BookmarkSubscribeRSS Feed
Pylon53
Calcite | Level 5

Is there a way to make a stored process prompt dependent on the value of _METAUSER?

12 REPLIES 12
Quentin
Super User

Not quite sure what you want to do.   When you say make a stored process prompt dependent on _METAUSER, do you mean that you want different users to see different prompts when they run a stored process?

I wouldn't know how to do that, but of course in the stored process code you could always reset prompt values based on _METAUSER to whatever you want, i.e. over-riding values selected by the user.

--Q.

BASUG is hosting free webinars Next up: Jane Eslinger presenting PROC REPORT and the ODS EXCEL destination on Mar 27 at noon ET. Register now at the Boston Area SAS Users Group event page: https://www.basug.org/events.
Pylon53
Calcite | Level 5

Yes, I want the prompts they see to be dependent on their _METAUSER assignment.   Here's what I'm doing:   I have a group of academic department(s) users who want to select eligible students for one of their scholarships(s).   These people are only allowed to see the scholarship(s) that are assigned to their department(s).   So, my ideal solution is to use my security table that has ID, Department and Fund assigned for the users as my prompt source table and then by matching the ID to _METAUSER just display the department(s) they can see in one prompt and then display the funds that are tied to that department in another prompt.   I want them to be able to select one or many departments and/or funds as they wish, but only if they have security for them.    

Quentin
Super User

Makes sense.  I don't think I'll be much help.  But just for the sake of discussion...

Assume since you posted this in EG forum that users will be using EG to run the stored process?  Certainly in the SAS IntRNet/Stored Process Web App you would have a lot of options for building these dynamic prompts.

I don't have my favorite stored process book near me right now.  But off the top of my head can't think how to do what you want.  If you didn't mind asking users to select their name from a list, then I would think you could use that to filter the lookup table used by a dynamic prompt.  But of course that is silly, and wouldn't be secure....

I guess my ugly workaround might be to check against your table on the back-end, so that if a user selects something they shouldn't be able to see they get a message or page saying "ha ha, you can't see me".

But hopefully someone else will have better ideas.

BASUG is hosting free webinars Next up: Jane Eslinger presenting PROC REPORT and the ODS EXCEL destination on Mar 27 at noon ET. Register now at the Boston Area SAS Users Group event page: https://www.basug.org/events.
Pylon53
Calcite | Level 5

Actually, the user will be invoking the stored process from Web Report Studio.   I use Enterprise Guide for developing and testing the stored process prompts.   When I run my test, I can see that _METAUSER value (in this case - me).   I just can't make the other prompts dependent on it.

TomKari
Onyx | Level 15

Unfortunately I don't have the tools in front of me, so this is just a thought experiment.

Can you create a view on a database table that is dependent on the user's identity (in other words using a "where" clause to select only the rows that match them), and then use the view for a dynamic prompt?

Tom

Quentin
Super User

Interesting idea from Tom.

Similar idea, use SAS datasets registered in the metadata to populate  dynamic prompts listing the departments / scholarship funds.  The tables should list all possible departments/funds.  THen using metadata permissions, limit read access to those tables so that users can only read the rows you want.

I think that might work. (?)

BASUG is hosting free webinars Next up: Jane Eslinger presenting PROC REPORT and the ODS EXCEL destination on Mar 27 at noon ET. Register now at the Boston Area SAS Users Group event page: https://www.basug.org/events.
Pylon53
Calcite | Level 5

I did try this early on.   Using the same table that is the source for my EG prompts, I did make an info map for WRS to use to restrict what departments and funds a person sees based on his/her online ID (i.e _METAUSER).  That works great except for one thing.   The resulting report lists the funds as separate rows.   If I hyperlink funds to the stored process, I can only process one fund at a time.   My ideal goal is to allow multiple funds to be evaluated with one row per student listing which of the funds s/he has eligibility for.  So, I can provide good security, but it means evaluating one fund at a time, or I can process many funds at once, but the person gets to pick from a dynamic list of users, thus allowing the user to pick any of the users in the table.  Ouch.   This is why I reached out for help.  I appreciate the feedback.

Quentin
Super User

I feel like I may be "leading you on", as I'm not confident that I'll be able to help much.  That said...

I'm confused now about the big picture about the prompts you want to create, and what you have been able to do so far (and how they relate to problems with the resulting report).

