Object Inheritance

In the metadata layer, parent objects convey their effective permissions to child objects. Children inherit the net effect of their parents' access controls, not the access controls themselves. The following figures depict inheritance paths in a foundation repository. The arrows in the first figure flow from child to parent (for example, a table inherits effective permissions from its parent folder). The arrows in the second figure flow from parent to child (for example, a folder conveys its effective permissions to the items that it contains).
Inheritance Paths (Separated View)
separated view
Inheritance Paths (Integrated View)
integrated view
Here are some details about the preceding figures:
  • The depicted folder structure is arbitrary and intended only to show the security relationships between different types of objects.
  • Not all object types are depicted.
    Tip
    In SAS Management Console, you can trace an object’s inheritance by clicking Advanced on the object's Authorization tab. This feature is available to only unrestricted users.
  • The root folder represents the top of the folder tree for the foundation repository (the SAS Folders node).
  • The root folder inherits settings from the permission pattern of the repository ACT (which is usually named Default ACT).
  • Any custom repositories are represented as folders (immediate children of the foundation root folder). Although these folders inherit permissions from both the foundation root folder and the repository ACT of the custom repository, access to objects within the custom repository branch should be managed from the folder side whenever possible.
  • In some clients, your My Folder my folder icon is displayed directly below the root folder. This is just a shortcut for accessing your personal content area. This folder is not an immediate child of the root folder.
  • In general, specialized folders (such as search folders, favorites folders, and virtual folders) don't convey permissions to the objects that they contain. An exception is that a favorites folder does convey permissions to any child favorites folders (favorites groups) that it contains.
  • The figures show users, groups, and roles inheriting repository-level permissions. In some clients, the authorization information for a user, group, or role reflects special rules that protect identity definitions.

See Also

Identity Hierarchy
Authorization Decisions
Copyright © SAS Institute Inc. All rights reserved.