SAS Users

Securing sensitive data using SAS Federation Server at the row and column level

SAS® Federation Server provides a central, virtual environment for administering and securing access to your data. It also allows you to combine data from multiple sources without moving or copying the data. SAS Federation Server Manager, a web-based application, is used to administer SAS Federation Server(s).

Data privacy is a major concern for organizations. SAS Federation Server lets you effectively and efficiently control access to your data, so you can limit who is able to view sensitive data such as credit card numbers, personal identification numbers, names, etc. In this three-part series, I will explore the topic of controlling data access using SAS Federation Server.

SAS Metadata Server is used to perform authentication for users and groups in SAS Federation Server, and SAS Federation Server Manager is used to help control access to the data. Note: Permissions applied at a particular data source cannot be bypassed with SAS Federation Server security. If permissions are denied at the source data, for example on a table, then users will always be denied access to that table, no matter what permissions are set in SAS Federation Server.

In this blog post, I build on the example in my previous post and demonstrate how you can use SAS Federation Server Manager to control access to columns and rows in tables and views.

Previously, I gave the Finance Users group access to the SALARY table. Robert is a member of the Finance Users group, so he has access to the SALARY table; however, I want to restrict his access to the IDNUM column on the table. To do this, first I view the SALARY table Authorizations in Federation Server Manager, then I select the arrow to the right of the table name to view its columns.

SAS Administrators, SAS Federation Server, SAS Professional Services

Next, I select the IDNUM column. I then add the user Robert and set his SELECT permission to Deny for the column.

Note: There are 5 columns on the SALARY table.
Since he was denied access to the IDNUM column, Robert is only able to view 4 out of 5 columns.

Susan is also a member of the Finance Users group, so she has access to the SALARY table; however, I want to restrict her access to only rows where the JOBCODE starts with a “Q.” To do this, first I view the SALARY table Authorizations in Federation Server Manager.

Next, I select the Row Authorizations tab and select New Filter. I use the SQL Clause Builder to build the condition JOBCODE LIKE 'Q%'.

Next, I select the Users and Groups tab and add Susan to restrict her access to the filter I just created.


Susan is now only able to view the rows of the SALARY table where the JOBCODE begins with “Q.”
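The combined effect of the column Deny and the row filter can be modelled outside SAS to check what each user should see. The following is an added example, not code from the original post and not SAS Federation Server's implementation: it uses SQLite, the `POLICY` structure and `select_as` helper are hypothetical, and every column name other than IDNUM and JOBCODE, along with all row values, is constructed.

```python
import sqlite3

# Constructed sample table: only IDNUM and JOBCODE are names from the post.
COLUMNS = ["IDNUM", "NAME", "JOBCODE", "SALARY", "HIRED"]
ROWS = [
    (1001, "Avery", "QA1", 52000, "2015-03-01"),
    (1002, "Blake", "FA2", 61000, "2012-07-15"),
    (1003, "Casey", "QC3", 58000, "2018-11-30"),
    (1004, "Devon", "ME1", 47000, "2020-01-06"),
]

# Hypothetical model of the authorizations set in Federation Server Manager.
# row_filter is administrator-defined policy text, never end-user input.
POLICY = {
    "Robert": {"deny_columns": {"IDNUM"}, "row_filter": None},
    "Susan": {"deny_columns": set(), "row_filter": "JOBCODE LIKE 'Q%'"},
}

def make_db():
    db = sqlite3.connect(":memory:")
    # SQLite's LIKE ignores ASCII case by default; make 'Q%' match only "Q".
    db.execute("PRAGMA case_sensitive_like = ON")
    db.execute(f"CREATE TABLE SALARY ({', '.join(COLUMNS)})")
    db.executemany("INSERT INTO SALARY VALUES (?,?,?,?,?)", ROWS)
    return db

def select_as(db, user, source_denied=frozenset()):
    """Return (visible columns, rows) for the user's view of SALARY."""
    # A denial at the source data wins over anything granted above it.
    if user in source_denied or user not in POLICY:
        raise PermissionError(f"{user} has no access to SALARY")
    rule = POLICY[user]
    visible = [c for c in COLUMNS if c not in rule["deny_columns"]]
    sql = f"SELECT {', '.join(visible)} FROM SALARY"
    if rule["row_filter"]:
        sql += f" WHERE {rule['row_filter']}"
    return visible, db.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    for user in POLICY:
        cols, rows = select_as(db, user)
        print(user, cols, rows)
```

Running the same two checks against the real server, once as each user, confirms that the column and row authorizations were saved as intended.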
