When defining user-specific ACL permissions, you can use an ACL group wherever you
can use an explicit SPD Server user ACL. Using an ACL group grants privileges to the
ACL group instead of only to a specific SPD Server user.
Column Security
SPD Server allows you to control access to table contents at the column level through the
use of ACLs. Column security ACLs can be applied to individual users at the user level,
or applied to collections of users at the group level. SPD Server enforces precedence for
user and group ACL permissions: first user ACL permissions are applied, then group ACL
restrictions are applied. SPD Server user permissions override SPD Server group
permissions.
When you use an ACL statement to create a protected column in a table, all individual users
or groups are automatically denied access to the protected column until they are explicitly
granted ACL permission to access it. When you issue an ACL statement to grant
or
deny
the contents of a table column to a single user or user group, the protected column
automatically becomes unavailable to
all
individual users and user groups, unless they are
specifically given access to the protected column.
Let's examine a scenario where a testing department hires a new member, Joe. Joe has
applied for classified security clearance, but his security clearance level won't be certified
for several weeks. All members of the department use an SPD Server table TESTING that
contains a column of classified information. Joe needs access to all of the TESTING table
except the protected column, and the rest of his group needs access to the whole TESTING
table.
First, you submit a user-level ACL statement to restrict the secure column in table
TESTING from Joe. Joe is explicitly denied access, but since the column is now a protected
entity, all other TESTING table users are also denied access to the column by default. Once
a column is protected via ACL security, explicit permissions must be granted in order for
any user (or groups of users) to be able to access the column content. Instead of issuing
user-level column ACL permissions to the rest of the testing group individually, you issue
a group-level ACL column permission to the user group TESTGROUP that explicitly
grants access to the protected column.
SPD Server reads the user-level ACL permissions first, and gives Joe access to the table
TESTGROUP, but restricts him from the secure column. Then SPD Server reads the group
ACL permissions, and grants all of the TESTGROUP members access to the full table,
including the secure column. Joe is a member of TESTGROUP, but the user-level ACL
permissions maintain precedence over group-level ACL permissions. This results in all of
TESTGROUP having full table access, except Joe. Joe's user-level ACL column security
restriction prevents him from accessing the classified column.
Now consider another scenario, where John manages a group DEVGROUP whose
members record their billable project hours and codes in an SPD Server table. In that table,
manager John keeps billing rate information based on employee salaries in a protected
column RATE. Only John should be able to see the entire table, and the rest of the
DEVGROUP should be able to see the table minus the RATE column. In this case, you
create column security by protecting the RATE column with a user-level ACL permission
statement for John. The DEVGROUP members can have full table permissions at the group
level, but will not see the protected column because John's user-level column security ACLs
will override any group-level ACLs for the DEVGROUP table.
Generic ACL
You can use generic ACL names for a class of resources that have a common prefix. You
can use the asterisk symbol "*" as a wildcard. This permits you to make a single ACL entry
instead of making explicit entries for each resource. For example, if you have tables named
156
Chapter 14 • ACL Security Overview
Summary of Contents for Scalable Performance Data Server 4.5
Page 1: ...SAS Scalable Performance Data Server 4 5 Administrator s Guide...
Page 7: ...Part 1 Product Notes Chapter 1 SPD Server 4 5 Product Notes 3 1...
Page 8: ...2...
Page 12: ...6...
Page 63: ...Part 3 Migration Chapter 5 SPD Server 3 x to SPD Server 4 5 Conversion Utility 59 57...
Page 64: ...58...
Page 70: ...64 Chapter 5 SPD Server 3 x to SPD Server 4 5 Conversion Utility...
Page 72: ...66...
Page 76: ...70 Chapter 6 Using the SPD Server Name Server to Manage Resources...
Page 94: ...88 Chapter 7 Administering and Configuring SPD Server Using the SAS Management Console...
Page 98: ...92 Chapter 8 SPD Server SQL Query Rewrite Facility...
Page 116: ...110 Chapter 10 Configuring Disk Storage for SPD Server...
Page 128: ...122 Chapter 11 Setting Up SPD Server Parameter Files...
Page 154: ...148...
Page 198: ...192 Chapter 14 ACL Security Overview...
Page 212: ...206 Chapter 15 Managing SPD Server Passwords Users and Table ACLs...
Page 214: ...208...
Page 224: ...218 Chapter 16 SPD Server Operator Interface Procedure PROC SPDO...
Page 236: ...230 Chapter 18 SPD Server Table List Utility Spdsls...
Page 256: ...250 Chapter 19 SPD Server Backup and Restore Utilities...
Page 264: ...258 Chapter 20 SPD Server Directory Cleanup Utility...
Page 270: ......