Attention : This code requires administrator privileges.
The 'accessControl.updSomeAcsTable' action allows modifying access controls for CAS resources. By specifying 'permType="None"' for a given combination of caslib, table, identity, and identity type, any direct access control explicitly defined for that combination is removed. This means that the specified identity's access to the table will then be determined by the groups to which it belongs or by access settings inherited from the parent caslib. This action is crucial for managing the granularity of permissions in a SAS© Viya™ environment.
Data Analysis
Type : INTERNAL_CREATION
The examples generate temporary data to illustrate the application of access controls before their removal.
1 Code Block
CAS Action Data
Explanation :
This example demonstrates the basic use of 'updSomeAcsTable' to revoke a specific 'Select' permission. It starts by creating a table, explicitly granting 'Select' access to 'groupA', then uses 'updSomeAcsTable' with 'permType="None"' to remove this direct control. The intermediate 'listAcsTable' steps allow visualizing the state of permissions before and after the operation.
This example demonstrates the basic use of 'updSomeAcsTable' to revoke a specific 'Select' permission. It starts by creating a table, explicitly granting 'Select' access to 'groupA', then uses 'updSomeAcsTable' with 'permType="None"' to remove this direct control. The intermediate 'listAcsTable' steps allow visualizing the state of permissions before and after the operation.
Copied!
| 1 | /* Début de l'exemple 1: Suppression Basique d'un Accès SELECT */ |
| 2 | |
| 3 | /* Création d'une session CAS */ |
| 4 | CAS casauto; |
| 5 | |
| 6 | /* Création d'une caslib temporaire pour l'exemple */ |
| 7 | CASLIB mycaslib_temp LIBRARY="/tmp/mycaslib_temp" ; |
| 8 | |
| 9 | /* Charger des données de démonstration dans une table CAS temporaire */ |
| 10 | DATA casuser.tableA; |
| 11 | INPUT id $ name $; |
| 12 | DATALINES; |
| 13 | 1 John |
| 14 | 2 Jane |
| 15 | ; |
| 16 | RUN; |
| 17 | |
| 18 | /* Sauvegarder la table en sashdat pour qu'elle puisse avoir des contrôles d'accès directs */ |
| 19 | PROC CASUTIL incaslib="casuser" outcaslib="mycaslib_temp" ; |
| 20 | save casuser.tableA replace ; |
| 21 | QUIT; |
| 22 | |
| 23 | /* Vérifier les contrôles d'accès existants (normalement aucun direct au début) */ |
| 24 | PROC CAS; |
| 25 | ACCESSCONTROL.listAcsTable / |
| 26 | caslib="mycaslib_temp", |
| 27 | TABLE="tableA.sashdat" ; |
| 28 | QUIT; |
| 29 | |
| 30 | /* Ajouter un contrôle d'accès direct 'Select' pour groupA sur tableA */ |
| 31 | PROC CAS; |
| 32 | ACCESSCONTROL.modAcsTable / |
| 33 | caslib="mycaslib_temp", |
| 34 | TABLE="tableA.sashdat", |
| 35 | identity="groupA", |
| 36 | identityType="Group", |
| 37 | permission="Select", |
| 38 | permType="Grant" ; |
| 39 | QUIT; |
| 40 | |
| 41 | /* Vérifier que le contrôle d'accès direct a été ajouté */ |
| 42 | PROC CAS; |
| 43 | ACCESSCONTROL.listAcsTable / |
| 44 | caslib="mycaslib_temp", |
| 45 | TABLE="tableA.sashdat" ; |
| 46 | QUIT; |
| 47 | |
| 48 | /* Supprimer le contrôle d'accès direct 'Select' pour groupA sur tableA */ |
| 49 | PROC CAS; |
| 50 | ACCESSCONTROL.updSomeAcsTable / |
| 51 | acs={ |
| 52 | {caslib="mycaslib_temp", |
| 53 | TABLE="tableA.sashdat", |
| 54 | identity="groupA", |
| 55 | identityType="Group", |
| 56 | permType="None", |
| 57 | permission="Select"} |
| 58 | }; |
| 59 | QUIT; |
| 60 | |
| 61 | /* Vérifier que le contrôle d'accès direct a été supprimé */ |
| 62 | PROC CAS; |
| 63 | ACCESSCONTROL.listAcsTable / |
| 64 | caslib="mycaslib_temp", |
| 65 | TABLE="tableA.sashdat" ; |
| 66 | QUIT; |
| 67 | |
| 68 | /* Nettoyer: Supprimer la table CAS et la caslib temporaire */ |
| 69 | PROC CASUTIL incaslib="mycaslib_temp" ; |
| 70 | drop tableA ; |
| 71 | QUIT; |
| 72 | CASLIB mycaslib_temp DROP ; |
| 73 | CAS; |
| 74 | /* Fin de l'exemple 1 */ |
2 Code Block
CAS Action Data
Explanation :
This example illustrates how to remove multiple direct access permissions ('Read' and 'Write') for a user ('userX') on a specific table ('tableB.sashdat') in a single 'updSomeAcsTable' execution. The syntax uses an 'acs' array to include multiple permission objects, each specifying 'permType="None"'.
