accessControl

assumeRole

Description

The assumeRole action allows a user to temporarily adopt a specific administrative role within the CAS session. This is a powerful feature for administrators who need to perform tasks requiring elevated permissions without permanently changing their user rights. By assuming a role like 'SUPERUSER', 'DATA', or 'ACTION', the user gains unrestricted access to specific areas of the CAS server for the duration of the role assumption. This is crucial for managing access controls, data, or actions securely and efficiently.

```
accessControl.assumeRole <result=results> <status=rc> / adminRole="ACTION" | "DATA" | "SUPERUSER";
```

Settings

| Parameter | Description |
|---|---|
| adminRole | Specifies the administrative role to assume. 'ACTION' provides unrestricted access to actions and action sets. 'DATA' provides unrestricted access to caslibs, tables, and columns. 'SUPERUSER' combines the privileges of both ACTION and DATA roles, and adds the ability to manage roles and paths. |

Data Preparation
No Data Creation Needed

The `assumeRole` action does not directly interact with or create data tables. It is an administrative action used to manage session permissions.

```sas
/* No data creation code is necessary for this action. */
```

Examples

This example demonstrates how to assume the 'SUPERUSER' role. This grants the highest level of permissions for the current session.

SAS® / CAS Code (code awaiting community validation)

```sas
PROC CAS;

   /* Assume the SUPERUSER role for the current session */
   ACCESSCONTROL.assumeRole / adminRole='SUPERUSER';

RUN;
```

Result:
The action will execute and, if successful, the user's session will have Superuser privileges. A confirmation note is typically printed in the SAS log.

This example shows how to first assume the 'DATA' administrator role to perform data-related administrative tasks, and then how to drop that role to revert to the original permissions.

SAS® / CAS Code (code awaiting community validation)

```sas
PROC CAS;
   /* Assume the DATA role to manage data access controls */
   ACCESSCONTROL.assumeRole / adminRole='DATA';
   PRINT 'Current session has assumed the DATA role.';

   /* ... perform administrative tasks on caslibs or tables ... */

   /* Drop the assumed role to return to normal permissions */
   ACCESSCONTROL.dropRole / adminRole='DATA';
   PRINT 'The DATA role has been dropped.';
RUN;
```

Result:
The log will first show a confirmation of assuming the 'DATA' role. After the administrative tasks are performed, a second confirmation will appear, indicating that the 'DATA' role has been dropped and the session has returned to its original permission level.

This example illustrates how permissions change by first checking authorization for a specific action, then assuming the 'ACTION' role, and finally re-checking the authorization. This is useful for verifying the effect of `assumeRole`.

SAS® / CAS Code (code awaiting community validation)

```sas
PROC CAS;
   /* 1. Check if the user is authorized for a specific action before assuming a role */
   ACCESSCONTROL.isAuthorizedActions / actions={{name='serverstatus', actionSet='builtins'}};

   /* 2. Assume the ACTION role */
   ACCESSCONTROL.assumeRole / adminRole='ACTION';

   /* 3. Check authorization again to see the change in permissions */
   ACCESSCONTROL.isAuthorizedActions / actions={{name='serverstatus', actionSet='builtins'}};

   /* 4. Drop the role to clean up the session state */
   ACCESSCONTROL.dropRole / adminRole='ACTION';
RUN;
```

Result:
The output will show two tables. The first `isAuthorizedActions` result might show 'false' for authorization if the user does not normally have permission. After assuming the 'ACTION' role, the second result for the same check will show 'true', demonstrating the elevated privileges.
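
The examples above print their confirmation messages unconditionally, whether or not the role was actually granted or dropped. The following added example (not part of the original page, and not validated against a CAS server) uses the `status=rc` option from the syntax line to gate the administrative work on a successful `assumeRole` and to confirm the `dropRole`. It assumes that a refused or failed request returns a non-zero `rc.severity`; the variable names `rc` and `drc` are illustrative.

```sas
PROC CAS;
   /* Ask only for the role the task needs (DATA here, not SUPERUSER),
      and capture the action status instead of assuming success. */
   accessControl.assumeRole status=rc / adminRole='DATA';

   if (rc.severity == 0) then do;
      print "DATA role assumed.";

      /* ... perform the caslib or table administration here ... */

      /* Drop the role as soon as the task is finished and confirm the drop. */
      accessControl.dropRole status=drc / adminRole='DATA';
      if (drc.severity == 0) then do;
         print "DATA role dropped.";
      end;
      else do;
         /* The session may still be elevated: report it so the session can be ended. */
         print "dropRole failed: " drc.reason " status code " drc.statusCode;
      end;
   end;
   else do;
      /* Assumption: a refused request returns a non-zero severity.
         Do not retry with a broader role; skip the admin task. */
      print "assumeRole refused: " rc.reason " status code " rc.statusCode;
   end;
RUN;
```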

FAQ

What is the purpose of the assumeRole action?
What are the different administrative roles available in the assumeRole action?
What privileges does the 'SUPERUSER' role grant?
What is the default value for the 'adminRole' parameter?
How does the 'ACTION' role differ from the 'DATA' role?

Associated Scenarios

Use Case
Data Steward Temporary Access for HR Data Audit

A Data Steward, who normally has read-only access to production data, needs to perform an audit on a sensitive HR table containing employee salaries. To do this, they must tempo...

Use Case
Failed Privilege Escalation Attempt by a Limited User

A security team wants to ensure that a user in a 'LimitedAnalysts' group cannot escalate their privileges to 'SUPERUSER'. The test must verify that the `assumeRole` action is pr...

Use Case
Automated Deployment of a Custom Action Set via MLOps Pipeline

An MLOps pipeline, running under a service account, needs to deploy a new version of a custom scoring action set ('customScoring'). The service account has minimal permissions b...