Business Context
An internal data governance policy prohibits storing sensitive Personally Identifiable Information (PII) in personal CAS workspaces. An IT administrator must perform a spot audit on a specific user's personal caslib (`CASUSER(finance_user)`) to check for non-compliant data without disrupting the user's session.
About the Set : accessControl
Management of access rights and data security.
Discover all actions of accessControl Data Preparation
Simulate a scenario where 'finance_user' has loaded two tables into their personal caslib: one compliant ('quarterly_sales') and one non-compliant ('employee_pii') containing sensitive data. This setup requires admin rights to place tables in another user's caslib.
Copied!
| 1 | /* Data setup requires admin privileges */ |
| 2 | PROC CAS; |
| 3 | /* Simulate finance_user's data */ |
| 4 | DATA casuser(finance_user).employee_pii(promote=yes); |
| 5 | LENGTH ssn $11 name $50; |
| 6 | ssn='123-45-678'; name='John Doe'; OUTPUT; |
| 7 | ssn='987-65-432'; name='Jane Smith'; OUTPUT; |
| 8 | RUN; |
| 9 | |
| 10 | DATA casuser(finance_user).quarterly_sales(promote=yes); |
| 11 | LENGTH product $20; |
| 12 | product='Widget A'; sales=15000; OUTPUT; |
| 13 | product='Widget B'; sales=22000; OUTPUT; |
| 14 | RUN; |
| 15 | QUIT; |
Étapes de réalisation
1
Baseline Check: As an administrator, attempt to list tables in 'CASUSER(finance_user)'. This step is expected to fail with an authorization error, proving that access is initially restricted.
Copied!
| 1 | PROC CAS; |
| 2 | /* This will fail as access is not yet granted */ |
| 3 | TABLE.tableInfo / caslib="CASUSER(finance_user)"; |
| 4 | RUN; |
2
Privilege Escalation: Execute the accessPersonalCaslibs action to gain administrative access to all personal caslibs for the current session.
Copied!
| 1 | |
| 2 | PROC CAS; |
| 3 | ACCESSCONTROL.accessPersonalCaslibs; |
| 4 | RUN; |
| 5 |
3
Verification: Re-run the table.tableInfo action on 'CASUSER(finance_user)'. This time, the action should succeed, returning a list of tables.
Copied!
| 1 | PROC CAS; |
| 2 | /* This should now succeed */ |
| 3 | TABLE.tableInfo / caslib="CASUSER(finance_user)"; |
| 4 | RUN; |
4
Audit Execution: Fetch a few rows from the suspicious 'employee_pii' table to confirm its contents, completing the audit.
Copied!
| 1 | |
| 2 | PROC CAS; |
| 3 | TABLE.fetch / TABLE={caslib="CASUSER(finance_user)", name="employee_pii"}, to=5; |
| 4 | RUN; |
| 5 |
Expected Result
The administrator successfully lists and inspects tables within another user's personal caslib after executing the action. The initial attempt fails due to lack of permissions, while the subsequent attempts succeed, confirming the action correctly elevates privileges for targeted administrative tasks.