Technical Paper. Securing SAS Business Intelligence Content That Is Managed in Metadata

Transcription

1 Technical Paper Securing SAS Business Intelligence Cntent That Is Managed in Metadata

2 Release Infrmatin Cntent Versin: 1.0 Nvember Trademarks and Patents SAS Institute Inc., SAS Campus Drive, Cary, Nrth Carlina SAS and all ther SAS Institute Inc. prduct r service names are registered trademarks r trademarks f SAS Institute Inc. in the USA and ther cuntries. indicates USA registratin. Other brand and prduct names are registered trademarks r trademarks f their respective cmpanies.

3 Cntents Intrductin... 3 Patterns f Use... 3 Access Cntrls and the Repsitry Default ACT... 4 Granting WriteMetadata in the Default ACT... 4 Setting Permissins fr PUBLIC and SASUSERS Implicit Grups in the Repsitry Default ACT... 6 Securing Permissin Patterns in the Default ACT...6 Tw Appraches t Defining Grup Access Cntrls... 7 Basic Permissin Patterns fr Securing Cntent Mdeled in the Metadata Repsitry... 7 Flat and Hierarchic Grup Flder Structure... 8 Securing Cntent Lcatins in the Metadata Repsitry... 9 Infrmatin Maps... 9 Web Reprts Stred Prcesses Creating and Securing Stred Prcesses with SAS Enterprise Guide Publishing Framewrk Metadata Publish-Subscribe Usage Prtal Permissin Trees Audits fr Metadata Permissins Areas fr Custmer Attentin Best Practices fr a Strnger Metadata-Based Security Plicy Appendix A: Flat Flder Structure Permissins (Generic Example) Appendix B: Hierarchic Flder Structure (Generic Example) i

4 ii

5 Intrductin Nte: Infrmatin in this dcument pertains t SAS Service Pack 4. SAS client sftware uses metadata t manage and secure business intelligence (BI) cntent items. Secure access t cntent items thrugh client user interfaces is cntrlled by metadata permissins, which are enfrced by the SAS Metadata Server. ReadMetadata and WriteMetadata access cntrls that are placed n individual items r flders grant r deny access t cntent items based n the identity f the user. Cntent items managed in metadata include: stred prcesses infrmatin maps data explratins web reprts publicatins channels and archived result packages Data tables and libraries are nt discussed in this dcument, but infrmatin abut them is given in SAS Data Integratin Studi (frmerly named SAS ETL Studi) dcumentatin. Fr infrmatin abut cntrlling OLAP cube access in metadata, see "Access Requirements fr OLAP Data," available at supprt.sas.cm/nlinedc/913/getdc/en/bisecag.hlp/a htm. Patterns f Use Client applicatins create bjects in the metadata repsitry t mdel and prvide authrizatin cntrl t cntent items. Sme applicatins have specific repsitry lcatins fr cntent metadata; ther applicatins let the SAS administratr create and manage the lcatins. SAS administratrs must manage grups f users. Each grup requires secure access t specific sets f cntent. The administratr creates subsetted flders (subflders) in the metadata rt flder and applies access permissins s that PUBLIC is denied access while specific grup access is granted. The administratr shuld als grant access t an administratrs' grup fr cntent management. Fr mre infrmatin abut applying access cntrls, see the nline Help fr the Authrizatin Manager plug-in t SAS Management Cnsle. Access t cntent is cntrlled by tw permissins: ReadMetadata and WriteMetadata. These permissins are enfrced by the server based n the identity f the cnnecting client. ReadMetadata permissin is needed t navigate and read cntent. If a user des nt have ReadMetadata permissin fr a cntent item, the item is nt fund in a search and is nt viewable in a metadata brwse client. WriteMetadata permissin is needed t create new bjects such as trees (flders) r cntent bjects such as stred prcesses, reprts, and infrmatin maps. A first step in prviding secure access t cntent is t secure wh can mdify grup identities and membership. Grup identities shuld be secured s that nly administratrs can mdify membership. 3

6 T restrict grup identity editing t administratrs, cmplete the fllwing steps: 1. Start SAS Management Cnsle. 2. In the User Manager plug-in, select the grup and then select Prperties. 3. On the Authrizatin tab: Select Grant WriteMetadata t Administratr grups. Select Deny WriteMetadata t PUBLIC. Apply a similar security pattern t Access Cntrl Templates (ACTs) that are applied t bjects and flders. Yu can access ACTs frm the Authrizatin Manager plug-in in SAS Management Cnsle. 1. Frm the plug-in, select Prperties Authrizatin fr each ACT. 2. Select Grant WriteMetadata t Administratr grups. 3. Select Deny WriteMetadata t PUBLIC grup. Sme SAS applicatins have a specific lcatin fr shared grup cntent; ther applicatins allw the administratr t set the lcatin. Sme applicatins prvide a User flder t stre persnal cntent items that are created in specific lcatins in the repsitry as presented later in the sectin "Errr! Reference surce nt fund.." This sectin reviews these lcatins and prvides strategies fr securing cntent at these lcatins. Access Cntrls and the Repsitry Default ACT Yu can use Access Cntrl Templates (ACTs) t apply sets f access cntrls t bjects. The Default ACT has a unique rle in that it applies (thrugh inheritance) t all bjects in the repsitry. Whenever a new bject is created, the access cntrls f the Default ACT gvern the initial creatin f the bject. This means that the identity that creates bjects in the repsitry must be granted WriteMetadata in the Default ACT. Granting WriteMetadata in the Default ACT Custmer administratrs ften ask why brad ReadMetadata and WriteMetadata permissins are needed in the Default ACT fr peratin f client sftware. ReadMetadata is required in rder t navigate and search fr bjects. WriteMetadata is required fr the initial creatin f bjects in the repsitry. Parent bjects like servers and flders prvide permissins thrugh inheritance dwn t child bjects. After an bject is created and assciated with a flder, permissins are inherited frm the flder as well as frm the Default ACT. Fr example, cnsider the creatin f a stred-prcess bject. SAS Enterprise Guide users must have WriteMetadata in the Default ACT t create the bject. T assciate that bject with a flder, users must have WriteMetadata fr these bjects als. After a user assciates the bject with a flder, that bject inherits permissins frm the parent bject as well as frm the Default ACT. 4

7 The fllwing table describes when and why identities must have WriteMetadata in the Default ACT. Client Task Creating Stred Prcesses Requirement fr WriteMetadata in Default ACT Authr f the stred prcess needs WriteMetadata fr initial creatin f the stred-prcess bject. Infrmatin Delivery Prtal Persnal Desktp Infrmatin Delivery Prtal Permissin Trees Prtal users manage persnal desktp cnfiguratin in the Prtal prfile bject that is assciated with each prtal user s identity. WriteMetadata is needed in the Default ACT fr creating and editing the prfile bject. The Prtal Applicatin Tree flder is accessed by Prtal cde t create user and grup permissin tree flders that are used t secure Prtal cntent n a per-user and per-grup basis. Prtal users must be granted WriteMetadata permissin fr the Prtal Applicatin Tree rt flder when they first lg n t the prtal. This permissin is required because the user's permissin tree flder is created as part f their first lgn prcess. A prtal user can be granted WriteMetadata in either f tw ways: directly granted by Access Cntrl Entries (ACE) r an ACT n a per-user r per-grup basis inherited frm the Default ACT Nte: Because all Prtal users must have a metadata identity (t save desktp persnalizatins), yu can use the SASUSERS grup (users with identities) t grant this required access permissin. After a user's first lgn, yu can remve the WriteMetadata grant that allwed initial creatin f the user's permissin trees. CAUTION: Be careful when changing the permissins fr the Prtal Applicatin Tree. The SAS Web Administratr identity and all prtal users (including SAS Guest) must have WriteMetadata n this rt flder. A best practice fr applying access cntrls is t use flders (tree bjects) t apply individual ACEs and ACTs t bjects in the flders. Objects within a flder inherit access cntrls frm the flder. Fr mre infrmatin abut access cntrls, inheritance f access cntrls, and precedence in inheritance, see the SAS Management Cnsle Authrizatin Manager nline Help. Mst administratrs als apply access cntrls at the rt f a flder path t prvide additinal and specific access cntrls t thse bjects within that flder that augment thse inherited frm the Default ACT. 5

