About Access Management

Introduction

The platform provides a proprietary, metadata-based authorization layer that supplements protections from the host environment and other systems. You can use the metadata authorization layer to manage access to almost any metadata object (for example, reports, data definitions, information maps, jobs, stored processes, and server definitions).
Across authorization layers, protections are cumulative. In order to perform a task, a user must have sufficient access in all applicable layers.
In the metadata layer, the following permissions are always enforced:
  • the ReadMetadata permission (RM), which controls the ability to see an object
  • the WriteMetadata permission (WM), which controls the ability to update or delete an object
Other permissions are specialized and affect only certain types of objects.
CAUTION:
In the metadata authorization layer, not all permissions are enforced for all items.
It is essential to understand which actions are controlled by each permission.
CAUTION:
Some clients enable power users to create and run SAS programs that access data directly, bypassing metadata-layer controls.
It is essential to manage physical layer access in addition to metadata-layer controls. For example, use host operating system protections to limit access to any sensitive SAS data sets.
For more information, see Authorization Model.
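The second caution above can be checked on the host side. The following is an added example, not part of the original documentation: a shell audit that finds data set files readable or writable by "other" accounts and removes that access. It assumes data sets are stored as *.sas7bdat files under one library directory; the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): host-layer audit of SAS data set files.
# Assumption: data sets are *.sas7bdat files under a single library directory.

# List data set files under $1 whose mode grants read or write to "other".
find_exposed_datasets() {
    find "$1" -type f -name '*.sas7bdat' \( -perm -004 -o -perm -002 \) -print | sort
}

# Count of exposed data set files under $1.
count_exposed() {
    find_exposed_datasets "$1" | wc -l | tr -d ' '
}

# Strip all "other" access from exposed files and from the library directory,
# so only the owner and group (for example, a server account) remain.
restrict_datasets() {
    find_exposed_datasets "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
    chmod o-rwx "$1"
}

# Demo on a constructed library; pass a real directory as $1 to audit it instead.
demo() {
    lib=$(mktemp -d)
    : > "$lib/salaries.sas7bdat"; chmod 644 "$lib/salaries.sas7bdat"   # world-readable
    : > "$lib/orders.sas7bdat";   chmod 640 "$lib/orders.sas7bdat"     # owner+group only
    echo "exposed before: $(count_exposed "$lib")"
    restrict_datasets "$lib"
    echo "exposed after:  $(count_exposed "$lib")"
    rm -rf "$lib"
}

if [ $# -gt 0 ]; then find_exposed_datasets "$1"; else demo; fi
```

The check looks only at file mode bits; access control lists and the permissions of parent directories need a separate review.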

Who Can Set Permissions?

Requirements for Setting Permissions

Task                                       Requirements
-----------------------------------------  --------------------------
Set permissions on an item                 WriteMetadata for the item
Change the permission pattern on an ACT    WriteMetadata for the ACT
Designate a different repository ACT       WriteMetadata for the ACT

Note: In SAS Management Console, you can't see the Authorization Manager or any Authorization tabs unless you have the Authorization Manager capability.

Where is Access Management Performed?

Metadata-layer access management is performed as follows: