The 'Factory Reset' for Permissions: Using remAllAcsData to Clean Up CAS Tables

Difficulty Level: Beginner
Published on :
Michael

Expert Advice

Michael
Viya Infrastructure Manager.

It is crucial to remember that accessControl.remAllAcsData only removes Table-Level permissions. If you have applied Column-Level security (e.g., hiding a "Salary" column from specific users), those rules are stored separately and will persist even after you run this command. You must use accessControl.remAllAcsColumn if you want to perform a true "clean slate" reset on the data structure.

Attention: This code requires administrator privileges.

The accessControl.remAllAcsData action is used to revoke all direct access controls (ACLs) specifically defined on a CAS table. Once this action is executed, the table's access permissions are again determined by the access rules of the CAS library (caslib) to which it belongs. This action is essential for simplifying permission management or for correcting specific access configurations that might hinder inherited access. It only affects table-level access controls and not column-level access controls.
Data Analysis

The examples create temporary CAS tables for demonstration purposes, using either datalines or SASHELP data.

1 Code Block
CAS Action / DATA STEP Data
Explanation :
This example creates a temporary table 'ma_table_test' in a temporary caslib '_NAME_TEMP_'. A direct access control is then applied for a dummy user ('sasguest'). The `accessControl.remAllAcsData` action is then used to remove this direct access control, reverting the table to inherit permissions from the caslib. Verification steps (`showTableAcl`) allow confirming the permission status before and after the operation. The example includes the creation and cleanup of temporary resources.
CAS casauto;

/* Create a temporary caslib and a simple table.
   LIBREF= assigns a libref (8 characters at most) so the DATA step can write to the caslib. */
caslib _NAME_TEMP_ datasource=(srctype='path') path='/tmp/' sessref=casauto libref=tmplib1;
DATA tmplib1.ma_table_test;
  x=1;
  OUTPUT;
RUN;

/* Apply a direct access control for the demonstration */
PROC CAS;
  ACCESSCONTROL.addTableAcl / caslib='_NAME_TEMP_', TABLE='ma_table_test', userId='sasguest', perm='read';
RUN;

/* Check the access controls before the reset (optional) */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_', TABLE='ma_table_test';
RUN;

/* Reset all direct access controls for 'ma_table_test' */
PROC CAS;
  ACCESSCONTROL.remAllAcsData /
    caslib='_NAME_TEMP_',
    TABLE='ma_table_test';
RUN;

/* Check the access controls after the reset */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_', TABLE='ma_table_test';
RUN;

/* Cleanup (dropCaslib belongs to the table action set) */
PROC CAS;
  TABLE.dropTable / caslib='_NAME_TEMP_', name='ma_table_test';
  TABLE.dropCaslib / caslib='_NAME_TEMP_';
RUN;
QUIT;

2 Code Block
CAS Action Data
Explanation :
This example illustrates reverting access controls for a table after several direct permissions have been applied. It creates an 'autre_table' based on SASHELP.CLASS, adds specific permissions for 'sasguest' and 'sasuser', then uses `remAllAcsData` to revoke everything. Verification is performed before and after the reset to visualize the change and ensure the table has returned to its inherited access state.
CAS casauto;

/* Create a temporary caslib and a table.
   LIBREF= assigns a libref (8 characters at most) so the DATA step can write to the caslib. */
caslib _NAME_TEMP_2 datasource=(srctype='path') path='/tmp/' sessref=casauto libref=tmplib2;
DATA tmplib2.autre_table;
  SET sashelp.class;
RUN;

/* Apply several direct ACLs */
PROC CAS;
  ACCESSCONTROL.addTableAcl / caslib='_NAME_TEMP_2', TABLE='autre_table', userId='sasguest', perm='read';
  ACCESSCONTROL.addTableAcl / caslib='_NAME_TEMP_2', TABLE='autre_table', userId='sasuser', perm='update';
RUN;

/* Display the ACLs before removing them */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_2', TABLE='autre_table';
RUN;

/* Reset the direct access controls */
PROC CAS;
  ACCESSCONTROL.remAllAcsData / caslib='_NAME_TEMP_2', TABLE='autre_table';
RUN;

/* Display the ACLs after the reset to confirm inheritance */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_2', TABLE='autre_table';
RUN;

/* Cleanup (dropCaslib belongs to the table action set) */
PROC CAS;
  TABLE.dropTable / caslib='_NAME_TEMP_2', name='autre_table';
  TABLE.dropCaslib / caslib='_NAME_TEMP_2';
RUN;
QUIT;

3 Code Block
CAS Action Data
Explanation :
This example deepens the understanding of permission inheritance. A table is created and its initial permissions (inherited from the caslib) are displayed. Then, a direct permission is added to the table. `remAllAcsData` is used to remove this direct permission, demonstrating how inherited access becomes predominant again. The goal is to clearly show the impact of the reset on the permission cascade.
CAS casauto;

/* Create a caslib and a table.
   LIBREF= assigns a libref (8 characters at most) so the DATA step can write to the caslib. */
caslib _NAME_TEMP_3 datasource=(srctype='path') path='/tmp/' sessref=casauto libref=tmplib3;
DATA tmplib3.table_heritee;
  x=1; y=2;
RUN;

/* Display the initial permissions of the caslib and the table */
PROC CAS;
  ACCESSCONTROL.showCaslibAcl / caslib='_NAME_TEMP_3';
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_3', TABLE='table_heritee';
RUN;

/* Add a direct permission on the table that overrides inheritance */
PROC CAS;
  ACCESSCONTROL.addTableAcl / caslib='_NAME_TEMP_3', TABLE='table_heritee', userId='sasguest', perm='promote';
RUN;

/* Check that the direct permission is active */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_3', TABLE='table_heritee';
RUN;

/* Reset the table to its inherited permissions */
PROC CAS;
  ACCESSCONTROL.remAllAcsData / caslib='_NAME_TEMP_3', TABLE='table_heritee';
RUN;

/* Check the state after the reset: the 'promote' permission should be gone at the table level */
PROC CAS;
  ACCESSCONTROL.showTableAcl / caslib='_NAME_TEMP_3', TABLE='table_heritee';
RUN;

/* Cleanup (dropCaslib belongs to the table action set) */
PROC CAS;
  TABLE.dropTable / caslib='_NAME_TEMP_3', name='table_heritee';
  TABLE.dropCaslib / caslib='_NAME_TEMP_3';
RUN;
QUIT;

4 Code Block
CAS Action Data
Explanation :
This example focuses on robustness and error handling. It first attempts to apply `remAllAcsData` to a non-existent table to demonstrate how the system handles such situations (usually by returning an error code). Then, a table is created, permissions are applied, and then reset to show the correct operation of the action on a valid resource. This helps in understanding expected behaviors in less-than-ideal scenarios.
CAS casauto;

/* Create a temporary caslib.
   LIBREF= assigns a libref (8 characters at most) so the DATA step can write to the caslib. */
caslib _NAME_TEMP_4 datasource=(srctype='path') path='/tmp/' sessref=casauto libref=tmplib4;

/* Attempt the reset on a table that does not exist.
   STATUS= captures the action's return status; severity 0 means success. */
PROC CAS;
  ACCESSCONTROL.remAllAcsData status=rc / caslib='_NAME_TEMP_4', TABLE='table_inexistante';
  IF rc.severity ne 0 THEN DO;
    PRINT "Erreur: La table n'existe pas ou une autre erreur s'est produite.";
  END;
RUN;

/* Create a table and apply permissions */
DATA tmplib4.ma_table_err;
  id=1;
  name='Test';
RUN;
PROC CAS;
  ACCESSCONTROL.addTableAcl / caslib='_NAME_TEMP_4', TABLE='ma_table_err', userId='sasguest', perm='delete';
RUN;

/* Successful reset */
PROC CAS;
  ACCESSCONTROL.remAllAcsData / caslib='_NAME_TEMP_4', TABLE='ma_table_err';
RUN;

/* Cleanup (dropCaslib belongs to the table action set) */
PROC CAS;
  TABLE.dropTable / caslib='_NAME_TEMP_4', name='ma_table_err';
  TABLE.dropCaslib / caslib='_NAME_TEMP_4';
RUN;
QUIT;

Pro Tip
If you are automating a data promotion pipeline, include remAllAcsData as a standard cleanup step. This ensures that promoted tables always align with the production Caslib's security policy rather than carrying over experimental permissions from a sandbox.
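
The cleanup step from the Pro Tip combined with the column-level caveat from the Expert Advice, as an added example (not code from the original page or from SAS): a small Python model of the three ACL layers and a post-reset gate that a promotion pipeline could run. The row layout, function names and sample rows are constructed for illustration; they are not a CAS output format or API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    caslib: str
    table: str      # "" means a caslib-level rule
    column: str     # "" means not a column-level rule
    identity: str
    permission: str
    perm_type: str  # "Grant" or "Deny" (constructed field)

def level(acl):
    """Classify a rule by the layer it is attached to."""
    if acl.column:
        return "column"
    return "table" if acl.table else "caslib"

def reset_table(acls, caslib, table):
    """Model of the reset as the page describes it: drop the direct
    table-level rules of one table; caslib and column rules survive."""
    return [a for a in acls
            if not (a.caslib == caslib and a.table == table and level(a) == "table")]

def residual_direct(acls, caslib, table):
    """Direct rules still attached to the table or to its columns."""
    return [a for a in acls
            if a.caslib == caslib and a.table == table and level(a) != "caslib"]

def promotion_gate(acls, caslib, table):
    """Return (ok, findings); ok only when the table carries no direct rules."""
    left = residual_direct(acls, caslib, table)
    findings = [f"{level(a)}-level {a.perm_type} {a.permission} for {a.identity}"
                + (f" on column {a.column}" if a.column else "") for a in left]
    return (not left, findings)

# Constructed sample: a sandbox table carrying experimental permissions.
SAMPLE = [
    Acl("sandbox", "", "", "analysts", "read", "Grant"),
    Acl("sandbox", "payroll", "", "sasguest", "read", "Grant"),
    Acl("sandbox", "payroll", "", "sasuser", "update", "Grant"),
    Acl("sandbox", "payroll", "Salary", "sasguest", "read", "Deny"),
]

if __name__ == "__main__":
    after = reset_table(SAMPLE, "sandbox", "payroll")
    ok, findings = promotion_gate(after, "sandbox", "payroll")
    print("clean" if ok else "blocked:", findings)
```

The gate stays closed after the table-level reset because the column rule on "Salary" is still attached, which is the case the Expert Advice warns about.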