8 Nte the tw rles f the Default ACT: When yu create an bject, nly the access cntrls f the Default ACT apply. After yu create the bject and assciate it with a flder r ther bjects, access cntrls are inherited frm the Default ACT and frm parent bjects (flders, servers) thrugh assciatin. Setting Permissins fr PUBLIC and SASUSERS Implicit Grups in the Repsitry Default ACT The SAS Metadata Server supprts tw implicit membership grups: PUBLIC All authenticated users. SASUSERS a subset f PUBLIC; authenticated users that have an identity in the repsitry. Administratrs can chse t cntrl access t cntent based n these grups. If ReadMetadata permissin is denied fr PUBLIC users but granted t SASUSERS, PUBLIC users can lg n t SAS applicatins but cannt view any cntent. In this cnfiguratin, a user identity must be added t the repsitry in rder fr the applicatin user t access cntent. This permissin pattern (Deny PUBLIC ReadMetadata, WriteMetadata) can be applied thrugh the Default ACT. Securing Permissin Patterns in the Default ACT The SAS Intelligence Platfrm: Security Administratin Guide, Secnd Editin (supprt.sas.cm/dcumentatin/cnfiguratin/bisecag.pdf) prvides guidance fr securing yur metadata repsitry with permissins applied in the Default ACT. After cmpleting these steps, the permissins in the Default ACT are as fllws: PUBLIC Deny ReadMetadata, WriteMetadata SAS Guest Grant ReadMetadata, WriteMetadata SAS Dem User Grant ReadMetadata, WriteMetadata Administratrs grup (sasadm) Grant ReadMetadata, WriteMetadata SAS System Services grup (SAS Web Administratr, SAS Trusted User) Grant ReadMetadata, WriteMetadata With this cnfiguratin, the Dem User can lg n t SAS web applicatins, and the SAS Guest accunt can be used t custmize the prtal s public kisk. The web administratr accunt can be used t manage web-applicatin cntent and be used as a utility accunt fr managing security. Nte: The SAS Intelligence Platfrm: Security Administratin Guide includes cntent that was frmerly in the SAS Enterprise Intelligence Platfrm: Administratin Guide befre Nvember Mst administratrs als apply access cntrls at the rt f a flder path t prvide additinal and specific access cntrls t thse bjects within that flder that augment thse inherited frm the Default ACT. 6

9 Tw Appraches t Defining Grup Access Cntrls As a best practice, yu shuld grant permissins thrugh grups. Using this apprach, yu can mdify the Default ACT as fllws: Optin 1: Identity-based grups PUBLIC Deny ReadMetadata, WriteMetadata SASUSERS Grant ReadMetadata, WriteMetadata Administratrs Grant ReadMetadata, WriteMetadata Prtal Admins (SAS Web Administratr, custmer Prtal admins) Grant ReadMetadata, WriteMetadata SAS System Services (SAS Web Administratr, SAS Trusted User) Grant ReadMetadata, WriteMetadata With this cnfiguratin, users wh have identities in metadata (SASUSERS) have permissins t access the prtal and ther web applicatins. Administratrs, including the Prtal Admins grup (SAS Web Administratr, SAS Trusted User), have permissins t manage web-applicatin security and peratins. All web applicatin users must have an identity in SAS Metadata Server because PUBLIC users are denied permissins. Mst cntent flders are accessible. Permissin fr securing cntent is described later in this dcument. Optin 2: Applicatin User Grups PUBLIC Deny ReadMetadata, WriteMetadata SASUSERS Deny ReadMetadata, WriteMetadata Create the Web Applicatin Users grup Grant ReadMetadata, WriteMetadata. Add SAS Guest, SAS Dem User, and all prtal and web-applicatin users. Administratrs grup Grant ReadMetadata, WriteMetadata Prtal Admins Grant ReadMetadata, WriteMetadata SAS System Services Grant ReadMetadata, WriteMetadata In Optin 2, yu have the same user permissin pattern as in Optin 1. Hwever, nw yu are creating specific applicatin user grups (fr example, Web Applicatin Users), and granting permissins t the grup instead f the brader permissin grant t SASUSERS. Nte: Yu need t create a grup fr each applicatin user grup in yur system and grant each ne ReadMetadata permissin at a minimum and WriteMetadata fr certain activities. Basic Permissin Patterns fr Securing Cntent Mdeled in the Metadata Repsitry ReadMetadata permissin is required fr navigating flder paths r searching fr cntent items. Fr this reasn, ReadMetadata permissin is granted at rt flders and then denied as needed t secure lwer cntent flders. It is a best practice t deny WriteMetadata permissin t PUBLIC at the rt flder level, and then grant it as required in lwer flders. Users wh nly view cntent items d nt need WriteMetadata permissin. WriteMetadata permissin is required t create, mve, r delete a cntent bject, and is therefre typically granted t cntent authrs and administratrs. 7

10 Use Access Cntrl Templates (ACTs) t implement this best practice. T use ACTs t restrict access at the rt flder level, fllw these steps: 1. Start SAS Management Cnsle. 2. In the Authrizatin Manager plug-in, create an ACT named Public RM Only. 3. On the Authrizatin tab, select Grant WriteMetadata t Administratr grups. Then select Deny WriteMetadata t PUBLIC. Apply this ACT t the rt f cntent flders such as /BIP Tree. The permissin pattern f the ACT is inherited frm the rt t subflders and cntent within thse subflders. This prevents WriteMetadata access. The administratr then grants WriteMetadata permissin t specific grups that need it. This permissin pattern allws flder path navigatin but blcks users frm creating cntent in lcatins that are nt secured r apprpriate. In lwer flder lcatins, create ACTs fr grup flders by using the fllwing grup permissin pattern: PUBLIC Deny ReadMetadata, Deny WriteMetadata Grup Grant ReadMetadata. Can view but nt alter. Grup administratrs and cntent authrs Grant ReadMetadata, Grant WriteMetadata. Can create, delete, and cpy. Using this permissin pattern, applicatin users can navigate nly r search flders where they have ReadMetadata access. When navigating r searching, they see in the user interface nly the flders and cntent items that are available t their grup. The grup wner permissin pattern demnstrates three best practice rules fr permissin-based security: Rule 1: Deny permissin bradly (PUBLIC) and grant permissin specifically (Grup). Rule 2: Use grups t cntrl permissins and nt individual identities. This is mre manageable and easier t administer; users are added r remved frm grups based n their need fr rle-based security. Rule 3: Apply access cntrls t flders either directly r thrugh inheritance, and let cntent items in the flder inherit access cntrls frm the cntaining flder. Flat and Hierarchic Grup Flder Structure There are tw cmmn patterns fr applying access cntrls t grup flders: flat flder structure and hierarchic flder structure. A flat flder structure is mst cmmn and is easy t visualize and manage. /BIP Tree/Grups/Dept A /BIP Tree/Grups/Dept B /BIP Tree/Grups/Marketing Divisin A hierarchic flder structure typically fllws the rganizatinal structure fr a business unit. There is a need t access cntent based n a hierarchy f rle-based permissins. Fr example, wrk grups can access nly grup 8