This example illustrates how to remove multiple direct access permissions ('Read' and 'Write') for a user ('userX') on a specific table ('tableB.sashdat') in a single 'updSomeAcsTable' execution. The syntax uses an 'acs' array to include multiple permission objects, each specifying 'permType="None"'.
Copied!
| 1 | /* Début de l'exemple 2: Suppression de Multiples Permissions pour un Utilisateur */ |
| 2 | |
| 3 | CAS casauto; |
| 4 | CASLIB mycaslib_temp2 LIBRARY="/tmp/mycaslib_temp2"; |
| 5 | |
| 6 | DATA casuser.tableB; |
| 7 | INPUT id $ value; |
| 8 | DATALINES; |
| 9 | A 10 |
| 10 | B 20 |
| 11 | ; |
| 12 | RUN; |
| 13 | |
| 14 | PROC CASUTIL incaslib="casuser" outcaslib="mycaslib_temp2"; |
| 15 | save casuser.tableB replace; |
| 16 | QUIT; |
| 17 | |
| 18 | /* Accorder des permissions 'Read' et 'Write' directes à 'userX' sur 'tableB' */ |
| 19 | PROC CAS; |
| 20 | ACCESSCONTROL.modAcsTable / |
| 21 | caslib="mycaslib_temp2", |
| 22 | TABLE="tableB.sashdat", |
| 23 | identity="userX", |
| 24 | identityType="User", |
| 25 | permission="Read", |
| 26 | permType="Grant"; |
| 27 | ACCESSCONTROL.modAcsTable / |
| 28 | caslib="mycaslib_temp2", |
| 29 | TABLE="tableB.sashdat", |
| 30 | identity="userX", |
| 31 | identityType="User", |
| 32 | permission="Write", |
| 33 | permType="Grant"; |
| 34 | QUIT; |
| 35 | |
| 36 | /* Lister les ACLs pour vérifier */ |
| 37 | PROC CAS; |
| 38 | ACCESSCONTROL.listAcsTable / |
| 39 | caslib="mycaslib_temp2", |
| 40 | TABLE="tableB.sashdat"; |
| 41 | QUIT; |
| 42 | |
| 43 | /* Supprimer les contrôles d'accès directs 'Read' et 'Write' pour 'userX' */ |
| 44 | PROC CAS; |
| 45 | ACCESSCONTROL.updSomeAcsTable / |
| 46 | acs={ |
| 47 | {caslib="mycaslib_temp2", |
| 48 | TABLE="tableB.sashdat", |
| 49 | identity="userX", |
| 50 | identityType="User", |
| 51 | permType="None", |
| 52 | permission="Read"}, |
| 53 | {caslib="mycaslib_temp2", |
| 54 | TABLE="tableB.sashdat", |
| 55 | identity="userX", |
| 56 | identityType="User", |
| 57 | permType="None", |
| 58 | permission="Write"} |
| 59 | }; |
| 60 | QUIT; |
| 61 | |
| 62 | /* Lister les ACLs pour vérifier la suppression */ |
| 63 | PROC CAS; |
| 64 | ACCESSCONTROL.listAcsTable / |
| 65 | caslib="mycaslib_temp2", |
| 66 | TABLE="tableB.sashdat"; |
| 67 | QUIT; |
| 68 | |
| 69 | /* Nettoyer: Supprimer la table CAS et la caslib temporaire */ |
| 70 | PROC CASUTIL incaslib="mycaslib_temp2" ; |
| 71 | drop tableB ; |
| 72 | QUIT; |
| 73 | CASLIB mycaslib_temp2 DROP ; |
| 74 | CAS; |
| 75 | /* Fin de l'exemple 2 */ |
3 Code Block
CAS Action / CASL Data
Explanation :
This example combines CASL (SAS Cloud Analytic Services Language) with the 'accessControl.updSomeAcsTable' action. A CASL macro is created to first list a table's access controls, check if a specific direct permission ('Delete' for 'userZ') exists, and only if it exists, remove it using 'updSomeAcsTable'. This illustrates a more robust and conditional management of rights.
