12-06-2013 01:22 PM
Not quite sure what you want to do. When you say make a stored process prompt dependent on _METAUSER, do you mean that you want different users to see different prompts when they run a stored process?
I wouldn't know how to do that, but of course in the stored process code you could always reset prompt values based on _METAUSER to whatever you want, i.e. over-riding values selected by the user.
12-06-2013 01:36 PM
Yes, I want the prompts they see to be dependent on their _METAUSER assignment. Here's what I'm doing: I have a group of academic department(s) users who want to select eligible students for one of their scholarships(s). These people are only allowed to see the scholarship(s) that are assigned to their department(s). So, my ideal solution is to use my security table that has ID, Department and Fund assigned for the users as my prompt source table and then by matching the ID to _METAUSER just display the department(s) they can see in one prompt and then display the funds that are tied to that department in another prompt. I want them to be able to select one or many departments and/or funds as they wish, but only if they have security for them.
12-06-2013 04:14 PM
Makes sense. I don't think I'll be much help. But just for the sake of discussion...
Assume since you posted this in EG forum that users will be using EG to run the stored process? Certainly in the SAS IntRNet/Stored Process Web App you would have a lot of options for building these dynamic prompts.
I don't have my favorite stored process book near me right now. But off the top of my head can't think how to do what you want. If you didn't mind asking users to select their name from a list, then I would think you could use that to filter the lookup table used by a dynamic prompt. But of course that is silly, and wouldn't be secure....
I guess my ugly workaround might be to check against your table on the back-end, so that if a user selects something they shouldn't be able to see they get a message or page saying "ha ha, you can't see me".
But hopefully someone else will have better ideas.
12-06-2013 04:28 PM
Actually, the user will be invoking the stored process from Web Report Studio. I use Enterprise Guide for developing and testing the stored process prompts. When I run my test, I can see that _METAUSER value (in this case - me). I just can't make the other prompts dependent on it.
12-06-2013 07:34 PM
Unfortunately I don't have the tools in front of me, so this is just a thought experiment.
Can you create a view on a database table that is dependent on the user's identity (in other words using a "where" clause to select only the rows that match them), and then use the view for a dynamic prompt?
12-06-2013 09:34 PM
Interesting idea from Tom.
Similar idea, use SAS datasets registered in the metadata to populate dynamic prompts listing the departments / scholarship funds. The tables should list all possible departments/funds. THen using metadata permissions, limit read access to those tables so that users can only read the rows you want.
I think that might work. (?)
12-06-2013 10:13 PM
I did try this early on. Using the same table that is the source for my EG prompts, I did make an info map for WRS to use to restrict what departments and funds a person sees based on his/her online ID (i.e _METAUSER). That works great except for one thing. The resulting report lists the funds as separate rows. If I hyperlink funds to the stored process, I can only process one fund at a time. My ideal goal is to allow multiple funds to be evaluated with one row per student listing which of the funds s/he has eligibility for. So, I can provide good security, but it means evaluating one fund at a time, or I can process many funds at once, but the person gets to pick from a dynamic list of users, thus allowing the user to pick any of the users in the table. Ouch. This is why I reached out for help. I appreciate the feedback.
12-07-2013 08:56 AM
I feel like I may be "leading you on", as I'm not confident that I'll be able to help much. That said...
I'm confused now about the big picture about the prompts you want to create, and what you have been able to do so far (and how they relate to problems with the resulting report).
Am I right that:
1. You have a dynamic multiple selection prompt for department.
2. You have a dynamic multiple selection prompt for fund, which will show only the funds applicable to the department(s) selected in the department prompt.
3. You have been able to use an info map to limit access by _METAUSER to the values displayed in the department prompt, so that it shows only the department(s) you want them to see.
If so, then I would think the original problem of creating prompts based on _METAUSER has been solved (?)
In your last response you mentioned problems with the report produced when you tried this approach early on. And only being able to proces funds one at a time if you hyperlink to them. I don't understand the context for these concerns. Maybe you could give more background to that? If the prompts themselves are working as you like, I would think it would be feasible to get hyperlinks working which pass they same values.... Certainly it is possible to pass a list of funds in a URL. I typically pass a single prompt with a pipe-delimited list.
12-07-2013 09:39 AM
All depends on the level of being sure of your controls Confidentality Integrity Availability (CIA-rating) and possible impact on failures the "Business Impact" analyses.
Coding your security in your programs was the way it was commonly done before 1980 without any further security awareness and using only predefined menu-s.
With the RBAC hype it has become normal to define a role by HR and that will lead to all your needed access to data. That is modern time.
You cannot trust the SAS metadata for security on data: SAS(R) 9.4 Intelligence Platform: Security Administration Guide (About Access Management)
If gives you quick links to the "mediated access" and "metadata bound libraries" It will get security on those parts level.you would
If you would have segregated datasets for the students/departments it would be a no brainer.
Can the question be translated that ways. The approach of Views by Tom is an approach.
When every department would used their own segregated app-server it could be solved on the appserver context usermods.....
12-07-2013 11:19 PM
I figured out a method that works. I use a prompt for ID first where the person has to enter his/her ID. Based on that response, the other dependent prompts are processed and then sent to the stored process. The stored process main looping macro will not run unless that user-provided ID matches a macro variable that I create in the stored process to capture the _METAUSER. If a person attempts to enter someone else's ID, then the process aborts when the prompted ID fails to match _METAUSER.
Fortunately for me, people have to pass through two levels of security filtering to even get to my report. My security is built to just keep people focused on the funds that are assigned to their departments. Unfortunately for the user, s/he ends up having to log in just to get to my report, then s/he must enter that ID again to run the stored process. Hopefully the benefits outweigh the irritation of entering the ID again. Thanks to Quentin, TomKari and Jaap for their feedback.
12-09-2013 10:03 AM
It is indeed an option, but how do you cover your security ground? If your users are SAS savvy enough, they could always do:
1. change the value of _metauser to others' login id before running your STP: %let _metauser=IDofOthers;
2. if your subset your data on the fly instead of subset in advance and having security rules applied accordingly, your users can always find a way to go around, and get to the mother table directly.
In my opinion, tricks like this may work in some unofficial/informal settings or for the purpose of teaching, however, it won't pass the security audit in government or modern industries.
Just my 2 cents,
05-08-2015 11:23 AM
I know this is a year and a half late, but I had a similar issue and just found a solution!
Create a new 'text' prompt _metauser - I've made it hidden, required, and used throughout the project. Then in the default field put: &_metauser. Now in the dynamic prompt, you can make it dependent on the _metauser prompt. Only the departments that metauser is associated with in your registered table should show up.
I'm using SAS 9.4 and EG 6.1 - not sure if it works the same for other versions. It seems to work in both EG and the stored process web application for me.