11 cntent, managers can access cntent acrss all grups plus a manager s area, and executives can lk at cntent acrss all grup and managers areas plus an executive reprts area. /BIP Tree/ReprtStudi/Shared/ Reprts/Sales Reprts/Sales/Natinal Reprts/Sales/Sutheast/Regin Reprts/Sales/Sutheast/Flrida Reprts/Sales/Sutheast/Gergia These tw appraches t flder structure each require a unique pattern f access permissins t prperly secure the cntent flders. Examples that present these access permissin patterns are prvided in the Appendices. Securing Cntent Lcatins in the Metadata Repsitry SAS client applicatins can have default lcatins fr string metadata cntent entries, r the applicatin administratr might be allwed t define these lcatins. Multiple SAS clients fr each cntent type exist, and each client is designed t meet the needs f a specific user grup. Sme f these SAS clients are read-nly viewers; ther clients enable the user t create and edit cntent. T understand, secure, and audit access t cntent, the applicatin administratr must knw hw and where client applicatins access cntent bjects and flders. The fllwing sectin presents a summary, rganized by cntent type, f SAS client sftware that views r creates cntent that is managed in metadata. The sectin als details the typical lcatins f that cntent in the metadata repsitry. Use this summary t review these cntent lcatins and apply the apprpriate access cntrl patterns t secure the cntent. Infrmatin Maps Clients that Create Infrmatin Maps: SAS Infrmatin Map Studi, Data Explrer Clients that View Infrmatin Maps: SAS Web Reprt Studi, SAS Infrmatin Delivery Prtal, SAS Infrmatin Maps Navigatr prtlet and Tree Navigatr prtlet, Prtal Search feature (prtal uses Data Explrer t view maps that are surfaced in Navigatr prtlets and Search result lists); SAS Web OLAP Viewer fr Java views OLAP maps. SAS Web Reprt Studi Infrmatin Maps The default repsitry lcatin fr maps used by SAS Web Reprt Studi is /BIP Tree/ReprtStudi/Maps/. Secure grup subflders can be created at this lcatin. SAS Web Reprt Studi searches all subflders at this lcatin when prviding the user with a list f data surces. A typical grup flder pattern wuld be: /BIP Tree/ReprtStudi/Maps/Public /BIP Tree/ReprtStudi/Maps/DeptA /BIP Tree/ReprtStudi/Maps/DeptB /BIP Tree/ReprtStudi/Maps/MarketingDivisin 9

12 Data Explrer Infrmatin Maps Maps used primarily by the Data Explrer can be stred in any lcatin in the Infrmatin Service. Creating a Maps flder higher in a BI rt flder makes navigatin and access cntrl easier. /BIP Tree/Grups/DeptA secured t Department A grup (see grup-wner pattern in Appendix B.) /BIP Tree/Grups/DeptB secured t Department B grup In this example, the lcatin /BIP Tree/Grups can be secured s that nly the administratr can create grup flders and security permissins can be applied when grup flders are created. A permissin pattern t secure flder creatin nly fr administratrs is as fllws: PUBLIC Grant ReadMetadata, Deny WriteMetadata Administratrs grups Grant ReadMetadata, Grant WriteMetadata Data Explratins Visual Data Explrer and SAS Web OLAP Viewer fr Java prvide a File Save feature t stre data explratins (specific views n infrmatin maps) in user flders created in the repsitry as /BIP Tree/Users/user-ID/. Fr SAS Service Pack 3, these flders are nt secured t the wner. Apply the fllwing permissin pattern using an ACE t each flder after creatin. PUBLIC Deny ReadMetadata, Deny WriteMetadata User Grant ReadMetadata, Grant WriteMetadata SAS Service Pack 4 includes enhancements fr Visual Data Explrer (VDE) and SAS Web OLAP Viewer fr Java limits the Save feature t a user s secure flder at /BIP Tree/Users/user-ID. Bth Data Explrer and SAS Web OLAP Viewer fr Java prvide a File Open feature. Because File Open access is cntrlled by ReadMetadata permissins, access cntrls shuld be placed n flders and cntent items such that the File Open feature prvides secure access t cntent. Specifically, all users have sle access t their wn user flders and can als access grup flders based n grup membership. Viewing and Saving OLAP Cubes When yu use Data Explrer r SAS Web OLAP Viewer fr Java applicatins t view OLAP cubes, infrmatin maps are generated fr use by the query subsystem. These maps are created in the fllwing shared area: /BIP Tree/SASGeneratedMaps/OLAP-schema-name/ All users f Data Explrer and SAS Web OLAP Viewer fr Java must have ReadMetadata and, WriteMetadata access t this area when creating cubes. As a result, infrmatin maps that are created here are accessible t all users. Althugh the infrmatin map cannt expse cube attributes restricted by cube metadata permissins, applicatin develpers might want t limit access t these maps and limit this type f direct access t cubes. Nte: SAS Service Pack 4 allws limiting direct access t cubes thrugh an applicatin parameter setting. In this cnfiguratin, the File Open dialg bx des nt allw cubes in the Open ptin. It nly allws OLAP infrmatin maps. 10

13 Web Reprts Clients that Create Web Reprts: SAS Web Reprt Studi Clients that View Web Reprts: SAS Infrmatin Delivery Prtal Web Reprt Navigatr prtlet and Tree Navigatr prtlet Nte: The Prtal Search feature als accesses web reprts. By default, the prtal uses SAS Web Reprt Viewer t view web reprts that are displayed in Navigatr prtlets and Search feature result lists. The default lcatin in the repsitry fr shared web reprts is /BIP Tree/ReprtStudi/Shared/Reprts/. Secure grup subflders shuld be created at this lcatin, as shwn in the fllwing examples: /BIP Tree/ReprtStudi/Shared/Reprts/DeptA /BIP Tree/ReprtStudi/Shared/Reprts/DeptB Yu can als create a Public flder that has ReadMetadata and WriteMetadata permissins granted t PUBLIC: /BIP Tree/ReprtStudi/Shared/Reprts/Public Such a flder prvides pen access s that any authenticated user can create and share cntent with all users. Other flders can be created and secured t share cntent within a grup f grups. When a user lgs in fr the first time, SAS Web Reprt Studi prgrammatically creates a persnal user flder fr that user. In the default flder naming structure, the lcatin is /BIP Tree/ReprtStudi/Users/user- ID/Reprts/. Fr SAS Service Pack 3, the /Users flder has PUBLIC access by default, with each user s /Reprts flder prtected at creatin by the fllwing ACE settings: PUBLIC Deny ReadMetadata, Deny WriteMetadata User Grant ReadMetadata, Grant WriteMetadata These settings prtect the /Reprts flder frm view and access f cntent, but it des nt secure the user flder named /BIP Tree/ReprtStudi/Users/user-ID frm view by anther metadata brwsing client such as the Web Reprt Navigatr prtlet in SAS Infrmatin Delivery Prtal. SAS Service Pack 4 applies the user secured permissin pattern ne level up frm the /Reprts flder, which prtects the user flder name frm view. Stred Prcesses Clients that Create Stred Prcesses: BI Manager plug-in versin 1.4 fr SAS Management Cnsle Stred Prcess Manager, SAS Enterprise Guide 3 Nte: The BI Manager plug-in versin 1.4 fr SAS Management Cnsle includes functinality previusly cntained in the Stred Prcess Manager. Clients that View Stred Prcesses: SAS Add-In fr Micrsft Office, SAS Infrmatin Delivery Prtal Tree Navigatr prtlet and SAS Infrmatin Delivery Prtal Stred Prcess Navigatr prtlet, and the SAS Infrmatin Delivery Prtal Search feature. SAS Stred Prcess Web Applicatin is used t view stred prcesses that are selected in Navigatr prtlets and Prtal Search results lists. 11

