Test Scenario & Use Case
Management of access rights and data security.
Create a sensitive employee salary table and a restricted production caslib to house it.
```sas
/* Data preparation: three sample employee salary records */
DATA sensitive_hr.salaries;
  LENGTH EmployeeID $10 Name $50;
  EmployeeID = 'E1001'; Name = 'John Smith'; Salary = 120000; OUTPUT;
  EmployeeID = 'E1002'; Name = 'Jane Doe'; Salary = 135000; OUTPUT;
  EmployeeID = 'E1003'; Name = 'Peter Jones'; Salary = 95000; OUTPUT;
RUN;
```

```sas
/* Step 1: create the restricted caslib and load the salary table into it */
PROC CAS;
  addCaslib / caslib='sensitive_hr' dataSource={srcType='PATH'} path='/cas/data/sensitive_hr';
  TABLE.loadTable / caslib='sensitive_hr' path='salaries.sashdat' casOut={name='salaries', caslib='sensitive_hr', promote=true};
RUN;
```

```sas
/* Step 2: list access controls before any role is assumed */
PROC CAS;
  /* This step is expected to produce an error note in the log */
  ACCESSCONTROL.listControls / TABLE={caslib='sensitive_hr', name='salaries'};
RUN;
```

```sas
/* Step 3: assume the 'DATA' administrative role for this session */
PROC CAS;
  ACCESSCONTROL.assumeRole / adminRole='DATA';
RUN;
```

```sas
/* Step 4: list access controls again, now with the role assumed */
PROC CAS;
  ACCESSCONTROL.listControls / TABLE={caslib='sensitive_hr', name='salaries'};
RUN;
```

```sas
/* Step 5: drop the role and confirm the elevated permissions are gone */
PROC CAS;
  ACCESSCONTROL.dropRole / adminRole='DATA';
  /* Verify permissions are reverted by attempting the admin action again, expecting failure */
  ACCESSCONTROL.listControls / TABLE={caslib='sensitive_hr', name='salaries'};
RUN;
```

The scenario is successful if the Data Steward can only list access controls (step 4) after assuming the 'DATA' role. The attempts in step 2 and the final check in step 5 must fail, proving that the elevated permissions are temporary and correctly scoped to the assumed role.
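
The success criteria above can be checked in code rather than by reading the log. The following is an added example, not part of the original scenario: it captures each action's outcome with CASL's `status=` option and counts deviations from the expected fail / succeed / fail sequence. The variable names (`tbl`, `failures`, `s_*`) are illustrative, and it assumes the session continues after an action returns an error.

```sas
PROC CAS;
  /* Added example; variable names are illustrative, not from the scenario. */
  tbl = {caslib='sensitive_hr', name='salaries'};
  failures = 0;

  /* Before elevation: the call must be refused.
     Status severity: 0 = normal, 1 = warning, 2 = error. */
  accessControl.listControls result=r status=s_before / table=tbl;
  if (s_before.severity < 2) then do;
    print "FAIL: listControls succeeded before assumeRole";
    failures = failures + 1;
  end;

  /* Elevate, then confirm the same call is now allowed. */
  accessControl.assumeRole status=s_role / adminRole='DATA';
  if (s_role.severity >= 2) then do;
    print "FAIL: assumeRole was refused";
    failures = failures + 1;
  end;
  accessControl.listControls result=r status=s_during / table=tbl;
  if (s_during.severity >= 2) then do;
    print "FAIL: listControls refused while the DATA role is assumed";
    failures = failures + 1;
  end;

  /* Drop the role unconditionally so that a failed check above
     never leaves the session elevated. */
  accessControl.dropRole status=s_drop / adminRole='DATA';

  /* After dropRole: the call must be refused again. */
  accessControl.listControls result=r status=s_after / table=tbl;
  if (s_after.severity < 2) then do;
    print "FAIL: listControls still succeeds after dropRole";
    failures = failures + 1;
  end;

  if (failures == 0) then print "PASS: elevation is temporary and scoped to the assumed role";
  else print "Checks failed: " failures;
RUN;
```

The check after `dropRole` is the one that matters most for least privilege: a pass there shows the elevated access did not persist in the session.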