SAS Environment Manager 2.1 (which was released with SAS 9.4 M1) has new features that make it easier to manage your SAS environment. For example, it now supports metadata clusters, and it has an improved method for handling access to the application. But the biggest change is in metadata access.
SAS provides a robust model for managing access to objects in metadata. By using Access Control Templates (ACTs), you can grant or deny access to users or groups of users for everything from folders to tables. Objects can inherit permissions from parent objects, making it easier to set up permissions on large groups of objects.
But the flexibility of the access controls can also make it hard to figure things out. Are the permissions on an object set directly, or are they inherited from something else? If they’re inherited, where are they inherited from? If I want to change something, where can I change it? Up until now, it’s been hard to answer questions like these. SAS Environment Manager 2.1 helps you answer these questions and makes it easier than ever to manage the access permissions.
Finding the access controls for an object
If you want to look at the access controls for an object, you only have to go to the Administration tab in SAS Environment Manager, select the object from the tree, and click the Authorization tab. Right away, you’ll see a summary of the authorization controls for the object (in this case the Visual Analytics Public Data Provider library).
The table and the symbols make it easy to see what permissions are in effect for each identity. For example, here we can see that the ReadMetadata permission is denied for the PUBLIC identity, and it’s granted for the SAS Administrators, SAS System Services, and SASUSERS identities. Yellow squares next to some of the permissions quickly let you know that the permission has been applied by a direct control on the object, rather than being inherited. You can also hover your mouse over the control to see whether it was applied directly or inherited.
Here we can see that the SASUSERS identity has had several permissions directly granted. But that also means that all of the other permissions for this library were inherited from somewhere else. Where did they come from?
Two ways to trace the source of inherited access controls
Figuring out inherited permissions has often been a challenge. You could trace an object’s inheritance tree using SAS Management Console, but you couldn’t see exactly what permissions were inherited from where. But by using SAS Environment Manager, we can easily figure out where all of those access controls were inherited from. There are a couple of ways to do this.
Method 1. First, let’s look at the big picture. When we’re looking at the permissions for an object, we just click the Explore Object Inheritance icon to see an inheritance diagram for the object’s controls.
In this example, you can see that the library we’re looking at inherits permissions from a series of folders, from Public through SAS Folders, and then from the default ACT for the metadata repository. That’s a start, but we need to know exactly what was inherited at each step.
Let’s start by expanding all of the nodes in the diagram.
Now we can see which identities had permissions set by each node. Next, let’s see specifics about which permissions were set. By expanding the identities in each node, we can see exactly what permissions are granted or denied at each point in the inheritance. We can see that the Default ACT grants the ReadMetadata, WriteMetadata, and CheckinMetadata permissions for the SASUSERS group, and that the Administer, Read, and Write permissions are explicitly granted on the object.
Method 2. The second way of understanding where permissions are applied is even easier. When you’re looking at all of the permissions for the object, just click on the icon for a permission you’d like to know more about, and then select Show Origins from the pop-up menu (left). A new window shows you where the permission was set (right).
If you’re an unrestricted user, the pop-up menu (left above) also lets you quickly and easily change the permissions for the object.
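The origin tracing described in both methods can be sketched in code. This is an added example, not SAS code or any SAS API: the `Node` class and the `chain` and `show_origins` functions are hypothetical names, and the data is constructed from the settings described above. It assumes a simplified rule in which the nearest node with a setting for the identity wins, covers one identity at a time, and leaves out any folders between Public and SAS Folders.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    # controls[identity][permission] -> "grant" or "deny"
    controls: dict = field(default_factory=dict)
    parent: Optional["Node"] = None

def chain(obj):
    """Yield the object, then each ancestor, ending at the repository's default ACT."""
    node = obj
    while node is not None:
        yield node
        node = node.parent

def show_origins(obj, identity, permission):
    """Return (setting, kind, origin) for one identity and permission.

    Simplifying assumption: the nearest node with a setting for this
    identity wins. Precedence between different identities is not modelled.
    """
    for node in chain(obj):
        setting = node.controls.get(identity, {}).get(permission)
        if setting is not None:
            return setting, ("direct" if node is obj else "inherited"), node.name
    return None, "unset", None

# Constructed data: the chain and the SASUSERS settings the article describes.
default_act = Node("Default ACT", {"SASUSERS": {
    "ReadMetadata": "grant", "WriteMetadata": "grant", "CheckinMetadata": "grant"}})
sas_folders = Node("SAS Folders", parent=default_act)
public = Node("Public", parent=sas_folders)
library = Node("Visual Analytics Public Data Provider", {"SASUSERS": {
    "Administer": "grant", "Read": "grant", "Write": "grant"}}, parent=public)

if __name__ == "__main__":
    for perm in ("ReadMetadata", "WriteMetadata", "Read", "Write", "Delete"):
        print(perm, show_origins(library, "SASUSERS", perm))
```

A permission reported as "direct" corresponds to the yellow-square marker in the summary table, and the origin name is what Show Origins reports for an inherited one.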
SAS Environment Manager offers other authorization features that aren’t covered here. You can manage authorization at a detailed level by adding users or groups to an object. This lets you control how smaller groups of users can access the object. Or you can implement wider-reaching access controls by applying already-defined ACTs to the object. This lets you easily implement a set of controls without having to specify explicit controls on the object.
Although metadata access controls can weave a complex web, SAS Environment Manager gives you an unprecedented ability to untangle the strands and understand how everything fits together.