14 Yu can create and access stred prcesses thrugh any BI rt flder in the repsitry, requiring ReadMetadata permissin t execute and requiring WriteMetadata permissin t create. The default lcatin fr stred prcesses that are used by web reprts is /BIP Tree/ReprtStudi/Shared/Reprts/StredPrcesses/. Yu can create grup flders in this lcatin t rganize and secure stred prcesses that are available fr web reprts. Other BI rt flders that are available in a typical SAS Enterprise BI Server install are: /Samples/Stred Prcesses/ Used by the SAS Integratin Technlgies installatin t stre sample stred prcesses. Mst custmers want t deny ReadMetadata access t the PUBLIC grup fr the /Samples rt and nly grant ReadMetadata access t authring grups (SAS Enterprise Guide users) that need t access the samples fr example cde. /Integratin Technlgies SAS Publish-Subscribe metadata is stred in this rt flder and used t manage channels and subscriber prfiles. Deny WriteMetadata access t the PUBLIC grup in this flder area, and limit access t users wh wrk with the publish framewrk. /Prtal Applicatin Tree SAS Infrmatin Delivery Prtal uses the rt flder t maintain permissin trees t secure Prtal cntent. Deny WriteMetadata access t the PUBLIC grup fr this flder and grant WriteMetadata access t SAS Web Administratr, the Prtal s utility administratr accunt. When permissin tree flders are created, they are prgrammatically secured t the wning user r grup. CAUTION: Althugh it is pssible, DO NOT stre stred-prcess bjects in these repsitry flders. Best practice is t manage all cntent in the /BIP Tree rt flder. This prvides a simpler envirnment t secure. Grup flders can be maintained as /BIP Tree/Grups/grup. At this lcatin, yu can create grup subflders and apply permissins as fllws: Grup users Grant ReadMetadata Grup administratrs and cntent authrs Grant ReadMetadata, Grant WriteMetadata PUBLIC Deny ReadMetadata, Deny WriteMetadata As seen previusly, yu can easily save this grup-wner permissin pattern and apply it as an ACT fr each grup. /BIP Tree/GrupA (apply GrupA wner ACT).../BIP Tree/GrupZ (apply GrupZ wner ACT) Stred prcesses are unique in that they must have an assciated Surce directry bject fr the lcatin f stred prcess surce cde. As a result, clients that create stred-prcess bjects must als create Stred Prcess Surce directry bjects. The directry bjects btain access cntrls nly frm the Default ACT. Therefre, users wh create stred prcesses (fr example, SAS Enterprise Guide users and the BI Manager plug-in fr SAS Management Cnsle users) must have WriteMetadata permissin in the Default ACT. Stred-prcess bjects are als unique in that they have an assciatin t a server bject fr executin (either SAS Wrkspace Server r SAS Stred Prcess Server). A user wh creates a stred-prcess bject must als have WriteMetadata permissin fr the lgical stred-prcess server fr the executin server. Finally, a stred prcess authr must have WriteMetadata fr the flder where the stred prcess is saved. 12

15 As a pattern f access cntrls, stred-prcess authrs (using the BI Manager plug-in fr SAS Management Cnsle r SAS Enterprise Guide) must be granted ReadMetadata and WriteMetadata permissins fr the fllwing lcatins and bjects: the flder that cntains the stred-prcess entry the lgical stred-prcess server fr executin the Default ACT fr creating the assciated surce directry bject Creating and Securing Stred Prcesses with SAS Enterprise Guide Yu can cnfigure SAS Enterprise Guide 3 t use the SAS Metadata Repsitry t lcate wrkspace servers and stred-prcess servers and t save and share stred prcesses. Stred-prcess authrs must first use the SAS Enterprise Guide administratr t cnfigure the SAS Metadata Repsitry as a prject repsitry. The credentials that are prvided fr the metadata server cnnectin shuld be thse f the user and nt a general purpse access accunt. This allws the use f metadata access cntrls t restrict stred-prcess authrs t grup flders specific t their scpe f wrk. When a SAS Enterprise Guide Prject is pened, a cnnectin is made t the metadata server using the credentials that were defined by the SAS Enterprise Guide Administratr applicatin. First-time users are prmpted fr these credentials, and these credentials are persisted by the applicatin via default security settings. The prcess f creating, testing, and delivering a stred prcess requires cnnectins t bth wrkspace servers (stres the SAS Enterprise Guide Prject and executes the SAS cde) and stred-prcess servers (executes the stred prcess). In SAS Enterprise Guide 3.01, users were prmpted fr server access credentials fr the wrkspace server. Fr SAS Enterprise Guide 3.02, a cnnectin t the wrkspace server is attempted with the cached metadata-server credential, and then using available metadata lgns fr the user. When yu cnnect t a stredprcess server, cached credentials are nt used. Metadata lgns are used instead. If n metadata lgns are available, the user is then prmpted. Cnsistent credential caching and lgn management is in SAS Enterprise Guide 4. The use f secured grup flders restricts stred-prcess authrs t flders based n their scpe f wrk, and enables secure delivery t the grup. Hwever, due t the nature f stred-prcess bjects and assciatins (t servers and surce directries), stred-prcess authrs must have WriteMetadata access fr bth the stredprcess flder and the lgical stred-prcess server where the stred prcess will execute. They must als have WriteMetadata access in the Default ACT. Fr SAS Enterprise Guide 3.0, a user must be granted WriteMetadata permissin t all stred-prcess entries that exist in a flder in rder t save a new stred prcess in the flder. Because f this restrictin, access cntrls fr stred-prcess entries shuld always be made at the flder level and passed by inheritance t each stred-prcess entry in the flder. This behavir ensures that cnsistent WriteMetadata access is prvided t authrs wh create and save stred prcesses in the flder. Publishing Framewrk Metadata Clients that Create Publishing Framewrk: SAS Management Cnsle Publishing Framewrk plug-in Clients that View Publishing Framewrk: SAS Enterprise Guide 3, SAS Infrmatin Delivery Prtal Channels are managed in the SAS Integratin Technlgies BI rt flder: /Integratin Technlgies/Publish-Subscribe/Channels 13

