-
Latest Tweets
Tags
Accounts/Logins Active Directory Backup Base SAS Best Practices Blogging I/O IWA Kerberos Linux Logging Metacoda Security Plug-ins Metadata API Metadata Migration Metadata Promotion Mid-Tier ODBC ODS OLEDB PAM platformadmin.com Roles & Capabilities SAS SAS/ACCESS SAS 9.1 SAS 9.2 SAS 9.3 SAS Architecture SAS Configuration SAS Enterprise Guide SAS Hotfixes SAS Information Delivery Portal SAS Installation SAS Management Console SAS Metadata Security SAS Training SAS Usage Notes SASware Ballot SPN SQL Server Support Resources Ubuntu UNIX Windows Windows 2008 R2Metacoda Links
SAS Institute Links
Blog Roll [ ... and links to blog rolls]
SAS Communities
SAS User Groups
Categories
- General
- Interesting SAS Usage Notes
- Linux
- Metacoda Security Plug-ins
- SAS Architecture
- SAS Configuration
- SAS Documentation
- SAS Enterprise Guide
- SAS Installation
- SAS Management Console
- SAS Metadata
- SAS Metadata Security
- SAS Open Metadata API
- SAS Software
- SAS Support Resources
- SAS Training
- SAS User Groups
- Solaris
- VirtualBox
- Windows
Archives
Roles (or not) in Access Controls: SAS® 9.1.3 vs SAS® 9.2
Today I noticed a difference between SAS 9.1.3 and SAS 9.2 with respect to the use of roles in metadata security access controls.
In SAS 9.1.3 it was possible, though not recommended, to use roles in access controls such as Access Control Entries (ACEs) and Access Control Templates (ACTs). Here is a screenshot of SAS Management Console 9.1 where I am in the process of adding a group to an ACT. Notice that the SAS Web Report Studio roles are available for use (I have highlighted them with a red square).
I noticed today that SAS 9.2 prevents you, at least from within SAS Management Console, from using roles in access controls. Here is an equivalent screenshot of SAS Management Console 9.2, where I am also in the process of adding a group to an ACT. This time only the normal groups are available for use, none of the roles are available.
It was good to see this enhancement in SAS 9.2, as it helps promote good practices. Roles exist to provide a container for groups of users to gain access to application functionality. It is not recommended that they be used in access controls that secure general metadata objects such as folders, servers etc. SAS 9.1.3 introduced roles, with hard-coded or implicit capabilities, where they were used only by SAS Web Report Studio as far as I am aware. The use of roles was significantly expanded in SAS 9.2, with configurable/customizable capabilities to allow administrators to control the availability of application functionality in SAS Management Console, SAS Enterprise Guide, SAS Add-In for Microsoft Office, SAS Web Report Studio and SAS BI Dashboard.
I was surprised I hadn’t noticed this improvement until today, but then I guess I am not usually inclined to use roles in access controls
If you want to find out more about roles and capabilities in SAS 9.2, I would definitely recommend reading Kathy Wisniewski‘s paper Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2 from SAS Global Forum 2010 available from http://support.sas.com/resources/papers/proceedings10/324-2010.pdf