Let's look at the SAS Drive sharing feature in use.
This article is a continuation of Sharing in SAS Drive (part 1) and provides a more detailed look at the SAS Drive sharing feature. We'll see an illustrated story describing how it is intended to be used, and I'll give my observed answers to some questions I had about Sharing.
We'll also discuss the benefits and potential concerns that a SAS Administrator might have for sharing in SAS Drive, and how to disable re-sharing, or sharing entirely, for customers (or SAS Administrators!) who do not want to use it.
The examples which follow use a SAS Visual Analytics deployment which was built for the Administration topics in a SAS Global Enablement and Learning (GEL) Viya 3.4 Implementers Workshop. In that workshop, the hands-on environment has users and groups, a folder structure and a security model for the permissions on those folders that were designed for a fictional organisation called GELCorp.
Hamish is a member of the HR department, and he's considered a SAS Visual Analytics expert by his GELCorp colleagues. He creates an example report which he thinks will be useful to others within GELCorp, illustrating how to use a particular feature in Visual Analytics 8.3. For this example, it doesn't matter what that feature is.
His example report displays data sourced from a table in an HR-managed CAS library, which is accessible to users outside HR, but has a row-level filter applied so that users only see data for their own department of GELCorp. So, Hamish sees only HR data:
He saves it in his own personal folder, his 'My Folder', as 'Hamish's example report':
This report is not intended to be an 'official' deliverable. Its purpose is not so much to present data for interpretation, but rather to be a working example of some feature in Visual Analytics that could be useful to others.
Hazel, Hamish's colleague in HR, sees this report and encourages Hamish to share the report with everyone in HR, so that anyone who is interested in it can take a look at how it works and learn about the interesting features it uses.
Inevitably, not everyone in HR is actually interested in Hamish's report. Hugh would prefer not to see it.
The GELCorp corporate folder structure includes folders for the HR department to use, and it has folders for ad-hoc 'Analyses', 'Data plans' and 'Work in Progress' (reports being developed for publication). Because Hamish is a member of HR, the security model grants him permission to save a copy of his report into any of these folders, and he often does:
As an aside, the structure also has a 'Reports' folder for published HR reports, to which Hamish does not have write access to save or move reports. He needs a content administrator such as Alex, or the SAS Administrator, to publish - i.e. move or copy - reports into that folder for him.
Hamish decides that none of the available folders in the corporate folder structure are really the right place for a working example of some cool feature in Visual Analytics. The existing GELCorp folder structure was not designed with that use case in mind.
Hamish could ask Alex or a SAS Administrator to create and properly secure a new folder in the GELCorp folder structure for this purpose. But at that moment, he does not know whether he will ever want to share this kind of sample report with others again, or whether he will want to share it with the same group next time. Next time it might be someone in Sales who needs the example. Should he ask for a folder with a very generic name this time, just in case? Or will he ask for another folder next time? Or ask the administrator to change the permissions on the original folder if he wants to change the set of users with whom it is shared? There are formal processes for answering these questions, and they may result in the decision not to do something because it is too much effort, or too slow.
My point here is that users in real customer organisations come across perfectly valid reasons to share their work with others all the time, in ways that the corporate security model does not support, and cannot be efficiently adapted to support. In some organizations that follow a very formal way of working - usually for good reasons - this means that ad-hoc sharing is not appropriate. But in other organisations, enabling user-led, ad-hoc sharing will do more good than harm.
This is where SAS Drive is useful. Instead of saving a copy of his report in one of the 'official' GELCorp HR folders, Hamish opens SAS Drive, finds his report, and shares it with all of HR:
As you can see, Hamish has a choice of two types of permissions when he shares the report: 'Can read', or 'Can read and edit'. In this case, 'Can read' seems the better choice; he doesn't wish to allow other users to modify his report.
If a user reshares an object, he can give the recipients no greater permissions than he has been given, in other words:
Here, Hazel has shared one of her reports with Hamish, with only 'Can read' permission. When Hamish tries to share the report, the Share dialog still appears to allow him to share the report with someone else with either 'Can read' or 'Can read and edit' permissions:
However, if Hamish tries to share with 'Can read and edit' permissions, SAS Drive will not allow him to:
Sharing and resharing are globally enabled by default, in the sas.authorization configuration instance for the Authorization service. An administrator can globally disable resharing only, or sharing altogether. I return to this at the end of this post.
While sharing is globally enabled, Hamish can share his report because he saved it in his 'My Folder', and he has the secure permission on everything in his own 'My Folder':
While both sharing and resharing are globally enabled, Hamish is also able to reshare any object that has been shared with him or with a group to which he belongs.
In summary, for the Share... menu item to be enabled for an object in SAS Drive, sharing (and if relevant, resharing) have to be enabled, and either:
Now that Hamish has shared his report with HR, Hazel, Hamish's colleague in HR, can see his report in SAS Drive. She can open it and if she wishes to, save her own copy:
Hazel can see in SAS Drive who the report was shared with, by choosing the Share... menu option from the report object's menu in SAS Drive, if it is enabled. And as we discussed a few paragraphs above, she can also reshare the report with other users or groups.
Those other users or members of those groups could in turn reshare Hamish's report, and so on, creating a potential chain of shares for this report.
Here Hazel reshares Hamish's report with Sales:
Now Sasha in Sales can see Hamish's report too - and could re-share it if she wanted to. But notice that Sasha cannot see any HR data in the report, only Sales data:
This is because there is a row-level filter on the source table, limiting the data which can be seen by members of HR and Sales.
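The sharing rules described so far (the two global switches, the secure permission on an object, and the rule that a reshare cannot grant more than the resharer was given) can be modelled in a few lines. This is an added example, not SAS code and not part of the original article; every class, field and function name in it is hypothetical, and it assumes that a user with the secure permission may grant either level.

```python
# Toy model of the sharing rules this article describes. Not SAS code:
# every class, field and function name here is hypothetical.
from dataclasses import dataclass, field

LEVELS = {"read": 1, "read_edit": 2}  # 'Can read' < 'Can read and edit'

@dataclass
class Drive:
    groups: dict                      # user -> set of group names
    sharing_enabled: bool = True      # stands in for the global sharing switch
    resharing_enabled: bool = True    # stands in for the global resharing switch
    secure: set = field(default_factory=set)    # (user, obj) with secure permission
    shares: list = field(default_factory=list)  # (obj, sharer, recipient, level)

    def received_level(self, user, obj):
        """Highest level shared with the user directly or via a group."""
        ids = {user} | self.groups.get(user, set())
        return max((LEVELS[lvl] for o, _, r, lvl in self.shares
                    if o == obj and r in ids), default=0)

    def share(self, user, obj, recipient, level):
        """Record the share if the described rules allow it; return (ok, reason)."""
        if not self.sharing_enabled:
            return False, "sharing disabled"
        if (user, obj) not in self.secure:       # no secure permission: a reshare
            ceiling = self.received_level(user, obj)
            if ceiling == 0:
                return False, "no secure permission and not shared with user"
            if not self.resharing_enabled:
                return False, "resharing disabled"
            if LEVELS[level] > ceiling:
                return False, "exceeds permissions the resharer was given"
        self.shares.append((obj, user, recipient, level))
        return True, "shared"

def replay(resharing_enabled=True):
    """Constructed scenario following the Hamish / Hazel / Sales story."""
    d = Drive(groups={"Hamish": {"HR"}, "Hazel": {"HR"}, "Sasha": {"Sales"}},
              resharing_enabled=resharing_enabled)
    d.secure.add(("Hamish", "example report"))   # saved in his 'My Folder'
    return d, [
        d.share("Hamish", "example report", "HR", "read"),
        d.share("Hazel", "example report", "Sales", "read_edit"),
        d.share("Hazel", "example report", "Sales", "read"),
        d.share("Sasha", "example report", "Hugh", "read"),
    ]
```

Calling `replay(resharing_enabled=False)` shows the effect of turning resharing off: Hamish's original share still succeeds, but the chain stops at Hazel.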
In this story, Hugh (also in HR) would prefer not to see Hamish's shared report among his list of items 'Shared with me' in SAS Drive. Perhaps one person has shared something with Hugh that he would like to see, and 100 other people have each shared 10 things with HR which he is not particularly interested in. He considers them 'spam'.
Can a user refuse or hide some shared items in the Shared view in SAS Drive?
From what I can find in the current version of Viya 3.4, it seems that there is not currently a way to do this:
Suppose that Hamish would like to share the design of (though not the data presented in) another report he developed, with all of the Sales group. But this time the report is in the GELCorp/HR/Analyses folder. Members of the Sales group cannot normally see that folder.
What are Hamish's options?
If Hamish navigates to his report in the GELCorp/HR/Analyses folder in SAS Drive, he will notice that the Share... button is disabled, because:
There is nothing to stop Hamish from opening the report in SAS Visual Analytics or SAS Report Viewer, choosing Save As... from the menu, making a copy of his report in his own 'My Folder' where he has the secure permission, and sharing it just as he did above.
SAS Administrators should be aware of this. When Sharing is enabled, ANY report, or data plan, or other object accessible to a user can be shared using this method, even if it cannot be shared directly from its original location.
Every user has somewhere that they can share a report from: their 'My Folder'.
Hamish does not have the secure permission on the report in its current location in the corporate folder structure, but some other users do.
One is the SAS Administrator, sasadm. Another is Alex, a member of the group GELCorp Content Administrators. Both are granted all permissions on the GELCorp folder structure, which means they have the secure permission on the report and can share it.
Note that in neither of these cases would a member of Sales automatically get access to the wrong data in Hamish's HR report. The Sales person would only get access to the data they have been granted access to in CAS, if any. In the example I chose here, they see Sales-specific data in the report because Sales has the ReadInfo permission on the CAS library and table, and a row-filtered Select permission on the table. But if Sales did not have any access to the data in the report, someone in Sales could still open the report, but would see no data at all inside it.
There could, of course, be some members of the Sales group - such as Sophia who is a Manager - who do have access to the HR data because another group to which they belong (in Sophia's case the Managers group) is granted access to that data by design in the security model. But access to the HR data is not shared as a result of the report having been shared with them.
A SAS Administrator can disable part or all of the Sharing system in Viya 3.4, from the Environment Manager > Configuration page, under All Services > Authorization Service. There they can change either or both of the following settings to 'off':
Both of these configuration properties are 'on' by default when Viya is first deployed.
I tried some experiments with my SAS Visual Analytics environment, asking some questions and finding answers as best I could. Here is what I found - some of this is explained in the documentation, but I wanted to try it for myself too:
Sharing in this sense presents SAS Administrators with a huge opportunity to free up their time for other work, but it also potentially presents a bit of a security concern and maintenance burden.
As we have discussed, the security concern is not really with data, because access to data cannot be shared, only access to other Viya objects such as reports and data plans.
But the fact that a report even exists could be of concern to the SAS Administrator, in some situations. Hamish may have a legitimate reason to develop a report titled 'Employees likely to be fired'. But one hopes that he would not be irresponsible enough to share such a report, any more than he would be to give a copy of it to a colleague not authorized to see such sensitive content. But this is probably a niche concern.
The greater challenges for a SAS Administrator, as I see them, could be these:
Sharing is a very nice new feature in SAS Viya. SAS Administrators should be familiar with how it works and monitor its use in organizations.
I would expect that over time, SAS Drive in general, and the sharing feature, in particular, will evolve and become richer and more consistently supported across the SAS Viya visual interfaces.
I also expect that as more large organizations discover the impact that Sharing has on their users' experience and on their ability to effectively manage and maintain a good security model, we will learn what practices to recommend. At the time of writing, this capability is so new that it is difficult to anticipate what we should recommend to customers, but the SAS administration community will certainly be paying attention to this!