accessControl assumeRole

Failed Privilege Escalation Attempt by a Limited User

Test scenario & use case

Business Context

A security team wants to ensure that a user in a 'LimitedAnalysts' group cannot escalate their privileges to 'SUPERUSER'. The test must verify that the `assumeRole` action is properly secured and that unauthorized attempts are blocked and auditable.
About the action set: accessControl

Management of access rights and data security.
Data Preparation

No specific data table is needed. This scenario focuses purely on session permissions and server state.

/* No data creation is necessary. The test relies on pre-existing
   user/group definitions on the CAS server. We run as 'limited_user'. */

Steps

1
Simulated User Session: A session is initiated for a user, 'limited_user', who is not a CAS administrator. CAS fixes the identity when the session is created, so this step means opening the session with limited_user's credentials; running the later actions from an administrator's session would not exercise the check.
/* This step represents the context of the test, running as a non-admin user. */
2
Escalation Attempt: The 'limited_user' attempts to assume the 'SUPERUSER' role.
PROC CAS;
   /* This action is expected to fail with an authorization error. */
   ACCESSCONTROL.assumeRole / adminRole='SUPERUSER';
RUN;
3
Verify Failure: The user attempts to perform a superuser-only action, such as listing server loggers. This must also fail; it is independent evidence that the denied assumeRole left the session without any elevated privilege.
PROC CAS;
   /* This action should also fail, proving no privileges were gained. */
   loggers.listLoggers;
RUN;
4
Admin Audit: A separate, administrative session checks the session status of the 'limited_user' to confirm no administrative role is active.
PROC CAS;
   /* Run as an admin in a different session */
   SESSION.listSessions / allUsers=true;
   /* The output table should be inspected to confirm the 'limited_user' session has no assumed role. */
RUN;
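The four steps above combined into one CASL program that captures each action's status and asserts on it, rather than relying on a visual read of the log. This is an added example, not code from the original page or from SAS documentation. Host, port, the user names and the macro variables holding passwords are placeholders; the `status=` option on an action statement and its `statusCode`, `reason` and `status` fields are standard CASL. The listSessions audit is printed for inspection, as in step 4, because the column that would carry role information is not asserted here.

```sas
/* Added example: the whole scenario as one program.
   Assumptions (placeholders): host cas.example.com, port 5570,
   limited_user's password in macro variable &limited_pw,
   the administrator account cas_admin with password in &admin_pw. */

/* Step 1: open a session authenticated as limited_user.
   Identity is fixed at session creation, so every denial below is
   evaluated against this user, not against whoever submits the code. */
cas limited host="cas.example.com" port=5570
    user="limited_user" password="&limited_pw";

proc cas;
   session limited;
   failures = 0;

   /* Step 2: escalation attempt. status= captures the outcome so the
      program keeps running and can assert on it instead of aborting. */
   accessControl.assumeRole status=rc / adminRole="superuser";
   if rc.statusCode = 0 then do;
      print "FAIL: assumeRole succeeded for limited_user";
      failures = failures + 1;
   end;
   else print "PASS: assumeRole denied: " || rc.status;

   /* Step 3: a superuser-only action must still be refused, which is
      independent evidence that no privilege was gained in step 2. */
   loggers.listLoggers status=rc2;
   if rc2.statusCode = 0 then do;
      print "FAIL: listLoggers succeeded; privilege was gained";
      failures = failures + 1;
   end;
   else print "PASS: listLoggers denied: " || rc2.status;

   if failures = 0 then print "Limited-user checks passed";
   else print "Limited-user checks failed";
run;

/* Step 4: audit from a separate administrator session */
cas admin host="cas.example.com" port=5570
    user="cas_admin" password="&admin_pw";

proc cas;
   session admin;
   session.listSessions result=r / allUsers=true;
   /* Inspect the returned table for limited_user's session and
      confirm that no assumed role is shown for it. */
   print r;
run;

cas limited terminate;
cas admin terminate;
```

Run the program while the limited_user session is still open so that the administrator's listSessions call can see it; terminating the sessions at the end keeps the test from leaving stale sessions on the server. The two PASS lines and an empty role for limited_user in the audit table are the expected outcome; any FAIL line means the role policy on the server needs review before the test is considered successful.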

Expected Result

The test is successful if the `assumeRole` action in step 2 returns a clear error indicating that the user is not authorized to assume the role. Consequently, the superuser-only action in step 3 must also fail. The administrative audit in step 4 must show that the 'limited_user' session has no administrative role assigned. Because the business context requires the attempt to be auditable, also confirm that the denial is recorded in the CAS server log and not only reported to the user's session.