run ;
ACL Special Users
SPD Server user IDs fall into two level ranges: 0 through 3, and 4 through 7. User IDs
at levels 4 through 7 can log in as an SPD Server 'super user' that can:
• access any table
• change table ACLs
• disconnect users
• perform administrative functions in a pinch
In many ways, SPD Server super users must be able to take on database administrator
functions. An SPD Server super user cannot change the ownership of a table, but can
assume the identity of the table owner to do required work. Often, this is needed
in a pinch when a user needs access and the table owner or domain owner is out of the
office.
The following should be considered when giving a user SPD Server super user status:
• The user must be trusted, because SPD Server super users can access any data in any
domain
• How many SPD Server super users do you want? Limit the number in order to maintain
control over access.
• SPD Server super users must be knowledgeable about the data and the database users'
needs.
Assume the table user1_table1 is loaded, and only read permissions have been given to
users in group1. User4 is a member of group4, and group4 does not have read access to the
table. User1 is the owner of user1_table1 in domain d2. User1 is on vacation, and user4
has been given an assignment that requires read access to user1_table1 to create a
report for management.
Management has approved user4's access to the table. The super user prod1 uses the
ACLSPECIAL= option to modify the ACLs and to give user4 read access to the table.
LIBNAME prod1d2 sasspds 'd2'
   server=zztop.5162
   user='prod1'
   password='spds123'
   aclspecial=YES
   IP=YES ;
PROC SPDO library=prod1d2 ;
   /* assign to the user who owns */
   /* the ACL that will be modified */
   set acluser user1 ;
   /* give user ID 'user4' read access */
   /* to user1_table1 */
   modify ACL user1_table1 /
      user4=(y,n,n,n) ;
184 Chapter 14 • ACL Security Overview