SAS Visual Analytics provides the ability to implement row-level security on data. As documented in the SAS® Visual Analytics: Administration Guide, there are three methods that you can use to define your conditions:
- The user interface available in the SAS® Visual Analytics Administrator.
- The batch tools for metadata authorization.
- The DATA step functions for metadata security administration. The Full Code tab contains example code for the DATA step functions.
There are differences between the methods. For example, the user interface does not support the use of the IN operator, which is most often used with the IdentityGroups property. In order to implement row-level security using the IdentityGroups property (or any other statement using the IN operator), you must use the batch tools for metadata authorization.
For example, the following expression subsets Region for all users in the SASUSERS group where the value of Region matches the name of any group that user is a member of:
sas-set-metadata-access -host localhost -port 8561 -user "sasadm@saspw" -password xxxxxxx
"/Shared Data/Libraries/LASR Library/MEGACORP1MILLION (Table)" -grant SASUsers:Read -condition
"Region IN ('SUB::SAS.IdentityGroups')"
In this example, the sasdemo user is a member of a metadata group called "West." Therefore, only data for the "West" region is displayed.
Here are some tips for creating your condition:
- The data item name should be the name of the variable as it is defined in metadata. It should not refer to the label or description.
- If the data item name contains a space, enclose the data item name in single quotation marks and append an "n." For example, your -condition statement would look something like -condition "'FacilityRegion'n IN ('SUB::SAS.IdentityGroups')".
Note: For a link to the SAS Visual Analytics: Administration Guide, see the SAS Visual Analytics documentation page. Click the tab for the release that you are using, and look under the "Administration and Deployment" section.