8 thoughts on “Testing Conditional Grants in SAS Visual Analytics”

  1. Excellent stuff as usual Paul.

    Using all the new stuff in anger at your latest client site in Western Australia and saving a lot of time while allowing the administrators to better understand the impact of actions taken.


    Thanks again.

  2. Thanks Bob! That’s great to hear. Please let me know if you have any questions.

  3. Hello Paul, Thank you for this topic. I’m facing a issue with SAS VA conditional grants. I’m ussing SAS VA 7.4 and I’m aiming to filter data by sas userid.

    I tried in SAS VA administrator and in batch tool but it doesn’t work.

    Here is my code in batch tools:

    sas-set-metadata-access -host XXX -port XXX -user XXX -password “XXX” “/Shared Data/SAS Visual Analytics/Public/LASR/Toto(Table)” -grant sasusers:Read -condition “Parent_UserIdSAS=’SUB::SAS.Userid'”

    In SAS VA administrator, I put the following conditions:


    I tried with userid and userid@domain in capital letter, trim left, etc… but I think in my condition, It is impossible to find the macro variable.

    Could you help me? Thanks a lot.

  4. You condition looks ok to me. As long as your Parent_UserIdSAS values are uppercase to match the USERID or USERID@DOMAIN format that will be substituted I can’t see why it shouldn’t work. Have you tried manually applying a Parent_UserIdSAS=”MYUSERID” or Parent_UserIdSAS=”MYUSERID@MYDOMAIN” filter in VA to see if you get any rows returned? When you say it doesn’t work what happens? Do you see all unfiltered rows or no rows? Do you have any other explicit +R grants on the same table to any other users or groups (that the users might be members of)? SASUSERS is low-down in the identity hierarchy so any others (except for PUBLIC) would be above it and take precedence.

    You may also want to ask SAS Tech Support on where you can see debug/troubleshooting logging of the filter that has been applied (after substitution of SUB::SAS.Userid). It’s been a while since I last did this so I can’t remember if that info was available. If I get some time to have a look after SAS Global Forum I’ll report back here.

  5. Paul,
    I need to open a report as if I’m ‘another person’, in order to test the Row Level Security. That is, I want to
    pretend I’m John Smith, CFO, or Bob Smith, CIO, etc.

    What is the simplest method, short of having the users actual logon info, to accomplish this.

  6. Hi Gerry,

    Ordinarily I would recommend using our Metacoda Object and Identity Permissions Explorer plug-ins to answer “who has access to this” and “what does this person have access to” type questions, but in this instance where you are trying to test row-level security, you could either work with the user to verify it, or look into user impersonation. Given sufficient privileges, as a SAS admin, it is possible to add another user id to a SAS identity and use it to log in and impersonate that user (there are limitations). There is a longer description of this in the following SAS Communities post:

    I hope you find this useful.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.