3 thoughts on “Inheritance Paths”

  1. Hi Paul,

    Thanks a lot for posting such insightful knowledge. As a SAS BI administrator, I fully acknowledge the awareness of inheritance path mechanisms to solve tricky permissions issues. In the 9.1 SMC, for instance, when the inheritance paths were involved, the *effective* rights permissions were sometimes not displayed at all (the notorious grey ticking boxes of authorization tab …) thus misleading the administrator into wrong guesses if he had no inheritance plug-in installed… Since in the 9.2 SMC, only effective permissions are displayed we can be more confident in the same cases.

    NTFS file permissions inheritance mechanisms are more complete in this regard, yet quite difficult to manage also. For instance, inheritance can be disabled at any folder level and the initial permission sets can be applied directly (“retained”) to the now orphaned folder.

    A new feature in the SAS 9.2 metadata inheritance scheme is the WriteMemberMetadata permission. It is quite unique since it applies specifically to Folders, as far as I know and I must admit I don’t fully understand how it works still…

    For your question, I have found at least one example of multiple inheritance case (by default) in 9.2, but I am conscious it is far-fetched and and looks quite useless (but who knows) : SMC / Environment Management / Authorization Manager / Resource Management / By Application / Remote Services / Core / Authentication Service.

    I think the inheritance view could be misleading here : it might be the result of java classes inheritance “translated” in metadata permissions somehow, like the Portal BIP Tree wich holds the securization of portal pages in folder-like manner.

    Best Regards & Good Luck for your presentation,

    Ronan

  2. Hi Ronan,

    Thanks for pointing out that example of multiple inheritance in SAS 9.2. I also found another one under the Table Server Manager plug-in. I have posted a new blog entry showing both of these examples. Even though they may not be of concern to most people, it feels better to know of some concrete examples. I always felt a bit uncomfortable knowing that multiple inheritance was still catered for, but not knowing when it might occur. Now I at least have 1 or 2, albeit obscure, examples when students ask questions about it 🙂

    I know what you mean about NTFS security. I always found it a bit odd that you could break the inheritance at any node in the tree. If we had that in SAS metadata as well, it might be a bit too confusing perhaps?

    You are right about the WriteMemberMetadata permission. It was a great enhancement in SAS 9.2 as it allowed you to grant access to manage the content of a folder but not to manage the folder itself. As you say it only applies to tree folders and is also unique in that it is a permission that inherits from another permission on the same object. WriteMemberMetadata inherits from WriteMetadata on the same (folder) object and the WriteMetadata permission inherits from the WriteMemberMetadata permission on the parent object (folder). I was thinking I might do a blog post about this interesting new permission. I did an odd test a little while ago where I granted WriteMetadata and denied WriteMemberMetadata – not recommended but still an interesting exercise 😉 – I might even see it in the ‘wild’ sometime.

    Once again thanks for taking the time to comment and also for finding the multiple inheritance example.

    Cheers
    Paul

  3. Oops – just corrected my previous comment about the ‘odd test’. I originally said “denied WM and granted WMM” when I meant to say “granted WM and denied WMM”. Using “-WM +WMM” is normal, whereas it’s “+WM -WMM” that’s not recommended.

Leave a Reply

Your email address will not be published. Required fields are marked *