
General Authorization Essentials Part 1: Content

Started ‎04-10-2025 by
Modified ‎04-10-2025 by

In SAS Viya, there are two authorization systems: one for the Cloud Analytics Services (CAS) server and the other for the General Authorization components. The CAS authorization layer deals with access to the in-memory analytics engine and its data, while the General Authorization layer controls access to content and functionality in other parts of SAS Viya. Understanding both authorization systems will help you secure the entire SAS Viya system. This series of posts covers the essentials of securing content and controlling access to functionality, so that you will be equipped to perform one of the common SAS Viya administration tasks: securing the environment.

Links

General Authorization Essentials Part 2: Functionality

Simple general authorization patterns: https://blogs.sas.com/content/sgf/2019/10/18/simple-general-authorization-patterns/

CAS Authorization Documentation: https://documentation.sas.com/doc/en/sasadmincdc/default/calauthzcas/n00a7yg0yy97d4n1c1kgqvny3ofm.ht...

General Authorization Documentation: https://documentation.sas.com/doc/en/sasadmincdc/default/calauthzgen/p0ro419uuj1cjqn1gw2jmofmg0bn.ht...

The Rules Page: https://documentation.sas.com/doc/en/sasadmincdc/default/evfun/n1uw3er96phzpfn1pxvnf01f6sw3.htm

Authorization Overview: https://documentation.sas.com/doc/en/sasadmincdc/default/viyaov/p0i3vcgjpciz45n1of1v4vkffwbn.htm#p16...

Content in SAS Viya

SAS Viya content objects are information that you or other users save in SAS Viya. These objects can be SAS programs, reports, models, or anything else that SAS Viya users create and save within the SAS Viya folder structure. They are accessed through the SAS content interface in SAS web applications. The folders are virtual containers rather than an actual file system; the data is stored in the SAS Infrastructure Data Server. Managing who can view or modify this content is important for maintaining data integrity, confidentiality, and compliance with regulations when using SAS Viya.


Because these objects are stored in a database, there is no physical file path to locate them on disk. This is intentional: SAS Viya is designed to run on cloud-based architecture, where the file system might not be available for user access. (Note: Users can still access SAS content programmatically using the FILESRVC file access method. More information and examples here: https://go.documentation.sas.com/doc/en/pgmsascdc/default/lestmtsglobal/p0qapul7pyz9hmn0zfoefj0c278a...).

 

Objects in SAS content can be secured with permissions. But before diving into how to apply permissions, let’s go over some basics.

Principals

Principals are the identities to which access controls apply on an item of content. When someone tries to read (or change, delete, modify, move, et cetera) a piece of content, general authorization checks that this identity is allowed to perform the given action.

 

Principals refer to users, groups, or custom groups. A best practice is to assign access to groups or custom groups and then add or remove users from those groups, which makes the system easier to maintain in the future.

 

There’s also an Authenticated Users principal, which refers to all the users who can successfully sign in to SAS Viya. Access controls on objects can be applied to this principal too.

 

More information here: SAS Help Center: General Authorization: Concepts

Removing principals from SAS Content: How to remove a principal from a SAS Content folder permission

Secure by Default

The general authorization security model inherently secures SAS Viya content. By design, access that is not granted is implicitly disallowed. When a new top-level folder is created within SAS Content, only the user who created that folder has access. This means that Authenticated Users (remember, this is everyone who can log in to SAS Viya) have no access to that folder by default, and the person who created the top-level folder needs to edit its authorization and grant other principals access to the folder.

 

Authenticated Users have access to their own personal folder and the Public folder, even if they have no other group memberships.

Permissions on Objects and Containers

The permissions that can be assigned to objects in SAS Content are listed below:

 

| Permission | Affected Activity |
| --- | --- |
| Create | Create a new object |
| Read | Read an object |
| Update | Update or edit an object |
| Delete | Delete an object |
| Secure | Set permissions on an object (also required to share) |
| Add | Add a member to a container |
| Remove | Move a member out of a container |

 

When permissions are viewed in SAS Environment Manager, icons indicate effective access and where a permission is applied: a green check for authorized, a red "no" symbol for not authorized, a half-filled circle for a conditional or row-level permission, and a grey circle for an unknown permission (usually seen when a permission is removed but before the new effective access is previewed). A black diamond symbol marks an access control that is placed on the specific object being viewed. This means the permission is explicitly placed on this object, rather than inherited from somewhere above it.


By “inherited from somewhere above it”, I mean inherited from a folder that contains this object.

 

To understand access controls on folders, keep in mind that a folder has two different sets of permissions: permissions on the object itself, and a set of conveyed permissions on the container. The object permissions control whether a given principal can affect the folder itself. The container permissions become object permissions on any content stored within the folder. It is through this second set that permissions cascade down and are inherited by reports, SAS programs, and other folders stored within this one.


These permissions lend themselves to being applied in common patterns of access. You can learn more about these common patterns at this post: https://blogs.sas.com/content/sgf/2019/10/18/simple-general-authorization-patterns/

 

These patterns can be applied so that users may access a top-level folder and have different access for subfolders for different business units. These patterns can be combined to form a simple security model that can be effective in SAS Viya’s content tree.


Sharing Content

Sharing is not limited to administrators: SAS Viya users can collaborate on reports, SAS programs, and other content by sharing them with other users and groups. Prior to 2024.12, SAS Drive was where users shared content items; more information is at this link: https://communities.sas.com/t5/SAS-Communities-Library/Sharing-in-SAS-Drive-part-2/ta-p/500442

 

With SAS Drive being deprecated, this functionality has moved to the Content Page in SAS Environment Manager. Users can right-click a folder or item that they want to share and select Share. They can pick another principal to share with, and then choose which permissions to grant to that principal. They can also edit or unshare the permissions on an item that is already shared.

 

A user needs the Secure permission to share content with other users and groups. Administrators can modify sharing settings; more information is here: SAS Help Center: General Authorization: Concepts

 


Interfaces for Securing General Authorization

There are several interfaces that users and administrators can use to work with general authorization within SAS Viya. You can use the graphical user interface of SAS Environment Manager or the sas-viya command-line interface to secure SAS Content. Users can make use of the Sharing Window on the Content Page of SAS Environment Manager for simple sharing with coworkers. More advanced methods are the Rules page in SAS Environment Manager and the SAS Viya REST APIs.

 

More information here on using REST APIs for authorization: Authorization | SAS for Developers

 

Using the sas-viya command-line interface for general authorization: Updating SAS Viya general authorization permissions using the sas-viya command line

Rules Page and Content URIs

When access controls are applied to content in general authorization, a rule is created in the SAS Infrastructure Data Server to enforce those access controls. You can find a list of these rules on the Rules Page in SAS Environment Manager, or by using the authorization plug-in on the sas-viya command-line interface. The rules page is an advanced interface, and you can filter on existing rules, duplicate and modify them, or replace principals in rules. Administrators can also toggle the enforcement of a given rule on or off, which might be useful in troubleshooting access issues. See SAS Help Center: General Authorization: Troubleshooting for more information about troubleshooting using the rules page.

 

Uniform Resource Identifiers are the unique identifiers that allow rules to target a specific content object. When dealing with content, we call these Target URIs. Target URIs can be either an objectURI or a containerURI identifier. See here for more information on targeting content using URIs: SAS Help Center: General Authorization: Concepts

 


General Authorization Reminders

As a best practice, SAS documentation recommends minimizing the use of prohibit rules. Prohibit rules have absolute precedence and can even prevent SAS Administrators from accessing content. Try to apply your access controls broadly and let them filter down using conveyed container permissions. Try to apply your permissions broadly to groups as well, and add or remove members from those groups for easier maintenance in the future. Lastly, consider this your friendly reminder to perform backups before and after you make significant changes to your system.
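
The Python sketch below is an added example, not SAS code and not part of the original article. It is a simplified model of the behavior described under "Permissions on Objects and Containers" and in the reminders above: implicit deny, object rules versus conveyed container rules, group-based principals, and prohibit precedence. The folder paths, user and group names, and field names are constructed for illustration and stand in for real target URIs and rule properties.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str             # "grant" or "prohibit"
    principal: str          # user, group, or "authenticatedUsers"
    permissions: frozenset  # e.g. {"read", "update"}
    target: str             # constructed folder path standing in for a target URI
    conveyed: bool = False  # False: object rule; True: container rule for members
    enabled: bool = True    # models the enforcement toggle on the Rules page

def principals_of(user, groups):
    """The user, every group containing the user, and Authenticated Users."""
    return {user, "authenticatedUsers"} | {g for g, m in groups.items() if user in m}

def applies(rule, path):
    """Object rules hit the target only; conveyed rules hit everything below it."""
    if rule.conveyed:
        return path.startswith(rule.target.rstrip("/") + "/")
    return path == rule.target

def is_authorized(user, permission, path, rules, groups):
    who = principals_of(user, groups)
    hits = [r for r in rules
            if r.enabled and r.principal in who
            and permission in r.permissions and applies(r, path)]
    if any(r.effect == "prohibit" for r in hits):
        return False                                # prohibit has absolute precedence
    return any(r.effect == "grant" for r in hits)   # no grant: implicitly denied

# Constructed sample data (not from a real deployment).
GROUPS = {"Finance": {"ana", "sam"}, "Contractors": {"sam"}, "HR": {"raj"}}
RULES = [
    Rule("grant", "authenticatedUsers", frozenset({"read"}), "/Dept"),
    Rule("grant", "Finance", frozenset({"read", "update", "add"}), "/Dept/Finance", conveyed=True),
    Rule("prohibit", "Contractors", frozenset({"read"}), "/Dept/Finance", conveyed=True),
]

def demo():
    report = "/Dept/Finance/q1-report"
    return {
        "ana": is_authorized("ana", "read", report, RULES, GROUPS),
        "raj": is_authorized("raj", "read", report, RULES, GROUPS),
        "sam": is_authorized("sam", "read", report, RULES, GROUPS),
        "raj_top": is_authorized("raj", "read", "/Dept", RULES, GROUPS),
    }

if __name__ == "__main__":
    print(demo())
```

In this model, sam belongs to both Finance and Contractors and is denied because the prohibit rule overrides the Finance grant, which is why broad grants to groups are easier to reason about than prohibits.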

 

General authorization manages content such as folders, reports, and stored SAS programs. It also governs functionality such as access to applications, features, and services. Head to part two of this series to learn about controlling access to functionality.

 

Last update:
‎04-10-2025 06:26 AM