BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
infmja
Obsidian | Level 7

Hello everyone

 

A lot of our customers get the error mentioned in the subject line when they open a report. The report opens properly, but the error is shown everywhere where the actual data should be.

I was not yet able to reproduce the error on purpose, but I've seen it myself too from time to time. Not sure where it's coming from. One important side note might be, that I was changing the permissions of my user to test some settings. If I've seen the error, it was after changing my permissions. The problem with this; it doesn't happen always...

As already mentioned in the subject line, the error is the following; "You are not allowed to view data used in this report".

Maybe I missed something with the permissions? The users, groups to be exact, have the ReadMetadata permission on the folder which contains the reports and therefore also on the reports in the folder. Everything else, WriteMetadata, Read, Administer etc., is denied.

 

SAS Version: 9.4

 

Every help is very well appreciated.

Kind regards

Martin

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

I suspect this is because they don't have an effective grant of the Read (R) permission. An effective grant of ReadMetadata (RM) lets them see the table exists, but it is the R permission that lets them see the contents. Add a grant for the group that includes both RM and R, ideally though an ACT, on the folder, or one of the other parent objects.

 

For more info on the permission requirements for various tasks in VA, see the Permissions section in the SAS Visual Analytics 7.4: Administration Guide.

 

Was that the exact text of the error message? Which VA version are you using? I replicated an effective +RM, -R with SAS VA 7.4 and I see "You are not authorized to view the data that is used in this report object". I'd be interested to hear if the message has changed between VA versions, or whether it's a different issue.

View solution in original post

5 REPLIES 5
PaulHomes
Rhodochrosite | Level 12

I suspect this is because they don't have an effective grant of the Read (R) permission. An effective grant of ReadMetadata (RM) lets them see the table exists, but it is the R permission that lets them see the contents. Add a grant for the group that includes both RM and R, ideally though an ACT, on the folder, or one of the other parent objects.

 

For more info on the permission requirements for various tasks in VA, see the Permissions section in the SAS Visual Analytics 7.4: Administration Guide.

 

Was that the exact text of the error message? Which VA version are you using? I replicated an effective +RM, -R with SAS VA 7.4 and I see "You are not authorized to view the data that is used in this report object". I'd be interested to hear if the message has changed between VA versions, or whether it's a different issue.

infmja
Obsidian | Level 7

Does it take a while before the permissions take effect? It seems so odd and completeley random to me...
I remove all my permissions - it obviously doesn't work anymore
RM permissions - it works
RM + R permissions - it works
Back to RM only - it doesn't work
RM + R again - it still doesn't work
After getting angry, giving up, wating for quite a while and changing the permissions again, it starts magically working again... Is there something like a reload happening? Can I trigger a reload or whatever it needs to acutally update the permissions?

And yes, you are right, it's "You are not authorized to view the data that is used in this report object.". I had that wrong in mind, sorry.
Looks like VA version is 7.3 if I'm reading the deploymentregistry txt file correctly.

PaulHomes
Rhodochrosite | Level 12

It looks like the permission info is cached. If you have a look in the Configuration Properties section of the SAS Visual Analytics 7.4: Administration Guide, you will see the following statement for the las.caching.permission.lifetime property.

sets the duration of time (in seconds) for which permission information is cached by the LASR authorization service. The default is 900 seconds (15 minutes). Do not set a custom value unless you are directed to do so by SAS Technical Support.

 

I logged into VA as a user that had no access, then as an admin in SAS Management Console granted them access. Every few minutes I refreshed the report as the user in SAS VA. The error disappeared and the report displayed correctly after about 15 minutes. I also tried logging out and re-logging in but that seemed to have no effect.

 

When I did my test earlier I don't remember waiting that long, but it may be because I reloaded the table or tried it as a different user. I'll leave it to you to test out those scenarios 😉

 

BTW you can find out the VA version when logged into VA by clicking on the question mark icon in the top right hand corner and selecting the About menu item.

infmja
Obsidian | Level 7
Thanks for the help so far! 🙂

Looks like that's the case. It's now working as expected again. Not sure if it's already working for our customers. I have to test that.
Do they need Read permissions on the report/parent folders of the report itself too or just on the tables/parent folders of the tables?

Checked the version now in the frontend, and yes, it's version 7.3.
PaulHomes
Rhodochrosite | Level 12

Have a look at the Permissions doc link I posted above. You'll see tables that show, for various tasks, what the minimum permissions required are, for the various parts (servers, libraries, folders, tables, reports, explorations etc) in order to be able to do that task. You will see that to view a report you only need RM for the report (and RM for the folders to be able to navigate to it). You need RM and R for the tables as the data source for the report. If you follow metadata security best practices, the required sets of permissions can flow consistently from standard ACTs applied to key objects/folders.

 

Those documentation tables are very useful. To confidently manage metadata security you will also need an understanding of identity hierarchies, object inheritance paths, conflict resolutions rules, and best practices. If you are not confident with those then I recommend reading the docs, attending the SAS Platform Administration Fast Track course, and reading best practice papers by the likes of @CecilyHoffritz & Johannes Jørgensen, @DavidStern, and @angieh.   There are also a couple of webinars on metadata security best practices coming up soon: Angie Hedberg and @MichelleHomes are doing one this week - see https://www.sas.com/en_us/events/users-groups/17q3/security-best-practices.html and David Stern and I are also doing one in October - see https://www.sas.com/en_gb/events/2017/user-webinars/security-model-designs.html

 

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

Tips for filtering data sources in SAS Visual Analytics

See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • 3247 views
  • 5 likes
  • 2 in conversation