Solved: Re: SAS.IdentityGroups in Conditional Grants

roy_walter · Posted 07-06-2015 09:16 AM

Hi all,

As I am working my way to create the reports needed for management, we are also getting the need to protect data.

In the datamart the reports are created from, we have a hierarchy defined at organisational units (in this case locations).

I would expect it to be possible to create a Conditional Grant on the dataset that would check the value of the OU field against the groups the logged in user is a member of.

It surprises me that is not (or no longer) possible in SAS VA 7.1 to use (for example) IN in your condition.

Basically I would need a restriction as : OU IN SUB::SAS.IdentityGroups.

When I try this on report level (where IN is available), I simply get either all records or none at all.

Somehow, I don't understand which editor uses SUB:: and if it should be in parenthesis or not.

Does anyone have experience in how to enable row-level security for groups where a manager can be in multiple groups?

The Conditional Grants in SAS Visual Analytics has helped a lot with understanding how the row-level security works, but I can't get this next step going.

Regards,

Roy

Allan_dk · Posted 07-07-2015 02:19 AM

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'

Works for VA 6.4

View solution in original post

PeterWijers · Posted 07-06-2015 03:34 PM

Roy,

assign the row-level security on user level using a group by user.

this way I assign the access restrictions by table and user.

this way you have one access group by user and the rules are assigned at table level.

works for me.

greetings

Allan_dk · Posted 07-07-2015 02:19 AM

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'

Works for VA 6.4

roy_walter · Posted 07-07-2015 03:31 AM

Hello Allan, Peter,

The batchtool did the job (though it needed some extra tweaking). I had come across this earlier, but could not get it working.

The -condition option failed from the example (after personallising it ofcourse). When I switched around the condition to: "(departmentname) IN ('SUB::SAS.IdentityGroups')", meaning I switched around the single and double qoutes, it worked like a charm. If not, I get the message: "Invalid commandline syntax. Too many objects specified.".

As for Peter's solution: The amount of tables we have and the changes in responsibilities would make this a hard method to maintain. With each change in responsibility, we would need to change a lot of tables. I fine solution, but too maintenance heavy for our organisation.

With the implemented solution, we can just shift users from one group/department to another and let the one time implementation on table level take over.