Your SAS programs, embedded in web apps and elsewhere

Metadata permissions on folders

Reply
Occasional Contributor
Posts: 11

Metadata permissions on folders

All,

We have built a web application using the Stored Process Server in which the Open Metadata Interface is used to display folders (and subtrees) defined in the metadataserver.
Some users or usergroups are restricted to see certain folders, so permissions are set by access control templates.

The thing I want to do is do display only those folders from the metadata that the user is permitted to see, using the open metadata interface. I know it has something to do with the AccessControlTemplate and AccessControlEntry metadata types, but it is kinda hard to ask the proper questions to the metadataserver.

I know a Tree metadatatype is associated to 0 or more AccessControlEntry elements.
I also know a Person metadatatype is associated to 0 or more AccessControlEntry elements.
But how to get the right permission on a Tree, that is somewhat difficult.

Can anyone give me some directions to perform this "trick".
Any help is greatly appreciated.

Regards, Raoul.
Super Contributor
Posts: 356

Re: Metadata permissions on folders

Hi Raoul.

Wouldn't the Metadata server only return the folders that the user can see, or are you using a generic userid to access?

Barry
Occasional Contributor
Posts: 11

Re: Metadata permissions on folders

Barry,

Because the application runs in the Stored Process Server (we are using SAS 9.1.3), it is executed with a general user (in our specific case we call it a systemaccount). When using the Stored Process Server it is possible to store session data (in the SAVE library) and session variables (prefix ' save_').

I guess I need to do the following steps.
1. Get the AccessControlEntry metadata types for the user (defined in _METAUSER or _METAPERSON) for which the user has read permissions.
2. Get the AccessControlEntry metadata types associated with each folder (Tree)
3. Combine step 1 and 2

Maybe these steps are all too simple, since there is quiet some metadata to retrieve. Again: i can't figure out what the appropriate questions are to ask to the metadataserver.

Regards, Raoul.
Super Contributor
Posts: 356

Re: Metadata permissions on folders

if you are using 9.2 have a look at the %mdsecds() macro

Barry
SAS Employee
Posts: 284

Re: Metadata permissions on folders

Also for 9.2, see this thread:

http://support.sas.com/forums/thread.jspa?messageID=34396

Vince DelGobbo
SAS R&D
Occasional Contributor
Posts: 11

Re: Metadata permissions on folders

Vince,

We are using SAS 9.1.3. The thread you referred to shows an example of determining the IdentityGroups a user is associated with.
What I need to know is which associations are needed to determine whether a user is allowed to see a Tree or not.

Suppose I have a tree (or folder), do I need to look at the AccessControlEntry metadatatypes? What I know is that an AccessControlEntry has 0 or more Permission elements, each with attributes Name and Type, e.g. Name = 'ReadMetadata' and Type = 'GRANT'.
And let's assume there are two AccessControlEntry elements associated with this tree. The first one has a permission Name = 'ReadMetadata' and Type='GRANT', but the second one has a permission Name = 'ReadMetadata' and Type=DENY'. Does this mean that the use can or cannot see the tree?

Am I looking in the right direction?

Regards, Raoul.
Occasional Contributor
Posts: 11

Re: Metadata permissions on folders

@ Barry,

Can you give me the contents of this macro?
I don't know if it'll work in 9.1.3, but it is worth a try...

Raoul.
Super Contributor
Posts: 356

Re: Metadata permissions on folders

the macro, and subsequent called macros came with 9.2, I am sure if you request from Tech support they'll supply.
Ask a Question
Discussion stats
  • 7 replies
  • 324 views
  • 0 likes
  • 3 in conversation