/* The ACLSPECIAL= statement allows */
/* the user 'admin1' to operate under */
/* the user ID 'prod1', allowing the */
/* ACLs to be modified. */
set acluser prod1 ;
modify ACL /
LIBNAME admingrp=(y,n,n,n) ;
list ACL _all_ ;
quit ;
LIBACLINHERIT
If the LIBACLINHERIT parameter file option is turned on, the ACL precedence of
permission checks changes. Turning on LIBACLINHERIT creates a LIBNAME ACL on
the specified LIBNAME domain. The LIBNAME ACL grants users rights to all resources
within the LIBNAME domain. When a LIBNAME ACL is created for a specified
LIBNAME domain, the ACL precedence of permission checks becomes:
1.
Check user-specific permissions first. If defined, the accessor gets these permissions.
2.
If a resource is owned by the same ACL group as the accessor, the accessor gets the
resource's GROUP permissions.
3.
LIBNAME ACL permissions are used for domains where LIBACLINHERIT is turned
on.
4.
If the resource is owned by a different ACL group than the accessor, the accessor gets
the resource's UNIVERSAL permissions.
The following is an example using LIBACLINHERIT:
/* information from libnames.parm */
/* */
/* LIBNAME=LIBINHER */
/* pathname=/IDX1/spdsmgr/spds41test/libinher */
/* LIBACLINHERIT=YES */
/* owner=admin; */
/* LIBNAME=noinher */
/* pathname=/IDX1/spdsmgr/spds41test/noinher */
/* owner=admin; */
LIBNAME libinher sasspds 'libinher'
server=zztop.5129
user='admin'
password='spds123';
LIBNAME noinher sasspds 'noinher'
server=zztop.5129
user='admin'
password='spds123';
data libinher.admins_table
noinher.admins_table ;
do i = 1 to 10;
output;
170 Chapter 14 • ACL Security Overview
