Hi all,
As I am working my way to create the reports needed for management, we are also getting the need to protect data.
In the datamart the reports are created from, we have a hierarchy defined at organisational units (in this case locations).
I would expect it to be possible to create a Conditional Grant on the dataset that would check the value of the OU field against the groups the logged in user is a member of.
It surprises me that is not (or no longer) possible in SAS VA 7.1 to use (for example) IN in your condition.
Basically I would need a restriction as : OU IN SUB::SAS.IdentityGroups.
When I try this on report level (where IN is available), I simply get either all records or none at all.
Somehow, I don't understand which editor uses SUB:: and if it should be in parenthesis or not.
Does anyone have experience in how to enable row-level security for groups where a manager can be in multiple groups?
The Conditional Grants in SAS Visual Analytics has helped a lot with understanding how the row-level security works, but I can't get this next step going.
Regards,
Roy
From thread https://communities.sas.com/thread/62416
You can activate the old editor on a table with a command like this
./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'
Works for VA 6.4
Roy,
assign the row-level security on user level using a group by user.
this way I assign the access restrictions by table and user.
this way you have one access group by user and the rules are assigned at table level.
works for me.
greetings
From thread https://communities.sas.com/thread/62416
You can activate the old editor on a table with a command like this
./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB::SAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB::SAS.IdentityGroups")'
Works for VA 6.4
Hello Allan, Peter,
The batchtool did the job (though it needed some extra tweaking). I had come across this earlier, but could not get it working.
The -condition option failed from the example (after personallising it ofcourse). When I switched around the condition to: "(departmentname) IN ('SUB::SAS.IdentityGroups')", meaning I switched around the single and double qoutes, it worked like a charm. If not, I get the message: "Invalid commandline syntax. Too many objects specified.".
As for Peter's solution: The amount of tables we have and the changes in responsibilities would make this a hard method to maintain. With each change in responsibility, we would need to change a lot of tables. I fine solution, but too maintenance heavy for our organisation.
With the implemented solution, we can just shift users from one group/department to another and let the one time implementation on table level take over.
Join us for SAS Innovate 2025, our biggest and most exciting global event of the year, in Orlando, FL, from May 6-9. Sign up by March 14 for just $795.
See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.
Find more tutorials on the SAS Users YouTube channel.