Re: SAS security on SAS VA 7.2

Filipvdr · Posted 04-11-2018 09:24 AM

Hello all,

I have the following problem:

I've got 2 lasr Libraries LASR_A, LASR_B.

User Fred should be able to create only reports on data in LASR_A. Though, he can ONLY view the reports from user Sara on data coming from LASR_B. He should NOT be able to create reports on data coming from LASR_B.

How does my folder structur should look like? Which authorizations will i have to set?

Is it even possible? I don't want user Fred to make reports on data which he does not know well enough.

Thanks!

Erik_Zencos · Posted 04-12-2018 09:33 AM

Security is a complex and big area, but the short answer is yes - you can achieve what you want. Best practice would be: put your user in different groups (based on what the groups should be able to do), create two different ACTs per groups (one ATC with read permissions r, rm, and one with write permissions w, wm). Create a folder structure that reflects the permission pattern you try to achieve, and add the ACT's to the folder structure (top level, object inheritance will take care of metadata objects at a lower level, including your libraries). Not possible to give a detailed answer in a comment, so I recommend you to read up a bit - here are a couple of good links:

Design for Success: An Approach to Metadata Architecture for Distributed Visual Analytics

Security Scenario for SAS® Visual Analytics

Filipvdr · Posted 04-12-2018 09:54 AM

Thanks Erik, i will read through your documents.

In your example, Fred will still be able to create reports on the data (coming from LASR_B) he is only allowed to see. Though he will not be able to save this reports in the folder reports_B, but he can in the folder reports_A. Or am I missing something?

Erik_Zencos · Posted 04-12-2018 03:39 PM

Hi Filip, you are correct - with read access to a table you can create a report based on it, but you are not able to save the report unless you have write access to the folder you want to save it to. Unless the data are sensitive, I give all users read access - but create a separate folder for "official reports" that only data administrators have write access to. That way users can get to know the data, play around with it, but only save the results/reports to their own personal folder (or a shared folder for drafts). Re-reading your original question, I see I was to quick - to open a report (view), you also need read permission on the table. That implies you can create a report based on the table, you are only able to restrict where the report can be saved.