Further Considerations for Permissions on Folders

Consolidation of ACTs

In general, consolidation (using one pattern in all of the places where it is appropriate) is beneficial, because it simplifies management. However, it might be appropriate to maintain two ACTs that have similar patterns in circumstances such as these:
  • You anticipate that access requirements might diverge. For example, if you think you will eventually separate folder administration from server administration, you might create a SystemProtect ACT for items that aren't in the folder tree.
  • You want to use a pattern that is similar to but not exactly the same as one of the predefined ACTs. For example, the baseline Hide ACT is not very different from the predefined Private User Folder ACT. We strongly recommend that you do not modify or delete the predefined ACTs, because these ACTs are an integral part of the protections that are set up for you during installation. The usage of each predefined ACT requires certain settings. Modifying the settings on a predefined ACT can compromise the security that that ACT provides.
Note: The examples in this chapter don't demonstrate use of an ACT to protect other ACTs. Consider returning to each ACT's Authorization tab, removing the explicit controls, and instead applying an ACT such as the Protect ACT.

Separated Administration

If you need to separate administration privileges by department, the approach in this chapter is not granular enough. If you don't want the SAS Administrators group to have universal access, consider creating parallel sets of baseline ACTs.
For example, to separate administration for an East region and a West region, you might create ACTs such as Hide_East and Hide_West. In each baseline ACT pattern, you would replace the SAS Administrators group with a narrower administrative group (for example, East_Admins or West_Admins). The denials to PUBLIC and grants to the SAS System Services group would not change. Any unrestricted users can still access everything.

End Users, Folders, and Permissions

Proper use of the WriteMetadata and WriteMemberMetadata permissions protects a folder structure. Keep in mind that end users can affect access to content as follows:
  • A user who can update an item can add settings on that item. You can't prevent this by limiting the availability of SAS Management Console because users can set permissions in other applications (for example, SAS Information Map Studio, SAS OLAP Cube Studio, SAS Data Integration Studio, SAS Enterprise Guide, and the SAS Add-In for Microsoft Office).
  • A user who can contribute items to a folder can also add subfolders below that folder. You can't prevent this by limiting the availability of SAS Management Console because users can add folders in other applications (for example, SAS Information Map Studio, SAS OLAP Cube Studio, SAS Data Integration Studio, SAS Enterprise Guide, and the SAS Add-In for Microsoft Office).
  • If you give someone CheckInMetadata permission on a folder, that person can update or delete the folder (through change management activities), as well as check in content to that folder. Change management is an optional feature that is available only for SAS Data Integration Studio.