BookmarkSubscribeRSS Feed

SAS Admin Notebook: Folder Security - SAS Viya vs. SAS 9

Started ‎08-22-2018 by
Modified ‎08-27-2018 by
Views 7,316

You may have noticed that there are many similarities as well as differences between SAS 9 metadata security and the SAS Viya General Authorization system. One thing that has not changed is that it is still a good practice to set permissions on folders whenever possible (as opposed to individual objects). One thing that has changed in Viya is the permissions that are available on folders.


In SAS 9, permissions on metadata folders (except for WriteMemberMetadata) perform double duty: control what you can do to the folder itself and get inherited by the objects in the folder. In Viya, folders now have two distinct sets of permissions: one set of permissions only applies to the folder itself and the other set of permissions is passed on to the child members of the folder.


In my environment, I have created a Marketing folder to use as an example. Looking at the properties of the Marketing folder in SAS Environment Manager's Content page and expanding the Advanced section, you can see that the folder was created by sasadm. sasadm is the user id for the SAS Administrator user.




To view the permissions for the Marketing folder, right-click on the folder and select View Authorization.


Note: You have two options when it comes to looking at permissions, View Authorization and Edit Authorization. It's generally best to start with the View Authorization option unless you know you'll be changing permissions. The View Authorization window has an Edit button that will let you quickly switch to edit mode.


The first set of permissions in the Authorization window (Read, Update, Delete, Secure, Add, Remove) affect the folder itself. The second set of permissions listed (Read (convey), Update (convey), Delete (convey), Secure (convey), Add (convey), Remove (convey)) are the permissions the folder passes on to its child members. For more details on the specific permissions, refer to the SAS Viya 3.4 Administration documentation.




Note: The Show horizontal column headings option is new in SAS Viya 3.4.


The Marketing folder effective access settings include:

  • The creator of the folder (SAS Administrator) is automatically directly granted all permissions on the folder.
  • The SAS Administrators group by default is given broad access throughout the General Authorization system. This access is granted through predefined rules. We'll see more about rules later.
  • The Marketing group has been directly granted Read on the folder object (so members of the group can see the folder) and the conveyed permissions to give the members of the group access and control over the contents of the folder.
Note: A directly applied permission shows this imagenext to the effective access indicator:



If you want to see the effect of the Marketing group permissions on its members, you can edit the Authorization settings and add one of the members, for example Sophia.


Note that Sophia's permissions match those of the Marketing group.




It seems likely that Sophia's permissions come from the Marketing group settings but you can verify the source of her effective access. Left-mouse click on the specific permission, in this example I clicked on Sophia's Read permission. In the pop-up window, select the Contributing Rules tab.




There is only one rule contributing to Sophia's Read permission setting, the rule granting the Marketing group Read permission on the Marketing folder. How can you tell this rule is for the Read permission and not the Read (convey) permission? The rule is applied to the Object URI and not the Container URI. The Object URI refers to the permissions that affect the folder itself, the first set of permissions listed in the Authorization window. The Container URI refers to the conveyed permissions.


Note: The Contributing Shares tab is tied to new functionality in Viya 3.4 that allows users to share certain content. It's a big topic I'm not even going to broach here.


Note: In Viya 3.3, identifying the source of effective access is a little different.


Let's examine the origin of Sophia's Read (convey) setting.




Sophia's Read (convey) grant also comes from a setting for the Marketing group on the Marketing folder, but this time on the Container URI.


Note: Since we did not alter Sophia's permissions, you will find that if you close and reopen the Authorization window for the Marketing folder, she will no longer be listed.


As you might expect, the conveyed permissions only show up on folders. For example, here is the Authorization window for the Marketing Campaigns 2018 report.




If you are only going to use the Authorization window in SAS Environment Manager to set general authorization permissions, you need to understand the difference between the two sets of permissions that can be set on folders.


If you are going to use either the Rules page in SAS Environment Manager or the sas-admin command line interface (CLI) to set and manage general authorization permissions, you'll need to explore the object and container URIs a bit more.


