Read, Write, Create, or Delete
    Use to control user interactions with the underlying computing resource
    that is represented by a metadata object; and to control interactions
    with some metadata objects, such as dashboard objects.
Administer
    Use to control administrative interactions (such as starting or
    stopping) with the SAS server that is represented by a metadata
Secured library objects and secured table objects are subject to additional metadata-
To enable you to further control access to physical data, Base SAS includes the ability to
define metadata-bound libraries. A metadata-bound library is a physical library that is
tied to a corresponding metadata object. Each physical table within a metadata-bound
library has information in its header that points to a specific metadata object (a secured
table object). The pointer creates a security binding between the physical table and the
The binding ensures that SAS universally enforces metadata-layer permission
requirements for the physical table—regardless of how a user requests access from SAS.
Users who attempt to reference the data directly (for example, through a LIBNAME
statement) are subject to the same metadata-based authorization as users who request the
data through a BI client (such as SAS Web Report Studio).
Another way to control access to physical data is to use locked-down servers. A locked-
down server is a SAS server that is allowed to access only specified host resources
(directory paths and files). Regardless of host-layer permissions, FILENAME and
LIBNAME statements that users submit through a locked-down server are rejected,
unless the target resource is included in the server’s lockdown paths list.
You can place the following types of servers in a locked-down state: standard and pooled
workspace servers, stored process servers, batch servers, grid servers, and

External Authorization Mechanisms

A user's ability to perform a particular action is determined not only by metadata-based
and Base SAS mechanisms, but also by external authorization mechanisms such as
operating system permissions and database controls. To perform a particular action, the
user must have the necessary permissions in all of the applicable authorization layers.
For example, regardless of the access controls that have been defined for the user in the
metadata repository, the user cannot access a particular file if the operating system
permissions do not permit the action.
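
The layering described above (metadata permissions, a locked-down server's paths list, and operating system permissions) can be modelled as in the following added example, which is not SAS code and does not reproduce SAS's implementation. The function names, the grants set, the rule that a listed directory also covers what lies beneath it, and the sample paths are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

def in_lockdown_paths(target, lockdown_paths):
    """True if target resolves to a listed path or to something beneath one."""
    resolved = Path(target).resolve()      # collapses ".." and follows symlinks
    for allowed in lockdown_paths:
        base = Path(allowed).resolve()
        # Compare whole path components, so "sales" does not match "sales_private".
        if resolved == base or base in resolved.parents:
            return True
    return False

def authorize(user, target, action, grants, lockdown_paths, host_permits=os.access):
    """Return (allowed, denying_layer). Every applicable layer must permit."""
    # Layer 1: metadata-layer permission, modelled as a set of explicit grants.
    if (user, str(target), action) not in grants:
        return False, "metadata"
    # Layer 2: locked-down server, evaluated regardless of host-layer permissions.
    if not in_lockdown_paths(target, lockdown_paths):
        return False, "lockdown"
    # Layer 3: external mechanism, here operating system permissions.
    mode = os.R_OK if action == "Read" else os.W_OK
    if not host_permits(target, mode):
        return False, "operating system"
    return True, None

if __name__ == "__main__":
    # Constructed scenario: one listed directory and a sibling with a similar name.
    root = Path(tempfile.mkdtemp()).resolve()
    listed, sibling = root / "sales", root / "sales_private"
    listed.mkdir()
    sibling.mkdir()
    inside = listed / "q1.csv"
    outside = sibling / "pay.csv"
    dotdot = listed / ".." / "sales_private" / "pay.csv"   # same file as outside
    inside.write_text("constructed sample\n")
    outside.write_text("constructed sample\n")
    grants = {("alice", str(p), "Read") for p in (inside, outside, dotdot)}
    for path in (inside, outside, dotdot):
        print(path, authorize("alice", path, "Read", grants, [str(listed)]))
    # A user with no metadata grant is denied even though the host allows the read.
    print(inside, authorize("bob", inside, "Read", grants, [str(listed)]))
```
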