Am I right that:

1. You have a dynamic multiple selection prompt for department.

2. You have a dynamic multiple selection prompt for fund, which will show only the funds applicable to the department(s) selected in the department prompt.

3. You have been able to use an info map to limit access by _METAUSER to the values displayed in the department prompt, so that it shows only the department(s) you want them to see.

????

If so, then I would think the original problem of creating prompts based on _METAUSER has been solved (?)

In your last response you mentioned problems with the report produced when you tried this approach early on.  And only being able to proces funds one at a time if you hyperlink to them.  I don't understand the context for these concerns.  Maybe you could give more background to that?  If the prompts themselves are working as you like, I would think it would be feasible to get hyperlinks working which pass they same values....  Certainly it is possible to pass a list of funds in a URL.  I typically pass a single prompt with a pipe-delimited list.


BASUG is hosting free webinars Next up: Jane Eslinger presenting PROC REPORT and the ODS EXCEL destination on Mar 27 at noon ET. Register now at the Boston Area SAS Users Group event page: https://www.basug.org/events.
jakarman
Barite | Level 11

All depends on the level of being sure of your controls Confidentality Integrity Availability (CIA-rating) and possible impact on failures the "Business Impact" analyses.

Coding your security in your programs was the way it was commonly done before 1980 without any further security awareness and using only predefined menu-s.

With the RBAC hype it has become normal to define a role by HR and that will lead to all your needed access to data. That is modern time.

You cannot trust the SAS metadata for security on data: SAS(R) 9.4 Intelligence Platform: Security Administration Guide (About Access Management)

If gives you quick links to the "mediated access" and "metadata bound libraries" It will get security on those parts level.you would

If you would have segregated datasets for the students/departments it would be a no brainer.

Can the question be translated that ways. The approach of Views by Tom is an approach.

When every department would used their own segregated app-server it could be solved  on the appserver context usermods.....     

---->-- ja karman --<-----
Pylon53
Calcite | Level 5

I figured out a method that works.   I use a prompt for ID first where the person has to enter his/her ID.   Based on that response, the other dependent prompts are processed and then sent to the stored process.   The stored process main looping macro will not run unless that user-provided ID matches a macro variable that I create in the stored process to capture the _METAUSER.    If a person attempts to enter someone else's ID, then the process aborts when the prompted ID fails to match _METAUSER.

Fortunately for me, people have to pass through two levels of security filtering to even get to my report.   My security is built to just keep people focused on the funds that are assigned to their departments.   Unfortunately for the user, s/he ends up having to log in just to get to my report, then s/he must enter that ID again to run the stored process. Hopefully the benefits outweigh the irritation of entering the ID again.    Thanks to Quentin, TomKari and Jaap for their feedback.

Haikuo
Onyx | Level 15

It is indeed an option, but how do you cover your security ground? If your users are SAS savvy enough, they could always do:

1. change the value of _metauser to others' login id before running your STP: %let _metauser=IDofOthers;

2. if your subset your data on the fly instead of subset in advance and having security rules applied accordingly, your users  can always find a way to go around, and get to the mother table directly.

In my opinion, tricks like this may work in some unofficial/informal settings or for the purpose of teaching, however, it won't pass the security audit in government or modern industries.

Just my 2 cents,

Haikuo

cstegeman
Fluorite | Level 6

I know this is a year and a half late, but I had a similar issue and just found a solution!

Create a new 'text' prompt _metauser - I've made it hidden, required, and used throughout the project.  Then in the default field put: &_metauser.  Now in the dynamic prompt, you can make it dependent on the _metauser prompt.  Only the departments that metauser is associated with in your registered table should show up.

I'm using SAS 9.4 and EG 6.1 - not sure if it works the same for other versions.  It seems to work in both EG and the stored process web application for me.

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

SAS Enterprise Guide vs. SAS Studio

What’s the difference between SAS Enterprise Guide and SAS Studio? How are they similar? Just ask SAS’ Danny Modlin.

Find more tutorials on the SAS Users YouTube channel.

Click image to register for webinarClick image to register for webinar

Classroom Training Available!

Select SAS Training centers are offering in-person courses. View upcoming courses for:

View all other training opportunities.

Discussion stats
  • 12 replies
  • 1888 views
  • 2 likes
  • 6 in conversation