16 Administratrs can create channel entries using the SAS Management Cnsle Publishing Framewrk plug-in. Administratrs can create secure grup subflders t rganize and secure channel access fr user grups. Examples: /Integratin Technlgies/Publish-Subscribe/Channels/Sales /Integratin Technlgies/Publish-Subscribe/Channels/DeptA/WeeklyReprts /Integratin Technlgies/Publish-Subscribe/Channels/DeptB/FinanceReprts The Publish-Subscribe mdel requires the fllwing access cntrl patterns: Subscriber r Admin must be granted WriteMetadata n the Package Subscribers flder in the Publishing Framewrk permissin tree t create subscriber prfiles Publishers must be granted ReadMetadata n the channel flder t read subscriber prfiles fr delivery Publishers t Channels with Archives (the cntent f which is tracked in Metadata) must be granted WriteMetadata n the Channel bject In the prtal, the Manage Subscriptins ptin presents a list f channels that users can subscribe t. The list is created frm a search f channel bjects in flders and subflders starting at this lcatin: /Integratin Technlgies/Publish-Subscribe/Channels A user must be granted ReadMetadata permissin t view the channel in the user interface, and must be granted WriteMetadata permissin t subscribe t the channel. Nte: Fr this reasn, ReadMetadata and WriteMetadata permissins shuld always be granted r denied tgether fr a channel bject r a flder that cntains channel bjects that the administratr wants t ffer fr pen subscriptin t a grup. This prvides cnsistency fr the user interface that enables the user t subscribe t any Channel that is displayed t them. Clsed Enrllment Channels Sme channels might be ffered with clsed enrllment. A prtal administratr might want t manage a channel t which all prtal users are subscribed, r create a channel fr news that is displayed n the prtal s public kisk. Fr these channels, the administratr can create a flder such as the fllwing: /Integratin Technlgies/Publish-Subscribe/Channels/AdminCntrlled The administratr can als place an ACT n this flder with the fllwing permissins: Administratrs grups Grant ReadMetadata, Grant WriteMetadata PUBLIC Deny ReadMetadata, Deny WriteMetadata Then, the administratr creates tw channels: PrtalNews subscribe all prtal users PublicNews nly subscribe SAS Guest (accunt used fr the public kisk) Only the administratr can change subscriptins fr these channels. If users ther than the administratr grup need t publish t these channels, thse users must be granted WriteMetadata permissin. The prtal Manage Subscriber Prfiles feature enables yu t create subscriber prfiles that prvide infrmatin t publishing prcesses fr cntent delivery. Alternatively, an administratr can create prfiles fr subscribers by using the Publishing Framewrk plug-in t SAS Management Cnsle. 14

17 By default, the Subscriber flder is created withut access cntrls. Hwever, this enables users f clients with navigatin user interfaces (such as VDE and Prtal Tree Navigatr prtlet) t view subscriber prfile names in this lcatin: /Integratin Technlgies/Publish-Subscribe/Subscribers/Cntent Subscribers Nte: If the administratr chses t keep this flder lcatin pen by granting ReadMetadata permissin, then subscriber prfile names shuld nt be based n full user name, user ID, r ther infrmatin that culd expse user identity. Publish-Subscribe Usage Publishing frm the Prtal Cllabratin In this lw-security scenari, a grup f users share a channel amng themselves that is secure t the grup, and all subscribers can als be publishers. Publishing frm the Prtal requires an archive because the Prtal s Publicatin Channel Subscriptins prtlet is used t view channel cntent. Create a flder and apply access cntrls that grant the grup and administratrs ReadMetadata, WriteMetadata while denying PUBLIC ReadMetadata, WriteMetadata. Within this flder, a channel is created, and a subscriber grup is created fr channel subscribers. Alternatively, the channel can be secured directly t the grup (grant ReadMetadata, WriteMetadata fr the grup, deny ReadMetadata, WriteMetadata PUBLIC, grant Admins ReadMetadata, WriteMetadata). The grup is granted ReadMetadata access t the subscriber prfile fr each member f the grup while the PUBLIC grup is denied ReadMetadata access t the grup s subscriber prfiles. As a lw-security scenari, it des nt matter if the subscriber infrmatin fr grup members is expsed t the grup. If a DAV directry is used as the archive fr the channel, it shuld be created and secured t limit access t grup members and administratrs. If a prtal user s subscriber prfile specifies as the publish delivery mechanism, the will cntain a link t the prtal cntent. When the user first attempts t access the link, the Prtal uses the SAS Guest accunt (used t manage the prtal s public kisk page) t access the cntent. If this fails, the user is prmpted t lg n. Using the SAS Guest accunt enables publishers t cnvenient publish lw-security cntent that is available t all users. If the channel archive is a DAV directry, then access must be prvided t the SAS Guest accunt, and all publishers must knw that any user wh searches fr cntent at the public kisk have access t the published package. Cntent that must be secure t a specific grup membership shuld be placed in a metadata flder that denies the PUBLIC grup ReadMetadata access and grants grup members ReadMetadata access. Further, SAS Guest must be denied ReadMetadata access. Grup users wh receive cntent via URLs in are prmpted t lg n fr access, and the cntent is secure frm search frm the public kisk. Publishing Channels fr High Security and Assured Delivery In sme publishing envirnments, channel cntent is sensitive and subscribers have limited access t channels. The same access cntrl requirements might exist when there is a channel fr imprtant alert infrmatin and subscribers are nt allwed t unsubscribe frm the channel. Here the administratr has a larger task. That is, he r she uses the Publishing Framewrk plug-in t SAS Management Cnsle t create bth the channel and subscribers, subscribing individuals t the channel, and then retaining sle WriteMetadata access cntrl fr the channels and subscribers. N user can begin r end a subscriptin except thrugh a request t the administratr. A publishing accunt is als required that has 15

18 WriteMetadata permissin fr the channel and ReadMetadata permissin fr the subscriber prfiles. Create the channel with the fllwing permissins: PUBLIC Deny ReadMetadata, Deny WriteMetadata Subscribed Grups Grant ReadMetadata Users publishing t the channel Grant ReadMetadata Administratr Grant ReadMetadata, Grant WriteMetadata Subscriber prfiles are created and lcked by the administratr with the fllwing permissins: PUBLIC Deny `, Grant WriteMetadata Metadata is written t track-persisted result packages in the archive. Because prtal channels require an archive, channel publishers must be granted WriteMetadata access fr channels with archives, Prtal Permissin Trees Prtal permissin trees (flders) are maintained t secure cntent items that are unique t the prtal applicatin: pages, prtlets, web applicatins, links, and publicatin and syndicatin channels. Permissin trees are managed in the BI rt flder, /Prtal Applicatin Tree, and cntain references t prtal pages. After an installatin, users can navigate t this BI rt flder with the Prtal Navigatr prtlets and see their wn permissin tree and the permissin trees f grups t which they belng. In additin, client user interfaces that can prvide the File Save cmmand selectin can stre cntent in this space. This behavir presents tw areas f pssible cncern: Sme applicatin service prvider (ASP) custmers might differentiate service fferings by grup names t distinguish custmer relatinships (fr example, Ecnmy, Gld, and Platinum). They might nt want custmers t knw this classificatin. Because such grup names are viewable by clients, such grup names shuld nt reveal sensitive infrmatin. Prtal users can navigate t their permissin trees (user and grups that they are members f) and try t view the pages. This event is harmless because the pages are already part f the user s desktp. Prtal users and grups each have a permissin tree flder that is used t secure prtal cntent. When a user r grup becmes active in the prtal, that permissin tree flder is created as a subflder in the Prtal Applicatin Tree rt flder. An access cntrl that grants WriteMetadata permissin is required fr prtal users fr the Prtal Applicatin Tree rt flder when a user first lgs n t the prtal. When the user's permissin tree is created, prtal cde applies direct access cntrls t the tree flder as fllws: PUBLIC Deny ReadMetadata, Deny WriteMetadata Owner, either user r grup Grant ReadMetadata, Grant WriteMetadata Prtal Admins Grant ReadMetadata, Grant WriteMetadata, grant-delete These ACEs enable prtal cde t access the permissin tree flder. Fr strngly secured prtal applicatins where new users must be apprved fr access, yu can cntrl WriteMetadata access fr the Prtal Applicatin Tree flder by using a direct ACE. 16

