set acluser prod1 ;
There is no need to issue an add ACL command for prod1_table. Deleting a table or
replacing a table does not delete the ACLs. The ACL for that table remains until:
• The table ACL is deleted using PROC SPDO delete syntax.
• The table is deleted and another user creates a table with the same name.
At that time, the ACLs have not been deleted. Deleting the table releases any rights that
owner has on the table. The exception is when persistent ACLs are used.
After the table has been refreshed, the ACL can be modified to allow read access once
again.
modify ACL prod1_table /
prodgrp=(y,n,n,y)
group1=(y,n,n,n)
group2=(y,n,n,n)
group3=(y,n,n,n)
group4=(y,n,n,n) ;
list ACL _all_ ;
run ;
Bringing a Domain Offline to Refresh Tables
When it is time to refresh the table(s), one approach to minimize contention and table
locking is to revoke privileges of users and groups who will not be involved in the refreshing
of tables in the domain.
This example assumes that the tables are already loaded in the domain and that the groups
who use them have access.
LIBNAME d2 sasspds 'd2'
server=zztop.5162
user='prod1'
password='spds123'
IP=YES ;
PROC SPDO library=d2 ;
/* Assign who owns the ACLs */
set acluser prod1 ;
It is possible to revoke read access at the LIBNAME or domain level, which allows the
IDs that are used to refresh the warehouse complete control of resources in the domain.
This example turns off all read access to the domain, except for IDs that are in the production
group (prodgrp).
By doing this, the production IDs have full control over the tables and resources.
Note: Any user that is currently accessing the domain will continue to have access until
they are disconnected. This can cause a lock to occur. The PROC SPDO special operator
commands can be used to identify the user and disconnect the process so the refresh
can take place.
modify ACL / LIBNAME
182 Chapter 14 • ACL Security Overview
