diff --git a/sas/sasjs/macros/mpe_accesscheck.sas b/sas/sasjs/macros/mpe_accesscheck.sas index 7c92197..3f64808 100755 --- a/sas/sasjs/macros/mpe_accesscheck.sas +++ b/sas/sasjs/macros/mpe_accesscheck.sas @@ -1,21 +1,22 @@ /** @file - @brief Checks the level of access a user has to the MP Editor + @brief Checks group access level for a table or library @details In order for a user to be able to EDIT or APPROVE a table they must - be in a metadata group that has been granted access to that table in the - &mpelib..mpe_security table. Alternatively, they may be in the - &mpeadmins group (has overall access). + be in a group that has been granted access to that table in the + MPE_SECURITY table. Alternatively, they may be in the &mpeadmins + group (which has full access to everything).

SAS Macros

@li mp_abort.sas + @li mf_getuser.sas @li mf_verifymacvars.sas - @li mpe_getgroups.sas @li mp_dropmembers.sas + @li mpe_getgroups.sas - @param [in] access_level= access_level (per &mpelib..mp_editor_security) reqd - - @returns outds A table containing all the groups that user is a member of, - which are granted the access_level requested. + @param [in] base_table The base table to check for + @param [in] access_level= (APPROVE) access_level (per MPE_SECURITY) reqd + @param [out] outds= (MED_ACCESSCHECK) Output table containing all the groups + the user is a member of, which are granted the access_level requested. @version 9.2 @author 4GL Apps Ltd @@ -25,7 +26,7 @@ **/ %macro mpe_accesscheck( - base_table /* base table to check for */ + base_table ,outds=med_accesscheck /* WORK table to contain access details */ ,user= /* metadata user to check for */ ,access_level=APPROVE @@ -53,37 +54,42 @@ /* ensure any existing table is dropped */ %mp_dropmembers(&ds) - /* create a new table for temp use */ - data; run; - %local tempds; %let tempds=&syslast; - - /* overwrite with the list of groups */ - %mpe_getgroups(user=&user,outds=&tempds); + /* get list of user groups */ + %local tempds1; + %let tempds1=%mf_getuniquename(prefix=usergroups); + %mpe_getgroups(user=&user,outds=&tempds1) + /* get list of groups with access for that table */ + %local tempds2; + %let tempds2=%mf_getuniquename(prefix=tablegroups); + proc sql; + create table &tempds2 as + select distinct sas_group + from &mpelib..mpe_security + where &dc_dttmtfmt. lt tx_to + and access_level="&access_level" + and ( + (libref="%scan(&base_table,1,.)" and upcase(dsn)="%scan(&base_table,2,.)") + or (libref="%scan(&base_table,1,.)" and dsn="*ALL*") + or (libref="*ALL*") + ); %if &_debug ge 131 %then %do; data _null_; - set &tempds; + set &tempds1; + putlog (_all_)(=); + run; + data _null_; + set &tempds2; putlog (_all_)(=); run; %end; proc sql; create table &outds as - select * from &tempds + select * from &tempds1 where groupname="&mpeadmins" - or groupname in - (select sas_group from &mpelib..mpe_security - where &dc_dttmtfmt. lt tx_to - and access_level="&access_level" - & ( - (libref="%scan(&base_table,1,.)" and dsn="%scan(&base_table,2,.)") - or (libref="%scan(&base_table,1,.)" and dsn="*ALL*") - or (libref="*ALL*") - ) - ); + or groupname in (select * from &tempds2); -%put base_table=&base_table; -%put libref=%scan(&base_table,1,.); -%put dsn=%scan(&base_table,2,.); -%put access_level=&access_level; + %put &sysmacroname: base_table=&base_table; + %put &sysmacroname: access_level=&access_level; %mend mpe_accesscheck; diff --git a/sas/sasjs/macros/mpe_makedata.sas b/sas/sasjs/macros/mpe_makedata.sas index ef45a8e..4ac241d 100644 --- a/sas/sasjs/macros/mpe_makedata.sas +++ b/sas/sasjs/macros/mpe_makedata.sas @@ -1351,6 +1351,15 @@ insert into &lib..MPE_VALIDATIONS set ,rule_value='UPCASE' ,rule_active=1 ,tx_to='31DEC5999:23:59:59'dt; +insert into &lib..MPE_VALIDATIONS set + tx_from=0 + ,base_lib="&lib" + ,base_ds="MPE_SECURITY" + ,base_col="LIBREF" + ,rule_type='CASE' + ,rule_value="UPCASE" + ,rule_active=1 + ,tx_to='31DEC5999:23:59:59'dt; insert into &lib..MPE_VALIDATIONS set tx_from=0 ,base_lib="&lib" @@ -1369,6 +1378,15 @@ insert into &lib..MPE_VALIDATIONS set ,rule_value="&lib..MPE_TABLES.LIBREF" ,rule_active=1 ,tx_to='31DEC5999:23:59:59'dt; +insert into &lib..MPE_VALIDATIONS set + tx_from=0 + ,base_lib="&lib" + ,base_ds="MPE_SECURITY" + ,base_col="DSN" + ,rule_type='CASE' + ,rule_value="UPCASE" + ,rule_active=1 + ,tx_to='31DEC5999:23:59:59'dt; insert into &lib..MPE_VALIDATIONS set tx_from=0 ,base_lib="&lib" diff --git a/sas/sasjs/services/hooks/mpe_security_postedit.sas b/sas/sasjs/services/hooks/mpe_security_postedit.sas new file mode 100644 index 0000000..51b63fb --- /dev/null +++ b/sas/sasjs/services/hooks/mpe_security_postedit.sas @@ -0,0 +1,29 @@ +/** + @file + @brief Post Edit Hook script for the MPE_SECURITY table + @details Post edit hooks provide additional backend validation against + user-sourced data. The incoming dataset is always `work.staging_ds` and this + file is included from the mpe_loader.sas macro. + + Available (at runtime) macro variables: + @li DC_LIBREF - The DC control library for your site + @li LIBREF - The library of the dataset being edited (is assigned) + @li DS - The dataset being edited + + +**/ + +/* ensure upcase */ +data work.staging_ds; + set work.staging_ds; + LIBREF=upcase(LIBREF); + DSN=upcase(DSN); + ACCESS_LEVEL=upcase(ACCESS_LEVEL); +run; + +%mp_abort(iftrue=(&syscc ne 0) + ,mac=mpe_tables_postedit + ,msg=%superq(errmsg) +) + +