaslib
/opt/sas/viya/home/bin/sas-admin cas caslibs add-control --server cas-shared-default --caslib salesdl --group SASAdministrators --grant ManageAccess
It's the most tedious part of the solution scripts from the 'Securing CAS Data' section of our GEL Viya 3.4 administration workshop, and we need a LOT more than just these access controls to secure even a small workshop deployment.
But now, with sas-admin cas caslibs add-controls and remove-controls, there is a better option, documented in the SAS Viya 3.5 Administration Guide, under Security > Authorization > CAS Authorization > How To (CLI).... We can now make a JSON file like this, named e.g. controls.json (formatted here for readability - you can format your JSON however you like):
{
"items": [
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "readInfo",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "select",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "limitedPromote",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "promote",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "createTable",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "dropTable",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "deleteSource",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "insert",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "update",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "delete",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "alterTable",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "alterCaslib",
"type": "grant",
"version": 1
},
{
"identity": "SASAdministrators",
"identityType": "group",
"permission": "manageAccess",
"type": "grant",
"version": 1
}
]
}
That done, we can run this single command, which only takes 2 seconds:
sas-admin cas caslibs add-controls --server cas-shared-default --caslib salesdl --source-file controls.json
And even better, we can do the same for another caslib that also needs SAS Administrators to have full control in another 2 seconds:
sas-admin cas caslibs add-controls --server cas-shared-default --caslib hrdl --source-file controls.json
I'd never update multiple CAS access controls on the same caslib or table any other way, now. And if you need to remove these access controls (if you can add something, you should know how to remove it, if you create something you should know how to delete it), the command to do that is equally simple:
sas-admin cas caslibs remove-controls --server cas-shared-default --caslib salesdl --source-file controls.json
This prompts you to confirm you really want to continue with the operation, which is sensible as it is potentially a little bit destructive. But as my colleague @GerryNelson showed me yesterday, there is a Linux package called yes which can help with that if you want to do this non-interactively in a script:
yes y | sas-admin cas caslibs remove-controls --server cas-shared-default --caslib salesdl --source-file controls.json
I've been omitting the /opt/sas/viya/home/bin path in some of my examples above, so let's finish with an example of this from a real machine, showing that path in the command. The remove-controls command did not wait for input because the 'yes' command output piped to it took care of that:
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
Sometimes the little things can make a huge difference to our end-user experience. Well done to whoever added this feature. See you next time!
Search for more content from our group: SAS Global Enablement & Learning.
SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.