In this blog post I’d like to explore how to create a custom group in SAS Viya to restrict access to functionality. To illustrate my points, we will create a report developers custom group and ensure that only users of that group can create reports and analysis in SAS Visual Analytics.
What a user or group can do (and see) is controlled by rules. A rule is a composite of authorization elements including:
- Principal: user or group.
- Target: a resource for example a service, folder or report.
- Permissions: type of access for example read or write.
- Setting: indication of whether access is provided, for example grant or prohibit.
The target of a rule is identified by a uniform resource identifier (URI). The URI can represent a folder, content such as a report or data plan, or functionality such as being able to import data. Here are some examples of URIs in SAS Viya:
- Data Plan: /dataPreparationPlans/plans/810e2c6b-4733-4d53-94fd-dfeb4df0de9e
- Folder: /folders/folders/e28e35af-2673-4fc7-81fa-1a074f4c0de9
- Functionality: /SASVisualAnalytics/**
In our example, we will look at restricting access to SAS Visual Analytics for a subset of users. In SAS 9.4 this would have been accomplished using roles and capabilities. In SAS Viya, we will:
- Create a custom group.
- Govern that group's access to functionality using rules.
Create a New Custom Group
In SAS Environment Manager, as an administrator (only administrators can manage users and groups) select Users > Custom Groups > New.
In the new custom group screen give the group a name, a unique id and a description. We will call our group Report Developers.
After the new group is created, click the edit button to add new members to the group. You can add users or other groups as members of the new group.
Change the Rules so that Only Report Developers can Access the SAS Visual Analytics Application
Now that we have a new group called Report Developers, the next step is to create or update the rule that determines who can access this functionality. First, we will look at what rules currently apply to SAS Visual Analytics.
In SAS Environment Manager select the Security menu item and select the Rules view.
Select Filter by: ObjectURI and enter SASVisualA in the search box.
The second rule listed is the one we are interested in. Notice that the URI ends with /**. URIs can end with /* or /**. An objectUri that includes the /** suffix affects access to all descendant functionality. For example, /SASVisualAnalytics/** means all functionality in the SAS Visual Analytics application.
Select /SASVisualAnalytics/** and click the Edit icon. The attributes show that this rule determines who can use SAS Visual Analytics. Currently you’ll see:
- Grants Read access
- to /SASVisualAnalytics/** and all its descendent functionality
- to all authenticated users.
The rule works because the general authorization system implicitly disallows any access that is not granted. The current rule overrides the implicit deny to allow authenticated users to access SAS Visual Analytics. We will edit the rule and change the principal from Authenticated Users to ReportDevelopers.
In the edit rule screen under Principal, select ReportDevelopers.
The impact of the change is that now only users who are members of the Report Developers group can access the Visual Analytics application to create reports.
To test this, you can log on as a user who is not a member of the group. Those users will be able to navigate to reports and open them using the report viewer, but they will not be able to access SAS Visual Analytics to create new reports.
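To make the evaluation described above concrete, here is a small added model of the rule logic (example code, not part of SAS Viya or of this post): implicit deny unless a matching rule grants the permission, /** covering all descendants, and the effect of switching the principal from Authenticated Users to the ReportDevelopers group. The group membership, the descendant URI under /SASVisualAnalytics, the /* "immediate children only" semantics and the "prohibit overrides grant" precedence are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

AUTHENTICATED = "authenticatedUsers"  # stands in for the "Authenticated Users" principal


@dataclass(frozen=True)
class Rule:
    principal: str           # user name, custom group id, or AUTHENTICATED
    object_uri: str          # target; may end with /* or /**
    permissions: frozenset   # e.g. frozenset({"read"})
    setting: str = "grant"   # "grant" or "prohibit"


def uri_matches(pattern: str, uri: str) -> bool:
    """/** covers the object and all descendants; /* only its immediate children (assumed)."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return uri == base or uri.startswith(base + "/")
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return uri.startswith(base + "/") and "/" not in uri[len(base) + 1:]
    return uri == pattern


def principal_matches(rule: Rule, user: str, groups: set[str]) -> bool:
    return rule.principal in (AUTHENTICATED, user) or rule.principal in groups


def is_allowed(rules, user: str, groups: set[str], uri: str, permission: str) -> bool:
    """Implicit deny: access exists only if some matching rule grants it.
    A matching prohibit wins over any grant (assumed precedence)."""
    granted = False
    for r in rules:
        if permission not in r.permissions or not uri_matches(r.object_uri, uri):
            continue
        if not principal_matches(r, user, groups):
            continue
        if r.setting == "prohibit":
            return False
        granted = True
    return granted


# Constructed membership: only alice belongs to the ReportDevelopers custom group.
MEMBERSHIP = {"alice": {"ReportDevelopers"}, "bob": set()}
ORIGINAL_RULE = Rule(AUTHENTICATED, "/SASVisualAnalytics/**", frozenset({"read"}))
EDITED_RULE = Rule("ReportDevelopers", "/SASVisualAnalytics/**", frozenset({"read"}))


def can_open_va(user: str, rules) -> bool:
    # Constructed descendant URI under the application's objectUri.
    return is_allowed(rules, user, MEMBERSHIP[user], "/SASVisualAnalytics/reports/new", "read")
```

Running the checks in the test shows bob allowed under the original rule, denied once the principal is changed, and an unrelated URI such as /reportData_capabilities/exportData denied for everyone because no rule grants it.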
That is a quick look at using custom groups and rules to dictate what users can do in SAS Viya. There is much more detail on these topics in the SAS® Viya 3.2 Administration Guide:
8 Comments
Very good Gerry, see how I can prohibit them from exporting data in Excel format
The endpoints and their meaning are documented in the Admin Guide:
https://go.documentation.sas.com/?cdcId=calcdc&cdcVersion=3.5&docsetId=calatf&docsetTarget=n0o6xx292jn2jmn1pnj3s3oqcebw.htm&locale=en
I believe it is one or both of these:
Export data from reports.
/reportData_capabilities/exportData
Export detail data from reports.
/reportData_capabilities/exportDetailData
Hello Gerry,
great article, thank you very much!
As you might know, by default after a deployment of SAS Viya, the system is way too open for Authenticated Users, especially for Viya environments with access from the internet, and such
Yours is a great example of how to close part of this gap. Is there, or could there be created, a document to set some best recommendations on rules in Viya?
Also, a tool to set authorization matrix would be very useful. The current list provided by the CLI, or the SAS Environment Manager GUI, is very hard to process, having more than a thousand (1000) entries.
Thank you in advance,
Kind regards,
Juan
Thanks Juan,
I am glad you found the blog useful.
There are some efforts ongoing to both make the interfaces easier, and standardize the default set of rules.
I think your suggestion for best practices is a good one too and I will pass it on.
Gerry
Hi Gerry,
I have a customer who would like to block access to VA 8.2 from SAS Office Add-In. I cannot find any rules that allow it. Is it perhaps accomplished by denying access to SAS Mobile BI (that would be OK for this customer)?
Regards
I don't see a relevant rule in the documentation either. I am not sure if /SASMobileBI/** would do it. It might be worth a test.
Hi Gerry - great article! One small bit of feedback - those links didn't work for me.
Thanks Allan, the links should be fixed.