The permissions required/enforced depend on where the data resides and the manner in which it is accessed. Consideration needs to be given to permissions at multiple layers: the metadata layer (for the metadata objects that describe the physical objects), permissions at the data layer and permissions at the storage layer - this could be a 3rd party database, file system, etc.
Some examples/options:
1) When using a 3rd party database using a SAS/ACCESS engine: metadata permissions on folder, table and library objects govern who can see and manipulate the metadata "view" of those external tables but not the content of those tables. Permissions at the database authorization layer will determine who can do CRUD and DDL operations.
2) When using the SAS BASE engine WITHOUT the Metadata Libname Engine (MLE): metadata permissions on folder, table and library objects govern who can see and manipulate the metadata "view" of those SAS datasets but not the content of those SAS datasets. Metadata permissions RM, WM/WMM, CM will control who can register and unregister the data (the data permissions R,W,C,D will be ignored). File system access controls will determine who can manipulate the SAS dataset files (where it's effectively read-only or read/write).
3) When using the SAS BASE engine WITH the Metadata Libname Engine: metadata permissions on folder, table and library objects govern who can see and manipulate the metadata "view" of those SAS datasets and the content of those SAS datasets - i.e. in addition to metadata RM, WM/WMM, CM permissions, the data permissions R,W,C,D will also be enforced (but only when accessing through the MLE). File system access controls will still determine who can manipulate the physical SAS dataset files. The main thing to beware of here is that whilst you may present an MLE view, savvy users with file system write permissions will be able to bypass it by coding their own libname statements ... if this is a concern then Metadata-Bound Libraries may be of interest.
4) For more control you can secure the underlying storage for a BASE engine library by converting it to a Metadata Bound Library (MBL). This protects the SAS datasets and contents with more traditional DB-style permissions (S, I, U, D, AT, CT, DT), maintained in metadata and always enforced. A savvy SAS user will not be able to bypass the metadata layer permissions by coding their own libname statement. You may however still need to consider file system access for users that can access the op-sys and do file system level operations (rm, mv etc).
There is also the potential of adding in mediated-access for file-system access control but this is already a long response so I'll just add it as an additional point of interest that may be worth looking into 🙂
From your description I imagine that option 4 (MBL), or possibly option 1 (DB), will give you the level of control you need (as others have suggested) but there are always pros/cons to each approach that need to be considered against requirements so your situation may warrant something different or a hybrid. If you need more help in planning/testing this then I'd definitely recommend getting SAS Professional Services or a local SAS Partner in to advise further.
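The difference between options 3 and 4 above, as an added SAS example that is not part of the original post. The library names, the path `/data/sales`, the folder name and the password are constructed placeholders, and the session is assumed to already have a metadata server connection configured.

```sas
/* Added example: every name, path and password here is a constructed
   placeholder, not a value from the original post. */

/* Option 3: access through the Metadata LIBNAME Engine (MLE).
   The metadata data permissions (R, W, C, D) are enforced on this
   path, and only on this path. */
libname sales meta library="Sales Data" metaout=data;

/* The same physical directory assigned directly with the BASE engine.
   Metadata permissions are not consulted here; only the file system
   access controls on /data/sales decide what this libref can do.
   This is the assignment an administrator should test when checking
   whether the MLE view is the only route to the data. */
libname direct base "/data/sales";

/* Option 4: bind the physical library to metadata with PROC AUTHLIB.
   Run by an administrator holding a direct BASE assignment. After
   this step the secured-library permissions kept in metadata apply
   to the tables whichever libname statement is used to reach them. */
proc authlib lib=direct;
   create securedfolder="Sales"
          securedlibrary="SalesSecured"
          pw=examplpw;
run;
quit;

/* Confirm the binding: REPORT lists the physical tables together
   with the secured library and table objects they are bound to. */
proc authlib lib=direct;
   report;
run;
quit;
```

File system permissions on the directory still need reviewing after the binding, since operating system commands such as `rm` and `mv` act on the files without going through SAS.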