19 Nte: A direct ACE that denies WriteMetadata access t SASUSERS prevents new users frm first-time lg n t the prtal. T enable a new user t lg n and create the required user permissin tree, apply a direct ACE t that user that grants WriteMetadata. Remve that direct ACE after the user's first lgn. Audits fr Metadata Permissins Custmers wh have strict security requirements will want t audit SAS metadata-based security. Requirements might include the fllwing: Persnal cntent is secured t the wner. Grup cntent is secured t grup members. Such grupings can be based n external custmer-client relatinships r internal user grups. Privacy: Users must nt be aware f ther users f the applicatin, individually r by grup assciatin as expsed by metadata navigatr-type clients r search features. If the custmer is an applicatin service prvider (ASP), users must nt be able t see infrastructure metadata abut the service prvider relatinship (fr example, a service user is placed in a lw-pririty usage grup). Here are sme alternatives fr perfrming such audits t verify cmpliance fr security requirements, but nne f these alternative are autmated fr SAS 9.1.3: Lg n t the prtal with representative rle-based accunts, and use the Tree Prtal Navigatr prtlets t navigate all available Infrmatin Service repsitries and t inventry available grup flders. The Tree Navigatr prtlet shws all cntent types. This feature makes it useful fr audit checks, but the administratr can chse t limit its availability t prtal administratrs. Lg n t the prtal with representative rle-base accunts, and use the search feature and all cntent, and review the list. The lcatin that is prvided in the results list indicates the metadata repsitry lcatin fr the item. Lg n t SAS Management Cnsle with representative rle-based accunts, and use the Authrizatin Manager plug-in t view subflders and available cntent. Review the shared cntent areas fr prducts (such as SAS Web Reprt Studi) that using representative rlebased accunts. Cnfirm that grup flders are accessible nly by grup members. Areas fr Custmer Attentin A default installatin f SAS Enterprise BI requires additinal cnfiguratin by the SAS administratr t prvide adequate security fr cntent that is managed by metadata. Fr specific backgrund and guidance, see the SAS Intelligence Platfrm: Security Administratin Guide, Secnd Editin, available at supprt.sas.cm/dcumentatin/nlinedc/intellplatfrm/913/bisecag.pdf. Nte: The SAS Intelligence Platfrm: Security Administratin Guide, Secnd Editin includes cntent that was frmerly in the SAS Enterprise Intelligence Platfrm: Administratin Guide befre Nvember

20 SAS 9 applicatins navigate thrugh the metadata repsitry as a means t access cntent items. Prtal Navigatr prtlets and Visual Data Explrer dialg bxes that are pened by selecting File Open r File Save enable users t navigate the entire Infrmatin Service, including cntent f the fllwing BI rt flders: /BIP Tree /Samples /Integratin Technlgies /Prtal Applicatin Tree additinal BI rt flders that are created by the custmer Fr Prtal Navigatr prtlets, the DAV repsitry that is assciated with the Infrmatin Service is accessible and shuld be secured by using the apprpriate DAV administratin tls. The fllwing review prvides a quick summary f the cmmn cntent flders in a SAS Enterprise Business Intelligence deplyment and the first steps t prvide basic metadata security. In SAS Management Cnsle, an administratr might need t use a specific manager plug-in t create a flder r cntent bject and then use the Authrizatin Manager plug-in t apply access permissins. Administratrs will find it useful t create ACTs fr cmmn access cntrl patterns: Public Read Metadata Only ACT: PUBLIC Grant ReadMetadata, Deny WriteMetadata Administratr grups (including SAS Web Administratr) Grant ReadMetadata, Grant WriteMetadata Admin Access Only ACT: PUBLIC Deny ReadMetadata, Deny WriteMetadata Administratr grups Grant ReadMetadata, Grant WriteMetadata Grup Owner ACT: PUBLIC Grant ReadMetadata, Deny WriteMetadata Grup Grant ReadMetadata Grup administratrs and cntent authrs Grant ReadMetadata, Grant WriteMetadata Administratr grups Grant ReadMetadata, Grant WriteMetadata The Default ACT must prvide ReadMetadata access either t the PUBLIC grup r the SASUSERS grup, depending n security plicy. The PUBLIC grup represents all authenticated users. The SASUSERS grup cnsists f authenticated users wh have established user identities. A typical, secure access permissin pattern is applied as fllws: In /BIP Tree, apply the Public Read Metadata Only ACT. In /BIP Tree/ReprtStudi/Shared/Reprts SAS Web Reprt Studi Shared reprts flders: Create a Public subflder and apply ACE t grant ReadMetadata and WriteMetadata permissins t the PUBLIC grup. Create grup subflders and apply the Grup Owner ACT. 18

21 /BIP Tree/ReprtStudi/Maps SAS Web Reprt Studi Maps flders: Use the same subflder and permissin pattern as is used the Reprts flders (see previus bullet item) t prvide each grup secure access t grup maps. /BIP Tree/ReprtStudi/Users SAS Web Reprt Studi user flders: SAS Service Pack 4: Grant WriteMetadata access t the Admin grup (includes SAS Web Administratr and the SAS Web Reprt Studi privileged accunt). SAS Service Pack 3 (withut ht fix 21WRS01 applied): Apply ACE t grant WriteMetadata access t the PUBLIC grup. This actin enables users t create and secure their wn flders. /BIP Tree/Users Visual Data Explrer user flders: In SAS Service Pack 4 and SAS Service Pack 3 with Ht Fix 913CDD02 applied, user flders are secured t wner. Users cannt create cntent at this lcatin. Apply an ACE t grant WriteMetadata access t the PUBLIC grup, depending n whether the security plicy allws creatin f user flders. In SAS Service Pack 3 (withut Ht Fix 913CDD02 applied), flders are nt secured when they are created. /BIP Tree/SASGeneratedMaps When either Visual Data Explrer r SAS Web OLAP Viewer fr Java access cubes directly, infrmatin maps are generated and stred in this lcatin. Ht fix 913CDD01 prvides an ptin t cntrl direct access f cubes. Generated maps can be accessed by any user wh has been granted WriteMetadata permissin n this lcatin. Applying an ACE t deny WriteMetadata access t the PUBLIC grup r the SASUSERS grup prevents the strage f generated maps (and direct access t cubes). /Samples Apply the Admin Access Only ACT t the Grant Admin grup (includes SAS Web Administratr and the SAS Web Reprt Studi privileged accunt). Grant ReadMetadata and WriteMetadata access t stred-prcess writers. Apply ACEs t grant ReadMetadata access t pwer user grups, as needed. /Integratin Technlgies Apply the Public Read Metadata Only ACT. Grant ReadMetadata and WriteMetadata access, as needed, t lwer flders t manage grup channels and subscriber prfiles. /Integratin Technlgies/Publish-Subscribe/Channels/ Publishing Framewrk channel definitins The administratr uses the Publishing Framewrk plug-in t SAS Management Cnsle t create channels. The administratr applies ACEs r ACTs t grant grups ReadMetadata and WriteMetadata access t individual channels t view (ReadMetadata) and enable grup subscriptin (WriteMetadata). Security and privacy needs determine whether ReadMetadata and WriteMetadata permissins shuld be granted as a pair. (list cntinued) 19

