
SAS Viya 4 + AWS S3 Access Grants: Enabling Granular, Identity-Aware Access to S3 Data

Started 03-18-2026
Modified 03-19-2026

Executive Summary

Modern data platforms built on SAS Viya 4 and Amazon Web Services often struggle with a key gap: data access is controlled at the system level, not at the individual user level. This creates challenges around fine-grained permissions, auditability, and alignment with enterprise identity systems.

This blog addresses that gap by introducing a modern approach using AWS IAM Identity Center, Trusted Identity Propagation, and S3 Access Grants to enable true user-level governance for data stored in Amazon S3.

With this model, organizations can enforce precise access controls, ensure every data interaction is tied to a real user identity, and significantly improve security and compliance. It also simplifies access management by aligning cloud permissions with existing enterprise identity frameworks.

In the sections that follow, we’ll break down the limitations of traditional approaches, explore how this new architecture works, and show how it transforms data access into a more secure, scalable, and user-aware experience.

Introduction

As enterprises accelerate their move to cloud-native data platforms, expectations around data access have changed dramatically. Modern analytics users no longer want coarse, platform-wide permissions. Instead, they expect granular, auditable, and identity-aware access, the same standards applied to applications, databases, and enterprise SaaS platforms.

SAS Viya 4, when deployed on Amazon EKS, has traditionally accessed Amazon S3 using IAM Roles for Service Accounts (IRSA). IRSA is sound infrastructure-level security, but the principal it produces is the pod's IAM role: AWS never learns which person is behind a request, so it can neither enforce nor record user-level decisions. Two AWS capabilities, IAM Identity Center trusted identity propagation and Amazon S3 Access Grants, address exactly this gap.

Together, these capabilities allow permissions to be defined centrally and applied directly to S3, granting access to Identity Center users and groups (synced from the corporate directory) rather than only to IAM roles. Trusted Identity Propagation carries the end-user identity into the AWS role session so that AWS services can act on it, while S3 Access Grants centralizes the mapping of users and groups to S3 locations and vends credentials scoped to that mapping, eliminating the need for applications to implement and manage authorization logic themselves.

In this blog, we explore how combining these AWS capabilities with SAS Viya 4’s native DuckDB-based open data access enables a new paradigm: fine-grained, identity-aware, and auditable access to Amazon S3 data at the individual user level.

 

The Traditional Model: Secure, but Not User-Aware

In a typical SAS Viya deployment on Amazon EKS, access to S3 is managed using IRSA. A Kubernetes service account is annotated with an IAM role ARN, the pod receives a projected service-account token, and the AWS SDK exchanges that token for role credentials with AssumeRoleWithWebIdentity. The role is granted permissions to specific S3 buckets, and any application running in a pod that uses the service account automatically inherits those permissions.

From an infrastructure standpoint, this model is clean and secure. However, from a data governance perspective, several challenges emerge as organizations scale their analytics platforms.

  1. No User-Level Granularity

Consider a scenario where the pod's IAM role is granted s3:GetObject on s3://data-bucket/*. With IRSA, this permission belongs to the role, and every process in every pod using that service account exercises it as the same principal.

As a result, whether the user running the query is a data scientist, analyst, or intern, everyone whose work passes through that role receives the same level of access. The only way to give two users different prefixes is to run them under different service accounts and roles, which does not scale to a shared analytics platform, and nothing in this model can look at the user's identity at all.

  2. Access Control Becomes Operationally Heavy

Changing access is not as simple as updating a user or group. Instead, it typically involves modifying IAM policies, updating roles, and validating that nothing else is impacted.

There is also a disconnect with enterprise identity systems such as Active Directory or Microsoft Entra ID. Permissions in AWS do not naturally align with how users and groups are managed within the organization, leading to duplication, complexity, and operational overhead.

  3. Limited Auditability

From a compliance and governance perspective, this limitation is significant.

When reviewing AWS CloudTrail logs, administrators see that an assumed-role session such as arn:aws:sts::<account>:assumed-role/<role>/<session-name> accessed a specific S3 object. The session name is whatever the SDK or pod configuration chose, so the log identifies the workload, never the person who initiated the request.

When asked,
“Who accessed this dataset last week?”

The answer is often:
“We know the system did, but not the person.”

Open Data Access Changes the Stakes

With the introduction of SAS Access to DuckDB, SAS Viya’s data capabilities have expanded significantly. Viya can now query data directly from object storage platforms such as Amazon S3, Azure Data Lake Storage, and Google Cloud Storage, and natively read modern open formats including Parquet, Iceberg, and CSV.

This shift enables modern, decoupled data lake architectures, where more users interact directly with raw data in object storage. As a result, the need for the following becomes critical:

  • Fine-grained access control
  • Strong auditability
  • Centralized identity enforcement

 

The Modern AWS Approach: Identity Propagation and Access Grants

To address these challenges, AWS introduced a new access pattern built around identity-aware authorization.

At the core of this approach are:

  • AWS IAM Identity Center as the workforce identity source (users and groups synced from the corporate directory) and the issuer of the user identity context that trusted identity propagation carries through AWS
  • Amazon S3 Access Grants for fine-grained authorization of those users and groups to S3 locations

The fundamental principle is simple yet powerful:
Access decisions should be based on the user, not the infrastructure.

 

Understanding Trusted Identity Propagation

The application still runs under an IAM role, but the role session it uses for S3 now carries the authenticated user's identity, and AWS authorizes and logs against that identity rather than against the role alone.

Concretely, the flow is:

  • A user logs into SAS Viya using single sign-on against the corporate identity provider, which is also connected to IAM Identity Center
  • The application exchanges the identity provider's token for an IAM Identity Center token that carries the user's identity context
  • The application assumes its IAM role with that identity context attached, producing an identity-enhanced role session (the role's trust policy has to permit sts:SetContext)
  • With that session it calls S3 Access Grants (GetDataAccess), which returns temporary credentials scoped to the grant that covers the requested bucket or prefix, or AccessDenied if no grant covers it
  • S3 requests made with those credentials are authorized against the user's grants and recorded in CloudTrail with the Identity Center user attached

This is what enables true user-aware access control.

 

What S3 Access Grants Brings to the Table

S3 Access Grants lets organizations define S3 permissions in a far more granular and intuitive manner, and without writing bucket policies.

An Access Grants instance (one per account and region) holds registered locations, which are buckets or prefixes, and grants. Each grant names a grantee, a location with an optional sub-prefix, and a permission of READ, WRITE or READWRITE. Grantees can be IAM Identity Center users or groups when the instance is associated with an Identity Center instance, or IAM principals. Scope runs from an entire bucket down to a specific prefix or object; the model stops at the object level, so row- or column-level filtering still has to come from the engine reading the data.

This replaces traditional broad role-based access with a model that is significantly more precise and manageable. Instead of granting a role blanket access, each user sees only the prefixes they are explicitly authorized to access, and the temporary credentials vended for a request are scoped to the matching grant rather than to everything the role could reach.
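To make the grant model concrete, here is an added Python model of how a GetDataAccess request is matched against grants. It is an illustration, not the AWS implementation and not code from the post: the Grant fields mirror a real grant (grantee, permission, location, sub-prefix), the group membership table and the grants are constructed sample data, and the matching rule is the documented one in simplified form, with ties broken in favour of the most specific scope.

```python
"""Simplified, offline model of the S3 Access Grants authorization rule.

Added illustration, not AWS code. GROUPS and GRANTS are constructed sample
data. Rule modelled: a request succeeds when the caller, directly or through
one of their Identity Center groups, holds a grant whose scope covers the
requested target with a permission that includes the requested one.
"""
from dataclasses import dataclass
from typing import Optional

# Which requested permissions each grant permission can satisfy.
SATISFIES = {
    "READ": {"READ"},
    "WRITE": {"WRITE"},
    "READWRITE": {"READ", "WRITE", "READWRITE"},
}


@dataclass(frozen=True)
class Grant:
    grantee: str         # "user:<name>" / "group:<name>" (Identity Center) or an IAM principal ARN
    permission: str      # READ | WRITE | READWRITE
    location: str        # registered location, e.g. "s3://data-bucket/"
    subprefix: str = ""  # optional narrowing inside the location, e.g. "finance/*"

    @property
    def scope(self) -> str:
        """Full S3 path the grant covers, e.g. s3://data-bucket/finance/*"""
        return self.location.rstrip("/") + "/" + self.subprefix


def scope_covers(scope: str, target: str) -> bool:
    """A scope ending in '*' covers every key under its prefix, a scope ending in
    '/' is a bucket or prefix and covers everything beneath it, and anything else
    is a single object that must match exactly."""
    if scope.endswith("*"):
        return target.startswith(scope[:-1])
    if scope.endswith("/"):
        return target.startswith(scope)
    return target == scope


def evaluate(grants, membership, user, target, permission) -> Optional[Grant]:
    """Return the most specific grant that lets `user` perform `permission` on
    `target` (what GetDataAccess reports as MatchedGrantTarget), or None, in
    which case the real service answers AccessDenied."""
    grantees = {f"user:{user}"} | {f"group:{g}" for g in membership.get(user, ())}
    matches = [
        g for g in grants
        if g.grantee in grantees
        and permission in SATISFIES[g.permission]
        and scope_covers(g.scope, target)
    ]
    return max(matches, key=lambda g: len(g.scope), default=None)


# Constructed sample data: two departments sharing one bucket.
GROUPS = {"alice": {"finance"}, "bob": {"hr"}}
GRANTS = [
    Grant("group:finance", "READ", "s3://data-bucket/", "finance/*"),
    Grant("user:alice", "READWRITE", "s3://data-bucket/", "finance/forecasts/*"),
    Grant("group:hr", "READ", "s3://data-bucket/", "hr/*"),
]


def check(user: str, target: str, permission: str = "READ") -> Optional[str]:
    """Evaluate against the sample data; returns the matched scope or None."""
    g = evaluate(GRANTS, GROUPS, user, target, permission)
    return g.scope if g else None


if __name__ == "__main__":
    for user, target, perm in [
        ("alice", "s3://data-bucket/finance/q1/*", "READ"),
        ("alice", "s3://data-bucket/finance/q1/*", "WRITE"),
        ("alice", "s3://data-bucket/finance/forecasts/2026.parquet", "WRITE"),
        ("bob", "s3://data-bucket/finance/*", "READ"),
        ("bob", "s3://data-bucket/hr/*", "READ"),
    ]:
        print(f"{user:6} {perm:5} {target:48} -> {check(user, target, perm)}")
```

Two things the run makes visible: bob's READ on the finance prefix is refused even though he and alice share the bucket, which is the multi-tenant isolation the later use-case section relies on, and alice's WRITE is accepted only under the narrower forecasts grant, never under the group's READ grant.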

 

Applying This Architecture to SAS Viya 4

By integrating SAS Viya with IAM Identity Center, Trusted Identity Propagation, and S3 Access Grants, it becomes possible to enable true user-level data governance for SAS workloads on AWS.

When a user logs into SAS Viya through single sign-on, their enterprise identity is preserved as queries are executed against S3. AWS evaluates each request using that identity and enforces the appropriate access grants.

The AWS prerequisites are the ones trusted identity propagation always has: SAS Viya is registered as an application in IAM Identity Center that may exchange the corporate identity provider's tokens (a customer managed application with a trusted token issuer for that provider), the S3 Access Grants instance is associated with the Identity Center instance, and the IAM role Viya uses is allowed to call s3:GetDataAccess and has a trust policy that permits sts:SetContext so the user context can be attached to the role session.

The result is a system where data access is no longer role-based and opaque, but identity-driven and transparent.

This architecture allows SAS Viya to enforce user-level data access policies, provide secure and governed access to object storage, and support fine-grained controls at both the bucket and prefix (folder) level. Just as importantly, every access is auditable and tied back to an individual user, because CloudTrail records the Identity Center user alongside the role session.
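The exchange described in this section and in the Trusted Identity Propagation section above, as an added Python example; it is not SAS Viya code and not an AWS sample. The three API calls use the boto3 parameter names documented for sso-oidc CreateTokenWithIAM, sts AssumeRole with ProvidedContexts and s3control GetDataAccess; the account id, role ARN, application client id, bucket and user are placeholders, and the Fake* clients are constructed stand-ins so the flow runs offline. For a real run, pass boto3.client("sso-oidc"), boto3.client("sts") and a factory that builds an s3control client from the identity-enhanced credentials it is given.

```python
"""Trusted identity propagation into S3 Access Grants, as an application performs it.

Added example; not SAS Viya code and not an AWS sample. Call shapes follow the
boto3 API reference; ARNs, account id, client id and bucket are placeholders;
the Fake* classes are constructed stand-ins for offline use.
"""
import base64
import json

IDC_CONTEXT_PROVIDER = "arn:aws:iam::aws:contextProvider/IdentityCenter"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def jwt_claims(token: str) -> dict:
    """Read a JWT payload without checking the signature. The Identity Center token
    arrives straight from the sso-oidc endpoint over TLS, and STS validates the
    identity context again when it is presented, so the app only reads the claim."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def propagate_and_vend(sso_oidc, sts, make_s3control, *, client_id, idp_token,
                       role_arn, account_id, target, permission="READ"):
    """Return (identity_context, credentials scoped to the matched grant, matched grant)."""
    # 1. Exchange the corporate IdP's ID token (JWT bearer grant) for an Identity
    #    Center token; its idToken carries the sts:identity_context claim.
    tok = sso_oidc.create_token_with_iam(clientId=client_id, grantType=JWT_BEARER,
                                        assertion=idp_token)
    identity_context = jwt_claims(tok["idToken"])["sts:identity_context"]

    # 2. Assume the application's IAM role with that context attached. The role's
    #    trust policy must allow sts:SetContext or this call is refused.
    enhanced = sts.assume_role(
        RoleArn=role_arn, RoleSessionName="sas-viya-user-query",
        ProvidedContexts=[{"ProviderArn": IDC_CONTEXT_PROVIDER,
                           "ContextAssertion": identity_context}],
    )["Credentials"]

    # 3. Using the identity-enhanced session, ask S3 Access Grants for credentials
    #    scoped to the grant that covers `target`. Privilege="Minimal" narrows them
    #    to the target rather than the whole grant; no matching grant -> AccessDenied.
    vended = make_s3control(enhanced).get_data_access(
        AccountId=account_id, Target=target, Permission=permission, Privilege="Minimal")
    return identity_context, vended["Credentials"], vended["MatchedGrantTarget"]


# ---- constructed stand-ins so the flow can run offline ----------------------------
def unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT (header.payload.sig) for the stand-ins; test data only."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


class FakeSsoOidc:
    def create_token_with_iam(self, **kw):
        user = jwt_claims(kw["assertion"])["email"]  # who the IdP says is logged in
        return {"idToken": unsigned_jwt({"sts:identity_context": f"ctx:{user}"})}


class FakeSts:
    def assume_role(self, **kw):
        ctx = kw.get("ProvidedContexts", [{}])[0].get("ContextAssertion", "")
        return {"Credentials": {"AccessKeyId": "ASIAENHANCED", "SecretAccessKey": "s",
                                "SessionToken": f"identity-enhanced:{ctx}"}}


class FakeS3Control:
    def __init__(self, creds):
        self.creds = creds

    def get_data_access(self, **kw):
        # A role session without a user identity gets nothing, mirroring AccessDenied.
        if not self.creds["SessionToken"].startswith("identity-enhanced:ctx:"):
            raise PermissionError("AccessDenied: no user identity in the session")
        return {"Credentials": {"AccessKeyId": "ASIAVENDED", "SecretAccessKey": "s",
                                "SessionToken": "scoped-to:" + kw["Target"]},
                "MatchedGrantTarget": kw["Target"]}


def demo(user_email="alice@example.com", target="s3://data-bucket/finance/*"):
    """Run the flow against the stand-ins; returns (identity_context, creds, matched)."""
    return propagate_and_vend(
        FakeSsoOidc(), FakeSts(), FakeS3Control,
        client_id="arn:aws:sso::111122223333:application/ssoins-example/apl-example",
        idp_token=unsigned_jwt({"email": user_email}),
        role_arn="arn:aws:iam::111122223333:role/ViyaDataAccessRole",
        account_id="111122223333", target=target)


if __name__ == "__main__":
    ctx, creds, matched = demo()
    print("identity context:", ctx)
    print("matched grant:   ", matched)
    print("vended token:    ", creds["SessionToken"])
```

The point to take from the stand-ins is the ordering: the user context is attached at AssumeRole time, before GetDataAccess is called, and the credentials that finally touch S3 are the vended ones, not the role's. The stand-in S3Control also refuses a session with no identity context, which is the behaviour you want to test for when wiring this up, since a plain IRSA session is otherwise indistinguishable from the identity-enhanced one to the calling code.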

The figure below provides an architectural overview of this approach.

 

[Figure: architectural overview of SAS Viya 4 with IAM Identity Center, trusted identity propagation and S3 Access Grants (S3-Grants-S3-10drawio.png)]

Real-World Business Use Cases

This capability unlocks several high-value use cases that align naturally with SAS Viya environments.

In self-service analytics scenarios, business users can access only the datasets they are authorized to use, without exposing entire S3 buckets. Platform teams no longer need to over-provision access to maintain productivity.

In multi-tenant platforms, different departments or customers can securely share the same S3 environment while maintaining strict isolation. Policies are enforced centrally, without duplicating infrastructure.

From a governance and compliance perspective, fine-grained access controls help protect sensitive datasets and meet regulatory requirements.

Most importantly, audit trails become meaningful. Every access is tied to a real user identity, improving traceability and accountability.
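Here is what "meaningful audit trail" looks like in practice, as an added Python example that answers the question from the Limited Auditability section above ("Who accessed this dataset last week?") over CloudTrail S3 data events. It is not part of the original post. The events are constructed but follow the CloudTrail field layout: the first is what a plain IRSA role session produces, the other two carry the onBehalfOf element that CloudTrail records when the session came through trusted identity propagation. USER_DIRECTORY stands in for an identitystore:DescribeUser lookup, and the account, role and identity-store identifiers are placeholders.

```python
"""Answering "who accessed this dataset last week?" from CloudTrail S3 data events.

Added example, not part of the original post. SAMPLE_EVENTS and USER_DIRECTORY
are constructed; ARNs and ids are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ViyaDataAccessRole/sas-viya-user-query"
ID_STORE = "arn:aws:identitystore::111122223333:identitystore/d-9067abcdef"

# Constructed sample log lines, one JSON event per line.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventTime": "2026-03-10T09:12:44Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ViyaIrsaRole/botocore-session-1741597964"},
     "requestParameters": {"bucketName": "data-bucket", "key": "finance/q1/sales.parquet"}},
    {"eventTime": "2026-03-12T14:03:10Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "onBehalfOf": {"userId": "90670d2c-a0b1-7012-8b1d-4e9d3b4a5c6f",
                                     "identityStoreArn": ID_STORE}},
     "requestParameters": {"bucketName": "data-bucket", "key": "finance/q1/sales.parquet"}},
    {"eventTime": "2026-03-13T08:45:01Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "onBehalfOf": {"userId": "a1b2c3d4-e5f6-7012-8b1d-000000000001",
                                     "identityStoreArn": ID_STORE}},
     "requestParameters": {"bucketName": "data-bucket", "key": "hr/salaries.parquet"}},
)]

# Stand-in for resolving Identity Center user ids to names (identitystore:DescribeUser).
USER_DIRECTORY = {"90670d2c-a0b1-7012-8b1d-4e9d3b4a5c6f": "alice@example.com",
                  "a1b2c3d4-e5f6-7012-8b1d-000000000001": "bob@example.com"}


def parse_time(stamp: str) -> datetime:
    """CloudTrail eventTime is UTC in the form 2026-03-12T14:03:10Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(event: dict) -> str:
    """The person behind a request when CloudTrail recorded one; otherwise only the
    role name is known, which is exactly the IRSA limitation."""
    ident = event["userIdentity"]
    obo = ident.get("onBehalfOf")
    if obo:
        return USER_DIRECTORY.get(obo["userId"], obo["userId"])
    return "role-only:" + ident["arn"].split("/")[1]


def accesses(event_lines, prefix: str, since: str, until: str):
    """S3 data events touching `prefix` within [since, until], as
    (eventTime, who, action, object) tuples in log order."""
    lo, hi = parse_time(since), parse_time(until)
    rows = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        rp = ev.get("requestParameters") or {}
        obj = f"s3://{rp.get('bucketName', '')}/{rp.get('key', '')}"
        if not obj.startswith(prefix):
            continue
        if lo <= parse_time(ev["eventTime"]) <= hi:
            rows.append((ev["eventTime"], actor(ev), ev["eventName"], obj))
    return rows


def who_accessed(event_lines, prefix: str, until: str, days: int = 7):
    """Distinct actors seen under `prefix` in the `days` before `until`."""
    since = (parse_time(until) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return sorted({row[1] for row in accesses(event_lines, prefix, since, until)})


if __name__ == "__main__":
    end = "2026-03-16T00:00:00Z"
    for row in accesses(SAMPLE_EVENTS, "s3://data-bucket/finance/", "2026-03-09T00:00:00Z", end):
        print(*row)
    print(who_accessed(SAMPLE_EVENTS, "s3://data-bucket/finance/", end))
```

Run against the sample, the finance prefix returns one "role-only:ViyaIrsaRole" row and one "alice@example.com" row for the same object. The first is the answer the traditional model gives; the second is the answer this architecture gives. A detection or compliance query should treat the absence of onBehalfOf on a Viya-originated S3 event as a finding in its own right, since it means a path around the identity-propagated flow is still in use.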

 

 

The figure below shows a sample use case.

[Figure: sample use case (grants.jpg)]

Bringing It All Together

This modern architecture establishes a clean separation of responsibilities.

SAS Viya focuses on analytics and data processing. IAM Identity Center holds the user and group identities synced from the corporate directory and propagates them into the AWS role session. S3 Access Grants holds the mapping of those users and groups to S3 locations and enforces it on every request, vending credentials scoped to the matching grant.

The result is a system that is not only secure and scalable, but also aligned with how organizations manage users and data today.

Conclusion

The shift from role-based access using IRSA to identity-based access using Trusted Identity Propagation and S3 Access Grants represents a significant step forward.

As organizations adopt open data lake architectures and self-service analytics, the need for user-aware governance will only increase.

By aligning SAS Viya 4 with modern AWS access control mechanisms, organizations can build data platforms that are both powerful and secure, without compromising usability or governance.

In simple terms, this approach:

  • Strengthens security and governance
  • Enables fine-grained, user-level access control
  • Aligns with modern data architectures
  • Supports enterprise-grade SSO and auditability

And most importantly, it finally answers the question:

“Who accessed what data, and when?”
