Business Context
An MLOps pipeline, running under a service account, needs to deploy a new version of a custom scoring action set ('customScoring'). The service account has minimal permissions but is authorized to temporarily assume the 'ACTION' role to manage action sets.
About the Set : accessControl
Management of access rights and data security.
Discover all actions of accessControl Data Preparation
Create a CAS table containing the definition of a new, simple custom action set.
Copied!
| 1 | DATA public.actionset_source; |
| 2 | LENGTH definition $ 500; |
| 3 | definition = 'action customScoring.simpleScore;'; OUTPUT; |
| 4 | definition = ' input {table {name="DATA"}};'; OUTPUT; |
| 5 | definition = ' output {table {name="scored_data"}};'; OUTPUT; |
| 6 | definition = ' /* A simple scoring logic placeholder */'; OUTPUT; |
| 7 | definition = ' data.score = data.value * 1.1;'; OUTPUT; |
| 8 | definition = 'endaction;'; OUTPUT; |
| 9 | RUN; |
Étapes de réalisation
1
Load Action Set Definition: Load the data containing the action set definition into a global CAS table.
Copied!
| 1 | |
| 2 | PROC CAS; |
| 3 | TABLE.loadTable / caslib='PUBLIC' path='actionset_source.sashdat' casOut={name='actionset_source', caslib='PUBLIC', promote=true}; |
| 4 | RUN; |
| 5 |
2
Initial State: Attempt to install the action set without elevated privileges. This is expected to fail.
Copied!
| 1 | PROC CAS; |
| 2 | /* This step should fail with an authorization error */ |
| 3 | BUILTINS.installActionSet / actionSet='customScoring' TABLE={caslib='PUBLIC', name='actionset_source'}; |
| 4 | RUN; |
3
Assume ACTION Role: The service account assumes the 'ACTION' role to get permissions for managing action sets.
Copied!
| 1 | |
| 2 | PROC CAS; |
| 3 | ACCESSCONTROL.assumeRole / adminRole='ACTION'; |
| 4 | RUN; |
| 5 |
4
Deploy Action Set: With the 'ACTION' role assumed, install the new custom action set. This should now succeed.
Copied!
| 1 | |
| 2 | PROC CAS; |
| 3 | BUILTINS.installActionSet / actionSet='customScoring' TABLE={caslib='PUBLIC', name='actionset_source'}; |
| 4 | RUN; |
| 5 |
5
Verify Deployment: Check that the new action set and its action are available.
Copied!
| 1 | PROC CAS; |
| 2 | BUILTINS.actionSetInfo / actionSet='customScoring'; |
| 3 | BUILTINS.help / ACTION='customScoring.simpleScore'; |
| 4 | RUN; |
6
Cleanup: Drop the assumed role and unload the action set to return the server to its original state.
Copied!
| 1 | PROC CAS; |
| 2 | ACCESSCONTROL.dropRole / adminRole='ACTION'; |
| 3 | /* As an admin, you would unload the action set */ |
| 4 | /* accessControl.assumeRole / adminRole='ACTION'; */ |
| 5 | /* builtins.uninstallActionSet / actionSet='customScoring'; */ |
| 6 | RUN; |
Expected Result
The scenario succeeds if the action set installation fails initially (step 2), but succeeds after assuming the 'ACTION' role (step 4). The verification in step 5 must show that the 'customScoring' action set and its 'simpleScore' action are correctly loaded and visible. This validates that the 'ACTION' role correctly grants the necessary permissions for this MLOps workflow.