
SAS Management Console Authorization Tab- permission

Regular Contributor
Posts: 225


Hi all, I am sorry to post a SAS MC issue under EG but didn't find any individual pan for SAS MC.

I would really appreciate it if someone can tell me what difference the following signs can make when you are giving permission to an individual user or a group on the AUTHORIZATION tab in SAS MC?




Explicit: The permission is set on the current item and individually assigned to the selected identity.

ACT: The permission comes from an applied ACT whose pattern explicitly assigns the grant or denial to the selected identity.

Indirect: The permission comes from someone else (a group that has an explicit or ACT setting) or somewhere else (a parent item or the repository ACT). [2]

[1] Explicit settings are usually white because the background color for the permissions list is usually white.

[2] For the WriteMemberMetadata permission, gray can indicate that the setting mirrors the WriteMetadata setting. For an unrestricted user, gray indicates a grant that can't be removed.

Posts: 485

Re: SAS Management Console Authorization Tab- permission


Explicit settings (also known as Access Control Entries or ACEs) are applied specifically to that object for that identity (user or group).  It is recommended that these be used sparingly at best (and some might say not at all).

Access Control Templates (ACTs) allow you to define commonly used patterns of permissions and identities as a bundle and apply them to one or more objects.  These have the benefit of defining the rules in one place so that when the rules change the ACT can be changed and the permissions it imparts automatically flow to those objects to which it was originally applied (and indirectly to child objects too).  ACTs are commonly applied to metadata folders to protect entire branches of sub folders and the objects they contain (indirectly).

Indirect permissions are the result of permissions applied elsewhere (either on the same object for another group in the user's identity hierarchy, or from another parent object in the object's inheritance path).

For a much more thorough understanding I would recommend reading through the Authorization Model section in the SAS 9.3 Intelligence Platform: Security Administration Guide.

I'd also suggest attending the SAS Platform Administration: Fast Track course if you will be regularly managing the security for a SAS platform installation.  It has an entire chapter on authorization with lots of examples and exercises.

I would also suggest reading an excellent paper on best practices by Cecily Hoffritz & Johannes Jørgensen: SAS Global Forum 2011 Paper 376-2011 Best Practice Implementation of SAS® Metadata Security at Custo.... The paper presents a few golden rules which, when followed, make metadata security much easier and more manageable.  I also had an example of the type of thing that can go wrong when you deny permissions to identities other than the implicit groups (SASUSERS and PUBLIC) in a SAS Forum Australia & New Zealand 2010 presentation on Best Practices with SAS® 9 Metadata Security (specifically Slides 15 & 16: Wide Denials, Narrow Grants).

Hope this helps.
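The three origins described in this thread, as a small Python model added here for illustration (it is not SAS code and not part of the original posts): it reports whether a setting for the selected identity is Explicit, ACT or Indirect, and shows a change to one ACT flowing to a child item. Assumptions: the names `ACT`, `Item`, `origin`, the sample identities and items are all constructed; group membership is a flat list; conflicts at one level resolve to Deny; the repository ACT is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ACT:
    name: str
    pattern: dict  # {(identity, permission): "Grant" | "Deny"}

@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    aces: dict = field(default_factory=dict)  # explicit settings on this item
    acts: list = field(default_factory=list)  # ACTs applied to this item

def _direct(item, who, permission):
    """Setting placed on `item` for exactly `who`: explicit first, then ACT."""
    key = (who, permission)
    if key in item.aces:
        return item.aces[key], "Explicit"
    hits = [a.pattern[key] for a in item.acts if key in a.pattern]
    if hits:  # assumption of this model: conflicting ACTs resolve to Deny
        return ("Deny" if "Deny" in hits else "Grant"), "ACT"
    return None

def origin(item, identity, groups, permission):
    """Return (setting, origin) for the selected identity on `item`."""
    node = item
    while node is not None:
        # At each item, the identity's own settings come before its groups'.
        for tier in ([identity], list(groups)):
            hits = [r for r in (_direct(node, w, permission) for w in tier) if r]
            if hits:
                setting = "Deny" if any(s == "Deny" for s, _ in hits) else "Grant"
                # Only a setting on this item for this identity is Explicit/ACT;
                # a group's setting or a parent item's setting is Indirect.
                direct = node is item and tier == [identity]
                return setting, (hits[0][1] if direct else "Indirect")
        node = node.parent  # somewhere else: walk up the inheritance path
    return None, "not modelled"  # repository ACT is outside this model

# Constructed sample data: one ACT applied to a folder protects the report in it.
analysts_act = ACT("Analysts Write", {("Finance Analysts", "WriteMetadata"): "Grant"})
folder = Item("Finance folder", acts=[analysts_act])
report = Item("Q1 report", parent=folder)
members = ["Finance Analysts"]  # group list of the constructed users "ana" and "bo"
```

Setting `report.aces[("ana", "WriteMetadata")] = "Deny"` turns ana's result into an Explicit denial on that one item, while editing `analysts_act.pattern` changes the Indirect result for every member on every item under the folder.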



Regular Contributor
Posts: 225

Re: SAS Management Console Authorization Tab- permission

Posted in reply to PaulHomes

Thanks for your reply Paul. There are lots of articles out there regarding security and permission and al...but I am assuming the best way to learn is from colleagues and community. I will also use some more reply on this.

