I’ve recently had the opportunity to learn a little more about administering SAS Visual Analytics. The sessions introduced me to two new GUI interfaces that simplify the work for SAS administrators. In my last post, I shared how to load data into memory using the SAS Visual Data Builder.
After building the table, loading into memory and scheduling the query, you will want to work on the user or group permissions for the dataset. You can use the SAS Visual Analytics Administrator for this task.
Accessing the table
To access the SAS Visual Analytics Administrator, return to the SAS Visual Analytics home page by selecting the HOME icon and select Manage Environment from the right hand pane. Your userid must have the appropriate permissions to be able to utilize all of the features I am going to show below:
To view the current permissions on the table, expand the LASR directory tree in the left hand side pane. Double-click on the SampleClaims table that we’ve been using for this discussion. You’ll see the permissions listed by type of access permitted for each user role.
Setting permissions
Defining user groups can be done within SAS Management Console. Once I have my user groups, I can then set permissions within SAS Visual Analytics. In this particular situation, SASUSERS is the collection of all users who have access to SAS. SAS Administrators and SAS System Services are a subset of the SASUSERS group by definition. You may have other groups defined, such as Finance or Marketing. The following tasks can be done on any of your user groups as needed.
I want to give my SASUSERS read permissions, but I don’t want them to delete or overwrite the existing table. When I click on “grant” or “deny”, it becomes an explicit permission. An explicit permission is one that the administrator has expressly set. Implicit or inherited permissions will then be set for the subset of users within SASUSERS (my SAS Administrators and SAS System Services groups).
To change the permission explicitly, I select the icon I wish to change for the user or user group I wish to change.
When I make SASUSERS an explicit Deny for WriteMetadata access, the SAS System Services and SAS Administrators inherit a Deny as shown below. Explicit permissions are denoted by a yellow star.
Since SAS Administrators and SAS System Services should have WriteMetadata access, I will need to go in and give the SAS System Services and SAS Administrators groups an explicit grant.
The same process will need to be repeated for other permissions columns such as Write, Administer, and Delete. All the permissions should look like the table below, with explicit permissions denoted by a yellow star.
Testing the result
Once your query has been scheduled and you’ve set all your user permissions, it’s good practice to create an exploration to determine the table has loaded correctly and to see what end-users will see.
Returning to the Home page, select Create Exploration --> Select a Data Source. Scroll down to your table (here we're testing the SampleClaims table) and select Open.
Take advantage of the auto-charting feature in the SAS Visual Analytics Data Explorer by simply dragging and dropping whatever categories or measures you’d like to view onto the workspace. In this example, I’ve selected the variables Claim Amount and Type of Car, and the auto-charting facility automatically selects a bar chart for me.
I hope this has helped you get up and running with some common administrator tasks within SAS Visual Analytics!
11 Comments
hi, and its possible to know in sas va report (to use in any calculated items...) the "current user" id or group ?
Thanks for the article. Does the same apply for explorations and reports? I want my users to view and interact with my explorations but not overwrite them. I'd like for them to be able to save their own copies if they need to modify.
Thanks,
Matt
Is it possible in SAS VA to create permissions that will effect report filters instead of files or folders?I want the data in my report to be filtered by the end user login information so that the end user can only see summary data and detailed data associated with that user but no one else.
Hi Bonnie,
Thanks for your question! You can accomplish this with row-level security when you have Visual Analytics Administrator privileges.
Here is a paper that may help:
http://support.sas.com/resources/papers/proceedings15/SAS1779-2015.pdf
If you have other questions about that, please reach out to SAS Technical Support.
Thank you!
Wendy
Hi. A very interesting article. It describes the security on a table. I am interested to know if the same principal applies to folder permission. For example if I have folder A and folder b. I have two groups "all_users" and "report_writers" where report_writers is a subset of all_users. All_users has read only permissions and report_writers has read write access. All users_users has access to both folders and report_writers has access to folder B only. Will that work so the report writes can develop reports in folder b, and the rest of all_users can look at the reports developed in folder B.
Yes, you can set user and group permissions at the folder level! Thank you!
Wendy
Hi there,
Nice, informative article. Thanks.
I am new to the world of SAS VA administration. I am asked to assign access to three sets of groups to access SAS VA. Member of one group can see each other work but should not be able to access other group's work. To do that I created three different groups in SAS Management consoles and assigned them SAS Visual analyst role at each group level. I created individual users with no roles and assigned them respective groups. Access will be activated from next week and I am wondering if I did right thing or missed out on any? Appreciate your help. Thanks.
Hi,
That sounds like you've thought about the right things!
The next step you might want to consider is adding the group level permissions to folders- so group A has permission for Read/Write on folder A, but group B and C do not have permission for Folder A. That way everyone in Group A can work with each other's work in Folder A, but groups B and C cannot see it.
Group B has permission for Read/Write on folder B, but group A and C do not have permission for folder B; etc. In my experience that is the easiest way to have those group permissions working.
For any troubleshooting you may run into, please do reach out to SAS Technical Support for assistance.
Thank you and have a good time with SAS Visual Analytics! I hope you all will enjoy it as much as I do!
Wendy
Thanks heaps Wendy
I AM A SAS ADMINSTRATOR AND I NEED HELP WITH PERMISSION ACESS. I AM TRYING TO DELETE A USER NAME WHERE THE WRITE META FOR THE USER IS MARKED DENY INSTEAD OF GRANTED. IS THERE A WAY TO REVERSE THE PERMISSION ACCESS FOR A USER NAME. CURRENTLY I DO NOT HAVE ACCESS TO CHANE THE PERMISSION OR DELETE THE USER ID
Hi! Thanks for writing. Do you have access to SAS Management Console? If so, I would go into the user manager in SAS Management Console, select the user, and change the metadata permissions appropriately in there. If you do not have access as an administrator, you will need to contact your site administrator to perform this task for you.
You can read more on the subject here: http://support.sas.com/documentation/cdl/en/mcsecug/64770/HTML/default/viewer.htm#n1onkjqqkpz6fin1k0rnufxp57ie.htm
If you reach out to SAS Technical Support, they can also provide further guidance.
Thank you so much!
Wendy