---

@RexDeus9 wrote:

Hi Kurt,

 

Working with SAS EG.

---

If the libraries are assigned with a basic libname statement (and not with the meta engine), then the metadata access control will not be active.

You can make sure that the access control works by converting to metadata bound libraries. 

The ultima ratio is always the operating system. Once the permissions are properly set, no other user can bypass them.

@RexDeus9

Alternatively to metadata bound libraries you can always secure tables on OS level and with a new SAS version you could also go for Sever Lockdown (but that requires quite a bit of planning/design to implement).

One option not mentioned is to do folder-level permissions where Group B have a separate folder / library with the two datasets they are allowed to see then another folder for Group A containing all of the datasets (2 being copies). Then it is easy to align OS and metadata permissions so users can't bypass them.

Hi SA Skiwi,

I've been contemplating that route, but still not sure of the outcome. The OS is Linux, so to put a very short example I think it should look like thisFrom the shared folder of data sets)

-rwxr-x---. sasadm sasPublic  publicData.sas7bdat
-rwxrwx---. sasadm sasPrivate privateDatasas7bdat

Users are assigned to Linux groups according to what they can have access to.

@Kurt_Bremser - is the Unix guru in this post  I'll leave it up to him.

---

@RexDeus9 wrote:

Hi SA Skiwi,

 

I've been contemplating that route, but still not sure of the outcome. The OS is Linux, so to put a very short example I think it should look like thisFrom the shared folder of data sets)

 

-rwxr-x---. sasadm sasPublic  publicData.sas7bdat
-rwxrwx---. sasadm sasPrivate privateDatasas7bdat

 

Users are assigned to Linux groups according to what they can have access to.

---

One big issue that jumps into my eyes are the x bits. Data files should never have the executable permission set.

That said:

what you get here is one .sas7bdat that is readable by group SASPublic and noone else (except the owner sasadm, of course), and another .sas7bdat that is read/writeable by group SASPrivate.

I'd try to solve such an issue this way:

The directory gets these permissions:

drwxr-x--- sasadm SASPublic

publicdata.sas7bdat gets these:

-rw-r----- sasadm SASPublic

privatedata.sas7bdat gets these:

-rw-r----- sasadm SASPrivate

(add group write permission if required)

For this to work, all members of SASPrivate must also be members of SASPublic.

But my preferred method would be to keep separate libraries in separate physical directories for the groups.