To experiment with explicit controls, complete this exercise in SAS Management Console:

1. Log on as someone who has a well-formed user definition.

2. On the Folders tab, right-click your My Folder and select New > Folder. Create a new folder named test.

3. Right-click the test folder and select Properties. On the test folder's Authorization tab, briefly examine the settings for each identity in the Users and Groups list box. Notice that all of the settings are indirect. These settings come from the test folder's parent folder.

   Note: You cannot remove anyone, because all of the listed identities participate in settings that are defined elsewhere.

4. To give the SASUSERS group an explicit setting:

   a. In the Users and Groups list box on the test folder's Authorization tab, select SASUSERS. Notice that SASUSERS has an indirect denial of the ReadMetadata permission.

      Note: These instructions assume that your My Folder has standard settings. If this setting is not present, select another identity (such as PUBLIC) that does have an indirect denial of ReadMetadata.

   b. Select the opposing check box (grant ReadMetadata). This gives the SASUSERS group an explicit grant of ReadMetadata permission on the test folder.

   c. Select the grant ReadMetadata check box again. This removes the explicit grant and reveals the underlying indirect denial.

   d. Select the (already selected) deny ReadMetadata check box. This adds an explicit denial on top of the indirect denial.

   e. Click OK. An error message tells you that you cannot save these settings. The only explicit setting on the test folder is the denial of ReadMetadata permission for SASUSERS. This denial blocks access for all registered users, including you. Click OK to close the message box and return to the Authorization tab.

      Note: If you are unrestricted, you will not see the error message. Go to step 5.

   f. To see the impact that the SASUSERS denial has on you, select yourself in the Users and Groups list box on the test folder's Authorization tab. Notice that your previous indirect grant of ReadMetadata permission is now an indirect denial of ReadMetadata permission.

   g. To restore access for yourself, select the grant ReadMetadata check box. This gives you an explicit grant that offsets the SASUSERS explicit denial. Click OK.

      Note: An offsetting grant does not have to be assigned directly to you; it can be assigned to any group that is closer to you than the group that has the explicit denial. For example, your custom group memberships are closer to you than SASUSERS, and SASUSERS is closer to you than PUBLIC.

5. To give an explicit setting to someone who is not already listed:

   a. On the test folder's Authorization tab, click Add. In the Add Users and Groups dialog box, clear the Show Groups check box. Move one user (such as the SAS Demo User) to the Selected Identities list box and click OK.

      Note: In practice, it is preferable to assign permissions to groups rather than to individual users (for ease of management).

   b. On the Authorization tab, notice that the user is selected and has an explicit grant of ReadMetadata permission. An explicit grant of ReadMetadata permission is automatically given to every restricted identity that you add. Select the opposing check box, deny ReadMetadata permission. This replaces the explicit grant with an explicit denial.

      Note: If the selected user has the unrestricted role, you cannot change any settings.

   c. Click Remove and then click Yes in the confirmation message box. You can remove this user because this user is named only in explicit settings.

      Note: Regular users cannot navigate to each other's My Folder because of a denial of ReadMetadata permission to PUBLIC on a parent folder.

6. To clean up, right-click the test folder and select Delete.
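The outcomes of the SASUSERS part of the exercise can be reproduced with a small model of how the closest identity's setting wins and how unset folders fall back to their parent. This is an added example, not SAS code and not part of the original page; it is a simplified model covering only what the exercise shows, and the user name `alice`, the `Folder` class, and the way her grant on My Folder is defined are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # identity name -> True (grant) or False (deny), set directly on this folder
    explicit: dict = field(default_factory=dict)

def effective(folder, chain):
    """ReadMetadata result for an identity chain ordered closest-first,
    e.g. [user, custom groups..., "SASUSERS", "PUBLIC"]."""
    node = folder
    while node is not None:
        for identity in chain:  # the closest identity with a setting wins
            if identity in node.explicit:
                direct = node is folder and identity == chain[0]
                return node.explicit[identity], "explicit" if direct else "indirect"
        node = node.parent  # nothing set here: use the parent's settings
    return False, "indirect"  # assumption: no setting anywhere means no access

def can_save(folder, chain, unrestricted=False):
    """The console refuses settings that block the person saving them."""
    return unrestricted or effective(folder, chain)[0]

def run_exercise():
    # Constructed sample: "alice" is a hypothetical registered user; how her
    # grant on My Folder is defined is assumed, the PUBLIC denial is from the page.
    me, sasusers = ["alice", "SASUSERS", "PUBLIC"], ["SASUSERS", "PUBLIC"]
    my_folder = Folder("My Folder", explicit={"alice": True, "PUBLIC": False})
    test = Folder("test", parent=my_folder)
    seen = {"new folder, SASUSERS": effective(test, sasusers),
            "new folder, me": effective(test, me)}
    test.explicit["SASUSERS"] = False  # explicit denial for SASUSERS
    seen["SASUSERS after deny"] = effective(test, sasusers)
    seen["me after deny"] = effective(test, me)
    seen["can save"] = can_save(test, me)
    seen["can save if unrestricted"] = can_save(test, me, unrestricted=True)
    test.explicit["alice"] = True  # offsetting explicit grant
    seen["me after grant"] = effective(test, me)
    seen["can save after grant"] = can_save(test, me)
    return seen

if __name__ == "__main__":
    for step, result in run_exercise().items():
        print(f"{step}: {result}")
```

Moving the offsetting grant from `alice` to a group placed ahead of SASUSERS in her chain gives the same access, but reported as indirect, which matches the note that the grant can sit on any closer group.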