Attention : This code requires administrator privileges.
This CAS action provides detailed information on the effective access rights of a user or group to a specific resource (table, caslib, or column) on the CAS server. It takes into account all explicit and inherited access rules, as well as the presence of row-level filters. The results indicate, for each relevant identity and permission, whether access is authorized (explicitly or inherited), unauthorized, or filtered. Decisions can be returned numerically (by default) or textually for better readability.
Data Analysis
Type : CREATION_INTERNE
The provided examples create their own data via DATA steps with DATALINES or use default caslibs like `casuser` to ensure their autonomy and executability.
1 Code Block
DATA STEP / PROC CAS Data
Explanation :
This example illustrates the simplest use of the `whatIsEffective` action for a specific table. It first creates a small in-memory CAS table (`casuser.mydata`), then calls the `whatIsEffective` action by specifying the caslib (`casuser`), the object type (`table`), and the table name (`mydata`). The results display the effective access for relevant users and groups by default in numeric form.
This example illustrates the simplest use of the `whatIsEffective` action for a specific table. It first creates a small in-memory CAS table (`casuser.mydata`), then calls the `whatIsEffective` action by specifying the caslib (`casuser`), the object type (`table`), and the table name (`mydata`). The results display the effective access for relevant users and groups by default in numeric form.
Copied!
| 1 | /* Création d'une table CAS temporaire pour l'exemple */ |
| 2 | DATA casuser.mydata; |
| 3 | INPUT id name $; |
| 4 | DATALINES; |
| 5 | 1 Alice |
| 6 | 2 Bob |
| 7 | 3 Charlie |
| 8 | ; |
| 9 | RUN; |
| 10 | |
| 11 | PROC CAS; |
| 12 | /* Connexion à la session CAS par défaut */ |
| 13 | SESSION casauto; |
| 14 | |
| 15 | /* Vérification de l'accès effectif à la table 'mydata' dans la caslib 'casuser' */ |
| 16 | ACCESSCONTROL.whatIsEffective / |
| 17 | objectSelector={caslib="casuser",objType="table",TABLE="mydata"}; |
| 18 | QUIT; |
| 19 | |
| 20 | /* Nettoyage de la table temporaire */ |
| 21 | PROC CAS; |
| 22 | SESSION casauto; |
| 23 | TABLE.dropTable / caslib="casuser", name="mydata"; |
| 24 | QUIT; |
2 Code Block
DATA STEP / PROC CAS Data
Explanation :
This advanced example shows how to specify identities (users or groups) for which effective access should be checked. The `returnDecisionText=TRUE` option is used to obtain more readable results (e.g., 'Authorized', 'Not Authorized') instead of numeric codes. Here, access is checked for 'sasadm' (a typical administrator user) and 'sasguest' (a guest user) on a sales data table.
This advanced example shows how to specify identities (users or groups) for which effective access should be checked. The `returnDecisionText=TRUE` option is used to obtain more readable results (e.g., 'Authorized', 'Not Authorized') instead of numeric codes. Here, access is checked for 'sasadm' (a typical administrator user) and 'sasguest' (a guest user) on a sales data table.
Copied!
| 1 | /* Création d'une table CAS temporaire pour l'exemple */ |
| 2 | DATA casuser.sales_data; |
| 3 | INPUT region $ sales; |
| 4 | DATALINES; |
| 5 | East 100 |
| 6 | West 150 |
| 7 | North 200 |
| 8 | South 120 |
| 9 | ; |
| 10 | RUN; |
| 11 | |
| 12 | PROC CAS; |
| 13 | SESSION casauto; |
| 14 | |
| 15 | /* Vérification de l'accès effectif pour des identités spécifiques */ |
| 16 | /* et demande un résultat en texte compréhensible */ |
| 17 | ACCESSCONTROL.whatIsEffective / |
| 18 | objectSelector={caslib="casuser", objType="table", TABLE="sales_data"}, |
| 19 | identities={ |
| 20 | {{id="sasadm", idType="user"}}, /* Exemple: administrateur CAS */ |
| 21 | {{id="sasguest", idType="user"}} /* Exemple: utilisateur invité */ |
| 22 | }, |
| 23 | returnDecisionText=TRUE; /* Demander le texte de décision au lieu des codes numériques */ |
| 24 | QUIT; |
| 25 | |
| 26 | /* Nettoyage de la table temporaire */ |
| 27 | PROC CAS; |
| 28 | SESSION casauto; |
| 29 | TABLE.dropTable / caslib="casuser", name="sales_data"; |
| 30 | QUIT; |
3 Code Block
DATA STEP / PROC CAS Data
Explanation :
This example demonstrates the flexibility of the `whatIsEffective` action by applying it to an entire caslib rather than a specific table. It also uses macro variables (`%let`) to dynamicize caslib and group names, which is common in more complex SAS scripts. Here, the effective access of the `CASHostAccountUsers` group to the `casuser` caslib is checked.
This example demonstrates the flexibility of the `whatIsEffective` action by applying it to an entire caslib rather than a specific table. It also uses macro variables (`%let`) to dynamicize caslib and group names, which is common in more complex SAS scripts. Here, the effective access of the `CASHostAccountUsers` group to the `casuser` caslib is checked.
