Attention : This code requires administrator privileges.
The `accessControl.updSomeAcsColumn` action is used to define granular column-level access rules. It revokes 'ReadInfo' and 'Select' permissions for the generic group '*' (all users) on the 'CCnum' column of the 'Receipts.sashdat' table in the 'sales' caslib. Simultaneously, it explicitly grants these same permissions to 'groupA', thereby ensuring that only members of this group will be able to view and select this column, strengthening sensitive data security.
Data Analysis
Type : CREATION_INTERNE
Examples use generated data (DATA step with DATALINES) or SASHELP if necessary.
1 Code Block
CASL Data
Explanation :
This example begins by creating a simple 'Receipts' table with dummy data and a sensitive 'CCnum' column. It then loads this table into the 'sales' caslib. The `accessControl.updSomeAcsColumn` action is then used to deny 'ReadInfo' and 'Select' permissions on the 'CCnum' column to all users (group '*') and grant these same permissions to 'groupA'. This ensures that only members of 'groupA' can view the content of this column.
This example begins by creating a simple 'Receipts' table with dummy data and a sensitive 'CCnum' column. It then loads this table into the 'sales' caslib. The `accessControl.updSomeAcsColumn` action is then used to deny 'ReadInfo' and 'Select' permissions on the 'CCnum' column to all users (group '*') and grant these same permissions to 'groupA'. This ensures that only members of 'groupA' can view the content of this column.
Copied!
| 1 | CAS auto; |
| 2 | CASLIB _ALL_ assign; |
| 3 | |
| 4 | /* Créer une table de démonstration 'Receipts' avec une colonne sensible 'CCnum' */ |
| 5 | DATA casuser.Receipts; |
| 6 | LENGTH ID 8 Nom $ 20 CCnum $ 16; |
| 7 | INPUT ID Nom $ CCnum $; |
| 8 | DATALINES; |
| 9 | 101 John_Doe 1234-5678-9012-3456 |
| 10 | 102 Jane_Smith 9876-5432-1098-7654 |
| 11 | 103 Peter_Jones 1122-3344-5566-7788 |
| 12 | ; |
| 13 | RUN; |
| 14 | |
| 15 | /* Charger la table dans la caslib 'sales' (ou une autre caslib accessible) */ |
| 16 | PROC CASUTIL; |
| 17 | load DATA=casuser.Receipts outcaslib="sales" casout="Receipts" replace; |
| 18 | RUN; |
| 19 | |
| 20 | /* Masquer la colonne CCnum pour tous les utilisateurs (*) et la rendre visible pour 'groupA' */ |
| 21 | PROC CAS; |
| 22 | ACCESSCONTROL.updSomeAcsColumn |
| 23 | acs={ |
| 24 | {caslib="sales", |
| 25 | TABLE="Receipts", |
| 26 | column="CCnum", |
| 27 | identity="*", |
| 28 | identityType="Group", |
| 29 | permType="Deny", |
| 30 | permission="ReadInfo"}, |
| 31 | {caslib="sales", |
| 32 | TABLE="Receipts", |
| 33 | column="CCnum", |
| 34 | identity="*", |
| 35 | identityType="Group", |
| 36 | permType="Deny", |
| 37 | permission="Select"}, |
| 38 | {caslib="sales", |
| 39 | TABLE="Receipts", |
| 40 | column="CCnum", |
| 41 | identity="groupA", |
| 42 | identityType="Group", |
| 43 | permType="Grant", |
| 44 | permission="ReadInfo"}, |
| 45 | {caslib="sales", |
| 46 | TABLE="Receipts", |
| 47 | column="CCnum", |
| 48 | identity="groupA", |
| 49 | identityType="Group", |
| 50 | permType="Grant", |
| 51 | permission="Select"} |
| 52 | }; |
| 53 | RUN; |
| 54 | |
| 55 | /* Vérifier les accès (en tant qu'administrateur ou membre de groupA pour voir CCnum) */ |
| 56 | PROC CAS; |
| 57 | ACCESSCONTROL.viewAcsTable{caslib="sales", TABLE="Receipts"}; |
| 58 | RUN; |
| 59 |
2 Code Block
CASL
Explanation :
This example demonstrates how to revoke all access permissions (ReadInfo, Select, Update, Delete) on the 'Receipts' table for a specific user ('userB'). This prevents 'userB' from performing any operation on this table, regardless of any other inherited or general permissions.
This example demonstrates how to revoke all access permissions (ReadInfo, Select, Update, Delete) on the 'Receipts' table for a specific user ('userB'). This prevents 'userB' from performing any operation on this table, regardless of any other inherited or general permissions.
Copied!
| 1 | CAS auto; |
| 2 | CASLIB _ALL_ assign; |
| 3 | |
| 4 | /* Supposons que la table 'Receipts' existe dans la caslib 'sales' */ |
| 5 | /* Créer une table de démonstration 'Receipts' avec une colonne sensible 'CCnum' */ |
| 6 | DATA casuser.Receipts; |
| 7 | LENGTH ID 8 Nom $ 20 CCnum $ 16; |
| 8 | INPUT ID Nom $ CCnum $; |
| 9 | DATALINES; |
| 10 | 101 John_Doe 1234-5678-9012-3456 |
| 11 | 102 Jane_Smith 9876-5432-1098-7654 |
| 12 | 103 Peter_Jones 1122-3344-5566-7788 |
| 13 | ; |
| 14 | RUN; |
| 15 | |
| 16 | /* Charger la table dans la caslib 'sales' (ou une autre caslib accessible) */ |
| 17 | PROC CASUTIL; |
| 18 | load DATA=casuser.Receipts outcaslib="sales" casout="Receipts" replace; |
| 19 | RUN; |
| 20 | |
| 21 | /* Révoquer toutes les permissions (ReadInfo, Select, Update, Delete) sur la table 'Receipts' pour 'userB' */ |
| 22 | PROC CAS; |
| 23 | ACCESSCONTROL.updSomeAcsTable |
| 24 | acs={ |
| 25 | {caslib="sales", |
| 26 | TABLE="Receipts", |
| 27 | identity="userB", |
| 28 | identityType="User", |
| 29 | permType="Deny", |
| 30 | permission="ReadInfo"}, |
| 31 | {caslib="sales", |
| 32 | TABLE="Receipts", |
| 33 | identity="userB", |
| 34 | identityType="User", |
| 35 | permType="Deny", |
| 36 | permission="Select"}, |
| 37 | {caslib="sales", |
| 38 | TABLE="Receipts", |
| 39 | identity="userB", |
| 40 | identityType="User", |
| 41 | permType="Deny", |
| 42 | permission="Update"}, |
| 43 | {caslib="sales", |
| 44 | TABLE="Receipts", |
| 45 | identity="userB", |
| 46 | identityType="User", |
| 47 | permType="Deny", |
| 48 | permission="Delete"} |
| 49 | }; |
| 50 | RUN; |
| 51 | |
| 52 | /* Vérifier les accès (en tant qu'administrateur) */ |
| 53 | PROC CAS; |
| 54 | ACCESSCONTROL.viewAcsTable{caslib="sales", TABLE="Receipts"}; |
| 55 | RUN; |
| 56 |
3 Code Block
CASL
Explanation :
This example creates a row-level filter for the 'SalesData' table. The `accessControl.updSomeAcsTable` action is used to grant the 'RowFilter' permission to 'groupEast' with the condition 'Region = 'East''. This means that any user member of 'groupEast' will only see rows where the 'Region' column is 'East', even if they have access to the entire table, providing dynamic and advanced access control.
This example creates a row-level filter for the 'SalesData' table. The `accessControl.updSomeAcsTable` action is used to grant the 'RowFilter' permission to 'groupEast' with the condition 'Region = 'East''. This means that any user member of 'groupEast' will only see rows where the 'Region' column is 'East', even if they have access to the entire table, providing dynamic and advanced access control.
