Conditional Grants in SAS Visual Analytics

At Metacoda we thrive on metadata and enjoy building software to help organizations review, search, explore and manage their SAS® Software metadata more easily. With more SAS customers embracing SAS Visual Analytics, we’ve been asked whether our Metacoda Security Plug-ins software can show SAS Visual Analytics metadata and YES it can! SAS Visual Analytics connects to a SAS metadata server and the objects you create within SAS Visual Analytics (data queries, explorations, reports etc) are simply additional SAS metadata objects with some cool new icons! So let’s take a look at some SAS Visual Analytics metadata by creating a conditional grant on a SAS Visual Analytics LASR table (with some tips along the way).

What is a SAS Visual Analytics Conditional Grant?

As SAS users already know, there are many ways to filter data using programming or the point and click tools provided by SAS Software. SAS Visual Analytics also provide a number of ways to filter data in an exploration or report. This can be at the data level; at a visualization or report object level; in a section prompt; or when using filter interactions etc. Another method is via row-level security in the underlying SAS Visual Analytics LASR table using a conditional grant. A conditional grant is where the requesting user can see only those rows that meet the specified filtering condition from the LASR table. For details on conditional grants, have a look at the SAS Visual Analytics 6.3: Administration Guide.

What’s involved in setting up a conditional grant?

A conditional grant for a metadata identity on a LASR table can be configured through the SAS Visual Analytics Administrator interface (aka “Manage Environment” link). Once we set up the conditional grant, we’ll see it in action and then examine the SAS metadata. We will go through the following steps:

  1. define the permission condition (with a tip on being “quote aware”)
  2. demonstrate how row-level security is achieved in an exploration with two users, Famke & Koby
  3. show how you can review all the conditional grants set in your SAS Visual Analytics environment

Step One: Define the Permission Condition

A user with access to “Manage Environment” can configure the permission condition by right mouse clicking the desired table in the left pane and selecting Authorization. A tab opens showing the effective permissions on the LASR table.

Setting up a conditional grant [click on image]

Selecting the + icon on the right of the screen displays an identity window where a user or a group can be selected and the permission condition can be set. We want to set up a permission condition for Famke Foster. Famke is only permitted to read data in the Sydney & North Sydney Local Government Areas (LGA). So we need to set up a conditional grant on the Read permission. Clicking the Read cell we get the Edit Permission Conditions screen where we can specify the condition (see below).

Tip: no quotes!

As you can see in the screenshot, we’ve specified the condition, LGA Contains Sydney

Visual Analytics Permission Condition
Permission Condition editor [click on image]

Note there are no quotes around Sydney!!! SAS Visual Analytics will automatically put the quotation marks around the string literal, Sydney, when needed. If you include your own quotation marks they will be treated as part of the string literal and cause problems (as I discovered the first time I did this).

Tip: Programmer beware... 
     don't quote your string literal!

So now the Conditional Grant for Famke has been set up, let’s compare what is displayed in an exploration for two users Famke and Koby. Koby has an unrestricted view of the data.

Step Two: Row-Level Security

In the screenshots below I’ve opened the same SAS Visual Analytics exploration as two different users, Famke and Koby. You’ll see that the data has been successfully filtered for Famke based on the conditional grant. Famke can only see 2 LGA categories (Sydney and North Sydney) and Koby can see all 155. Success!

VA_famke_exploration
Famke’s view of an exploration [click on image]
VA_koby_exploration
Koby’s view of an exploration [click on image]

Conditional Grant – setting a data filter

If you’ve created multiple explorations where the only difference is the data filter for specific users (or groups/departments etc), you may want to consider creating an exploration that uses conditional grants for SAS metadata identities. This way, if a user changes departments/groups, the data they see is only what they are supposed to see, as governed by your SAS security model.

Step Three: How to review your conditional grants?

So now that we have our conditional grant in place, how do we find ALL the conditional grants applied to ALL our LASR tables? When we configure a conditional grant we are stating a specific access control for a particular entity. Using Metacoda Security Plug-ins ACE Reviewer we can easily review and manage all the access controls in your environment. Permission conditions are simply a type of access control that you have in your SAS Visual Analytics metadata. In the screenshot below you can see that there is an explicit Read permission for Famke Foster on the table AND you can also see the underlying XML that is stored in the permission condition. (This is where you can see SAS Visual Analytics has added the quotations marks around the string literal, Sydney).

VA_SMC_Metacoda_ACE_Reviewer
Metacoda ACE Reviewer showing conditional grant XML [click on image]

Because there could be many access controls in your environment, we’ve also filtered the list by searching for LASR in the ACE name/path at the top of the ACE Reviewer. This method provides the SAS Administrator an easy way to review ALL the conditional grants on ALL the SAS Visual Analytic LASR tables!

If you’re using SAS Visual Analytics, have you considered and/or implemented a conditional grant? How do you review/manage them? If you have any further conditional grant tips, please share in the comments below.

To find out more about our Metacoda Security Plug-ins software, visit our product page. Or register to download our plug-ins and get a free one-month evaluation license to try out the ACE Reviewer and rest of the plug-ins with your own SAS metadata including SAS Visual Analytics metadata!Register Now ...