Working with ACTs

Instead of setting every permission explicitly, use access control templates (ACTs). Each ACT consists of a pattern of grants and denials that are assigned to different users and groups. When you apply an ACT to an object, the ACT settings are added to the object's protections. When you want to assign the same settings to several disparate resources, using an ACT is beneficial for these reasons:
  • It is easier to apply a pattern than it is to set each permission individually on each resource for which the pattern is appropriate.
  • If you need to change access to the objects to which a pattern is applied, you can simply update the permission pattern, rather than revisiting each resource and individually modifying the settings.
To learn more, complete this exercise in SAS Management Console:
  1. Log on as someone who has a well-formed user definition.
  2. On the Folders tab, right-click your My Folder my folder icon and select Newthen selectFolder. Create a new folder named test2.
  3. Right-click the test2 folder and select Properties. On the folder's Authorization tab, briefly examine the settings for each identity in the Users and Groups list box. Notice that all of the settings are indirect grey check box .
  4. To apply an ACT to the test2 folder:
    1. Click Access Control Templates. In the Add and Remove Access Control Templates dialog box, expand the Foundation node in the Available list box and select Private User Folder ACT.
    2. Before you apply this ACT to the test2 folder, click Properties to verify the settings that this ACT provides. On the Permission Pattern tab, notice that this ACT provides denials of ReadMetadata, WriteMetadata, and CheckInMetadata permissions for the PUBLIC group, grants of these permissions for the SAS Administrators group, and a grant of ReadMetadata permission for the SAS System Services group.
      Note: Each ACT's pattern consists of only the explicit white check box settings on that ACT's Permission Pattern tab. Settings that are unspecified (blank) on an ACT's pattern have no effect when that ACT is applied to an object.
      Click Cancel to return to the list of ACTs that are applied to the test2 folder.
    3. In the Add and Remove Access Control Templates dialog box, move Private User Folder ACT to the Currently Using list box. This adds that ACT's settings to the access controls for the test2 folder. Any future changes to this ACT's permission pattern will affect access to this folder.
      Note: The Currently Using list box includes only applied ACTs; so this list typically does not include the repository ACT (default ACT).
    4. Click OK to return to the Authorization tab. Notice that the PUBLIC denials of ReadMetadata, WriteMetadata, and CheckInMetadata permissions now come from an ACT (those denials are now green green check box ). Select SAS Administrators and notice the green grants of the same permissions. These ACT settings override and hide the underlying indirect settings.
    5. Click OK to close the Properties dialog box for the test2 folder.
      Note: If you are restricted, an error message indicates that you cannot save the settings. Click OK to dismiss the message. On the Authorization tab, select yourself and add explicit white check box grants of ReadMetadata and WriteMetadata permissions. Click OK.
  5. To clean up, right-click the test2 folder and select Delete.
Several predefined ACTs are provided on the Plug-ins tab under Authorization Managerthen selectAccess Control Templates. You can create additional ACTs in this location.
Copyright © SAS Institute Inc. All rights reserved.