Skip to content

Data Controller for SAS® - Security

Summary

DC security is applied at the level of Table and Group. Permissions can only be set at group level. There are two parts to adding a user:

1 - Adding the user to the relevant group

2 - Ensuring that group has the appropriate access level in the MPE_SECURITY table

For guidance with adding SAS users in SAS 9, see SAS Documentation.

Details

In order to surface a table to a new group, simply add a record to the DATACTRL.MPE_SECURITY table. The library.dataset value should go in the BASE_TABLE field, the level of access (either EDIT or APPROVE) should go in the ACCESS_LEVEL field, and the exact name of the relevant metadata group should go in the SAS_GROUP field. The change should then be submitted, and approved, at which point the new security setting will be applied.

Screenshot

ACCESS_LEVEL

EDIT

The EDIT permission determines which groups will be able to upload CSVs and submit changes via the web interface for that table.

APPROVE

The APPROVE permission determines which groups will be able to approve those changes, and hence enable the target table to be loaded. If you wish to have members of a particular group both edit AND approve, then two lines (one for each group) must be entered, per table.

VIEW

The default behaviour when installing Data Controller is that the viewer lets all SAS Users see all the tables that they are authorised to view in SAS. However there may be reasons to further restrict the tables in this component.

There is a global setting that will disable ALL tables in VIEWER unless explicitly authorised - this is available in MPE_CONFIG. Set DC_RESTRICT_VIEWER=YES, submit, and approve.

If authorising groups without this setting, it means that tables will be restricted only in that library (the rest will still be visible).

Groups can be given VIEW access for all libraries or all tables within a library by using the keyword *ALL* instead of the libref / tablename.

It's also worth being aware of the DC_VIEWLIB_CHECK option in MPE_CONFIG. When this is switched on, SAS will confirm that the library is valid and contains tables, before adding to the list. This can sometimes be slow (depending on your library configurations), hence disabled - but as the list is actually cached on frontend (until the next hard refresh) the impact may worth it.

Determining Group Members

Before adding a group to Data Controller, it helps to know the members of that group! A User navigator is available in both the SAS 9 and Viya version of Data Controller. You can navigate Users, Groups and Roles (roles are only visible in the SAS 9 version).

This means you do not need SAS Management Console or SAS Environment Manager to manage Data Controller users. However you will need those tools for managing SAS Groups, unless you define your own groups in the MPE_GROUPS table.