22 (Optinal) The Metadata administratr can create a channel flder and grant a channel administratr grup WriteMetadata permissins t create channels, as needed, in the flder. If channels have archives, apply ACEs t grant ReadMetadata and WriteMetadata access t publishing grups fr the channel r channel flder. /Integratin Technlgies/Publish-Subscribe/Subscribers/Cntent Subscribers/ The prtal, SAS Enterprise Guide, and the Publishing Framewrk plug-in t SAS Management Cnsle stre subscriber prfiles in this directry. If the administratr wants sle cntrl f subscriptin prfiles, apply an ACT t grant Admin grups the permissin pattern ReadMetadata,WriteMetadata Deny PUBLIC WriteMetadata. This permissin pattern can be inherited frm ACT applied at rt flder. Yu can prvide additinal access cntrl by creating subscriber prfiles and granting ReadMetadata and WriteMetadata access t a limited grup: wner, administratr grup, and publishing grup. /Prtal Applicatin Tree - Prtal permissin trees fr cntent items: Prtal users require the Grant ReadMetadata, Grant WriteMetadata pattern fr this flder. This pattern is usually inherited frm the Default ACT. Permissin trees that are created fr users and grups are secured t the wning user r grup. Administratrs, including the SAS Web Administratr accunt, must als have the Grant ReadMetadata, Grant WriteMetadata permissin pattern fr this rt flder. The SAS Web Administratr accunt is used t manage prtal permissins trees at this lcatin, and administratrs might need t directly manage permissin tree flders here. Best Practices fr a Strnger Metadata-Based Security Plicy Limit cntent lcatins t a small number f BI rt flders, preferably nly in the BIP Tree rt flder. Limit use f the Tree Navigatr prtlet t administrative users nly. T d this, cmplete the fllwing steps: 1. Start the SAS Management Cnsle. 2. In the Authrizatin Manager plug-in, select Resurce Management By Type and pen the Prttype flder. 3. Lcate the TreeNavigatr template. 4. Right-click the template and select Prperties. 5. On the Authrizatin tab, grant ReadMetadata permissin t Admin grups and deny ReadMetadata permissin t the PUBLIC grup. Deny WriteMetadata access whenever pssible. This actin prevents users frm writing cntent in unsecured lcatins. Generally, ReadMetadata access must be bradly granted fr navigatin and searching, and it can be denied at the lwest subflders that must be secured t the wning user r grup. 20

23 When yu apply a direct ACE r ACT t deny ReadMetadata permissin fr an identity, always deny WriteMetadata permissin as well fr the identity. Appendix A: Flat Flder Structure Permissins (Generic Example) The specific lcatin f cntent items depends n the applicatin and the custmer s envirnment. The fllwing is a generic example that shws access cntrl permissin patterns fr infrmatin maps in a typical SAS Web Reprt Studi installatin. In this example, the infrmatin architect has identified a set f infrmatin maps that must be available nly t a certain grup, and anther set t be available nly t anther grup. Fr example, ne grup, Dept A, might be decisin makers viewing maps with the Data Explrer in SAS Infrmatin Delivery Prtal. The ther grup, Dept B, might be business analysts wh wrk with SAS Web Reprt Studi t deliver web reprts. Because f the sensitive infrmatin expsed by the maps, access must be limited t specific grups. The Default ACT is as fllws: PUBLIC Deny ReadMetadata, Deny WriteMetadata SASUSERS Grant ReadMetadata, Grant WriteMetadata Nte: SAS applicatin users must have a user identity in the metadata repsitry t access cntent. SAS Web Reprt Studi (SAS 9.1.3, Service Pack 3) requires that maps be stred in a specific lcatin in the metadata repsitry: /BIP Tree/ReprtStudi/Maps/ The administratr creates an administratrs grup that cntains SAS Web Administratr accunt and ther custmer administratr accunts. The generic user grups are Dept A and Dept B. The administratr als creates a grup called DW Analysts, which cnsists f prgrammers and analysts wrking with the data warehuse and infrmatin maps. The cmmn cntent lcatin is as fllws: /BIP Tree/ReprtStudi/Maps/ Apply default permissins using the fllwing ACE: PUBLIC Deny Write Metadata Administratr grups Grant WriteMetadata DW Analysts Grant WriteMetadata This ACE blcks all users except Administratr grups and Analysts frm creating flders r adding cntent at this lcatin. The administratr creates the fllwing flder fr the Dept A grup: /BIP Tree/ReprtStudi/Maps/DeptA/ 21

24 Apply Dept A Owner permissins using the fllwing ACE: PUBLIC Deny ReadMetadata, Deny WriteMetadata Dept A Grant ReadMetadata Administratr grups Grant ReadMetadata, Grant WriteMetadata DW Analysts Grant ReadMetadata, Grant WriteMetadata The result f applying this ACE is that nly Dept A grup members, administratrs, and analysts can access this flder t view reprts. Only administratrs and analysts can create r manage maps. The administratr als creates a flder fr the Dept B grup: /BIP Tree/ReprtStudi/Maps/DeptB/ Apply Dept B Owner permissins by using the fllwing ACE: PUBLIC Deny ReadMetadata, Deny WriteMetadata Dept B Grant ReadMetadata Administratr grups Grant ReadMetadata, Grant WriteMetadata DW Analysts Grant ReadMetadata, Grant WriteMetadata The result f this ACE is that nly Dept B grup members, administratrs, and analysts can access this flder t view maps. Only admins and Analysts can create r manage maps. Nte: deny PUBLIC WriteMetadata and SAS Admins Grant WriteMetadata permissins are inherited frm the Reprts parent flder. Yu can define the abve cllectin f ACEs as an Access Cntrl Template (ACT) that yu apply t the grup flder t secure a grup flder. Cmplete the fllwing steps t create the ACT: 1. Start the SAS Management Cnsle. 2. In the Authrizatin Manager plug-in, select Prperties fr the grup flder. In the Prperties dialg bx, click the Authrizatin tab. 3. Click the Access Cntrl Template buttn t apply the ACT t the flder. ACEs that are applied thrugh a direct ACT appear with a green backgrund fr the permissin check bxes that are viewed n the Authrizatin tab in that dialg bx. Appendix B: Hierarchic Flder Structure (Generic Example) The example in this appendix deals with the shared web reprts lcatin in the fllwing rt flder: /BIP Tree/ReprtStudi/Shared/Reprts By default, this lcatin in the metadata repsitry has nly thse access cntrls that are inherited frm the Default ACT, meaning that mst grups will have WriteMetadata access at this lcatin and can create flders and reprts. Fr a site where grup cntent must be secure t the grup, the first step fr the administratr is t create grup flders that represent brad user grupings at the site: Sales, Marketing, Operatins, Finance, Human 22