A very nice general introduction to URIs in SAS Viya can be found here: Uniform Resource Identifiers (URI) in SAS Viya.


The general authorization settings you create in the Authorization window or through the sas-admin CLI translate to rules. You can use the Rules page in SAS Environment Manager to manage authorization rules directly.




As I alluded to earlier, some rules apply to just Object URIs or to Container URIs and some rules apply to both. By default, the Rules page does not show the Container URI information so I like to add that to the view.


Select the following icon and then select Manage Columns to add and reorder the columns as you like:



I like to add the Container URI column and put it right after the Object URI column. This matches the order in which the permissions are listed in the Authorization window we were looking at earlier.




You will find that even out of the box there are quite a few rules. The best approach to locate a specific rule is to use the search functionality provided. As you can see on the Rules page, there are several options when it comes to searching for specific rules. For example, to find the rules that apply to the Marketing folder directly I like to use the drop down next to either the Object URI or the Container URI fields.


Let's start by looking for the rules that apply to the Marketing folder Object URI. Right-click on the drop-down arrow next to Object URI and select URI.




Navigate to the folder, select the folder and click OK.




If, like me, you find yourself surprised when the Rules page doesn't change, don't forget to click the Apply button: Rules_Apply.png


The rules that apply to the Marketing folder as an object are returned:

  • A rule granting sasadm all of the permissions on the object and container.
  • A rule granting the Marketing group Read access to the Marketing folder as an object.


You can tell which set of permissions (object or container) are controlled by a given rule if there is a URI in the Object URI column or in the Container URI column or in both columns.




To find the rule that grants the Marketing group the conveyed permissions:

  1. Click Reset all.
  2. Use the drop-down arrow next to the Container URI search field and navigate to the Marketing folder.
  3. Click Apply.




If you are using the Rules page to search, manage, or create rules for folders, I find it incredibly helpful to include the Container URI column in the view. In addition, if you plan to use the command line interface (CLI) to view or set rules, the syntax requires the use of the object URIs and container URIs.


For example, if I wanted to use the sas-admin CLI to grant the Marketing group Read on the Marketing folder object, the command would be:


sas-admin authorization grant --permissions Read --object-uri /folders/folders/186d4781-
e8c1-4395-8c47-513060f2dedd/** --group marketing


Note: The object URI listed is specific to the Marketing folder in my environment. When using CLIs you will need to identify the specific URIs for the objects in your environment.


The command to grant the Marketing group the conveyed permissions on the Marketing folder would be:


sas-admin authorization grant --permissions delete,read,update,remove,secure,add 
--container-uri /folders/folders/186d4781-e8c1-4395-8c47-513060f2dedd --group marketing


If you're wondering why I didn't use a simpler way of referring to the Marketing folder, say by name, it is not an option at this time.


If you're interested in using the sas-admin CLI, you'll definitely want to read up on it. One thing that took me a while to grasp is that in order to refer to a folder as an object you need to include /** at the end of the object URI, for example /folders/folders/186d4781-e8c1-4395-8c47-513060f2dedd/**. If you want to refer to the folder as a container, you do not put anything at the end of the URI, for example /folders/folders/186d4781-e8c1-4395-8c47-513060f2dedd. In other circumstances, like a service, the /** at the end refers to the service and all of its endpoints (or subfunctionality within the service).


If you'd like to do some more reading, here are some additional resources:

Version history
Last update:
‎08-27-2018 10:54 AM
Updated by:


Don't miss out on SAS Innovate - Register now for the FREE Livestream!

Can't make it to Vegas? No problem! Watch our general sessions LIVE or on-demand starting April 17th. Hear from SAS execs, best-selling author Adam Grant, Hot Ones host Sean Evans, top tech journalist Kara Swisher, AI expert Cassie Kozyrkov, and the mind-blowing dance crew iLuminate! Plus, get access to over 20 breakout sessions.


Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags