Attention : This code requires administrator privileges.
This CASL script illustrates how to use the 'updSomeAcsCaslib' action from the 'accessControl' action set to define access controls on a global caslib. The objective is to allow a user group ('groupA' in this example) to read information and select data within a caslib named 'caslibA'. It is crucial to grant both 'ReadInfo' (metadata reading) and 'Select' (data reading) for full read access. This mechanism is essential for managing data permissions and security in the SAS© Cloud Analytic Services (CAS) environment.
Data Analysis
Type : CREATION_INTERNE
Examples use caslib and group/user names that are fictitious or default existing ones in the Viya environment. No external data is required as the manipulation concerns security metadata.
1 Code Block
accessControl.updSomeAcsCaslib
Explanation :
This basic example shows how to make a global caslib (here 'myGlobalCaslib') available to a group ('groupA') with read permissions ('ReadInfo' and 'Select'). It includes the creation of a fictitious caslib and permission verification after granting.
This basic example shows how to make a global caslib (here 'myGlobalCaslib') available to a group ('groupA') with read permissions ('ReadInfo' and 'Select'). It includes the creation of a fictitious caslib and permission verification after granting.
Copied!
| 1 | /* Établir une session CAS si ce n'est pas déjà fait */ |
| 2 | cas casauto; |
| 3 | |
| 4 | /* Définir une caslib globale si elle n'existe pas */ |
| 5 | /* Remplacez 'myGlobalCaslib' par le nom de votre caslib et le chemin si nécessaire */ |
| 6 | PROC CASUTIL; |
| 7 | addcaslib caslib='myGlobalCaslib' path='/cas/data/myGlobalCaslib' sessref=casauto; |
| 8 | QUIT; |
| 9 | |
| 10 | /* Octroyer les permissions ReadInfo et Select au groupe 'groupA' sur 'myGlobalCaslib' */ |
| 11 | ACCESSCONTROL.updSomeAcsCaslib / |
| 12 | acs={ |
| 13 | {caslib="myGlobalCaslib", |
| 14 | identity="groupA", |
| 15 | identityType="Group", |
| 16 | permType="Grant", |
| 17 | permission="ReadInfo"}, |
| 18 | {caslib="myGlobalCaslib", |
| 19 | identity="groupA", |
| 20 | identityType="Group", |
| 21 | permType="Grant", |
| 22 | permission="Select"} |
| 23 | }; |
| 24 | RUN; |
| 25 | |
| 26 | /* Vérifier les contrôles d'accès de la caslib */ |
| 27 | ACCESSCONTROL.viewCaslibAcs / caslib="myGlobalCaslib"; |
| 28 | RUN; |
2 Code Block
accessControl.updSomeAcsCaslib
Explanation :
This intermediate example grants 'Write' permission to a specific user ('userB') on an existing caslib ('existingCaslib'). Permission verification confirms the application of changes.
This intermediate example grants 'Write' permission to a specific user ('userB') on an existing caslib ('existingCaslib'). Permission verification confirms the application of changes.
Copied!
| 1 | /* Établir une session CAS si ce n'est pas déjà fait */ |
| 2 | cas casauto; |
| 3 | |
| 4 | /* Supposons que 'existingCaslib' existe */ |
| 5 | /* Octroyer la permission Write à l'utilisateur 'userB' sur 'existingCaslib' */ |
| 6 | ACCESSCONTROL.updSomeAcsCaslib / |
| 7 | acs={ |
| 8 | {caslib="existingCaslib", |
| 9 | identity="userB", |
| 10 | identityType="User", |
| 11 | permType="Grant", |
| 12 | permission="Write"} |
| 13 | }; |
| 14 | RUN; |
| 15 | |
| 16 | /* Vérifier les contrôles d'accès de la caslib 'existingCaslib' */ |
| 17 | ACCESSCONTROL.viewCaslibAcs / caslib="existingCaslib"; |
| 18 | RUN; |
3 Code Block
accessControl.updSomeAcsCaslib
Explanation :
This advanced example shows how to explicitly revoke multiple permissions (ReadInfo, Select, Write, Delete) from a group ('groupA') on a caslib ('myGlobalCaslib'). This is useful for withdrawing previously granted access.
This advanced example shows how to explicitly revoke multiple permissions (ReadInfo, Select, Write, Delete) from a group ('groupA') on a caslib ('myGlobalCaslib'). This is useful for withdrawing previously granted access.
Copied!
| 1 | /* Établir une session CAS si ce n'est pas déjà fait */ |
| 2 | cas casauto; |
| 3 | |
| 4 | /* Révoquer toutes les permissions du groupe 'groupA' sur 'myGlobalCaslib' */ |
| 5 | ACCESSCONTROL.updSomeAcsCaslib / |
| 6 | acs={ |
| 7 | {caslib="myGlobalCaslib", |
| 8 | identity="groupA", |
| 9 | identityType="Group", |
| 10 | permType="Revoke", |
| 11 | permission="ReadInfo"}, |
| 12 | {caslib="myGlobalCaslib", |
| 13 | identity="groupA", |
| 14 | identityType="Group", |
| 15 | permType="Revoke", |
| 16 | permission="Select"}, |
| 17 | {caslib="myGlobalCaslib", |
| 18 | identity="groupA", |
| 19 | identityType="Group", |
| 20 | permType="Revoke", |
| 21 | permission="Write"}, |
| 22 | {caslib="myGlobalCaslib", |
| 23 | identity="groupA", |
| 24 | identityType="Group", |
| 25 | permType="Revoke", |
| 26 | permission="Delete"} |
| 27 | }; |
| 28 | RUN; |
| 29 | |
| 30 | /* Vérifier que le groupe 'groupA' n'a plus de permissions explicites sur 'myGlobalCaslib' */ |
| 31 | ACCESSCONTROL.viewCaslibAcs / caslib="myGlobalCaslib"; |
| 32 | RUN; |
4 Code Block
accessControl.updSomeAcsCaslib, session.addCaslib
Explanation :
This Viya/CAS-oriented example illustrates the creation of a temporary caslib ('tempCaslib') within the active CAS session, followed by the application of default access controls, granting read permissions ('ReadInfo' and 'Select') to the 'public' group. Cleanup of the caslib at the end of the session is also included.
This Viya/CAS-oriented example illustrates the creation of a temporary caslib ('tempCaslib') within the active CAS session, followed by the application of default access controls, granting read permissions ('ReadInfo' and 'Select') to the 'public' group. Cleanup of the caslib at the end of the session is also included.
Copied!
| 1 | /* Établir une session CAS si ce n'est pas déjà fait */ |
| 2 | cas casauto; |
| 3 | |
| 4 | /* Créer une caslib temporaire 'tempCaslib' pour la session actuelle */ |
| 5 | SESSION.addCaslib / caslib='tempCaslib' active=true; |
| 6 | RUN; |
| 7 | |
| 8 | /* Définir des permissions par défaut sur 'tempCaslib' : octroyer ReadInfo/Select à 'public' */ |
| 9 | ACCESSCONTROL.updSomeAcsCaslib / |
| 10 | acs={ |
| 11 | {caslib="tempCaslib", |
| 12 | identity="public", |
| 13 | identityType="Group", |
| 14 | permType="Grant", |
| 15 | permission="ReadInfo"}, |
| 16 | {caslib="tempCaslib", |
| 17 | identity="public", |
| 18 | identityType="Group", |
| 19 | permType="Grant", |
| 20 | permission="Select"} |
| 21 | }; |
| 22 | RUN; |
| 23 | |
| 24 | /* Vérifier les contrôles d'accès de la caslib temporaire */ |
| 25 | ACCESSCONTROL.viewCaslibAcs / caslib="tempCaslib"; |
| 26 | RUN; |
| 27 | |
| 28 | /* Nettoyage : retirer la caslib temporaire à la fin de la session */ |
| 29 | SESSION.dropCaslib / caslib='tempCaslib'; |
| 30 | RUN; |
This material is provided "as is" by We Are Cas. There are no warranties, expressed or implied, as to merchantability or fitness for a particular purpose regarding the materials or code contained herein. We Are Cas is not responsible for errors in this material as it now exists or will exist, nor does We Are Cas provide technical support for it.
Copyright Info : Copyright © SAS Institute Inc. All Rights Reserved.
Expert Advice
Michael
Responsable de l'infrastructure Viya.
« Always use the accessControl.viewCaslibAcs action immediately after a modification. This allows you to verify the "Effective Access," ensuring that a Revoke on one group isn't accidentally blocking a user who belongs to multiple departments. »