If you use conditional grants in SAS® Visual Analytics for row-level security, then you might be interested in one of the enhancements available in our recent Metacoda Plug-ins 5.0 release. This new release adds support for automated metadata security testing of the permission conditions behind conditional grants. Conditional grants, sometimes known as row-level permissions or row-level security, allow you to grant limited access to a subset of data based on an expression. If someone is in a constrained group, then they only get to see the rows where the expression evaluates to true.
If you’re using conditional grants to restrict certain groups of users to specific subsets of data, then you’d probably be keenly interested in making sure those conditional grants remain in place. You wouldn’t want to discover at some future time that, due to unexpected changes in the permission conditions, those groups of users have been getting much broader access to data than should have been allowed.
We’ve enhanced Metacoda Plug-ins in version 5 to help people maintain the integrity of their permission conditions in the following areas:
- The Protected Object Reviewer can now generate metadata security test XML files containing tests for any permission conditions found in metadata (which includes conditional grants applied to any VA tables).
- The Metadata Security Testing Framework will run any tests for permission conditions (including VA conditional grants) that it finds in a metadata security test XML file. These tests can be run interactively via the Test Runner plug-in, or in batch for automated regular testing with email alerts when any test failures are detected.
To illustrate, here’s a screenshot of the Authorization tab in SAS Visual Analytics Administrator for a table that has 2 conditional grants applied – one each for the Canada and USA groups:
Looking at the Permission Condition for the Canada group we can see that members of that group are limited to rows where the customer_attribute_1 column has the value “CANADA”:
We can also see those permission conditions in the Metacoda Plug-ins Protected Object Reviewer:
Exporting Metadata Security Test XML from the Protected Object Reviewer in Metacoda Plug-ins 5.0 will now export additional tests to check those permission conditions. If we look at the exported test XML it looks something like this:
<SecTest ... >
  <Objects>
    <Object name="VA_SAMPLE_WARRANTY_CLAIMS" publicType="Table" parentFolder="Visual Analytics Public LASR">
      <AccessControls complete="true">
        <Group name="Vegas_CA" permissions="+RM,+R" condition="customer_attribute_1 = 'CANADA' ... " />
        <Group name="Vegas_US" permissions="+RM,+R" condition="customer_attribute_1 = 'USA' ... " />
      </AccessControls>
    </Object>
  </Objects>
</SecTest>
If we immediately run those tests interactively in the Metacoda Plug-ins Test Runner they should pass (the conditional grants haven’t been modified yet):
Then at some point in the future our regular scheduled batch testing might alert us to the fact that some tests are failing. If we run the conditional grant tests in the Test Runner plug-in again we might see the tests failing because someone has accidentally removed the conditional grant we expect to be in place for Canada:
… or perhaps when they were adding a new conditional grant for France they accidentally modified the conditional grant for the Canada group and changed the country name from “CANADA” to “FRANCE”:
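The two failure modes described above (a conditional grant removed, or its expression changed from “CANADA” to “FRANCE”) come down to comparing a baseline of expected conditions against the current state. The sketch below is an added example, not Metacoda's code or part of the original post: the XML is constructed in the shape of the export shown earlier with simplified conditions, and the function names and the `actual` snapshot dictionary are hypothetical stand-ins for whatever reads the live metadata.

```python
import xml.etree.ElementTree as ET

# Constructed baseline in the shape of the exported test XML shown earlier.
# The conditions are simplified: the page elides the rest of each expression.
BASELINE_XML = """
<SecTest>
  <Objects>
    <Object name="VA_SAMPLE_WARRANTY_CLAIMS" publicType="Table"
            parentFolder="Visual Analytics Public LASR">
      <AccessControls complete="true">
        <Group name="Vegas_CA" permissions="+RM,+R"
               condition="customer_attribute_1 = 'CANADA'" />
        <Group name="Vegas_US" permissions="+RM,+R"
               condition="customer_attribute_1 = 'USA'" />
      </AccessControls>
    </Object>
  </Objects>
</SecTest>
"""


def expected_conditions(xml_text):
    """Map (object name, group name) -> expected permission condition."""
    expected = {}
    for obj in ET.fromstring(xml_text).iter("Object"):
        for grp in obj.iter("Group"):
            if grp.get("condition") is not None:
                expected[(obj.get("name"), grp.get("name"))] = grp.get("condition").strip()
    return expected


def check_conditions(expected, actual):
    """Compare the baseline with `actual`, a hypothetical snapshot of live state.

    A value of None (or an absent key) means the group has no condition there.
    """
    findings = []
    for (obj, grp), want in expected.items():
        have = actual.get((obj, grp))
        if have is None:
            findings.append((obj, grp, "MISSING", want, None))
        elif have.strip() != want:
            findings.append((obj, grp, "CHANGED", want, have.strip()))
    # Conditions that were never baselined deserve review too.
    for (obj, grp), have in actual.items():
        if have is not None and (obj, grp) not in expected:
            findings.append((obj, grp, "UNEXPECTED", None, have.strip()))
    return sorted(findings, key=lambda f: f[:3])
```

The comparison is deliberately an exact string match after trimming: any edit to a row-level filter expression is treated as a change that needs review.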
I hope this has shown you how the new permission condition tests in Metacoda Plug-ins 5.0 can help ensure row-level security access controls are correctly maintained for tables in SAS Visual Analytics. If you’d like to find out more about our metadata security testing framework, these new tests, or any of our other Metacoda Plug-ins, please contact me, or visit the metacoda.com web site.