Exploring, predicting and reporting with SAS Visual Analytics and SAS Visual Statistics

SAS.IdentityGroups in Conditional Grants

Accepted Solution Solved
Reply
Occasional Contributor
Posts: 10
Accepted Solution

SAS.IdentityGroups in Conditional Grants

Hi all,

As I am working my way to create the reports needed for management, we are also getting the need to protect data.

In the datamart the reports are created from, we have a hierarchy defined at organisational units (in this case locations).

I would expect it to be possible to create a Conditional Grant on the dataset that would check the value of the OU field against the groups the logged in user is a member of.

It surprises me that is not (or no longer) possible in SAS VA 7.1 to use (for example) IN in your condition.

Basically I would need a restriction as : OU IN SUB:Smiley FrustratedAS.IdentityGroups.

When I try this on report level (where IN is available), I simply get either all records or none at all.

Somehow, I don't understand which editor uses SUB:: and if it should be in parenthesis or not.

Does anyone have experience in how to enable row-level security for groups where a manager can be in multiple groups?

The Conditional Grants in SAS Visual Analytics has helped a lot with understanding how the row-level security works, but I can't get this next step going.

Regards,

Roy


Accepted Solutions
Solution
‎07-07-2015 02:19 AM
Contributor
Posts: 40

Re: SAS.IdentityGroups in Conditional Grants

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB:Smiley FrustratedAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB:Smiley FrustratedAS.IdentityGroups")'

Works for VA 6.4

View solution in original post


All Replies
Regular Contributor
Posts: 173

Re: SAS.IdentityGroups in Conditional Grants

Roy,

assign the row-level security on user level using a group by user.

this way I assign the access restrictions by table and user.

this way you have one access group by user and the rules are assigned at table level.

works for me.

greetings

Solution
‎07-07-2015 02:19 AM
Contributor
Posts: 40

Re: SAS.IdentityGroups in Conditional Grants

From thread https://communities.sas.com/thread/62416

You can activate the old editor on a table with a command like this

./sas-set-metadata-access -host servername -port 8561 -user USERNAME -password PASSWORD "Analytical LASR Data - Sandbox/SALES(Table)" -grant "SalesUsers":Read -condition '("rbs-"|| departmentname) IN ("SUB:Smiley FrustratedAS.IdentityGroups") OR "rbs-FullAccess" IN ("SUB:Smiley FrustratedAS.IdentityGroups")'

Works for VA 6.4

Occasional Contributor
Posts: 10

Re: SAS.IdentityGroups in Conditional Grants

Hello Allan, Peter,

The batchtool did the job (though it needed some extra tweaking). I had come across this earlier, but could not get it working.

The -condition option failed from the example (after personallising it ofcourse). When I switched around the condition to: "(departmentname) IN ('SUB:Smiley FrustratedAS.IdentityGroups')", meaning I switched around the single and double qoutes, it worked like a charm. If not, I get the message: "Invalid commandline syntax. Too many objects specified.".

As for Peter's solution: The amount of tables we have and the changes in responsibilities would make this a hard method to maintain. With each change in responsibility, we would need to change a lot of tables. I fine solution, but too maintenance heavy for our organisation.

With the implemented solution, we can just shift users from one group/department to another and let the one time implementation on table level take over.

🔒 This topic is solved and locked.

Need further help from the community? Please ask a new question.

Discussion stats
  • 3 replies
  • 771 views
  • 0 likes
  • 3 in conversation