Copied!
| 1 | CAS auto; |
| 2 | CASLIB _ALL_ assign; |
| 3 | |
| 4 | /* Créer une table de données avec une colonne région */ |
| 5 | DATA casuser.SalesData; |
| 6 | LENGTH Region $ 10 Product $ 10 Sales 8; |
| 7 | INPUT Region $ Product $ Sales; |
| 8 | DATALINES; |
| 9 | East A 100 |
| 10 | West B 150 |
| 11 | East C 200 |
| 12 | South D 50 |
| 13 | North E 120 |
| 14 | West F 180 |
| 15 | ; |
| 16 | RUN; |
| 17 | |
| 18 | /* Charger la table dans la caslib 'sales' */ |
| 19 | PROC CASUTIL; |
| 20 | load DATA=casuser.SalesData outcaslib="sales" casout="SalesData" replace; |
| 21 | RUN; |
| 22 | |
| 23 | /* Définir un filtre au niveau des lignes : 'groupEast' ne voit que les données de la région 'East' */ |
| 24 | PROC CAS; |
| 25 | ACCESSCONTROL.updSomeAcsTable |
| 26 | acs={ |
| 27 | {caslib="sales", |
| 28 | TABLE="SalesData", |
| 29 | identity="groupEast", |
| 30 | identityType="Group", |
| 31 | permType="Grant", |
| 32 | permission="RowFilter", |
| 33 | filter="Region = 'East'"} |
| 34 | }; |
| 35 | RUN; |
| 36 | |
| 37 | /* Vérifier les accès (en tant qu'administrateur, puis simuler groupEast) */ |
| 38 | PROC CAS; |
| 39 | ACCESSCONTROL.viewAcsTable{caslib="sales", TABLE="SalesData"}; |
| 40 | /* Pour tester, un utilisateur de 'groupEast' verrait : */ |
| 41 | /* proc cas; |
| 42 | simple.fetch caslib='sales' table='SalesData'; |
| 43 | run; */ |
| 44 | RUN; |
| 45 |
4 Code Block
CASL
Explanation :
This example uses the `accessControl.viewAcsCaslib` action to display all access controls defined on a specific caslib, here 'mylib'. This is a useful action for administrators to audit and understand the permissions applied to CAS resources. The example includes creating a temporary caslib and assigning a simple permission to make the example executable and relevant.
This example uses the `accessControl.viewAcsCaslib` action to display all access controls defined on a specific caslib, here 'mylib'. This is a useful action for administrators to audit and understand the permissions applied to CAS resources. The example includes creating a temporary caslib and assigning a simple permission to make the example executable and relevant.
Copied!
| 1 | CAS auto; |
| 2 | CASLIB _ALL_ assign; |
| 3 | |
| 4 | /* Supposons qu'une caslib 'mylib' existe et que des contrôles d'accès y sont définis */ |
| 5 | /* Vous pouvez créer une caslib de démonstration si nécessaire */ |
| 6 | PROC CAS; |
| 7 | caslib _name_="mylib" path="/tmp/mylib" subdirs; |
| 8 | RUN; |
| 9 | |
| 10 | /* Assigner des permissions de démonstration à la caslib */ |
| 11 | PROC CAS; |
| 12 | ACCESSCONTROL.updSomeAcsCaslib |
| 13 | acs={ |
| 14 | {caslib="mylib", |
| 15 | identity="userA", |
| 16 | identityType="User", |
| 17 | permType="Grant", |
| 18 | permission="Read"} |
| 19 | }; |
| 20 | RUN; |
| 21 | |
| 22 | /* Visualiser tous les contrôles d'accès définis pour la caslib 'mylib' */ |
| 23 | PROC CAS; |
| 24 | ACCESSCONTROL.viewAcsCaslib{caslib="mylib"}; |
| 25 | RUN; |
| 26 |
This material is provided "as is" by We Are Cas. There are no warranties, expressed or implied, as to merchantability or fitness for a particular purpose regarding the materials or code contained herein. We Are Cas is not responsible for errors in this material as it now exists or will exist, nor does We Are Cas provide technical support for it.
Copyright Info : Copyright © SAS Institute Inc. All Rights Reserved.
Expert Advice
Michael
Responsable de l'infrastructure Viya.
« For row-level security (RowFilters), ensure your filter expression is optimized for the CAS engine. Standard SQL syntax is supported, but keeping filters simple (e.g., Region = 'East') ensures they are processed efficiently during the initial data fetch across the distributed cluster. »