SAS 9.1.3 Metadata Security – Go ask your mother

So I’m attending the advanced metadata security course for SAS 9.1.3 at the moment.

It is a complex area and really does my head in. But here is a way that (I think) I understand how it works.

There are two different rules that are applied to any metadata object:

1) Direct – When security is applied directly to an object (i.e. in Management Console you HAVE ticked a metadata security box for the object, so it’s white or green)

2) Inherited – When security is not applied to an object, it is inherited (i.e. in Management Console you have NOT ticked a metadata security box for the object, so it’s grey)

So here is how I think the rules for each of these works:

1) Direct – When security is directly applied to an object.

The identity hierarchy model applies. This means it looks at the level at which each permission has been applied to the object and whether it was applied as an ACT (access control template) or an ACE (access control entry).

  • The permission closest to the user wins
  • A deny always wins over a grant, if at the same level (and type)
  • ACEs always win over ACTs

Or in something I can understand:

  • If you ask your mother and she says yes, then you ask your father and he says no, the answer is no (deny at same level)
  • If you ask your mother and she says yes, then you ask your grandfather and he says no, the answer is yes (permission closest to user)
  • If you ask your mother (ACE) and she says yes, then you ask your teacher (ACT) and she says no, then the answer is yes (ACE always wins)

2) Inherited – When security is not applied to an object

The inheritance model applies. This means every permission is placed in a bucket and if a grant is found anywhere, you have got it.

  • Levels don’t count
  • A single grant always wins over any and all denies
  • ACE vs ACT makes no difference

Or using the same analogy:

  • You are at a family reunion, you yell out a question, somebody yells yes, the answer is yes

And the last thing I learnt was if somebody said no (i.e. you can’t see something as a user) then if you ask why, the only answer you will get is “because I said so”.

Which means it is very very hard to find out what stopped you seeing it. Although I believe Paul at metacoda.com has some cool tools in the pipeline to help with this.
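The two rule sets above, written out as a small resolver. This is an added example, not SAS code or course material: `Entry`, `resolve_direct` and `resolve_inherited` are hypothetical names, the entries are constructed from the analogy, and applying the direct rules in the order type, level, deny is an assumption read from the wording above. Each resolver also returns the entry that decided the outcome, which is the "why" the post says is hard to get.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    who: str       # label for the identity the setting was made for
    level: int     # 1 = closest to the user, 2 = one step further away, ...
    kind: str      # "ACE" or "ACT"
    grant: bool    # True = grant, False = deny


Decision = Tuple[bool, Optional[Entry]]


def resolve_direct(entries: List[Entry]) -> Decision:
    """Direct model: security is set on the object itself.

    Assumed precedence: ACE before ACT, then the level closest to the
    user, then deny before grant when type and level are equal.
    """
    if not entries:
        return False, None
    # Tuple sort: False < True, so ACE sorts first and deny sorts first.
    winner = min(entries, key=lambda e: (e.kind != "ACE", e.level, e.grant))
    return winner.grant, winner


def resolve_inherited(entries: List[Entry]) -> Decision:
    """Inherited model: everything goes in one bucket, any grant wins."""
    for e in entries:
        if e.grant:
            return True, e
    return False, None  # no grant anywhere, and no single entry to blame


if __name__ == "__main__":
    # Constructed entries mirroring the analogy in the post.
    mother = Entry("mother", 1, "ACE", True)
    father = Entry("father", 1, "ACE", False)
    grandfather = Entry("grandfather", 2, "ACE", False)
    teacher = Entry("teacher", 1, "ACT", False)
    for label, case in [("mother/father", [mother, father]),
                        ("mother/grandfather", [mother, grandfather]),
                        ("mother/teacher", [mother, teacher])]:
        allowed, why = resolve_direct(case)
        print(label, "->", "yes" if allowed else "no", "decided by", why.who)
    print("reunion ->", resolve_inherited([father, grandfather, teacher, mother]))
```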

* Thanks to Adam Player for a great course and even better analogies!