/* create two tables */
data d1.admin1_table1 ;
do i = 1 to 100 ;
output ;
end ;
run ;
/* admin1 has write priviliges to */
/* the domain */
data d1.admin1_table2 ;
do i = 1 to 100 ;
output ;
end ;
run ;
/* Generic ACLs allow all users to */
/* read tables created by admin1 */
/* unless a specific ACL is placed */
/* on a resource */
PROC SPDO library=d1 ;
/* Assign who owna the ACLs */
set acluser admin1 ;
The two ACL commands in the code below give read privileges to members of the ACL
group 'ADMIN1' for any table that is created by admin1, who has read access to the domain.
This ACL is a good example for data marts and warehouses which DO NOT contain
sensitive data. A GENERIC ACL gives broad access to tables in a domain. Generic ACLs
must be used correctly (or not at all) if sensitive data needs to be restricted to specific users
or groups of users.
If a table in a domain with generic ACLs is not specifically protected by its own ACL, there
is a risk of allowing access by any user to sensitive data.
add ACL / generic
read ;
modify ACL / generic read
admingrp=(y,n,n,y) ;
list ACL _all_;
quit ;
/* Test access for a user in group1 */
LIBNAME user1d1 sasspds 'd1'
server=zztop.5162
user='user1'
password='spds123'
IP=YES ;
PROC PRINT data=user1d1.admin1_table1
(obs=10) ;
title
ACL Security Examples 175
