For reference, this topic documents the underlying security report macros.
You can choose to directly use the underlying report macros instead of using only
%MDSECDS (which is the standard approach to building authorization data sets).
However, the underlying macros don't offer any unique inclusion or exclusion
parameters. The following figure introduces the underlying macros. In the figure, arrow direction indicates input to and output from each underlying macro.
Figure 8.1 Underlying Macros
[Figure: data flow from the metadata repository through %MDSECGO (1), %MDSECGP (2), %MDSECTR (3), and %MDSECVW (4). Labels in the figure: Which folder? Which objects? Which identities? Which permissions? Data sets shown: work.mdsecds_objs, work.mdsecds_pconds, work.mdsecds_permsl, work.mdsecds_permsw, work.mdsecds_join.]
The numbers in the preceding figure correspond to these activities:
1. %MDSECGO extracts information for a specified set of objects. You specify one folder and indicate whether to include subdirectories. You can also provide a list of object types to include and filter the data set by attribute value.
Note: The same level of control is provided by using %MDSECDS on its own.
2. For every object in a specified data set, %MDSECGP gets effective permission settings for a specified set of identities and permissions.
Note: This is the point at which using the underlying macros creates an opportunity for you to define a subset of the objs data set.
3. %MDSECTR transforms the extracted data set from a long format (a separate row for each permission) to a wide format (all permissions in the same row).
4. %MDSECVW creates a joined view or data set that can be used for reporting.
The following table introduces a few utility macros that can be useful in security reporting:
Table 8.6 Utility Macros for Security Reporting
Utility Macro Description
%MDUTYPED Extracts information about top-level metadata objects or locates templates for a particular object type.
%MDUGFLDR Returns the object ID for a specified folder.
%DEFINEOBJTAB_SQL Defines the table into which %MDSECGO inserts rows.
The underlying macros and utility macros are in SAS-installation-directory\SASFoundation\9.3\core\sasmacro (Windows) or SAS-installation-directory/SASFoundation/9.3/sasautos (UNIX).
Dictionary
%MDSECDS
Generates authorization data sets. This is the top-level macro (it calls the underlying macros and should be used on its own).
Used by: Security reporting
Type: Stand-alone
Requirement: Connection to the metadata server
Syntax
%MDSECDS
(OUTDATA=data-set,
<FOLDER="path">,
<INCLUDESUBFOLDERS=YES | NO>,
<INCLUDETABLECOMPONENTS=YES | NO>,
<INCLUDECUBECOMPONENTS=YES | NO>,
<INCLUDESECUREDTABLES=YES | NO>,
<MEMBERTYPES="list">, <MEMBERFILTER="expression">,
<PERMS="list">,
<IDENTITYNAMES="list">, <IDENTITYTYPES="list">);
Optional Arguments
OUTDATA
provides a base name for the output. By default, the base name is work.mdsecds.
FOLDER
identifies a starting point folder. By default, the starting point is the server root (the SAS Folders node). If you provide a path (such as "\Products\SAS Intelligence Platform\Samples"), the starting point is the last folder in the path. To avoid having to type a long pathname, copy the path from a child item's general properties into your code.
INCLUDESUBFOLDERS
controls whether the entire subtree is included. By default, all objects in the entire subtree are included. If you specify NO, only the immediate contents of the starting point folder are included.
INCLUDETABLECOMPONENTS
controls whether table columns are included when a table is returned. By default, columns are included.
INCLUDECUBECOMPONENTS
controls whether cube hierarchies, levels, and dimensions are included when a cube is returned. By default, these components are included.
INCLUDESECUREDTABLES
controls whether secured table objects are included when a secured library object is returned. By default, secured table objects are included.
MEMBERTYPES
limits by object type. By default, all public types are included. If you provide a comma-delimited list of types, only those types are included.
You must provide the public type name in its TypeName format. For example, if you access the Advanced tab in the properties dialog box for the Information Map (relational) object type, you will see that its TypeName is InformationMap.Relational.
TIP In SAS Management Console, all public types are displayed on the Folders tab under System > Types.
Note: If you use this option, examine the output. The log doesn't display errors or warnings for incorrectly specified types.
MEMBERFILTER
limits by metadata attribute value. By default, no filter is applied. If you provide an expression, only objects that meet the criteria are included. The format for the expression is @attribute-name comparison-operator 'value' (for example, @ID='A5HDAJSI.B90006Y5' or @Name=:'Salary').
Comparison operators for character data include = (equals), =: (begins with), ? (contains), and ne (not equals).
Metadata attributes are associated with an object's metadata type (not public type).
Here are two common attributes:
ID is the object's metadata ID, which is displayed on the object's Inheritance tab.
Name is the object's name, which is displayed in the Name field on the object's General tab.
To find additional attributes, determine the MetadataType of the object that you are interested in. The type is displayed on the object's Inheritance tab. Then, in the reference documentation for the metadata model, look up that MetadataType to find the names of its attributes.
PERMS
specifies which permissions to include. By default, all permissions that are supported for each object type are included for objects of that type. If you provide a comma-delimited list of permissions, only those permissions are included. Even if the permissions in your user interface are translated, you must specify the English-language permission names (for example, ReadMetadata).
IDENTITYNAMES
specifies which identities to include. By default, only the named participants (the identities that are listed in an object's authorization properties) are included. If you provide a comma-delimited list of identity names, only those identities are included.
List identities by their names, not their display names.
If you use this option, you must also use the IDENTITYTYPES option.
IDENTITYTYPES
specifies whether names in the IDENTITYNAMES list correspond to users or to groups. For example, the first name listed in the IDENTITYNAMES parameter must match the first value in the IDENTITYTYPES list. Valid values in this list are Person and IdentityGroup.
Examples
Example 1: Permissions for All Objects within a Folder
This code extracts information about permissions on the objects in the Sales folder but doesn't include objects in subfolders:
%mdsecds(folder="\Shared Data\Sales", includesubfolders=no);
Example 2: Permissions for Two Object Types within a Folder Branch
This code extracts information about permissions on tables and schemas in the Sales folder and its subfolders:
%mdsecds(folder="\Shared Data\Sales", membertypes="Library,OLAPSchema");
Example 3: ReadMetadata Permission for Libraries for a Specified User
This code extracts information that indicates which libraries a particular user (the SAS Demo User) can see:
%mdsecds(identitynames="sasdemo", identitytypes="Person", membertypes="Library", perms="ReadMetadata");
Example 4: ReadMetadata Permission for Stored Processes for Two Specified Users
This code extracts information that indicates which stored processes two users (the SAS Demo User and Tara O'Toole) can see:
%mdsecds(identitynames="sasdemo,totoo", identitytypes="Person,Person", membertypes="StoredProcess", perms="ReadMetadata");
Example 5: WriteMetadata Permission for Reports for Specified Identities
This code extracts information that indicates which reports one user and one group (the SAS Demo User and PUBLIC) can modify:
%mdsecds(identitynames="sasdemo,PUBLIC", identitytypes="Person,IdentityGroup", membertypes="Report", perms="WriteMetadata");
Example 6: ReadMetadata Permission for a Subset of Reports
This code extracts information that indicates who can view reports that include the word "Salary" in their names:
%mdsecds(membertypes="Report", perms="ReadMetadata", memberfilter="@Name ? 'Salary'");
Example 7: Permissions for an Object (Referenced by Object ID)
This code extracts permission settings for an object that is referenced by its object ID:
%mdsecds(memberfilter="@ID='A5HDAJSI.B90006Y5'");
Note: Member filters are not applied to folders, so this example returns all folders (in addition to the object that has the specified ID).
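Because IDENTITYNAMES and IDENTITYTYPES are matched by position, a list that is one entry short or that contains a misspelled type value is easy to miss. The following added example (not SAS-supplied code) checks the two lists before calling %MDSECDS. The wrapper name %mdsecds_ids and its NAMES= and TYPES= parameters are hypothetical, and all four arguments are assumed to be supplied as quoted values.

```sas
/* Added example. %mdsecds_ids is a hypothetical wrapper, not a SAS-supplied macro. */
/* All four arguments are required and take the same quoted values that %MDSECDS    */
/* takes, for example names="sasdemo,PUBLIC", types="Person,IdentityGroup".         */
%macro mdsecds_ids(names=, types=, membertypes=, perms=);
  %local ok;
  %let ok = 0;  /* stays 0 if the DATA step below fails to run */

  /* The quoted lists resolve to ordinary string literals inside the DATA step. */
  data _null_;
    length names types $ 2000 t $ 64;
    names = &names;
    types = &types;
    n_names = countw(names, ',');
    n_types = countw(types, ',');
    ok = 1;

    /* Pairing is positional, so the two lists must be the same length. */
    if n_names = 0 or n_names ne n_types then do;
      put 'ERROR: IDENTITYNAMES and IDENTITYTYPES do not pair up: ' n_names= n_types=;
      ok = 0;
    end;

    /* The only valid type values are Person and IdentityGroup. */
    do i = 1 to n_types;
      t = strip(scan(types, i, ','));
      if t not in ('Person', 'IdentityGroup') then do;
        put 'ERROR: position ' i 'has an invalid identity type: ' t;
        ok = 0;
      end;
    end;

    call symputx('ok', ok);
  run;

  %if &ok ne 1 %then %do;
    %put ERROR: Identity lists rejected. The authorization data sets were not built.;
    %return;
  %end;

  %mdsecds(identitynames=&names, identitytypes=&types,
           membertypes=&membertypes, perms=&perms);
%mend mdsecds_ids;

/* Same request as Example 5, with the lists checked first. */
%mdsecds_ids(names="sasdemo,PUBLIC", types="Person,IdentityGroup",
             membertypes="Report", perms="WriteMetadata");
```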
Part 3
Authentication
Chapter 9 Authentication Model
Chapter 10 Authentication Mechanisms
Chapter 11 Authentication Tasks
Chapter 12 Server Configuration, Data Retrieval, and Risk