25 Resurces, and s n. In a secure setting, the administratr can als limit the creatin f flders at this level, t frce users t wrk in secure subflders created fr them. If there is a need fr sharing nnsecured reprts between grups, the administratr can create an pen-access Public flder and allw SAS Web Reprt Studi users t create flders and save reprts in these flders. Flder Examples: /BI Tree/ReprtStudi/Shared/Reprts/Public /BI Tree/ReprtStudi/Shared/Reprts/Sales /BI Tree/ReprtStudi/Shared/Reprts/Marketing /BI Tree/ReprtStudi/Shared/Reprts/Finance /BI Tree/ReprtStudi/Shared/Reprts/Executive Use-Case Scenari A U.S. whlesale business divides sales territries int regins (Sutheast, Suthwest, Nrtheast, and Nrthwest) and then by states within regins. Sales teams are managed by state, with a state manager and a reginal manager. Fur reginal managers reprt t the Sales Executive. Sales reprts include discunts and cmmissin data, s state managers must nt see ther managers reprts. Reginal managers can review all state reprts fr their regin but nt the reprts f ther regins. The Sales Executive can review reginal and state reprts and shares a US Sales reprt with the cmpany s Executive grup. The administratr creates and ppulates metadata grups, as fllws: Admins SAS Administratr(s) BI Analysts BI Cntent creatr(s) Executive Sales Exec is a member, with thers Reginal Sales Managers 4 State Managers by Regin 4 grups Sutheast State Managers Nrtheast State Managers Suthwest State Managers Nrthwest State Managers State Sales Managers = 4 Reginal State Manager grups The hierarchic flder structure lks like this:../reprts/public../reprts/executive../reprts/sales../reprts/sales/natinal (list cntinued) 23

26 ../Reprts/Sales/Sutheast/Regin../Reprts/Sales/Sutheast/Flrida../Reprts/Sales/Sutheast/Gergia...mre flders... When yu build permissins in a hierarchic flder structure, there are tw appraches: Prvide brad access at the tp f the hierarchy and blck it as yu wrk dwn the subflders Prvide limited access at the tp f the hierarchy and add access t subflders as yu wrk dwn the hierarchy. In deep hierarchies, either apprach can be difficult t visualize because effective permissins are cmbinatins f inherited permissins and direct permissins. Yu can create an ACT fr repeating patterns f permissins. Applying the ACT t each subflder in the hierarchy can make it easier t determine effective permissins. In the fllwing use case, the secnd apprach is use. This apprach prvides limited access at the tp f the hierarchy and adds access t subflders, cmbined with an ACT. 1. The administratr begins wrk in this flder: /BIP Tree/ReprtStudi/Shared/Reprts/ The administratrs sets permissins by using the fllwing ACE: PUBLIC Deny WriteMetadata Administratr grups Grant WriteMetadata The result f this ACE is that nly administratrs can create flders r cntent at this flder. This permissins setting prevents SAS Web Reprt Studi users frm accidentally saving reprts in an unsecured lcatin. 2. The administratr then creates the Public flder: /BIP Tree/ReprtStudi/Shared/Reprts/Public/ This flder is created with a direct ACE t grant WriteMetadata permissin fr the SASUSERS grup. This actin creates a public lcatin where registered users can share nnsensitive cntent. The administratr then uses the Authrizatin Manager plug-in in SAS Management Cnsle t create an ACT called Base Sales: PUBLIC Deny ReadMetadata Administratr grups Grant ReadMetadata, Grant WriteMetadata BI Analysts Grant ReadMetadata, Grant WriteMetadata Executives Grant ReadMetadata The result f applying this ACT t a flder (r any bject) blcks inheritance f the ReadMetadata permissin fr all users. It als enables administratrs t administer cntent, BI analysts t navigate and create cntent, and executives t navigate and view cntent. (list cntinued) 24

27 3. Next, the administratr creates the Sales flder:../shared/reprts/sales The administratr applies the Base Sales ACT t set the fllwing permissins: Reginal Sales Managers grup Grant ReadMetadata State Sales Managers grup (a supergrup f grups) Grant ReadMetadata The result f applying this ACT is that administratrs, BI analysts, and all sales management can navigate t this flder. Others emplyees cannt navigate t this flder. BI analysts and administratrs can manage flders at this level. 4. The administratr creates the Natinal flder:../shared/reprts/sales/natinal The administratr then applies the Base Sales ACT. The result f applying this ACT is that nly executives can view this flder and cntent. Administratrs and analysts can create and manage cntent. 5. The administratr creates the Sutheast flder:../shared/reprts/sales/sutheast The administratr then applies the Base Sales ACT and creates a direct ACE that sets the fllwing permissins: Sutheast Regin Sales Manager Grant ReadMetadata Sutheast State Sales Managers Grant ReadMetadata The result f applying the ACT and the direct ACE is that executives, the Sutheast reginal manager, and Sutheast state managers can navigate t this flder. 6. The administratr creates the Regin flder:../shared/reprts/sales/sutheast/regin The administratr applies the Base Sales ACT and creates a direct ACE that sets Grant ReadMetadata permissin fr the Sutheast Reginal Manager. The result f applying the ACT and the direct ACE is that executives and the Sutheast Reginal manager can read cntent in this flder. Administratrs and analysts can create and manage cntent. 7. The administratr creates the Gergia flder:../reprts/sales/sutheast/gergia The administratr applies the Base Sales ACT and creates a direct ACE t set the fllwing permissins: Gergia Sales Manager Grant ReadMetadata Sutheast Regin Manager Grant ReadMetadata The result f applying the ACT and the direct ACE is that executives, the Sutheast Reginal Sales Manager, and the Gergia Sales Manager can view this flder and cntent. Administratrs and analysts can create and manage cntent. 25

28 8. The administratr creates the Flrida flder:../reprts/sales/sutheast/flrida The administratr applies the Base Sales ACT and creates a direct ACE t set the fllwing permissins: Flrida Sales Manager Grant ReadMetadata Sutheast Regin Manager Grant ReadMetadata The result f applying the ACT and the direct ACE is that executives, the Sutheast Reginal Sales Manager, and the Flrida Sales Manager can view this flder and cntent. Administratrs and analysts can create and manage cntent. This pattern f flder creatin is repeated thrughut each regin. 26

29

30 T cntact yur lcal SAS ffice, please visit: sas.cm/ffices SAS and all ther SAS Institute Inc. prduct r service names are registered trademarks r trademarks f SAS Institute Inc. in the USA and ther cuntries. indicates USA registratin. Other brand and prduct names are trademarks f their respective cmpanies. Cpyright 2015, SAS Institute Inc. All rights reserved.