This example combines CASL (SAS Cloud Analytic Services Language) with the 'accessControl.updSomeAcsTable' action. A CASL macro is created to first list a table's access controls, check if a specific direct permission ('Delete' for 'userZ') exists, and only if it exists, remove it using 'updSomeAcsTable'. This illustrates a more robust and conditional management of rights.
Copied!
| 1 | /* Début de l'exemple 3: Suppression Conditionnelle d'Accès et Vérification */ |
| 2 | |
| 3 | CAS casauto; |
| 4 | CASLIB mycaslib_temp3 LIBRARY="/tmp/mycaslib_temp3"; |
| 5 | |
| 6 | DATA casuser.tableC; |
| 7 | INPUT id $ value; |
| 8 | DATALINES; |
| 9 | X 100 |
| 10 | Y 200 |
| 11 | ; |
| 12 | RUN; |
| 13 | |
| 14 | PROC CASUTIL incaslib="casuser" outcaslib="mycaslib_temp3"; |
| 15 | save casuser.tableC replace; |
| 16 | QUIT; |
| 17 | |
| 18 | /* Accorder temporairement une permission 'Delete' à 'userZ' */ |
| 19 | PROC CAS; |
| 20 | ACCESSCONTROL.modAcsTable / |
| 21 | caslib="mycaslib_temp3", |
| 22 | TABLE="tableC.sashdat", |
| 23 | identity="userZ", |
| 24 | identityType="User", |
| 25 | permission="Delete", |
| 26 | permType="Grant"; |
| 27 | QUIT; |
| 28 | |
| 29 | /* Utiliser CASL pour vérifier si la permission 'Delete' existe avant de la supprimer */ |
| 30 | %macro check_and_remove(caslib, TABLE, identity, permission); |
| 31 | PROC CAS; |
| 32 | outargs=\"acltable\" accessControl.listAcsTable / |
| 33 | caslib=&caslib, |
| 34 | table=&table; |
| 35 | quit; |
| 36 | |
| 37 | %local found_direct_delete; |
| 38 | %let found_direct_delete = 0; |
| 39 | |
| 40 | %do i = 1 %to &acltable.Acl.nobs; |
| 41 | %if "&acltable.Acl[&i,identity]" = "&identity" and |
| 42 | "&acltable.Acl[&i,permission]" = "&permission" and |
| 43 | "&acltable.Acl[&i,permType]" = "Direct" %then %do; |
| 44 | %let found_direct_delete = 1; |
| 45 | %goto found; |
| 46 | %end; |
| 47 | %end; |
| 48 | |
| 49 | %found: |
| 50 | |
| 51 | %if &found_direct_delete = 1 %then %do; |
| 52 | %put NOTE: Permission &permission for &identity found. Attempting to remove direct control.; |
| 53 | proc cas; |
| 54 | accessControl.updSomeAcsTable / |
| 55 | acs={ |
| 56 | {caslib="&caslib", |
| 57 | table="&TABLE", |
| 58 | identity="&identity", |
| 59 | identityType="User", |
| 60 | permType="None", |
| 61 | permission="&permission"} |
| 62 | }; |
| 63 | quit; |
| 64 | %put NOTE: Direct control for &permission for &identity removed.; |
| 65 | %end; |
| 66 | %else %do; |
| 67 | %put NOTE: No direct permission &permission found for &identity.; |
| 68 | %end; |
| 69 | |
| 70 | /* Re-lister pour confirmation */ |
| 71 | proc cas; |
| 72 | accessControl.listAcsTable / |
| 73 | caslib=&caslib, |
| 74 | table=&table ; |
| 75 | quit; |
| 76 | %mend; |
| 77 | |
| 78 | /* Exécuter la macro */ |
| 79 | %check_and_remove(mycaslib_temp3, tableC.sashdat, userZ, Delete); |
| 80 | |
| 81 | /* Nettoyer: Supprimer la table CAS et la caslib temporaire */ |
| 82 | proc casutil incaslib="mycaslib_temp3" ; |
| 83 | drop tableC ; |
| 84 | quit; |
| 85 | CASLIB mycaslib_temp3 DROP ; |
| 86 | CAS; |
| 87 | /* Fin de l'exemple 3 */ |
4 Code Block
CAS Action Data
Explanation :
This example focuses on managing access controls for transient tables (in-memory CAS). It creates a temporary table, grants direct 'Alter' permission to 'userY', then uses 'updSomeAcsTable' to revoke this permission. This is relevant in Viya/CAS environments where in-memory tables can also have ACLs.
