BookmarkSubscribeRSS Feed
Raoul
Calcite | Level 5
All,

We have built a web application using the Stored Process Server in which the Open Metadata Interface is used to display folders (and subtrees) defined in the metadataserver.
Some users or usergroups are restricted to see certain folders, so permissions are set by access control templates.

The thing I want to do is do display only those folders from the metadata that the user is permitted to see, using the open metadata interface. I know it has something to do with the AccessControlTemplate and AccessControlEntry metadata types, but it is kinda hard to ask the proper questions to the metadataserver.

I know a Tree metadatatype is associated to 0 or more AccessControlEntry elements.
I also know a Person metadatatype is associated to 0 or more AccessControlEntry elements.
But how to get the right permission on a Tree, that is somewhat difficult.

Can anyone give me some directions to perform this "trick".
Any help is greatly appreciated.

Regards, Raoul.
7 REPLIES 7
twocanbazza
Quartz | Level 8
Hi Raoul.

Wouldn't the Metadata server only return the folders that the user can see, or are you using a generic userid to access?

Barry
Raoul
Calcite | Level 5
Barry,

Because the application runs in the Stored Process Server (we are using SAS 9.1.3), it is executed with a general user (in our specific case we call it a systemaccount). When using the Stored Process Server it is possible to store session data (in the SAVE library) and session variables (prefix ' save_').

I guess I need to do the following steps.
1. Get the AccessControlEntry metadata types for the user (defined in _METAUSER or _METAPERSON) for which the user has read permissions.
2. Get the AccessControlEntry metadata types associated with each folder (Tree)
3. Combine step 1 and 2

Maybe these steps are all too simple, since there is quiet some metadata to retrieve. Again: i can't figure out what the appropriate questions are to ask to the metadataserver.

Regards, Raoul.
twocanbazza
Quartz | Level 8
if you are using 9.2 have a look at the %mdsecds() macro

Barry
Vince_SAS
Rhodochrosite | Level 12
Also for 9.2, see this thread:

http://support.sas.com/forums/thread.jspa?messageID=34396

Vince DelGobbo
SAS R&D
Raoul
Calcite | Level 5
Vince,

We are using SAS 9.1.3. The thread you referred to shows an example of determining the IdentityGroups a user is associated with.
What I need to know is which associations are needed to determine whether a user is allowed to see a Tree or not.

Suppose I have a tree (or folder), do I need to look at the AccessControlEntry metadatatypes? What I know is that an AccessControlEntry has 0 or more Permission elements, each with attributes Name and Type, e.g. Name = 'ReadMetadata' and Type = 'GRANT'.
And let's assume there are two AccessControlEntry elements associated with this tree. The first one has a permission Name = 'ReadMetadata' and Type='GRANT', but the second one has a permission Name = 'ReadMetadata' and Type=DENY'. Does this mean that the use can or cannot see the tree?

Am I looking in the right direction?

Regards, Raoul.
Raoul
Calcite | Level 5
@ Barry,

Can you give me the contents of this macro?
I don't know if it'll work in 9.1.3, but it is worth a try...

Raoul.
twocanbazza
Quartz | Level 8
the macro, and subsequent called macros came with 9.2, I am sure if you request from Tech support they'll supply.

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Find more tutorials on the SAS Users YouTube channel.

Click image to register for webinarClick image to register for webinar

Classroom Training Available!

Select SAS Training centers are offering in-person courses. View upcoming courses for:

View all other training opportunities.

Discussion stats
  • 7 replies
  • 1183 views
  • 0 likes
  • 3 in conversation