10 thoughts on “Testing Conditional Grants in SAS Visual Analytics”

  1. Excellent stuff as usual Paul.

    Using all the new stuff in anger at your latest client site in Western Australia and saving a lot of time while allowing the administrators to better understand the impact of actions taken.


    Thanks again.

  2. Thanks Bob! That’s great to hear. Please let me know if you have any questions.

  3. Hello Paul, Thank you for this topic. I’m facing a issue with SAS VA conditional grants. I’m ussing SAS VA 7.4 and I’m aiming to filter data by sas userid.

    I tried in SAS VA administrator and in batch tool but it doesn’t work.

    Here is my code in batch tools:

    sas-set-metadata-access -host XXX -port XXX -user XXX -password “XXX” “/Shared Data/SAS Visual Analytics/Public/LASR/Toto(Table)” -grant sasusers:Read -condition “Parent_UserIdSAS=’SUB::SAS.Userid'”

    In SAS VA administrator, I put the following conditions:


    I tried with userid and userid@domain in capital letter, trim left, etc… but I think in my condition, It is impossible to find the macro variable.

    Could you help me? Thanks a lot.

  4. You condition looks ok to me. As long as your Parent_UserIdSAS values are uppercase to match the USERID or USERID@DOMAIN format that will be substituted I can’t see why it shouldn’t work. Have you tried manually applying a Parent_UserIdSAS=”MYUSERID” or Parent_UserIdSAS=”MYUSERID@MYDOMAIN” filter in VA to see if you get any rows returned? When you say it doesn’t work what happens? Do you see all unfiltered rows or no rows? Do you have any other explicit +R grants on the same table to any other users or groups (that the users might be members of)? SASUSERS is low-down in the identity hierarchy so any others (except for PUBLIC) would be above it and take precedence.

    You may also want to ask SAS Tech Support on where you can see debug/troubleshooting logging of the filter that has been applied (after substitution of SUB::SAS.Userid). It’s been a while since I last did this so I can’t remember if that info was available. If I get some time to have a look after SAS Global Forum I’ll report back here.

  5. Paul,
    I need to open a report as if I’m ‘another person’, in order to test the Row Level Security. That is, I want to
    pretend I’m John Smith, CFO, or Bob Smith, CIO, etc.

    What is the simplest method, short of having the users actual logon info, to accomplish this.

  6. Hi Gerry,

    Ordinarily I would recommend using our Metacoda Object and Identity Permissions Explorer plug-ins to answer “who has access to this” and “what does this person have access to” type questions, but in this instance where you are trying to test row-level security, you could either work with the user to verify it, or look into user impersonation. Given sufficient privileges, as a SAS admin, it is possible to add another user id to a SAS identity and use it to log in and impersonate that user (there are limitations). There is a longer description of this in the following SAS Communities post:

    I hope you find this useful.


  7. Hi Paul,
    I have a table on which I have used a conditional grant by -condition “column1 in (‘USA’)”. But I want to disable/remove this grant and I wanted to view all the rows in the table back. I used -remove option in sas-ser-metadata-access but I can see the previous granted permission and unable to view all records back. Can you please help me on this?

    Thanks in Advance for taking time to read my question! :-)

  8. Hi,
    You didn’t post the full command you used to remove the permission condition so I can’t comment on that. Assuming that it worked without error, then I would expect you to be able to see it has been removed when looking at the Authorization tab in SAS Management Console. If you can see it removed in SAS Management Console but it is still applied in another application then I understand some applications cache access controls so you may also want to try logout/login or restart. If the command had no errors, the condition is visibly removed when seen in SAS MC, but the condition is still applied, then your best option is to contact SAS Technical Support for further assistance.
    Best of luck.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.