Create a Custom ACT

Why Create Custom ACTs?

Several predefined ACTs are provided. To further centralize access management, create an ACT for each access pattern that you use multiple times. This list outlines common patterns and provides tips:
  • It is often useful to create ACTs to manage read access for different business units.
  • It is often useful to create an ACT that manages write access for a functional group that includes users from multiple business units.
  • You do not have to capture all of an item's protections in one ACT. You can use combinations of ACTs, explicit settings, and inherited settings to define access to an item.

How to Create a Custom ACT

  1. Review the existing ACTs to make sure that the pattern does not already exist.
    1. On the Plug-ins tab of SAS Management Console, select Environment Managementthen selectAuthorization Managerthen selectAccess Control Templates
    2. On the Permission Pattern tab of each ACT, examine the settings for each identity.
      Note: Do not confuse an ACT's Authorization tab with its Permission Pattern tab. Settings on an ACT's Authorization tab affect who can access that ACT; settings on an ACT's Permission Pattern tab affect access to the items to which that ACT is applied.
  2. Create the ACT.
    1. On the Plug-ins tab in SAS Management Console, select Authorization Managerthen selectAccess Control Templates.
    2. Right-click and select New Access Control Template.
    3. On the General tab, enter a name. It is a good idea to use the description field to document the intended purpose of the ACT.
    4. On the Permission Pattern tab, add one or more identities and select check boxes. Each restricted identity that you add gets a grant of the ReadMetadata permission in the pattern.
      Note: The pattern is a collection of settings that will be added to the protections for each item to which you apply this ACT. Any gray check boxes come from group memberships. The gray settings are not part of the ACT's pattern; they just show the net effect of that pattern for the selected identity.
      Note: For each identity, the pattern can provide a grant, a deny, or a blank setting for each permission. Settings that are unspecified (neither granted nor denied) in an ACT's pattern have no effect when that ACT is applied to an item.
      Note: If the identity that is selected in the Users and Groups list box has the unrestricted role, all permissions are granted and you cannot change the settings.
    5. On the Authorization tab, define who can do what to the new ACT. It is important to prevent regular users from modifying or removing an ACT. A typical approach is to add an explicit clear check box denial of WriteMetadata for PUBLIC and an offsetting explicit grant of WriteMetadata for SAS Administrators.
    6. In the Properties dialog box, click OK. The new ACT is now in the list of ACTs under Authorization Managerthen selectAccess Control Templates.
  3. Apply the ACT to one or more items. For each item to which you want to add the ACT's settings, complete these steps:
    1. Navigate to the item's Authorization tab.
    2. Click Access Control Templates.
    3. In the Available list box, open the nodes and move the new ACT to the Currently Using list box. Click OK to close the dialog box.
    4. On the item's Authorization tab, verify that the revised settings are as you expect. On the Authorization tab of an item to which an ACT is applied, settings that are explicit white check box in the ACT's pattern are green green check box.
      Note: The applied ACT contributes its settings to the item's protections. The item can also have explicit settings and other applied ACTs (as well as inherited settings).
  4. If necessary, adjust the ACT's pattern. The advantage of using an ACT is that you can change the pattern without revisiting the items to which the pattern is applied. Simply make changes on the ACT's Permission Pattern tab.

See Also

Use and Enforcement of Each Permission
Who Can Set Permissions?
Copyright © SAS Institute Inc. All rights reserved.