Copied!
| 1 | /* Création d'une table CAS temporaire pour s'assurer que la caslib casuser contient des données */ |
| 2 | DATA casuser.products; |
| 3 | INPUT product $ price; |
| 4 | DATALINES; |
| 5 | Apple 1.00 |
| 6 | Banana 0.50 |
| 7 | Orange 0.75 |
| 8 | ; |
| 9 | RUN; |
| 10 | |
| 11 | %let targetCaslib = casuser; |
| 12 | %let targetGroup = CASHostAccountUsers; |
| 13 | |
| 14 | PROC CAS; |
| 15 | SESSION casauto; |
| 16 | |
| 17 | /* Vérifier l'accès effectif pour une caslib entière pour un groupe */ |
| 18 | ACCESSCONTROL.whatIsEffective / |
| 19 | objectSelector={caslib="&targetCaslib", objType="caslib"}, |
| 20 | identities={ |
| 21 | {{id="&targetGroup", idType="group"}} /* Vérifier pour le groupe d'utilisateurs CAS */ |
| 22 | }, |
| 23 | returnDecisionText=TRUE; |
| 24 | QUIT; |
| 25 | |
| 26 | /* Nettoyage de la table temporaire */ |
| 27 | PROC CAS; |
| 28 | SESSION casauto; |
| 29 | TABLE.dropTable / caslib="casuser", name="products"; |
| 30 | QUIT; |
4 Code Block
DATA STEP / PROC CAS Data
Explanation :
This more advanced example aims to illustrate the detection of row-level filters by `whatIsEffective`. It creates a table, then checks access for an administrator and a hypothetical user (`user101`). If a filter had previously been configured for `user101` on this table (e.g., to only see their own transactions), the `whatIsEffective` action would report it with a decision like 'Authorized with Filter'. The code to add such a filter is included for indicative purposes but commented out, as it would require administrative privileges and be a separate action.
This more advanced example aims to illustrate the detection of row-level filters by `whatIsEffective`. It creates a table, then checks access for an administrator and a hypothetical user (`user101`). If a filter had previously been configured for `user101` on this table (e.g., to only see their own transactions), the `whatIsEffective` action would report it with a decision like 'Authorized with Filter'. The code to add such a filter is included for indicative purposes but commented out, as it would require administrative privileges and be a separate action.
Copied!
| 1 | /* Création d'une table CAS temporaire */ |
| 2 | DATA casuser.transactions; |
| 3 | INPUT transaction_id amount user_id; |
| 4 | DATALINES; |
| 5 | 1 100 101 |
| 6 | 2 50 102 |
| 7 | 3 200 101 |
| 8 | 4 75 103 |
| 9 | ; |
| 10 | RUN; |
| 11 | |
| 12 | /* Création d'une table temporaire avec des contrôles d'accès basiques (pour simuler un filtre si possible) */ |
| 13 | /* NOTE: L'ajout de contrôles de table avec filtres est une opération distincte. */ |
| 14 | /* Cet exemple suppose qu'un filtre pourrait exister et montre comment whatIsEffective le révélerait. */ |
| 15 | |
| 16 | PROC CAS; |
| 17 | SESSION casauto; |
| 18 | |
| 19 | /* Tentative de vérifier l'accès effectif pour un utilisateur qui pourrait avoir un filtre */ |
| 20 | /* Si un filtre est en place, le résultat de returnDecisionText=TRUE affichera 'Authorized with Filter'. */ |
| 21 | ACCESSCONTROL.whatIsEffective / |
| 22 | objectSelector={caslib="casuser", objType="table", TABLE="transactions"}, |
| 23 | identities={ |
| 24 | {{id="sasadm", idType="user"}}, /* Utilisateur administrateur */ |
| 25 | {{id="user101", idType="user"}} /* Utilisateur potentiel avec un filtre */ |
| 26 | }, |
| 27 | returnDecisionText=TRUE; |
| 28 | |
| 29 | /* Pour un véritable test de filtre, vous devriez d'abord ajouter un filtre */ |
| 30 | /* Exemple (commenté, car cela dépend de la configuration et des privilèges): */ |
| 31 | /* accessControl.addTableControls / caslib="casuser", name="transactions", */ |
| 32 | /* grant={{id="user101", idType="user", permissions={"select"}}, filter="user_id = 101"}; */ |
| 33 | QUIT; |
| 34 | |
| 35 | /* Nettoyage de la table temporaire */ |
| 36 | PROC CAS; |
| 37 | SESSION casauto; |
| 38 | TABLE.dropTable / caslib="casuser", name="transactions"; |
| 39 | QUIT; |
This material is provided "as is" by We Are Cas. There are no warranties, expressed or implied, as to merchantability or fitness for a particular purpose regarding the materials or code contained herein. We Are Cas is not responsible for errors in this material as it now exists or will exist, nor does We Are Cas provide technical support for it.
Copyright Info : Copyright © SAS Institute Inc. All Rights Reserved.
