/*
控制要求如下:
三個邏輯庫(數據源SA, SB, 中間結果SC)
讓TA組對SA只讀,SC可讀寫
讓TB組對SB只讀,SC可讀寫
假設TA組有ta1,ta2用戶,TB組有TB1用戶*/
/*通過管理員連接3庫*/
libname sa sasspds "sa" server=wuyz.5400 user="admin" password="sasadm2" ;
libname sb sasspds "sb" server=wuyz.5400 user="admin" password="sasadm2" ;
libname sc sasspds "sc" server=wuyz.5400 user="admin" password="sasadm2" ;
/*寫入初始測試表*/
data sa.test;
do i=1 to 100;
output;
end;
run;
data sc.test;
do i=1 to 100;
output;
end;
run;
/*
驗證用戶名是否能登陸
第一次連接時會提示如下:
ERROR: No ACL READ access to LIBNAME domain granted.
ERROR: LIBNAME 語句出錯。
*/
libname u_sa sasspds "sa" server=wuyz.5400 user="ta1" password="sasadm1" prompt=yes;
libname u_sa sasspds "sa" server=wuyz.5400 user="ta2" prompt=yes;
libname u_sa sasspds "sa" server=wuyz.5400 user="tb1" prompt=yes;
/*
開始授權
讓TA組對SA只讀,SC可讀寫
讓TB組對SB只讀,SC可讀寫
*/
proc spdo library=sa;
set acluser admin;
add acl/libname;
modify acl/libname ta=(y,n,n,n);
list acl _all_;
quit;
proc spdo library=sb;
set acluser admin;
add acl/libname;
modify acl/libname tb=(y,n,n,n);
list acl _all_;
quit;
proc spdo library=sc;
set acluser admin;
add acl/libname;
modify acl/libname ta=(y,y,y,n) tb=(y,y,y,n);
list acl _all_;
quit;
/*測試TA組所在用戶是否擁有對SA庫的讀權限*/
libname u_sa sasspds "sa" server=wuyz.5400 user="ta1" password="sasadm2";
/*
由於只有讀權限,故不能執行寫動作,否則報如下錯誤:
ERROR: ACLWRITE access to LIBNAME domain required to create new data set.
*/
data u_sa.ta1_t1;
i=1;run;
/*
如果讀sa.test表,出現如下錯誤:
ERROR: ACLREAD access to existing data set required.
則是由於LIBNAMES.parm在分配庫時沒有指定 LIBACLINHERIT=YES 選項,故導致組的權限不能被繼承下來,通過改動,則可以正常執行
*/
data _null_;
set u_sa.test;
put _all_;
run;
/*
測試TA組所在用戶是否擁有對SB庫的任意權限
由於用戶沒有對sb庫的權限,會提示如下錯誤:
ERROR: No ACL READ access to LIBNAME domain granted.
ERROR: LIBNAME 語句出錯。
*/
libname u_sb sasspds "sb" server=wuyz.5400 user="ta1" password="sasadm2";
/*測試TA組所在用戶是否擁有對SC庫的讀寫權限*/
libname u_sc sasspds "sc" server=wuyz.5400 user="ta1" password="sasadm2";
/*測試寫*/
data u_sc.ta1_t1;
i=1;run;
/*測試讀*/
data _null_;
set u_sc.test;
put _all_;
run;
/*測試能否更改*/
data u_sc.test;
set u_sc.test;
run;
/*TB組的測試不在參照TA組*/