BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
roy_walter
Fluorite | Level 6

Hi all,

As I am working my way to create the reports needed for management, we are also getting the need to protect data.

In the datamart the reports are created from, we have a hierarchy defined at organisational units (in this case locations).

I would expect it to be possible to create a Conditional Grant on the dataset that would check the value of the OU field against the groups the logged in user is a member of.

It surprises me that is not (or no longer) possible in SAS VA 7.1 to use (for example) IN in your condition.

Basically I would need a restriction as : OU IN SUB::SAS.IdentityGroups.

When I try this on report level (where IN is available), I simply get either all records or none at all.

Somehow, I don't understand which editor uses SUB:: and if it should be in parenthesis or not.

Does anyone have experience in how to enable row-level security for groups where a manager can be in multiple groups?

The Conditional Grants in SAS Visual Analytics has helped a lot with understanding how the row-level security works, but I can't get this next step going.

Regards,

Roy

1 ACCEPTED SOLUTION

Accepted Solutions
Allan_dk
Quartz | Level 8

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'

Works for VA 6.4

View solution in original post

3 REPLIES 3
PeterWijers
Lapis Lazuli | Level 10

Roy,

assign the row-level security on user level using a group by user.

this way I assign the access restrictions by table and user.

this way you have one access group by user and the rules are assigned at table level.

works for me.

greetings

Allan_dk
Quartz | Level 8

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'

Works for VA 6.4

roy_walter
Fluorite | Level 6

Hello Allan, Peter,

The batchtool did the job (though it needed some extra tweaking). I had come across this earlier, but could not get it working.

The -condition option failed from the example (after personallising it ofcourse). When I switched around the condition to: "(departmentname) IN ('SUB::SAS.IdentityGroups')", meaning I switched around the single and double qoutes, it worked like a charm. If not, I get the message: "Invalid commandline syntax. Too many objects specified.".

As for Peter's solution: The amount of tables we have and the changes in responsibilities would make this a hard method to maintain. With each change in responsibility, we would need to change a lot of tables. I fine solution, but too maintenance heavy for our organisation.

With the implemented solution, we can just shift users from one group/department to another and let the one time implementation on table level take over.

hackathon24-white-horiz.png

The 2025 SAS Hackathon has begun!

It's finally time to hack! Remember to visit the SAS Hacker's Hub regularly for news and updates.

Latest Updates

Tips for filtering data sources in SAS Visual Analytics

See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 3592 views
  • 0 likes
  • 3 in conversation