This example focuses on managing access controls for transient tables (in-memory CAS). It creates a temporary table, grants direct 'Alter' permission to 'userY', then uses 'updSomeAcsTable' to revoke this permission. This is relevant in Viya/CAS environments where in-memory tables can also have ACLs.
Copied!
| 1 | /* Début de l'exemple 4: Gestion de l'Accès pour une Table Transitoire (Viya/CAS) */ |
| 2 | |
| 3 | CAS casauto; |
| 4 | |
| 5 | /* Créer une table CAS transitoire (en mémoire, caslib 'casuser' par défaut) */ |
| 6 | DATA casuser.temp_data; |
| 7 | INPUT col1 col2; |
| 8 | DATALINES; |
| 9 | 10 20 |
| 10 | 30 40 |
| 11 | ; |
| 12 | RUN; |
| 13 | |
| 14 | /* Accorder un accès 'Alter' direct à un 'userY' sur la table transitoire */ |
| 15 | PROC CAS; |
| 16 | ACCESSCONTROL.modAcsTable / |
| 17 | caslib="casuser", |
| 18 | TABLE="temp_data", |
| 19 | identity="userY", |
| 20 | identityType="User", |
| 21 | permission="Alter", |
| 22 | permType="Grant"; |
| 23 | QUIT; |
| 24 | |
| 25 | /* Lister les ACLs pour vérifier */ |
| 26 | PROC CAS; |
| 27 | ACCESSCONTROL.listAcsTable / |
| 28 | caslib="casuser", |
| 29 | TABLE="temp_data"; |
| 30 | QUIT; |
| 31 | |
| 32 | /* Supprimer le contrôle d'accès direct 'Alter' pour 'userY' */ |
| 33 | PROC CAS; |
| 34 | ACCESSCONTROL.updSomeAcsTable / |
| 35 | acs={ |
| 36 | {caslib="casuser", |
| 37 | TABLE="temp_data", |
| 38 | identity="userY", |
| 39 | identityType="User", |
| 40 | permType="None", |
| 41 | permission="Alter"} |
| 42 | }; |
| 43 | QUIT; |
| 44 | |
| 45 | /* Lister les ACLs pour vérifier la suppression */ |
| 46 | PROC CAS; |
| 47 | ACCESSCONTROL.listAcsTable / |
| 48 | caslib="casuser", |
| 49 | TABLE="temp_data"; |
| 50 | QUIT; |
| 51 | |
| 52 | /* Nettoyer: Supprimer la table CAS transitoire */ |
| 53 | PROC CASUTIL incaslib="casuser" ; |
| 54 | drop temp_data ; |
| 55 | QUIT; |
| 56 | CAS; |
| 57 | /* Fin de l'exemple 4 */ |
This material is provided "as is" by We Are Cas. There are no warranties, expressed or implied, as to merchantability or fitness for a particular purpose regarding the materials or code contained herein. We Are Cas is not responsible for errors in this material as it now exists or will exist, nor does We Are Cas provide technical support for it.
Expert Advice
Michael
Responsable de l'infrastructure Viya.
« Always run accessControl.listAcsTable before and after using this action. Verifying the state of the ACL ensures that removing a direct control achieves the desired result through inheritance rather than inadvertently leaving a user with no access at all. »