WriteMetadata and WriteMemberMetadata

The following permissions affect the ability to create, update, and delete metadata.
WriteMetadata (WM)
Edit, delete, change permissions for, or rename an object. For example, to edit a report, you need WM for the report. To delete a report, you need WM for the report (and WMM for the report's parent folder). For containers other than folders (such as repositories, libraries, and schemas), WM also affects adding and deleting child objects. For example, to add an object anywhere in a repository, you need WM at the repository level. For folders, adding and deleting child objects is controlled by WMM, not WM.
WriteMemberMetadata (WMM)
Add an object to a folder or delete an object from a folder. For example, to save a report to a folder, you need WMM for the folder. To remove a report from a folder, you need WMM for the folder (and WM for the report). To enable someone to interact with a folder's contents but with not the folder itself, grant WMM and deny WM.
Note: We recommend that anyone who has a grant of WM is not denied WMM.
To experiment with WM and WMM, complete this exercise in SAS Management Console:
  1. Log on as someone who has a well-formed user definition.
    Note: Step 5a assumes that you are restricted and are not in the SAS Administrators group. To create a temporary restricted user for this exercise, use an internal account. (for example, use the name temp and log on as temp@saspw).
  2. On the Folders tab, right-click your My Folder my folder icon and select Newthen selectFolder. Create a new folder named learn.
  3. To see how WM influences WMM:
    1. Right-click the learn folder, select Properties, and select the Authorization tab.
    2. Notice that WMM is in the permissions list. This permission is meaningful only for folders.
    3. In the Users and Groups list box, select PUBLIC. Notice that this group has indirect gray check box denials for both WM and WMM. Add an explicit white check box grant of WM. Notice that this causes the WMM setting to change to a grant.
    4. Select the grant WM check box again. This clears the check box and removes the explicit grant. Notice that the WMM setting also reverts to a denial.
    5. Add an explicit white check box grant of WMM. Notice that this has no effect on the WM setting. The mirroring is one-way. WM influences WMM, but WMM does not influence WM. Remove the grant of WMM to revert to the initial settings (indirect gray check box denials of both WM and WMM). Click OK.
  4. To see how WMM on a folder is conveyed to the objects inside the folder:
    1. Right-click the learn folder and select Newthen selectFolder. Create a new folder named child.
      learn and child folders
    2. On the learn folder's Authorization tab, click Add. In the Add Users and Groups dialog box, clear the Show Groups check box. Move one restricted user (such as the SAS Demo User) to the Selected Identities list box and click OK.
    3. In the permissions list, give the user who you just added an explicit denial of WM and an explicit grant of WMM. Click OK.
      Note: If the permissions list is disabled, the selected user is unrestricted (for example, the original SAS Administrator is unrestricted). Add a restricted user to the Authorization tab.
    4. On the child folder's Authorization tab, select the user who you added in step 4b. Notice that the denial of WM on the learn folder is not conveyed to the child folder. Instead, the grant of WMM on the learn folder is conveyed to the child folder as an indirect grant of WM. On the child folder, the WMM setting mirrors the WM setting as usual.
  5. To see which actions each permission controls:
    1. Right-click your My Folder my folder icon . Notice that actions such adding a new folder or stored process are available (because you have WMM) but, if you are a regular user, Rename and Delete are disabled (because you do not have WM).
      Note: This is an example of a folder that is under administrative control. Certain users (or groups) can contribute objects to the folder, but the folder itself is protected.
    2. Right-click the learn folder and examine its pop-up menu. Notice that all actions are all available (because you have both WM and WMM).
  6. To clean up, right-click the learn folder and select Delete. If you created a temporary user for this exercise, log on with your administrative account, delete the temporary user (on the Plug-ins tab under User Manager) and that user's associated folder (at SAS Foldersthen selectUser Foldersthen select<the temporary user> or SAS Foldersthen selectUsersthen select<the temporary user>).
Copyright © SAS Institute Inc. All rights reserved.